habanalabs: fix dma-buf release handling if dma_buf_fd() fails

The dma-buf private object is freed if a call to dma_buf_fd() fails,
and because a file was already associated with the dma-buf in
dma_buf_export(), the release op will be called and will use this
object.

Mark the 'priv' field as NULL in this case, and avoid accessing it from
the release op.

Signed-off-by: Tomer Tayar <ttayar@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>

diff --git a/drivers/misc/habanalabs/common/memory.c b/drivers/misc/habanalabs/common/memory.c
index 6934563..a2d24c9 100644 (file)
--- a/drivers/misc/habanalabs/common/memory.c
+++ b/drivers/misc/habanalabs/common/memory.c
@@ -1782,7 +1782,12 @@ static void hl_unmap_dmabuf(struct dma_buf_attachment *attachment,
 static void hl_release_dmabuf(struct dma_buf *dmabuf)
 {
        struct hl_dmabuf_priv *hl_dmabuf = dmabuf->priv;
-       struct hl_ctx *ctx = hl_dmabuf->ctx;
+       struct hl_ctx *ctx;
+
+       if (!hl_dmabuf)
+               return;
+
+       ctx = hl_dmabuf->ctx;
 
        if (hl_dmabuf->memhash_hnode) {
                mutex_lock(&ctx->mem_hash_lock);
@@ -1822,7 +1827,7 @@ static int export_dmabuf(struct hl_ctx *ctx,
 
        fd = dma_buf_fd(hl_dmabuf->dmabuf, flags);
        if (fd < 0) {
-               dev_err(hdev->dev, "failed to get a file descriptor for a dma-buf\n");
+               dev_err(hdev->dev, "failed to get a file descriptor for a dma-buf, %d\n", fd);
                rc = fd;
                goto err_dma_buf_put;
        }
@@ -1835,6 +1840,7 @@ static int export_dmabuf(struct hl_ctx *ctx,
        return 0;
 
 err_dma_buf_put:
+       hl_dmabuf->dmabuf->priv = NULL;
        dma_buf_put(hl_dmabuf->dmabuf);
        return rc;
 }