On 3/4/06, Benjamin LaHaise [off-list ref] wrote:

On Fri, Mar 03, 2006 at 01:42:20PM -0800, Chris Leech wrote:

quoted

+void dma_async_device_unregister(struct dma_device* device)
+{

...

quoted

+     kref_put(&device->refcount, dma_async_device_cleanup);
+     wait_for_completion(&device->done);
+}

This looks like a bug: device is dereferenced after it is potentially
freed.

Actually, this is where the code is waiting to make sure it's safe to
free device.  The release function for the kref completes
device->done.  Each of the devices channels holds a reference to the
device.  When a device is unregistered it's channels are removed from
the clients, which hold a reference for each outstanding transaction. 
When all the outstanding transactions complete, the channels kref goes
to 0, and the reference to the device is dropped.  When the device
kref goes to 0 the completion is set, and it's now safe to free the
memory for the device and channel structures.

I have a writeup of the locking and reference counting that I'll
finish and add in as a big comment to the code.

-Chris