RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).

Fixes: 1e4df4a21c5a ("RDMA/umem: Allow pinned dmabuf umem usage")
Signed-off-by: Jacob Moroni <jmoroni@google.com>
Link: https://patch.msgid.link/20260224234153.1207849-1-jmoroni@google.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>

diff --git a/drivers/infiniband/core/umem_dmabuf.c b/drivers/infiniband/core/umem_dmabuf.c
index f5298c33e581c7c13a17efa6b5e3f11a441fa3af..d30f24b90bca9ed96745e9a37f6e816207f2c341 100644 (file)
--- a/drivers/infiniband/core/umem_dmabuf.c
+++ b/drivers/infiniband/core/umem_dmabuf.c
@@ -218,13 +218,11 @@ ib_umem_dmabuf_get_pinned_with_dma_device(struct ib_device *device,
 
        err = ib_umem_dmabuf_map_pages(umem_dmabuf);
        if (err)
-               goto err_unpin;
+               goto err_release;
        dma_resv_unlock(umem_dmabuf->attach->dmabuf->resv);
 
        return umem_dmabuf;
 
-err_unpin:
-       dma_buf_unpin(umem_dmabuf->attach);
 err_release:
        dma_resv_unlock(umem_dmabuf->attach->dmabuf->resv);
        ib_umem_release(&umem_dmabuf->umem);