The xarray pointer which has the userqueue xarray structure
reference should be cleared when the userqueue gets
destroyed. Otherwise, we may access the freed xa memory and
see the below warnings.
warning 1:
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x7a/0xe0
[ +0.000044] Call Trace:
[ +0.000017] <TASK>
[ +0.000016] dump_stack_lvl+0x6c/0x90
[ +0.000025] print_report+0xc4/0x5e0
[ +0.000025] ? srso_return_thunk+0x5/0x5f
[ +0.000024] ? kasan_complete_mode_report_info+0x60/0x1d0
[ +0.000030] ? _raw_spin_lock+0x7a/0xe0
[ +0.000023] kasan_report+0xdf/0x120
[ +0.000023] ? _raw_spin_lock+0x7a/0xe0
[ +0.000025] kasan_check_range+0xf7/0x1b0
[ +0.000025] __kasan_check_write+0x14/0x20
[ +0.000024] _raw_spin_lock+0x7a/0xe0
[ +0.000023] ? __pfx__raw_spin_lock+0x10/0x10
[ +0.000024] ? amdgpu_userq_wait_ioctl+0xac0/0x1f30 [amdgpu]
[ +0.000442] amdgpu_userq_wait_ioctl+0x18fc/0x1f30 [amdgpu]
[ +0.000428] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ +0.000424] ? __pfx_idr_alloc_u32+0x10/0x10
[ +0.000027] ? srso_return_thunk+0x5/0x5f
[ +0.000024] ? __kasan_check_write+0x14/0x20
[ +0.000025] ? srso_return_thunk+0x5/0x5f
[ +0.000024] ? idr_alloc+0x72/0xc0
[ +0.000023] ? srso_return_thunk+0x5/0x5f
[ +0.000023] ? fput+0x1c/0x2f0
[ +0.000025] drm_ioctl_kernel+0x178/0x2f0 [drm]
[ +0.000065] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ +0.000425] ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]
[ +0.000064] ? srso_return_thunk+0x5/0x5f
[ +0.000023] ? __kasan_check_write+0x14/0x20
[ +0.000025] drm_ioctl+0x513/0xd20 [drm]
[ +0.000058] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ +0.000428] ? __pfx_drm_ioctl+0x10/0x10 [drm]
[ +0.000061] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ +0.000027] ? __count_memcg_events+0x11f/0x3a0
[ +0.000027] ? srso_return_thunk+0x5/0x5f
[ +0.001040] ? srso_return_thunk+0x5/0x5f
[ +0.000969] ? _raw_spin_unlock_irqrestore+0x27/0x50
[ +0.000966] amdgpu_drm_ioctl+0xcd/0x1d0 [amdgpu]
[ +0.001352] __x64_sys_ioctl+0x135/0x1b0
[ +0.000966] x64_sys_call+0x1205/0x20d0
[ +0.000968] do_syscall_64+0x4d/0x120
[ +0.000960] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ +0.000962] RIP: 0033:0x7f42af11a94f
warning 2:
WARNING: at lib/xarray.c:1849 __xa_alloc+0x13a/0x150
[ 366.491409] RIP: 0010:__xa_alloc+0x13a/0x150
[ 366.491434] Call Trace:
[ 366.491437] <TASK>
[ 366.491440] ? show_regs+0x6d/0x80
[ 366.491445] ? __warn+0x91/0x140
[ 366.491450] ? __xa_alloc+0x13a/0x150
[ 366.491453] ? report_bug+0x1c9/0x1e0
[ 366.491459] ? handle_bug+0x63/0xa0
[ 366.491463] ? exc_invalid_op+0x1d/0x80
[ 366.491467] ? asm_exc_invalid_op+0x1f/0x30
[ 366.491476] ? __xa_alloc+0x13a/0x150
[ 366.491484] amdgpu_userq_wait_ioctl+0xe0e/0xfe0 [amdgpu]
[ 366.491743] ? idr_alloc_u32+0x97/0xd0
[ 366.491749] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ 366.491912] drm_ioctl_kernel+0xae/0x100 [drm]
[ 366.491942] drm_ioctl+0x2a1/0x500 [drm]
[ 366.491961] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ 366.492127] ? srso_return_thunk+0x5/0x5f
[ 366.492132] ? srso_return_thunk+0x5/0x5f
[ 366.492135] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 366.492139] amdgpu_drm_ioctl+0x4f/0x90 [amdgpu]
[ 366.492288] __x64_sys_ioctl+0x99/0xd0
[ 366.492295] x64_sys_call+0x1209/0x20d0
[ 366.492299] do_syscall_64+0x51/0x120
[ 366.492303] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 366.492418] RIP: 0033:0x7f86f3b1a94f
Signed-off-by: Arunpravin Paneer Selvam <arunpravin.paneersel...@amd.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
index cba51bdf2e2c..311d536a7079 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
@@ -73,6 +73,7 @@ amdgpu_userqueue_cleanup(struct amdgpu_userq_mgr *uq_mgr,
}
uq_funcs->mqd_destroy(uq_mgr, queue);
+ queue->fence_drv->fence_drv_xa_ptr = NULL;
amdgpu_userq_fence_driver_free(queue);
idr_remove(&uq_mgr->userq_idr, queue_id);
kfree(queue);
--
2.25.1
