An extra dma_fence_put() can drop the last reference to a fence while
it is
still attached to a dma_resv object. This frees the fence prematurely
via
dma_fence_release() while other users still hold the pointer.
Later accesses through dma_resv iteration may then operate on the freed
fence object, leading to refcount underflow warnings and potential hangs
when walking reservation fences.
Fix this by correcting the fence lifetime so the dma_resv object
retains a
valid reference until it is done with the fence.
[ 31.133803] refcount_t: underflow; use-after-free.
[ 31.133805] WARNING: lib/refcount.c:28 at
refcount_warn_saturate+0x58/0x90, CPU#18: kworker/u96:1/188
[ 31.133815] Modules linked in: snd_seq_dummy snd_hrtimer qrtr
binfmt_misc nls_iso8859_1 snd_hda_codec_alc882
snd_hda_codec_realtek_lib snd_hda_codec_generic snd_hda_codec_atihdmi
snd_hda_codec_hdmi snd_hda_intel amd_atl snd_hda_codec intel_rapl_msr
intel_rapl_common amdgpu snd_hda_core snd_intel_dspcfg amdxcp
snd_intel_sdw_acpi drm_panel_backlight_quirks snd_hwdep gpu_sched
drm_buddy snd_pcm drm_ttm_helper ttm drm_exec drm_suballoc_helper
snd_seq_midi drm_client_lib snd_seq_midi_event drm_display_helper
snd_rawmidi cec snd_seq edac_mce_amd ghash_clmulni_intel
snd_seq_device aesni_intel rc_core drm_kms_helper gigabyte_wmi
snd_timer wmi_bmof rapl k10temp video i2c_piix4 snd i2c_smbus
input_leds soundcore joydev ccp mac_hid sch_fq_codel msr parport_pc
ppdev lp parport drm efi_pstore nfnetlink dmi_sysfs autofs4
hid_generic usbhid hid nvme igb ahci i2c_algo_bit dca libahci
nvme_core wmi
[ 31.133932] CPU: 18 UID: 0 PID: 188 Comm: kworker/u96:1 Not
tainted 6.19.0-amd-staging-drm-next #28 PREEMPT(voluntary)
[ 31.133937] Hardware name: Gigabyte Technology Co., Ltd. X570
AORUS ELITE/X570 AORUS ELITE, BIOS F37c 05/12/2022
[ 31.133940] Workqueue: sdma1 drm_sched_run_job_work [gpu_sched]
[ 31.133951] RIP: 0010:refcount_warn_saturate+0x58/0x90
[ 31.133955] Code: 74 2f 83 fe 01 75 38 48 8d 3d a4 2c 91 01 67 48
0f b9 3a eb 36 48 8d 3d a6 2c 91 01 67 48 0f b9 3a eb 28 48 8d 3d a8
2c 91 01 <67> 48 0f b9 3a eb 1a 48 8d 3d aa 2c 91 01 67 48 0f b9 3a
eb 0c 48
[ 31.133959] RSP: 0018:ffffca16807dfd68 EFLAGS: 00010246
[ 31.133962] RAX: ffff89e988f05600 RBX: 0000000000000000 RCX:
0000000000000000
[ 31.133965] RDX: 0000000000000000 RSI: 0000000000000003 RDI:
ffffffffa1fd2f30
[ 31.133967] RBP: ffffca16807dfd68 R08: 0000000000000000 R09:
0000000000000000
[ 31.133969] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff89e98edf1308
[ 31.133971] R13: ffff89e9d3001380 R14: ffff89e9dab5f800 R15:
ffff89e9dab5f880
[ 31.133974] FS: 0000000000000000(0000) GS:ffff89ed0cc3e000(0000)
knlGS:0000000000000000
[ 31.133976] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.133979] CR2: 00007f3050081c28 CR3: 0000000117f06000 CR4:
0000000000350ef0
[ 31.133982] Call Trace:
[ 31.133985] <TASK>
[ 31.133989] drm_sched_entity_pop_job+0x414/0x420 [gpu_sched]
[ 31.133997] drm_sched_run_job_work+0x15f/0x3c0 [gpu_sched]
[ 31.134003] process_scheduled_works+0x1f0/0x450
[ 31.134011] worker_thread+0x27f/0x370
[ 31.134016] kthread+0x1ed/0x210
[ 31.134020] ? __pfx_worker_thread+0x10/0x10
[ 31.134023] ? srso_return_thunk+0x5/0x5f
[ 31.134027] ? __pfx_kthread+0x10/0x10
[ 31.134031] ret_from_fork+0x10f/0x1b0
[ 31.134035] ? __pfx_kthread+0x10/0x10
[ 31.134039] ret_from_fork_asm+0x1a/0x30
[ 31.134047] </TASK>
[ 31.134049] ---[ end trace 0000000000000000 ]---
...
[ 56.544104] watchdog: BUG: soft lockup - CPU#9 stuck for 26s!
[glxgears:cs0:3483]
[ 56.544108] Modules linked in: snd_seq_dummy snd_hrtimer qrtr
binfmt_misc nls_iso8859_1 snd_hda_codec_alc882
snd_hda_codec_realtek_lib snd_hda_codec_generic snd_hda_codec_atihdmi
snd_hda_codec_hdmi snd_hda_intel amd_atl snd_hda_codec intel_rapl_msr
intel_rapl_common amdgpu snd_hda_core snd_intel_dspcfg amdxcp
snd_intel_sdw_acpi drm_panel_backlight_quirks snd_hwdep gpu_sched
drm_buddy snd_pcm drm_ttm_helper ttm drm_exec drm_suballoc_helper
snd_seq_midi drm_client_lib snd_seq_midi_event drm_display_helper
snd_rawmidi cec snd_seq edac_mce_amd ghash_clmulni_intel
snd_seq_device aesni_intel rc_core drm_kms_helper gigabyte_wmi
snd_timer wmi_bmof rapl k10temp video i2c_piix4 snd i2c_smbus
input_leds soundcore joydev ccp mac_hid sch_fq_codel msr parport_pc
ppdev lp parport drm efi_pstore nfnetlink dmi_sysfs autofs4
hid_generic usbhid hid nvme igb ahci i2c_algo_bit dca libahci
nvme_core wmi
[ 56.544166] CPU: 9 UID: 0 PID: 3483 Comm: glxgears:cs0 Tainted:
G W 6.19.0-amd-staging-drm-next #28 PREEMPT(voluntary)
[ 56.544170] Tainted: [W]=WARN
[ 56.544171] Hardware name: Gigabyte Technology Co., Ltd. X570
AORUS ELITE/X570 AORUS ELITE, BIOS F37c 05/12/2022
[ 56.544172] RIP: 0010:dma_resv_iter_walk_unlocked+0x4e/0x180
[ 56.544179] Code: 45 31 ed eb 0e 41 8b 46 08 41 3b 46 18 0f 83 23
01 00 00 49 8b 46 10 48 85 c0 74 20 48 8d 78 38 b9 ff ff ff ff f0 0f
c1 48 38 <83> f9 01 75 07 e8 78 ce ff ff eb 06 0f 8c e3 00 00 00 41
8b 46 1c
[ 56.544180] RSP: 0018:ffffca16865bb870 EFLAGS: 00000217
[ 56.544182] RAX: ffff89e997f38d80 RBX: 0000000000000005 RCX:
0000000000000006
[ 56.544183] RDX: 0000000000000001 RSI: 0000000000000000 RDI:
ffff89e997f38db8
[ 56.544184] RBP: ffffca16865bb898 R08: 0000000000000000 R09:
0000000000000000
[ 56.544185] R10: 0000000000000000 R11: 0000000000000000 R12:
ffffca16865bb8c0
[ 56.544186] R13: 0000000000000000 R14: ffffca16865bb8a8 R15:
ffff89e997f38d80
[ 56.544187] FS: 00007f8f8d3ff6c0(0000) GS:ffff89ed0c9fe000(0000)
knlGS:0000000000000000
[ 56.544189] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.544190] CR2: 00007f8f9b735020 CR3: 0000000117f06000 CR4:
0000000000350ef0
[ 56.544191] Call Trace:
[ 56.544193] <TASK>
[ 56.544197] dma_resv_wait_timeout+0x55/0x190
[ 56.544202] amdgpu_bo_kmap+0x3a/0xa0 [amdgpu]
[ 56.544502] amdgpu_userq_fence_read_wptr+0x130/0x2e0 [amdgpu]
[ 56.544670] amdgpu_userq_signal_ioctl+0x1f6/0x5e0 [amdgpu]
[ 56.544847] ? srso_return_thunk+0x5/0x5f
[ 56.544851] ? amdgpu_userq_wait_ioctl+0xab7/0xb80 [amdgpu]
[ 56.545021] ? __pfx_amdgpu_userq_signal_ioctl+0x10/0x10 [amdgpu]
[ 56.545190] drm_ioctl_kernel+0xd9/0x150 [drm]
[ 56.545222] drm_ioctl+0x29a/0x4a0 [drm]
[ 56.545245] ? __pfx_amdgpu_userq_signal_ioctl+0x10/0x10 [amdgpu]
[ 56.545422] ? srso_return_thunk+0x5/0x5f
[ 56.545426] amdgpu_drm_ioctl+0x46/0x90 [amdgpu]
[ 56.545595] __se_sys_ioctl+0x73/0xd0
[ 56.545600] __x64_sys_ioctl+0x1d/0x30
[ 56.545602] x64_sys_call+0x1715/0x2d00
[ 56.545604] do_syscall_64+0x7c/0x6a0
[ 56.545608] ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
[ 56.545778] ? srso_return_thunk+0x5/0x5f
[ 56.545781] ? amdgpu_drm_ioctl+0x6c/0x90 [amdgpu]
[ 56.545950] ? srso_return_thunk+0x5/0x5f
Signed-off-by: Sunil Khatri <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index 146ca6d7f4f5..442c08b69f7c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -882,12 +882,9 @@ int amdgpu_userq_wait_ioctl(struct drm_device
*dev, void *data,
* be good for now
*/
r = dma_fence_wait(fences[i], true);
- if (r) {
- dma_fence_put(fences[i]);
+ if (r)
goto free_fences;
- }
- dma_fence_put(fences[i]);
continue;
}
@@ -909,7 +906,6 @@ int amdgpu_userq_wait_ioctl(struct drm_device
*dev, void *data,
fence_info[cnt].va = fence_drv->va;
fence_info[cnt].value = fences[i]->seqno;
- dma_fence_put(fences[i]);
/* Increment the actual userq fence count */
cnt++;
}
