Bug#819881: radeon_fence_ref BUG: unable to handle kernel NULL pointer dereference

[Ben Hutchings <ben@decadent.org.uk>]

Control: tag -1 upstream patch

On Sun, 2016-04-03 at 14:38 +0200, Peter Palfrader wrote:
> Package: src:linux
> Version: 3.16.7-ckt25-1
> Severity: serious
> 
> Hi,
> 
> with the latest jessie kernel, my system freezes when I visit certain
> webpages in iceweasel (such as the system upgrade page from my
> mikrotik
> router).
> 
> This issue is not present in 3.16.7-ckt20-1+deb8u4.
[...]

Sorry about this.  There was one earlier similar report which I meant
to investigate but didn't find time before the point release.

All three call traces are very similar and, based on the functions
listed, I believe the attached patch (taken from the next 3.16.7-ckt
stable update) should fix the bug.  Please test that, following the
instructions at
<https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.

From: Luis Henriques <luis.henriques@canonical.com>
Date: Wed, 9 Mar 2016 13:58:27 +0000
Subject: Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new"
Origin: http://kernel.ubuntu.com/git/ubuntu/linux.git/commit?id=f80be5a9b1ccf679415676f761bc9efdc3ad13b5

This reverts commit 73187980dfefe5198aadcfdf0a377e461eed2bfa, which was
commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb upstream.

This patch was triggering a Oops in stable kernel 3.10.99.  Christian
agrees that the patch is correct but "assumes that radeon_fence_unref()
can safely take NULL as the fence which is not the case for older
kernels."

Reported-by: Erik Andersen <andersen@codepoet.org>
Acked-by: Christian König <christian.koenig@amd.com>
Cc: Nicolai Hähnle <nicolai.haehnle@amd.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/gpu/drm/radeon/radeon_sa.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c
index 15fd57296081..adcf3e2f07da 100644
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
 			/* see if we can skip over some allocations */
 		} while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
 
-		for (i = 0; i < RADEON_NUM_RINGS; ++i)
-			radeon_fence_ref(fences[i]);
-
 		spin_unlock(&sa_manager->wq.lock);
 		r = radeon_fence_wait_any(rdev, fences, false);
-		for (i = 0; i < RADEON_NUM_RINGS; ++i)
-			radeon_fence_unref(&fences[i]);
 		spin_lock(&sa_manager->wq.lock);
 		/* if we have nothing to wait for block */
 		if (r == -ENOENT) {

Attachment: signature.asc
Description: This is a digitally signed message part