
Bug#819881: radeon_fence_ref BUG: unable to handle kernel NULL pointer dereference

Control: tag -1 upstream patch

On Sun, 2016-04-03 at 14:38 +0200, Peter Palfrader wrote:
> Package: src:linux
> Version: 3.16.7-ckt25-1
> Severity: serious
> Hi,
> with the latest jessie kernel, my system freezes when I visit certain
> webpages in iceweasel (such as the system upgrade page from my mikrotik
> router).
> This issue is not present in 3.16.7-ckt20-1+deb8u4.

Sorry about this.  There was one earlier similar report which I meant
to investigate but didn't find time before the point release.

All three call traces are very similar and, based on the functions
listed, I believe the attached patch (taken from the next 3.16.7-ckt
stable update) should fix the bug.  Please test that, following the
instructions at


Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
From: Luis Henriques <luis.henriques@canonical.com>
Date: Wed, 9 Mar 2016 13:58:27 +0000
Subject: Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new"
Origin: http://kernel.ubuntu.com/git/ubuntu/linux.git/commit?id=f80be5a9b1ccf679415676f761bc9efdc3ad13b5

This reverts commit 73187980dfefe5198aadcfdf0a377e461eed2bfa, which was
commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb upstream.

This patch was triggering an Oops in stable kernel 3.10.99.  Christian
agrees that the patch is correct but "assumes that radeon_fence_unref()
can safely take NULL as the fence which is not the case for older

Reported-by: Erik Andersen <andersen@codepoet.org>
Acked-by: Christian König <christian.koenig@amd.com>
Cc: Nicolai Hähnle <nicolai.haehnle@amd.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
 drivers/gpu/drm/radeon/radeon_sa.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c
index 15fd57296081..adcf3e2f07da 100644
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
 			/* see if we can skip over some allocations */
 		} while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
-		for (i = 0; i < RADEON_NUM_RINGS; ++i)
-			radeon_fence_ref(fences[i]);
 		r = radeon_fence_wait_any(rdev, fences, false);
-		for (i = 0; i < RADEON_NUM_RINGS; ++i)
-			radeon_fence_unref(&fences[i]);
 		/* if we have nothing to wait for block */
 		if (r == -ENOENT) {
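
Review bot: removing both loops around radeon_fence_wait_any() avoids the NULL dereference, but it also drops the fence references that were held for the duration of the wait, and the visible part of the commit message does not say how that lifetime concern is covered on this branch after the revert. The message states that the original change is correct and only fails because radeon_fence_unref() cannot take NULL on older kernels (the bug title names radeon_fence_ref() as the faulting function), so an alternative for stable would be to keep the loops and skip empty slots, for example `if (fences[i]) radeon_fence_ref(fences[i]);` with the same guard before `radeon_fence_unref(&fences[i]);`. If a plain revert is preferred, the message should say why that is acceptable for these kernels.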
