NetBSD-Bugs archive


kern/53565: radeon fence_get crash



>Number:         53565
>Category:       kern
>Synopsis:       radeon fence_get crash
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Sep 01 17:30:01 +0000 2018
>Originator:     Tobias Ulmer
>Release:        NetBSD 8.99.24
>Organization:
>Environment:
NetBSD i7.tmux.org 8.99.24 NetBSD 8.99.24 (GENERIC) #2: Sat Sep  1 16:29:09 UTC 2018  root%i7.tmux.org@localhost:/root/GENERIC amd64
>Description:
Open/close some X11 clients; within a couple of seconds/minutes the machine panics:

alltraps() at netbsd:alltraps+0xc8   
radeon_fence_ref() at netbsd:radeon_fence_ref+0x11
radeon_sa_bo_new() at netbsd:radeon_sa_bo_new+0x280
radeon_ib_get() at netbsd:radeon_ib_get+0x32
radeon_cs_ioctl() at netbsd:radeon_cs_ioctl+0x249
drm_ioctl() at netbsd:drm_ioctl+0x234
sys_ioctl() at netbsd:sys_ioctl+0x11c
syscall() at netbsd:syscall+0x173

GDB confirms the fence argument to radeon_fence_ref is NULL, which makes sense as radeon_sa_bo_new() doesn't always initialize every member of "fences" in radeon_sa_bo_next_hole() depending on conditions.

On Linux, calls to radeon_fence_ref end up in dma_fence_get(), which checks for NULL: https://elixir.bootlin.com/linux/latest/source/include/linux/dma-fence.h#L274 
>How-To-Repeat:

>Fix:
I'm proposing the following trivial fix:

--- a/external/bsd/drm2/linux/linux_fence.c
+++ b/external/bsd/drm2/linux/linux_fence.c
@@ -178,8 +178,8 @@ fence_is_later(struct fence *a, struct fence *b)
 struct fence *
 fence_get(struct fence *fence)
 {
-
-       kref_get(&fence->refcount);
+       if (fence)
+               kref_get(&fence->refcount);
        return fence;
 }
 
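Review bot: fence_get() now silently accepts a NULL fence and returns NULL, but nothing in the hunk documents that contract. A one-line comment above the function stating that NULL is allowed and is passed through would help. Since callers such as radeon_fence_ref() can now hand a NULL result onward, the matching release path (not shown in this hunk) should be checked for the same tolerance, otherwise the crash only moves from get to put. On style, `if (fence)` would read better as `if (fence != NULL)`, and the blank line after the opening `{` that the patch removes should stay if the rest of the file keeps it for functions without local variables.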


