NetBSD-Bugs archive


Re: kern/56804: panic: drm2 overreleasing kref



The following reply was made to PR kern/56804; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: prlw1%cam.ac.uk@localhost
Cc: gnats-bugs%NetBSD.org@localhost
Subject: Re: kern/56804: panic: drm2 overreleasing kref
Date: Wed, 25 May 2022 01:02:33 +0000

 If you still have the core dump, can you share dmesg, and print what
 `ret' is in frame #8?  I want to see how nouveau_bo_init failed.
 
 
 The immediate cause of this panic is that the error branches in
 nouveau_gem_new are broken:
 
 	ret = drm_gem_object_init(drm->dev, &nvbo->bo.base, size);
 	if (ret) {
 		nouveau_bo_ref(NULL, &nvbo);
 		return ret;
 	}
 
 	ret = nouveau_bo_init(nvbo, size, align, flags, NULL, NULL);
 	if (ret) {
 		nouveau_bo_ref(NULL, &nvbo);
 		return ret;
 	}
 
 The function nouveau_bo_ref(NULL, &nvbo) releases the reference to
 nvbo (and sets it to null), by doing ttm_bo_put(&nvbo->bo).  But
 ttm_bo_put isn't valid until ttm_bo_init has completed, and that
 doesn't run until nouveau_bo_init.
 
 Instead, this should maybe just use kfree (not sure if
 nv10_bo_put_tile_region is necessary here -- issued by
 nouveau_bo_del_ttm which is normally used by ttm in ttm_bo_put to free
 nvbo when the last reference is dropped).
 
 But none of this explains why we took this error branch in the first
 place.  Knowing what `ret' is might help to narrow down which
 branch of nouveau_bo_init -> ttm_bo_init -> ttm_bo_init_reserved
 failed.  If you can reproduce this, it might also be helpful to insert
 printfs in every branch of ttm_bo_init_reserved, and of its callees
 ttm_bo_validate/ttm_bo_move_buffer/ttm_bo_mem_space/ttm_bo_handle_move_mem,
 to see where it came from.
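
The broken error branch described in the message above, reduced to a user-space C model (an added example, not part of the original message and not NetBSD or nouveau code). All names are hypothetical: `obj_put` stands in for the reference drop, `obj_init` for the stage that sets up the reference count. The fixed branch follows the message's tentative suggestion of a plain free and does not model tile-region cleanup.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; all names are hypothetical, not nouveau/ttm code. */
struct obj { int refcnt; };	/* refcnt valid only after obj_init() */
static int overreleases;	/* puts seen on an uninitialised refcount */

static int obj_init(struct obj *o, int fail)
{
	if (fail)
		return -1;	/* fails before the refcount is set up */
	o->refcnt = 1;		/* the only place a reference is created */
	return 0;
}

static void obj_put(struct obj *o)
{
	if (o->refcnt <= 0)
		overreleases++;	/* a kernel kref would panic here */
	else if (--o->refcnt > 0)
		return;
	free(o);
}

/* Constructor; put_on_error selects the broken error branch. */
static struct obj *obj_new(int fail, int put_on_error)
{
	struct obj *o = calloc(1, sizeof(*o));
	if (o == NULL || obj_init(o, fail) == 0)
		return o;
	if (put_on_error)
		obj_put(o);	/* broken: no reference exists yet */
	else
		free(o);	/* fixed: plain free before init completes */
	return NULL;
}

static int failed_new_overreleases(int put_on_error)
{
	overreleases = 0;
	(void)obj_new(1, put_on_error);	/* force the init failure */
	return overreleases;
}

int main(void)
{
	printf("broken=%d fixed=%d\n", failed_new_overreleases(1), failed_new_overreleases(0));
	return 0;
}
```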
 

