[ 676.850997] pancsf fb000000.gpu: Unhandled Page fault in AS6 at VA 0x0000800000000020 [ 676.850997] Reason: TODO [ 676.850997] raw fault status: 0x7CD003C3 [ 676.850997] decoded fault status: SLAVE FAULT [ 676.850997] exception type 0xC3: TRANSLATION_FAULT_3 [ 676.850997] access type 0x3: WRITE [ 676.850997] source id 0x7CD0 [ 676.855929] ------------[ cut here ]------------ [ 676.856711] WARNING: CPU: 1 PID: 9 at drivers/gpu/drm/pancsf/pancsf_sched.c:354 pancsf_group_put+0x19c/0x200 [pancsf] [ 676.858158] Modules linked in: pancsf gpu_sched drm_shmem_helper [ 676.858863] CPU: 1 PID: 9 Comm: kworker/u16:0 Not tainted 6.2.0-rc1BORIS+ #9 [ 676.859556] Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) [ 676.860129] Workqueue: panfrost-csf-sched pancsf_tick_work [pancsf] [ 676.861187] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 676.861881] pc : pancsf_group_put+0x19c/0x200 [pancsf] [ 676.862811] lr : pancsf_group_put+0x5c/0x200 [pancsf] [ 676.863740] sp : ffff80000cf17890 [ 676.864091] x29: ffff80000cf17890 x28: 0000000000000001 x27: 0000000000000001 [ 676.864868] x26: ffff00010fe4619a x25: ffff000124cf72a8 x24: ffff80000cf179b0 [ 676.865645] x23: ffff80000cf17b34 x22: ffff00010fe462a8 x21: ffff000124cf72a8 [ 676.866421] x20: ffff00010fe462a8 x19: ffff00010fe46000 x18: ffffffffffffffb8 [ 676.867198] x17: 0000000000001440 x16: 0000000000000000 x15: 0000000000000001 [ 676.867970] x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000000001 [ 676.868743] x11: 1fffe00021fc8c00 x10: 1fffe00021fc8c55 x9 : 0000000000000000 [ 676.869519] x8 : ffff000123958370 x7 : ffff800002171bb0 x6 : 0000000000000000 [ 676.870294] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000216bac4 [ 676.871067] x2 : 0000000000000001 x1 : 0000000000000004 x0 : ffff00010fe462a8 [ 676.871841] Call trace: [ 676.872114] pancsf_group_put+0x19c/0x200 [pancsf] [ 676.873015] pancsf_tick_work+0x1604/0x1850 [pancsf] [ 676.873930] process_one_work+0x3c0/0x61c [ 676.874366] worker_thread+0x458/0x8f0 [ 676.874770] kthread+0x19c/0x1c4 [ 676.875125] ret_from_fork+0x10/0x20 [ 676.875519] irq event stamp: 1314106 [ 676.875891] hardirqs last enabled at (1314105): [] _raw_spin_unlock_irqrestore+0x4c/0xa4 [ 676.876839] hardirqs last disabled at (1314106): [] el1_dbg+0x24/0x74 [ 676.877627] softirqs last enabled at (1312474): [] _stext+0x3f0/0x4d4 [ 676.878412] softirqs last disabled at (1312467): [] ____do_softirq+0x10/0x1c [ 676.879248] ---[ end trace 0000000000000000 ]--- [ 676.881388] ------------[ cut here ]------------ [ 676.881866] WARNING: CPU: 1 PID: 9 at drivers/gpu/drm/pancsf/pancsf_gem.c:36 pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.883328] Modules linked in: pancsf gpu_sched drm_shmem_helper [ 676.884032] CPU: 1 PID: 9 Comm: kworker/u16:0 Tainted: G W 6.2.0-rc1BORIS+ #9 [ 676.884854] Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) [ 676.885427] Workqueue: panfrost-csf-sched pancsf_tick_work [pancsf] [ 676.886489] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 676.887183] pc : pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.888165] lr : pancsf_gem_unmap_and_put+0x7c/0x130 [pancsf] [ 676.889156] sp : ffff80000cf177f0 [ 676.889507] x29: ffff80000cf17810 x28: 0000000000000001 x27: 0000000000000001 [ 676.890281] x26: ffff00010fe4619a x25: ffff000124cf72a8 x24: ffff80000cf179b0 [ 676.891057] x23: ffff80000cf177f8 x22: ffff80000d2c9000 x21: ffff00011b875800 [ 676.891835] x20: 0000800000002000 x19: ffff00010fe47800 x18: ffffffffffffffb8 [ 676.892611] x17: ffff80000217079c x16: ffff80000837f95c x15: ffff800002170828 [ 676.893388] x14: ffff80000215fe34 x13: ffff8000080b75a0 x12: 0000000000000001 [ 676.894163] x11: 1ffff000019e2ed6 x10: 1ffff000019e2ed6 x9 : 7f8cf43958192c00 [ 676.894939] x8 : 7f8cf43958192c00 x7 : ffff800002165b84 x6 : 0000000000000000 [ 676.895714] x5 : ffff80000c69c5f8 x4 : 0000000000000008 x3 : ffff80000a13396c [ 676.896490] x2 : 0000000000000000 x1 : ffff00010082cc80 x0 : 00000000ffffffea [ 676.897263] Call trace: [ 676.897536] pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.898490] pancsf_free_queue+0x138/0x180 [pancsf] [ 676.899396] pancsf_group_put+0xb4/0x200 [pancsf] [ 676.900287] pancsf_tick_work+0x1604/0x1850 [pancsf] [ 676.901210] process_one_work+0x3c0/0x61c [ 676.901645] worker_thread+0x458/0x8f0 [ 676.902051] kthread+0x19c/0x1c4 [ 676.902405] ret_from_fork+0x10/0x20 [ 676.902798] irq event stamp: 1314144 [ 676.903171] hardirqs last enabled at (1314143): [] kasan_quarantine_put+0xc4/0x1cc [ 676.904063] hardirqs last disabled at (1314144): [] el1_dbg+0x24/0x74 [ 676.904852] softirqs last enabled at (1314130): [] _stext+0x3f0/0x4d4 [ 676.905638] softirqs last disabled at (1314109): [] ____do_softirq+0x10/0x1c [ 676.906474] ---[ end trace 0000000000000000 ]--- [ 676.909620] ------------[ cut here ]------------ [ 676.910096] WARNING: CPU: 1 PID: 9 at drivers/gpu/drm/pancsf/pancsf_gem.c:36 pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.911557] Modules linked in: pancsf gpu_sched drm_shmem_helper [ 676.912260] CPU: 1 PID: 9 Comm: kworker/u16:0 Tainted: G W 6.2.0-rc1BORIS+ #9 [ 676.913082] Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) [ 676.913655] Workqueue: panfrost-csf-sched pancsf_tick_work [pancsf] [ 676.914708] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 676.915402] pc : pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.916384] lr : pancsf_gem_unmap_and_put+0x7c/0x130 [pancsf] [ 676.917365] sp : ffff80000cf17830 [ 676.917715] x29: ffff80000cf17850 x28: 0000000000000001 x27: 0000000000000001 [ 676.918490] x26: ffff00010fe4619a x25: ffff000124cf72a8 x24: ffff80000cf179b0 [ 676.919266] x23: ffff80000cf17838 x22: ffff80000cde6000 x21: ffff00011b875800 [ 676.920042] x20: 0000800000001000 x19: ffff00010fe47000 x18: ffffffffffffffb8 [ 676.920817] x17: ffff800002162b5c x16: ffff80000837f95c x15: ffff80000215fe34 [ 676.921593] x14: ffff800002140d24 x13: ffff8000083cab18 x12: 0000000000000001 [ 676.922367] x11: 1ffff000019e2ede x10: 1ffff000019e2ede x9 : 7f8cf43958192c00 [ 676.923143] x8 : 7f8cf43958192c00 x7 : ffff800002165b84 x6 : 0000000000000000 [ 676.923917] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000a13396c [ 676.924690] x2 : 0000000000000000 x1 : ffff00010082cc80 x0 : 00000000ffffffea [ 676.925463] Call trace: [ 676.925735] pancsf_gem_unmap_and_put+0xb4/0x130 [pancsf] [ 676.926690] pancsf_group_put+0x174/0x200 [pancsf] [ 676.927589] pancsf_tick_work+0x1604/0x1850 [pancsf] [ 676.928504] process_one_work+0x3c0/0x61c [ 676.928940] worker_thread+0x458/0x8f0 [ 676.929346] kthread+0x19c/0x1c4 [ 676.929701] ret_from_fork+0x10/0x20 [ 676.930094] irq event stamp: 1314268 [ 676.930466] hardirqs last enabled at (1314267): [] kasan_quarantine_put+0xc4/0x1cc [ 676.931358] hardirqs last disabled at (1314268): [] el1_dbg+0x24/0x74 [ 676.932147] softirqs last enabled at (1314164): [] _stext+0x3f0/0x4d4 [ 676.932932] softirqs last disabled at (1314147): [] ____do_softirq+0x10/0x1c [ 676.933768] ---[ end trace 0000000000000000 ]--- [ 676.935951] ================================================================== [ 676.936625] BUG: KASAN: use-after-free in pancsf_tick_work+0x15e8/0x1850 [pancsf] [ 676.937741] Write of size 8 at addr ffff00010fe462a8 by task kworker/u16:0/9 [ 676.938401] [ 676.938564] CPU: 1 PID: 9 Comm: kworker/u16:0 Tainted: G W 6.2.0-rc1BORIS+ #9 [ 676.939359] Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) [ 676.939905] Workqueue: panfrost-csf-sched pancsf_tick_work [pancsf] [ 676.940917] Call trace: [ 676.941161] dump_backtrace+0x100/0x150 [ 676.941550] show_stack+0x18/0x24 [ 676.941886] dump_stack_lvl+0x7c/0xa0 [ 676.942262] print_address_description+0x80/0x348 [ 676.942734] print_report+0x114/0x1e4 [ 676.943109] kasan_report+0xbc/0x118 [ 676.943476] __asan_store8+0x94/0x98 [ 676.943835] pancsf_tick_work+0x15e8/0x1850 [pancsf] [ 676.944718] process_one_work+0x3c0/0x61c [ 676.945120] worker_thread+0x458/0x8f0 [ 676.945498] kthread+0x19c/0x1c4 [ 676.945825] ret_from_fork+0x10/0x20 [ 676.946190] [ 676.946349] Allocated by task 509: [ 676.946683] kasan_set_track+0x3c/0x70 [ 676.947066] kasan_save_alloc_info+0x24/0x30 [ 676.947487] __kasan_kmalloc+0x90/0xa8 [ 676.947870] kmalloc_trace+0x7c/0x94 [ 676.948231] pancsf_create_group+0xa8/0xad0 [pancsf] [ 676.949114] pancsf_ioctl_group_create+0x70/0xa8 [pancsf] [ 676.950036] drm_ioctl_kernel+0x148/0x1c0 [ 676.950438] drm_ioctl+0x278/0x524 [ 676.950781] __arm64_sys_ioctl+0xb8/0xf0 [ 676.951180] invoke_syscall+0x54/0x170 [ 676.951554] el0_svc_common+0x104/0x154 [ 676.951935] do_el0_svc+0x40/0xe8 [ 676.952269] el0_svc+0x50/0xbc [ 676.952588] el0t_64_sync_handler+0x84/0xf0 [ 676.953006] el0t_64_sync+0x190/0x194 [ 676.953371] [ 676.953529] Freed by task 9: [ 676.953816] kasan_set_track+0x3c/0x70 [ 676.954199] kasan_save_free_info+0x38/0x5c [ 676.954611] ____kasan_slab_free+0xf4/0x17c [ 676.955030] __kasan_slab_free+0x18/0x28 [ 676.955428] slab_free_freelist_hook+0xb0/0x17c [ 676.955876] __kmem_cache_free+0x130/0x27c [ 676.956283] kfree+0x80/0xc8 [ 676.956580] pancsf_group_put+0x190/0x200 [pancsf] [ 676.957447] pancsf_tick_work+0x1604/0x1850 [pancsf] [ 676.958331] process_one_work+0x3c0/0x61c [ 676.958732] worker_thread+0x458/0x8f0 [ 676.959110] kthread+0x19c/0x1c4 [ 676.959436] ret_from_fork+0x10/0x20 [ 676.959796] [ 676.959955] Last potentially related work creation: [ 676.960412] kasan_save_stack+0x30/0x60 [ 676.960802] kasan_record_aux_stack_noalloc+0x88/0x9c [ 676.961292] insert_work+0x3c/0x194 [ 676.961645] __queue_work+0x5f0/0x6a8 [ 676.962010] queue_work_on+0x64/0xe0 [ 676.962367] pancsf_queue_csg_sync_update_locked+0x90/0x108 [pancsf] [ 676.963374] pancsf_sched_handle_job_irqs+0x828/0xfd4 [pancsf] [ 676.964333] pancsf_job_irq_handler+0xa4/0x134 [pancsf] [ 676.965239] irq_thread_fn+0x48/0xb0 [ 676.965602] irq_thread+0x158/0x230 [ 676.965953] kthread+0x19c/0x1c4 [ 676.966280] ret_from_fork+0x10/0x20 [ 676.966642] [ 676.966800] Second to last potentially related work creation: [ 676.967334] kasan_save_stack+0x30/0x60 [ 676.967723] kasan_record_aux_stack_noalloc+0x88/0x9c [ 676.968213] insert_work+0x3c/0x194 [ 676.968566] __queue_work+0x5f0/0x6a8 [ 676.968931] queue_work_on+0x64/0xe0 [ 676.969289] pancsf_queue_csg_sync_update_locked+0x90/0x108 [pancsf] [ 676.970295] pancsf_sched_handle_job_irqs+0x828/0xfd4 [pancsf] [ 676.971253] pancsf_job_irq_handler+0xa4/0x134 [pancsf] [ 676.972158] irq_thread_fn+0x48/0xb0 [ 676.972518] irq_thread+0x158/0x230 [ 676.972869] kthread+0x19c/0x1c4 [ 676.973196] ret_from_fork+0x10/0x20 [ 676.973557] [ 676.973716] The buggy address belongs to the object at ffff00010fe46000 [ 676.973716] which belongs to the cache kmalloc-1k of size 1024 [ 676.974851] The buggy address is located 680 bytes inside of [ 676.974851] 1024-byte region [ffff00010fe46000, ffff00010fe46400) [ 676.975929] [ 676.976089] The buggy address belongs to the physical page: [ 676.976609] page:000000000458aa1a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fe40 [ 676.977479] head:000000000458aa1a order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 [ 676.978330] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff) [ 676.979028] raw: 0bfffc0000010200 ffff000100002780 dead000000000122 0000000000000000 [ 676.979750] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 676.980459] page dumped because: kasan: bad access detected [ 676.980978] [ 676.981137] Memory state around the buggy address: [ 676.981592] ffff00010fe46180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 676.982261] ffff00010fe46200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 676.982930] >ffff00010fe46280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 676.983594] ^ [ 676.984026] ffff00010fe46300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 676.984695] ffff00010fe46380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 676.985358] ================================================================== [ 676.986319] Disabling lock debugging due to kernel taint [ 677.297593] pancsf fb000000.gpu: Unhandled Page fault in AS5 at VA 0x0000800000000020 [ 677.297593] Reason: TODO [ 677.297593] raw fault status: 0x7CD003C3 [ 677.297593] decoded fault status: SLAVE FAULT [ 677.297593] exception type 0xC3: TRANSLATION_FAULT_3 [ 677.297593] access type 0x3: WRITE [ 677.297593] source id 0x7CD0 [ 677.609441] ------------[ cut here ]------------ [ 677.609864] WARNING: CPU: 7 PID: 83 at drivers/gpu/drm/pancsf/pancsf_sched.c:421 pancsf_tick_work+0xa14/0x1850 [pancsf] [ 677.610963] Modules linked in: pancsf gpu_sched drm_shmem_helper [ 677.611516] CPU: 7 PID: 83 Comm: kworker/u16:4 Tainted: G B W 6.2.0-rc1BORIS+ #9 [ 677.612281] Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) [ 677.612799] Workqueue: panfrost-csf-sched pancsf_tick_work [pancsf] [ 677.613492] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 677.614116] pc : pancsf_tick_work+0xa14/0x1850 [pancsf] [ 677.614716] lr : pancsf_tick_work+0x990/0x1850 [pancsf] [ 677.615315] sp : ffff80000dbf78d0 [ 677.615612] x29: ffff80000dbf7c50 x28: 0000000000000001 x27: 0000000000000004 [ 677.616258] x26: 0000000000000068 x25: 00000000ffffffff x24: ffff80000dbf79a0 [ 677.616903] x23: ffff0001233c8880 x22: 000000000000007f x21: ffff00011b0e4194 [ 677.617548] x20: ffff00011b0e42a8 x19: ffff80000dbf79b0 x18: ffffffffffffe563 [ 677.618193] x17: 0000000002c44449 x16: 000000001a64b629 x15: 0000000000000001 [ 677.618838] x14: 0000000000000000 x13: 000000000001a4ac x12: 0000000000000001 [ 677.619482] x11: 1ffff00001eace00 x10: 1fffe0002361c837 x9 : 0000000000000000 [ 677.620127] x8 : 0000000000000001 x7 : 0000000000000000 x6 : ffff800002171cf8 [ 677.620771] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000216de90 [ 677.621415] x2 : 0000000000000000 x1 : 0000000000000004 x0 : ffff00011b0e41b8 [ 677.622059] Call trace: [ 677.622280] pancsf_tick_work+0xa14/0x1850 [pancsf] [ 677.622851] process_one_work+0x3c0/0x61c [ 677.623218] worker_thread+0x458/0x8f0 [ 677.623559] kthread+0x19c/0x1c4 [ 677.623852] ret_from_fork+0x10/0x20 [ 677.624179] irq event stamp: 1342352 [ 677.624497] hardirqs last enabled at (1342351): [] _raw_spin_unlock_irq+0x40/0x9c [ 677.625311] hardirqs last disabled at (1342352): [] __schedule+0x19c/0x960 [ 677.626060] softirqs last enabled at (1341458): [] _stext+0x3f0/0x4d4 [ 677.626777] softirqs last disabled at (1341447): [] ____do_softirq+0x10/0x1c [ 677.627541] ---[ end trace 0000000000000000 ]--- [ 678.761295] sched: RT throttling activated