https://bugzilla.kernel.org/show_bug.cgi?id=198221
Petr Vandrovec (petr@vandrovec.name) changed:
What           |Removed |Added
----------------------------------------------------------------------------
Regression     |No      |Yes

--- Comment #2 from Petr Vandrovec (petr@vandrovec.name) ---
I've built the kernel with the change and gave it some time, but I don't think that it is the culprit.
I think that there is a race in how nouveau handles scheduled work:
This work being scheduled has func callback set to nouveau_gem_object_delete_work(), which does its job, and then frees the work.
Now nouveau_cli_work_queue sets some work properties, adds work to the cli->worker queue, and schedules work->cli->work.
But nouveau_cli_work might run between the moment the work is added to the cli->worker queue and the moment schedule_work(&work->cli->work) is issued.
In that case work dereference in nouveau_cli_work_fence will access freed work memory, read garbage (0x00010000 in this case), add offsetof(cli, work) of 0x1f8, and pass this garbage pointer into schedule_work().
I'm not entirely sure what the expectations for the work are, but perhaps the work should be added to the cli->worker list from nouveau_cli_work_fence, rather than by nouveau_cli_work_queue.
The regression seems to be introduced by 814a23243bd2aaa9aafe03d85d0502a73be42b58, "drm/nouveau: implement per-client delayed workqueue with fence support".
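The ordering problem described in the comment, as an added illustration that is not nouveau's code and not a proposed patch: a constructed model in which a work item becomes visible to a worker the moment it is put on the client's list, and the worker's callback frees it. `run_scenario` returns -1 when the caller reads through the work pointer after publishing it (the use-after-free window), and 0 when everything it needs from the work was captured beforehand. Names (`cli`, `work`, `worker_run`, `queue_unsafe`, `queue_safe`) are assumptions of this model.

```c
#include <stdbool.h>

/* Constructed model (not the driver): a client with a per-client work list. */
struct cli  { int pending; int scheduled; };
struct work { struct cli *cli; bool freed; };   /* freed: stands in for kfree() */

/* Models nouveau_cli_work() running the func callback, which frees the work. */
static void worker_run(struct cli *cli, struct work *w)
{
    cli->pending--;
    w->freed = true;
}

/* Publishes w on cli's list, then reads w->cli to schedule: the pattern the
 * comment describes. Returns -1 if that read hits already-freed memory. */
static int queue_unsafe(struct cli *cli, struct work *w, bool worker_races)
{
    w->cli = cli;
    cli->pending++;                 /* w is now visible to the worker */
    if (worker_races)
        worker_run(cli, w);         /* worker wins the race and frees w */
    if (w->freed)
        return -1;                  /* schedule_work(&w->cli->work) on freed w */
    w->cli->scheduled++;
    return 0;
}

/* Captures the owning cli BEFORE publishing, so w is never touched afterwards. */
static int queue_safe(struct cli *cli, struct work *w, bool worker_races)
{
    w->cli = cli;
    struct cli *owner = w->cli;     /* everything needed later, taken up front */
    cli->pending++;                 /* w is now visible to the worker */
    if (worker_races)
        worker_run(cli, w);
    owner->scheduled++;             /* no dereference of w after publication */
    return 0;
}

/* Runs one queue attempt on fresh objects; worker_races simulates
 * nouveau_cli_work already executing when the work is added. */
int run_scenario(bool safe, bool worker_races)
{
    struct cli c = { 0, 0 };
    struct work w = { 0, false };
    return safe ? queue_safe(&c, &w, worker_races)
                : queue_unsafe(&c, &w, worker_races);
}
```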