Hello, I'm getting some fence refcounting related panics with the current Linus's master branch: It happens immediately whenever I start Xorg or sway. Anyone has any ideas where to start looking? It works fine with v5.15. (sorry for the interleaved log, it's coming from multiple CPUs at once I guess) kind regards, o. ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 4 PID: 560 at lib/refcount.c:28 refcount_warn_saturate+0xec/0x140 Modules linked in: CPU: 4 PID: 560 Comm: sway Not tainted 5.15.0-13547-g5169ae41ace0 #24 Hardware name: Pine64 PinePhonePro (DT) pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xec/0x140 lr : refcount_warn_saturate+0xec/0x140 sp : ffff8000127b3be0 x29: ffff8000127b3be0 x28: ffff8000127b3d50 x27: ffff00001927e700 x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000004 x23: ffff00001e31da80 x22: ffff000005497580 x21: ffff00001e31da90 x20: ffff00001e31da80 x19: ffff00001e31da90 x18: 0000000000000003 x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000127b3b68 x14: ffffffffffffffff x13: 2e656572662d7265 x12: 7466612d65737520 x11: 3b776f6c66726564 x10: ffff800011d7e8a0 x9 : ffff800010178a1c x8 : 00000000ffffefff x7 : ffff800011dd68a0 x6 : 0000000000000001 x5 : ffff0000f778e788 x4 : 0000000000000000 x3 : 0000000000000027 x2 : 0000000000000023 x1 : ffff0000f778e790 x0 : 0000000000000026 Call trace: refcount_warn_saturate+0xec/0x140 drm_syncobj_replace_fence+0x16c/0x17c panfrost_ioctl_submit+0x364/0x440 drm_ioctl_kernel+0x9c/0x154 drm_ioctl+0x1f0/0x410 __arm64_sys_ioctl+0xb4/0xdc invoke_syscall+0x4c/0x110 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x2c/0x90 el0_svc+0x14/0x50 el0t_64_sync_handler+0x9c/0x120 el0t_64_sync+0x158/0x15c ---[ end trace 51cdc14807ba9222 ]--- ------------[ cut here ]------------ Unable to handle kernel write to read-only memory at virtual address ffff800010820b10 refcount_t: saturated; leaking memory. Mem abort info: WARNING: CPU: 1 PID: 223 at lib/refcount.c:22 refcount_warn_saturate+0x6c/0x140 ESR = 0x9600004e Modules linked in: EC = 0x25: DABT (current EL), IL = 32 bits CPU: 1 PID: 223 Comm: pan_js Tainted: G W 5.15.0-13547-g5169ae41ace0 #24 SET = 0, FnV = 0 Hardware name: Pine64 PinePhonePro (DT) EA = 0, S1PTW = 0 pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) FSC = 0x0e: level 2 permission fault pc : refcount_warn_saturate+0x6c/0x140 Data abort info: lr : refcount_warn_saturate+0x6c/0x140 ISV = 0, ISS = 0x0000004e sp : ffff800012a2bd90 CM = 0, WnR = 1 x29: ffff800012a2bd90 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000019ba000 x28: 0000000000000000 [ffff800010820b10] pgd=10000000f7fff003 x27: 0000000000000000 , p4d=10000000f7fff003 , pud=10000000f7ffe003 x26: 0000000000000000 , pmd=0040000000a00781 x25: ffff800011906000 x24: ffff000013ee7a20 Internal error: Oops: 9600004e [#1] SMP Modules linked in: x23: ffff8000108211e0 x22: ffff800011906000 CPU: 2 PID: 222 Comm: pan_js Tainted: G W 5.15.0-13547-g5169ae41ace0 #24 x21: ffff0000251ef000 Hardware name: Pine64 PinePhonePro (DT) pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) x20: ffff000005497580 pc : dma_fence_add_callback+0xc8/0x120 x19: ffff00001532b4c0 lr : dma_fence_add_callback+0x78/0x120 x18: 0000000000000000 sp : ffff800012a23d60 x29: ffff800012a23d60 x17: 000000040044ffff x28: 0000000000000000 x16: 00000032b5503510 x27: 0000000000000000 x15: 0000000000000000 x26: 0000000000000000 x14: ffff00000550c380 x25: ffff800011906000 x13: 2e79726f6d656d20 x24: 0000000000000000 x12: 676e696b61656c20 x23: 0000000000000000 x11: 3b64657461727574 x22: ffff8000108211e0 x10: 6173203a745f746e x21: ffff0000054975d0 x9 : ffff80001022e51c x20: ffff00001532b468 x8 : 0000000000000001 x19: ffff000005497580 x7 : 0000000000000e08 x18: 0000000000000000 x6 : 0000000000000001 x17: 000000040044ffff x5 : 0000000000000000 x16: 00000032b5503510 x4 : ffff0000f773a788 x15: 0000000000000000 x3 : ffff0000f77466f0 x14: ffff00000550d100 x2 : ffff0000f773a788 x13: ffff8000e5e4e000 x1 : ffff8000e5e32000 x12: 0000000034d4d91d x0 : 0000000000000026 x11: 0000000000000000 Call trace: x10: 0000000000000002 refcount_warn_saturate+0x6c/0x140 x9 : ffff800010899578 drm_sched_entity_pop_job+0x418/0x490 drm_sched_main+0xb0/0x41c x8 : ffff0000148dcd60 kthread+0x14c/0x160 x7 : 0000000000000000 ret_from_fork+0x10/0x20 x6 : 00000000010a4760 ---[ end trace 51cdc14807ba9223 ]--- x5 : ffff000013ee79f8 x4 : 0000000000000001 x3 : ffff0000054975b0 x2 : 0000000000000000 x1 : ffff800010820b10 x0 : ffff000005497590 Call trace: dma_fence_add_callback+0xc8/0x120 drm_sched_entity_pop_job+0xa4/0x490 drm_sched_main+0xb0/0x41c kthread+0x14c/0x160 ret_from_fork+0x10/0x20 Code: 91004260 f9400e61 f9000e74 a9000680 (f9000034) ---[ end trace 51cdc14807ba9224 ]--- Kernel panic - not syncing: Oops: Fatal exception SMP: stopping secondary CPUs SMP: failed to stop secondary CPUs 1-2 Kernel Offset: disabled CPU features: 0x2,00004042,40000806 Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception ]---
