Description
[ 49.579630] =============================================================================
[ 49.579655] BUG kmalloc-128 (Tainted: G W O ): Object already free
[ 49.579670] -----------------------------------------------------------------------------
[ 49.579670]
[ 49.579687] Disabling lock debugging due to kernel taint
[ 49.579713] INFO: Allocated in sg_kmalloc+0x18/0x30 age=1700 cpu=1 pid=4050
[ 49.579729] INFO: Freed in sg_free_table+0x7c/0x90 age=5 cpu=1 pid=3548
[ 49.579743] INFO: Slab 0xffff7e000053dc00 objects=21 used=20 fp=0xffff800014f70200 flags=0x4081
[ 49.579760] INFO: Object 0xffff800014f70200 @offset=512 fp=0x (null)
[ 49.579760]
[ 49.579781] Redzone ffff800014f70180: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579798] Redzone ffff800014f70190: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579814] Redzone ffff800014f701a0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579831] Redzone ffff800014f701b0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579847] Redzone ffff800014f701c0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579863] Redzone ffff800014f701d0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579879] Redzone ffff800014f701e0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579895] Redzone ffff800014f701f0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 49.579912] Object ffff800014f70200: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.579928] Object ffff800014f70210: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.579944] Object ffff800014f70220: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.590218] Object ffff800014f70230: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.590244] Object ffff800014f70240: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.590264] Object ffff800014f70250: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.590285] Object ffff800014f70260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 49.590305] Object ffff800014f70270: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 49.590325] Redzone ffff800014f70280: bb bb bb bb bb bb bb bb ........
[ 49.590345] Padding ffff800014f702c0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 49.590364] Padding ffff800014f702d0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 49.590384] Padding ffff800014f702e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 49.590404] Padding ffff800014f702f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 49.590434] CPU: 0 PID: 88 Comm: kworker/u8:3 Tainted: G B W O 4.9.0-yocto-standard #9
[ 49.590454] Hardware name: XENVM-4.9 (DT)
[ 49.590477] Workqueue: events_unbound commit_work
[ 49.590494] Call trace:
[ 49.590509] [] dump_backtrace+0x0/0x1a0
[ 49.590524] [] show_stack+0x14/0x20
[ 49.590541] [] dump_stack+0x94/0xb8
[ 49.590558] [] print_trailer+0x124/0x1f8
[ 49.590572] [] object_err+0x3c/0x50
[ 49.590588] [] free_debug_processing+0x2c8/0x398
[ 49.590604] [] __slab_free+0x294/0x3c0
[ 49.590617] [] kfree+0x1ac/0x1b0
[ 49.590635] [] sg_free_table+0x7c/0x90
[ 49.590654] [] rcar_du_vsp_plane_cleanup_fb+0x78/0xa0
[ 49.590670] [] drm_atomic_helper_cleanup_planes+0x74/0x98
[ 49.629995] [] rcar_du_atomic_commit_tail+0x5c/0x68
[ 49.630031] [] commit_tail+0x44/0x80
[ 49.630047] [] commit_work+0x10/0x18
[ 49.630068] [] process_one_work+0x1c8/0x380
[ 49.630087] [] worker_thread+0x48/0x498
[ 49.630104] [] kthread+0xd0/0xe8
[ 49.630122] [] ret_from_fork+0x10/0x50
This is caused because `rcar_du_vsp_plane_state` holds `sg_tables`. When `rcar_du_vsp_plane_atomic_duplicate_state()` creates a copy of the plane state, it also copies the state of `sg_tables`. Then, in some cases, `rcar_du_vsp_plane_prepare_fb()` is not called for the original plane. So `rcar_du_vsp_plane_cleanup_fb()` tries to free the same sg_table two times: for the original plane and for the copied one.
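The ownership problem described above, reduced to a user-space C model. This is an added example, not code from the driver: the `toy_*` names, `NUM_TABLES` and the `reset` flag are hypothetical, and clearing the copy's tables is only one possible remedy, not necessarily the fix the project adopted.

```c
#include <string.h>

#define NUM_TABLES 3                     /* constructed value for this sketch */
struct toy_alloc { int freed; };         /* stands in for one kmalloc'd sg list */
struct toy_state { struct toy_alloc *sgl[NUM_TABLES]; };
static struct toy_alloc pool[NUM_TABLES];
static int double_frees;

/* prepare_fb analogue: the state takes ownership of fresh sg lists. */
static void toy_prepare_fb(struct toy_state *s)
{
    for (int i = 0; i < NUM_TABLES; i++)
        s->sgl[i] = &pool[i];
}

/* cleanup_fb analogue; a repeated free is counted instead of performed. */
static void toy_cleanup_fb(struct toy_state *s)
{
    for (int i = 0; i < NUM_TABLES; i++) {
        if (!s->sgl[i])
            continue;
        double_frees += s->sgl[i]->freed;
        s->sgl[i]->freed = 1;
        s->sgl[i] = NULL;
    }
}

/* duplicate_state analogue: reset == 0 aliases the original's lists (the
 * reported pattern), reset == 1 gives the copy no lists of its own. */
static struct toy_state toy_duplicate_state(const struct toy_state *src, int reset)
{
    struct toy_state copy = *src;
    if (reset)
        memset(copy.sgl, 0, sizeof(copy.sgl));
    return copy;
}

/* Duplicate a prepared state, skip prepare_fb on the copy, clean up both. */
static int count_double_frees(int reset)
{
    struct toy_state orig, copy;
    memset(pool, 0, sizeof(pool));
    double_frees = 0;
    toy_prepare_fb(&orig);
    copy = toy_duplicate_state(&orig, reset);
    toy_cleanup_fb(&copy);
    toy_cleanup_fb(&orig);
    return double_frees;
}
```

`count_double_frees(0)` reports one repeated free per table, because cleaning up the copy clears only the copy's pointers and the original still refers to the freed lists; `count_double_frees(1)` reports none.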