drm_dev_put() throws use-after-free on unbind cleanup #14

@lenticularis39

Radeon device fails to initialize because of some configuration issue. The rare code path used to detach the driver then WARNs like this:

[   19.874251] [drm] radeon kernel modesetting enabled.
[   19.874251] radeon 0000:c1:00.0: vgaarb: deactivate vga console
[   19.874251] pci 0000:c0:01.0: BAR 0 [mem 0x00000000-0x0000ffff 64bit pref]: not claimed; can't enable device
[   19.874251] pci 0000:c0:01.0: Error enabling bridge (-22), continuing
[   19.874251] radeon 0000:c1:00.0: BAR 0 [mem 0x00000000-0x0fffffff 64bit pref]: not claimed; can't enable device
[   19.874251] radeon 0000:c1:00.0: probe with driver radeon failed with error -22
[   19.874251] ------------[ cut here ]------------
[   19.874251] WARNING: CPU: 0 PID: 293 at lib/refcount.c:28 refcount_warn_saturate+0x170/0x380
[   19.874251] refcount_t: underflow; use-after-free.
[   19.874251] Modules linked in: radeon(+) drm_client_lib video drm_exec drm_suballoc_helper i2c_algo_bit drm_ttm_helper ttm drm_display_helper drm_kms_helper drm joydev ipmi_ssif drm_panel_orientation_quirks i2c_core evdev ipmi_devintf efi_pstore ipmi_msghandler dm_mod btrfs blake2b_generic xor raid6_pq hid_generic usbhid hid sd_mod sr_mod cdrom ata_generic mptspi scsi_transport_spi mptscsih pata_cmd64x ohci_pci libata ohci_hcd mptbase ehci_pci ehci_hcd scsi_mod usbcore e1000 scsi_common usb_common
[   19.878255] CPU: 0 UID: 0 PID: 293 Comm: (udev-worker) Tainted: G        W           6.18.0-rc1-epic1 #53 PREEMPT 
[   19.878255] Tainted: [W]=WARN
[   19.878255] Hardware name: hp server rx2620                   , BIOS 04.29                                                            11/30/2007          
[   19.878255] 
               Call Trace:
[   19.878255]  [<a00000010003b470>] show_stack.part.0+0x30/0x80
                                               sp=e000000101b1fa60 bsp=e000000101b11c08
[   19.878255]  [<a00000010003b750>] show_stack+0x90/0xc0
                                               sp=e000000101b1fa60 bsp=e000000101b11bd0
[   19.878255]  [<a000000100026940>] dump_stack_lvl+0xe0/0x120
                                               sp=e000000101b1fc30 bsp=e000000101b11b60
[   19.878255]  [<a0000001000269b0>] dump_stack+0x30/0x60
                                               sp=e000000101b1fc30 bsp=e000000101b11b08
[   19.878255]  [<a00000010008f8e0>] __warn+0x220/0x2c0
                                               sp=e000000101b1fc30 bsp=e000000101b11ac0
[   19.878255]  [<a00000010008fcf0>] warn_slowpath_fmt+0x370/0x500
                                               sp=e000000101b1fc30 bsp=e000000101b11a48
[   19.878255]  [<a000000100b85870>] refcount_warn_saturate+0x170/0x380
                                               sp=e000000101b1fc60 bsp=e000000101b11a20
[   19.878255]  [<a0000002017e9dc0>] drm_dev_put.part.0+0x180/0x1c0 [drm]
                                               sp=e000000101b1fc60 bsp=e000000101b11a00
[   19.878255]  [<a0000002017e9eb0>] devm_drm_dev_init_release+0x30/0x80 [drm]
                                               sp=e000000101b1fc60 bsp=e000000101b119d8
[   19.878255]  [<a000000101078040>] devm_action_release+0x40/0x80
                                               sp=e000000101b1fc60 bsp=e000000101b119b0
[   19.878255]  [<a00000010107c330>] devres_release_all+0x130/0x240
                                               sp=e000000101b1fc60 bsp=e000000101b11978
[   19.878255]  [<a00000010106ad70>] device_unbind_cleanup+0x30/0x180
                                               sp=e000000101b1fc70 bsp=e000000101b11950
[   19.878255]  [<a00000010106ca20>] really_probe+0x660/0xb40
                                               sp=e000000101b1fc70 bsp=e000000101b11900
[   19.878255]  [<a00000010106d1f0>] __driver_probe_device+0x2f0/0x3c0
                                               sp=e000000101b1fc80 bsp=e000000101b118c0
[   19.878255]  [<a00000010106d4e0>] driver_probe_device+0xa0/0x200
                                               sp=e000000101b1fc80 bsp=e000000101b11878
[   19.878255]  [<a00000010106dcd0>] __driver_attach+0x290/0x4c0
                                               sp=e000000101b1fc80 bsp=e000000101b11840
[   19.878255]  [<a000000101066bc0>] bus_for_each_dev+0x100/0x1c0
                                               sp=e000000101b1fc80 bsp=e000000101b117f0
[   19.878255]  [<a00000010106b140>] driver_attach+0x40/0x80
                                               sp=e000000101b1fc90 bsp=e000000101b117d0
[   19.878255]  [<a000000101069b30>] bus_add_driver+0x230/0x580
                                               sp=e000000101b1fc90 bsp=e000000101b11788
[   19.878255]  [<a00000010106fc20>] driver_register+0x160/0x340
                                               sp=e000000101b1fc90 bsp=e000000101b11758
[   19.878255]  [<a000000100de9b40>] __pci_register_driver+0xc0/0x100
                                               sp=e000000101b1fc90 bsp=e000000101b11728
[   19.878255]  [<a0000002030f0100>] radeon_module_init+0x100/0x10000 [radeon]
                                               sp=e000000101b1fc90 bsp=e000000101b11710
[   19.878255]  [<a0000001000302a0>] do_one_initcall+0xe0/0x580
                                               sp=e000000101b1fc90 bsp=e000000101b116e0
[   19.878255]  [<a000000100229bc0>] do_init_module+0xc0/0x6c0
                                               sp=e000000101b1fcd0 bsp=e000000101b11698
[   19.878255]  [<a00000010022ec20>] load_module+0x4360/0x52c0
                                               sp=e000000101b1fcd0 bsp=e000000101b11528
[   19.878255]  [<a000000100230050>] init_module_from_file+0xd0/0x140
                                               sp=e000000101b1fd50 bsp=e000000101b114f0
[   19.878255]  [<a0000001002304f0>] sys_finit_module+0x330/0x840
                                               sp=e000000101b1fde0 bsp=e000000101b11448
[   19.878255]  [<a000000100032800>] ia64_ret_from_syscall+0x0/0x20
                                               sp=e000000101b1fe30 bsp=e000000101b11440
[   19.878255] ---[ end trace 0000000000000000 ]---
[   24.313182] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
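For triaging kernel logs that contain this class of warning, the following is an added example, not part of the original report and not code from the kernel or the radeon driver. It scans dmesg text for `refcount_t` WARN splats and returns the first frames below the warning machinery, which identify the code that dropped the reference. The sample log is constructed by abridging the trace above, and the function and variable names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the trace quoted in the issue.
SAMPLE = """\
[   19.874251] radeon 0000:c1:00.0: probe with driver radeon failed with error -22
[   19.874251] ------------[ cut here ]------------
[   19.874251] WARNING: CPU: 0 PID: 293 at lib/refcount.c:28 refcount_warn_saturate+0x170/0x380
[   19.874251] refcount_t: underflow; use-after-free.
[   19.878255]  [<a00000010008fcf0>] warn_slowpath_fmt+0x370/0x500
                                               sp=e000000101b1fc30 bsp=e000000101b11a48
[   19.878255]  [<a000000100b85870>] refcount_warn_saturate+0x170/0x380
[   19.878255]  [<a0000002017e9dc0>] drm_dev_put.part.0+0x180/0x1c0 [drm]
[   19.878255]  [<a0000002017e9eb0>] devm_drm_dev_init_release+0x30/0x80 [drm]
[   19.878255]  [<a000000101078040>] devm_action_release+0x40/0x80
[   19.878255] ---[ end trace 0000000000000000 ]---
"""

WARN = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) ")
KIND = re.compile(r"refcount_t: (.+)$")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
# Frames that belong to the warning machinery itself, not to the caller at fault.
PLUMBING = {"show_stack", "dump_stack_lvl", "dump_stack", "__warn",
            "warn_slowpath_fmt", "refcount_warn_saturate"}

def refcount_warnings(log):
    """Return one dict per refcount_t WARN: pid, site, kind and caller frames."""
    events, cur = [], None
    for line in log.splitlines():
        if m := WARN.search(line):
            cur = {"pid": int(m.group(1)), "site": m.group(2), "kind": None, "frames": []}
        elif cur is None:
            continue
        elif m := KIND.search(line):
            cur["kind"] = m.group(1).strip()
        elif m := FRAME.search(line):
            func = m.group(1).split(".")[0]  # drop compiler suffixes such as .part.0
            if func not in PLUMBING:
                cur["frames"].append((func, m.group(2)))
        elif "end trace" in line:
            if cur["kind"]:  # keep only WARNs that carried a refcount_t message
                events.append(cur)
            cur = None
    return events

if __name__ == "__main__":
    for ev in refcount_warnings(SAMPLE):
        print(ev["pid"], ev["kind"], ev["frames"][:3])
```

The `sp=`/`bsp=` continuation lines of the ia64 trace format match none of the patterns and are skipped.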
