From nobody Sun Jun 14 01:35:18 2026 Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5A1B30E853 for ; Mon, 4 May 2026 20:19:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777925954; cv=none; b=N4KlJ+AU+ZS5kJjqb8kwYmkkYwDI2AliF/BsXFjTHO/vbOHAu2PmvP8GhLctH/oVjAV+kTSQjhf67Ur0sFwF1CaocUvTqIQy6G3qEFdIHAMnrcWXgqnLdlh9JEM5LpEnUtE9QsCLlvhxkN0W25qD8GvM6kBcYy88Jyec1oHsoAY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777925954; c=relaxed/simple; bh=EF/AXOZq24b4Tnt1bvQhOXUwu01Y3py1+Jyfb67o9BE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=YXovH4RXpbpXwXiQ+4fCMEU+/UWWGkmjWSmBLsP7VcFIA+Z9zQc0BD8SxQSNR9AIaRpUBe8O6QlETjtih7Qlm5p8QS0zIor1AN2DC/ME2UftE47VqSrmblcRLy9T7SUV3kAYSYLJbcXT8q67ckmJuwKgnTXeybdyZntsT7oXdmw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=k/yq6Obb; arc=none smtp.client-ip=209.85.208.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="k/yq6Obb" Received: by mail-lj1-f180.google.com with SMTP id 38308e7fff4ca-38e7d983f50so51498951fa.1 for ; Mon, 04 May 2026 13:19:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777925951; x=1778530751; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=0tOD8/6djJ4pMyTuanqYIEyAgeWg4xBI8A3+BKBgiYE=; b=k/yq6ObbBgnyW4N5VMtPd9CvOEyfEyw/Zoq7pXMthK3WWIMT4PYIxhObc5mAafbJON m0GqgMo8i6YUwFu1tupbGV/6H+dikEc9OfLLSXqbTCmGsHsTGc0R4mqpjWXk7yNxnQ4B xVcK8PeDkQA2cFpsNS+jpx0B4Wd9oKUQO+WxBDp7K9/lwLuBRNSyVEA+mwzhxR8t7P4J f4UHPaPxfnukYvnB5adk61f3LA8RthEZEz8G4JwPiLbOzHDixH21Za7nDP+vyb6x04zb YyNh8p5gk311qeKX0Kw+IHmd2s3bFOU0lHG9mpUK+4zs2F0GGHDkkpAmHUQzxaGRJ87x 3HSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777925951; x=1778530751; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=0tOD8/6djJ4pMyTuanqYIEyAgeWg4xBI8A3+BKBgiYE=; b=Cilj644sOEZspm6bFOTx4MiUXjsRuEI5rhchWi43cBBdDur0/YbQdVeJPwggdeG5F2 Uu5SxdYyf95QQml6EvcXSA2ppDjgt145FAEWnxR3T7tN4r2pNO+7C8BBbuAN/357Nbuv +MhJ3GAjA4jnv0622aoIKkhSX/JcszEkLjTwaWhwsjIhZsPUusa6DzZWImXrRHnjtPOH 1Xlc6S/Q7R6+1FbQLv/bPym991EmMoAMkCsuVC23c0Xnpee6D0FZuTxBeWW44eShh1Zz U/A6TgxC8LNIOq1BGo9O2DPX0QrrQGi3/lGxq+F5K164t5BviPipgpPGk8C8EQQ4KDPd 3Zfw== X-Forwarded-Encrypted: i=1; AFNElJ80TeVZB5gSN63Ux8FYUXlPRHHgzXahahKJXGtDqUaaqCqz2x0twU/3JAdSAqPILNLPVyPb8EI8A8HohLc=@vger.kernel.org X-Gm-Message-State: AOJu0YxhoJlYLhtOaaIvbaOksLfNOlJK+VcwTwu9r8K/S/Ms/MXlSjXF gjpTqbwycMlBmUiwxlvDqSiNyTm/1vnM1mvxJSraVQ6Qb6m14QjUJK9V X-Gm-Gg: AeBDiev3sANwut8AZKOkVH7Bik1MPi6seH5FCBCw1yfIKq0OMvRDWFGrqZtXRZ8DajI 8gR4aXWk0JHAbKOH3Ch0gnrrTRTrMrBvFtUNQ/431PxXSJc11jCJV1idIkDZGyDFuekm9fNA1d8 BkdUexE/CD2ES5qlesLKNrbJCO4tIw15yn2W6PHdFEtVoCYCEGu8Z9s7BFbT90QEydNHHrPpb6r LU5ktfz1frD2oPGZfBWXlTfC8x5HXz+cA6gYXvYdR88ch+kMKGp3kdP2QQla+PyrxNhcQGlUET0 Teb2EigxSmmeLHs4cxLUecCYIgW5bLjR40Cak9Kz1Ud2kmtcPfoxsjxW6m9MNUYe5RyYstlPoyu RqChHUyl1KSpQ9YrG3zWdNtTpwqVaxYPMncChy/QuI+Rwh0bG7oYV9o7IOtqAwGZwgDsQ/rvGaN r4BjElgxlkn2bbJOhd8PMtO6Xyi/vBNMUgH+DXFKzA2sZp X-Received: by 2002:a05:6512:3f02:b0:5a4:175d:21a with SMTP id 2adb3069b0e04-5a862ec2566mr3851306e87.2.1777925950756; Mon, 04 May 2026 13:19:10 -0700 (PDT) Received: from localhost ([188.234.148.119]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c230c68sm3245638e87.19.2026.05.04.13.19.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 13:19:10 -0700 (PDT) From: Mikhail Gavrilov To: harry.wentland@amd.com, sunpeng.li@amd.com, alexander.deucher@amd.com, christian.koenig@amd.com Cc: siqueira@igalia.com, airlied@gmail.com, simona@ffwll.ch, ardb@kernel.org, hamza.mahfooz@amd.com, aurabindo.pillai@amd.com, Roman.Li@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Mikhail Gavrilov Subject: [PATCH] drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED Date: Tue, 5 May 2026 01:19:05 +0500 Message-ID: <20260504201905.90667-1-mikhail.v.gavrilov@gmail.com> X-Mailer: git-send-email 2.54.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with DC_FP_START()/DC_FP_END(). On x86 non-RT, DC_FP_START expands into kernel_fpu_begin() which takes fpregs_lock(), i.e. local_bh_disable(). Allocations done inside this region must therefore not sleep. The legacy DML1 path through dcn32_full_validate_bw_helper() -> dcn32_add_phantom_pipes() -> dcn32_enable_phantom_plane() unconditionally calls dc_state_create_phantom_plane() -> dc_create_plane_state(), which performs kvzalloc(sizeof(struct dc_plane_state)). On a recent kernel sizeof(struct dc_plane_state) is 343736 bytes (335 KiB), well above the PAGE_ALLOC_COSTLY_ORDER threshold, so __kvmalloc_node() takes the vmalloc path. __get_vm_area_node() then trips its BUG_ON(in_interrupt()) because SOFTIRQ_DISABLE_OFFSET is set in preempt_count: kernel BUG at mm/vmalloc.c:3206! RIP: __get_vm_area_node+0x257/0x2d0 Workqueue: events_unbound commit_work Call Trace: __vmalloc_node_range_noprof+0x22b/0x570 __kvmalloc_node_noprof+0x3d0/0xb40 dc_create_plane_state+0x35/0x290 [amdgpu] dc_state_create_phantom_plane+0x1a/0x120 [amdgpu] dcn32_enable_phantom_plane+0x101/0x780 [amdgpu] dcn32_add_phantom_pipes+0x47/0x460 [amdgpu] dcn32_full_validate_bw_helper.constprop.0+0xa46/0x1d70 [amdgpu] dcn32_internal_validate_bw+0x49c/0x1600 [amdgpu] dml1_validate+0x20f/0x800 [amdgpu] dcn32_validate_bandwidth+0x317/0x540 [amdgpu] dc_validate_with_context+0xd34/0x1d30 [amdgpu] dc_commit_streams+0x7ca/0x1810 [amdgpu] amdgpu_dm_commit_streams+0xfd4/0x1e60 [amdgpu] amdgpu_dm_atomic_commit_tail+0x29e/0x3520 [amdgpu] commit_tail+0x204/0x4b0 process_one_work+0x8fd/0x16a0 Per-CPU __preempt_count on the crashing CPU at panic time was 0x202: SOFTIRQ_DISABLE_OFFSET (0x200) from fpregs_lock() plus two preempt holds from dc_fpu_begin() and kernel_fpu_begin(). The DML2 paths already wrap their large vzalloc()s in DC_RUN_WITH_PREEMPTION_ENABLED() to handle this case (see drivers/gpu/drm/amd/display/dc/dml2_0/dml21/dml21_wrapper.c:26 and drivers/gpu/drm/amd/display/dc/dml2_0/dml2_wrapper.c:24). Apply the same guard to the DML1 phantom-plane allocation in dcn32_enable_phantom_plane(). This is a separate class of issue from "drm/amd/display: Fix unsafe uses of kernel mode FPU" by Ard Biesheuvel, which addressed callers entering DC FP compilation units without DC_FP_START. The bug fixed here is the inverse: a sleeping allocator invoked from within an active DC_FP_START region. Reproducer (RX 7900 XTX, single 4K HDMI display, DCN 3.2): launch any workload that produces rapid atomic modeset commits. The most reliable trigger observed is launching Rise of the Tomb Raider via Proton and repeatedly pressing the Super key during the level loading screen; crash occurs within ~4 minutes uptime. Random crashes are also observed during routine fullscreen toggles (image viewers, chat applications). Hardware verified clean: memtest86+ 4 passes, stressapptest -W -m 32 4 hours, both pass with 0 errors. KASAN active, no reports under load. Fixes: 235c67634230 ("drm/amd/display: add DCN32/321 specific files for Dis= play Core") Cc: stable@vger.kernel.org # v6.0+ Signed-off-by: Mikhail Gavrilov --- .../drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c= b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c index 82f81b586986..3751f7a94a05 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c @@ -92,9 +92,14 @@ #include "dml/dcn32/dcn32_fpu.h" =20 #include "dc_state_priv.h" +#include "dc_fpu.h" =20 #include "dml2_0/dml2_wrapper.h" =20 +#if !defined(DC_RUN_WITH_PREEMPTION_ENABLED) +#define DC_RUN_WITH_PREEMPTION_ENABLED(code) code +#endif + #define DC_LOGGER_INIT(logger) =20 enum dcn32_clk_src_array_id { @@ -1684,7 +1689,8 @@ static void dcn32_enable_phantom_plane(struct dc *dc, if (curr_pipe->top_pipe && curr_pipe->top_pipe->plane_state =3D=3D curr_= pipe->plane_state) phantom_plane =3D prev_phantom_plane; else - phantom_plane =3D dc_state_create_phantom_plane(dc, context, curr_pipe-= >plane_state); + DC_RUN_WITH_PREEMPTION_ENABLED(phantom_plane =3D + dc_state_create_phantom_plane(dc, context, curr_pipe->plane_state)); =20 if (!phantom_plane) continue; --=20 2.54.0