Well, first of all you need to send that to dri-devel and even lkml, so that Chris and others can take a look as well.

Second, that patch doesn't look correct to me; obj->staged should never be related to obj->fence.

Regards,
Christian.

On 26.02.2018 at 06:34 Monk Liu wrote:
> issue:
> kernel oops or vmc page fault occurred during vk_example/vk_cts
> test.
>
> root cause:
> previously the reservation object would kfree the staged when a slot
> was checked available during reserve_shared(), which is incorrect
> because this way reservation_object->fence will be a wild pointer
> referenced by the following reservation_object_add_shared_fence,
> and lead to a lot of abnormal cases depending on luck.
>
> fix:
> don't call kfree on staged in reserve_shared
> and there won't be a memleak introduced because reservation's
> finish routine would kfree both staged and fence
>
> Change-Id: If7c01f1b4be3d3d8a81efa90216841f79ab1fc1c
> Signed-off-by: Monk Liu <Monk.Liu at amd.com>
> ---
> drivers/dma-buf/reservation.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/dma-buf/reservation.c b/drivers/dma-buf/reservation.c > index 314eb10..bc01e0d 100644 > --- a/drivers/dma-buf/reservation.c > +++ b/drivers/dma-buf/reservation.c > @@ -74,12 +74,9 @@ int reservation_object_reserve_shared(struct reservation_object *obj) > old = reservation_object_get_list(obj); > > if (old && old->shared_max) { > - if (old->shared_count < old->shared_max) { > - /* perform an in-place update */ > - kfree(obj->staged); > - obj->staged = NULL; > + if (old->shared_count < old->shared_max) > return 0; > - } else > + else > max = old->shared_max * 2; > } else > max = 4;
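Review bot: dropping the kfree(obj->staged) / obj->staged = NULL pair in the in-place branch leaves a staged list allocated by an earlier reserve_shared() call attached to the object even though this reserve found a free slot, so the object's state after a successful reserve now depends on the caller's history rather than on the list's current capacity; the commit message only argues that the finish routine frees it eventually, not that a lingering staged list is harmless for the add_shared_fence() that follows this reserve. If obj->fence can really alias obj->staged, as the commit message claims, the place to fix that is wherever staged gets published as fence without being cleared, not the branch that reclaims a staged list that turned out to be unneeded; please either point at that path in the commit message or fix it there. Minor style point: with the braces gone, the else after return 0; is redundant, so
    if (old->shared_count < old->shared_max)
        return 0;
    max = old->shared_max * 2;
reads cleaner.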