https://bugzilla.kernel.org/show_bug.cgi?id=198221

Petr Vandrovec (petr@xxxxxxxxxxxxxx) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Regression|No                          |Yes

--- Comment #2 from Petr Vandrovec (petr@xxxxxxxxxxxxxx) ---
I've built a kernel with the change and given it some time, but I don't think
that it is the culprit.

I think that there is a race in how nouveau handles scheduled work:

The work being scheduled has its func callback set to
nouveau_gem_object_delete_work(), which does its job and then frees the work.

Now nouveau_cli_work_queue sets some work properties, adds the work to the
cli->worker queue, and schedules work->cli->work. But nouveau_cli_work might
run between the moment the work is added to the cli->worker queue and the
moment schedule_work(&work->cli->work) is issued. In that case the work
dereference in nouveau_cli_work_fence will access freed work memory, read
garbage (0x00010000 in this case), add offsetof(cli, work) of 0x1f8, and pass
this garbage pointer into schedule_work().

I'm not entirely sure what the expectations for the work are, but perhaps the
work should be added to the cli->worker list from nouveau_cli_work_fence,
rather than by nouveau_cli_work_queue.

The regression seems to be introduced by
814a23243bd2aaa9aafe03d85d0502a73be42b58, "drm/nouveau: implement per-client
delayed workqueue with fence support".

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
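The hazard the comment describes is an ordering problem: a work item is published to a list that another context may drain (and free the item from) before the publishing path has finished reading the item's own fields. The following is an added, deterministic single-threaded model of that hazard and is not nouveau code; the names (cli_work_run, queue_publish_then_deref, queue_deref_then_publish, work_free and so on) are hypothetical stand-ins for nouveau_cli_work, nouveau_cli_work_queue and the work's func callback, and instead of really freeing memory the model poisons it with a marker so the stale access can be detected rather than crashing. The "worker runs in the window" flag forces the interleaving the comment reasons about.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not nouveau code): a deterministic, single-threaded model of
 * the publish-then-dereference ordering hazard described in the comment.
 * All names are hypothetical stand-ins for the kernel functions named there. */

#define FREED_MAGIC 0xdeadbeefu

struct cli;

struct work {
    struct cli *cli;                 /* back-pointer dereferenced by the scheduling step */
    void (*func)(struct work *);     /* callback run by the worker; it frees the work */
    unsigned int magic;              /* FREED_MAGIC once "freed": models poisoned memory */
    struct work *next;
};

struct cli {
    struct work *worker;             /* list of pending work (cli->worker in the report) */
    int scheduled;                   /* number of schedule_work() calls made for this cli */
};

/* Stand-in for kfree(): instead of releasing memory, poison it so that a later
 * access can be detected deterministically in this model. */
static void work_free(struct work *w) { w->magic = FREED_MAGIC; }

/* Stand-in for nouveau_gem_object_delete_work(): do the job, then free the work. */
static void delete_work(struct work *w) { work_free(w); }

/* Stand-in for nouveau_cli_work(): drain the list and run each callback. */
static void cli_work_run(struct cli *cli) {
    struct work *w;
    while ((w = cli->worker) != NULL) {
        cli->worker = w->next;
        w->func(w);                  /* may free w */
    }
}

static void work_init(struct work *w) {
    w->cli = NULL; w->func = delete_work; w->magic = 0; w->next = NULL;
}

/* The ordering from the report: publish the work on the list first, then
 * dereference it to find the cli whose work should be scheduled. If the
 * worker runs in the window in between, the dereference reads freed memory.
 * Returns 0 on success, -1 when the access would have touched freed memory. */
static int queue_publish_then_deref(struct cli *cli, struct work *w, int worker_runs_in_window) {
    w->cli = cli;
    w->next = cli->worker;
    cli->worker = w;                          /* published: the worker may now free w */
    if (worker_runs_in_window)
        cli_work_run(cli);                    /* the race: the callback frees w here */
    if (w->magic == FREED_MAGIC)              /* schedule_work(&work->cli->work) on freed memory */
        return -1;
    w->cli->scheduled++;
    return 0;
}

/* Safe ordering: read everything needed from w before it is published. After
 * the list add this path never touches w again, so whatever the worker does
 * with it cannot matter. */
static int queue_deref_then_publish(struct cli *cli, struct work *w, int worker_runs_in_window) {
    w->cli = cli;
    struct cli *target = w->cli;              /* captured from w before publication */
    w->next = cli->worker;
    cli->worker = w;                          /* published */
    if (worker_runs_in_window)
        cli_work_run(cli);                    /* frees w, which we no longer need */
    target->scheduled++;                      /* no access to w */
    return 0;
}

/* Runs both orderings with the worker interleaved in the window. Returns a
 * summary: bit 0 set if the report's ordering hit freed memory, bit 1 set if
 * the reordered path scheduled cleanly. Expected value: 3. */
static int run_model(void) {
    struct cli cli = { NULL, 0 };
    struct work w;
    int result = 0;

    work_init(&w);
    if (queue_publish_then_deref(&cli, &w, 1) == -1)
        result |= 1;

    work_init(&w);
    if (queue_deref_then_publish(&cli, &w, 1) == 0 && cli.scheduled == 1)
        result |= 2;
    return result;
}

int main(void) {
    printf("model result: %d (expected 3)\n", run_model());
    return 0;
}
```

The model captures the general rule rather than the specific nouveau fix: once an object has been handed to a consumer that is allowed to free it, the producing path must not read it again, and whatever it still needs (here the cli back-pointer) has to be taken before the hand-off. In the real kernel a stale read like this is the kind of thing KASAN flags as a use-after-free; the poison marker plays that role here.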