https://bugzilla.kernel.org/show_bug.cgi?id=207383

--- Comment #94 from mnrzk@xxxxxxxxxxxxxx ---

I just got this interesting log w/ drm.debug=0x54 right before a crash:

[ 971.537862] [drm:drm_atomic_state_init [drm]] Allocated atomic state 00000000cac2d51a
[ 971.537909] [drm:drm_atomic_get_crtc_state [drm]] Added [CRTC:47:crtc-0] 00000000dc3e08a2 state to 00000000cac2d51a
[ 971.537938] [drm:drm_atomic_get_plane_state [drm]] Added [PLANE:45:plane-5] 00000000ab054dfb state to 00000000cac2d51a
[ 971.537963] [drm:drm_atomic_set_fb_for_plane [drm]] Set [FB:103] for [PLANE:45:plane-5] state 00000000ab054dfb
[ 971.537988] [drm:drm_atomic_check_only [drm]] checking 00000000cac2d51a
[ 971.538064] [drm:drm_atomic_get_private_obj_state [drm]] Added new private object 00000000da817c3e state 000000001743c8e6 to 00000000cac2d51a
[ 971.538211] [drm:drm_atomic_nonblocking_commit [drm]] committing 00000000cac2d51a nonblocking
[ 971.538898] [drm:drm_atomic_state_init [drm]] Allocated atomic state 00000000cc027c4b
[ 971.538941] [drm:drm_atomic_get_crtc_state [drm]] Added [CRTC:49:crtc-1] 00000000992fcbd2 state to 00000000cc027c4b
[ 971.538968] [drm:drm_atomic_get_plane_state [drm]] Added [PLANE:44:plane-4] 000000009d6970b1 state to 00000000cc027c4b
[ 971.538992] [drm:drm_atomic_set_fb_for_plane [drm]] Set [FB:103] for [PLANE:44:plane-4] state 000000009d6970b1
[ 971.539017] [drm:drm_atomic_check_only [drm]] checking 00000000cc027c4b
[ 971.539108] [drm:drm_atomic_get_private_obj_state [drm]] Added new private object 00000000da817c3e state 0000000057153d72 to 00000000cc027c4b
[ 971.539140] [drm:drm_atomic_nonblocking_commit [drm]] committing 00000000cc027c4b nonblocking
[ 971.544942] [drm:drm_atomic_state_default_clear [drm]] Clearing atomic state 00000000cc027c4b
[ 971.544977] [drm:__drm_atomic_state_free [drm]] Freeing atomic state 00000000cc027c4b

and then my debugger detected a use-after-free while 00000000cac2d51a was being committed.
Basically the sequence of events is as follows:

1. Non-blocking commit #1 (00000000cac2d51a) was requested, allocated, and is deferred to workqueue.
2. Non-blocking commit #2 (00000000cc027c4b) was requested, allocated, and is deferred to workqueue.
3. Commit #2 starts and completes before commit #1 is started, dm_state is freed.
4. Commit #1 starts after commit #2 and is using commit #2's freed dm_state pointer.

And from every instance of this bug I have seen, it has been due to page-flipping.

So Nicholas, it seems your observation was correct; the sequence of events is very similar to how you've described the other bug. Perhaps we'll have to look into the page-flipping code to figure out what exactly is going on.

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel