On Wed, Jul 24, 2013 at 01:00:57PM +0200, Daniel Vetter wrote:
> This function is called without the dev->struct_mutex held, hence we
> need to use the _unlocked unreference variants.
>
> As soon as the object is registered userspace can sneak in here with a
> gem_close ioctl call, so the object can (and with my new evil tests
> actually does) get the final unreference in this place. The lack of
> locking then results in hilarity and some good leakage.

So there is a small race for a second thread on the fd to guess the new
handle before the owner sees it. We should be able to push the transfer
of ownership into the handle_create() routine to close this race without
incurring any extra cost.
-Chris

--
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/intel-gfx