Re: [PATCH] drm/i915: fix reference counting in i915_gem_create

On Wed, Jul 24, 2013 at 3:30 PM, Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Jul 24, 2013 at 02:02:20PM +0200, Daniel Vetter wrote:
>> This function is called without the dev->struct_mutex held, hence we
>> need to use the _unlocked unreference variants.
>>
>> As soon as the object is registered userspace can sneak in here with a
>> gem_close ioctl call, so the object can (and with my new evil tests
>> actually does) get the final unreference in this place. The lack of
>> locking then results in hilarity and some good leakage.
>>
>> v2: We need to make the trace call _before_ we drop our ref - the
>> object might very well be gone by then already.
>
> Pass the size into the tracepoint, that gets rid of the racy read (the
> actual userspace side we've allowed ourselves to be racy before). And
> keeps the function clean, if you rewrite it like I suggested.

Well I honestly don't really see the upshot of the little diff you've
pasted on irc. The bug is that we call the wrong unreference function
and that we access the object after we've dropped the reference.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
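The ordering bug the quoted commit message describes, as an added example that is not the i915 code or anyone's patch: a constructed refcounted object, a stand-in tracepoint, and the racing gem_close modelled as a handle get/put pair. It shows only the trace-before-final-put ordering, not the struct_mutex locking that the _unlocked unreference variant addresses.

```c
#include <stddef.h>

/* Constructed stand-in for a GEM object: a refcount plus the size the create
 * tracepoint records. Example code, not i915's. */
struct obj {
	int refcount;
	size_t size;
	int freed;	/* set on destruction so a stale read is observable */
};

/* Poison instead of free(), so a read after the last put is deterministic. */
static void obj_destroy(struct obj *o) { o->size = 0; o->freed = 1; }
static void obj_get(struct obj *o) { o->refcount++; }
static void obj_put(struct obj *o) { if (--o->refcount == 0) obj_destroy(o); }

/* Stand-in for the create tracepoint: it only records the size it is given. */
static size_t last_traced_size;
static void trace_create(size_t size) { last_traced_size = size; }

/* Models userspace racing in with gem_close right after the handle is
 * registered: the handle's reference is taken and dropped again. */
static void register_handle_then_racing_close(struct obj *o)
{
	obj_get(o);
	obj_put(o);
}

/* Original order: drop our reference, then read the object for the trace.
 * Returns the size the tracepoint saw (0: it read the destroyed object). */
size_t create_trace_after_put(size_t size)
{
	struct obj o = { .refcount = 1, .size = size, .freed = 0 };

	register_handle_then_racing_close(&o);
	obj_put(&o);		/* final unreference: object destroyed here */
	trace_create(o.size);	/* use after the reference was dropped */
	return last_traced_size;
}

/* v2 order: trace while we still hold a reference, then drop it. */
size_t create_trace_before_put(size_t size)
{
	struct obj o = { .refcount = 1, .size = size, .freed = 0 };

	register_handle_then_racing_close(&o);
	trace_create(o.size);	/* object still alive: we hold a reference */
	obj_put(&o);
	return last_traced_size;
}
```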