On Wed, Jul 24, 2013 at 03:48:28PM +0200, Daniel Vetter wrote:
> On Wed, Jul 24, 2013 at 3:30 PM, Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote:
> > On Wed, Jul 24, 2013 at 02:02:20PM +0200, Daniel Vetter wrote:
> >> This function is called without the dev->struct_mutex held, hence we
> >> need to use the _unlocked unreference variants.
> >>
> >> As soon as the object is registered userspace can sneak in here with a
> >> gem_close ioctl call, so the object can (and with my new evil tests
> >> actually does) get the final unreference in this place. The lack of
> >> locking then results in hilarity and some good leakage.
> >>
> >> v2: We need to make the trace call _before_ we drop our ref - the
> >> object might very well be gone by then already.
> >
> > Pass the size into the tracepoint, that gets rid of the racy read (the
> > actual userspace side we've allowed ourselves to be racy before). And
> > keeps the function clean, if you rewrite it like I suggested.
>
> Well I honestly don't really see the upshot of the little diff you've
> pasted on irc. The bug is that we call the wrong unreference function
> and that we access the object after we've dropped the reference.

Ignoring the typo, it is much neater code. The code that was there before
my hack.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre