https://bugs.freedesktop.org/show_bug.cgi?id=75279

--- Comment #35 from Ilia Mirkin ---

(In reply to comment #33)
> The stack to the free() points to line 203 here, while the stack to where
> the free'd data is subsequently used points to line 205 here:
>
> http://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/nouveau/nouveau_fence.c?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04#n203
>
>    if (fence == screen->fence.current)
>       nouveau_fence_next(screen);
>
>    do {
>       nouveau_fence_update(screen, FALSE); // <--- free here!
>
>       if (fence->state == NOUVEAU_FENCE_STATE_SIGNALLED) // <-- use-after-free
>          return TRUE;
>
> So it seems like nouveau_fence_update (which was apparently inlined)
> destroys the fence object... do you need to call nouveau_fence_ref() to keep
> it alive?

This code is rather confusing. You have to keep in mind how it's used, which
among other things is from the kick handler. I tried to fix it up with

http://cgit.freedesktop.org/mesa/mesa/commit/?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04

But I guess it was insufficient? I have an odd recollection that I felt like
the stuff in the context destroy was suspect, but I don't remember how. Since
it wasn't directly related to my problem, I left it alone (esp. since I was
going under the assumption that it would only be triggered on exit, in which
case it's harder to care). Unfortunately it was a long enough time ago that
I've lost my context on this.

I'm guessing that the key here is that there are multiple contexts and one
screen. (Someone should confirm that to be the case.)
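As an added illustration (not Mesa's code and not from the thread), here is a minimal refcounted fence in C that reproduces the lifetime problem the two comments describe: the update call can drop the screen's last reference, so a caller that still dereferences the fence afterwards must own a reference of its own for the duration of the wait. The types and the names fence_update, fence_wait_safe and scenario are assumptions for this example; the real nouveau_fence_update()/nouveau_fence_ref() signatures differ.

```c
#include <stdbool.h>
#include <stdlib.h>

enum { FENCE_PENDING, FENCE_SIGNALLED };
struct fence { int refcount; int state; }; /* stand-in for nouveau's fence object */
struct screen { struct fence *current; };  /* the screen owns one ref to its current fence */
static int g_freed; /* constructed instrumentation: number of fences destroyed so far */
static struct fence *fence_new(void) {
    struct fence *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->refcount = 1; /* the reference handed to the screen */
    f->state = FENCE_PENDING;
    return f;
}
static void fence_ref(struct fence *f) { f->refcount++; }
/* Drop one reference; the last one frees the object. The caller's pointer is cleared. */
static void fence_unref(struct fence **pf) {
    if (*pf && --(*pf)->refcount == 0) { free(*pf); g_freed++; }
    *pf = NULL;
}

/* Stand-in for nouveau_fence_update(): the current fence is signalled, so the
 * screen drops its reference. If that was the last one, the fence is freed here. */
static void fence_update(struct screen *s) {
    if (s->current) {
        s->current->state = FENCE_SIGNALLED;
        fence_unref(&s->current);
    }
}

/* Fixed form of the quoted wait loop: hold our own reference across the update,
 * so reading fence->state afterwards can never be a use-after-free. */
static bool fence_wait_safe(struct screen *s, struct fence *fence) {
    fence_ref(fence);
    fence_update(s);
    bool signalled = fence->state == FENCE_SIGNALLED;
    fence_unref(&fence); /* may free the fence now, after its last use */
    return signalled;
}

/* One wait on a fresh fence; returns how many fences were freed during the wait. */
static int scenario(bool caller_holds_ref) {
    int before = g_freed;
    struct screen s = { fence_new() };
    struct fence *f = s.current;
    if (caller_holds_ref) fence_ref(f);
    bool signalled = fence_wait_safe(&s, f);
    int freed = g_freed - before;
    if (caller_holds_ref) fence_unref(&f);
    return signalled ? freed : -1;
}
```

With no caller reference the fence is still destroyed inside the wait, but only after its last read; building with AddressSanitizer and replacing fence_wait_safe's ref/unref pair with the quoted pattern makes the difference visible as a heap-use-after-free report.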