<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - [CI][BXT only] igt@* - incomplete timeout/system hang"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103927#c28">Comment # 28</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - [CI][BXT only] igt@* - incomplete timeout/system hang"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103927">bug 103927</a>
from <span class="vcard"><a class="email" href="mailto:stanislav.lisovskiy@intel.com" title="Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>"> <span class="fn">Stanislav Lisovskiy</span></a>
</span></b>
<pre>(In reply to Chris Wilson from <a href="show_bug.cgi?id=103927#c27">comment #27</a>)
<span class="quote">> (In reply to Stanislav Lisovskiy from <a href="show_bug.cgi?id=103927#c26">comment #26</a>)
> > (In reply to Chris Wilson from <a href="show_bug.cgi?id=103927#c25">comment #25</a>)
> > > (In reply to Stanislav Lisovskiy from <a href="show_bug.cgi?id=103927#c23">comment #23</a>)
> > > > (In reply to Francesco Balestrieri from <a href="show_bug.cgi?id=103927#c22">comment #22</a>)
> > > > > Stan, did you figure out anything from the latest logs?
> > > >
> > > > There is a NULL pointer deref in do_remove_conflicting_framebuffers
> > > > function:
> > >
> > > That's a known-use-after-free. You can't guarantee that you even see a NULL
> > > pointer as its value depends on what else gets written by a third party.
> >
> > Ok, is there any patch available elsewhere?
>
> Nope, we are hoping for a kasan hit to tell us where the use-after-free
> emanated from.</span >
We could try also poisoning registered_fb[i] somehow to mark and determine when
it was freed.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>