I don't totally understand the stack trace but I do see a double free bug.
drivers/gpu/drm/vgem/vgem_drv.c
   186  static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
   187                                                struct drm_file *file,
   188                                                unsigned int *handle,
   189                                                unsigned long size)
   190  {
   191          struct drm_vgem_gem_object *obj;
   192          int ret;
   193
   194          obj = __vgem_gem_create(dev, size);
obj->base.handle_count is zero.
   195          if (IS_ERR(obj))
   196                  return ERR_CAST(obj);
   197
   198          ret = drm_gem_handle_create(file, &obj->base, handle);
We bump it +1, and then the error handling calls drm_gem_object_handle_put_unlocked(obj), which calls drm_gem_object_put_unlocked(), which frees obj.
   199          drm_gem_object_put_unlocked(&obj->base);
So this is a double free. Could someone check my thinking and send a patch? It's just a one-liner. Otherwise I can send it on Monday.
   200          if (ret)
   201                  return ERR_PTR(ret);
   202
   203          return &obj->base;
   204  }
regards, dan carpenter
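Whether the unconditional put at line 199 is a double put comes down to who owns the creation reference after a failed handle create. The constructed model below is added here to make that reasoning explicit; it is not DRM code and not from the message's author. The struct and helper names are simplified stand-ins that only mirror the kernel names for readability, and whether the first handle takes its own lifetime reference is a parameter of the model (`takes_own_ref`), not a claim about what the kernel does. It runs the caller as quoted and a "put only on success" variant (one reading of the one-liner the message mentions, an assumption) under both conventions, on both the success and the failure path, and classifies the outcome.

```c
/*
 * Constructed model of reference accounting for a GEM-style object.
 * NOT the DRM implementation: names are stand-ins, and the ownership
 * convention (takes_own_ref) is an input to the model, not a kernel fact.
 */
#include <stdio.h>

enum outcome {
    BALANCED = 0,      /* freed exactly once on failure, alive on success */
    DOUBLE_PUT = 1,    /* a put arrived after the object was already freed */
    LEAKED = 2,        /* failure path returned without releasing the object */
    FREED_IN_USE = 3   /* success path freed an object a handle still refers to */
};

struct model_obj {
    int refcount;       /* lifetime references; 1 right after creation */
    int handle_count;   /* userspace handles; 0 right after creation */
    int freed;          /* 1 once the last lifetime reference was dropped */
    int put_after_free; /* number of puts that hit an already freed object */
};

static void model_obj_init(struct model_obj *o)
{
    o->refcount = 1;
    o->handle_count = 0;
    o->freed = 0;
    o->put_after_free = 0;
}

/* Stand-in for drm_gem_object_put_unlocked(): drop one lifetime reference. */
static void model_obj_put(struct model_obj *o)
{
    if (o->freed) {
        o->put_after_free++;  /* in real code this would be the double free */
        return;
    }
    if (--o->refcount == 0)
        o->freed = 1;         /* real code would release the memory here */
}

/* Stand-in for drm_gem_object_handle_put_unlocked(): drop a handle and,
 * when it was the last one, the lifetime reference that handles hold. */
static void model_handle_put(struct model_obj *o)
{
    if (--o->handle_count == 0)
        model_obj_put(o);
}

/* Stand-in for drm_gem_handle_create(). 'fail' forces the error path.
 * takes_own_ref == 1: the first handle takes its own lifetime reference,
 *   so the error path's handle put only returns what it took.
 * takes_own_ref == 0: the first handle takes no reference of its own,
 *   so the error path's handle put consumes the creator's reference. */
static int model_handle_create(struct model_obj *o, int fail, int takes_own_ref)
{
    if (o->handle_count++ == 0 && takes_own_ref)
        o->refcount++;
    if (fail) {
        model_handle_put(o);
        return -1;
    }
    return 0;
}

static int classify(const struct model_obj *o, int fail)
{
    if (o->put_after_free)
        return DOUBLE_PUT;
    if (fail && !o->freed)
        return LEAKED;
    if (!fail && o->freed)
        return FREED_IN_USE;
    return BALANCED;
}

/* Caller as quoted in the message: create, try a handle, put unconditionally. */
int caller_puts_unconditionally(int fail, int takes_own_ref)
{
    struct model_obj o;
    model_obj_init(&o);
    (void)model_handle_create(&o, fail, takes_own_ref);
    model_obj_put(&o);                 /* the put at line 199 */
    return classify(&o, fail);
}

/* Variant that skips the put when handle creation failed (assumed reading
 * of the "one-liner"; the message does not spell the patch out). */
int caller_puts_only_on_success(int fail, int takes_own_ref)
{
    struct model_obj o;
    model_obj_init(&o);
    if (model_handle_create(&o, fail, takes_own_ref) == 0)
        model_obj_put(&o);
    return classify(&o, fail);
}

int main(void)
{
    static const char *names[] = { "balanced", "double put", "leaked", "freed in use" };
    for (int own = 0; own <= 1; own++)
        for (int fail = 0; fail <= 1; fail++)
            printf("takes_own_ref=%d fail=%d: as quoted -> %s, put only on success -> %s\n",
                   own, fail,
                   names[caller_puts_unconditionally(fail, own)],
                   names[caller_puts_only_on_success(fail, own)]);
    return 0;
}
```

Under the convention where the first handle takes its own reference, the quoted caller is balanced on both paths and the "put only on success" variant leaks on failure; under the convention where it does not, the quoted caller double-puts on failure exactly as the message describes, but that same convention frees the object while a handle still refers to it on the success path. Checking which convention drm_gem_handle_create() actually follows is therefore the whole question.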