On Fri, 2026-04-24 at 00:01 +0900, Alexandre Courbot wrote:
dropped before obj.
I am not sure this is enough to solve the double-free issue - although my GEM knowledge is lacking, so please take this with a grain of salt.
Take an object where we called `sg_table`, so the SGT has been created.
When the object is dropped by DRM, `free_callback` is first called. It calls `drm_gem_shmem_release`, which frees the SGT.
Then, the `Drop` implementation of `Object` is called, and `sgt_res` is dropped... which attempts to free the SGT again.
I haven't tested that and rely only on a quick look at the code and my partial understanding, but the correct fix appears to be to clear `sgt_res` in `free_callback`.
Whoops! No, you're right, and so is Deborah (she mentioned this previously, but when reading through it I completely forgot that free_callback() was in the picture). We can't clear SetOnce, but we can use mem::take(), which should be essentially the same thing. Will fix in the next respin.