On Mon, May 09, 2022 at 07:48:23AM -0700, Rob Clark wrote:
> On Sun, May 8, 2022 at 11:28 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >     } else {
> >         /*
> >          * We couldn't attribute this fault to any particular context,
> >          * so increment the global fault count instead.
> >          */
> >         gpu->global_faults++;
> >     }
> >
> >     /* Record the crash state */
> >     pm_runtime_get_sync(&gpu->pdev->dev);
> >     msm_gpu_crashstate_capture(gpu, submit, comm, cmd);
> >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > This function calls:
> >
> >     dev_coredumpm(gpu->dev->dev, THIS_MODULE, gpu, 0, GFP_KERNEL,
> >                                               ^^^
> >
> > Which kfrees gpu.
>
> How does the gpu object get kfree'd? That is the root problem, it shouldn't be freed until module unload. I don't think e25e92e08e32: "drm/msm: devcoredump iommu fault support" is actually related.
>
> Is there a way to reproduce this?
Ah. Thanks for your feedback. I saw free(data) and misread it as kfree(data). It's actually a function pointer which is msm_gpu_devcoredump_free() so it doesn't free "gpu".
My bad.
regards,
dan carpenter