On Mon, May 09, 2022 at 07:48:23AM -0700, Rob Clark wrote:
> On Sun, May 8, 2022 at 11:28 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> >    407          } else {
> >    408                  /*
> >    409                   * We couldn't attribute this fault to any particular context,
> >    410                   * so increment the global fault count instead.
> >    411                   */
> >    412                  gpu->global_faults++;
> >    413          }
> >    414
> >    415          /* Record the crash state */
> >    416          pm_runtime_get_sync(&gpu->pdev->dev);
> >    417          msm_gpu_crashstate_capture(gpu, submit, comm, cmd);
> >                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This function calls:
> >
> >         dev_coredumpm(gpu->dev->dev, THIS_MODULE, gpu, 0, GFP_KERNEL,
> >                                                   ^^^
> > Which kfrees gpu.
>
> How does the gpu object get kfree'd? That is the root problem, it
> shouldn't be freed until module unload. I don't think e25e92e08e32:
> "drm/msm: devcoredump iommu fault support" is actually related.
>
> Is there a way to reproduce this?

Ah. Thanks for your feedback. I saw free(data) and misread it as
kfree(data). It's actually a function pointer which is
msm_gpu_devcoredump_free() so it doesn't free "gpu". My bad.

regards,
dan carpenter