Hi maxime,
On 9/5/23 14:06, Maxime Ripard wrote:
On Tue, Sep 05, 2023 at 10:58:30AM +0200, Thomas Hellström wrote:
when using __drm_kunit_helper_alloc_drm_device() the driver may be
dereferenced by device-managed resources up until the device is
freed, which is typically later than the kunit-managed resource code
frees it.
I'd like to have a bit more context on how a driver can end up in that
situation?
I interpret the attached traces as follows.
INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.
EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup frees the struct device, which starts a
device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.
It should be sufficient to enable KASAN and run the drm_exec_test kunit
test to trigger this.
Thanks,
Thomas
Maxime
