Alsa-Devel Archive on lore.kernel.org
From: Takashi Iwai <tiwai@suse.de>
To: Cezary Rojewski <cezary.rojewski@intel.com>
Cc: alsa-devel@alsa-project.org,
	pierre-louis.bossart@linux.intel.com, tiwai@suse.com,
	hdegoede@redhat.com, broonie@kernel.org,
	amadeuszx.slawinski@linux.intel.com
Subject: Re: [PATCH 1/9] ALSA: hda: Do not unset preset when cleaning up codec
Date: Mon, 11 Jul 2022 16:12:34 +0200
Message-ID: <877d4jsppp.wl-tiwai@suse.de>
In-Reply-To: <2966b410-f00d-9b33-fcfa-30d484455579@intel.com>

On Mon, 11 Jul 2022 10:25:17 +0200,
Cezary Rojewski wrote:
> 
> On 2022-07-09 6:34 PM, Takashi Iwai wrote:
> > On Wed, 06 Jul 2022 14:02:22 +0200,
> > Cezary Rojewski wrote:
> >> 
> >> snd_hda_codec_cleanup_for_unbind() unsets preset, which interferes with
> >> module unloading and triggers null-ptr-deref. Preset is assigned only
> >> once, during device/driver matching, whereas module reload and unload
> >> follow a completely different path and may occur several times during
> >> runtime.
> > 
> > Hm, the driver reload/unload does unbind.  Keeping this field means
> > leaving the pointer to the possibly freed object, no?
> > 
> > And if it's not cleared, where is this field cleared instead?
> 
> 
> avs-driver i.e. the bus driver takes responsibility for the codec
> device only. There is no real probe(), just the device creation and
> initialization of its fields. The rest is handled by the component
> driver (sound/soc/hda.c). If this field is cleared and the test is
> limited to reloading HDAudio codec module alone, we get a
> panic. Something similar to the stack found below my message.
> 
> In regard to the other question - are presets freed at all? It seems
> all of them are part of the static device-driver matching list. If so,
> the pointer is always valid.

When the codec driver is unbound and the module is unloaded, the whole
objects and symbols are gone.


> [  136.827856] RIP: 0010:hda_codec_probe+0x16c/0x560 [snd_soc_hda_codec]
> [  136.827929] Code: ff 85 c0 0f 88 5b 0b 00 00 4d 8d bc 24 d0 03 00
> 00 4c 89 ff e8 e5 a2 9e ca 49 8b 9c 24 d0 03 00 00 48 8d 7b 10 e8 d4
> a2 9e ca <48> 8b 73 10 4c 89 e7 e8 e8 7d fb ff 85 c0 0f 88 43 0b 00 00
> 4c 89
> [  136.828028] RSP: 0018:ffff888101af74d0 EFLAGS: 00010286
> [  136.828079] RAX: 0000000000000001 RBX: 0000000000000000 RCX:
> ffffffff8b4f1b1a
> [  136.828128] RDX: 0000000000000001 RSI: 0000000000000008 RDI:
> ffffffff8e323d20
> [  136.828175] RBP: ffff888101af7540 R08: 1ffffffff1c647a4 R09:
> fffffbfff1c647a5
> [  136.828224] R10: ffffffff8e323d27 R11: fffffbfff1c647a4 R12:
> ffff888102920000
> [  136.828272] R13: ffff88810812e428 R14: ffff888102925028 R15:
> ffff8881029203d0
> [  136.828323] FS:  00007f9049dd8540(0000) GS:ffff888227100000(0000)
> knlGS:0000000000000000
> [  136.828380] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  136.828425] CR2: 0000000000000010 CR3: 000000010f086001 CR4:
> 00000000003706e0
> [  136.828474] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [  136.828520] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [  136.828568] Call Trace:
> [  136.828593]  <TASK>
> [  136.828628]  snd_soc_component_probe+0x3a/0x60 [snd_soc_core]
> [  136.828981]  soc_probe_component+0x276/0x4a0 [snd_soc_core]
> [  136.829274]  snd_soc_bind_card+0x819/0x13d0 [snd_soc_core]
> [  136.829560]  ? __kasan_slab_alloc+0x32/0x90
> [  136.829614]  snd_soc_register_card+0x24e/0x260 [snd_soc_core]
> [  136.829900]  devm_snd_soc_register_card+0x48/0x90 [snd_soc_core]
> [  136.830204]  avs_hdaudio_probe+0x298/0x2c0 [snd_soc_avs_hdaudio]
> [  136.830269]  platform_probe+0x67/0x100
> [  136.830313]  really_probe+0x1ff/0x500
> [  136.830354]  __driver_probe_device+0xeb/0x240
> [  136.830397]  driver_probe_device+0x4e/0xf0
> [  136.830438]  __driver_attach+0xfd/0x210
> [  136.830478]  ? __device_attach_driver+0x170/0x170
> [  136.830520]  bus_for_each_dev+0xf9/0x150
> [  136.830557]  ? subsys_dev_iter_exit+0x10/0x10
> [  136.830597]  ? preempt_count_sub+0x18/0xc0
> [  136.830643]  driver_attach+0x2d/0x40
> [  136.830679]  bus_add_driver+0x28e/0x320
> [  136.830722]  driver_register+0xdc/0x170
> [  136.830763]  ? 0xffffffffc0428000
> [  136.830796]  __platform_driver_register+0x39/0x40
> [  136.830842]  avs_hdaudio_driver_init+0x1c/0x1000 [snd_soc_avs_hdaudio]
> [  136.830902]  do_one_initcall+0xa0/0x2e0
> [  136.830939]  ? initcall_blacklisted+0x170/0x170
> [  136.830981]  ? __kasan_kmalloc+0x88/0xa0
> [  136.831020]  ? kasan_poison+0x3c/0x50
> [  136.831059]  ? kasan_unpoison+0x28/0x50
> [  136.831100]  ? kasan_poison+0x3c/0x50
> [  136.831139]  ? __asan_register_globals+0x5e/0x70
> [  136.831187]  do_init_module+0xf6/0x350
> [  136.831228]  load_module+0x2bf5/0x2e30
> (...)

Hmm, in the Oops above, at which moment is
snd_hda_codec_cleanup_for_unbind() called, and via which function?
Is it the unload of HD-audio codec driver during the probe of AVS
HD-audio?

The preset is assigned to the given HD-audio device object for the
attached codec driver.  Once the codec driver gets unbound, you
must not access this codec driver's methods any longer, hence we
clear the preset field.

So I wonder how the access to the codec->preset happens after the
codec unbind.


thanks,

Takashi
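
The arithmetic behind the Oops quoted above, as an added example (not code from this thread or from the kernel tree): it decodes the instruction at the `<48>` fault marker and checks that base register plus displacement equals CR2. The function names are made up for illustration, and only the `REX.W 8B /r` load form with a plain base register is decoded.

```python
import re

# Lines copied from the Oops quoted in the message above, mail wrapping undone
# and the Code: line trimmed to the bytes around the <..> fault marker.
OOPS = """\
[  136.827929] Code: 48 8d 7b 10 e8 d4 a2 9e ca <48> 8b 73 10 4c 89 e7 e8 e8 7d fb ff
[  136.828079] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8b4f1b1a
[  136.828128] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8e323d20
[  136.828425] CR2: 0000000000000010 CR3: 000000010f086001 CR4: 00000000003706e0
"""

# x86-64 register numbering, spelled the way the kernel prints the names.
REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
        "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]


def decode_load(code):
    """Decode 'REX.W 8B /r' (mov r64, [base+disp]); None for any other form."""
    if len(code) < 3 or code[0] & 0xF8 != 0x48 or code[1] != 0x8B:
        return None
    rex, modrm = code[0], code[2]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None  # register-direct, SIB and RIP-relative are out of scope
    width = {0: 0, 1: 1, 2: 4}[mod]  # displacement size in bytes
    if len(code) < 3 + width:
        return None
    disp = int.from_bytes(bytes(code[3:3 + width]), "little", signed=True)
    dst = REGS[((modrm >> 3) & 7) | ((rex & 4) << 1)]  # REX.R extends reg
    base = REGS[rm | ((rex & 1) << 3)]                 # REX.B extends r/m
    return dst, base, disp


def triage(oops):
    """Tie the faulting load to CR2 and report whether its base register is 0."""
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(R[A-Z0-9]{2}|CR2):\s*([0-9a-f]{16})\b", oops)}
    tokens = re.search(r"Code:(.*)", oops).group(1).split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    insn = decode_load([int(t.strip("<>"), 16) for t in tokens[start:]])
    if insn is None or insn[1] not in regs or "CR2" not in regs:
        return None
    dst, base, disp = insn
    addr = (regs[base] + disp) & (2**64 - 1)
    return {"dst": dst, "base": base, "offset": disp, "address": addr,
            "null_base": regs[base] == 0,
            "matches_cr2": addr == regs["CR2"]}
```

On the quoted trace, `triage(OOPS)` reports a load through RBX, which holds 0, at offset 0x10, matching CR2: a read of a field 16 bytes into a structure reached through a NULL pointer.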
