From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
To: alsa-devel@alsa-project.org, tiwai@suse.de
Cc: intel-gfx@lists.freedesktop.org
Subject: [Intel-gfx] [PATCH] ALSA: hda: fix general protection fault in azx_runtime_idle
Date: Wed, 10 Nov 2021 23:03:07 +0200 [thread overview]
Message-ID: <20211110210307.1172004-1-kai.vehmanen@linux.intel.com> (raw)
Fix a corner case between PCI device driver remove callback and
runtime PM idle callback.
Following sequence of events can happen:
- at azx_create, context is allocated with devm_kzalloc() and
stored as pci_set_drvdata()
- user-space requests to unbind audio driver
- dd.c:__device_release_driver() calls PCI remove
- pci-driver.c:pci_device_remove() calls the audio
driver azx_remove() callback and this is completed
- pci-driver.c:pm_runtime_put_sync() leads to a call
to rpm_idle() which again calls azx_runtime_idle()
- the azx context object, as returned by dev_get_drvdata(),
is no longer valid
-> access fault in azx_runtime_idle when executing
struct snd_card *card = dev_get_drvdata(dev);
chip = card->private_data;
if (chip->disabled || hda->init_failed)
This was discovered by i915_module_load test with 5.15.0 based
linux-next tree.
Example log caught by i915_module_load test with linux-next
https://intel-gfx-ci.01.org/tree/linux-next/
<4> [264.038232] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b73f0: 0000 [#1] PREEMPT SMP NOPTI
<4> [264.038248] CPU: 0 PID: 5374 Comm: i915_module_loa Not tainted 5.15.0-next-20211109-gc8109c2ba35e-next-20211109 #1
[...]
<4> [264.038267] RIP: 0010:azx_runtime_idle+0x12/0x60 [snd_hda_intel]
[...]
<4> [264.038355] Call Trace:
<4> [264.038359] <TASK>
<4> [264.038362] __rpm_callback+0x3d/0x110
<4> [264.038371] rpm_idle+0x27f/0x380
<4> [264.038376] __pm_runtime_idle+0x3b/0x100
<4> [264.038382] pci_device_remove+0x6d/0xa0
<4> [264.038388] device_release_driver_internal+0xef/0x1e0
<4> [264.038395] unbind_store+0xeb/0x120
<4> [264.038400] kernfs_fop_write_iter+0x11a/0x1c0
Fix the issue by setting drvdata to NULL at end of azx_remove().
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
---
sound/pci/hda/hda_intel.c | 1 +
1 file changed, 1 insertion(+)
Some non-persistent direct links showing the bug trigger on
different platforms with linux-next 20211109:
- https://intel-gfx-ci.01.org/tree/linux-next/next-20211109/fi-tgl-1115g4/igt@i915_module_load@reload.html
- https://intel-gfx-ci.01.org/tree/linux-next/next-20211109/fi-jsl-1/igt@i915_module_load@reload.html
Notably with 20211110 linux-next, the bug does not trigger:
- https://intel-gfx-ci.01.org/tree/linux-next/next-20211110/fi-tgl-1115g4/igt@i915_module_load@reload.html
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 7762718cf429..b90c817e3f6f 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2364,6 +2364,7 @@ static void azx_remove(struct pci_dev *pci)
cancel_delayed_work_sync(&hda->probe_work);
device_lock(&pci->dev);
+ pci_set_drvdata(pci, NULL);
snd_card_free(card);
}
}
base-commit: 6322ec8d0de924cf9672b23c1b5052afafc2f03b
--
2.33.0
next reply other threads:[~2021-11-10 21:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 21:03 Kai Vehmanen [this message]
2021-11-10 21:55 ` [Intel-gfx] [PATCH] ALSA: hda: fix general protection fault in azx_runtime_idle Takashi Iwai
2021-11-10 22:15 ` Kai Vehmanen
2021-11-11 13:29 ` Takashi Iwai
2021-11-11 17:39 ` Kai Vehmanen
2021-11-12 10:02 ` Takashi Iwai
2021-11-12 12:27 ` Kai Vehmanen
2021-11-15 7:57 ` Takashi Iwai
2021-11-10 21:57 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2021-11-10 22:27 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2021-11-10 23:45 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
2021-11-11 15:33 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for ALSA: hda: fix general protection fault in azx_runtime_idle (rev2) Patchwork
2021-11-11 15:37 ` [Intel-gfx] ✗ Fi.CI.DOCS: " Patchwork
2021-11-11 16:01 ` [Intel-gfx] ✗ Fi.CI.BAT: failure " Patchwork
2021-11-12 10:28 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for ALSA: hda: fix general protection fault in azx_runtime_idle (rev3) Patchwork
2021-11-12 10:32 ` [Intel-gfx] ✗ Fi.CI.DOCS: " Patchwork
2021-11-12 10:57 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2021-11-12 15:04 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211110210307.1172004-1-kai.vehmanen@linux.intel.com \
--to=kai.vehmanen@linux.intel.com \
--cc=alsa-devel@alsa-project.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox