[alsa-devel] [BUG] NULL pointer dereference in patch_sigmatel.c

Takashi Iwai tiwai at suse.de
Sun Aug 9 20:01:58 CEST 2009


At Sun, 09 Aug 2009 15:10:31 +0300,
Ozan Çağlayan wrote:
> 
> Takashi Iwai wrote:
> >
> >> The patch below doesn't undef CONFIG_SND_HDA_INPUT_JACK after
> >> configuring. Actually there are config1.h* and config.h* and both
> >> contain def/undefs for *JACK* stuff. But I'll undefine it after
> >> configure and then compile to see if the error goes.
> >>     
> >
> > Yeah I realized it, now fixed alsa-driver GIT tree to undef in
> > adriver.h instead.
> >
> >
> > Takashi
> >   
> 
> I've compiled the latest snapshot which includes that fix and had the
> guy who has the sigmatel codec try it. It still oopses but in
> another place. I've double checked with #error that SND_HDA_INPUT_JACK
> and SND_JACK are unset. The new oops backtrace:
> 
> BUG: unable to handle kernel NULL pointer dereference at 00000000
> IP: [<f8c774ba>] :snd_hda_codec_idt:stac92xx_init+0x280/0x504
> *pde = 00000000 
> Oops: 0000 [#1] SMP 
> Modules linked in: snd_hda_codec_idt snd_hda_intel(+) snd_hda_codec aes_i586 aes_generic ipv6 af_packet bridge bnep rfcomm l2cap microcode acpi_cpufreq cpufreq_powersave cpufreq_userspace cpufreq_conservative ndiswrapper vboxdrv snd_hwdep nvidia(P) arc4 snd_seq_dummy ecb iwl4965 snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm hci_usb snd_timer intel_agp iwlcore thermal bluetooth rfkill led_class processor agpgart r5u870 sky2 battery mac80211 usbcam videobuf_dma_sg pcmcia firmware_class videobuf_core sony_laptop uvcvideo compat_ioctl32 videodev v4l1_compat iTCO_wdt tpm_infineon cfg80211 video output tifm_7xx1 tifm_core yenta_socket rsrc_nonstatic snd soundcore snd_page_alloc button rtc_cmos ac rtc_core joydev iTCO_vendor_support tpm tpm_bios i2c_i801 i2c_core pcmcia_core rtc_lib sg ext3 jbd mbcache sr_mod cdrom sd_mod ata_piix uhci_hcd pata_acpi ehci_hcd usbcore ohci1394 ieee1394 ata_generic libata scsi_mod dock
> 
> Pid: 1899, comm: modprobe Tainted: P         (2.6.25.20-114 #1)
> EIP: 0060:[<f8c774ba>] EFLAGS: 00210246 CPU: 0
> EIP is at stac92xx_init+0x280/0x504 [snd_hda_codec_idt]
> EAX: 00000000 EBX: 00000040 ECX: 00000000 EDX: 0000000a
> ESI: f592dc00 EDI: f6a05800 EBP: f6705d4c ESP: f6705d28
>  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process modprobe (pid: 1899, ti=f6704000 task=f670c000 task.ti=f6704000)
> Stack: 00000000 f6705d5c f8c5b24a f6e61800 00000001 00080002 f592dc00 f67ac200 
>        f679856c f6705d58 f8c5a6ec f592dc00 f6705d6c f8c5b298 f6798564 f67ac200 
>        00000000 f6705dcc f8c6e2e8 f6ea2146 f6705da4 f74a3c00 00000004 00000008 
> Call Trace:
>  [<f8c5b24a>] ? snd_hda_codec_build_pcms+0x216/0x24c [snd_hda_codec]
>  [<f8c5a6ec>] ? snd_hda_codec_build_controls+0x20/0x3d [snd_hda_codec]
>  [<f8c5b298>] ? snd_hda_build_controls+0x18/0x67 [snd_hda_codec]
>  [<f8c6e2e8>] ? azx_probe+0x863/0x8fb [snd_hda_intel]
>  [<f8c6d91a>] ? azx_send_cmd+0x0/0x126 [snd_hda_intel]
>  [<f8c6d733>] ? azx_get_response+0x0/0x1e7 [snd_hda_intel]
>  [<f8c6cf50>] ? azx_attach_pcm_stream+0x0/0x15c [snd_hda_intel]
>  [<f8c6cc06>] ? azx_bus_reset+0x0/0x56 [snd_hda_intel]
>  [<f8c6caae>] ? azx_power_notify+0x0/0x57 [snd_hda_intel]
>  [<c01e7a37>] ? pci_device_probe+0x39/0x59
>  [<c024395f>] ? driver_probe_device+0xa0/0x136
>  [<c0243a50>] ? __driver_attach+0x5b/0x91
>  [<c024333c>] ? bus_for_each_dev+0x3b/0x63
>  [<c0243804>] ? driver_attach+0x14/0x16
>  [<c02439f5>] ? __driver_attach+0x0/0x91
>  [<c0242d3a>] ? bus_add_driver+0x9d/0x1ba
>  [<c0243bc4>] ? driver_register+0x47/0xa7
>  [<c0168681>] ? __vunmap+0x93/0x9b
>  [<c01e7bec>] ? __pci_register_driver+0x35/0x61
>  [<f8a4b017>] ? alsa_card_azx_init+0x17/0x19 [snd_hda_intel]
>  [<c0141f9c>] ? sys_init_module+0x18ad/0x19ca
>  [<c0109c77>] ? do_syscall_trace+0x138/0x17f
>  [<c0104a2e>] ? syscall_call+0x7/0xb
>  [<c02d0000>] ? pci_bus_size_bridges+0x362/0x36d
>  =======================
> Code: 0f b7 94 5f a4 02 00 00 b9 01 00 00 00 89 f0 43 e8 90 ef ff ff 3b 9f 9c 02 00 00 7c e3 f6 47 18 40 74 40 8b 87 08 01 00 00 31 c9 <0f> b7 10 89 f0 6a 00 68 01 07 00 00 e8 0c 1e fe ff 0f b7 97 28 
> EIP: [<f8c774ba>] stac92xx_init+0x280/0x504 [snd_hda_codec_idt] SS:ESP 0068:f6705d28
> ---[ end trace fc30bda5826e9f63 ]---
> 
> markup_oops output:
> 
> No vmlinux specified, assuming /lib/modules/2.6.25.20-114/build/vmlinux                                           
>                  */                                                                                               
>                 stac92xx_auto_set_pinctl(codec, spec->autocfg.line_out_pins[0],
>                                 AC_PINCTL_OUT_EN);
>                 /* fake event to set up pins */
>                 stac_issue_unsol_event(codec, spec->autocfg.hp_pins[0]);
>         } else {
>  f8c774a4:      3b 9f 9c 02 00 00       cmp    0x29c(%edi),%ebx    |  %edi = f6a05800  %ebx => 40
>  f8c774aa:      7c e3                   jl     f8c7748f <stac92xx_init+0x255>
>                 stac92xx_auto_init_multi_out(codec);
>                 stac92xx_auto_init_hp_out(codec);
>                 for (i = 0; i < cfg->hp_outs; i++)
>  f8c774ac:      f6 47 18 40             testb  $0x40,0x18(%edi)    |  %edi = f6a05800
>  f8c774b0:      74 40                   je     f8c774f2 <stac92xx_init+0x2b8>
>                         stac_toggle_power_map(codec, cfg->hp_pins[i], 1);
>         }
>  f8c774b2:      8b 87 08 01 00 00       mov    0x108(%edi),%eax    |  %edi = f6a05800  %eax => 0
>  f8c774b8:      31 c9                   xor    %ecx,%ecx           |  %ecx => 0
> *f8c774ba:      0f b7 10                movzwl (%eax),%edx         |  %eax = 0  %edx = a <--- faulting instruction
>  f8c774bd:      89 f0                   mov    %esi,%eax
>  f8c774bf:      6a 00                   push   $0x0
>  f8c774c1:      68 01 07 00 00          push   $0x701
>  f8c774c6:      e8 fc ff ff ff          call   f8c774c7 <stac92xx_init+0x28d>
>         if (spec->auto_mic) {
>                 /* initialize connection to analog input */
>  f8c774cb:      0f b7 97 28 01 00 00    movzwl 0x128(%edi),%edx
>  f8c774d2:      b9 06 00 00 00          mov    $0x6,%ecx
>  f8c774d7:      89 f0                   mov    %esi,%eax
>  f8c774d9:      e8 8d fc ff ff          call   f8c7716b <enable_pin_detect>
>  f8c774de:      59                      pop    %ecx
>  f8c774df:      5b                      pop    %ebx
>  f8c774e0:      85 c0                   test   %eax,%eax
>  f8c774e2:      74 0e                   je     f8c774f2 <stac92xx_init+0x2b8>
>                 snd_hda_codec_write_cache(codec, spec->dmux_nids[0], 0,
>  f8c774e4:      0f b7 97 28 01 00 00    movzwl 0x128(%edi),%edx
>  f8c774eb:      89 f0                   mov    %esi,%eax
>  f8c774ed:      e8 8d ed ff ff          call   f8c7627f <stac_issue_unsol_event>
>  f8c774f2:      c7 45 f0 00 00 00 00    movl   $0x0,-0x10(%ebp)
> ...
> 
> I had trouble decoding this faulty instruction to the current
> source code, but I've added some printk's to suspicious dereferences
> and told the guy to retry.

Could you load the module with the probe_only=1 option and give the
alsa-info.sh output (or at least the codec#* proc file)?


thanks,

Takashi
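
Added example, not part of the original message or of any ALSA or kernel tooling: a small Python triage of the oops quoted above that finds the faulting opcode marked `<..>` on the `Code:` line, decodes its ModRM byte, and checks that the base register is the NULL pointer. The function name `triage` and its result keys are this example's own, and only the register-indirect `0f b7` (movzx) form seen in this oops is decoded.

```python
import re

# Excerpt of the oops quoted in the message above; the Code: line is copied whole.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 00000000
EIP: 0060:[<f8c774ba>] EFLAGS: 00210246 CPU: 0
EIP is at stac92xx_init+0x280/0x504 [snd_hda_codec_idt]
EAX: 00000000 EBX: 00000040 ECX: 00000000 EDX: 0000000a
ESI: f592dc00 EDI: f6a05800 EBP: f6705d4c ESP: f6705d28
Code: 0f b7 94 5f a4 02 00 00 b9 01 00 00 00 89 f0 43 e8 90 ef ff ff 3b 9f 9c 02 00 00 7c e3 f6 47 18 40 74 40 8b 87 08 01 00 00 31 c9 <0f> b7 10 89 f0 6a 00 68 01 07 00 00 e8 0c 1e fe ff 0f b7 97 28
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # ModRM encoding order


def triage(oops):
    """Summarise an i386 oops: where it faulted and which register was the bad pointer."""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})\b", oops)}
    sym, off, _size, module = re.search(
        r"EIP is at (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+) \[(\w+)\]", oops).groups()
    eip = int(re.search(r"EIP: \w+:\[<([0-9a-f]+)>\]", oops).group(1), 16)
    code = re.search(r"^Code: (.*)$", oops, re.M).group(1).split()
    # The byte wrapped in <..> is the first byte of the faulting instruction (at EIP).
    idx = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = bytes(int(b.strip("<>"), 16) for b in code[idx:])
    out = {
        "symbol": sym, "offset": int(off, 16), "module": module,
        "fault_addr": int(re.search(r"dereference at ([0-9a-f]+)", oops).group(1), 16),
        "dump_start": eip - idx,            # address of the first byte on the Code: line
        "null_regs": [n for n, v in regs.items() if v == 0],
        "base_reg": None, "dest_reg": None, "effective_addr": None,
    }
    # Decode only movzx r32, r/m16 (0f b7 /r) with a plain register-indirect operand.
    if insn[:2] == b"\x0f\xb7" and len(insn) > 2:
        modrm = insn[2]
        mode, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mode == 0 and rm not in (4, 5):  # no SIB byte, no disp32-only form
            out["base_reg"], out["dest_reg"] = REG32[rm], REG32[reg]
            out["effective_addr"] = regs[REG32[rm]]
    return out


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key:15} {value}")
```

The computed `dump_start` lands on `stac92xx_init+0x255`, the same address as the `jl` target in the markup_oops listing, which is a quick consistency check that the `Code:` bytes and the disassembly describe the same region.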

