[alsa-devel] Memory corruption in ASoC

Mark Brown broonie at opensource.wolfsonmicro.com
Thu Mar 18 17:43:06 CET 2010


On Thu, Mar 18, 2010 at 05:17:55PM +0100, Daniel Mack wrote:

> So the first stream (PLAYBACK) already exported its dma_data which is
> now freed by the code initializing the second stream (CAPTURE).
> This corrupts all existing users of course, and in this particular case,
> the cleanup in __pxa2xx_pcm_hw_free() dereferences a pointer which is
> bogus.

> What I really don't understand is why this didn't crash a lot earlier
> for many more users.

> So how is this supposed to be fixed? Should dma_data become a member of
> some per-stream instance? I believe that also other platforms than PXA
> are actually affected - am I right?

It should really be per-substream, yes.

It's relatively hard to trigger problems on a lot of platforms since the
DAI data pointer is often only really used at stream setup, meaning that
triggering a problem requires that a system not only does simultaneous
playback and capture but also has overlapping startup of the two.  PXA
is also very rare in doing dynamic allocation here, most drivers use
statically allocated resources which would make any problems much less
obvious.

There are some more generic issues there to do with imposing constraints
but that's a separate thing.
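
The overlapping-startup case discussed in this thread, as an added user-space C model that is not part of the original message and is not ASoC or PXA driver code. All struct and function names are hypothetical, and a flag-marking pool stands in for the allocator so the stale pointer can be observed without actually touching freed memory.

```c
#include <stdio.h>

enum { PLAYBACK, CAPTURE, NSTREAMS };

struct dma_params { int stream; int live; };   /* live == 0 means "freed" */
struct dai { struct dma_params *dma_data[NSTREAMS]; };

/* Constructed allocator model: "free" only clears a flag, so a stale
 * pointer can be inspected safely instead of being used after free(). */
static struct dma_params pool[8];
static unsigned pool_next;

static struct dma_params *model_alloc(int stream)
{
    struct dma_params *p = &pool[pool_next++ % 8];
    p->stream = stream;
    p->live = 1;
    return p;
}

static void model_free(struct dma_params *p) { if (p) p->live = 0; }

/* Stream startup. With per_substream == 0 both directions share slot 0
 * (the layout the thread describes); with 1 each direction has its own. */
static struct dma_params *startup(struct dai *dai, int stream, int per_substream)
{
    struct dma_params **slot = &dai->dma_data[per_substream ? stream : 0];
    model_free(*slot);              /* releases whatever was exported here */
    return *slot = model_alloc(stream);
}

/* Returns 1 if the pointer handed to the playback stream is still valid
 * after capture startup overlaps with it, 0 if it has been freed. */
int playback_survives(int per_substream)
{
    struct dai dai = { { 0 } };
    struct dma_params *pb = startup(&dai, PLAYBACK, per_substream);
    startup(&dai, CAPTURE, per_substream);
    return pb->live;
}

int main(void)
{
    printf("shared slot: %d, per-substream slot: %d\n",
           playback_survives(0), playback_survives(1));
    return 0;
}
```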

