[alsa-devel] ALSA sound core device deinit crash

Takashi Iwai tiwai at suse.de
Fri Jul 8 07:28:32 CEST 2016 

On Fri, 08 Jul 2016 07:19:05 +0200,
b_lkasam at codeaurora.org wrote:
> 
> Hi Alsa team,
> There is kernel crash observed when soundcard register failure case as
> below ->
> 
> diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c old mode
> 100644 new mode 100755 index 0495890..60a1eb0
> --- a/sound/soc/soc-core.c
> +++ b/sound/soc/soc-core.c
> @@ -1382,6 +1382,7 @@ static int soc_probe_link_dais(struct
> snd_soc_card *card, int num, int order)
> /* do machine specific initialization */ if (dai_link->init) { ret =
> dai_link->init(rtd);
> + ret = -ENODEV; //  -> we can force error here to reproduce crash
> easily.
> if (ret < 0) {
> dev_err(card->dev, "ASoC: failed to init %s: %d\n", dai_link->name,
> ret);
> 
> If sound card fails at initialize at above, it is crashing in
> pcm_chmap_ctl_private_free().
> 
> <1>[   40.646642] [01-01-2016 00:07:16 CPU:0x3] Unable to handle kernel
> paging request at virtual address ffffffc0da644b68
> <1>[   40.646664] [01-01-2016 00:07:16 CPU:0x3] pgd = ffffffc001d28000
> <1>[   40.646673] [01-01-2016 00:07:16 CPU:0x3] [ffffffc0da644b68]
> *pgd=00000000857fc003, *pud=00000000857fc003, *pmd=000000017ddd8003,
> *pte=00c000015a644793
> <0>[   40.646697] [01-01-2016 00:07:16 CPU:0x3] Internal error: Oops:
> 9600004f [#1] PREEMPT SMP
> <6>[   40.646708] [01-01-2016 00:07:16 CPU:0x3] Modules linked in:
> brcm_bt_drv fm_drv brcm_hci_ldisc texfat(PO)
> <6>[   40.646735] [01-01-2016 00:07:16 CPU:0x3] CPU: 3 PID: 299 Comm:
> kworker/u8:8 Tainted: P           O   3.18.24-g41b2dda2-00002-gbe25a74
> #1
> <6>[   40.646744] [01-01-2016 00:07:16 CPU:0x3] Hardware name: Qualcomm
> Technologies, Inc. MSM 8996 v3.x + PMI8996 MTP (DT)
> <6>[   40.646763] [01-01-2016 00:07:16 CPU:0x3] Workqueue: deferwq
> deferred_probe_work_func
> <6>[   40.646773] [01-01-2016 00:07:16 CPU:0x3] task: ffffffc0e951c880
> ti: ffffffc03368c000 task.ti: ffffffc03368c000
> <6>[   40.646787] [01-01-2016 00:07:16 CPU:0x3] PC is at
> pcm_chmap_ctl_private_free+0x1c/0x2c
> <6>[   40.646798] [01-01-2016 00:07:16 CPU:0x3] LR is at
> snd_ctl_free_one+0x20/0x34
> 
> 
> FIX:
> 
> Can you look at the change below and share your comments on this?
> diff --git a/sound/core/device.c b/sound/core/device.c old mode 100644
> new mode 100755 index 41bec30..eaffde1
> --- a/sound/core/device.c
> +++ b/sound/core/device.c
> @@ -219,6 +219,7 @@ void snd_device_free_all(struct snd_card *card)
> 
>           if (snd_BUG_ON(!card))
>                   return;
> -       list_for_each_entry_safe_reverse(dev, next, &card->devices,
> list)
> +               list_for_each_entry_safe(dev, next, &card->devices,
> list)
>                   __snd_device_free(dev); }
> 
> 
> Since control sound device has the lowest type value
> (SNDRV_DEV_CONTROL), it will be the first entry linked in the
> card->devices linked list head and will be the last one to be freed.
> 
> This issue seems to be resolved by modifying the sequence the sound
> devices in the card->devices list are freed as shown below (from
> “prev”
> direction to “next” direction) but I’m not sure if this is a right
> approach from ALSA perspective.

This doesn't look correct.  The strange thing is that this error
shouldn't happen no matter which free loop direction is.  The chmap
ctl should have been already removed by the disconnection before
freeing.  It means that either the disconnection isn't done properly
or something else is missing.

Could you give the full stack trace?  It's important to know which
code path triggers it.


thanks,

Takashi

More information about the Alsa-devel mailing list