On Fri, 05 Feb 2021 22:02:16 +0100, Mikhail Gavrilov wrote:
Hi folks. On 5.11-rc6 (git 3aaf0a27ffc2) I caught a new issue. For an unknown reason, the sound disappeared in my HyperX Orbit S headset. But after reconnecting to another USB port, the headset stopped being detected as a USB device in dmesg, and a record about the bug KASAN: use-after-free appeared in the log.
[37920.370627] xhci_hcd 0000:06:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0013 address=0xfe836480 flags=0x0000]
[37920.370720] xhci_hcd 0000:06:00.3: WARNING: Host System Error
[37925.514865] xhci_hcd 0000:06:00.3: xHCI host not responding to stop endpoint command.
[37925.514875] xhci_hcd 0000:06:00.3: USBSTS: HCHalted HSE EINT HCE
[37925.514883] xhci_hcd 0000:06:00.3: xHCI host controller not responding, assume dead
[37925.515700] xhci_hcd 0000:06:00.3: HC died; cleaning up
[37925.515760] usb 3-1: USB disconnect, device number 2
[37925.515765] usb 3-1.1: USB disconnect, device number 5
[37925.515896] ==================================================================
[37925.515899] BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio]
[37925.515919] Read of size 8 at addr ffff88813a264260 by task kworker/19:0/649395
[37925.515926] CPU: 19 PID: 649395 Comm: kworker/19:0 Tainted: G W --------- --- 5.11.0-0.rc6.20210203git3aaf0a27ffc2.144.fc34.x86_64 #1
[37925.515930] Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 3402 01/13/2021
[37925.515934] Workqueue: usb_hub_wq hub_event
[37925.515940] Call Trace:
[37925.515943] <IRQ>
[37925.515945] dump_stack+0xae/0xe5
[37925.515955] print_address_description.constprop.0+0x18/0x160
[37925.515960] ? snd_complete_urb+0x109e/0x1740 [snd_usb_audio]
(snip)
This must be a stray URB processed after the disconnection. Does the patch below help?
thanks,
Takashi
--- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -127,6 +127,8 @@ static void snd_usb_stream_disconnect(struct snd_usb_stream *as) subs = &as->substream[idx]; if (!subs->num_formats) continue; + snd_usb_endpoint_sync_pending_stop(subs->sync_endpoint); + snd_usb_endpoint_sync_pending_stop(subs->data_endpoint); subs->data_endpoint = NULL; subs->sync_endpoint = NULL; }
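Review bot: the two added snd_usb_endpoint_sync_pending_stop() calls in snd_usb_stream_disconnect() pass subs->sync_endpoint and subs->data_endpoint unconditionally, yet the lines right after them set both pointers to NULL, so a substream that reaches this loop with either pointer already NULL would hand the helper a NULL argument. Please confirm the helper tolerates NULL, or guard each call. A short comment above the calls stating that pending URBs must be drained before the endpoint pointers are dropped would record why the ordering matters. It is also worth checking that the wait is bounded, since the log in this report shows the host controller already dead when the disconnect runs.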