From: xiao jin jin.xiao@intel.com
After start of fe and be, fe might go to close without triggering STOP, and substream->runtime is freed. However, be is still at START state and its substream->runtime still points to the freed runtime.
Later on, FE is opened/started again, and triggers STOP. snd_pcm_do_stop => dpcm_fe_dai_trigger => dpcm_fe_dai_do_trigger => dpcm_be_dai_trigger => dpcm_do_trigger => soc_pcm_trigger => skl_platform_pcm_trigger skl_platform_pcm_trigger accesses the freed old runtime data and kernel panic.
The patch fixes it by assigning be_substream->runtime in dpcm_be_dai_startup when be's state is START.
Signed-off-by: xiao jin jin.xiao@intel.com Signed-off-by: Zhang Yanmin yanmin.zhang@intel.com Signed-off-by: Eugeniu Rosca erosca@de.adit-jv.com --- sound/soc/soc-pcm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c index 4f60c0a83311..6ca1d02065ce 100644 --- a/sound/soc/soc-pcm.c +++ b/sound/soc/soc-pcm.c @@ -1608,6 +1608,8 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) if (be->dpcm[stream].users++ != 0) continue;
+ be_substream->runtime = be->dpcm[stream].runtime; + if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_NEW) && (be->dpcm[stream].state != SND_SOC_DPCM_STATE_CLOSE)) continue; @@ -1615,7 +1617,6 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) dev_dbg(be->dev, "ASoC: open %s BE %s\n", stream ? "capture" : "playback", be->dai_link->name);
- be_substream->runtime = be->dpcm[stream].runtime; err = __soc_pcm_open(be, be_substream); if (err < 0) { be->dpcm[stream].users--;