[alsa-devel] [PATCH] ASoC: Intel: Skylake: Acquire irq after RIRB allocation
Cold reboot stress test found that the hda irq could access rirb ring buffer before its memory gets allocated, which results in a null pointer dereference inside snd_hdac_bus_update_rirb().
Fix it by moving the skl_acquire_irq after ring buffer allocation. While here, also change err return from -EBUSY to actual error code.
Signed-off-by: Yong Zhi yong.zhi@intel.com
---
 sound/soc/intel/skylake/skl.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c index dce649485649..cf09721ca13e 100644 --- a/sound/soc/intel/skylake/skl.c +++ b/sound/soc/intel/skylake/skl.c @@ -838,11 +838,7 @@ static int skl_first_init(struct hdac_bus *bus)
snd_hdac_bus_parse_capabilities(bus);
- if (skl_acquire_irq(bus, 0) < 0) - return -EBUSY; - pci_set_master(pci); - synchronize_irq(bus->irq);
gcap = snd_hdac_chip_readw(bus, GCAP); dev_dbg(bus->dev, "chipset global capabilities = 0x%x\n", gcap); @@ -875,6 +871,12 @@ static int skl_first_init(struct hdac_bus *bus) if (err < 0) return err;
+ err = skl_acquire_irq(bus, 0); + if (err < 0) + return err; + + synchronize_irq(bus->irq); + /* initialize chip */ skl_init_pci(skl);
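Review bot: the new `return err` after `skl_acquire_irq(bus, 0)` in the second hunk now comes after the ring buffer allocation whose `if (err < 0) return err;` precedes it, and nothing in the hunk releases that allocation on this path. Confirm that the caller's failure path frees what skl_first_init() allocated earlier, or unwind it here before returning.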
On 8/13/18 6:15 PM, Yong Zhi wrote:
> Cold reboot stress test found that the hda irq could access rirb ring buffer before its memory gets allocated, which results in a null pointer dereference inside snd_hdac_bus_update_rirb().
> Fix it by moving the skl_acquire_irq after ring buffer allocation. While here, also change err return from -EBUSY to actual error code.
I am not that familiar with PCI gory details but that patch was reviewed internally with no objections raised; there was also an agreement that the SOF driver would follow the same sequence, so
Acked-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com
> Signed-off-by: Yong Zhi yong.zhi@intel.com
> sound/soc/intel/skylake/skl.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c index dce649485649..cf09721ca13e 100644 --- a/sound/soc/intel/skylake/skl.c +++ b/sound/soc/intel/skylake/skl.c @@ -838,11 +838,7 @@ static int skl_first_init(struct hdac_bus *bus)
snd_hdac_bus_parse_capabilities(bus);
if (skl_acquire_irq(bus, 0) < 0)
return -EBUSY;
pci_set_master(pci);
synchronize_irq(bus->irq);
gcap = snd_hdac_chip_readw(bus, GCAP); dev_dbg(bus->dev, "chipset global capabilities = 0x%x\n", gcap);
@@ -875,6 +871,12 @@ static int skl_first_init(struct hdac_bus *bus) if (err < 0) return err;
- err = skl_acquire_irq(bus, 0);
- if (err < 0)
return err;
- synchronize_irq(bus->irq);
- /* initialize chip */ skl_init_pci(skl);
On Tue, 14 Aug 2018 16:50:51 +0200, Pierre-Louis Bossart wrote:
> On 8/13/18 6:15 PM, Yong Zhi wrote:
>> Cold reboot stress test found that the hda irq could access rirb ring buffer before its memory gets allocated, which results in a null pointer dereference inside snd_hdac_bus_update_rirb().
>> Fix it by moving the skl_acquire_irq after ring buffer allocation. While here, also change err return from -EBUSY to actual error code.
> I am not that familiar with PCI gory details but that patch was reviewed internally with no objections raised; there was also an agreement that the SOF driver would follow the same sequence, so
> Acked-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com
It's a standard idiom for a driver allocating a shared irq line. Because an irq may be issued by another device on the same line, the registered irq handler may be kicked off before the registers or whatever else is ready for use, eventually leading to some Oops.
The destructor is the other way round; first free the irq handler, then release the rest of the resources.
Takashi
>> Signed-off-by: Yong Zhi yong.zhi@intel.com
>> sound/soc/intel/skylake/skl.c | 10 ++++++----
>> 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c index dce649485649..cf09721ca13e 100644 --- a/sound/soc/intel/skylake/skl.c +++ b/sound/soc/intel/skylake/skl.c @@ -838,11 +838,7 @@ static int skl_first_init(struct hdac_bus *bus) snd_hdac_bus_parse_capabilities(bus);
- if (skl_acquire_irq(bus, 0) < 0)
return -EBUSY;
- pci_set_master(pci);
- synchronize_irq(bus->irq); gcap = snd_hdac_chip_readw(bus, GCAP); dev_dbg(bus->dev, "chipset global capabilities = 0x%x\n", gcap);
@@ -875,6 +871,12 @@ static int skl_first_init(struct hdac_bus *bus) if (err < 0) return err;
- err = skl_acquire_irq(bus, 0);
- if (err < 0)
return err;
- synchronize_irq(bus->irq);
- /* initialize chip */ skl_init_pci(skl);
On Tue, Aug 14, 2018 at 05:16:38PM +0200, Takashi Iwai wrote:
> Pierre-Louis Bossart wrote:
>> I am not that familiar with PCI gory details but that patch was reviewed internally with no objections raised; there was also an agreement that the SOF driver would follow the same sequence, so
> It's a standard idiom for a driver allocating a shared irq line. Because an irq may be issued by another device on the same line, the registered irq handler may be kicked off before the registers or whatever else is ready for use, eventually leading to some Oops.
> The destructor is the other way round; first free the irq handler, then release the rest of the resources.
Right, it's nothing to do with PCI specifically. We even have a debug option in the kernel which will simulate the interrupt firing on potentially shared lines immediately on registering to try to catch such bugs.
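The ordering rule discussed in the replies above, as a userspace model added here for illustration (not code from the thread or from the driver). `fake_bus`, `fake_request_irq`, `shared_line_fires` and `run_lifecycle` are hypothetical names, and the interrupt fired at registration time stands in for a shared line or for the debug option mentioned above.

```c
#include <stdio.h>
#include <stdlib.h>
struct fake_bus {
	unsigned int *rirb;         /* ring buffer; NULL until allocated */
	int irq_registered, faults; /* faults: would-be NULL dereferences */
};

/* Another device on the shared line interrupts. A real handler would read
 * the ring unconditionally; the model counts that instead of crashing. */
static void shared_line_fires(struct fake_bus *bus)
{
	if (bus->irq_registered && bus->rirb)
		bus->rirb[0]++;
	else if (bus->irq_registered)
		bus->faults++;
}

/* request_irq() stand-in: the handler may run the moment it is registered. */
static void fake_request_irq(struct fake_bus *bus)
{
	bus->irq_registered = 1;
	shared_line_fires(bus);
}

/* irq_first: pre-patch init order. free_buf_first: wrong teardown order. */
int run_lifecycle(int irq_first, int free_buf_first)
{
	struct fake_bus bus = { 0 };
	if (irq_first)
		fake_request_irq(&bus);
	bus.rirb = calloc(16, sizeof(*bus.rirb));
	if (!bus.rirb)
		return -1;
	if (!irq_first)
		fake_request_irq(&bus);
	if (free_buf_first) {
		free(bus.rirb);
		bus.rirb = NULL;
		shared_line_fires(&bus); /* handler is still registered */
	}
	bus.irq_registered = 0;          /* free_irq() stand-in */
	free(bus.rirb);
	return bus.faults;               /* 0 only when both orders are right */
}

int main(void)
{
	printf("%d %d %d\n", run_lifecycle(1, 0), run_lifecycle(0, 0), run_lifecycle(0, 1));
	return 0;
}
```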
The patch
ASoC: Intel: Skylake: Acquire irq after RIRB allocation
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
From 12eeeb4f4733bbc4481d01df35933fc15beb8b19 Mon Sep 17 00:00:00 2001
From: Yong Zhi yong.zhi@intel.com
Date: Mon, 13 Aug 2018 18:15:14 -0500
Subject: [PATCH] ASoC: Intel: Skylake: Acquire irq after RIRB allocation
Cold reboot stress test found that the hda irq could access rirb ring buffer before its memory gets allocated, which results in a null pointer dereference inside snd_hdac_bus_update_rirb().
Fix it by moving the skl_acquire_irq after ring buffer allocation. While here, also change err return from -EBUSY to actual error code.
Signed-off-by: Yong Zhi yong.zhi@intel.com
Acked-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown broonie@kernel.org
---
 sound/soc/intel/skylake/skl.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c index dce649485649..cf09721ca13e 100644 --- a/sound/soc/intel/skylake/skl.c +++ b/sound/soc/intel/skylake/skl.c @@ -838,11 +838,7 @@ static int skl_first_init(struct hdac_bus *bus)
snd_hdac_bus_parse_capabilities(bus);
- if (skl_acquire_irq(bus, 0) < 0) - return -EBUSY; - pci_set_master(pci); - synchronize_irq(bus->irq);
gcap = snd_hdac_chip_readw(bus, GCAP); dev_dbg(bus->dev, "chipset global capabilities = 0x%x\n", gcap); @@ -875,6 +871,12 @@ static int skl_first_init(struct hdac_bus *bus) if (err < 0) return err;
+ err = skl_acquire_irq(bus, 0); + if (err < 0) + return err; + + synchronize_irq(bus->irq); + /* initialize chip */ skl_init_pci(skl);
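Review bot: the relocated `skl_acquire_irq(bus, 0)` call in the second hunk carries no comment saying why it has to follow the RIRB allocation. A one-line comment above it, noting that the handler can run as soon as it is registered, would keep a later cleanup from moving the call back up beside snd_hdac_bus_parse_capabilities().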