[alsa-devel] [regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.
Hi, in linux 5.0-rc there is a regression regarding snd_soc_simple_card. Since updating from 4.20 there is a new error appearing in the kernel log, although sound works fine and the system is stable.
The issue has not been bisected, but it probably lies at or around this commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
The DT node referred to in the trace below is: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch...
The kernel comes from the ArchLinuxArm distribution, its configuration is: https://archlinuxarm.org/packages/aarch64/linux-aarch64-rc/files/config
This trace is from "dmesg -tl1,2,3,4":
OF: ERROR: Bad of_node_put() on /hdmi-sound
CPU: 2 PID: 370 Comm: kworker/2:2 Tainted: G C 5.0.0-rc6-1-ARCH #1
Hardware name: Sapphire-RK3399 Board (DT)
Workqueue: events deferred_probe_work_func
Call trace:
dump_backtrace+0x0/0x1b8
show_stack+0x24/0x30
dump_stack+0x98/0xbc
of_node_release+0xd0/0xd8
kobject_put+0x8c/0x1f0
of_node_put+0x24/0x30
__of_get_next_child+0x50/0x70
of_get_next_child+0x64/0x90
asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
platform_drv_probe+0x58/0xa8
really_probe+0x1f0/0x3d8
driver_probe_device+0xe4/0x138
__device_attach_driver+0xb4/0x140
bus_for_each_drv+0x8c/0xd8
__device_attach+0xdc/0x158
device_initial_probe+0x24/0x30
bus_probe_device+0x9c/0xa8
deferred_probe_work_func+0xa0/0xf0
process_one_work+0x1ac/0x400
worker_thread+0x50/0x488
kthread+0x130/0x138
ret_from_fork+0x10/0x1c
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 370 at lib/refcount.c:187 refcount_sub_and_test_checked+0xb8/0xd0
Modules linked in: snd_soc_hdmi_codec rockchip_vpu(C+) rockchip_rga videobuf2_dma_contig videobuf2_dma_sg v4l2_mem2mem videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common rc_cec snd_soc_simple_card realtek snd_soc_rockchip_i2s snd_soc_simple_card_utils snd_soc_rockchip_pcm dw_hdmi_cec dw_hdmi_i2s_audio dw_wdt videodev rtc_rk808 media hid_kensington dwmac_rk rockchip_saradc rockchip_thermal stmmac_platform stmmac squashfs loop crypto_user gpio_keys rockchipdrm analogix_dp dw_hdmi cec rc_core dw_mipi_dsi drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm drm_panel_orientation_quirks
CPU: 2 PID: 370 Comm: kworker/2:2 Tainted: G C 5.0.0-rc6-1-ARCH #1
Hardware name: Sapphire-RK3399 Board (DT)
Workqueue: events deferred_probe_work_func
pstate: 80000085 (Nzcv daIf -PAN -UAO)
pc : refcount_sub_and_test_checked+0xb8/0xd0
lr : refcount_sub_and_test_checked+0xb8/0xd0
sp : ffff000012d9ba20
x29: ffff000012d9ba20 x28: 0000000000000000
x27: 0000000000000002 x26: 0000000000000001
x25: ffff0000115ad6c8 x24: ffff0000090bb428
x23: ffff8000f781a740 x22: 0000000000000000
x21: ffff8000f781a740 x20: ffff8000f781a740
x19: ffff8000f781a790 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: ffffffffffffffff x14: 0000000000000003
x13: 0000000000000000 x12: ffff000011810000
x11: ffff0000115d6000 x10: ffff000011810f48
x9 : 0000000000000000 x8 : ffff00001181f170
x7 : 0000000000000000 x6 : 0000000000000001
x5 : 0000000000000000 x4 : 0000000000000001
x3 : 0000000000000007 x2 : 0000000000000007
x1 : 86b2dbbfc7425b00 x0 : 0000000000000000
Call trace:
refcount_sub_and_test_checked+0xb8/0xd0
refcount_dec_and_test_checked+0x14/0x20
kobject_put+0x24/0x1f0
of_node_put+0x24/0x30
__of_get_next_child+0x50/0x70
of_get_next_child+0x64/0x90
asoc_simple_card_probe+0x544/0x6b0 [snd_soc_simple_card]
platform_drv_probe+0x58/0xa8
really_probe+0x1f0/0x3d8
driver_probe_device+0xe4/0x138
__device_attach_driver+0xb4/0x140
bus_for_each_drv+0x8c/0xd8
__device_attach+0xdc/0x158
device_initial_probe+0x24/0x30
bus_probe_device+0x9c/0xa8
deferred_probe_work_func+0xa0/0xf0
process_one_work+0x1ac/0x400
worker_thread+0x50/0x488
kthread+0x130/0x138
ret_from_fork+0x10/0x1c
---[ end trace ae290e9394a14a2f ]---
asoc-simple-card hdmi-sound: ASoC: no DMI vendor name!
Regards, Vicente.
Hi Vicente
Thank you for your report.
> of_node_put+0x24/0x30
> __of_get_next_child+0x50/0x70
> of_get_next_child+0x64/0x90
> asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> platform_drv_probe+0x58/0xa8
I can't reproduce this issue, but according to this back-trace, I *guess* of_get_child_count() at asoc_simple_card_parse_of() is the issue (= we need of_node_get(node) before it) ?
If so, what we need to fix is not simple-card but of.h, I think, like this patch:
c0a480d1acf7dc184f9f3e7cf724483b0d28dc2e ("device property: Fix usecount for of_graph_get_port_parent()")
Best regards
---
Kuninori Morimoto
Hi Vicente, again
> > of_node_put+0x24/0x30
> > __of_get_next_child+0x50/0x70
> > of_get_next_child+0x64/0x90
> > asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> > platform_drv_probe+0x58/0xa8
> I can't reproduce this issue, but according to this back-trace, I *guess* of_get_child_count() at asoc_simple_card_parse_of() is the issue (= we need of_node_get(node) before it) ?
I could reproduce this issue. Thank you for reporting. I will post fixup patch soon. Please check it.
Best regards
---
Kuninori Morimoto
On Fri, Feb 15, 2019 at 8:41 AM Kuninori Morimoto kuninori.morimoto.gx@renesas.com wrote:
> Hi Vicente, again
> > > of_node_put+0x24/0x30
> > > __of_get_next_child+0x50/0x70
> > > of_get_next_child+0x64/0x90
> > > asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> > > platform_drv_probe+0x58/0xa8
> > I can't reproduce this issue, but according to this back-trace, I *guess* of_get_child_count() at asoc_simple_card_parse_of() is the issue (= we need of_node_get(node) before it) ?
> I could reproduce this issue. Thank you for reporting. I will post fixup patch soon. Please check it.
Hi Kuninori, Vicente,
I think I'm experiencing the same issue.
Kuninori,
The patch that you've sent is on an older kernel (from December) and the code has changed but the problem remains in another form.
I'm having a look at this. Not sure if it is a problem from ASoC or from OF core.
[ 1.246852] OF: ERROR: Bad of_node_put() on /sound-wm8524
[ 1.252259] CPU: 3 PID: 26 Comm: kworker/3:0 Not tainted 5.0.0-rc6-next-20190215-00002-g6e04e67e1342-dirty #32
[ 1.262261] Hardware name: NXP i.MX8MQ EVK (DT)
[ 1.266807] Workqueue: events deferred_probe_work_func
[ 1.271950] Call trace:
[ 1.274406] dump_backtrace+0x0/0x158
[ 1.278074] show_stack+0x14/0x20
[ 1.281396] dump_stack+0xa8/0xcc
[ 1.284717] of_node_release+0xb0/0xc8
[ 1.288474] kobject_put+0x74/0xf0
[ 1.291879] of_node_put+0x14/0x28
[ 1.295286] __of_get_next_child+0x44/0x70
[ 1.299387] of_get_next_child+0x3c/0x60
[ 1.303315] simple_for_each_link+0x1dc/0x230
[ 1.307676] simple_probe+0x80/0x540
[ 1.311256] platform_drv_probe+0x50/0xa0
[ 1.315270] really_probe+0x20c/0x2c0
[ 1.318936] driver_probe_device+0x58/0x108
[ 1.323124] __device_attach_driver+0x94/0xb8
[ 1.327485] bus_for_each_drv+0x68/0xd0
[ 1.331325] __device_attach+0xd8/0x140
[ 1.335165] device_initial_probe+0x10/0x18
[ 1.339352] bus_probe_device+0x94/0xa0
[ 1.343193] deferred_probe_work_func+0x70/0xa8
[ 1.347730] process_one_work+0x1e8/0x330
[ 1.351744] worker_thread+0x40/0x448
[ 1.355411] kthread+0x124/0x128
[ 1.358643] ret_from_fork+0x10/0x18
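Added example, not part of any message in this thread and not kernel code: a user-space model of the iterator contract that all the traces above run through, where `of_get_next_child()` takes a reference on the node it returns and drops one on `prev`. It assumes, in line with the `of_node_get()` guess made earlier in the thread, a caller that hands the iterator a cursor node it holds no reference on; `struct node`, `walk_errors()` and the two-node tree are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical user-space stand-in for struct device_node; not kernel code. */
struct node {
    int refcount;        /* models the kobject reference count */
    int bad_release;     /* count reached 0 while the node is still in the tree */
    int underflow;       /* put on a count that was already 0 */
    struct node *child, *sibling;
};

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }

static void node_put(struct node *n)
{
    if (!n) return;
    if (n->refcount == 0) { n->underflow++; return; }  /* "refcount_t: underflow" */
    if (--n->refcount == 0) n->bad_release++;          /* "Bad of_node_put()" */
}

/* Same contract as of_get_next_child(): get the next node, put prev. */
static struct node *get_next_child(struct node *parent, struct node *prev)
{
    struct node *next = prev ? prev->sibling : parent->child;
    node_get(next);
    node_put(prev);
    return next;
}

/* Two walks starting from a cursor node (constructed two-node tree).
 * take_ref = 0: cursor is a borrowed pointer; 1: caller took its own reference. */
static int walk_errors(int take_ref)
{
    struct node card = { 1, 0, 0, NULL, NULL };  /* 1 = reference held by the tree */
    struct node root = { 1, 0, 0, &card, NULL };

    for (int pass = 0; pass < 2; pass++) {
        struct node *cur = take_ref ? node_get(&card) : &card;
        while (cur)
            cur = get_next_child(&root, cur);    /* drops one reference on cur */
    }
    return card.bad_release + card.underflow;
}

int main(void)
{
    printf("borrowed cursor: %d error(s)\n", walk_errors(0));
    printf("owned cursor:    %d error(s)\n", walk_errors(1));
    return 0;
}
```

With the borrowed cursor the first walk drops the tree's own reference (the "Bad of_node_put()" case) and the second walk underflows, the same order in which the two messages appear in the first report.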
participants (3)
- Daniel Baluta
- Kuninori Morimoto
- Vicente Bergas