Oops with "ALSA: jack: implement software jack injection via debugfs"
commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") is causing issues for our CI as we see a use-after-free on module unload (on all machines):
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_9715/fi-skl-6700k2/pstore0-1...
<4> [241.294412] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6c13: 0000 [#1] PREEMPT SMP PTI
<4> [241.294424] CPU: 7 PID: 5820 Comm: i915_module_loa Not tainted 5.11.0-rc6-CI-CI_DRM_9715+ #1
<4> [241.294432] Hardware name: System manufacturer System Product Name/Z170 PRO GAMING, BIOS 0802 09/02/2015
<4> [241.294438] RIP: 0010:__lock_acquire+0x61a/0x25a0
<4> [241.294444] Code: 00 00 83 f8 2f 0f 87 a0 00 00 00 3b 05 97 61 07 02 c7 44 24 18 01 00 00 00 0f 86 d4 00 00 00 89 05 83 61 07 02 e9 c9 00 00 00 <48> 81 3f 80 14 d9 82 41 bc 00 00 00 00 45 0f 45 e0 83 fe 01 0f 87
<4> [241.294451] RSP: 0018:ffffc90000e77b78 EFLAGS: 00010002
<4> [241.294454] RAX: 0000000000000000 RBX: ffff888137d50040 RCX: 0000000000000000
<4> [241.294458] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6c13
<4> [241.294461] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
<4> [241.294464] R10: 0000000000000001 R11: 00000000d2337ff6 R12: 0000000000000001
<4> [241.294467] R13: 0000000000000000 R14: 0000000000000000 R15: 6b6b6b6b6b6b6c13
<4> [241.294470] FS: 00007f0e00616e40(0000) GS:ffff88824db80000(0000) knlGS:0000000000000000
<4> [241.294474] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [241.294477] CR2: 00007f375bda2cb0 CR3: 000000010ddd6001 CR4: 00000000003706e0
<4> [241.294480] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4> [241.294483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
<4> [241.294486] Call Trace:
<4> [241.294489] lock_acquire+0xd0/0x3b0
<4> [241.294493] ? lockref_get+0x9/0x20
<4> [241.294498] _raw_spin_lock+0x2a/0x40
<4> [241.294501] ? lockref_get+0x9/0x20
<4> [241.294505] lockref_get+0x9/0x20
<4> [241.294508] simple_recursive_removal+0x31/0x2a0
<4> [241.294511] ? debugfs_remove+0x50/0x50
<4> [241.294515] ? _raw_spin_unlock+0x24/0x40
<4> [241.294519] debugfs_remove+0x3b/0x50
<4> [241.294522] snd_card_free+0x76/0xa0
<4> [241.294527] pci_device_remove+0x36/0xb0
<4> [241.294531] device_release_driver_internal+0xf2/0x1d0
<4> [241.294820] unbind_store+0xeb/0x120
<4> [241.294824] kernfs_fop_write_iter+0x11d/0x1c0
<4> [241.294828] new_sync_write+0x11d/0x1b0
<4> [241.294832] vfs_write+0x260/0x390
<4> [241.294835] ksys_write+0x5a/0xd0
<4> [241.294838] do_syscall_64+0x33/0x80
<4> [241.294842] entry_SYSCALL_64_after_hwframe+0x44/0xa9
<4> [241.294845] RIP: 0033:0x7f0dffd80281
<4> [241.294848] Code: c3 0f 1f 84 00 00 00 00 00 48 8b 05 59 8d 20 00 c3 0f 1f 84 00 00 00 00 00 8b 05 8a d1 20 00 85 c0 75 16 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 41 54 55 49 89 d4 53
<4> [241.294855] RSP: 002b:00007fff5a3a9c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
<4> [241.294860] RAX: ffffffffffffffda RBX: 0000555708dc2cf0 RCX: 00007f0dffd80281
<4> [241.294863] RDX: 000000000000000c RSI: 0000555708dc2ddb RDI: 0000000000000006
<4> [241.294866] RBP: 00007fff5a3a9d20 R08: 0000555708dc2ddb R09: 000000000000000c
<4> [241.294869] R10: 00000000fffffff4 R11: 0000000000000246 R12: 00007fff5a3a9c90
<4> [241.294872] R13: 00007f0e00007b18 R14: 0000000000000006 R15: 0000555708dc2ddb
<4> [241.294877] Modules linked in: vgem snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio i915 mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul snd_hda_intel snd_intel_dspcfg ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core e1000e mei_me snd_pcm mei ptp pps_core prime_numbers [last unloaded: vgem]
<4> [241.294901] ---[ end trace 98e116c0344cf275 ]---
<4> [242.399691] RIP: 0010:__lock_acquire+0x61a/0x25a0
<4> [242.399698] Code: 00 00 83 f8 2f 0f 87 a0 00 00 00 3b 05 97 61 07 02 c7 44 24 18 01 00 00 00 0f 86 d4 00 00 00 89 05 83 61 07 02 e9 c9 00 00 00 <48> 81 3f 80 14 d9 82 41 bc 00 00 00 00 45 0f 45 e0 83 fe 01 0f 87
<4> [242.399705] RSP: 0018:ffffc90000e77b78 EFLAGS: 00010002
<4> [242.399709] RAX: 0000000000000000 RBX: ffff888137d50040 RCX: 0000000000000000
<4> [242.399713] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6c13
<4> [242.399716] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
<4> [242.399719] R10: 0000000000000001 R11: 00000000d2337ff6 R12: 0000000000000001
<4> [242.399722] R13: 0000000000000000 R14: 0000000000000000 R15: 6b6b6b6b6b6b6c13
<4> [242.399725] FS: 00007f0e00616e40(0000) GS:ffff88824db80000(0000) knlGS:0000000000000000
<4> [242.399729] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [242.399732] CR2: 00007f375bda2cb0 CR3: 000000010ddd6001 CR4: 00000000003706e0
<4> [242.399735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4> [242.399739] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
<6> [242.399742] note: i915_module_loa[5820] exited with preempt_count 1
<3> [242.399745] BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49
<3> [242.399749] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 5820, name: i915_module_loa
<4> [242.399753] INFO: lockdep is turned off.
<4> [242.399755] irq event stamp: 125679
<4> [242.399757] hardirqs last enabled at (125679): [<ffffffff81a9e36f>] _raw_spin_unlock_irq+0x1f/0x40
<4> [242.399763] hardirqs last disabled at (125678): [<ffffffff81a9e151>] _raw_spin_lock_irq+0x41/0x50
<4> [242.399768] softirqs last enabled at (125054): [<ffffffff81e00342>] __do_softirq+0x342/0x48e
<4> [242.399773] softirqs last disabled at (124021): [<ffffffff81c00f52>] asm_call_irq_on_stack+0x12/0x20
<4> [242.399779] CPU: 7 PID: 5820 Comm: i915_module_loa Tainted: G D 5.11.0-rc6-CI-CI_DRM_9715+ #1
<4> [242.399784] Hardware name: System manufacturer System Product Name/Z170 PRO GAMING, BIOS 0802 09/02/2015
<4> [242.399787] Call Trace:
<4> [242.399790] dump_stack+0x77/0x97
<4> [242.399794] ___might_sleep.cold.120+0xf2/0x106
<4> [242.399799] exit_signals+0x2b/0x350
<4> [242.399803] do_exit+0xc8/0xcb0
<4> [242.399807] ? ksys_write+0x5a/0xd0
<4> [242.399811] rewind_stack_do_exit+0x17/0x17
<4> [242.399814] RIP: 0033:0x7f0dffd80281
<4> [242.399817] Code: c3 0f 1f 84 00 00 00 00 00 48 8b 05 59 8d 20 00 c3 0f 1f 84 00 00 00 00 00 8b 05 8a d1 20 00 85 c0 75 16 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 41 54 55 49 89 d4 53
<4> [242.399824] RSP: 002b:00007fff5a3a9c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
<4> [242.399828] RAX: ffffffffffffffda RBX: 0000555708dc2cf0 RCX: 00007f0dffd80281
<4> [242.399831] RDX: 000000000000000c RSI: 0000555708dc2ddb RDI: 0000000000000006
<4> [242.399834] RBP: 00007fff5a3a9d20 R08: 0000555708dc2ddb R09: 000000000000000c
<4> [242.399838] R10: 00000000fffffff4 R11: 0000000000000246 R12: 00007fff5a3a9c90
<4> [242.399841] R13: 00007f0e00007b18 R14: 0000000000000006 R15: 0000555708dc2ddb
Created at 2021-02-02 17:16:13
On Tue, 02 Feb 2021 17:30:36 +0100, Chris Wilson wrote:
commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") is causing issues for our CI as we see a use-after-free on module unload (on all machines):
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_9715/fi-skl-6700k2/pstore0-1...
Could you try the patch below? The unload test was completely forgotten.
thanks,
Takashi
-- 8< --
From: Takashi Iwai tiwai@suse.de
Subject: [PATCH] ALSA: core: Fix the debugfs removal at snd_card_free()
The debugfs_remove() call should have been done at the right place before the card object gets freed.
Fixes: 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs")
Signed-off-by: Takashi Iwai tiwai@suse.de
---
 sound/core/init.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/core/init.c b/sound/core/init.c index d4e78b176793..84b573e9c1f9 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -487,6 +487,10 @@ static int snd_card_do_free(struct snd_card *card) dev_warn(card->dev, "unable to free card info\n"); /* Not fatal error */ } +#ifdef CONFIG_SND_DEBUG + debugfs_remove(card->debugfs_root); + card->debugfs_root = NULL; +#endif if (card->release_completion) complete(card->release_completion); kfree(card); @@ -537,11 +541,6 @@ int snd_card_free(struct snd_card *card) /* wait, until all devices are ready for the free operation */ wait_for_completion(&released);
-#ifdef CONFIG_SND_DEBUG - debugfs_remove(card->debugfs_root); - card->debugfs_root = NULL; -#endif - return 0; } EXPORT_SYMBOL(snd_card_free);
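Review bot: the ordering in the first hunk is the whole fix and looks right: debugfs_remove(card->debugfs_root) now runs inside snd_card_do_free() before complete(card->release_completion) and kfree(card), so the dentry pointer is read while the card is still allocated. In the second hunk, the removed call sat after wait_for_completion(&released), which only returns once snd_card_do_free() has signalled completion and, a few lines later, freed the object; that is the use-after-free in the oops, where RDI/R15 = 0x6b6b6b6b6b6b6c13 is the 0x6b free-object poison pattern plus a field offset, i.e. card->debugfs_root was loaded from freed memory and simple_recursive_removal() then took a lock through it. One nit on the first hunk: debugfs_remove() tolerates a NULL dentry and nothing reads card->debugfs_root between the new call and kfree(card), so the `card->debugfs_root = NULL;` line is not needed; it is harmless and mirrors the block being deleted, so keeping it is fine.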
Quoting Takashi Iwai (2021-02-02 16:48:35)
On Tue, 02 Feb 2021 17:30:36 +0100, Chris Wilson wrote:
commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") is causing issues for our CI as we see a use-after-free on module unload (on all machines):
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_9715/fi-skl-6700k2/pstore0-1...
Could you try the patch below? The unload test was completely forgotten.
This took longer than it deserved, https://patchwork.freedesktop.org/series/86597/
The oops is fixed.
Tested-by: Chris Wilson chris@chris-wilson.co.uk
-Chris
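The teardown-ordering bug that the patch above corrects, reduced to a stand-alone user-space model so the two orderings can be stepped through. This is an added example, not ALSA or kernel code: `struct card`, `struct dentry`, `debugfs_remove()`, `kfree_poison()` and the integer completion flag are simplified stand-ins for the kernel objects named in the thread, and the 0x6b fill imitates SLUB's poisoning of freed objects, which is why the oops shows RDI/R15 as the 0x6b6b... pattern. The old order reads `card->debugfs_root` from the already-freed card; the fixed order removes the debugfs directory before the completion is signalled and the card is freed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UAF_DETECTED (-1)
#define POISON_FREE  0x6b   /* byte SLUB writes over freed objects; constructed stand-in */

/* A pointer loaded from 0x6b-filled memory has this value (truncated on 32-bit). */
static const uintptr_t POISON_PTR = (uintptr_t)0x6b6b6b6b6b6b6b6bULL;

struct dentry { int removed; };            /* stand-in for the debugfs dentry */

struct card {                              /* stand-in for struct snd_card */
    struct dentry *debugfs_root;
    int *release_completion;               /* stand-in for struct completion * */
};

static struct dentry root_dentry;          /* the card's debugfs directory */
static struct card card_storage;           /* the "kmalloc'd" card object */

/* kfree() with SLUB-style poisoning: the object is filled with 0x6b. The
 * storage stays mapped in this model so the stale read below is observable
 * rather than undefined behaviour. */
static void kfree_poison(void *obj, size_t size)
{
    memset(obj, POISON_FREE, size);
}

/* The real debugfs_remove() is NULL-safe and dereferences the dentry
 * (lockref_get in the oops). Here a poisoned pointer is reported instead. */
static int debugfs_remove(struct dentry *d)
{
    if (!d)
        return 0;
    if ((uintptr_t)d == POISON_PTR)
        return UAF_DETECTED;
    d->removed = 1;
    return 0;
}

static struct card *card_new(void)
{
    memset(&card_storage, 0, sizeof card_storage);
    root_dentry.removed = 0;
    card_storage.debugfs_root = &root_dentry;
    return &card_storage;
}

/* Before the fix: snd_card_do_free() completes the waiter and frees the
 * card; snd_card_free() then reads card->debugfs_root from freed memory. */
static void card_do_free_old(struct card *card)
{
    if (card->release_completion)
        *card->release_completion = 1;     /* complete(card->release_completion) */
    kfree_poison(card, sizeof *card);      /* kfree(card) */
}

static int snd_card_free_old(struct card *card)
{
    int released = 0;

    card->release_completion = &released;
    card_do_free_old(card);                /* last device reference dropped */
    if (!released)                         /* wait_for_completion(&released) */
        return -2;
    return debugfs_remove(card->debugfs_root);   /* card already freed here */
}

/* After the fix: the debugfs directory is removed inside the do_free path,
 * before complete() and kfree(), while the card is still valid. */
static void card_do_free_fixed(struct card *card)
{
    debugfs_remove(card->debugfs_root);
    card->debugfs_root = NULL;
    if (card->release_completion)
        *card->release_completion = 1;
    kfree_poison(card, sizeof *card);
}

static int snd_card_free_fixed(struct card *card)
{
    int released = 0;

    card->release_completion = &released;
    card_do_free_fixed(card);
    return released ? 0 : -2;
}

int run_old(void)      { return snd_card_free_old(card_new()); }
int run_fixed(void)    { return snd_card_free_fixed(card_new()); }
int root_removed(void) { return root_dentry.removed; }

int main(void)
{
    int old = run_old();
    printf("old order:   %d (%s)\n", old,
           old == UAF_DETECTED ? "debugfs_root read from freed card" : "ok");
    printf("fixed order: %d (dentry removed: %d)\n", run_fixed(), root_removed());
    return 0;
}
```

With the old order the model reports UAF_DETECTED and the dentry is never removed (the directory leaks as well as the pointer being stale); with the fixed order the removal succeeds and the free completes normally. A real kernel with SLUB debugging would instead fault on the poisoned pointer, exactly as the trace shows.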
On Tue, 02 Feb 2021 23:47:33 +0100, Chris Wilson wrote:
Quoting Takashi Iwai (2021-02-02 16:48:35)
On Tue, 02 Feb 2021 17:30:36 +0100, Chris Wilson wrote:
commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") is causing issues for our CI as we see a use-after-free on module unload (on all machines):
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_9715/fi-skl-6700k2/pstore0-1...
Could you try the patch below? The unload test was completely forgotten.
This took longer than it deserved, https://patchwork.freedesktop.org/series/86597/
The oops is fixed.
Tested-by: Chris Wilson chris@chris-wilson.co.uk
Thanks! I'm going to queue the fix before it reaches linux-next.
Takashi
On 2/3/21 6:47 AM, Chris Wilson wrote:
Quoting Takashi Iwai (2021-02-02 16:48:35)
On Tue, 02 Feb 2021 17:30:36 +0100, Chris Wilson wrote:
commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") is causing issues for our CI as we see a use-after-free on module unload (on all machines):
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_9715/fi-skl-6700k2/pstore0-1...
Could you try the patch below? The unload test was completely forgotten.
This took longer than it deserved, https://patchwork.freedesktop.org/series/86597/
The oops is fixed.
Tested-by: Chris Wilson chris@chris-wilson.co.uk
-Chris
Oh, thanks.
Hui.
participants (3)
- Chris Wilson
- Hui Wang
- Takashi Iwai