From patchwork Fri Jun 1 22:53:34 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Srinivas Kandagatla
X-Patchwork-Id: 137574
Delivered-To: patch@linaro.org
From: Srinivas Kandagatla
To: broonie@kernel.org, alsa-devel@alsa-project.org
Cc: linux-arm-msm@vger.kernel.org, lgirdwood@gmail.com, bgoswami@codeaurora.org, tiwai@suse.com, perex@perex.cz, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, rohkumar@qti.qualcomm.com, Srinivas Kandagatla
Subject: [PATCH] ASoC: dapm: delete dapm_kcontrol_data paths entry before freeing
Date: Fri, 1 Jun 2018 23:53:34 +0100
Message-Id: <20180601225334.19064-1-srinivas.kandagatla@linaro.org>
X-Mailer: git-send-email 2.16.2
Sender: linux-arm-msm-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-arm-msm@vger.kernel.org

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths list pointer dangling in the list.

This leads to a system crash when we try to unload and reload the sound card.

I hit this bug during an ADSP crash/reboot test case on the Dragon board DB410c.
Below is the kernel BUG with SLAB Poisoning:

=============================================================================
BUG kmalloc-128 (Tainted: G W ): Poison overwritten
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: 0xffff80003cf1c310-0xffff80003cf1c31f. First byte 0x10 instead of 0x6b
INFO: Allocated in dapm_kcontrol_data_alloc.isra.37+0x34/0x2a8 age=6929 cpu=0 pid=50
	__slab_alloc.isra.24+0x24/0x38
	kmem_cache_alloc+0x190/0x1d8
	dapm_kcontrol_data_alloc.isra.37+0x34/0x2a8
	dapm_create_or_share_kcontrol+0x1d4/0x290
	snd_soc_dapm_new_widgets+0x410/0x568
	snd_soc_register_card+0xa58/0xcd0
	apq8016_sbc_bind+0x31c/0x458
	try_to_bring_up_master+0x204/0x2e8
	component_add+0x94/0x178
	q6pcm_routing_probe+0x38/0x48
	platform_drv_probe+0x58/0xb8
	driver_probe_device+0x324/0x478
	__device_attach_driver+0xa8/0x160
	bus_for_each_drv+0x48/0x98
	__device_attach+0xc0/0x158
	device_initial_probe+0x10/0x18
INFO: Freed in dapm_kcontrol_free+0x40/0x50 age=3135 cpu=1 pid=1792
	kfree+0x1bc/0x1d0
	dapm_kcontrol_free+0x40/0x50
	snd_ctl_free_one+0x20/0x38
	snd_ctl_remove+0xf0/0x108
	snd_ctl_dev_free+0x3c/0x70
	__snd_device_free+0x50/0x88
	snd_device_free_all+0x2c/0x50
	release_card_device+0x1c/0x78
	device_release+0x34/0x98
	kobject_put+0x90/0x1f0
	put_device+0x14/0x20
	snd_card_free+0x54/0x70
	snd_soc_unregister_card+0x84/0x138
	snd_soc_unregister_component+0xa4/0xd0
	q6routing_dai_unbind+0x44/0x78
	component_unbind.isra.4+0x28/0x50
INFO: Slab 0xffff7e0000f3c700 objects=25 used=0 fp=0xffff80003cf1fc80 flags=0xfffc00000008100
INFO: Object 0x (ptrval) @offset=768 fp=0x (ptrval)

Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 10 c3 f1 3c 00 80 ff ff 10 c3 f1 3c 00 80 ff ff  ...<.......<....
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
Redzone (ptrval): bb bb bb bb bb bb bb bb  ........
Padding (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
CPU: 1 PID: 1792 Comm: sh Tainted: G B W 4.17.0-rc7-02229-gb429ee402d16-dirty #202
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
Call trace:
 dump_backtrace+0x0/0x1b0
 show_stack+0x14/0x20
 dump_stack+0x9c/0xbc
 print_trailer+0x124/0x1d8
 check_bytes_and_report+0xe8/0x120
 check_object+0x24c/0x288
 __free_slab+0x9c/0x2f0
 discard_slab+0x60/0x88
 __slab_free+0x35c/0x3e8
 kfree+0x1bc/0x1d0
 snd_soc_dapm_free_widget+0xac/0xd0
 snd_soc_dapm_free+0x64/0xb8
 soc_remove_component+0x50/0x80
 soc_remove_dai_links+0x110/0x208
 snd_soc_unregister_card+0x9c/0x138
 snd_soc_unregister_component+0xa4/0xd0
 q6routing_dai_unbind+0x44/0x78
 component_unbind.isra.4+0x28/0x50
 component_unbind_all+0xc0/0xe8
 apq8016_sbc_unbind+0x50/0xa0
 take_down_master+0x24/0x48
 component_del+0x90/0x130
 q6afe_dai_dev_remove+0x40/0x68
 platform_drv_remove+0x24/0x50
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 platform_device_del.part.3+0x24/0x90
 platform_device_unregister+0x18/0x30
 of_platform_device_destroy+0x94/0x98
 q6afe_remove+0x20/0x38
 apr_device_remove+0x30/0x70
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 apr_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 apr_remove+0x18/0x20
 rpmsg_dev_remove+0x38/0x68
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 qcom_smd_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 qcom_smd_unregister_edge+0x3c/0x70
 smd_subdev_remove+0x18/0x28
 rproc_stop+0x48/0xd8
 rproc_shutdown+0x60/0xe8
 state_store+0xbc/0xf8
 dev_attr_store+0x18/0x28
 sysfs_kf_write+0x3c/0x50
 kernfs_fop_write+0x118/0x1e0
 __vfs_write+0x18/0x110
 vfs_write+0xa4/0x1a8
 ksys_write+0x48/0xb0
 sys_write+0xc/0x18
 el0_svc_naked+0x30/0x34

Signed-off-by: Srinivas Kandagatla
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 1e9a36389667..36a39ba30226 100644
--- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -433,6 +433,8 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget, static void dapm_kcontrol_free(struct snd_kcontrol *kctl) { struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl); + + list_del(&data->paths); kfree(data->wlist); kfree(data); }
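
Review bot: the added list_del(&data->paths) in dapm_kcontrol_free() unlinks the list head itself rather than an entry, which is unusual enough to need a one-line comment saying that entries on this list can outlive the data and will unlink themselves later; without it the line reads like a mistake and is liable to be removed in a cleanup. The commit message should also name the later writer instead of only saying the pointer is left dangling: the dump shows the 16 overwritten bytes holding 0xffff80003cf1c310 twice, which is the start address of the overwritten range, so the freed head was rewritten to point at itself, and the poison check fires under snd_soc_dapm_free_widget() after dapm_kcontrol_free() had already run from snd_card_free(). A Fixes: tag naming the commit that introduced the paths list is missing as well.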
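
The failure the commit message describes, reproduced in user space as an added example (not code from the patch or the kernel tree). The list helpers are a minimal re-implementation; `struct kdata`, `struct path`, `fake_kfree()` and `teardown()` are hypothetical stand-ins, and the later writer is assumed to be a list entry unlinking itself after the data has been freed.

```c
#include <string.h>

/* Minimal copy of the kernel's circular list, without CONFIG_DEBUG_LIST or LIST_POISON. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h;
	h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *e) { e->next->prev = e->prev; e->prev->next = e->next; }

/* Hypothetical stand-ins for dapm_kcontrol_data (owns the head) and a path (an entry). */
struct kdata { unsigned int value; void *widget; struct list_head paths; };
struct path { struct list_head list_kcontrol; };

#define POISON_FREE 0x6b	/* byte SLUB poisoning writes over a freed object */

/* "Free" by poisoning in place: the storage stays valid, so the stale write is observable without UB. */
static void fake_kfree(struct kdata *d) { memset(d, POISON_FREE, sizeof(*d)); }

static int poison_intact(const struct kdata *d)
{
	const unsigned char *b = (const unsigned char *)d;
	for (size_t i = 0; i < sizeof(*d); i++)
		if (b[i] != POISON_FREE)
			return 0;
	return 1;
}

/* Returns 1 if the freed object is still fully poisoned after the entry is torn down. */
static int teardown(int unlink_head_first, struct kdata *d)
{
	struct path p;

	list_init(&d->paths);
	list_add(&p.list_kcontrol, &d->paths);
	if (unlink_head_first)
		list_del(&d->paths);	/* the line the patch adds */
	fake_kfree(d);			/* what dapm_kcontrol_free() does to the data */
	list_del(&p.list_kcontrol);	/* entry unlinked later; writes into its neighbours */
	return poison_intact(d);
}

int main(void)
{
	struct kdata a, b;
	return !(teardown(0, &a) == 0 && teardown(1, &b) == 1);
}
```

Without the head unlinked first, the entry's removal rewrites both pointers of the freed head to the head's own address, the same pattern as the `10 c3 f1 3c 00 80 ff ff` pair in the Object dump.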