Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1762270pxj;
        Sun, 16 May 2021 03:28:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz+2cYg83G7SJjgT3Krm9cawAc7CaLFwFXSHYu5up+GO7hFjHafTBL6YUwCJoNbFlZUz3Pp
X-Received: by 2002:a17:906:b10e:: with SMTP id u14mr56173566ejy.546.1621160916324;
        Sun, 16 May 2021 03:28:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621160916; cv=none;
        d=google.com; s=arc-20160816;
        b=zVug9VbwEBFOQ7iomBStH9rE2yMIFWBq+taQdGXsftivqqz6ToYcxSrZEUFFIA31tJ
         BbfqfDGZYnH+Ti2eFXqhLj75iEF4Nn9VqCHMkYGvXEklSY2ScOWR6NKoHYOodYUAo7C3
         51U0fvjcfkkxV9s0y6L3W1i9QQI6re9u5g5jW02UR1JeLbV95OAdkXHj6YmUMM4VDrhw
         ASTUvlsOfSRd7k97C1BY1rEvSzEeBZE2EsJHymrHpNGwfj6gM9ymy1cNCr8Bb6asGJv8
         8XbeFfaCDHBPVuTajMTa2EbimHTJoPqjZe6OQ/oTs8npPJlXKSlL4UkmgFq8/HHT+Zu/
         1wiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:references:in-reply-to
         :subject:cc:to:from:message-id:date;
        bh=2MSPKrwfEbNNDzSIarz1PJ+tEcYBVis1hEYgI2/T0vs=;
        b=IH892MLofDuorEtSJs/B+JNjtujWni8bQk1yK+nVofDG704GuHD4SPigtuL/1yHUm+
         /vDZihJhFKzOgh+W3ebIb4aOZXkmQPP1ZBAba1fGPFGvGjQ0D3X8h99tujzT2opBDi6a
         pOHDOP9v+hjeVpIAPsIevYM7e3rVIW4XRKNT1j3pkfj36Mu155v7yhbnWRaQ3tHSb0QB
         /64MgXtNuNKk+eRBpoCBlmVsqAZEtRmuxJg8K+2lfCBCrbMu8AXlOHRD3uq0/8jbPnF2
         yw/KGa8pongdQBMUxhCIJDlG2bEFbOvQXQ2setxk2vIaS8aj/Q52/ZOeZfE6uLDu6oGy
         HzQg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id he16si7630314ejc.516.2021.05.16.03.28.13;
        Sun, 16 May 2021 03:28:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230075AbhEPJum (ORCPT <rfc822;longbowk@gmail.com> + 99 others);
        Sun, 16 May 2021 05:50:42 -0400
Received: from mx2.suse.de ([195.135.220.15]:40478 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229568AbhEPJul (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 16 May 2021 05:50:41 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.221.27])
        by mx2.suse.de (Postfix) with ESMTP id 2E5E4B04F;
        Sun, 16 May 2021 09:49:26 +0000 (UTC)
Date:   Sun, 16 May 2021 11:49:26 +0200
Message-ID: <s5hbl9b6mah.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Sergey Senozhatsky <senozhatsky@chromium.org>
Cc:     Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
        "Gustavo A. R. Silva" <gustavoars@kernel.org>,
        Leon Romanovsky <leon@kernel.org>, alsa-devel@alsa-project.org,
        linux-kernel@vger.kernel.org
Subject: Re: ALSA: intel8x0: div by zero in snd_intel8x0_update()
In-Reply-To: <YKDYbaprE3K2QpCe@google.com>
References: <YJ4yBmIV6RJCo42U@google.com>
        <s5hk0o18tio.wl-tiwai@suse.de>
        <YJ5cHdv6MVmAKD3b@google.com>
        <YKDYQfDf7GiMfGCN@google.com>
        <YKDYbaprE3K2QpCe@google.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 16 May 2021 10:31:41 +0200,
Sergey Senozhatsky wrote:
> 
> On (21/05/16 17:30), Sergey Senozhatsky wrote:
> > On (21/05/14 20:16), Sergey Senozhatsky wrote:
> > > > --- a/sound/pci/intel8x0.c
> > > > +++ b/sound/pci/intel8x0.c
> > > > @@ -691,6 +691,9 @@ static inline void snd_intel8x0_update(struct intel8x0 *chip, struct ichdev *ich
> > > >  	int status, civ, i, step;
> > > >  	int ack = 0;
> > > >  
> > > > +	if (!ichdev->substream || ichdev->suspended)
> > > > +		return;
> > > > +
> > > >  	spin_lock_irqsave(&chip->reg_lock, flags);
> > > >  	status = igetbyte(chip, port + ichdev->roff_sr);
> > > >  	civ = igetbyte(chip, port + ICH_REG_OFF_CIV);
> > 
> > This does the problem for me.
> 
>        ^^^ does fix

OK, thanks for confirmation.  So this looks like some spurious
interrupt with the unexpected hardware bits.

However, the suggested check doesn't seem covering enough, and it
might still hit if the suspend/resume happens before the device is
opened but not set up (and such a spurious irq is triggered).

Below is more comprehensive fix.  Let me know if this works, too.


thanks,

Takashi

-- 8< --
Subject: [PATCH] ALSA: intel8x0: Don't update period unless prepared

The interrupt handler of intel8x0 calls snd_intel8x0_update() whenever
the hardware sets the corresponding status bit for each stream.  This
works fine for most cases as long as the hardware behaves properly.
But when the hardware gives a wrong bit set, this leads to a NULL
dereference Oops, and reportedly, this seems what happened on a VM.

For fixing the crash, this patch adds a internal flag indicating that
the stream is ready to be updated, and check it (as well as the flag
being in suspended) to ignore such spurious update.

Cc: <stable@vger.kernel.org>
Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/pci/intel8x0.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c
index 35903d1a1cbd..5b124c4ad572 100644
--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -331,6 +331,7 @@ struct ichdev {
 	unsigned int ali_slot;			/* ALI DMA slot */
 	struct ac97_pcm *pcm;
 	int pcm_open_flag;
+	unsigned int prepared:1;
 	unsigned int suspended: 1;
 };
 
@@ -691,6 +692,9 @@ static inline void snd_intel8x0_update(struct intel8x0 *chip, struct ichdev *ich
 	int status, civ, i, step;
 	int ack = 0;
 
+	if (!ichdev->prepared || ichdev->suspended)
+		return;
+
 	spin_lock_irqsave(&chip->reg_lock, flags);
 	status = igetbyte(chip, port + ichdev->roff_sr);
 	civ = igetbyte(chip, port + ICH_REG_OFF_CIV);
@@ -881,6 +885,7 @@ static int snd_intel8x0_hw_params(struct snd_pcm_substream *substream,
 	if (ichdev->pcm_open_flag) {
 		snd_ac97_pcm_close(ichdev->pcm);
 		ichdev->pcm_open_flag = 0;
+		ichdev->prepared = 0;
 	}
 	err = snd_ac97_pcm_open(ichdev->pcm, params_rate(hw_params),
 				params_channels(hw_params),
@@ -902,6 +907,7 @@ static int snd_intel8x0_hw_free(struct snd_pcm_substream *substream)
 	if (ichdev->pcm_open_flag) {
 		snd_ac97_pcm_close(ichdev->pcm);
 		ichdev->pcm_open_flag = 0;
+		ichdev->prepared = 0;
 	}
 	return 0;
 }
@@ -976,6 +982,7 @@ static int snd_intel8x0_pcm_prepare(struct snd_pcm_substream *substream)
 			ichdev->pos_shift = (runtime->sample_bits > 16) ? 2 : 1;
 	}
 	snd_intel8x0_setup_periods(chip, ichdev);
+	ichdev->prepared = 1;
 	return 0;
 }
 
-- 
2.26.2