Date: Tue, 27 Sep 2022 09:34:49 +0200
Subject: Re: [PATCH] ASoC: soc-pcm: fix fe and be race when accessing substream->runtime
To: Eugeniu Rosca, Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Cc: Yanmin Zhang, Eugeniu Rosca, Jiada Wang, Zhang Yanmin, Ramesh Babu, Dean Jenkins, Ramesh Babu B, xiao jin, Cezary Rojewski
References: <1664210154-11552-1-git-send-email-erosca@de.adit-jv.com>
From: Amadeusz Sławiński
In-Reply-To: <1664210154-11552-1-git-send-email-erosca@de.adit-jv.com>

On 9/26/2022 6:35 PM, Eugeniu Rosca wrote:
> From: xiao jin > > After start of fe and be, fe might go to close without triggering > STOP, and substream->runtime is freed. However, be is still at > START state and its substream->runtime still points to the > freed runtime. > Well if it is being freed, maybe pointer should be set to NULL instead in place that happens? > Later on, FE is opened/started again, and triggers STOP. > snd_pcm_do_stop => dpcm_fe_dai_trigger > => dpcm_fe_dai_do_trigger > => dpcm_be_dai_trigger > => dpcm_do_trigger > => soc_pcm_trigger > => skl_platform_pcm_trigger > skl_platform_pcm_trigger accesses the freed old runtime data and > kernel panic. > > The patch fixes it by assigning be_substream->runtime in > dpcm_be_dai_startup when be's state is START. > > Signed-off-by: xiao jin > Signed-off-by: Zhang Yanmin > Signed-off-by: Eugeniu Rosca > --- > sound/soc/soc-pcm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c > index 4f60c0a83311..6ca1d02065ce 100644 > --- a/sound/soc/soc-pcm.c > +++ b/sound/soc/soc-pcm.c > @@ -1608,6 +1608,8 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) > if (be->dpcm[stream].users++ != 0) > continue; > > + be_substream->runtime = be->dpcm[stream].runtime; > + > if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_NEW) && > (be->dpcm[stream].state != SND_SOC_DPCM_STATE_CLOSE)) > continue; > @@ -1615,7 +1617,6 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) > dev_dbg(be->dev, "ASoC: open %s BE %s\n", > stream ? "capture" : "playback", be->dai_link->name); > > - be_substream->runtime = be->dpcm[stream].runtime; > err = __soc_pcm_open(be, be_substream); > if (err < 0) { > be->dpcm[stream].users--;
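Review bot: In the first hunk, in dpcm_be_dai_startup(), the assignment `be_substream->runtime = be->dpcm[stream].runtime;` is moved ahead of the state check, so the pointer is repaired only when the next startup runs; from the FE close that frees the runtime until that startup, a BE left in START state still holds the stale pointer the commit message describes. Consider also clearing be_substream->runtime on the path where the runtime is released, and add a short comment above the new line explaining why it has to precede the `SND_SOC_DPCM_STATE_NEW` / `SND_SOC_DPCM_STATE_CLOSE` check, since a BE that takes the `continue` now gets its runtime rewritten without being reopened and the code alone does not say why. The commit message also has no Fixes: tag naming the change that introduced the race.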