mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 08:58:07 +00:00
e81478bbe7
Fix a corner case between PCI device driver remove callback and
runtime PM idle callback.
Following sequence of events can happen:
- at azx_create, context is allocated with devm_kzalloc() and
stored as pci_set_drvdata()
- user-space requests to unbind audio driver
- dd.c:__device_release_driver() calls PCI remove
- pci-driver.c:pci_device_remove() calls the audio
driver azx_remove() callback and this is completed
- pci-driver.c:pm_runtime_put_sync() leads to a call
to rpm_idle() which again calls azx_runtime_idle()
- the azx context object, as returned by dev_get_drvdata(),
is no longer valid
-> access fault in azx_runtime_idle when executing
struct snd_card *card = dev_get_drvdata(dev);
chip = card->private_data;
if (chip->disabled || hda->init_failed)
This was discovered by i915_module_load test with 5.15.0 based
linux-next tree.
Example log caught by i915_module_load test with linux-next
https://intel-gfx-ci.01.org/tree/linux-next/
<4> [264.038232] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b73f0: 0000 [#1] PREEMPT SMP NOPTI
<4> [264.038248] CPU: 0 PID: 5374 Comm: i915_module_loa Not tainted 5.15.0-next-20211109-gc8109c2ba35e-next-20211109 #1
[...]
<4> [264.038267] RIP: 0010:azx_runtime_idle+0x12/0x60 [snd_hda_intel]
[...]
<4> [264.038355] Call Trace:
<4> [264.038359] <TASK>
<4> [264.038362] __rpm_callback+0x3d/0x110
<4> [264.038371] rpm_idle+0x27f/0x380
<4> [264.038376] __pm_runtime_idle+0x3b/0x100
<4> [264.038382] pci_device_remove+0x6d/0xa0
<4> [264.038388] device_release_driver_internal+0xef/0x1e0
<4> [264.038395] unbind_store+0xeb/0x120
<4> [264.038400] kernfs_fop_write_iter+0x11a/0x1c0
Fix the issue by setting drvdata to NULL at end of azx_remove().
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://lore.kernel.org/r/20211110210307.1172004-1-kai.vehmanen@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||
|---|---|---|
| .. | ||
| ac97 | ||
| ali5451 | ||
| asihpi | ||
| au88x0 | ||
| aw2 | ||
| ca0106 | ||
| cs46xx | ||
| cs5535audio | ||
| ctxfi | ||
| echoaudio | ||
| emu10k1 | ||
| hda | ||
| ice1712 | ||
| korg1212 | ||
| lola | ||
| lx6464es | ||
| mixart | ||
| nm256 | ||
| oxygen | ||
| pcxhr | ||
| riptide | ||
| rme9652 | ||
| trident | ||
| vx222 | ||
| ymfpci | ||
| ad1889.c | ||
| ad1889.h | ||
| ak4531_codec.c | ||
| als300.c | ||
| als4000.c | ||
| atiixp.c | ||
| atiixp_modem.c | ||
| azt3328.c | ||
| azt3328.h | ||
| bt87x.c | ||
| cmipci.c | ||
| cs4281.c | ||
| cs5530.c | ||
| ens1370.c | ||
| ens1371.c | ||
| es1938.c | ||
| es1968.c | ||
| fm801.c | ||
| intel8x0.c | ||
| intel8x0m.c | ||
| Kconfig | ||
| maestro3.c | ||
| Makefile | ||
| rme32.c | ||
| rme96.c | ||
| sis7019.c | ||
| sis7019.h | ||
| sonicvibes.c | ||
| via82xx.c | ||
| via82xx_modem.c | ||