e81478bbe7
Fix a corner case between PCI device driver remove callback and runtime PM idle callback. Following sequence of events can happen: - at azx_create, context is allocated with devm_kzalloc() and stored as pci_set_drvdata() - user-space requests to unbind audio driver - dd.c:__device_release_driver() calls PCI remove - pci-driver.c:pci_device_remove() calls the audio driver azx_remove() callback and this is completed - pci-driver.c:pm_runtime_put_sync() leads to a call to rpm_idle() which again calls azx_runtime_idle() - the azx context object, as returned by dev_get_drvdata(), is no longer valid -> access fault in azx_runtime_idle when executing struct snd_card *card = dev_get_drvdata(dev); chip = card->private_data; if (chip->disabled || hda->init_failed) This was discovered by i915_module_load test with 5.15.0 based linux-next tree. Example log caught by i915_module_load test with linux-next https://intel-gfx-ci.01.org/tree/linux-next/ <4> [264.038232] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b73f0: 0000 [#1] PREEMPT SMP NOPTI <4> [264.038248] CPU: 0 PID: 5374 Comm: i915_module_loa Not tainted 5.15.0-next-20211109-gc8109c2ba35e-next-20211109 #1 [...] <4> [264.038267] RIP: 0010:azx_runtime_idle+0x12/0x60 [snd_hda_intel] [...] <4> [264.038355] Call Trace: <4> [264.038359] <TASK> <4> [264.038362] __rpm_callback+0x3d/0x110 <4> [264.038371] rpm_idle+0x27f/0x380 <4> [264.038376] __pm_runtime_idle+0x3b/0x100 <4> [264.038382] pci_device_remove+0x6d/0xa0 <4> [264.038388] device_release_driver_internal+0xef/0x1e0 <4> [264.038395] unbind_store+0xeb/0x120 <4> [264.038400] kernfs_fop_write_iter+0x11a/0x1c0 Fix the issue by setting drvdata to NULL at end of azx_remove(). Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com> Link: https://lore.kernel.org/r/20211110210307.1172004-1-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
---|---|---|
.. | ||
ac97 | ||
ali5451 | ||
asihpi | ||
au88x0 | ||
aw2 | ||
ca0106 | ||
cs46xx | ||
cs5535audio | ||
ctxfi | ||
echoaudio | ||
emu10k1 | ||
hda | ||
ice1712 | ||
korg1212 | ||
lola | ||
lx6464es | ||
mixart | ||
nm256 | ||
oxygen | ||
pcxhr | ||
riptide | ||
rme9652 | ||
trident | ||
vx222 | ||
ymfpci | ||
ad1889.c | ||
ad1889.h | ||
ak4531_codec.c | ||
als300.c | ||
als4000.c | ||
atiixp_modem.c | ||
atiixp.c | ||
azt3328.c | ||
azt3328.h | ||
bt87x.c | ||
cmipci.c | ||
cs4281.c | ||
cs5530.c | ||
ens1370.c | ||
ens1371.c | ||
es1938.c | ||
es1968.c | ||
fm801.c | ||
intel8x0.c | ||
intel8x0m.c | ||
Kconfig | ||
maestro3.c | ||
Makefile | ||
rme32.c | ||
rme96.c | ||
sis7019.c | ||
sis7019.h | ||
sonicvibes.c | ||
via82xx_modem.c | ||
via82xx.c |