
Issue 773553


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Crash in snd_jack_set_key when running chromeos-4.4 on cyan

Project Member Reported by groeck@chromium.org, Oct 11 2017

Issue description

[   30.933374] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[   30.942166] IP: [<ffffffff818d6fef>] snd_jack_set_key+0x37/0x8e
[   30.948802] PGD 0
[   30.951052] Oops: 0000 [#1] PREEMPT SMP KASAN
[   30.959573] gsmi: Log Shutdown Reason 0x03
[   30.964154] Modules linked in: snd_hda_codec_hdmi uvcvideo btusb videobuf2_vmalloc btrtl btbcm videobuf2_memops btintel snd_soc_sst_cht_bsw_max98090_ti(+) videobuf2_v4l2 videobuf2_core snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_intel_sst_acpi snd_intel_sst_core snd_soc_max98090 snd_soc_sst_mfld_platform snd_soc_sst_match xt_nat bridge stp llc bluetooth zram ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat xt_mark fuse iio_trig_sysfs snd_seq_midi cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf industrialio snd_seq_midi_event snd_rawmidi snd_seq ip6table_filter snd_seq_device iwlmvm iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev
[   31.033046] CPU: 1 PID: 2061 Comm: udevd Tainted: G    B           4.4.86 #2
[   31.040930] Hardware name: GOOGLE Cyan, BIOS Google_Cyan.7287.50.0 09/06/2015
[   31.048911] task: ffff8801511bb500 ti: ffff88005e488000 task.ti: ffff88005e488000
[   31.057278] RIP: 0010:[<ffffffff818d6fef>]  [<ffffffff818d6fef>] snd_jack_set_key+0x37/0x8e
[   31.066638] RSP: 0018:ffff88005e48f8f8  EFLAGS: 00010246
[   31.072569] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff810e6803
[   31.080547] RDX: 1ffffffff040d906 RSI: dffffc0000000000 RDI: ffffffff8206c830
[   31.088524] RBP: ffff88005e48f918 R08: fffff5200003fc69 R09: 0000000000000000
[   31.096502] R10: ffffed0028833e00 R11: ffffc900001fe344 R12: 0000000000000000
[   31.104473] R13: 00000000000000e2 R14: 0000000000004000 R15: ffff880158c8a408
[   31.112452] FS:  00007c60c7150800(0000) GS:ffff88015b880000(0000) knlGS:0000000000000000
[   31.121498] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.127922] CR2: 0000000000000020 CR3: 000000005e486000 CR4: 00000000001006e0
[   31.135897] Stack:
[   31.138145]  ffff88007204c028 ffff88007204c060 ffff880158c50bc0 ffff880158c8a430
[   31.146448]  ffff88005e48f940 ffffffff819171b1 ffff880158c8a418 ffffffffc04620c0
[   31.154748]  ffffffffc04620c0 ffff88005e48f960 ffffffffc0460039 ffff880158c8a418
[   31.163052] Call Trace:
[   31.165800]  [<ffffffff819171b1>] ts3a227e_enable_jack_detect+0x56/0xc5
[   31.173209]  [<ffffffffc0460039>] 0xffffffffc0460039
[   31.178768]  [<ffffffff818f4974>] soc_probe_component+0x470/0x651
[   31.185360] sdhci: Timeout waiting for Buffer Read Ready interrupt during tuning procedure, falling back to fixed sampling clock
[   31.198520]  [<ffffffff81ac9416>] ? mutex_unlock+0x22/0x34
[   31.204664]  [<ffffffff818fabfa>] snd_soc_register_card+0xb5d/0x1864
[   31.211780]  [<ffffffff8190e3df>] devm_snd_soc_register_card+0x4b/0x7d
[   31.219083]  [<ffffffffc04603d4>] 0xffffffffc04603d4
[   31.224640]  [<ffffffff8166afcd>] platform_drv_probe+0x78/0xc7
[   31.231166]  [<ffffffff816689dd>] driver_probe_device+0x18d/0x3fc
[   31.237983]  [<ffffffff81668cd6>] __driver_attach+0x8a/0xb4
[   31.244218]  [<ffffffff81668c4c>] ? driver_probe_device+0x3fc/0x3fc
[   31.251229]  [<ffffffff81667446>] bus_for_each_dev+0xba/0xdf
[   31.257561]  [<ffffffff81668325>] driver_attach+0x2b/0x2e
[   31.263600]  [<ffffffff81667e3e>] bus_add_driver+0x189/0x2d1
[   31.269932]  [<ffffffff816699e6>] driver_register+0x108/0x156
[   31.276361]  [<ffffffff8166aef1>] __platform_driver_register+0x6c/0x71
[   31.283660]  [<ffffffffc0468000>] ? 0xffffffffc0468000
[   31.289404]  [<ffffffffc0468017>] init_module+0x17/0x1000 [snd_soc_sst_cht_bsw_max98090_ti]
[   31.298746]  [<ffffffff810004c5>] do_one_initcall+0x1a8/0x1bd
[   31.305174]  [<ffffffff811ebc60>] ? kasan_kmalloc+0x49/0x4e
[   31.311411]  [<ffffffff811e9289>] ? kmem_cache_alloc_trace+0x112/0x136
[   31.318714]  [<ffffffff8119755f>] do_init_module+0xe9/0x2c7
[   31.324951]  [<ffffffff811264f4>] load_module+0x2b06/0x322a
[   31.331191]  [<ffffffff8112121f>] ? copy_module_from_fd+0x111/0x163
[   31.338204]  [<ffffffff81126e01>] SYSC_finit_module+0x80/0xa5
[   31.344632]  [<ffffffff81126e01>] ? SYSC_finit_module+0x80/0xa5
[   31.351256]  [<ffffffff81126e44>] SyS_finit_module+0xe/0x10
[   31.357492]  [<ffffffff81acca8b>] entry_SYSCALL_64_fastpath+0x1c/0x8f
[   31.364693] Code: 41 56 41 55 41 54 53 48 89 fb 48 8d 7f 20 41 89 c4 41 89 f6 0f bd c6 41 89 d5 ba 00 40 00 00 44 0f bd e2 41 29 c4 e8 5b 49 91 ff <83> 7b 20 00 74 11 be 42 01 00 00 48 c7 c7 8a de e5 81 e8 11 2b
[   31.386347] RIP  [<ffffffff818d6fef>] snd_jack_set_key+0x37/0x8e
[   31.393076]  RSP <ffff88005e48f8f8>
[   31.396972] CR2: 0000000000000020
[   31.407237] ---[ end trace 0fb94188dba54f52 ]---
[   31.455480] Kernel panic - not syncing: Fatal exception

References: Commit 453b7764f139764 ("CHROMIUM: ASoC: cht_bsw_max98090_ti: Fix NULL pointer dereference while accessing jack") in chromeos-4.12, upstream commit f22449344d9 ("ASoC: rockchip-max98090: Fix NULL pointer dereference while accessing to jack")


Comment 1 by groeck@chromium.org, Oct 11 2017

Status: Started (was: Assigned)

Comment 2 by bugdroid1@chromium.org, Oct 15 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/989cedd282bcb1c719e6dd777de8eddb4f6c7a99

commit 989cedd282bcb1c719e6dd777de8eddb4f6c7a99
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Oct 13 21:45:01 2017

CHROMIUM: ASoC: cht_bsw_max98090_ti: Fix NULL pointer dereference while accessing jack

Commit f2ed6b07645e ("ASoC: Make aux_dev more like a generic component")
caused a regression on this driver, since now a kernel oops is seen when
the driver is loaded, or more specifically when ts3a227e_enable_jack_detect()
is called.

That commit changed the probing of aux_devs before checking new DAI links,
so cht_max98090_headset_init is now called before cht_codec_init.
The kernel crashes due to a NULL pointer dereference in cht_max98090_headset_init
since there is a call that tries to access the jack pointer which has not
been allocated yet.

Also see upstream commit f22449344d9 ("ASoC: rockchip-max98090: Fix NULL
pointer dereference while accessing to jack") for reference.

BUG=chromium:773553
TEST=Run chromeos-4.4 on cyan or similar boards

Change-Id: I558e7722d3fc9cd0891debe24a23555586281094
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/711375
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/989cedd282bcb1c719e6dd777de8eddb4f6c7a99/sound/soc/intel/boards/cht_bsw_max98090_ti.c
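The commit message above describes an ordering hazard: an aux component's init callback (cht_max98090_headset_init) runs before the DAI link init (cht_codec_init) that creates the jack, and snd_jack_set_key() then dereferences a NULL jack (the read at offset 0x20 in the oops). The user-space model below is an added example, not the driver's or the kernel's code. All `model_*` names are constructed here; it assumes, as the commit message implies, that the DAI link init was the place where the jack used to be allocated. The unsafe variant reproduces the failure under the new probe order, and the hardened variant shows one order-independent approach (the caller that needs the jack makes sure it exists), which is not necessarily the change the referenced commits made.

```c
/* Added example: models the ASoC probe-order NULL dereference in user space.
 * Not the cht_bsw_max98090_ti driver's code; names are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_JACK_BTN_0 0x4000 /* stand-in for a jack button type */

struct model_jack {
    int keys_set;               /* how many key mappings were installed */
};

struct model_card {
    struct model_jack *jack;    /* NULL until some init callback creates it */
};

/* Stand-in for snd_jack_set_key(). The real kernel function dereferences
 * jack unconditionally, which is the crash in the oops; here the NULL case
 * returns -EINVAL so the failure is observable without a segfault. */
static int model_jack_set_key(struct model_jack *jack, int type)
{
    (void)type;
    if (!jack)
        return -EINVAL;
    jack->keys_set++;
    return 0;
}

/* Creates the jack if it does not exist yet; idempotent on purpose. */
static int model_jack_ensure(struct model_card *card)
{
    if (card->jack)
        return 0;
    card->jack = calloc(1, sizeof(*card->jack));
    return card->jack ? 0 : -ENOMEM;
}

/* Models cht_codec_init(): assumed here to be where the jack was created. */
static int model_codec_init(struct model_card *card)
{
    return model_jack_ensure(card);
}

/* Models the original cht_max98090_headset_init(): assumes the jack already
 * exists, so it only works if the DAI link init ran first. */
static int model_headset_init_unsafe(struct model_card *card)
{
    return model_jack_set_key(card->jack, MODEL_JACK_BTN_0);
}

/* Order-independent variant: the callback that needs the jack makes sure
 * it exists before touching it. */
static int model_headset_init_hardened(struct model_card *card)
{
    int ret = model_jack_ensure(card);
    if (ret)
        return ret;
    return model_jack_set_key(card->jack, MODEL_JACK_BTN_0);
}

/* Runs the two init callbacks in either order (aux_devs_first models the
 * behaviour after "ASoC: Make aux_dev more like a generic component").
 * Returns 0 on success or a negative errno, like a kernel probe. */
int model_probe(bool aux_devs_first, bool hardened)
{
    struct model_card card = { .jack = NULL };
    int (*headset_init)(struct model_card *) =
        hardened ? model_headset_init_hardened : model_headset_init_unsafe;
    int ret;

    if (aux_devs_first) {
        ret = headset_init(&card);
        if (!ret)
            ret = model_codec_init(&card);
    } else {
        ret = model_codec_init(&card);
        if (!ret)
            ret = headset_init(&card);
    }
    free(card.jack);
    return ret;
}

int main(void)
{
    printf("old order, unsafe init:   %d\n", model_probe(false, false));
    printf("aux first, unsafe init:   %d (EINVAL stands in for the oops)\n",
           model_probe(true, false));
    printf("aux first, hardened init: %d\n", model_probe(true, true));
    return 0;
}
```

Running the model shows the same callback succeeding or failing purely as a function of probe order, which is why a fix that only reorders callers is fragile and a callback that checks its own preconditions is the more robust shape.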

Comment 3 by groeck@chromium.org, Oct 15 2017

Status: Fixed (was: Started)
