When remove module snd-usb-audio, snd_card_free_when_closed() will not
release the card resource if the card_dev refcount > 0 and
usb_audio_disconnect() will return directly, finally kernel will release
the module resource. Then if the userspace continue to cleanup sound card
resources, such as close controlC0, the closing path will touch this
modules' code, unfortunately it just got released and the kernel will
dump below error:
[ 183.450073] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
[ 183.456345] Modules linked in: snd_usbmidi_lib snd_hwdep [last unloaded: snd_usb_audio]
[ 183.464373] CPU: 0 PID: 537 Comm: wireplumber Not tainted 6.6.23-06215-gc5317d88b3ec #708
[ 183.472552] Hardware name: NXP i.MX93 11X11 EVK board (DT)
[ 183.478039] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 183.485004] pc : 0xffff80007c19a3b0
[ 183.488507] lr : snd_pcm_dev_free+0x3c/0x70
[ 183.492708] sp : ffff800085c77af0
[ 183.496030] x29: ffff800085c77af0 x28: dead000000000122 x27: ffff0000079f8090
[ 183.503188] x26: ffff0000079f8090 x25: ffff00000e78c270 x24: ffff00000e78c000
[ 183.510336] x23: ffff00000e78c1a8 x22: ffff00000e78c000 x21: ffff00000b6a2718
[ 183.517486] x20: ffff800082608180 x19: ffff00000d2d7400 x18: 0000000000000000
[ 183.524635] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffa0000b90
[ 183.531786] x14: 0000000000000000 x13: 0000000000000000 x12: ffff700010b8ef49
[ 183.538939] x11: 1ffff00010b8ef48 x10: ffff700010b8ef48 x9 : 0000000000000000
[ 183.546086] x8 : ffff800085c77a50 x7 : ffff00006ccd77b0 x6 : 0000000000000003
[ 183.553236] x5 : 00000000000000c0 x4 : ffff00000ea57000 x3 : dfff800000000000
[ 183.560386] x2 : 0000000000000007 x1 : ffff80007c19a3b0 x0 : ffff00000d2d7400
[ 183.567539] Call trace:
[ 183.569992] 0xffff80007c19a3b0
[ 183.573134] __snd_device_free+0x94/0x16c
[ 183.577156] snd_device_free_all+0x70/0xe8
[ 183.581258] release_card_device+0x30/0xc0
[ 183.585363] device_release+0x50/0x10c
[ 183.589124] kobject_put+0xe0/0x184
[ 183.592634] put_device+0x14/0x24
[ 183.595954] snd_card_file_remove+0x158/0x22c
[ 183.600322] snd_ctl_release+0x174/0x194
[ 183.604256] snd_disconnect_release+0x128/0x178
[ 183.608798] __fput+0x160/0x3d0
[ 183.611955] __fput_sync+0x74/0x84
[ 183.615370] __arm64_sys_close+0x4c/0x8c
[ 183.619302] invoke_syscall+0x60/0x184
[ 183.623072] el0_svc_common.constprop.0+0x114/0x13c
[ 183.627960] do_el0_svc+0x30/0x40
[ 183.631288] el0_svc+0x38/0x70
[ 183.634356] el0t_64_sync_handler+0x120/0x12c
[ 183.638724] el0t_64_sync+0x190/0x194
[ 183.642403] Code: ???????? ???????? ???????? ???????? (????????)
[ 183.648497] ---[ end trace 0000000000000000 ]---
To fix the issue, use snd_card_free() to release all resources (including
all files attached to the card_dev) instead snd_card_free_when_closed().
Then, even the userspace trying to cleanup the resources, kernel will not
touch the released code memory.
Signed-off-by: Xu Yang <xu.yang_2@xxxxxxx>
---
sound/usb/card.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1b2edc0fd2e9..5e799f147eb5 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -992,7 +992,7 @@ static void usb_audio_disconnect(struct usb_interface *intf)
if (chip->num_interfaces <= 0) {
usb_chip[chip->index] = NULL;
mutex_unlock(®ister_mutex);
- snd_card_free_when_closed(card);
+ snd_card_free(card);
} else {
mutex_unlock(®ister_mutex);
}
--
2.34.1
[Index of Archives]
[Pulseaudio]
[Linux Audio Users]
[ALSA Devel]
[Fedora Desktop]
[Fedora SELinux]
[Big List of Linux Books]
[Yosemite News]
[KDE Users]
