On 9/26/2022 6:35 PM, Eugeniu Rosca wrote:
From: xiao jin <jin.xiao@xxxxxxxxx>
After start of fe and be, fe might go to close without triggering
STOP, and substream->runtime is freed. However, be is still at
START state and its substream->runtime still points to the
freed runtime.
Well if it is being freed, maybe pointer should be set to NULL instead
in place that happens?
Later on, FE is opened/started again, and triggers STOP.
snd_pcm_do_stop => dpcm_fe_dai_trigger
=> dpcm_fe_dai_do_trigger
=> dpcm_be_dai_trigger
=> dpcm_do_trigger
=> soc_pcm_trigger
=> skl_platform_pcm_trigger
skl_platform_pcm_trigger accesses the freed old runtime data and
kernel panic.
The patch fixes it by assigning be_substream->runtime in
dpcm_be_dai_startup when be's state is START.
Signed-off-by: xiao jin <jin.xiao@xxxxxxxxx>
Signed-off-by: Zhang Yanmin <yanmin.zhang@xxxxxxxxx>
Signed-off-by: Eugeniu Rosca <erosca@xxxxxxxxxxxxxx>
---
sound/soc/soc-pcm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 4f60c0a83311..6ca1d02065ce 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1608,6 +1608,8 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream)
if (be->dpcm[stream].users++ != 0)
continue;
+ be_substream->runtime = be->dpcm[stream].runtime;
+
if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_NEW) &&
(be->dpcm[stream].state != SND_SOC_DPCM_STATE_CLOSE))
continue;
@@ -1615,7 +1617,6 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream)
dev_dbg(be->dev, "ASoC: open %s BE %s\n",
stream ? "capture" : "playback", be->dai_link->name);
- be_substream->runtime = be->dpcm[stream].runtime;
err = __soc_pcm_open(be, be_substream);
if (err < 0) {
be->dpcm[stream].users--;
