On 9/26/22 18:35, Eugeniu Rosca wrote: > From: xiao jin <jin.xiao@xxxxxxxxx> > > After start of fe and be, fe might go to close without triggering > STOP, and substream->runtime is freed. However, be is still at > START state and its substream->runtime still points to the > freed runtime. > > Later on, FE is opened/started again, and triggers STOP. > snd_pcm_do_stop => dpcm_fe_dai_trigger > => dpcm_fe_dai_do_trigger > => dpcm_be_dai_trigger > => dpcm_do_trigger > => soc_pcm_trigger > => skl_platform_pcm_trigger > skl_platform_pcm_trigger accesses the freed old runtime data and > kernel panic. > > The patch fixes it by assigning be_substream->runtime in > dpcm_be_dai_startup when be's state is START. Can I ask on which kernel this patch was validated and on what platform? We've done a lot of work since last year on DPCM states, and I wonder the problem mentioned above actually exists on recent kernels. Specifically, if the FE is closed, I don't get how the BE is not closed as well. And if this problem is found on a recent kernel, then it should be seen in the AVS driver as well, no? > Signed-off-by: xiao jin <jin.xiao@xxxxxxxxx> > Signed-off-by: Zhang Yanmin <yanmin.zhang@xxxxxxxxx> > Signed-off-by: Eugeniu Rosca <erosca@xxxxxxxxxxxxxx> > --- > sound/soc/soc-pcm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c > index 4f60c0a83311..6ca1d02065ce 100644 > --- a/sound/soc/soc-pcm.c > +++ b/sound/soc/soc-pcm.c > @@ -1608,6 +1608,8 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) > if (be->dpcm[stream].users++ != 0) > continue; > > + be_substream->runtime = be->dpcm[stream].runtime; > + > if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_NEW) && > (be->dpcm[stream].state != SND_SOC_DPCM_STATE_CLOSE)) > continue; > @@ -1615,7 +1617,6 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream) > dev_dbg(be->dev, "ASoC: open %s BE %s\n", > stream ? "capture" : "playback", be->dai_link->name); > > - be_substream->runtime = be->dpcm[stream].runtime; > err = __soc_pcm_open(be, be_substream); > if (err < 0) { > be->dpcm[stream].users--;