Re: BUG: double free of PCM structure upon module removal

Takashi Iwai <tiwai@xxxxxxx> writes:

> On Tue, 23 May 2017 19:14:05 +0200,
> Mark Brown wrote:
>> 
>> On Tue, May 23, 2017 at 06:46:58PM +0200, Robert Jarzmik wrote:
>> 
>> > Did you notice the same behavior on other platforms, and if not would you have a
>> > hint why it happens to me?
>> 
>> This is the only report I've seen, sorry.  It's not ringing any bells
>> immediately either - I'll have a think.
>
> What's the problem?  soc_free_pcm_runtime() just calls kfree() of rtd,
> but it's not called in snd_pcm_free(), isn't it?
You're right, it's not called, but it's dereferenced.
The way I see it, what happens is:
 - soc_free_pcm_runtime() calls kfree(rtd)
   - ... guess ...
   - some other call does a kmalloc() which gets the same bucket as rtd
   - this other call puts data in the previous rtd
     => in my backtrace, this data is 35343848, which looks like the string
     "548H"
 - snd_pcm_free() calls soc_pcm_free()
 - soc_pcm_free() uses in the for_each loop rtd->card->component_dev_list, and
   triggers the BUG.

> In anyway the calls there look in a wrong order.  Basically we should
> start with snd_card_free() to sync with the whole operation finishes,
> then release everything.  Below is an untested patch to do that.
With your patch, the bug is gone in my first 3 tries.

Cheers.

--
Robert
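The teardown ordering described in this thread, as an added example that is not part of the original messages or of the ALSA code: a small C model in which a `freed` flag stands in for kfree(), so the access through the dangling rtd pointer is reported as an error instead of being undefined behaviour. All structure and function names here (mock_free_pcm_runtime, mock_soc_pcm_free, mock_card_free, run_teardown) are hypothetical stand-ins for the kernel functions named in the thread.

```c
/* Added example, not kernel code: models the ordering bug with a freed flag
 * instead of a real kfree(), so a use-after-free is detected deterministically. */
#include <stdbool.h>

struct component_dev_list { int n_components; };
struct card { struct component_dev_list component_dev_list; };
struct rtd { struct card *card; bool freed; };  /* freed: stands in for kfree(rtd) */
struct pcm { struct rtd *private_data; };       /* pcm->private_data points at rtd */

/* Stand-in for soc_free_pcm_runtime(): marks rtd as freed instead of kfree()ing it. */
static void mock_free_pcm_runtime(struct rtd *rtd) { rtd->freed = true; }

/* Stand-in for soc_pcm_free(): walks rtd->card->component_dev_list.
 * Returns -1 if rtd was already freed (the dereference the backtrace shows). */
static int mock_soc_pcm_free(struct pcm *pcm) {
    struct rtd *rtd = pcm->private_data;
    if (rtd->freed)
        return -1;
    return rtd->card->component_dev_list.n_components;
}

/* Stand-in for snd_card_free(): tearing down the card tears down its pcm,
 * which runs the pcm's private free callback (soc_pcm_free in the thread). */
static int mock_card_free(struct pcm *pcm) { return mock_soc_pcm_free(pcm); }

/* Buggy order from the report: the runtime is freed before the card teardown
 * that still dereferences it. */
int teardown_buggy_order(struct pcm *pcm, struct rtd *rtd) {
    mock_free_pcm_runtime(rtd);
    return mock_card_free(pcm);   /* -1: dereferences the freed rtd */
}

/* Fixed order from the patch: free the card first (letting its callbacks
 * finish), then release the runtime. */
int teardown_fixed_order(struct pcm *pcm, struct rtd *rtd) {
    int ret = mock_card_free(pcm);
    mock_free_pcm_runtime(rtd);
    return ret;
}

/* Builds a card/rtd/pcm triple (constructed sample data) and runs one ordering. */
int run_teardown(bool fixed) {
    struct card card = { .component_dev_list = { .n_components = 2 } };
    struct rtd rtd = { .card = &card, .freed = false };
    struct pcm pcm = { .private_data = &rtd };
    return fixed ? teardown_fixed_order(&pcm, &rtd)
                 : teardown_buggy_order(&pcm, &rtd);
}
```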
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel