Dear Linux Kernel Team, I had encountered the problem that I reported to debian kernel team: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050117 , where I was suggested to report this to upstream. After a lot of struggle, I found that this issue occurs after the following commit. The problem happens if a YAMAHA YMF7x4 sound card is present AND the firmware is missing. Not only the shutdown/reboot problem, but the page fault, whose error log is being cited following the commit, also occurs in the boot process. <<< The commit which causes the reported problem >>> From: Tasos Sahanidis <tasos@xxxxxxxxxxxx> [ Upstream commit f33fc1576757741479452255132d6e3aaf558ffe ] snd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 ("ALSA: ymfpci: Allocate resources with device-managed APIs"), but the call to snd_card_new() was not replaced with snd_devm_card_new(). Since there was no longer a call to snd_card_free, unloading the module would eventually result in Oops: [697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480 [697561.532893] #PF: supervisor read access in kernel mode [697561.532896] #PF: error_code(0x0000) - not-present page [697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0 [697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI [697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G W OE 6.2.7 #1 [697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022 [697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0 [697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f [697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246 [697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000 [697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a [697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380 [697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480 [697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80 [697561.532942] FS: 00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000 [697561.532945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0 [697561.532949] Call Trace: [697561.532951] <TASK> [697561.532955] try_module_get+0x13/0x30 [697561.532960] snd_ctl_open+0x61/0x1c0 [snd] [697561.532976] snd_open+0xb4/0x1e0 [snd] [697561.532989] chrdev_open+0xc7/0x240 [697561.532995] ? fsnotify_perm.part.0+0x6e/0x160 [697561.533000] ? __pfx_chrdev_open+0x10/0x10 [697561.533005] do_dentry_open+0x169/0x440 [697561.533009] vfs_open+0x2d/0x40 [697561.533012] path_openat+0xa9d/0x10d0 [697561.533017] ? debug_smp_processor_id+0x17/0x20 [697561.533022] ? trigger_load_balance+0x65/0x370 [697561.533026] do_filp_open+0xb2/0x160 [697561.533032] ? _raw_spin_unlock+0x19/0x40 [697561.533036] ? alloc_fd+0xa9/0x190 [697561.533040] do_sys_openat2+0x9f/0x160 [697561.533044] __x64_sys_openat+0x55/0x90 [697561.533048] do_syscall_64+0x3b/0x90 [697561.533052] entry_SYSCALL_64_after_hwframe+0x72/0xdc [697561.533056] RIP: 0033:0x7f1308a40db4 [697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44 [697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4 [697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c [697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012 [697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000 [697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000 [697561.533078] </TASK> Fixes: c6e6bb5eab74 ("ALSA: ymfpci: Allocate resources with device-managed APIs") Signed-off-by: Tasos Sahanidis <tasos@xxxxxxxxxxxx> Link: https://lore.kernel.org/r/20230329032422.170024-1-tasos@xxxxxxxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- sound/pci/ymfpci/ymfpci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/ymfpci/ymfpci.c b/sound/pci/ymfpci/ymfpci.c index 1e198e4d57b8d..82d4e0fda91be 100644 --- a/sound/pci/ymfpci/ymfpci.c +++ b/sound/pci/ymfpci/ymfpci.c @@ -170,7 +170,7 @@ static int snd_card_ymfpci_probe(struct pci_dev *pci, return -ENOENT; } - err = snd_card_new(&pci->dev, index[dev], id[dev], THIS_MODULE, + err = snd_devm_card_new(&pci->dev, index[dev], id[dev], THIS_MODULE, sizeof(*chip), &card); if (err < 0) return err; -- 2.39.2 <<< Error Log of the page fault in the boot process >>> [ 24.101852] snd_ymfpci 0000:00:0e.0: firmware: failed to load yamaha/ds1_dsp.fw (-2) [ 24.101931] firmware_class: See https://wiki.debian.org/Firmware for information about missing firmware [ 24.102001] snd_ymfpci 0000:00:0e.0: firmware: failed to load yamaha/ds1_dsp.fw (-2) [ 24.102031] snd_ymfpci 0000:00:0e.0: Direct firmware load for yamaha/ds1_dsp.fw failed with error -2 [ 24.102049] snd_ymfpci 0000:00:0e.0: firmware request failed: -2 [ 24.102077] snd_ymfpci: probe of 0000:00:0e.0 failed with error -2 [ 24.102435] BUG: unable to handle page fault for address: f0da8084 [ 24.102465] #PF: supervisor write access in kernel mode [ 24.102486] #PF: error_code(0x0002) - not-present page [ 24.102507] *pdpt = 0000000006bd0001 *pde = 000000000237a067 *pte = 0000000000000000 [ 24.102544] Oops: 0002 [#1] PREEMPT SMP PTI [ 24.102568] CPU: 0 PID: 247 Comm: (udev-worker) Not tainted 6.1.27 #3 [ 24.102594] Hardware name: MICRO-STAR INTERNATIONAL CO., LTD MS-6163/MS-6163 (i440BX), BIOS 4.51 PG 08/22/00 [ 24.102623] EIP: snd_ymfpci_free+0x1b/0x130 [snd_ymfpci] [ 24.102684] Code: b8 01 00 00 00 5b 5e 5f 5d c3 8d 74 26 00 90 3e 8d 74 26 00 55 89 e5 56 53 8b 98 88 01 00 00 8b 43 10 8d 90 84 00 00 00 31 c0 <89> 02 8b 73 10 89 86 b0 00 00 00 8b 4b 10 89 81 80 00 00 00 b9 ff [ 24.102730] EAX: 00000000 EBX: c4d0a610 ECX: 0005f320 EDX: f0da8084 [ 24.102754] ESI: c4d0a018 EDI: cfcd780c EBP: c792fc44 ESP: c792fc3c [ 24.102778] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00210246 [ 24.102803] CR0: 80050033 CR2: f0da8084 CR3: 06bc8000 CR4: 000006f0 [ 24.102828] Call Trace: [ 24.102853] release_card_device+0x47/0x90 [snd] [ 24.102911] device_release+0x30/0x90 [ 24.102953] kobject_put+0x99/0x1d0 [ 24.102987] put_device+0x11/0x20 [ 24.103009] __snd_card_release+0x71/0x80 [snd] [ 24.103043] release_nodes+0x43/0xb0 [ 24.103068] devres_release_all+0x79/0xb0 [ 24.103094] device_unbind_cleanup+0x10/0x60 [ 24.103125] really_probe+0x1f6/0x340 [ 24.103150] __driver_probe_device+0x75/0x100 [ 24.103175] driver_probe_device+0x1f/0x90 [ 24.103199] __driver_attach+0xcf/0x1b0 [ 24.103223] ? __device_attach_driver+0x100/0x100 [ 24.103248] bus_for_each_dev+0x5b/0xa0 [ 24.103272] driver_attach+0x19/0x20 [ 24.103293] ? __device_attach_driver+0x100/0x100 [ 24.103317] bus_add_driver+0x17f/0x1e0 [ 24.103340] driver_register+0x79/0xd0 [ 24.103364] ? 0xf0d3a000 [ 24.103383] __pci_register_driver+0x42/0x50 [ 24.103421] ymfpci_driver_init+0x1c/0x1000 [snd_ymfpci] [ 24.103458] do_one_initcall+0x41/0x1e0 [ 24.103482] ? kvfree+0x25/0x30 [ 24.103518] ? __kmem_cache_alloc_node+0x24d/0x350 [ 24.103546] ? kmalloc_trace+0x22/0x90 [ 24.103581] ? do_init_module+0x21/0x1e0 [ 24.103606] do_init_module+0x43/0x1e0 [ 24.103628] load_module+0x1a97/0x1ca0 [ 24.103661] __ia32_sys_finit_module+0xa7/0x110 [ 24.103692] __do_fast_syscall_32+0x68/0xb0 [ 24.103720] ? __do_fast_syscall_32+0x72/0xb0 [ 24.103742] ? __do_fast_syscall_32+0x72/0xb0 [ 24.103764] ? __do_fast_syscall_32+0x72/0xb0 [ 24.103787] ? irqentry_exit_to_user_mode+0x8/0x20 [ 24.103817] do_fast_syscall_32+0x29/0x60 [ 24.103839] do_SYSENTER_32+0x15/0x20 [ 24.103861] entry_SYSENTER_32+0x98/0xf1 [ 24.103892] EIP: 0xb7f89549 [ 24.103911] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 [ 24.103956] EAX: ffffffda EBX: 0000001a ECX: b7f6be09 EDX: 00000000 [ 24.103983] ESI: 00f31910 EDI: 00f341f0 EBP: 00000000 ESP: bff1561c [ 24.104007] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00200292 [ 24.104036] Modules linked in: snd_ymfpci(+) snd_ac97_codec ac97_bus saa7134 snd_mpu401_uart snd_opl3_lib snd_hwdep tveeprom videobuf2_dma_sg gameport ppdev snd_rawmidi videobuf2_memops videobuf2_v4l2 snd_seq_device videobuf2_common snd_pcm snd_timer videodev snd pcspkr soundcore mc parport_pc parport evdev serio_raw sg loop fuse dm_mod efi_pstore dax configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sil164 nouveau hid_generic mxm_wmi sd_mod video usbhid t10_pi wmi hid i2c_algo_bit drm_display_helper crc64_rocksoft crc64 cec crc_t10dif rc_core sr_mod crct10dif_generic crct10dif_common drm_ttm_helper cdrom ttm ata_generic drm_kms_helper ata_piix ohci_pci uhci_hcd ohci_hcd ehci_pci libata ehci_hcd drm usbcore scsi_mod psmouse e1000 i2c_piix4 scsi_common usb_common floppy button fan [ 24.105590] CR2: 00000000f0da8084 [ 24.105590] ---[ end trace 0000000000000000 ]--- [ 24.105590] EIP: snd_ymfpci_free+0x1b/0x130 [snd_ymfpci] [ 24.105590] Code: b8 01 00 00 00 5b 5e 5f 5d c3 8d 74 26 00 90 3e 8d 74 26 00 55 89 e5 56 53 8b 98 88 01 00 00 8b 43 10 8d 90 84 00 00 00 31 c0 <89> 02 8b 73 10 89 86 b0 00 00 00 8b 4b 10 89 81 80 00 00 00 b9 ff [ 24.105590] EAX: 00000000 EBX: c4d0a610 ECX: 0005f320 EDX: f0da8084 [ 24.105590] ESI: c4d0a018 EDI: cfcd780c EBP: c792fc44 ESP: c792fc3c [ 24.105590] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00210246 [ 24.105590] CR0: 80050033 CR2: f0da8084 CR3: 06bc8000 CR4: 000006f0 [ 24.105590] note: (udev-worker)[247] exited with irqs disabled I looked into this problem and found the mechanism of the page fault. 1) chip->reg_area_virt is mapped in sound/pci/ymfpci/ymfpci_main.c: snd_ymfpci_create() in the initialize process of snd_ymfpci. 2) The initializing fails due to a lack of the firmware. 3) The allocated resources are released in drivers/base/devres.c: release_nodes(). 4) In the release process 3), reg_area_virt is unmapped before calling sound/pci/ymfpci/ymfpci_main.c: snd_ymfpci_free(). 5) The first register access in sound/pci/ymfpci/ymfpci_main.c: snd_ymfpci_free() causes page fault because the reg_area_virt is already unmapped. Unfortunately, I am not familiar with the linux kernel code, so I am not sure of the appropriate way how the problem should be fixed. Any idea? Thanks in advance. -- Takashi Yano <takashi.yano@xxxxxxxxxxx>
