Bug 201621

Summary: NULL pointer dereference in snd_hda_codec_generic at cap_put_caller
Product: Drivers Reporter: Konrad Rzepecki (hannibal)
Component: Sound(ALSA)Assignee: Jaroslav Kysela (perex)
Status: RESOLVED CODE_FIX    
Severity: normal CC: tiwai
Priority: P1    
Hardware: x86-64   
OS: Linux   
Kernel Version: 4.19.0, 4.19.1 Subsystem:
Regression: No Bisected commit-id:
Attachments: alsa-info output
Fix patch

Description Konrad Rzepecki 2018-11-05 10:20:07 UTC 
Latest 4.19.X (vanilla) kernel from Slackware-current cause following oops when running alsactl. Previous 4.14.X works fine with same system. Below is stack trace form 4.19.1, 4.19.0 looks almost the same.

Nov  5 07:44:29 chinol kernel: [   55.837081] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000                                                          
Nov  5 07:44:29 chinol kernel: [   55.839085] Oops: 0010 [#1] SMP PTI                                                                                                            
Nov  5 07:44:29 chinol kernel: [   55.840001] CPU: 3 PID: 1385 Comm: alsactl Not tainted 4.19.1 #1                                                                               
Nov  5 07:44:29 chinol kernel: [   55.840944] Hardware name: LENOVO 25376Q0/25376Q0, BIOS 6IET85WW (1.45 ) 02/14/2013                                                            
Nov  5 07:44:29 chinol kernel: [   55.841895] RIP: 0010:          (null)                                                                                                         
Nov  5 07:44:29 chinol kernel: [   55.842857] Code: Bad RIP value.                                                                                                               
Nov  5 07:44:29 chinol kernel: [   55.843811] RSP: 0018:ffffa32541f17d48 EFLAGS: 00010202                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.844772] RAX: 0000000000000000 RBX: ffff8a5decf76d80 RCX: 0000000000000000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.845751] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001                                                                  
Nov  5 07:44:29 chinol kernel: [   55.846746] RBP: 0000000000000009 R08: ffffffffffffffff R09: 0000000000000000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.847782] R10: 0000000000000b00 R11: 0000000000000000 R12: ffff8a5decf7e000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.848834] R13: 0000000000000000 R14: ffff8a5dec605000 R15: 0000000000000003                                                                  
Nov  5 07:44:29 chinol kernel: [   55.849898] FS:  00007f776a532740(0000) GS:ffff8a5df3b80000(0000) knlGS:0000000000000000                                                       
Nov  5 07:44:29 chinol kernel: [   55.850982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033                                                                                  
Nov  5 07:44:29 chinol kernel: [   55.852066] CR2: ffffffffffffffd6 CR3: 000000022151c006 CR4: 00000000000206e0                                                                  
Nov  5 07:44:29 chinol kernel: [   55.853177] Call Trace:                                                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.854309]  ? cap_put_caller+0x11f/0x160 [snd_hda_codec_generic]                                                                              
Nov  5 07:44:29 chinol kernel: [   55.855457]  ? snd_ctl_elem_write+0xe2/0x190 [snd]                                                                                             
Nov  5 07:44:29 chinol kernel: [   55.856578]  ? __kmalloc_track_caller+0x12f/0x210                                                                                              
Nov  5 07:44:29 chinol kernel: [   55.857711]  ? snd_ctl_ioctl+0x12b/0x6d0 [snd]                                                                                                 
Nov  5 07:44:29 chinol kernel: [   55.858823]  ? __check_object_size+0xa9/0x17c                                                                                                  
Nov  5 07:44:29 chinol kernel: [   55.859935]  ? _copy_from_user+0x37/0x60                                                                                                       
Nov  5 07:44:29 chinol kernel: [   55.861060]  ? snd_ctl_ioctl+0x169/0x6d0 [snd]                                                                                                 
Nov  5 07:44:29 chinol kernel: [   55.862186]  ? snd_card_file_remove+0x8a/0x150 [snd]                                                                                           
Nov  5 07:44:29 chinol kernel: [   55.863308]  ? do_vfs_ioctl+0xa4/0x620                                                                                                         
Nov  5 07:44:29 chinol kernel: [   55.864433]  ? set_close_on_exec+0x2a/0x60                                                                                                     
Nov  5 07:44:29 chinol kernel: [   55.865555]  ? do_fcntl+0x524/0x610                                                                                                            
Nov  5 07:44:29 chinol kernel: [   55.866651]  ? ksys_ioctl+0x60/0x90                                                                                                            
Nov  5 07:44:29 chinol kernel: [   55.867728]  ? __x64_sys_fcntl+0x8b/0xb0                                                                                                       
Nov  5 07:44:29 chinol kernel: [   55.868816]  ? __x64_sys_ioctl+0x16/0x20                                                                                                       
Nov  5 07:44:29 chinol kernel: [   55.869931]  ? do_syscall_64+0x55/0x100                                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.871041]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.872134] Modules linked in: rpcsec_gss_krb5 ipv6 8021q garp mrp stp llc fuse algif_skcipher af_alg joydev snd_hda_codec_hdmi hid_generic snd
_hda_codec_conexant uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 usbhid videodev hid videobuf2_common i915 kvmgt vfio_mdev mdev coretemp snd_
hda_intel intel_powerclamp vfio_iommu_type1 snd_hda_codec iwldvm vfio kvm_intel snd_hda_core cec rc_core mmc_block kvm snd_hwdep drm_kms_helper irqbypass i2c_dev crct10dif_pclmu
l wmi_bmof mxm_wmi crc32_pclmul gpio_ich mac80211 crc32c_intel thinkpad_acpi drm ghash_clmulni_intel evdev tpm_tis snd_pcm firewire_ohci intel_cstate psmouse i2c_algo_bit sdhci_
pci nvram iwlwifi fb_sys_fops tpm_tis_core serio_raw i2c_i801 syscopyarea intel_ips snd_timer sysfillrect cqhci firewire_core thermal                                            
Nov  5 07:44:29 chinol kernel: [   55.878294]  hwmon intel_agp tpm battery mei_me sysimgblt cfg80211 snd intel_gtt sdhci ehci_pci soundcore ac e1000e i2c_core rfkill mmc_core ag
pgart mei wmi video ehci_hcd lpc_ich button pcc_cpufreq acpi_cpufreq loop                                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.881014] CR2: 0000000000000000                                                                                                              
Nov  5 07:44:29 chinol kernel: [   55.882437] ---[ end trace 67c28e26fd859c3c ]---
Nov  5 07:44:29 chinol kernel: [   55.883971] RIP: 0010:          (null)                                                                                                         
Nov  5 07:44:29 chinol kernel: [   55.885367] Code: Bad RIP value.                                                                                                               
Nov  5 07:44:29 chinol kernel: [   55.886741] RSP: 0018:ffffa32541f17d48 EFLAGS: 00010202                                                                                        
Nov  5 07:44:29 chinol kernel: [   55.888374] RAX: 0000000000000000 RBX: ffff8a5decf76d80 RCX: 0000000000000000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.890051] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001                                                                  
Nov  5 07:44:29 chinol kernel: [   55.891685] RBP: 0000000000000009 R08: ffffffffffffffff R09: 0000000000000000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.893323] R10: 0000000000000b00 R11: 0000000000000000 R12: ffff8a5decf7e000                                                                  
Nov  5 07:44:29 chinol kernel: [   55.894965] R13: 0000000000000000 R14: ffff8a5dec605000 R15: 0000000000000003                                                                  
Nov  5 07:44:29 chinol kernel: [   55.896668] FS:  00007f776a532740(0000) GS:ffff8a5df3b80000(0000) knlGS:0000000000000000                                                       
Nov  5 07:44:29 chinol kernel: [   55.898329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033                                                                                  
Nov  5 07:44:29 chinol kernel: [   55.900084] CR2: ffffffffffffffd6 CR3: 000000022151c006 CR4: 00000000000206e0
Comment 1 Takashi Iwai 2018-11-05 10:26:24 UTC 
Hrm, not sure what broke, as there hasn't been so big changes in the generic parser.

In anyway, please boot with the working kernel, and get alsa-info.sh output.
Run the script with --no-upload option, and attach to Bugzilla.
Comment 2 Konrad Rzepecki 2018-11-05 10:36:41 UTC 
Created attachment 279321 [details]
alsa-info output
Comment 3 Takashi Iwai 2018-11-05 11:33:21 UTC 
Thanks.  I guess the patch below should fix the issue.
Could you give it a try?
Comment 4 Takashi Iwai 2018-11-05 11:33:49 UTC 
Created attachment 279325 [details]
Fix patch
Comment 5 Konrad Rzepecki 2018-11-05 11:40:35 UTC 
Thanks, I will test it as soon as I can.
Comment 6 Konrad Rzepecki 2018-11-06 11:27:31 UTC 
Patch fix issue, alsactl no longer causes oops.
Thanks again.
Comment 7 Takashi Iwai 2018-11-06 12:36:19 UTC 
OK, I'll submit the fix and merge later.  It'll be likely pushed for 4.20-rc1, then backported to 4.19.y stable tree later.