Bug 214947

Summary: kernel NULL pointer dereference in snd_pcm_mmap_data for RME HDSP audio interfaces
Product: Drivers Reporter: Till Schäfer (till2.schaefer)
Component: Sound(ALSA)Assignee: Jaroslav Kysela (perex)
Status: RESOLVED CODE_FIX    
Severity: normal CC: tiwai
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.14.* Subsystem:
Regression: No Bisected commit-id:
Attachments: alsa-info.txt
Fix patch

Description Till Schäfer 2021-11-04 23:08:16 UTC 
Created attachment 299455 [details]
alsa-info.txt

After upgrading to kernel 5.14, I get the following kernel crash. This seems to be related to the RME HDSPe Multiface II audio interface. Other people are also reporting this bug for RME audio interfaces. 


Arch Bug: https://bugs.archlinux.org/task/72059
Another report: https://githubmemory.com/repo/DeaDBeeF-Player/deadbeef/issues/2674



Nov  4 23:30:47 wgw-till kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: #PF: supervisor read access in kernel mode
Nov  4 23:30:47 wgw-till kernel: #PF: error_code(0x0000) - not-present page
Nov  4 23:30:47 wgw-till kernel: PGD 0 P4D 0 
Nov  4 23:30:47 wgw-till kernel: Oops: 0000 [#1] SMP PTI
Nov  4 23:30:47 wgw-till kernel: CPU: 3 PID: 3381 Comm: pulseaudio Tainted: P           O      5.14.16-gentoo #1
Nov  4 23:30:47 wgw-till kernel: Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F8 06/17/2014
Nov  4 23:30:47 wgw-till kernel: RIP: 0010:snd_dma_buffer_mmap+0x0/0x30
Nov  4 23:30:47 wgw-till kernel: Code: 83 fa 06 77 1c 48 8b 04 c5 20 e8 30 a1 48 85 c0 74 0e 48 8b 40 08 48 85 c0 74 05 e9 4a 53 63 00 c3 0f 0b c3 66 0f 1f 44 00 00 <48> 63 07 8d 50 ff 83 fa 06 77 1b 48 8b 04 c5 20 e8 30 a1 48 85 c0
Nov  4 23:30:47 wgw-till kernel: RSP: 0018:ffff9adac1f7fd10 EFLAGS: 00010246
Nov  4 23:30:47 wgw-till kernel: RAX: ffff899576149400 RBX: ffff899542951400 RCX: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: RDX: 00000000001af000 RSI: ffff89957fead0c0 RDI: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: RBP: 00007fd1fb506000 R08: 00000000040400fb R09: 0000000000001000
Nov  4 23:30:47 wgw-till kernel: R10: 00007fd1fb507000 R11: 00007fd1fb6b2000 R12: ffff89957fead930
Nov  4 23:30:47 wgw-till kernel: R13: ffff899540958cc0 R14: ffff89957fead0c0 R15: ffff89957cb1e9c0
Nov  4 23:30:47 wgw-till kernel: FS:  00007fd1fac31740(0000) GS:ffff899a46cc0000(0000) knlGS:0000000000000000
Nov  4 23:30:47 wgw-till kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov  4 23:30:47 wgw-till kernel: CR2: 0000000000000000 CR3: 000000010a02c005 CR4: 00000000001706e0
Nov  4 23:30:47 wgw-till kernel: Call Trace:
Nov  4 23:30:47 wgw-till kernel: snd_pcm_mmap_data+0x122/0x140
Nov  4 23:30:47 wgw-till kernel: mmap_region+0x3e5/0x680
Nov  4 23:30:47 wgw-till kernel: do_mmap+0x343/0x530
Nov  4 23:30:47 wgw-till kernel: ? _copy_to_user+0x1c/0x30
Nov  4 23:30:47 wgw-till kernel: ? snd_pcm_common_ioctl+0x29d/0x1350
Nov  4 23:30:47 wgw-till kernel: vm_mmap_pgoff+0xaf/0x150
Nov  4 23:30:47 wgw-till kernel: ksys_mmap_pgoff+0x1d0/0x230
Nov  4 23:30:47 wgw-till kernel: ? snd_pcm_ioctl+0x1e/0x30
Nov  4 23:30:47 wgw-till kernel: do_syscall_64+0x64/0x90
Nov  4 23:30:47 wgw-till kernel: ? syscall_exit_to_user_mode+0x12/0x40
Nov  4 23:30:47 wgw-till kernel: ? do_syscall_64+0x71/0x90
Nov  4 23:30:47 wgw-till kernel: ? syscall_exit_to_user_mode+0x12/0x40
Nov  4 23:30:47 wgw-till kernel: ? do_syscall_64+0x71/0x90
Nov  4 23:30:47 wgw-till kernel: ? exc_page_fault+0x65/0x110
Nov  4 23:30:47 wgw-till kernel: entry_SYSCALL_64_after_hwframe+0x44/0xae
Nov  4 23:30:47 wgw-till kernel: RIP: 0033:0x7fd1fb37cd92
Nov  4 23:30:47 wgw-till kernel: Code: e4 e8 b2 44 01 00 66 90 41 f7 c1 ff 0f 00 00 75 27 55 48 89 fd 53 89 cb 48 85 ff 74 3b 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 5b 5d c3 0f 1f 00 48 8b 05 a9 10 0c 00 64
Nov  4 23:30:47 wgw-till kernel: RSP: 002b:00007ffff15e95d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
Nov  4 23:30:47 wgw-till kernel: RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fd1fb37cd92
Nov  4 23:30:47 wgw-till kernel: RDX: 0000000000000003 RSI: 0000000000001000 RDI: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: R10: 0000000000000001 R11: 0000000000000246 R12: 0000559ae0582010
Nov  4 23:30:47 wgw-till kernel: R13: 0000000000000001 R14: 0000000000000000 R15: 00007fd1f9e351a0
Nov  4 23:30:47 wgw-till kernel: Modules linked in: nvidia_drm(PO) nvidia_modeset(PO) nvidia(PO) intel_rapl_msr intel_rapl_common iosf_mbi x86_pkg_temp_thermal snd_hdsp
Nov  4 23:30:47 wgw-till kernel: CR2: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: ---[ end trace 70cfc0f62f7178eb ]---
Nov  4 23:30:47 wgw-till kernel: RIP: 0010:snd_dma_buffer_mmap+0x0/0x30
Nov  4 23:30:47 wgw-till kernel: Code: 83 fa 06 77 1c 48 8b 04 c5 20 e8 30 a1 48 85 c0 74 0e 48 8b 40 08 48 85 c0 74 05 e9 4a 53 63 00 c3 0f 0b c3 66 0f 1f 44 00 00 <48> 63 07 8d 50 ff 83 fa 06 77 1b 48 8b 04 c5 20 e8 30 a1 48 85 c0
Nov  4 23:30:47 wgw-till kernel: RSP: 0018:ffff9adac1f7fd10 EFLAGS: 00010246
Nov  4 23:30:47 wgw-till kernel: RAX: ffff899576149400 RBX: ffff899542951400 RCX: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: RDX: 00000000001af000 RSI: ffff89957fead0c0 RDI: 0000000000000000
Nov  4 23:30:47 wgw-till kernel: RBP: 00007fd1fb506000 R08: 00000000040400fb R09: 0000000000001000
Nov  4 23:30:47 wgw-till kernel: R10: 00007fd1fb507000 R11: 00007fd1fb6b2000 R12: ffff89957fead930
Nov  4 23:30:47 wgw-till kernel: R13: ffff899540958cc0 R14: ffff89957fead0c0 R15: ffff89957cb1e9c0
Nov  4 23:30:47 wgw-till kernel: FS:  00007fd1fac31740(0000) GS:ffff899a46cc0000(0000) knlGS:0000000000000000
Nov  4 23:30:47 wgw-till kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov  4 23:30:47 wgw-till kernel: CR2: 0000000000000000 CR3: 000000010a02c005 CR4: 00000000001706e0

Reproducible: Always

# emerge --info
Portage 3.0.28 (python 3.9.7-final-0, default/linux/amd64/17.1/desktop/plasma, gcc-11.2.0, glibc-2.33-r7, 5.13.19-gentoo x86_64)
=================================================================
System uname: Linux-5.13.19-gentoo-x86_64-Intel-R-_Core-TM-_i7-4790K_CPU_@_4.00GHz-with-glibc2.33
KiB Mem:    24533876 total,  19947572 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Tue, 02 Nov 2021 21:51:33 +0000
Head commit of repository gentoo: a9215ace7ab2d5c1255a51fa78bf03cd10e7c678

Timestamp of repository audio-overlay: Sun, 31 Oct 2021 19:53:24 +0000
Head commit of repository audio-overlay: 1a95312d72d5fe09a7753981037848f758aa733d

Timestamp of repository kde: Tue, 02 Nov 2021 14:21:06 +0000
Head commit of repository kde: f1949c88c6fb67373cdf79e3cd7ac7a76711206d

Timestamp of repository steam-overlay: Sun, 31 Oct 2021 19:53:14 +0000
Head commit of repository steam-overlay: 89b2827ea35ef220c165a9adfb5b5187c2f3da9d

sh bash 5.1_p8
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
app-shells/bash:          5.1_p8::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.34.0-r3::gentoo
dev-lang/python:          2.7.18_p13::gentoo, 3.9.7_p1::gentoo
dev-lang/rust:            1.53.0::gentoo
dev-util/cmake:           3.20.5::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.44.7::gentoo
sys-apps/sandbox:         2.25::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:       1.13.4-r2::gentoo, 1.16.4::gentoo
sys-devel/binutils:       2.37_p1::gentoo
sys-devel/gcc:            11.2.0::gentoo
sys-devel/gcc-config:     2.4::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo.git
    priority: -1000
    sync-git-verify-commit-signature: true

audio-overlay
    location: /var/db/repos/audio-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/audio-overlay.git
    masters: gentoo

kde
    location: /var/db/repos/kde
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/kde.git
    masters: gentoo

steam-overlay
    location: /var/db/repos/steam-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/steam-overlay.git
    masters: gentoo

shared_overlay
    location: /opt/conf/common/var/db/repos/shared_overlay
    masters: gentoo
    priority: 100

local_overlay
    location: /var/db/repos/local_overlay
    masters: gentoo
    priority: 200

Installed sets: @system
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -ftree-vectorize -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.8/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/portage/package.accept_keywords/99-autounmask /etc/portage/package.unmask/99-autounmask /etc/portage/package.use/99-autounmask /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -ftree-vectorize -ggdb"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask=y --autounmask-write --autounmask-continue --jobs=2 --load-average=8 --backtrack=100 --alert"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms sign splitdebug strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
RUSTFLAGS="-C target-cpu=native -O -g"
USE="X a52 aac acl acpi activities aes alsa amd64 apng avif avx avx2 bash-completion bluetooth branding brotli bzip2 cairo cdaudio cdda cddb cdparanoia cdr chm cli crypt cups dbus declarative djvu dnssec dri dts dvd dvdr elogind emboss encode eps epub evdev exif f16c ffmpeg flac fma3 fortran gdbm gif glib gpg gpm gstreamer gtk gui gzip iconv icu id3tag idn ieee1394 imagemagick inotify ipv6 irc jpeg jpeg2k kde kipi kwallet lame lcms libglvnd libnotify libsamplerate libtirpc lvm lzma mad matroska mmx mmxext mng mp3 mp4 mpeg mplayer mpris mtp multilib musicbrainz ncurses nls nptl ntp ogg opengl openmp opus otr pam pango pclmul pcre pdf phonon plasma png policykit popcnt ppds pulseaudio qml qt5 quicktime rar raw rdrand readline real rss rtc sdl seccomp semantic-desktop spell split-usr sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification svg taglib tcpd theora threads thumbnail tiff truetype twolame udev udisks unicode upower usb v4l v4l2 vaapi vcd vdpau vim-syntax visualization vorbis vpx wavpack webp widgets wma wmf wxwidgets x264 x265 xattr xcb xinerama xml xv xvid xvidv xvmc xz zlib zstd" ABI_X86="64" ADA_TARGET="gnat_2019" ALSA_CARDS="hdsp hdspm" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Till Schäfer 2021-11-04 23:41:07 UTC 
this patch seems to be related: https://www.spinics.net/lists/alsa-devel/msg129824.html
Comment 2 Takashi Iwai 2021-11-05 08:20:54 UTC 
(In reply to Till Schäfer from comment #1)
> this patch seems to be related:
> https://www.spinics.net/lists/alsa-devel/msg129824.html

Yes, those three patches should be backported to 5.14.y.

The corresponding upstream commits are
cbea6e5a7772b7a5b80baa8f98fd77853487fd2a
0899a7a23047f106c06888769d6cd6ff43d7395f
4d9e9153f1c64d91a125c6967bc0bfb0bb653ea0

Could you verify whether they fix the bug?
Comment 3 Till Schäfer 2021-11-05 08:31:31 UTC 
I was able to fix the bug with these two patches atop 5.14.16.

  ALSA: pcm: Check mmap capability of runtime dma buffer at first
  ALSA: pci: rme: Set up buffer type properly

(the third one was not relevant for me with RME hardware)
Comment 4 Takashi Iwai 2021-11-05 08:42:45 UTC 
OK, thanks.  I'll ask Greg to cherry-pick those for 5.14.y stable tree.
Comment 5 Takashi Iwai 2021-11-07 16:57:35 UTC 
I found another bug in the rme patch 0899a7a23047f106c06888769d6cd6ff43d7395f, and it's not fully backportable to 5.14.y, either.

Could you drop those patches again and test the patch below instead?
It's the one I submitted and merged to the upstream now.
Comment 6 Takashi Iwai 2021-11-07 16:58:04 UTC 
Created attachment 299485 [details]
Fix patch
Comment 7 Till Schäfer 2021-11-07 22:22:59 UTC 
Works for me!
Comment 8 Takashi Iwai 2021-11-08 07:56:17 UTC 
Thanks for quick testing!  Then this will be the fix for 5.14.x.  It'll be included in the next PR for 5.16-rc1 in this week, then will be backported to 5.14.x.