Bug 195875 - Plugging in Tascam US-16x08 causes paging error.
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Sound(ALSA)
Hardware: x86-64 Linux
Importance: P1 normal
Assignee: Jaroslav Kysela
Reported: 2017-05-24 21:00 UTC by Bollie
Modified: 2017-06-01 15:16 UTC
Kernel Version: 4.11.2
Regression: No


Attachments
Proposed fix (1.12 KB, patch)
2017-05-26 19:18 UTC, Bollie
Revert patch (2.19 KB, patch)
2017-05-30 07:34 UTC, Takashi Iwai
Fix patch for a typo (1.12 KB, patch)
2017-05-30 21:28 UTC, Takashi Iwai
Fix VLA again (1.93 KB, patch)
2017-05-30 21:28 UTC, Takashi Iwai

Description Bollie 2017-05-24 21:00:15 UTC
It might be related to the recent addition of the us16x08.patch.

The following is being printed to the log prior to the system starting to hang:

Mai 24 22:29:02 malamute kernel: BUG: unable to handle kernel paging request at ffffffffa08b6352
Mai 24 22:29:02 malamute kernel: IP: memcpy_erms+0x6/0x10
Mai 24 22:29:02 malamute kernel: PGD 1a0c067 
Mai 24 22:29:02 malamute kernel: PUD 1a0d063 
Mai 24 22:29:02 malamute kernel: PMD 46abd8067 
Mai 24 22:29:02 malamute kernel: PTE 8000000456c7d161
Mai 24 22:29:02 malamute kernel: 
Mai 24 22:29:02 malamute kernel: Oops: 0003 [#1] PREEMPT SMP
Mai 24 22:29:02 malamute kernel: Modules linked in: snd_usb_audio snd_usbmidi_lib snd_rawmidi snd_seq_device fuse ctr ccm rfcomm bnep rtsx_usb_ms memstick btusb btrtl joydev mousedev arc4 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic msr iwlmvm mac80211 intel_rapl x86_pkg_temp_thermal intel_powerclamp iTCO_wdt msi_wmi snd_hda_intel coretemp iTCO_vendor_support sparse_keymap i915 kvm_intel iwlwifi mxm_wmi kvm snd_hda_codec irqbypass snd_hda_core snd_hwdep evdev intel_cstate snd_pcm drm_kms_helper input_leds intel_rapl_perf snd_timer psmouse cfg80211 snd mac_hid alx drm soundcore pcspkr mdio hci_uart i2c_i801 intel_gtt syscopyarea btbcm mei_me sysfillrect btqca sysimgblt fb_sys_fops btintel i2c_algo_bit mei intel_pch_thermal shpchp fan thermal bluetooth ac battery wmi acpi_als rfkill video kfifo_buf industrialio
Mai 24 22:29:02 malamute kernel:  tpm_tis intel_lpss_acpi i2c_hid tpm_tis_core tpm intel_lpss button acpi_pad sch_fq_codel vboxnetflt(O) vboxnetadp(O) pci_stub vboxpci(O) vboxdrv(O) acpi_call(O) ip_tables x_tables algif_skcipher af_alg rtsx_usb_sdmmc led_class mmc_core rtsx_usb dm_crypt dm_mod sr_mod cdrom sd_mod usbhid hid serio_raw atkbd libps2 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd ahci xhci_pci libahci xhci_hcd libata usbcore scsi_mod usb_common i8042 serio ext4 crc16 jbd2 fscrypto mbcache
Mai 24 22:29:02 malamute kernel: CPU: 0 PID: 2320 Comm: pulseaudio Tainted: G           O    4.11.2-1-ARCH #1
Mai 24 22:29:02 malamute kernel: Hardware name: Micro-Star International Co., Ltd. GE62 6QC/MS-16J5, BIOS E16J5IMS.114 04/29/2016
Mai 24 22:29:02 malamute kernel: task: ffff8804426b9d00 task.stack: ffffc90006ee4000
Mai 24 22:29:02 malamute kernel: RIP: 0010:memcpy_erms+0x6/0x10
Mai 24 22:29:02 malamute kernel: RSP: 0018:ffffc90006ee7cb8 EFLAGS: 00010286
Mai 24 22:29:02 malamute kernel: RAX: ffffffffa08b6352 RBX: 000000000000001d RCX: 0000000000000004
Mai 24 22:29:02 malamute kernel: RDX: 0000000000000004 RSI: ffff88046c1c2220 RDI: ffffffffa08b6352
Mai 24 22:29:02 malamute kernel: RBP: ffffc90006ee7d20 R08: 000000000001b3a0 R09: ffffffffa00f9bed
Mai 24 22:29:02 malamute kernel: R10: ffffea0011b07080 R11: 0000000000000073 R12: 0000000000000040
Mai 24 22:29:02 malamute kernel: R13: ffff88041f104800 R14: 0000000080000500 R15: 0000000000000000
Mai 24 22:29:02 malamute kernel: FS:  00007ff39a073c80(0000) GS:ffff880481c00000(0000) knlGS:0000000000000000
Mai 24 22:29:02 malamute kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Mai 24 22:29:02 malamute kernel: CR2: ffffffffa08b6352 CR3: 00000004459ce000 CR4: 00000000003406f0
Mai 24 22:29:02 malamute kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Mai 24 22:29:02 malamute kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Mai 24 22:29:02 malamute kernel: Call Trace:
Mai 24 22:29:02 malamute kernel:  ? snd_usb_ctl_msg+0xb4/0x140 [snd_usb_audio]
Mai 24 22:29:02 malamute kernel:  snd_us16x08_send_urb.isra.0+0x2c/0x30 [snd_usb_audio]
Mai 24 22:29:02 malamute kernel:  snd_us16x08_meter_get+0x76/0x2c0 [snd_usb_audio]
Mai 24 22:29:02 malamute kernel:  ? __check_object_size+0x4c/0x1c2
Mai 24 22:29:02 malamute kernel:  snd_ctl_elem_read+0xa8/0xd0 [snd]
Mai 24 22:29:02 malamute kernel:  snd_ctl_ioctl+0x5bf/0x6a0 [snd]
Mai 24 22:29:02 malamute kernel:  do_vfs_ioctl+0xa5/0x600
Mai 24 22:29:02 malamute kernel:  ? handle_mm_fault+0xde/0x240
Mai 24 22:29:02 malamute kernel:  ? __fget+0x77/0xb0
Mai 24 22:29:02 malamute kernel:  SyS_ioctl+0x79/0x90
Mai 24 22:29:02 malamute kernel:  entry_SYSCALL_64_fastpath+0x1a/0xa9
Mai 24 22:29:02 malamute kernel: RIP: 0033:0x7ff398a680d7
Mai 24 22:29:02 malamute kernel: RSP: 002b:00007ffc3d904678 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
Mai 24 22:29:02 malamute kernel: RAX: ffffffffffffffda RBX: 000000000000005d RCX: 00007ff398a680d7
Mai 24 22:29:02 malamute kernel: RDX: 00007ffc3d9046a0 RSI: 00000000c4c85512 RDI: 0000000000000015
Mai 24 22:29:02 malamute kernel: RBP: 0000000000002710 R08: 00000000011d0750 R09: 000000000000019a
Mai 24 22:29:02 malamute kernel: R10: 0000000000007fff R11: 0000000000000246 R12: 00007ff398d22b38
Mai 24 22:29:02 malamute kernel: R13: 00000000000004c0 R14: 0000000001295fc0 R15: 00007ff398d22ae0
Mai 24 22:29:02 malamute kernel: Code: c3 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 
Mai 24 22:29:02 malamute kernel: RIP: memcpy_erms+0x6/0x10 RSP: ffffc90006ee7cb8
Mai 24 22:29:02 malamute kernel: CR2: ffffffffa08b6352
Mai 24 22:29:02 malamute kernel: ---[ end trace 3fbf30e3599c0922 ]---
Comment 1 Bollie 2017-05-26 19:18:24 UTC
Created attachment 256737
Proposed fix

Thanks to Detlef, we figured out what was going wrong. 

You were passing a static const char via a (char*) cast to snd_usb_ctl_msg, which then tries to write into that using memcpy. 

I've created a patch and tested it using 4.11.2. Now my US-16x08 seems to be working properly.
Comment 2 Takashi Iwai 2017-05-26 21:17:33 UTC
Thanks for spotting it.

Could you check whether simply reverting the commit 89b593c30e83 ("ALSA: usb-audio: purge needless variable length array") works, too?
Comment 3 Bollie 2017-05-26 21:29:32 UTC
(In reply to Takashi Iwai from comment #2)
> Thanks for spotting it.
> 
> Could you check whether simply reverting the commit 89b593c30e83 ("ALSA:
> usb-audio: purge needless variable length array") works, too?

It looks like it might work, unless it won't also revert "ALSA: usb-audio: Fix memory leak and corruption in mixer_us16x08.c". Sorry, this is the first time dealing with kernel code. ;)

Although I did forget to mention that I also fixed a typo with the attached patch regarding the control name for Mid Low Q. It would be great to have that named properly.

Cheers,
Bollie
Comment 4 Takashi Iwai 2017-05-30 07:33:35 UTC
(In reply to Bollie from comment #3)
> (In reply to Takashi Iwai from comment #2)
> > Thanks for spotting it.
> > 
> > Could you check whether simply reverting the commit 89b593c30e83 ("ALSA:
> > usb-audio: purge needless variable length array") works, too?
> 
> It looks like it might work, unless it won't also revert "ALSA: usb-audio:
> Fix memory leak and corruption in mixer_us16x08.c".

It should be revertible without another revert.  Try the patch below, for example.

> Although I did forget to mention that I also fixed a typo with the attached
> patch regarding the control name for Mid Low Q. It would be great to have
> that named properly.

Yes, this should be corrected but handled in another patch.
Comment 5 Takashi Iwai 2017-05-30 07:34:52 UTC
Created attachment 256767
Revert patch
Comment 6 Bollie 2017-05-30 11:18:36 UTC
Comment on attachment 256767
Revert patch

Thank you so much for that patch. I'm gonna give it a try. But won't it bring back the warning: Variable length array is used?

Anyway, I'll report back to you.
Comment 7 Takashi Iwai 2017-05-30 11:41:45 UTC
It's not a real compile warning, and we can fix it later in a cleaner way.
Comment 8 Bollie 2017-05-30 18:23:02 UTC
I can confirm that the reverting patch works. 

For the last two items:

- correcting the name of LowMid Q
- creating dedicated arrays for mix_init_msg1 and 2

... will you create separate patches for those? Or shall I open another ticket with a proposed patch?

Cheers and thank you!
Bollie
Comment 9 Takashi Iwai 2017-05-30 21:27:34 UTC
Yes, the two patches below address the remaining issues.
Comment 10 Takashi Iwai 2017-05-30 21:28:20 UTC
Created attachment 256795
Fix patch for a typo
Comment 11 Takashi Iwai 2017-05-30 21:28:48 UTC
Created attachment 256797
Fix VLA again

Apply on top of the previous revert patch.
