Bug 40682 - Oops in alsa /dev/snd/timer device with SNDRV_TIMER_IOCTL_SELECT ioctl
Summary: Oops in alsa /dev/snd/timer device with SNDRV_TIMER_IOCTL_SELECT ioctl
Status: CLOSED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Sound(ALSA) (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Jaroslav Kysela
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-07 17:14 UTC by some
Modified: 2011-08-15 09:23 UTC (History)
2 users (show)

See Also:
Kernel Version: 2.6.29.1, ...
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Fix patch (974 bytes, patch)
2011-08-08 10:33 UTC, Takashi Iwai 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description some 2011-08-07 17:14:08 UTC 
Hi. I have this Oops

[ 6642.899997] BUG: unable to handle kernel NULL pointer dereference at 000000e8
[ 6642.900126] IP: [<c01176f5>] __ticket_spin_lock+0x5/0x15
[ 6642.900126] *pde = 00000000
[ 6642.900126] Oops: 0000 [#18] SMP
[ 6642.900126] last sysfs file: /sys/devices/pci0000:00/0000:00:14.0/class
[ 6642.900126] Modules linked in: nls_iso8859_1 nls_cp437 vfat fat usb_storage binfmt_misc ipv6 loop sd_mod snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device mptspi mptscsih mptbase ac parport_pc parport floppy thermal ohci_hcd scsi_transport_spi psmouse i2c_piix4 snd ehci_hcd processor thermal_sys button serio_raw scsi_mod i2c_core pcnet32 mii pcspkr usbcore soundcore snd_page_alloc evdev
[ 6642.900126]
[ 6642.900126] Pid: 3495, comm: exx Tainted: G      D    (2.6.29.1 #13) VirtualBox
[ 6642.900126] EIP: 0060:[<c01176f5>] EFLAGS: 00010086 CPU: 0
[ 6642.900126] EIP is at __ticket_spin_lock+0x5/0x15
[ 6642.900126] EAX: 000000e8 EBX: 00000282 ECX: 00000000 EDX: 00000100
[ 6642.900126] ESI: 000000e8 EDI: df2e125c EBP: df514be8 ESP: daa73f38
[ 6642.900126]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 6642.900126] Process exx (pid: 3495, ti=daa72000 task=daa42810 task.ti=daa72000)
[ 6642.900126] Stack:
[ 6642.900126]  c0117792 c042f619 df2e125c da9219c0 e0c42f9d dabd48c0 da9219c0 e0c43685
[ 6642.900126]  df2e1380 00000010 dabd48c0 da9fad40 df2e125c df514be8 e0c436ae 00000010
[ 6642.900126]  c018a4d5 df80dec0 da9fad40 00000000 daa7f6c0 daa72000 c0187da1 daa7f6c0
[ 6642.900126] Call Trace:
[ 6642.900126]  [<c0117792>] default_spin_lock_flags+0x5/0x7
[ 6642.900126]  [<c042f619>] _spin_lock_irqsave+0x25/0x2b
[ 6642.900126]  [<e0c42f9d>] snd_timer_stop+0x23/0x3e [snd_timer]
[ 6642.900126]  [<e0c43685>] snd_timer_close+0x211/0x220 [snd_timer]
[ 6642.900126]  [<e0c436ae>] snd_timer_user_release+0x1a/0x35 [snd_timer]
[ 6642.900126]  [<c018a4d5>] __fput+0xa6/0x150
[ 6642.900126]  [<c0187da1>] filp_close+0x4e/0x54
[ 6642.900126]  [<c0187e0b>] sys_close+0x64/0x9f
[ 6642.900126]  [<c0103466>] syscall_call+0x7/0xb
[ 6642.900126] Code: 24 0c 89 da 89 f0 5b 5e e9 91 fd ff ff 89 4c 24 0c 89 f1 0f b7 d2 89 5c 24 10 0f b6 c0 5b 5e e9 a5 fd ff ff 90 90 ba 00 01 00 00 <3e> 66 0f c1 10 38 f2 74 06 f3 90 8a 10 eb f6 c3 53 89 c3 0f b7
[ 6642.900126] EIP: [<c01176f5>] __ticket_spin_lock+0x5/0x15 SS:ESP 0068:daa73f38
[ 6642.900126] ---[ end trace 11e604579b3dcb21 ]---

I can reproduce it with this code:
---------------------------------------------------------------
#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>
#include <linux/soundcard.h>


struct snd_timer_id {
        int dev_class;
        int dev_sclass;
        int card;
        int device;
        int subdevice;
};

struct snd_timer_select {
        struct snd_timer_id id; /* bind to timer ID */
        unsigned char reserved[32];     /* reserved */
};


#define SNDRV_TIMER_IOCTL_SELECT _IOW('T', 0x10, struct snd_timer_select)

main(int argc, char **argv)
{
int h;
struct snd_timer_select sel;

h=open("/dev/snd/timer",O_RDONLY | O_NONBLOCK);
if(h< 0)
 {
        perror("open");
        exit(0);
 }

sel.id.dev_class = 0;
sel.id.dev_sclass = 1;


if(ioctl(h, SNDRV_TIMER_IOCTL_SELECT,&sel)>=0)
 {
        printf("ok\n");
 }

close(h);
return 1;
}
------------------------------------------------------------------

Bug is placed int sound/core/timer.c in snd_timer_user_tselect function.
Comment 1 some 2011-08-07 17:29:45 UTC 
lspci:

00:05.0 Multimedia audio controller: Intel Corporation 82801AA AC'97 Audio Controller (rev 01)
        Subsystem: Intel Corporation Device 0000
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 64
        Interrupt: pin A routed to IRQ 5
        Region 0: I/O ports at d100 [size=256]
        Region 1: I/O ports at d200 [size=64]
        Kernel driver in use: Intel ICH
        Kernel modules: snd-intel8x0
Comment 2 Takashi Iwai 2011-08-08 10:32:15 UTC 
The patch below should fix the problem.
It was applied to sound git tree now, and will be included in the next pull request.

Thanks.
Comment 3 Takashi Iwai 2011-08-08 10:33:05 UTC 
Created attachment 68032 [details]
Fix patch
Comment 4 Florian Mickler 2011-08-15 09:14:20 UTC 
A patch referencing this bug report has been merged in Linux v3.1-rc2:

commit 0584ffa548b6e59aceb027112f23a55f0133400e
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Aug 8 12:24:46 2011 +0200

    ALSA: timer - Fix Oops at closing slave timer
Note You need to log in before you can comment on or make changes to this bug.