Message-ID: <ffef657cce57b7bce005b99f9b14dc81c9ae4535.camel@gmail.com>
Date: Fri, 26 Sep 2025 17:10:30 +0200
From: Baltazár Radics <baltazar.radics@...il.com>
To: Liam Girdwood <lgirdwood@...il.com>, Mark Brown <broonie@...nel.org>
Cc: linux-sound@...r.kernel.org, linux-sunxi@...ts.linux.dev, 
	linux-kernel@...r.kernel.org
Subject: ASoC: sun4i-codec: Missing snd_soc_component_driver names causing
 NULL pointer dereference

I ran into an issue where the kernel would panic depending on the load
order of the sun4i-codec and sun8i-codec-analog drivers. (If both are
compiled in, the default order reproduces the crash.) If sun4i-codec was
loaded before its analog component, snd_soc_register_card would return
-EPROBE_DEFER. During cleanup, snd_soc_unregister_component_by_driver
tries to find components by driver name, leading to the following oops:

[    0.841199] 8<--- cut here ---
[    0.844315] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
[    0.853268] [00000000] *pgd=00000000
[    0.856885] Internal error: Oops: 5 [#1] SMP ARM
[    0.861507] Modules linked in:
[    0.864569] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.5 #1 NONE 
[    0.871617] Hardware name: Allwinner sun8i Family
[    0.876316] PC is at strcmp+0x0/0x34
[    0.879911] LR is at snd_soc_lookup_component_nolocked+0x64/0xa4
[    0.885923] pc : [<c08e8824>]    lr : [<c075679c>]    psr: 00000013
[    0.892184] sp : e0821de0  ip : 00000000  fp : c0c615e8
[    0.897404] r10: 00000006  r9 : c0c49854  r8 : 0000001b
[    0.902624] r7 : c0b04de8  r6 : c125b010  r5 : c0dde7e8  r4 : c1a95a40
[    0.909146] r3 : c09b1d50  r2 : 0000006e  r1 : c0b04de8  r0 : 00000000
[    0.915669] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[    0.922802] Control: 10c5387d  Table: 4000406a  DAC: 00000051
[    0.928541] Register r0 information: NULL pointer
[    0.933250] Register r1 information: non-slab/vmalloc memory
[    0.938908] Register r2 information: non-paged memory
[    0.943958] Register r3 information: non-slab/vmalloc memory
[    0.949615] Register r4 information: slab kmalloc-256 start c1a95a00 pointer offset 64 size 256
[    0.958327] Register r5 information: non-slab/vmalloc memory
[    0.963984] Register r6 information: slab kmalloc-1k start c125b000 pointer offset 16 size 1024
[    0.972693] Register r7 information: non-slab/vmalloc memory
[    0.978350] Register r8 information: non-paged memory
[    0.983400] Register r9 information: non-slab/vmalloc memory
[    0.989057] Register r10 information: non-paged memory
[    0.994193] Register r11 information: non-slab/vmalloc memory
[    0.999937] Register r12 information: NULL pointer
[    1.004726] Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
[    1.010730] Stack: (0xe0821de0 to 0xe0822000)
[    1.015091] 1de0: c0b04de8 c125b010 c125b010 e0821e18 0000001b c0758f20 c1a95c0c c125b010
[    1.023264] 1e00: c125b010 c076c86c c1a9bc00 c1a9bc80 c125b010 c058804c c112b780 c1a95d00
[    1.031436] 1e20: 00000007 75b58edd c125b010 00000205 c0ddec6c 00000000 c1a9b3b8 c05821b0
[    1.039608] 1e40: c125b010 c0582960 c125b010 c0ddec6c c125b010 00000000 c1a9b3b8 c0582a90
[    1.047781] 1e60: 60000013 c0c49854 c0e25818 c0ddec6c c125b010 00000000 c1a9b3b8 c0582c74
[    1.055953] 1e80: c125b010 c0ddec6c c125b054 c1016000 c1a9b3b8 c0582eec 00000000 c0ddec6c
[    1.064126] 1ea0: c0582e5c c0580950 c1016000 c1016058 c10f7234 75b58edd c1016000 c0ddec6c
[    1.072298] 1ec0: c1a9b380 00000000 c1016000 c0581b74 c0b0534c 00000000 c0ddec6c c1050000
[    1.080471] 1ee0: 00000000 c0deb000 c0deb000 c0583bf8 c0c2ddd8 c1050000 00000000 c010e26c
[    1.088643] 1f00: 000004bf 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    1.096814] 1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    1.104986] 1f40: 00000000 00000000 00000000 75b58edd c11a6200 000000f3 c11a6200 c0c49834
[    1.113158] 1f60: c0deb000 c0b14140 c0c49854 c0c01264 00000006 00000006 00000000 c0c004d0
[    1.121331] 1f80: c08f37a8 c0d04e80 c08f37a8 00000000 00000000 00000000 00000000 00000000
[    1.129503] 1fa0: 00000000 c08f37c4 00000000 c010014c 00000000 00000000 00000000 00000000
[    1.137674] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    1.145846] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[    1.154014] Call trace: 
[    1.154030]  strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
[    1.162926]  snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
[    1.172065]  snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
[    1.180773]  snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
[    1.187749]  devres_release_all from device_unbind_cleanup+0xc/0x60
[    1.194028]  device_unbind_cleanup from really_probe+0x220/0x2c8
[    1.200046]  really_probe from __driver_probe_device+0x88/0x1a0
[    1.205977]  __driver_probe_device from driver_probe_device+0x30/0x110
[    1.212515]  driver_probe_device from __driver_attach+0x90/0x178
[    1.218533]  __driver_attach from bus_for_each_dev+0x7c/0xcc
[    1.224203]  bus_for_each_dev from bus_add_driver+0xcc/0x1ec
[    1.229871]  bus_add_driver from driver_register+0x80/0x11c
[    1.235457]  driver_register from do_one_initcall+0x58/0x23c
[    1.241134]  do_one_initcall from kernel_init_freeable+0x1dc/0x238
[    1.247324]  kernel_init_freeable from kernel_init+0x1c/0x12c
[    1.253079]  kernel_init from ret_from_fork+0x14/0x28
[    1.258137] Exception stack(0xe0821fb0 to 0xe0821ff8)
[    1.263187] 1fa0:                                     00000000 00000000 00000000 00000000
[    1.271359] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    1.279530] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[    1.286145] Code: e5e32001 e3520000 1afffffb e12fff1e (e4d03001) 
[    1.292290] ---[ end trace 0000000000000000 ]---

The specific hardware in my case is a FriendlyARM NanoPi Duo2. Note
that the current device tree has the relevant node disabled, so I'm
running with the following patch applied:

---
arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
index 2b0566d4b386..6301b1a78301 100644
--- a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
+++ b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
@@ -137,6 +137,14 @@ &reg_usb0_vbus {
 	status = "okay";
 };
 
+&codec {
+	status = "okay";
+	allwinner,audio-routing =
+	       "Line Out", "LINEOUT",
+	       "MIC1", "Mic",
+	       "Mic", "MBIAS";
+};
+
 &uart0 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&uart0_pa_pins>;
--


I'm not sure if it's the correct solution, but setting the names of
these snd_soc_component_driver instances does seem to fix my issue:

---
 sound/soc/sunxi/sun4i-codec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/soc/sunxi/sun4i-codec.c b/sound/soc/sunxi/sun4i-codec.c
index 93733ff2e32a..f00537f7f97d 100644
--- a/sound/soc/sunxi/sun4i-codec.c
+++ b/sound/soc/sunxi/sun4i-codec.c
@@ -959,6 +959,7 @@ static const struct snd_soc_dapm_route sun4i_codec_codec_dapm_routes[] = {
 };
 
 static const struct snd_soc_component_driver sun4i_codec_codec = {
+	.name			= "sun4i-codec-codec",
 	.controls		= sun4i_codec_controls,
 	.num_controls		= ARRAY_SIZE(sun4i_codec_controls),
 	.dapm_widgets		= sun4i_codec_codec_dapm_widgets,
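Review bot: Setting `.name` on `sun4i_codec_codec` (and on the five other component drivers in the later hunks) removes the NULL that reaches strcmp() in the posted trace, but it only covers this file; any other component driver that leaves `.name` unset would presumably hit the same oops on the -EPROBE_DEFER cleanup path. The body of snd_soc_lookup_component_nolocked is not shown here, so whether it should skip or reject a NULL driver name before comparing is worth raising with the ASoC core maintainers as the more general fix. If the per-driver names are kept, they act as lookup keys on unregister, so a short comment such as `/* .name is required: components are looked up by driver name on unregister */` above the first initializer would explain why the field must not be dropped again. Each struct initializer continues outside its hunk, so the remaining fields were not reviewed.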
@@ -971,6 +972,7 @@ static const struct snd_soc_component_driver sun4i_codec_codec = {
 };
 
 static const struct snd_soc_component_driver sun7i_codec_codec = {
+	.name			= "sun7i-codec-codec",
 	.controls		= sun7i_codec_controls,
 	.num_controls		= ARRAY_SIZE(sun7i_codec_controls),
 	.dapm_widgets		= sun4i_codec_codec_dapm_widgets,
@@ -1278,6 +1280,7 @@ static const struct snd_soc_dapm_route sun6i_codec_codec_dapm_routes[] = {
 };
 
 static const struct snd_soc_component_driver sun6i_codec_codec = {
+	.name			= "sun6i-codec-codec",
 	.controls		= sun6i_codec_codec_widgets,
 	.num_controls		= ARRAY_SIZE(sun6i_codec_codec_widgets),
 	.dapm_widgets		= sun6i_codec_codec_dapm_widgets,
@@ -1307,6 +1310,7 @@ static const struct snd_soc_dapm_widget sun8i_a23_codec_codec_widgets[] = {
 };
 
 static const struct snd_soc_component_driver sun8i_a23_codec_codec = {
+	.name			= "sun8i-a23-codec-codec",
 	.controls		= sun8i_a23_codec_codec_controls,
 	.num_controls		= ARRAY_SIZE(sun8i_a23_codec_codec_controls),
 	.dapm_widgets		= sun8i_a23_codec_codec_widgets,
@@ -1527,6 +1531,7 @@ static const struct snd_soc_dapm_route suniv_codec_codec_dapm_routes[] = {
 };
 
 static const struct snd_soc_component_driver suniv_codec_codec = {
+	.name			= "suniv-codec-codec",
 	.controls		= suniv_codec_codec_widgets,
 	.num_controls		= ARRAY_SIZE(suniv_codec_codec_widgets),
 	.dapm_widgets		= suniv_codec_codec_dapm_widgets,
@@ -1952,6 +1957,7 @@ static const struct snd_soc_dapm_widget sun50i_h616_codec_codec_widgets[] = {
 };
 
 static const struct snd_soc_component_driver sun50i_h616_codec_codec = {
+	.name       = "sun50i-h616-codec-codec",
 	.controls   = sun50i_h616_codec_codec_controls,
 	.num_controls   = ARRAY_SIZE(sun50i_h616_codec_codec_controls),
 	.dapm_widgets   = sun50i_h616_codec_codec_widgets,
-- 
2.51.0
