Message-ID: <391d0e76-93bb-48a4-a6d5-2938766710a0@sirena.org.uk>
Date: Fri, 26 Sep 2025 16:31:25 +0100
From: Mark Brown <broonie@...nel.org>
To: Baltazár Radics <baltazar.radics@...il.com>
Cc: Liam Girdwood <lgirdwood@...il.com>, linux-sound@...r.kernel.org,
	linux-sunxi@...ts.linux.dev, linux-kernel@...r.kernel.org,
	Csókás Bence <csokas.bence@...lan.hu>,
	Andre Przywara <andre.przywara@....com>,
	Jernej Skrabec <jernej.skrabec@...il.com>,
	Ondrej Jirman <megi@....cz>
Subject: Re: ASoC: sun4i-codec: Missing snd_soc_component_driver names
 causing NULL pointer dereference

On Fri, Sep 26, 2025 at 05:10:30PM +0200, Baltazár Radics wrote:
> I ran into an issue where the kernel would panic depending on sun4i-
> codec vs sun8i-codec-analog driver load order. (If both are compiled-
> in, the default order does reproduce the crash.) If sun4i-codec was
> loaded before its analog component, snd_soc_register_card would return
> -EPROBE_DEFER. During cleanup snd_soc_unregister_component_by_driver
> tries to find components by driver name leading to the following oops:

Copying in some of the people who work on sunxi.  It seems clear that we
should handle missing names more gracefully here.

> 
> [    0.841199] 8<--- cut here ---
> [    0.844315] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
> [    0.853268] [00000000] *pgd=00000000
> [    0.856885] Internal error: Oops: 5 [#1] SMP ARM
> [    0.861507] Modules linked in:
> [    0.864569] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.5 #1 NONE 
> [    0.871617] Hardware name: Allwinner sun8i Family
> [    0.876316] PC is at strcmp+0x0/0x34
> [    0.879911] LR is at snd_soc_lookup_component_nolocked+0x64/0xa4
> [    0.885923] pc : [<c08e8824>]    lr : [<c075679c>]    psr: 00000013
> [    0.892184] sp : e0821de0  ip : 00000000  fp : c0c615e8
> [    0.897404] r10: 00000006  r9 : c0c49854  r8 : 0000001b
> [    0.902624] r7 : c0b04de8  r6 : c125b010  r5 : c0dde7e8  r4 : c1a95a40
> [    0.909146] r3 : c09b1d50  r2 : 0000006e  r1 : c0b04de8  r0 : 00000000
> [    0.915669] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
> [    0.922802] Control: 10c5387d  Table: 4000406a  DAC: 00000051
> [    0.928541] Register r0 information: NULL pointer
> [    0.933250] Register r1 information: non-slab/vmalloc memory
> [    0.938908] Register r2 information: non-paged memory
> [    0.943958] Register r3 information: non-slab/vmalloc memory
> [    0.949615] Register r4 information: slab kmalloc-256 start c1a95a00 pointer offset 64 size 256
> [    0.958327] Register r5 information: non-slab/vmalloc memory
> [    0.963984] Register r6 information: slab kmalloc-1k start c125b000 pointer offset 16 size 1024
> [    0.972693] Register r7 information: non-slab/vmalloc memory
> [    0.978350] Register r8 information: non-paged memory
> [    0.983400] Register r9 information: non-slab/vmalloc memory
> [    0.989057] Register r10 information: non-paged memory
> [    0.994193] Register r11 information: non-slab/vmalloc memory
> [    0.999937] Register r12 information: NULL pointer
> [    1.004726] Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
> [    1.010730] Stack: (0xe0821de0 to 0xe0822000)
> [    1.015091] 1de0: c0b04de8 c125b010 c125b010 e0821e18 0000001b c0758f20 c1a95c0c c125b010
> [    1.023264] 1e00: c125b010 c076c86c c1a9bc00 c1a9bc80 c125b010 c058804c c112b780 c1a95d00
> [    1.031436] 1e20: 00000007 75b58edd c125b010 00000205 c0ddec6c 00000000 c1a9b3b8 c05821b0
> [    1.039608] 1e40: c125b010 c0582960 c125b010 c0ddec6c c125b010 00000000 c1a9b3b8 c0582a90
> [    1.047781] 1e60: 60000013 c0c49854 c0e25818 c0ddec6c c125b010 00000000 c1a9b3b8 c0582c74
> [    1.055953] 1e80: c125b010 c0ddec6c c125b054 c1016000 c1a9b3b8 c0582eec 00000000 c0ddec6c
> [    1.064126] 1ea0: c0582e5c c0580950 c1016000 c1016058 c10f7234 75b58edd c1016000 c0ddec6c
> [    1.072298] 1ec0: c1a9b380 00000000 c1016000 c0581b74 c0b0534c 00000000 c0ddec6c c1050000
> [    1.080471] 1ee0: 00000000 c0deb000 c0deb000 c0583bf8 c0c2ddd8 c1050000 00000000 c010e26c
> [    1.088643] 1f00: 000004bf 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    1.096814] 1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    1.104986] 1f40: 00000000 00000000 00000000 75b58edd c11a6200 000000f3 c11a6200 c0c49834
> [    1.113158] 1f60: c0deb000 c0b14140 c0c49854 c0c01264 00000006 00000006 00000000 c0c004d0
> [    1.121331] 1f80: c08f37a8 c0d04e80 c08f37a8 00000000 00000000 00000000 00000000 00000000
> [    1.129503] 1fa0: 00000000 c08f37c4 00000000 c010014c 00000000 00000000 00000000 00000000
> [    1.137674] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    1.145846] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
> [    1.154014] Call trace: 
> [    1.154030]  strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
> [    1.162926]  snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
> [    1.172065]  snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
> [    1.180773]  snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
> [    1.187749]  devres_release_all from device_unbind_cleanup+0xc/0x60
> [    1.194028]  device_unbind_cleanup from really_probe+0x220/0x2c8
> [    1.200046]  really_probe from __driver_probe_device+0x88/0x1a0
> [    1.205977]  __driver_probe_device from driver_probe_device+0x30/0x110
> [    1.212515]  driver_probe_device from __driver_attach+0x90/0x178
> [    1.218533]  __driver_attach from bus_for_each_dev+0x7c/0xcc
> [    1.224203]  bus_for_each_dev from bus_add_driver+0xcc/0x1ec
> [    1.229871]  bus_add_driver from driver_register+0x80/0x11c
> [    1.235457]  driver_register from do_one_initcall+0x58/0x23c
> [    1.241134]  do_one_initcall from kernel_init_freeable+0x1dc/0x238
> [    1.247324]  kernel_init_freeable from kernel_init+0x1c/0x12c
> [    1.253079]  kernel_init from ret_from_fork+0x14/0x28
> [    1.258137] Exception stack(0xe0821fb0 to 0xe0821ff8)
> [    1.263187] 1fa0:                                     00000000 00000000 00000000 00000000
> [    1.271359] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    1.279530] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [    1.286145] Code: e5e32001 e3520000 1afffffb e12fff1e (e4d03001) 
> [    1.292290] ---[ end trace 0000000000000000 ]---
> 
> The specific hardware in my case is a FriendlyARM NanoPi Duo2. Note
> that the current device tree has the relevant node disabled, so I'm
> running with the following patch applied:
> 
> ---
> arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
> index 2b0566d4b386..6301b1a78301 100644
> --- a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
> +++ b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
> @@ -137,6 +137,14 @@ &reg_usb0_vbus {
>  	status = "okay";
>  };
>  
> +&codec {
> +	status = "okay";
> +	allwinner,audio-routing =
> +	       "Line Out", "LINEOUT",
> +	       "MIC1", "Mic",
> +	       "Mic", "MBIAS";
> +};
> +
>  &uart0 {
>  	pinctrl-names = "default";
>  	pinctrl-0 = <&uart0_pa_pins>;
> --
> 
> 
> I'm not sure if it's the correct solution, but setting the names of
> these snd_soc_component_driver instances does seem to fix my issue:
> 
> ---
>  sound/soc/sunxi/sun4i-codec.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/sound/soc/sunxi/sun4i-codec.c b/sound/soc/sunxi/sun4i-codec.c
> index 93733ff2e32a..f00537f7f97d 100644
> --- a/sound/soc/sunxi/sun4i-codec.c
> +++ b/sound/soc/sunxi/sun4i-codec.c
> @@ -959,6 +959,7 @@ static const struct snd_soc_dapm_route sun4i_codec_codec_dapm_routes[] = {
>  };
>  
>  static const struct snd_soc_component_driver sun4i_codec_codec = {
> +	.name			= "sun4i-codec-codec",
>  	.controls		= sun4i_codec_controls,
>  	.num_controls		= ARRAY_SIZE(sun4i_codec_controls),
>  	.dapm_widgets		= sun4i_codec_codec_dapm_widgets,
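Review bot: The added `.name` initialisers (this hunk and the ones at -971, -1278, -1307, -1527 and -1952) only protect the six component drivers they touch. Going by the call trace, `snd_soc_lookup_component_nolocked` hands a component's driver name to `strcmp()` while `snd_dmaengine_pcm_unregister` searches for its own component, so any other `snd_soc_component_driver` in this file that still lacks `.name` would presumably fault the same way on the `-EPROBE_DEFER` unwind. Those definitions are not visible in these hunks, so check the rest of the file before sending this as a formal patch. A short comment at the first definition would record that the field is not cosmetic, for example `/* .name is required: component lookup by driver name strcmp()s it */`. Each struct body continues past the end of its hunk.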
> @@ -971,6 +972,7 @@ static const struct snd_soc_component_driver sun4i_codec_codec = {
>  };
>  
>  static const struct snd_soc_component_driver sun7i_codec_codec = {
> +	.name			= "sun7i-codec-codec",
>  	.controls		= sun7i_codec_controls,
>  	.num_controls		= ARRAY_SIZE(sun7i_codec_controls),
>  	.dapm_widgets		= sun4i_codec_codec_dapm_widgets,
> @@ -1278,6 +1280,7 @@ static const struct snd_soc_dapm_route sun6i_codec_codec_dapm_routes[] = {
>  };
>  
>  static const struct snd_soc_component_driver sun6i_codec_codec = {
> +	.name			= "sun6i-codec-codec",
>  	.controls		= sun6i_codec_codec_widgets,
>  	.num_controls		= ARRAY_SIZE(sun6i_codec_codec_widgets),
>  	.dapm_widgets		= sun6i_codec_codec_dapm_widgets,
> @@ -1307,6 +1310,7 @@ static const struct snd_soc_dapm_widget sun8i_a23_codec_codec_widgets[] = {
>  };
>  
>  static const struct snd_soc_component_driver sun8i_a23_codec_codec = {
> +	.name			= "sun8i-a23-codec-codec",
>  	.controls		= sun8i_a23_codec_codec_controls,
>  	.num_controls		= ARRAY_SIZE(sun8i_a23_codec_codec_controls),
>  	.dapm_widgets		= sun8i_a23_codec_codec_widgets,
> @@ -1527,6 +1531,7 @@ static const struct snd_soc_dapm_route suniv_codec_codec_dapm_routes[] = {
>  };
>  
>  static const struct snd_soc_component_driver suniv_codec_codec = {
> +	.name			= "suniv-codec-codec",
>  	.controls		= suniv_codec_codec_widgets,
>  	.num_controls		= ARRAY_SIZE(suniv_codec_codec_widgets),
>  	.dapm_widgets		= suniv_codec_codec_dapm_widgets,
> @@ -1952,6 +1957,7 @@ static const struct snd_soc_dapm_widget sun50i_h616_codec_codec_widgets[] = {
>  };
>  
>  static const struct snd_soc_component_driver sun50i_h616_codec_codec = {
> +	.name       = "sun50i-h616-codec-codec",
>  	.controls   = sun50i_h616_codec_codec_controls,
>  	.num_controls   = ARRAY_SIZE(sun50i_h616_codec_codec_controls),
>  	.dapm_widgets   = sun50i_h616_codec_codec_widgets,
> -- 
> 2.51.0

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
