lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4c8276a4-a405-4780-abd0-bb4a33eb6a14@gmail.com>
Date: Sat, 27 Sep 2025 20:52:57 +0200 (GMT+02:00)
From: Baltazár Radics <baltazar.radics@...il.com>
To: Ondřej Jirman <megi@....cz>
Cc: Mark Brown <broonie@...nel.org>, Liam Girdwood <lgirdwood@...il.com>,
	linux-sound@...r.kernel.org, linux-sunxi@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Csókás Bence <csokas.bence@...lan.hu>,
	Andre Przywara <andre.przywara@....com>,
	Jernej Skrabec <jernej.skrabec@...il.com>
Subject: Re: ASoC: sun4i-codec: Missing snd_soc_component_driver names
 causing NULL pointer dereference

Hi!

Sep 27, 2025 20:21:00 Ondřej Jirman <megi@....cz>:

> Hi Baltazár,
>
> On Fri, Sep 26, 2025 at 04:31:25PM +0100, Mark Brown wrote:
>> On Fri, Sep 26, 2025 at 05:10:30PM +0200, Baltazár Radics wrote:
>>> I ran into an issue where the kernel would panic depending on sun4i-
>>> codec vs sun8i-codec-analog driver load order. (If both are compiled-
>>> in, the default order does reproduce the crash.)If sun4i-codec was
>>> loaded before its analog component, snd_soc_register_card would return
>>> -EPROBE_DEFER. During cleanup snd_soc_unregister_component_by_driver
>>> tries to find components by driver name leading to the following oops:
>
> Your kernel version (6.16.5) does not contain fix for this:
>
>   https://lore.kernel.org/linux-sound/87ect8ysv8.wl-kuninori.morimoto.gx@renesas.com/

Shoot, I didn't notice this one. Thanks for the info and sorry for the noise!

> Kind regards,
>     o.
>
>> Copying in some of the people who work on sunxi.  It seems clear that we
>> should handle missing names more gracefully here.
>>
>>>
>>> [    0.841199] 8<--- cut here ---
>>> [    0.844315] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
>>> [    0.853268] [00000000] *pgd=00000000
>>> [    0.856885] Internal error: Oops: 5 [#1] SMP ARM
>>> [    0.861507] Modules linked in:
>>> [    0.864569] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.5 #1 NONE
>>> [    0.871617] Hardware name: Allwinner sun8i Family
>>> [    0.876316] PC is at strcmp+0x0/0x34
>>> [    0.879911] LR is at snd_soc_lookup_component_nolocked+0x64/0xa4
>>> [    0.885923] pc : [<c08e8824>]    lr : [<c075679c>]    psr: 00000013
>>> [    0.892184] sp : e0821de0  ip : 00000000  fp : c0c615e8
>>> [    0.897404] r10: 00000006  r9 : c0c49854  r8 : 0000001b
>>> [    0.902624] r7 : c0b04de8  r6 : c125b010  r5 : c0dde7e8  r4 : c1a95a40
>>> [    0.909146] r3 : c09b1d50  r2 : 0000006e  r1 : c0b04de8  r0 : 00000000
>>> [    0.915669] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
>>> [    0.922802] Control: 10c5387d  Table: 4000406a  DAC: 00000051
>>> [    0.928541] Register r0 information: NULL pointer
>>> [    0.933250] Register r1 information: non-slab/vmalloc memory
>>> [    0.938908] Register r2 information: non-paged memory
>>> [    0.943958] Register r3 information: non-slab/vmalloc memory
>>> [    0.949615] Register r4 information: slab kmalloc-256 start c1a95a00 pointer offset 64 size 256
>>> [    0.958327] Register r5 information: non-slab/vmalloc memory
>>> [    0.963984] Register r6 information: slab kmalloc-1k start c125b000 pointer offset 16 size 1024
>>> [    0.972693] Register r7 information: non-slab/vmalloc memory
>>> [    0.978350] Register r8 information: non-paged memory
>>> [    0.983400] Register r9 information: non-slab/vmalloc memory
>>> [    0.989057] Register r10 information: non-paged memory
>>> [    0.994193] Register r11 information: non-slab/vmalloc memory
>>> [    0.999937] Register r12 information: NULL pointer
>>> [    1.004726] Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
>>> [    1.010730] Stack: (0xe0821de0 to 0xe0822000)
>>> [    1.015091] 1de0: c0b04de8 c125b010 c125b010 e0821e18 0000001b c0758f20 c1a95c0c c125b010
>>> [    1.023264] 1e00: c125b010 c076c86c c1a9bc00 c1a9bc80 c125b010 c058804c c112b780 c1a95d00
>>> [    1.031436] 1e20: 00000007 75b58edd c125b010 00000205 c0ddec6c 00000000 c1a9b3b8 c05821b0
>>> [    1.039608] 1e40: c125b010 c0582960 c125b010 c0ddec6c c125b010 00000000 c1a9b3b8 c0582a90
>>> [    1.047781] 1e60: 60000013 c0c49854 c0e25818 c0ddec6c c125b010 00000000 c1a9b3b8 c0582c74
>>> [    1.055953] 1e80: c125b010 c0ddec6c c125b054 c1016000 c1a9b3b8 c0582eec 00000000 c0ddec6c
>>> [    1.064126] 1ea0: c0582e5c c0580950 c1016000 c1016058 c10f7234 75b58edd c1016000 c0ddec6c
>>> [    1.072298] 1ec0: c1a9b380 00000000 c1016000 c0581b74 c0b0534c 00000000 c0ddec6c c1050000
>>> [    1.080471] 1ee0: 00000000 c0deb000 c0deb000 c0583bf8 c0c2ddd8 c1050000 00000000 c010e26c
>>> [    1.088643] 1f00: 000004bf 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>>> [    1.096814] 1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>>> [    1.104986] 1f40: 00000000 00000000 00000000 75b58edd c11a6200 000000f3 c11a6200 c0c49834
>>> [    1.113158] 1f60: c0deb000 c0b14140 c0c49854 c0c01264 00000006 00000006 00000000 c0c004d0
>>> [    1.121331] 1f80: c08f37a8 c0d04e80 c08f37a8 00000000 00000000 00000000 00000000 00000000
>>> [    1.129503] 1fa0: 00000000 c08f37c4 00000000 c010014c 00000000 00000000 00000000 00000000
>>> [    1.137674] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>>> [    1.145846] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
>>> [    1.154014] Call trace:
>>> [    1.154030]  strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
>>> [    1.162926]  snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
>>> [    1.172065]  snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
>>> [    1.180773]  snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
>>> [    1.187749]  devres_release_all from device_unbind_cleanup+0xc/0x60
>>> [    1.194028]  device_unbind_cleanup from really_probe+0x220/0x2c8
>>> [    1.200046]  really_probe from __driver_probe_device+0x88/0x1a0
>>> [    1.205977]  __driver_probe_device from driver_probe_device+0x30/0x110
>>> [    1.212515]  driver_probe_device from __driver_attach+0x90/0x178
>>> [    1.218533]  __driver_attach from bus_for_each_dev+0x7c/0xcc
>>> [    1.224203]  bus_for_each_dev from bus_add_driver+0xcc/0x1ec
>>> [    1.229871]  bus_add_driver from driver_register+0x80/0x11c
>>> [    1.235457]  driver_register from do_one_initcall+0x58/0x23c
>>> [    1.241134]  do_one_initcall from kernel_init_freeable+0x1dc/0x238
>>> [    1.247324]  kernel_init_freeable from kernel_init+0x1c/0x12c
>>> [    1.253079]  kernel_init from ret_from_fork+0x14/0x28
>>> [    1.258137] Exception stack(0xe0821fb0 to 0xe0821ff8)
>>> [    1.263187] 1fa0:                                     00000000 00000000 00000000 00000000
>>> [    1.271359] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>>> [    1.279530] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
>>> [    1.286145] Code: e5e32001 e3520000 1afffffb e12fff1e (e4d03001)
>>> [    1.292290] ---[ end trace 0000000000000000 ]---
>>>
>>> The specific hardware in my case is a FriendlyARM NanoPi Duo2. Note
>>> that the current device tree has the relevant node disabled, so I'm
>>> running with the following patch applied:
>>>
>>> ---
>>> arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
>>> index 2b0566d4b386..6301b1a78301 100644
>>> --- a/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
>>> +++ b/arch/arm/boot/dts/allwinner/sun8i-h3-nanopi-duo2.dts
>>> @@ -137,6 +137,14 @@ &reg_usb0_vbus {
>>>     status = "okay";
>>> };
>>>
>>> +&codec {
>>> +   status = "okay";
>>> +   allwinner,audio-routing =
>>> +          "Line Out", "LINEOUT",
>>> +          "MIC1", "Mic",
>>> +          "Mic", "MBIAS";
>>> +};
>>> +
>>> &uart0 {
>>>     pinctrl-names = "default";
>>>     pinctrl-0 = <&uart0_pa_pins>;
>>> --
>>>
>>>
>>> I'm not sure if it's the correct solution, but setting the names of
>>> these snd_soc_component_driver instances does seem to fix my issue:
>>>
>>> ---
>>> sound/soc/sunxi/sun4i-codec.c | 6 ++++++
>>> 1 file changed, 6 insertions(+)
>>>
>>> diff --git a/sound/soc/sunxi/sun4i-codec.c b/sound/soc/sunxi/sun4i-codec.c
>>> index 93733ff2e32a..f00537f7f97d 100644
>>> --- a/sound/soc/sunxi/sun4i-codec.c
>>> +++ b/sound/soc/sunxi/sun4i-codec.c
>>> @@ -959,6 +959,7 @@ static const struct snd_soc_dapm_route sun4i_codec_codec_dapm_routes[] = {
>>> };
>>>
>>> static const struct snd_soc_component_driver sun4i_codec_codec = {
>>> +   .name           = "sun4i-codec-codec",
>>>     .controls       = sun4i_codec_controls,
>>>     .num_controls       = ARRAY_SIZE(sun4i_codec_controls),
>>>     .dapm_widgets       = sun4i_codec_codec_dapm_widgets,
>>> @@ -971,6 +972,7 @@ static const struct snd_soc_component_driver sun4i_codec_codec = {
>>> };
>>>
>>> static const struct snd_soc_component_driver sun7i_codec_codec = {
>>> +   .name           = "sun7i-codec-codec",
>>>     .controls       = sun7i_codec_controls,
>>>     .num_controls       = ARRAY_SIZE(sun7i_codec_controls),
>>>     .dapm_widgets       = sun4i_codec_codec_dapm_widgets,
>>> @@ -1278,6 +1280,7 @@ static const struct snd_soc_dapm_route sun6i_codec_codec_dapm_routes[] = {
>>> };
>>>
>>> static const struct snd_soc_component_driver sun6i_codec_codec = {
>>> +   .name           = "sun6i-codec-codec",
>>>     .controls       = sun6i_codec_codec_widgets,
>>>     .num_controls       = ARRAY_SIZE(sun6i_codec_codec_widgets),
>>>     .dapm_widgets       = sun6i_codec_codec_dapm_widgets,
>>> @@ -1307,6 +1310,7 @@ static const struct snd_soc_dapm_widget sun8i_a23_codec_codec_widgets[] = {
>>> };
>>>
>>> static const struct snd_soc_component_driver sun8i_a23_codec_codec = {
>>> +   .name           = "sun8i-a23-codec-codec",
>>>     .controls       = sun8i_a23_codec_codec_controls,
>>>     .num_controls       = ARRAY_SIZE(sun8i_a23_codec_codec_controls),
>>>     .dapm_widgets       = sun8i_a23_codec_codec_widgets,
>>> @@ -1527,6 +1531,7 @@ static const struct snd_soc_dapm_route suniv_codec_codec_dapm_routes[] = {
>>> };
>>>
>>> static const struct snd_soc_component_driver suniv_codec_codec = {
>>> +   .name           = "suniv-codec-codec",
>>>     .controls       = suniv_codec_codec_widgets,
>>>     .num_controls       = ARRAY_SIZE(suniv_codec_codec_widgets),
>>>     .dapm_widgets       = suniv_codec_codec_dapm_widgets,
>>> @@ -1952,6 +1957,7 @@ static const struct snd_soc_dapm_widget sun50i_h616_codec_codec_widgets[] = {
>>> };
>>>
>>> static const struct snd_soc_component_driver sun50i_h616_codec_codec = {
>>> +   .name       = "sun50i-h616-codec-codec",
>>>     .controls   = sun50i_h616_codec_codec_controls,
>>>     .num_controls   = ARRAY_SIZE(sun50i_h616_codec_codec_controls),
>>>     .dapm_widgets   = sun50i_h616_codec_codec_widgets,
>>> --
>>> 2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ