From patchwork Sun Jan 24 10:10:33 2016
X-Patchwork-Submitter: Dmitry Vyukov
X-Patchwork-Id: 8098391
From: Dmitry Vyukov
Date: Sun, 24 Jan 2016 11:10:33 +0100
To: Jaroslav Kysela, Takashi Iwai, Jie Yang, Mark Brown, alsa-devel@alsa-project.org, LKML
Subject: [alsa-devel] sound: use-after-free in snd_timer_notify1

Hello,

The following program causes use-after-free in snd_timer_notify1:

==================================================================
BUG: KASAN: use-after-free in snd_timer_notify1+0x411/0x460 at addr ffff880035a433e0
Read of size 8 by task syz-executor/11116
=============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=1 cpu=1 pid=11106
[< inline >] kzalloc include/linux/slab.h:607
[< none >] snd_timer_instance_new+0x52/0x3a0 sound/core/timer.c:105
[< none >] snd_timer_open+0x522/0xce0 sound/core/timer.c:288
[< none >] snd_seq_timer_open+0x223/0x560 sound/core/seq/seq_timer.c:279
[< none >] snd_seq_queue_use+0x147/0x230 sound/core/seq/seq_queue.c:528
[< none >] snd_seq_queue_alloc+0x36a/0x4d0 sound/core/seq/seq_queue.c:199
[< none >] snd_seq_ioctl_create_queue+0xdb/0x2b0 sound/core/seq/seq_clientmgr.c:1536
[< none >] snd_seq_do_ioctl+0x19d/0x1c0 sound/core/seq/seq_clientmgr.c:2209
[< none >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[< inline >] vfs_ioctl fs/ioctl.c:43
[< none >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[< none >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
INFO: Freed in snd_timer_close+0x3a8/0x700 age=19 cpu=3 pid=11114
[< none >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[< none >] snd_timer_close+0x3a8/0x700 sound/core/timer.c:368
[< none >] snd_seq_timer_close+0x97/0x130 sound/core/seq/seq_timer.c:312
[< none >] snd_seq_queue_timer_close+0x28/0x50 sound/core/seq/seq_queue.c:475
[< none >] snd_seq_ioctl_set_queue_timer+0x159/0x300 sound/core/seq/seq_clientmgr.c:1809
[< none >] snd_seq_do_ioctl+0x19d/0x1c0 sound/core/seq/seq_clientmgr.c:2209
[< none >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[< inline >] vfs_ioctl fs/ioctl.c:43
[< none >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[< none >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
INFO: Slab 0xffffea0000d69000 objects=22 used=16 fp=0xffff880035a42d80 flags=0x1fffc0000004080
INFO: Object 0xffff880035a43330 @offset=13104 fp=0xffff880064ccee20
CPU: 0 PID: 11116 Comm: syz-executor Tainted: G B 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880064bcf560 ffffffff82999e2d ffff88003e807000
 ffff880035a43330 ffff880035a40000 ffff880064bcf590 ffffffff81757354
 ffff88003e807000 ffffea0000d69000 ffff880035a43330 ffff880064bcf718
Call Trace:
[] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[] snd_timer_notify1+0x411/0x460 sound/core/timer.c:416
[] _snd_timer_stop+0x235/0x5c0 sound/core/timer.c:524
[] snd_timer_pause+0x1a/0x20 sound/core/timer.c:583
[< inline >] snd_seq_timer_stop sound/core/seq/seq_timer.c:325
[] snd_seq_timer_start+0x148/0x1a0 sound/core/seq/seq_timer.c:366
[< inline >] snd_seq_queue_process_event sound/core/seq/seq_queue.c:687
[] snd_seq_control_queue+0x304/0x8b0 sound/core/seq/seq_queue.c:748
[] event_input_timer+0x25/0x30 sound/core/seq/seq_system.c:118
[] snd_seq_deliver_single_event.constprop.11+0x3f4/0x740 sound/core/seq/seq_clientmgr.c:634
[] snd_seq_deliver_event+0x122/0x800 sound/core/seq/seq_clientmgr.c:828
[] snd_seq_dispatch_event+0xf9/0x510 sound/core/seq/seq_clientmgr.c:902
[] snd_seq_check_queue+0x3fb/0x560 sound/core/seq/seq_queue.c:293
[] snd_seq_enqueue_event+0x24d/0x400 sound/core/seq/seq_queue.c:357
[] snd_seq_client_enqueue_event+0x214/0x430 sound/core/seq/seq_clientmgr.c:961
[] snd_seq_write+0x2ef/0x570 sound/core/seq/seq_clientmgr.c:1075
[] __vfs_write+0x113/0x480 fs/read_write.c:528
[] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[] SyS_write+0x111/0x220 fs/read_write.c:616
[] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
==================================================================

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include
#include
#include
#include
#include
long r[254];
int main() {
memset(r, -1, sizeof(r)); r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1c000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); r[2] = open("/dev/snd/seq", 0x1ul, 0, 0, 0); *(uint32_t*)0x20006000 = (uint32_t)0xffffffffffffffff; *(uint32_t*)0x20006004 = (uint32_t)0x10000; *(uint32_t*)0x20006008 = (uint32_t)0x2; *(uint8_t*)0x2000600c = (uint8_t)0x7; *(uint8_t*)0x2000600d = (uint8_t)0x2; *(uint8_t*)0x2000600e = (uint8_t)0xec0; *(uint8_t*)0x2000600f = (uint8_t)0x4; *(uint8_t*)0x20006010 = (uint8_t)0x7; *(uint8_t*)0x20006011 = (uint8_t)0x9; *(uint8_t*)0x20006012 = (uint8_t)0x80000000; *(uint8_t*)0x20006013 = (uint8_t)0x2; *(uint8_t*)0x20006014 = (uint8_t)0x2; *(uint8_t*)0x20006015 = (uint8_t)0x3; *(uint8_t*)0x20006016 = (uint8_t)0x8; *(uint8_t*)0x20006017 = (uint8_t)0x9; *(uint8_t*)0x20006018 = (uint8_t)0x4; *(uint8_t*)0x20006019 = (uint8_t)0xffffffffffffff5c; *(uint8_t*)0x2000601a = (uint8_t)0x5ab; *(uint8_t*)0x2000601b = (uint8_t)0x4; *(uint8_t*)0x2000601c = 
(uint8_t)0x0; *(uint8_t*)0x2000601d = (uint8_t)0x38; *(uint8_t*)0x2000601e = (uint8_t)0x9d; *(uint8_t*)0x2000601f = (uint8_t)0x8; *(uint8_t*)0x20006020 = (uint8_t)0x3; *(uint8_t*)0x20006021 = (uint8_t)0x47221059; *(uint8_t*)0x20006022 = (uint8_t)0x400; *(uint8_t*)0x20006023 = (uint8_t)0x1000; *(uint8_t*)0x20006024 = (uint8_t)0x2; *(uint8_t*)0x20006025 = (uint8_t)0x3; *(uint8_t*)0x20006026 = (uint8_t)0x3; *(uint8_t*)0x20006027 = (uint8_t)0x80000000; *(uint8_t*)0x20006028 = (uint8_t)0x5; *(uint8_t*)0x20006029 = (uint8_t)0x200; *(uint8_t*)0x2000602a = (uint8_t)0x1; *(uint8_t*)0x2000602b = (uint8_t)0x30; *(uint8_t*)0x2000602c = (uint8_t)0x4; *(uint8_t*)0x2000602d = (uint8_t)0x0; *(uint8_t*)0x2000602e = (uint8_t)0x3; *(uint8_t*)0x2000602f = (uint8_t)0xffffffff8a5c645b; *(uint8_t*)0x20006030 = (uint8_t)0x4; *(uint8_t*)0x20006031 = (uint8_t)0x1; *(uint8_t*)0x20006032 = (uint8_t)0x3ff; *(uint8_t*)0x20006033 = (uint8_t)0x200; *(uint8_t*)0x20006034 = (uint8_t)0x3; *(uint8_t*)0x20006035 = (uint8_t)0xea3e; *(uint8_t*)0x20006036 = (uint8_t)0x9; *(uint8_t*)0x20006037 = (uint8_t)0x200; *(uint8_t*)0x20006038 = (uint8_t)0x0; *(uint8_t*)0x20006039 = (uint8_t)0x5; *(uint8_t*)0x2000603a = (uint8_t)0xfdc; *(uint8_t*)0x2000603b = (uint8_t)0x1000; *(uint8_t*)0x2000603c = (uint8_t)0x467; *(uint8_t*)0x2000603d = (uint8_t)0xea; *(uint8_t*)0x2000603e = (uint8_t)0x40; *(uint8_t*)0x2000603f = (uint8_t)0x9e98; *(uint8_t*)0x20006040 = (uint8_t)0x7; *(uint8_t*)0x20006041 = (uint8_t)0x7; *(uint8_t*)0x20006042 = (uint8_t)0x0; *(uint8_t*)0x20006043 = (uint8_t)0x20; *(uint8_t*)0x20006044 = (uint8_t)0x1; *(uint8_t*)0x20006045 = (uint8_t)0x4; *(uint8_t*)0x20006046 = (uint8_t)0x2; *(uint8_t*)0x20006047 = (uint8_t)0x9; *(uint8_t*)0x20006048 = (uint8_t)0x5; *(uint8_t*)0x20006049 = (uint8_t)0x6; *(uint8_t*)0x2000604a = (uint8_t)0x8f2; *(uint8_t*)0x2000604b = (uint8_t)0x0; *(uint32_t*)0x2000604c = (uint32_t)0x6; *(uint8_t*)0x20006050 = (uint8_t)0x0; *(uint8_t*)0x20006051 = (uint8_t)0x0; 
*(uint8_t*)0x20006052 = (uint8_t)0x0; *(uint8_t*)0x20006053 = (uint8_t)0x0; *(uint8_t*)0x20006054 = (uint8_t)0x0; *(uint8_t*)0x20006055 = (uint8_t)0x0; *(uint8_t*)0x20006056 = (uint8_t)0x0; *(uint8_t*)0x20006057 = (uint8_t)0x0; *(uint8_t*)0x20006058 = (uint8_t)0x0; *(uint8_t*)0x20006059 = (uint8_t)0x0; *(uint8_t*)0x2000605a = (uint8_t)0x0; *(uint8_t*)0x2000605b = (uint8_t)0x0; *(uint8_t*)0x2000605c = (uint8_t)0x0; *(uint8_t*)0x2000605d = (uint8_t)0x0; *(uint8_t*)0x2000605e = (uint8_t)0x0; *(uint8_t*)0x2000605f = (uint8_t)0x0; *(uint8_t*)0x20006060 = (uint8_t)0x0; *(uint8_t*)0x20006061 = (uint8_t)0x0; *(uint8_t*)0x20006062 = (uint8_t)0x0; *(uint8_t*)0x20006063 = (uint8_t)0x0; *(uint8_t*)0x20006064 = (uint8_t)0x0; *(uint8_t*)0x20006065 = (uint8_t)0x0; *(uint8_t*)0x20006066 = (uint8_t)0x0; *(uint8_t*)0x20006067 = (uint8_t)0x0; *(uint8_t*)0x20006068 = (uint8_t)0x0; *(uint8_t*)0x20006069 = (uint8_t)0x0; *(uint8_t*)0x2000606a = (uint8_t)0x0; *(uint8_t*)0x2000606b = (uint8_t)0x0; *(uint8_t*)0x2000606c = (uint8_t)0x0; *(uint8_t*)0x2000606d = (uint8_t)0x0; *(uint8_t*)0x2000606e = (uint8_t)0x0; *(uint8_t*)0x2000606f = (uint8_t)0x0; *(uint8_t*)0x20006070 = (uint8_t)0x0; *(uint8_t*)0x20006071 = (uint8_t)0x0; *(uint8_t*)0x20006072 = (uint8_t)0x0; *(uint8_t*)0x20006073 = (uint8_t)0x0; *(uint8_t*)0x20006074 = (uint8_t)0x0; *(uint8_t*)0x20006075 = (uint8_t)0x0; *(uint8_t*)0x20006076 = (uint8_t)0x0; *(uint8_t*)0x20006077 = (uint8_t)0x0; *(uint8_t*)0x20006078 = (uint8_t)0x0; *(uint8_t*)0x20006079 = (uint8_t)0x0; *(uint8_t*)0x2000607a = (uint8_t)0x0; *(uint8_t*)0x2000607b = (uint8_t)0x0; *(uint8_t*)0x2000607c = (uint8_t)0x0; *(uint8_t*)0x2000607d = (uint8_t)0x0; *(uint8_t*)0x2000607e = (uint8_t)0x0; *(uint8_t*)0x2000607f = (uint8_t)0x0; *(uint8_t*)0x20006080 = (uint8_t)0x0; *(uint8_t*)0x20006081 = (uint8_t)0x0; *(uint8_t*)0x20006082 = (uint8_t)0x0; *(uint8_t*)0x20006083 = (uint8_t)0x0; *(uint8_t*)0x20006084 = (uint8_t)0x0; *(uint8_t*)0x20006085 = (uint8_t)0x0; *(uint8_t*)0x20006086 = 
(uint8_t)0x0; *(uint8_t*)0x20006087 = (uint8_t)0x0; *(uint8_t*)0x20006088 = (uint8_t)0x0; *(uint8_t*)0x20006089 = (uint8_t)0x0; *(uint8_t*)0x2000608a = (uint8_t)0x0; *(uint8_t*)0x2000608b = (uint8_t)0x0; r[131] = syscall(SYS_ioctl, r[2], 0xc08c5332ul, 0x20006000ul, 0, 0, 0); *(uint32_t*)0x20006fd7 = (uint32_t)0x0; *(uint32_t*)0x20006fdb = (uint32_t)0x0; *(uint32_t*)0x20006fdf = (uint32_t)0x6; *(uint32_t*)0x20006fe3 = (uint32_t)0x81; *(uint32_t*)0x20006fe7 = (uint32_t)0x7; *(uint32_t*)0x20006feb = (uint32_t)0x9; *(uint32_t*)0x20006fef = (uint32_t)0x401; *(uint8_t*)0x20006ff3 = (uint8_t)0x0; *(uint8_t*)0x20006ff4 = (uint8_t)0x0; *(uint8_t*)0x20006ff5 = (uint8_t)0x0; *(uint8_t*)0x20006ff6 = (uint8_t)0x0; *(uint8_t*)0x20006ff7 = (uint8_t)0x0; *(uint8_t*)0x20006ff8 = (uint8_t)0x0; *(uint8_t*)0x20006ff9 = (uint8_t)0x0; *(uint8_t*)0x20006ffa = (uint8_t)0x0; *(uint8_t*)0x20006ffb = (uint8_t)0x0; *(uint8_t*)0x20006ffc = (uint8_t)0x0; *(uint8_t*)0x20006ffd = (uint8_t)0x0; *(uint8_t*)0x20006ffe = (uint8_t)0x0; *(uint8_t*)0x20006fff = (uint8_t)0x0; *(uint8_t*)0x20007000 = (uint8_t)0x0; *(uint8_t*)0x20007001 = (uint8_t)0x0; *(uint8_t*)0x20007002 = (uint8_t)0x0; *(uint8_t*)0x20007003 = (uint8_t)0x0; *(uint8_t*)0x20007004 = (uint8_t)0x0; *(uint8_t*)0x20007005 = (uint8_t)0x0; *(uint8_t*)0x20007006 = (uint8_t)0x0; *(uint8_t*)0x20007007 = (uint8_t)0x0; *(uint8_t*)0x20007008 = (uint8_t)0x0; *(uint8_t*)0x20007009 = (uint8_t)0x0; *(uint8_t*)0x2000700a = (uint8_t)0x0; *(uint8_t*)0x2000700b = (uint8_t)0x0; *(uint8_t*)0x2000700c = (uint8_t)0x0; *(uint8_t*)0x2000700d = (uint8_t)0x0; *(uint8_t*)0x2000700e = (uint8_t)0x0; *(uint8_t*)0x2000700f = (uint8_t)0x0; *(uint8_t*)0x20007010 = (uint8_t)0x0; *(uint8_t*)0x20007011 = (uint8_t)0x0; *(uint8_t*)0x20007012 = (uint8_t)0x0; *(uint8_t*)0x20007013 = (uint8_t)0x0; *(uint8_t*)0x20007014 = (uint8_t)0x0; *(uint8_t*)0x20007015 = (uint8_t)0x0; *(uint8_t*)0x20007016 = (uint8_t)0x0; *(uint8_t*)0x20007017 = (uint8_t)0x0; *(uint8_t*)0x20007018 = 
(uint8_t)0x0; *(uint8_t*)0x20007019 = (uint8_t)0x0; *(uint8_t*)0x2000701a = (uint8_t)0x0; *(uint8_t*)0x2000701b = (uint8_t)0x0; *(uint8_t*)0x2000701c = (uint8_t)0x0; *(uint8_t*)0x2000701d = (uint8_t)0x0; *(uint8_t*)0x2000701e = (uint8_t)0x0; *(uint8_t*)0x2000701f = (uint8_t)0x0; *(uint8_t*)0x20007020 = (uint8_t)0x0; *(uint8_t*)0x20007021 = (uint8_t)0x0; *(uint8_t*)0x20007022 = (uint8_t)0x0; *(uint8_t*)0x20007023 = (uint8_t)0x0; *(uint8_t*)0x20007024 = (uint8_t)0x0; *(uint8_t*)0x20007025 = (uint8_t)0x0; *(uint8_t*)0x20007026 = (uint8_t)0x0; *(uint8_t*)0x20007027 = (uint8_t)0x0; *(uint8_t*)0x20007028 = (uint8_t)0x0; *(uint8_t*)0x20007029 = (uint8_t)0x0; *(uint8_t*)0x2000702a = (uint8_t)0x0; *(uint8_t*)0x2000702b = (uint8_t)0x0; *(uint8_t*)0x2000702c = (uint8_t)0x0; *(uint8_t*)0x2000702d = (uint8_t)0x0; *(uint8_t*)0x2000702e = (uint8_t)0x0; *(uint8_t*)0x2000702f = (uint8_t)0x0; *(uint8_t*)0x20007030 = (uint8_t)0x0; *(uint8_t*)0x20007031 = (uint8_t)0x0; *(uint8_t*)0x20007032 = (uint8_t)0x0; r[203] = syscall(SYS_ioctl, r[2], 0x40605346ul, 0x20006fd7ul, 0, 0, 0); *(uint8_t*)0x20005000 = (uint8_t)0x3ff; *(uint8_t*)0x20005001 = (uint8_t)0x2e; *(uint8_t*)0x20005002 = (uint8_t)0x1; *(uint8_t*)0x20005003 = (uint8_t)0x8; *(uint32_t*)0x2000500c = (uint32_t)0x4; *(uint8_t*)0x20005010 = (uint8_t)0x8001; *(uint8_t*)0x20005011 = (uint8_t)0x2; *(uint8_t*)0x20005012 = (uint8_t)0xfffffffffffffffa; *(uint8_t*)0x20005013 = (uint8_t)0xffff; *(uint8_t*)0x2000501c = (uint8_t)0x5; *(uint8_t*)0x2000501d = (uint8_t)0x2; *(uint8_t*)0x2000501e = (uint8_t)0x5; *(uint8_t*)0x2000501f = (uint8_t)0x0; *(uint8_t*)0x20005020 = (uint8_t)0x5; *(uint8_t*)0x20005021 = (uint8_t)0x100000000; *(uint8_t*)0x20005022 = (uint8_t)0x7; *(uint8_t*)0x20005023 = (uint8_t)0xfffffffffffff2fb; *(uint32_t*)0x2000502c = (uint32_t)0x8; *(uint8_t*)0x20005030 = (uint8_t)0x80; *(uint8_t*)0x20005031 = (uint8_t)0x485; *(uint8_t*)0x20005032 = (uint8_t)0x4; *(uint8_t*)0x20005033 = (uint8_t)0x4; *(uint8_t*)0x2000503c = 
(uint8_t)0x9; *(uint8_t*)0x2000503d = (uint8_t)0x7; *(uint8_t*)0x2000503e = (uint8_t)0x20; *(uint8_t*)0x2000503f = (uint8_t)0x0; *(uint8_t*)0x20005040 = (uint8_t)0x20; *(uint8_t*)0x20005041 = (uint8_t)0x9; *(uint8_t*)0x20005042 = (uint8_t)0x2; *(uint8_t*)0x20005043 = (uint8_t)0x2; *(uint64_t*)0x20005058 = (uint64_t)0x0; *(uint64_t*)0x20005060 = (uint64_t)0x0; *(uint8_t*)0x20005068 = (uint8_t)0x1c8; *(uint8_t*)0x20005069 = (uint8_t)0xfffffffffffffff7; *(uint8_t*)0x2000506a = (uint8_t)0x1ff; *(uint8_t*)0x2000506b = (uint8_t)0x9f9f; *(uint32_t*)0x2000507c = (uint32_t)0x90; *(uint32_t*)0x20005080 = (uint32_t)0x40; *(uint32_t*)0x20005084 = (uint32_t)0x0; *(uint8_t*)0x20005088 = (uint8_t)0x0; *(uint8_t*)0x20005089 = (uint8_t)0x4; *(uint8_t*)0x2000508a = (uint8_t)0x1; *(uint8_t*)0x2000508b = (uint8_t)0xffffffff80000001; *(uint32_t*)0x20005094 = (uint32_t)0x9; *(uint8_t*)0x20005098 = (uint8_t)0x8; *(uint8_t*)0x20005099 = (uint8_t)0x7; *(uint8_t*)0x2000509a = (uint8_t)0xfff; *(uint8_t*)0x2000509b = (uint8_t)0x8; *(uint32_t*)0x200050a8 = (uint32_t)0xbd1e; r[253] = syscall(SYS_write, r[2], 0x20005000ul, 0x95cul, 0, 0, 0); return 0; } I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20) + the following pending patch from Takashi: diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c index f845ecf..656d9a9 100644 --- a/sound/core/hrtimer.c +++ b/sound/core/hrtimer.c @@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t) struct snd_hrtimer *stime = t->private_data; atomic_set(&stime->running, 0); - hrtimer_cancel(&stime->hrt); + hrtimer_try_to_cancel(&stime->hrt); hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), HRTIMER_MODE_REL); atomic_set(&stime->running, 1); @@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t) { struct snd_hrtimer *stime = t->private_data; atomic_set(&stime->running, 0); + hrtimer_try_to_cancel(&stime->hrt); return 0; } _______________________________________________
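Review bot: in the snd_hrtimer_start hunk the return value of hrtimer_try_to_cancel() is dropped. Unlike hrtimer_cancel(), it returns -1 without waiting when the callback is executing on another CPU; in that case hrtimer_start() is issued while the old callback is still in flight and `stime->running` is set back to 1 on the next line, so whether the change is safe depends on what the callback does with that flag, which the hunk does not show. Either check for -1 and handle that case, or add a comment explaining why a concurrently running callback is harmless here.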
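Review bot: in the snd_hrtimer_stop hunk, hrtimer_try_to_cancel() does not wait for a callback that is already running, so snd_hrtimer_stop() can return 0 while the callback is still using `stime`. Callers therefore cannot treat this stop as a barrier before freeing the timer's private_data; a comment stating that, or a synchronous hrtimer_cancel() on the close/free path, would make the lifetime rule explicit.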
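A report triager, added here as an example (not part of the e-mail, of syzkaller or of KASAN): it parses a report in the format quoted above into the access, the allocating and freeing stacks and the use-site call chain, skips the allocator and instrumentation wrapper frames so the first blamed frame is kernel code, and computes where inside the freed 256-byte kmalloc object the 8-byte read landed. The sample input is a constructed, abridged excerpt of the report above.

```python
import re  # the REPORT below is a constructed, abridged excerpt of the KASAN report above
REPORT = """\
BUG: KASAN: use-after-free in snd_timer_notify1+0x411/0x460 at addr ffff880035a433e0
Read of size 8 by task syz-executor/11116
BUG kmalloc-256 (Not tainted): kasan: bad access detected
INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=1 cpu=1 pid=11106
[< inline >] kzalloc include/linux/slab.h:607
[< none >] snd_timer_instance_new+0x52/0x3a0 sound/core/timer.c:105
INFO: Freed in snd_timer_close+0x3a8/0x700 age=19 cpu=3 pid=11114
[< none >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[< none >] snd_timer_close+0x3a8/0x700 sound/core/timer.c:368
INFO: Object 0xffff880035a43330 @offset=13104 fp=0xffff880064ccee20
Call Trace:
[] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[] snd_timer_notify1+0x411/0x460 sound/core/timer.c:416
"""
SYM = r"\+0x[0-9a-f]+/0x[0-9a-f]+"  # the "+off/size" suffix KASAN prints after a symbol
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)" + SYM + r" at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"BUG (?P<cache>kmalloc-(?P<objsize>\d+))")
INFO_RE = re.compile(r"INFO: (?P<what>Allocated|Freed) in (?P<func>\w+)" + SYM + r" age=\d+ cpu=\d+ pid=(?P<pid>\d+)")
OBJ_RE = re.compile(r"INFO: Object 0x(?P<base>[0-9a-f]+)")
FRAME_RE = re.compile(r"\[[^\]]*\] (?P<func>[\w.]+)(?:" + SYM + r")? (?P<loc>\S+:\d+)$")
NOISE = ("kzalloc", "kmalloc", "kfree", "__asan_", "__kasan_")  # wrapper frames, not the bug

def parse_kasan(report: str) -> dict:
    """Pull the access, allocation, free and use-site details out of a KASAN report."""
    info = {"alloc": {"frames": []}, "free": {"frames": []}, "use_frames": []}
    section = None  # which stack the frame lines currently belong to
    for line in (raw.strip() for raw in report.splitlines()):
        if m := BUG_RE.match(line):
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.match(line):
            info.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := CACHE_RE.match(line):
            info.update(cache=m["cache"], objsize=int(m["objsize"]))
        elif m := INFO_RE.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            info[section].update(func=m["func"], pid=int(m["pid"]))
        elif m := OBJ_RE.match(line):
            info["base"] = int(m["base"], 16)
        elif line == "Call Trace:":
            section = "use"
        elif (m := FRAME_RE.match(line)) and section:
            frames = info["use_frames"] if section == "use" else info[section]["frames"]
            frames.append((m["func"], m["loc"]))
    return info

def blame_frame(frames):
    """First frame that is not allocator or instrumentation noise: the code to read first."""
    return next(((f, loc) for f, loc in frames if not f.startswith(NOISE)), None)

def where_in_object(info: dict) -> dict:
    """Offset of the faulting access inside the freed slab object, and whether it fits in it."""
    off = info["addr"] - info["base"]
    return {"offset": off, "inside": 0 <= off and off + info["size"] <= info["objsize"]}

def distinct_tasks(info: dict) -> int:
    return len({info["alloc"]["pid"], info["free"]["pid"], info["pid"]})  # 3 = cross-task lifetime race
```

Run on the full report above it gives the same three sites; the 176-byte offset says which field of the freed snd_timer_instance the read touched, and three distinct pids show the object's lifetime is not tied to the task using it.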