From patchwork Fri Jun  1 22:53:34 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
X-Patchwork-Id: 10444401
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DD7FB6028F for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri,  1 Jun 2018 22:56:13 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3A1128B00
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri,  1 Jun 2018 22:56:13 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id B898828B3C; Fri,  1 Jun 2018 22:56:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI autolearn=unavailable version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[198.137.202.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 48D9D28B00
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri,  1 Jun 2018 22:56:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=aQrGz0zqidn+II/+ZPRAKpv6uMSrYimb4w8nd8QBPgk=;
	b=n64
	CX3d0sWZxpnCyym91T1qgNlEao5ZySPbKGQF23iyJnzpNVHR3k4AO9dYKZNCExU8YUzAO1+ajFaIg
	McpFB9P+f1j10tx1S/iw7PartyHfjoeTbBuzsyLUQ2AgNwkpIltiG3bdoyYJmZBofRIyoWfur/4fm
	GjwG2j98c5QBTXH7gCSwXtzjWr2QQjyPvLIp7OFDQWlrOirOoTKMru2Pikyjoh+hv/VQJ2iFrXUgU
	LcDW4X7810mN5bMC0tg1KHUY2KfC0k9BIAO09czXi3LszG/AnOo1iNroUv3rYYwc3Q31Lp9yf3UjN
	elhSWez6uP+ow0NvvfGYSL6locRhzqg==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fOsxo-0007OF-Gl; Fri, 01 Jun 2018 22:56:04 +0000
Received: from mail-wr0-x244.google.com ([2a00:1450:400c:c0c::244])
	by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat
	Linux)) id 1fOsxl-0007MG-3E
	for linux-arm-kernel@lists.infradead.org;
	Fri, 01 Jun 2018 22:56:03 +0000
Received: by mail-wr0-x244.google.com with SMTP id a12-v6so2720519wro.1
	for <linux-arm-kernel@lists.infradead.org>;
	Fri, 01 Jun 2018 15:55:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=IvAxVVAlqs3DHgQqx5X0IeM9Nmf1Y9p2L7vumwQZV+g=;
	b=fzn4+/8cqnB5JxROGwVQc/EeZ8qK2qw7l988DXINKugrPpVBRTQYtEjnJGGeVaGWGX
	JtTEBXBF1Fc3FnIgQcAndq+BahxDnOCV8u7OdQKAf3pw6Pc/pFCppoz6zv+ASMoOAiB5
	5V3+4St8mXUtmHXB+i5Y1deinMGH9295ShQrM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=IvAxVVAlqs3DHgQqx5X0IeM9Nmf1Y9p2L7vumwQZV+g=;
	b=J0KtZcdmRVqd8ow9nzykLPm/rG67dZDDLaUqlXiMP/Pk5nk2rHSoL7MWIa6EB2uG00
	UvyzSLGpKsZ3avdlpNeI4z+HUfo2nFRKROJd9JcB4m1cvKd6N2/szb6NwW9VyHY7yPVx
	orljczHQA5nFhyadJmScJ029+kOFHw9P6WdhsBVDH1b0/3WPRcH0fZnlswuDuhOwRbPa
	ITPhOVHjb09wsakL0tBp4RCzWkuzJXgAGq4QKRIXkDOSr+rMUmcJpksY5iCmKG76XHGk
	2+naLb8jVvVHJqjl57P0UPnyDa3onFQyA1PqvvpFZKlgfEKOiZbDf/Qk7dpjlwtLUbjL
	9m9g==
X-Gm-Message-State: ALKqPwfnXxcmlO20OBr6Ob8ur7Do/YQ6iD37gqTUHVph2ZIrbsUUX0et
	C6D/t8R05QEiHQl/p8NURGksPg==
X-Google-Smtp-Source: 
 ADUXVKIhXNCc49vJmmlQqwfwoVqiVhDXSLXK32fmUkntSHUPcfEu34/D5nbnCLzyZJp6qQmbhJ1cEw==
X-Received: by 2002:adf:8f23:: with SMTP id
	p32-v6mr9555813wrb.193.1527893748744;
	Fri, 01 Jun 2018 15:55:48 -0700 (PDT)
Received: from localhost.localdomain
	(cpc90716-aztw32-2-0-cust92.18-1.cable.virginm.net. [86.26.100.93])
	by smtp.gmail.com with ESMTPSA id
	b15-v6sm41225511wri.14.2018.06.01.15.55.47
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 01 Jun 2018 15:55:47 -0700 (PDT)
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
To: broonie@kernel.org,
	alsa-devel@alsa-project.org
Subject: [PATCH] ASoC: dapm: delete dapm_kcontrol_data paths entry before
	freeing
Date: Fri,  1 Jun 2018 23:53:34 +0100
Message-Id: <20180601225334.19064-1-srinivas.kandagatla@linaro.org>
X-Mailer: git-send-email 2.16.2
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20180601_155601_155816_17868201 
X-CRM114-Status: GOOD (  11.48  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: rohkumar@qti.qualcomm.com, bgoswami@codeaurora.org,
	linux-arm-msm@vger.kernel.org, tiwai@suse.com, lgirdwood@gmail.com,
	perex@perex.cz, Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
	linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths list pointer dangling in the list.

This leads to system crash when we try to unload and reload sound card.
I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.

Below is the kernel BUG with SLAB Poisoning

=============================================================================
BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: 0xffff80003cf1c310-0xffff80003cf1c31f. First byte 0x10 instead of 0x6b
INFO: Allocated in dapm_kcontrol_data_alloc.isra.37+0x34/0x2a8 age=6929 cpu=0 pid=50
 __slab_alloc.isra.24+0x24/0x38
 kmem_cache_alloc+0x190/0x1d8
 dapm_kcontrol_data_alloc.isra.37+0x34/0x2a8
 dapm_create_or_share_kcontrol+0x1d4/0x290
 snd_soc_dapm_new_widgets+0x410/0x568
 snd_soc_register_card+0xa58/0xcd0
 apq8016_sbc_bind+0x31c/0x458
 try_to_bring_up_master+0x204/0x2e8
 component_add+0x94/0x178
 q6pcm_routing_probe+0x38/0x48
 platform_drv_probe+0x58/0xb8
 driver_probe_device+0x324/0x478
 __device_attach_driver+0xa8/0x160
 bus_for_each_drv+0x48/0x98
 __device_attach+0xc0/0x158
 device_initial_probe+0x10/0x18
INFO: Freed in dapm_kcontrol_free+0x40/0x50 age=3135 cpu=1 pid=1792
 kfree+0x1bc/0x1d0
 dapm_kcontrol_free+0x40/0x50
 snd_ctl_free_one+0x20/0x38
 snd_ctl_remove+0xf0/0x108
 snd_ctl_dev_free+0x3c/0x70
 __snd_device_free+0x50/0x88
 snd_device_free_all+0x2c/0x50
 release_card_device+0x1c/0x78
 device_release+0x34/0x98
 kobject_put+0x90/0x1f0
 put_device+0x14/0x20
 snd_card_free+0x54/0x70
 snd_soc_unregister_card+0x84/0x138
 snd_soc_unregister_component+0xa4/0xd0
 q6routing_dai_unbind+0x44/0x78
 component_unbind.isra.4+0x28/0x50
INFO: Slab 0xffff7e0000f3c700 objects=25 used=0 fp=0xffff80003cf1fc80 flags=0xfffc00000008100
INFO: Object 0x        (ptrval) @offset=768 fp=0x        (ptrval)

Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Redzone         (ptrval): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 10 c3 f1 3c 00 80 ff ff 10 c3 f1 3c 00 80 ff ff  ...<.......<....
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object         (ptrval): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
Redzone         (ptrval): bb bb bb bb bb bb bb bb                          ........
Padding         (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding         (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding         (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding         (ptrval): 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
CPU: 1 PID: 1792 Comm: sh Tainted: G    B   W         4.17.0-rc7-02229-gb429ee402d16-dirty #202
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
Call trace:
 dump_backtrace+0x0/0x1b0
 show_stack+0x14/0x20
 dump_stack+0x9c/0xbc
 print_trailer+0x124/0x1d8
 check_bytes_and_report+0xe8/0x120
 check_object+0x24c/0x288
 __free_slab+0x9c/0x2f0
 discard_slab+0x60/0x88
 __slab_free+0x35c/0x3e8
 kfree+0x1bc/0x1d0
 snd_soc_dapm_free_widget+0xac/0xd0
 snd_soc_dapm_free+0x64/0xb8
 soc_remove_component+0x50/0x80
 soc_remove_dai_links+0x110/0x208
 snd_soc_unregister_card+0x9c/0x138
 snd_soc_unregister_component+0xa4/0xd0
 q6routing_dai_unbind+0x44/0x78
 component_unbind.isra.4+0x28/0x50
 component_unbind_all+0xc0/0xe8
 apq8016_sbc_unbind+0x50/0xa0
 take_down_master+0x24/0x48
 component_del+0x90/0x130
 q6afe_dai_dev_remove+0x40/0x68
 platform_drv_remove+0x24/0x50
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 platform_device_del.part.3+0x24/0x90
 platform_device_unregister+0x18/0x30
 of_platform_device_destroy+0x94/0x98
 q6afe_remove+0x20/0x38
 apr_device_remove+0x30/0x70
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 apr_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 apr_remove+0x18/0x20
 rpmsg_dev_remove+0x38/0x68
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 qcom_smd_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 qcom_smd_unregister_edge+0x3c/0x70
 smd_subdev_remove+0x18/0x28
 rproc_stop+0x48/0xd8
 rproc_shutdown+0x60/0xe8
 state_store+0xbc/0xf8
 dev_attr_store+0x18/0x28
 sysfs_kf_write+0x3c/0x50
 kernfs_fop_write+0x118/0x1e0
 __vfs_write+0x18/0x110
 vfs_write+0xa4/0x1a8
 ksys_write+0x48/0xb0
 sys_write+0xc/0x18
 el0_svc_naked+0x30/0x34

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 1e9a36389667..36a39ba30226 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -433,6 +433,8 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget,
 static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
 {
 	struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+
+	list_del(&data->paths);
 	kfree(data->wlist);
 	kfree(data);
 }