subject:"\[PATCH\] sound\/usb\: fix to release stream resources from media_snd_device

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-22 Thread Mauro Carvalho Chehab

Em Tue, 22 Mar 2016 11:29:34 -0600
Shuah Khan  escreveu:

> On 03/22/2016 07:03 AM, Shuah Khan wrote:
> > On 03/21/2016 10:01 PM, Shuah Khan wrote:  
> >> On 03/19/2016 07:31 AM, Shuah Khan wrote:  
> >>> On 03/19/2016 06:10 AM, Mauro Carvalho Chehab wrote:  
>  Em Fri, 18 Mar 2016 20:50:31 -0600
>  Shuah Khan  escreveu:
>   
> > Fix to release stream resources from media_snd_device_delete() before
> > media device is unregistered. Without this change, stream resource free
> > is attempted after the media device is unregistered which would result
> > in use-after-free errors.
> >
> > Signed-off-by: Shuah Khan 
> > ---
> >
> > - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
> >   while running mc_nextgen_test loop (1000 iterations) in parallel.
> > - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
> >   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
> >   look good.
> > - Note: Please apply the following patch to fix memory leak:
> >   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
> >   https://lkml.org/lkml/2016/3/16/1050  
> 
>  Yeah, a way better!
> 
>  For normal bind/unbind, it seems to be working fine. Also
>  for driver's rmmod, so:
> 
>  Tested-by: Mauro Carvalho Chehab   
> 
> Takashi,
> 
> Could please ack this patch - please see below that the problem
> Mauro and I both saw ended up to a latent bug in au0828 that is
> in Linux 4.5 as well. It is now fixed.

FYI, the patches we're intending to send to fix the issues with
au0828 and snd-usb-audio are at my experimental tree:

https://git.linuxtv.org/mchehab/experimental.git/log/?h=au0828-unbind-fixes

The patches are:

f9dca0c46f12 [media] au0828: Fix dev_state handling
d9898e2e7bb3 [media] au0828: fix au0828_v4l2_close() dev_state race condition
52a6e1f97587 [media] media-devnode: add missing mutex lock in error handler
db268d4f59c5 [media] media-device: Simplify compat32 logic
105817f85b02 sound/usb: fix to release stream resources from 
media_snd_device_delete()
70fafd948468 sound/usb: Fix memory leak in media_snd_stream_delete() during 
unbind
a78a4b10ecd3 sound/usb/media: use core routine to initialize media_device
9d8830150475 [media] media-device: use kref for media_device instance
544439bf084a [media] media-device: make topology_version u64
4e18ca9ce0c2 [media] media-device: Fix a comment
c38077d39c7e [media] media-device: get rid of the spinlock
a50d06389fdf sound/usb: fix NULL dereference in usb_audio_probe()
b39950960d2b [media] media: au0828 fix to clear enable/disable/change source 
handlers
d9f03ad36a9d [media] v4l2-mc: cleanup a warning
6a4f10cff976 [media] au0828: disable tuner links and cache tuner/decoder

We're running some stress tests today, so we may need to send a few
other patches later on, but I guess they'll be either at au0828 or
at the media core.

Regards,
Mauro
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-22 Thread Shuah Khan

On 03/22/2016 07:03 AM, Shuah Khan wrote:
> On 03/21/2016 10:01 PM, Shuah Khan wrote:
>> On 03/19/2016 07:31 AM, Shuah Khan wrote:
>>> On 03/19/2016 06:10 AM, Mauro Carvalho Chehab wrote:
 Em Fri, 18 Mar 2016 20:50:31 -0600
 Shuah Khan  escreveu:

> Fix to release stream resources from media_snd_device_delete() before
> media device is unregistered. Without this change, stream resource free
> is attempted after the media device is unregistered which would result
> in use-after-free errors.
>
> Signed-off-by: Shuah Khan 
> ---
>
> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>   while running mc_nextgen_test loop (1000 iterations) in parallel.
> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>   look good.
> - Note: Please apply the following patch to fix memory leak:
>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>   https://lkml.org/lkml/2016/3/16/1050

 Yeah, a way better!

 For normal bind/unbind, it seems to be working fine. Also
 for driver's rmmod, so:

 Tested-by: Mauro Carvalho Chehab 

Takashi,

Could please ack this patch - please see below that the problem
Mauro and I both saw ended up to a latent bug in au0828 that is
in Linux 4.5 as well. It is now fixed.

thanks,
-- Shuah


 PS.:
 ===

 There are still some troubles if we run an infinite loop
 binding/unbinding au0828 and another one binding/unbinding
 snd-usb-audio, like this one:
>>>
>>> Yes. I noticed this one when I was running a loop of 1000 on au0828.
>>> I couldn't reproduce this when I tested this patch.
>>>
>>> P.S: au08282 loops takes longer btw since au0828 initialization is lot more
>>> complex. We have to look at this one.
>>>


 [   91.556188] [ cut here ]
 [   91.556500] WARNING: CPU: 1 PID: 2920 at 
 drivers/media/media-entity.c:392 __media_entity_pipeline_start+0x271/0xce0 
 [media]()
 [   91.556626] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
 tuner au8522_decoder au8522_common au0828 videobuf2_vmalloc 
 videobuf2_memops videobuf2_v4l2 videobuf2_core tveeprom dvb_core rc_core 
 v4l2_common videodev snd_usb_audio snd_usbmidi_lib snd_rawmidi 
 snd_seq_device media cpufreq_powersave cpufreq_conservative 
 cpufreq_userspace cpufreq_stats parport_pc ppdev lp parport 
 snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp 
 coretemp kvm_intel iTCO_wdt kvm iTCO_vendor_support irqbypass 
 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel 
 sha256_ssse3 sha256_generic hmac drbg snd_hda_codec_realtek i915 
 snd_hda_codec_generic aesni_intel aes_x86_64 btusb lrw btrtl gf128mul 
 snd_hda_intel glue_helper ablk_helper btbcm btintel cryptd psmouse 
 snd_hda_codec bluetooth
 [   91.556693]  snd_hwdep i2c_algo_bit sg snd_hda_core serio_raw pcspkr 
 evdev drm_kms_helper snd_pcm rfkill drm snd_timer mei_me snd i2c_i801 
 soundcore lpc_ich mei mfd_core battery video dw_dmac 
 i2c_designware_platform dw_dmac_core i2c_designware_core acpi_pad button 
 tpm_tis tpm ext4 crc16 mbcache jbd2 dm_mod sd_mod hid_generic usbhid ahci 
 libahci libata e1000e xhci_pci ptp scsi_mod ehci_pci ehci_hcd pps_core 
 xhci_hcd fan thermal sdhci_acpi sdhci mmc_core i2c_hid hid
 [   91.556748] CPU: 1 PID: 2920 Comm: v4l_id Tainted: G  D W   
 4.5.0+ #62
 [   91.556751] Hardware name:  /NUC5i7RYB, BIOS 
 RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
 [   91.556754]  a0e247a0 8803a3d17b08 819447c1 
 
 [   91.556759]  88009bbe17c0 8803a3d17b48 8114fd16 
 a0e20651
 [   91.556763]  8803a47c9c58 8803a477d2c8 8803a5ac96f8 
 dc00
 [   91.556768] Call Trace:
 [   91.556774]  [] dump_stack+0x85/0xc4
 [   91.556778]  [] warn_slowpath_common+0xc6/0x120
 [   91.556783]  [] ? 
 __media_entity_pipeline_start+0x271/0xce0 [media]
 [   91.556786]  [] warn_slowpath_null+0x1a/0x20
 [   91.556790]  [] 
 __media_entity_pipeline_start+0x271/0xce0 [media]
 [   91.556794]  [] ? __schedule+0x78a/0x2570
 [   91.556797]  [] ? memset+0x28/0x30
 [   91.556802]  [] ? 
 media_entity_pipeline_stop+0x60/0x60 [media]
 [   91.556806]  [] ? trace_hardirqs_on+0xd/0x10
 [   91.556810]  [] ? au0828_enable_source+0x55/0x9f0 
 [au0828]
 [   91.556813]  [] ? mutex_trylock+0x400/0x400
 [   91.556818]  [] ? au0828_v4l2_close+0xb3/0x590 
 [au0828]
 [   91.556822]  [] au0828_enable_source+0x3f4/0x9f0 
 [au0828]
 [   91.556824]  [] ? mutex_trylock+0x400/0x400
 [   91.556834]  [] v4l_enable_media_source+0x66/0x90 
 [videodev]
 [   91.556839]  [] au0828_

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-22 Thread Shuah Khan

On 03/21/2016 10:01 PM, Shuah Khan wrote:
> On 03/19/2016 07:31 AM, Shuah Khan wrote:
>> On 03/19/2016 06:10 AM, Mauro Carvalho Chehab wrote:
>>> Em Fri, 18 Mar 2016 20:50:31 -0600
>>> Shuah Khan  escreveu:
>>>
 Fix to release stream resources from media_snd_device_delete() before
 media device is unregistered. Without this change, stream resource free
 is attempted after the media device is unregistered which would result
 in use-after-free errors.

 Signed-off-by: Shuah Khan 
 ---

 - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
   while running mc_nextgen_test loop (1000 iterations) in parallel.
 - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
   look good.
 - Note: Please apply the following patch to fix memory leak:
   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
   https://lkml.org/lkml/2016/3/16/1050
>>>
>>> Yeah, a way better!
>>>
>>> For normal bind/unbind, it seems to be working fine. Also
>>> for driver's rmmod, so:
>>>
>>> Tested-by: Mauro Carvalho Chehab 
>>>
>>> PS.:
>>> ===
>>>
>>> There are still some troubles if we run an infinite loop
>>> binding/unbinding au0828 and another one binding/unbinding
>>> snd-usb-audio, like this one:
>>
>> Yes. I noticed this one when I was running a loop of 1000 on au0828.
>> I couldn't reproduce this when I tested this patch.
>>
>> P.S: au08282 loops takes longer btw since au0828 initialization is lot more
>> complex. We have to look at this one.
>>
>>>
>>>
>>> [   91.556188] [ cut here ]
>>> [   91.556500] WARNING: CPU: 1 PID: 2920 at 
>>> drivers/media/media-entity.c:392 __media_entity_pipeline_start+0x271/0xce0 
>>> [media]()
>>> [   91.556626] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
>>> tuner au8522_decoder au8522_common au0828 videobuf2_vmalloc 
>>> videobuf2_memops videobuf2_v4l2 videobuf2_core tveeprom dvb_core rc_core 
>>> v4l2_common videodev snd_usb_audio snd_usbmidi_lib snd_rawmidi 
>>> snd_seq_device media cpufreq_powersave cpufreq_conservative 
>>> cpufreq_userspace cpufreq_stats parport_pc ppdev lp parport 
>>> snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp 
>>> coretemp kvm_intel iTCO_wdt kvm iTCO_vendor_support irqbypass 
>>> crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha256_ssse3 
>>> sha256_generic hmac drbg snd_hda_codec_realtek i915 snd_hda_codec_generic 
>>> aesni_intel aes_x86_64 btusb lrw btrtl gf128mul snd_hda_intel glue_helper 
>>> ablk_helper btbcm btintel cryptd psmouse snd_hda_codec bluetooth
>>> [   91.556693]  snd_hwdep i2c_algo_bit sg snd_hda_core serio_raw pcspkr 
>>> evdev drm_kms_helper snd_pcm rfkill drm snd_timer mei_me snd i2c_i801 
>>> soundcore lpc_ich mei mfd_core battery video dw_dmac 
>>> i2c_designware_platform dw_dmac_core i2c_designware_core acpi_pad button 
>>> tpm_tis tpm ext4 crc16 mbcache jbd2 dm_mod sd_mod hid_generic usbhid ahci 
>>> libahci libata e1000e xhci_pci ptp scsi_mod ehci_pci ehci_hcd pps_core 
>>> xhci_hcd fan thermal sdhci_acpi sdhci mmc_core i2c_hid hid
>>> [   91.556748] CPU: 1 PID: 2920 Comm: v4l_id Tainted: G  D W   
>>> 4.5.0+ #62
>>> [   91.556751] Hardware name:  /NUC5i7RYB, BIOS 
>>> RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
>>> [   91.556754]  a0e247a0 8803a3d17b08 819447c1 
>>> 
>>> [   91.556759]  88009bbe17c0 8803a3d17b48 8114fd16 
>>> a0e20651
>>> [   91.556763]  8803a47c9c58 8803a477d2c8 8803a5ac96f8 
>>> dc00
>>> [   91.556768] Call Trace:
>>> [   91.556774]  [] dump_stack+0x85/0xc4
>>> [   91.556778]  [] warn_slowpath_common+0xc6/0x120
>>> [   91.556783]  [] ? 
>>> __media_entity_pipeline_start+0x271/0xce0 [media]
>>> [   91.556786]  [] warn_slowpath_null+0x1a/0x20
>>> [   91.556790]  [] 
>>> __media_entity_pipeline_start+0x271/0xce0 [media]
>>> [   91.556794]  [] ? __schedule+0x78a/0x2570
>>> [   91.556797]  [] ? memset+0x28/0x30
>>> [   91.556802]  [] ? media_entity_pipeline_stop+0x60/0x60 
>>> [media]
>>> [   91.556806]  [] ? trace_hardirqs_on+0xd/0x10
>>> [   91.556810]  [] ? au0828_enable_source+0x55/0x9f0 
>>> [au0828]
>>> [   91.556813]  [] ? mutex_trylock+0x400/0x400
>>> [   91.556818]  [] ? au0828_v4l2_close+0xb3/0x590 [au0828]
>>> [   91.556822]  [] au0828_enable_source+0x3f4/0x9f0 
>>> [au0828]
>>> [   91.556824]  [] ? mutex_trylock+0x400/0x400
>>> [   91.556834]  [] v4l_enable_media_source+0x66/0x90 
>>> [videodev]
>>> [   91.556839]  [] au0828_v4l2_close+0x25a/0x590 [au0828]
>>> [   91.556846]  [] v4l2_release+0xf0/0x210 [videodev]
>>> [   91.556849]  [] __fput+0x20f/0x6d0
>>> [   91.556853]  [] fput+0xe/0x10
>>> [   91.556856]  [] task_work_run+0x137/0x200
>>> [   91.556859]  [] exit_to_usermode_loop+0x154/0x180
>>> [   91.556863]  [] ? trace_hardirqs_on_caller+0x16/0x590
>>> [   91.55

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-21 Thread Shuah Khan

On 03/19/2016 07:31 AM, Shuah Khan wrote:
> On 03/19/2016 06:10 AM, Mauro Carvalho Chehab wrote:
>> Em Fri, 18 Mar 2016 20:50:31 -0600
>> Shuah Khan  escreveu:
>>
>>> Fix to release stream resources from media_snd_device_delete() before
>>> media device is unregistered. Without this change, stream resource free
>>> is attempted after the media device is unregistered which would result
>>> in use-after-free errors.
>>>
>>> Signed-off-by: Shuah Khan 
>>> ---
>>>
>>> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>>>   while running mc_nextgen_test loop (1000 iterations) in parallel.
>>> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>>>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>>>   look good.
>>> - Note: Please apply the following patch to fix memory leak:
>>>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>>>   https://lkml.org/lkml/2016/3/16/1050
>>
>> Yeah, a way better!
>>
>> For normal bind/unbind, it seems to be working fine. Also
>> for driver's rmmod, so:
>>
>> Tested-by: Mauro Carvalho Chehab 
>>
>> PS.:
>> ===
>>
>> There are still some troubles if we run an infinite loop
>> binding/unbinding au0828 and another one binding/unbinding
>> snd-usb-audio, like this one:
> 
> Yes. I noticed this one when I was running a loop of 1000 on au0828.
> I couldn't reproduce this when I tested this patch.
> 
> P.S: au08282 loops takes longer btw since au0828 initialization is lot more
> complex. We have to look at this one.
> 
>>
>>
>> [   91.556188] [ cut here ]
>> [   91.556500] WARNING: CPU: 1 PID: 2920 at drivers/media/media-entity.c:392 
>> __media_entity_pipeline_start+0x271/0xce0 [media]()
>> [   91.556626] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
>> tuner au8522_decoder au8522_common au0828 videobuf2_vmalloc videobuf2_memops 
>> videobuf2_v4l2 videobuf2_core tveeprom dvb_core rc_core v4l2_common videodev 
>> snd_usb_audio snd_usbmidi_lib snd_rawmidi snd_seq_device media 
>> cpufreq_powersave cpufreq_conservative cpufreq_userspace cpufreq_stats 
>> parport_pc ppdev lp parport snd_hda_codec_hdmi intel_rapl 
>> x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt kvm 
>> iTCO_vendor_support irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel 
>> ghash_clmulni_intel sha256_ssse3 sha256_generic hmac drbg 
>> snd_hda_codec_realtek i915 snd_hda_codec_generic aesni_intel aes_x86_64 
>> btusb lrw btrtl gf128mul snd_hda_intel glue_helper ablk_helper btbcm btintel 
>> cryptd psmouse snd_hda_codec bluetooth
>> [   91.556693]  snd_hwdep i2c_algo_bit sg snd_hda_core serio_raw pcspkr 
>> evdev drm_kms_helper snd_pcm rfkill drm snd_timer mei_me snd i2c_i801 
>> soundcore lpc_ich mei mfd_core battery video dw_dmac i2c_designware_platform 
>> dw_dmac_core i2c_designware_core acpi_pad button tpm_tis tpm ext4 crc16 
>> mbcache jbd2 dm_mod sd_mod hid_generic usbhid ahci libahci libata e1000e 
>> xhci_pci ptp scsi_mod ehci_pci ehci_hcd pps_core xhci_hcd fan thermal 
>> sdhci_acpi sdhci mmc_core i2c_hid hid
>> [   91.556748] CPU: 1 PID: 2920 Comm: v4l_id Tainted: G  D W   
>> 4.5.0+ #62
>> [   91.556751] Hardware name:  /NUC5i7RYB, BIOS 
>> RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
>> [   91.556754]  a0e247a0 8803a3d17b08 819447c1 
>> 
>> [   91.556759]  88009bbe17c0 8803a3d17b48 8114fd16 
>> a0e20651
>> [   91.556763]  8803a47c9c58 8803a477d2c8 8803a5ac96f8 
>> dc00
>> [   91.556768] Call Trace:
>> [   91.556774]  [] dump_stack+0x85/0xc4
>> [   91.556778]  [] warn_slowpath_common+0xc6/0x120
>> [   91.556783]  [] ? 
>> __media_entity_pipeline_start+0x271/0xce0 [media]
>> [   91.556786]  [] warn_slowpath_null+0x1a/0x20
>> [   91.556790]  [] 
>> __media_entity_pipeline_start+0x271/0xce0 [media]
>> [   91.556794]  [] ? __schedule+0x78a/0x2570
>> [   91.556797]  [] ? memset+0x28/0x30
>> [   91.556802]  [] ? media_entity_pipeline_stop+0x60/0x60 
>> [media]
>> [   91.556806]  [] ? trace_hardirqs_on+0xd/0x10
>> [   91.556810]  [] ? au0828_enable_source+0x55/0x9f0 
>> [au0828]
>> [   91.556813]  [] ? mutex_trylock+0x400/0x400
>> [   91.556818]  [] ? au0828_v4l2_close+0xb3/0x590 [au0828]
>> [   91.556822]  [] au0828_enable_source+0x3f4/0x9f0 
>> [au0828]
>> [   91.556824]  [] ? mutex_trylock+0x400/0x400
>> [   91.556834]  [] v4l_enable_media_source+0x66/0x90 
>> [videodev]
>> [   91.556839]  [] au0828_v4l2_close+0x25a/0x590 [au0828]
>> [   91.556846]  [] v4l2_release+0xf0/0x210 [videodev]
>> [   91.556849]  [] __fput+0x20f/0x6d0
>> [   91.556853]  [] fput+0xe/0x10
>> [   91.556856]  [] task_work_run+0x137/0x200
>> [   91.556859]  [] exit_to_usermode_loop+0x154/0x180
>> [   91.556863]  [] ? trace_hardirqs_on_caller+0x16/0x590
>> [   91.556866]  [] syscall_return_slowpath+0x186/0x1c0
>> [   91.556869]  [] entry_SYSCALL_64_fastpath+0xbf/0xc1
>> [   91.556872] ---[ end trace 3e95e11ff0b9ef

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-19 Thread Shuah Khan

On 03/19/2016 06:10 AM, Mauro Carvalho Chehab wrote:
> Em Fri, 18 Mar 2016 20:50:31 -0600
> Shuah Khan  escreveu:
> 
>> Fix to release stream resources from media_snd_device_delete() before
>> media device is unregistered. Without this change, stream resource free
>> is attempted after the media device is unregistered which would result
>> in use-after-free errors.
>>
>> Signed-off-by: Shuah Khan 
>> ---
>>
>> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>>   while running mc_nextgen_test loop (1000 iterations) in parallel.
>> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>>   look good.
>> - Note: Please apply the following patch to fix memory leak:
>>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>>   https://lkml.org/lkml/2016/3/16/1050
> 
> Yeah, a way better!
> 
> For normal bind/unbind, it seems to be working fine. Also
> for driver's rmmod, so:
> 
> Tested-by: Mauro Carvalho Chehab 
> 
> PS.:
> ===
> 
> There are still some troubles if we run an infinite loop
> binding/unbinding au0828 and another one binding/unbinding
> snd-usb-audio, like this one:

Yes. I noticed this one when I was running a loop of 1000 on au0828.
I couldn't reproduce this when I tested this patch.

P.S: au08282 loops takes longer btw since au0828 initialization is lot more
complex. We have to look at this one.

> 
> 
> [   91.556188] [ cut here ]
> [   91.556500] WARNING: CPU: 1 PID: 2920 at drivers/media/media-entity.c:392 
> __media_entity_pipeline_start+0x271/0xce0 [media]()
> [   91.556626] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
> tuner au8522_decoder au8522_common au0828 videobuf2_vmalloc videobuf2_memops 
> videobuf2_v4l2 videobuf2_core tveeprom dvb_core rc_core v4l2_common videodev 
> snd_usb_audio snd_usbmidi_lib snd_rawmidi snd_seq_device media 
> cpufreq_powersave cpufreq_conservative cpufreq_userspace cpufreq_stats 
> parport_pc ppdev lp parport snd_hda_codec_hdmi intel_rapl 
> x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt kvm 
> iTCO_vendor_support irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel 
> ghash_clmulni_intel sha256_ssse3 sha256_generic hmac drbg 
> snd_hda_codec_realtek i915 snd_hda_codec_generic aesni_intel aes_x86_64 btusb 
> lrw btrtl gf128mul snd_hda_intel glue_helper ablk_helper btbcm btintel cryptd 
> psmouse snd_hda_codec bluetooth
> [   91.556693]  snd_hwdep i2c_algo_bit sg snd_hda_core serio_raw pcspkr evdev 
> drm_kms_helper snd_pcm rfkill drm snd_timer mei_me snd i2c_i801 soundcore 
> lpc_ich mei mfd_core battery video dw_dmac i2c_designware_platform 
> dw_dmac_core i2c_designware_core acpi_pad button tpm_tis tpm ext4 crc16 
> mbcache jbd2 dm_mod sd_mod hid_generic usbhid ahci libahci libata e1000e 
> xhci_pci ptp scsi_mod ehci_pci ehci_hcd pps_core xhci_hcd fan thermal 
> sdhci_acpi sdhci mmc_core i2c_hid hid
> [   91.556748] CPU: 1 PID: 2920 Comm: v4l_id Tainted: G  D W   4.5.0+ 
> #62
> [   91.556751] Hardware name:  /NUC5i7RYB, BIOS 
> RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
> [   91.556754]  a0e247a0 8803a3d17b08 819447c1 
> 
> [   91.556759]  88009bbe17c0 8803a3d17b48 8114fd16 
> a0e20651
> [   91.556763]  8803a47c9c58 8803a477d2c8 8803a5ac96f8 
> dc00
> [   91.556768] Call Trace:
> [   91.556774]  [] dump_stack+0x85/0xc4
> [   91.556778]  [] warn_slowpath_common+0xc6/0x120
> [   91.556783]  [] ? 
> __media_entity_pipeline_start+0x271/0xce0 [media]
> [   91.556786]  [] warn_slowpath_null+0x1a/0x20
> [   91.556790]  [] 
> __media_entity_pipeline_start+0x271/0xce0 [media]
> [   91.556794]  [] ? __schedule+0x78a/0x2570
> [   91.556797]  [] ? memset+0x28/0x30
> [   91.556802]  [] ? media_entity_pipeline_stop+0x60/0x60 
> [media]
> [   91.556806]  [] ? trace_hardirqs_on+0xd/0x10
> [   91.556810]  [] ? au0828_enable_source+0x55/0x9f0 
> [au0828]
> [   91.556813]  [] ? mutex_trylock+0x400/0x400
> [   91.556818]  [] ? au0828_v4l2_close+0xb3/0x590 [au0828]
> [   91.556822]  [] au0828_enable_source+0x3f4/0x9f0 [au0828]
> [   91.556824]  [] ? mutex_trylock+0x400/0x400
> [   91.556834]  [] v4l_enable_media_source+0x66/0x90 
> [videodev]
> [   91.556839]  [] au0828_v4l2_close+0x25a/0x590 [au0828]
> [   91.556846]  [] v4l2_release+0xf0/0x210 [videodev]
> [   91.556849]  [] __fput+0x20f/0x6d0
> [   91.556853]  [] fput+0xe/0x10
> [   91.556856]  [] task_work_run+0x137/0x200
> [   91.556859]  [] exit_to_usermode_loop+0x154/0x180
> [   91.556863]  [] ? trace_hardirqs_on_caller+0x16/0x590
> [   91.556866]  [] syscall_return_slowpath+0x186/0x1c0
> [   91.556869]  [] entry_SYSCALL_64_fastpath+0xbf/0xc1
> [   91.556872] ---[ end trace 3e95e11ff0b9efad ]---
> 
> I suspect that something is not properly protected by the graph mutex at
> either ALSA or au0828 driver.
> 
> I also got a GPF:
> 
> [   95

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-19 Thread Shuah Khan

On 03/19/2016 04:39 AM, Mauro Carvalho Chehab wrote:
> Em Fri, 18 Mar 2016 23:57:08 -0300
> Mauro Carvalho Chehab  escreveu:
> 
>> Em Fri, 18 Mar 2016 20:50:31 -0600
>> Shuah Khan  escreveu:
>>
>>> Fix to release stream resources from media_snd_device_delete() before
>>> media device is unregistered. Without this change, stream resource free
>>> is attempted after the media device is unregistered which would result
>>> in use-after-free errors.
>>>
>>> Signed-off-by: Shuah Khan 
>>> ---
>>>
>>> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>>>   while running mc_nextgen_test loop (1000 iterations) in parallel.
>>> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>>>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>>>   look good.
>>> - Note: Please apply the following patch to fix memory leak:
>>>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>>>   https://lkml.org/lkml/2016/3/16/1050
>>>
>>>  sound/usb/media.c | 7 +++
>>>  1 file changed, 7 insertions(+)
>>>
>>> diff --git a/sound/usb/media.c b/sound/usb/media.c
>>> index de4a815..e35af88 100644
>>> --- a/sound/usb/media.c
>>> +++ b/sound/usb/media.c
>>> @@ -301,6 +301,13 @@ int media_snd_device_create(struct snd_usb_audio *chip,
>>>  void media_snd_device_delete(struct snd_usb_audio *chip)
>>>  {
>>> struct media_device *mdev = chip->media_dev;
>>> +   struct snd_usb_stream *stream;
>>> +
>>> +   /* release resources */
>>> +   list_for_each_entry(stream, &chip->pcm_list, list) {
>>> +   media_snd_stream_delete(&stream->substream[0]);
>>> +   media_snd_stream_delete(&stream->substream[1]);  
>>
>> I'll look on it better tomorrow, but it sounds weird to hardcode
>> substream[0] and [1] here... are you sure that this is valid for
>> *all* devices supported by snd-usb-audio?
> 
> After looking at pcm.c and finding this:
> 
> static void snd_usb_audio_stream_free(struct snd_usb_stream *stream)
> {
>   free_substream(&stream->substream[0]);
>   free_substream(&stream->substream[1]);
>   list_del(&stream->list);
>   kfree(stream);
> }
> 
> It seems that assuming that substream is always an array with size 2
> is right.
> 
> I'll do some tests with it today with your patch.
> 

Right. snd-usb-audio uses this in several places like the one above you found.

thanks,
-- Shuah


-- 
Shuah Khan
Sr. Linux Kernel Developer
Open Source Innovation Group
Samsung Research America (Silicon Valley)
shua...@osg.samsung.com | (970) 217-8978
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-19 Thread Mauro Carvalho Chehab

Em Fri, 18 Mar 2016 20:50:31 -0600
Shuah Khan  escreveu:

> Fix to release stream resources from media_snd_device_delete() before
> media device is unregistered. Without this change, stream resource free
> is attempted after the media device is unregistered which would result
> in use-after-free errors.
> 
> Signed-off-by: Shuah Khan 
> ---
> 
> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>   while running mc_nextgen_test loop (1000 iterations) in parallel.
> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>   look good.
> - Note: Please apply the following patch to fix memory leak:
>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>   https://lkml.org/lkml/2016/3/16/1050

Yeah, a way better!

For normal bind/unbind, it seems to be working fine. Also
for driver's rmmod, so:

Tested-by: Mauro Carvalho Chehab 

PS.:
===

There are still some troubles if we run an infinite loop
binding/unbinding au0828 and another one binding/unbinding
snd-usb-audio, like this one:


[   91.556188] [ cut here ]
[   91.556500] WARNING: CPU: 1 PID: 2920 at drivers/media/media-entity.c:392 
__media_entity_pipeline_start+0x271/0xce0 [media]()
[   91.556626] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
tuner au8522_decoder au8522_common au0828 videobuf2_vmalloc videobuf2_memops 
videobuf2_v4l2 videobuf2_core tveeprom dvb_core rc_core v4l2_common videodev 
snd_usb_audio snd_usbmidi_lib snd_rawmidi snd_seq_device media 
cpufreq_powersave cpufreq_conservative cpufreq_userspace cpufreq_stats 
parport_pc ppdev lp parport snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal 
intel_powerclamp coretemp kvm_intel iTCO_wdt kvm iTCO_vendor_support irqbypass 
crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha256_ssse3 
sha256_generic hmac drbg snd_hda_codec_realtek i915 snd_hda_codec_generic 
aesni_intel aes_x86_64 btusb lrw btrtl gf128mul snd_hda_intel glue_helper 
ablk_helper btbcm btintel cryptd psmouse snd_hda_codec bluetooth
[   91.556693]  snd_hwdep i2c_algo_bit sg snd_hda_core serio_raw pcspkr evdev 
drm_kms_helper snd_pcm rfkill drm snd_timer mei_me snd i2c_i801 soundcore 
lpc_ich mei mfd_core battery video dw_dmac i2c_designware_platform dw_dmac_core 
i2c_designware_core acpi_pad button tpm_tis tpm ext4 crc16 mbcache jbd2 dm_mod 
sd_mod hid_generic usbhid ahci libahci libata e1000e xhci_pci ptp scsi_mod 
ehci_pci ehci_hcd pps_core xhci_hcd fan thermal sdhci_acpi sdhci mmc_core 
i2c_hid hid
[   91.556748] CPU: 1 PID: 2920 Comm: v4l_id Tainted: G  D W   4.5.0+ 
#62
[   91.556751] Hardware name:  /NUC5i7RYB, BIOS 
RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[   91.556754]  a0e247a0 8803a3d17b08 819447c1 

[   91.556759]  88009bbe17c0 8803a3d17b48 8114fd16 
a0e20651
[   91.556763]  8803a47c9c58 8803a477d2c8 8803a5ac96f8 
dc00
[   91.556768] Call Trace:
[   91.556774]  [] dump_stack+0x85/0xc4
[   91.556778]  [] warn_slowpath_common+0xc6/0x120
[   91.556783]  [] ? 
__media_entity_pipeline_start+0x271/0xce0 [media]
[   91.556786]  [] warn_slowpath_null+0x1a/0x20
[   91.556790]  [] __media_entity_pipeline_start+0x271/0xce0 
[media]
[   91.556794]  [] ? __schedule+0x78a/0x2570
[   91.556797]  [] ? memset+0x28/0x30
[   91.556802]  [] ? media_entity_pipeline_stop+0x60/0x60 
[media]
[   91.556806]  [] ? trace_hardirqs_on+0xd/0x10
[   91.556810]  [] ? au0828_enable_source+0x55/0x9f0 [au0828]
[   91.556813]  [] ? mutex_trylock+0x400/0x400
[   91.556818]  [] ? au0828_v4l2_close+0xb3/0x590 [au0828]
[   91.556822]  [] au0828_enable_source+0x3f4/0x9f0 [au0828]
[   91.556824]  [] ? mutex_trylock+0x400/0x400
[   91.556834]  [] v4l_enable_media_source+0x66/0x90 
[videodev]
[   91.556839]  [] au0828_v4l2_close+0x25a/0x590 [au0828]
[   91.556846]  [] v4l2_release+0xf0/0x210 [videodev]
[   91.556849]  [] __fput+0x20f/0x6d0
[   91.556853]  [] fput+0xe/0x10
[   91.556856]  [] task_work_run+0x137/0x200
[   91.556859]  [] exit_to_usermode_loop+0x154/0x180
[   91.556863]  [] ? trace_hardirqs_on_caller+0x16/0x590
[   91.556866]  [] syscall_return_slowpath+0x186/0x1c0
[   91.556869]  [] entry_SYSCALL_64_fastpath+0xbf/0xc1
[   91.556872] ---[ end trace 3e95e11ff0b9efad ]---

I suspect that something is not properly protected by the graph mutex at
either ALSA or au0828 driver.

I also got a GPF:

[   95.398931] au0828: Start Pipeline: Xceive XC5000->au0828a vbi Error -16
[   95.398936] au0828: Deactivate link Error 0
[   95.398943] tuner 6-0061: Putting tuner to sleep
[   95.398960] kasan: CONFIG_KASAN_INLINE enabled
[   95.398962] kasan: GPF could be caused by NULL-ptr deref or user memory 
access
[   95.398967] general protection fault:  [#2] SMP KASAN
[   95.399020] Modules linked in: ir_lirc_codec lirc_dev au8522_dig xc5000 
tuner au8522_decoder au8522_common au0828 vide

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-19 Thread Mauro Carvalho Chehab

Em Fri, 18 Mar 2016 23:57:08 -0300
Mauro Carvalho Chehab  escreveu:

> Em Fri, 18 Mar 2016 20:50:31 -0600
> Shuah Khan  escreveu:
> 
> > Fix to release stream resources from media_snd_device_delete() before
> > media device is unregistered. Without this change, stream resource free
> > is attempted after the media device is unregistered which would result
> > in use-after-free errors.
> > 
> > Signed-off-by: Shuah Khan 
> > ---
> > 
> > - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
> >   while running mc_nextgen_test loop (1000 iterations) in parallel.
> > - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
> >   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
> >   look good.
> > - Note: Please apply the following patch to fix memory leak:
> >   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
> >   https://lkml.org/lkml/2016/3/16/1050
> > 
> >  sound/usb/media.c | 7 +++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/sound/usb/media.c b/sound/usb/media.c
> > index de4a815..e35af88 100644
> > --- a/sound/usb/media.c
> > +++ b/sound/usb/media.c
> > @@ -301,6 +301,13 @@ int media_snd_device_create(struct snd_usb_audio *chip,
> >  void media_snd_device_delete(struct snd_usb_audio *chip)
> >  {
> > struct media_device *mdev = chip->media_dev;
> > +   struct snd_usb_stream *stream;
> > +
> > +   /* release resources */
> > +   list_for_each_entry(stream, &chip->pcm_list, list) {
> > +   media_snd_stream_delete(&stream->substream[0]);
> > +   media_snd_stream_delete(&stream->substream[1]);  
> 
> I'll look on it better tomorrow, but it sounds weird to hardcode
> substream[0] and [1] here... are you sure that this is valid for
> *all* devices supported by snd-usb-audio?

After looking at pcm.c and finding this:

static void snd_usb_audio_stream_free(struct snd_usb_stream *stream)
{
free_substream(&stream->substream[0]);
free_substream(&stream->substream[1]);
list_del(&stream->list);
kfree(stream);
}

It seems that assuming that substream is always an array with size 2
is right.

I'll do some tests with it today with your patch.

Regards,
Mauro

> 
> Regards,
> Mauro
> 
> > +   }
> >  
> > media_snd_mixer_delete(chip);
> >
> 
> 


-- 
Thanks,
Mauro
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-18 Thread Mauro Carvalho Chehab

Em Fri, 18 Mar 2016 20:50:31 -0600
Shuah Khan  escreveu:

> Fix to release stream resources from media_snd_device_delete() before
> media device is unregistered. Without this change, stream resource free
> is attempted after the media device is unregistered which would result
> in use-after-free errors.
> 
> Signed-off-by: Shuah Khan 
> ---
> 
> - Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
>   while running mc_nextgen_test loop (1000 iterations) in parallel.
> - Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
>   generated graphs when after bind/unbind, rmmod/modprobe. Graphs
>   look good.
> - Note: Please apply the following patch to fix memory leak:
>   sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
>   https://lkml.org/lkml/2016/3/16/1050
> 
>  sound/usb/media.c | 7 +++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/sound/usb/media.c b/sound/usb/media.c
> index de4a815..e35af88 100644
> --- a/sound/usb/media.c
> +++ b/sound/usb/media.c
> @@ -301,6 +301,13 @@ int media_snd_device_create(struct snd_usb_audio *chip,
>  void media_snd_device_delete(struct snd_usb_audio *chip)
>  {
>   struct media_device *mdev = chip->media_dev;
> + struct snd_usb_stream *stream;
> +
> + /* release resources */
> + list_for_each_entry(stream, &chip->pcm_list, list) {
> + media_snd_stream_delete(&stream->substream[0]);
> + media_snd_stream_delete(&stream->substream[1]);

I'll look on it better tomorrow, but it sounds weird to hardcode
substream[0] and [1] here... are you sure that this is valid for
*all* devices supported by snd-usb-audio?

Regards,
Mauro

> + }
>  
>   media_snd_mixer_delete(chip);
>  


-- 
Thanks,
Mauro
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

2016-03-18 Thread Shuah Khan

Fix to release stream resources from media_snd_device_delete() before
media device is unregistered. Without this change, stream resource free
is attempted after the media device is unregistered which would result
in use-after-free errors.

Signed-off-by: Shuah Khan 
---

- Ran bind/unbind loop (1000 iteration) test on snd-usb-audio
  while running mc_nextgen_test loop (1000 iterations) in parallel.
- Ran bind/unbind and rmmod/modprobe tests on both drivers. Also
  generated graphs when after bind/unbind, rmmod/modprobe. Graphs
  look good.
- Note: Please apply the following patch to fix memory leak:
  sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
  https://lkml.org/lkml/2016/3/16/1050

 sound/usb/media.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/sound/usb/media.c b/sound/usb/media.c
index de4a815..e35af88 100644
--- a/sound/usb/media.c
+++ b/sound/usb/media.c
@@ -301,6 +301,13 @@ int media_snd_device_create(struct snd_usb_audio *chip,
 void media_snd_device_delete(struct snd_usb_audio *chip)
 {
struct media_device *mdev = chip->media_dev;
+   struct snd_usb_stream *stream;
+
+   /* release resources */
+   list_for_each_entry(stream, &chip->pcm_list, list) {
+   media_snd_stream_delete(&stream->substream[0]);
+   media_snd_stream_delete(&stream->substream[1]);
+   }
 
media_snd_mixer_delete(chip);
 
-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

Re: [PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

[PATCH] sound/usb: fix to release stream resources from media_snd_device_delete()

10 matches

Site Navigation

Mail list logo

Footer information