[regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.

[regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.

[Vicente Bergas]

Hi,
in linux 5.0-rc there is a regression regarding snd_soc_simple_card.
Since updated from 4.20 there is a new error appearing in the kernel log,
although sound works fine and the system is stable.

The issue has not been bisected, but it probably lies at or arround
this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da215354eb55c382d3d5c426ea0e9aa7ef7c10e1

The DT node referred in the trace below is:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/rockchip/rk3399.dtsi?id=da215354eb55c382d3d5c426ea0e9aa7ef7c10e1#n1692

The kernel comes from the ArchLinuxArm distribution, its configuration is:
https://archlinuxarm.org/packages/aarch64/linux-aarch64-rc/files/config

This trace is from "dmesg -tl1,2,3,4":
OF: ERROR: Bad of_node_put() on /hdmi-sound
CPU: 2 PID: 370 Comm: kworker/2:2 Tainted: G         C        
5.0.0-rc6-1-ARCH #1
Hardware name: Sapphire-RK3399 Board (DT)
Workqueue: events deferred_probe_work_func
Call trace:
 dump_backtrace+0x0/0x1b8
 show_stack+0x24/0x30
 dump_stack+0x98/0xbc
 of_node_release+0xd0/0xd8
 kobject_put+0x8c/0x1f0
 of_node_put+0x24/0x30
 __of_get_next_child+0x50/0x70
 of_get_next_child+0x64/0x90
 asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
 platform_drv_probe+0x58/0xa8
 really_probe+0x1f0/0x3d8
 driver_probe_device+0xe4/0x138
 __device_attach_driver+0xb4/0x140
 bus_for_each_drv+0x8c/0xd8
 __device_attach+0xdc/0x158
 device_initial_probe+0x24/0x30
 bus_probe_device+0x9c/0xa8
 deferred_probe_work_func+0xa0/0xf0
 process_one_work+0x1ac/0x400
 worker_thread+0x50/0x488
 kthread+0x130/0x138
 ret_from_fork+0x10/0x1c
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 370 at lib/refcount.c:187 
refcount_sub_and_test_checked+0xb8/0xd0
Modules linked in: snd_soc_hdmi_codec rockchip_vpu(C+) rockchip_rga 
videobuf2_dma_contig videobuf2_dma_sg v4l2_mem2mem videobuf2_vmalloc 
videobuf2_memops videobuf2_v4l2 videobuf2_common rc_cec snd_soc_simple_card 
realtek snd_soc_rockchip_i2s snd_soc_simple_card_utils snd_soc_rockchip_pcm 
dw_hdmi_cec dw_hdmi_i2s_audio dw_wdt videodev rtc_rk808 media 
hid_kensington dwmac_rk rockchip_saradc rockchip_thermal stmmac_platform 
stmmac squashfs loop crypto_user gpio_keys rockchipdrm analogix_dp dw_hdmi 
cec rc_core dw_mipi_dsi drm_kms_helper syscopyarea sysfillrect sysimgblt 
fb_sys_fops drm drm_panel_orientation_quirks
CPU: 2 PID: 370 Comm: kworker/2:2 Tainted: G         C        
5.0.0-rc6-1-ARCH #1
Hardware name: Sapphire-RK3399 Board (DT)
Workqueue: events deferred_probe_work_func
pstate: 80000085 (Nzcv daIf -PAN -UAO)
pc : refcount_sub_and_test_checked+0xb8/0xd0
lr : refcount_sub_and_test_checked+0xb8/0xd0
sp : ffff000012d9ba20
x29: ffff000012d9ba20 x28: 0000000000000000 
x27: 0000000000000002 x26: 0000000000000001 
x25: ffff0000115ad6c8 x24: ffff0000090bb428 
x23: ffff8000f781a740 x22: 0000000000000000 
x21: ffff8000f781a740 x20: ffff8000f781a740 
x19: ffff8000f781a790 x18: 0000000000000000 
x17: 0000000000000000 x16: 0000000000000000 
x15: ffffffffffffffff x14: 0000000000000003 
x13: 0000000000000000 x12: ffff000011810000 
x11: ffff0000115d6000 x10: ffff000011810f48 
x9 : 0000000000000000 x8 : ffff00001181f170 
x7 : 0000000000000000 x6 : 0000000000000001 
x5 : 0000000000000000 x4 : 0000000000000001 
x3 : 0000000000000007 x2 : 0000000000000007 
x1 : 86b2dbbfc7425b00 x0 : 0000000000000000 
Call trace:
 refcount_sub_and_test_checked+0xb8/0xd0
 refcount_dec_and_test_checked+0x14/0x20
 kobject_put+0x24/0x1f0
 of_node_put+0x24/0x30
 __of_get_next_child+0x50/0x70
 of_get_next_child+0x64/0x90
 asoc_simple_card_probe+0x544/0x6b0 [snd_soc_simple_card]
 platform_drv_probe+0x58/0xa8
 really_probe+0x1f0/0x3d8
 driver_probe_device+0xe4/0x138
 __device_attach_driver+0xb4/0x140
 bus_for_each_drv+0x8c/0xd8
 __device_attach+0xdc/0x158
 device_initial_probe+0x24/0x30
 bus_probe_device+0x9c/0xa8
 deferred_probe_work_func+0xa0/0xf0
 process_one_work+0x1ac/0x400
 worker_thread+0x50/0x488
 kthread+0x130/0x138
 ret_from_fork+0x10/0x1c
---[ end trace ae290e9394a14a2f ]---
asoc-simple-card hdmi-sound: ASoC: no DMI vendor name!

Regards,
  Vicente.

Re: [regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.

[Kuninori Morimoto]

Hi Vicente

Thank you for your reporting

> of_node_put+0x24/0x30
> __of_get_next_child+0x50/0x70
> of_get_next_child+0x64/0x90
> asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> platform_drv_probe+0x58/0xa8

I can't reproduce this issue, but according to this back-trace,
I *guess* of_get_child_count() at asoc_simple_card_parse_of()
is the issue (= we need of_node_get(node) before it) ?

If so, we need to fix is not simple-card, but of.h I think
like this patch

c0a480d1acf7dc184f9f3e7cf724483b0d28dc2e
("device property: Fix usecount for of_graph_get_port_parent()")

Best regards
---
Kuninori Morimoto

Re: [regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.

[Kuninori Morimoto]

Hi Vicente, again

> > of_node_put+0x24/0x30
> > __of_get_next_child+0x50/0x70
> > of_get_next_child+0x64/0x90
> > asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> > platform_drv_probe+0x58/0xa8
> 
> I can't reproduce this issue, but according to this back-trace,
> I *guess* of_get_child_count() at asoc_simple_card_parse_of()
> is the issue (= we need of_node_get(node) before it) ?

I could reproduce this issue.
Thank you for reporting.
I will post fixup patch soon.
Please check it.

Best regards
---
Kuninori Morimoto

Re: [regression] snd_soc_simple_card: refcount_t: underflow; use-after-free.

[Daniel Baluta]

On Fri, Feb 15, 2019 at 8:41 AM Kuninori Morimoto
<kuninori.morimoto.gx@renesas.com> wrote:
>
>
> Hi Vicente, again
>
> > > of_node_put+0x24/0x30
> > > __of_get_next_child+0x50/0x70
> > > of_get_next_child+0x64/0x90
> > > asoc_simple_card_probe+0xe4/0x6b0 [snd_soc_simple_card]
> > > platform_drv_probe+0x58/0xa8
> >
> > I can't reproduce this issue, but according to this back-trace,
> > I *guess* of_get_child_count() at asoc_simple_card_parse_of()
> > is the issue (= we need of_node_get(node) before it) ?
>
> I could reproduce this issue.
> Thank you for reporting.
> I will post fixup patch soon.
> Please check it.


Hi Kuninori, Vicente,

I think I'm experimenting the same issue.

Kuninori,

The patch that you've sent is on an older kernel (from December) and the code
has changed but the problem remains in another form.

I'm having a look at this. Not sure is a problem from ASoC or from OF core.

 1.246852] OF: ERROR: Bad of_node_put() on /sound-wm8524
[    1.252259] CPU: 3 PID: 26 Comm: kworker/3:0 Not tainted
5.0.0-rc6-next-20190215-00002-g6e04e67e1342-dirty #32
[    1.262261] Hardware name: NXP i.MX8MQ EVK (DT)
[    1.266807] Workqueue: events deferred_probe_work_func
[    1.271950] Call trace:
[    1.274406]  dump_backtrace+0x0/0x158
[    1.278074]  show_stack+0x14/0x20
[    1.281396]  dump_stack+0xa8/0xcc
[    1.284717]  of_node_release+0xb0/0xc8
[    1.288474]  kobject_put+0x74/0xf0
[    1.291879]  of_node_put+0x14/0x28
[    1.295286]  __of_get_next_child+0x44/0x70
[    1.299387]  of_get_next_child+0x3c/0x60
[    1.303315]  simple_for_each_link+0x1dc/0x230
[    1.307676]  simple_probe+0x80/0x540
[    1.311256]  platform_drv_probe+0x50/0xa0
[    1.315270]  really_probe+0x20c/0x2c0
[    1.318936]  driver_probe_device+0x58/0x108
[    1.323124]  __device_attach_driver+0x94/0xb8
[    1.327485]  bus_for_each_drv+0x68/0xd0
[    1.331325]  __device_attach+0xd8/0x140
[    1.335165]  device_initial_probe+0x10/0x18
[    1.339352]  bus_probe_device+0x94/0xa0
[    1.343193]  deferred_probe_work_func+0x70/0xa8
[    1.347730]  process_one_work+0x1e8/0x330
[    1.351744]  worker_thread+0x40/0x448
[    1.355411]  kthread+0x124/0x128
[    1.358643]  ret_from_fork+0x10/0x18