[Bugme-new] [Bug 40682] New: Oops in alsa /dev/snd/timer device with SNDRV_TIMER_IOCTL_SELECT ioctl

bugzilla-daemon at bugzilla.kernel.org bugzilla-daemon at bugzilla.kernel.org
Sun Aug 7 10:14:14 PDT 2011


https://bugzilla.kernel.org/show_bug.cgi?id=40682

           Summary: Oops in alsa /dev/snd/timer device with
                    SNDRV_TIMER_IOCTL_SELECT ioctl
           Product: Drivers
           Version: 2.5
    Kernel Version: 2.6.29.1, ...
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Sound(ALSA)
        AssignedTo: perex at perex.cz
        ReportedBy: adam3337 at wp.pl
        Regression: No


Hi. I get this Oops:

[ 6642.899997] BUG: unable to handle kernel NULL pointer dereference at
000000e8
[ 6642.900126] IP: [<c01176f5>] __ticket_spin_lock+0x5/0x15
[ 6642.900126] *pde = 00000000
[ 6642.900126] Oops: 0000 [#18] SMP
[ 6642.900126] last sysfs file: /sys/devices/pci0000:00/0000:00:14.0/class
[ 6642.900126] Modules linked in: nls_iso8859_1 nls_cp437 vfat fat usb_storage
binfmt_misc ipv6 loop sd_mod snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss
snd_mixer_oss snd_pcm snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event
snd_seq snd_timer snd_seq_device mptspi mptscsih mptbase ac parport_pc parport
floppy thermal ohci_hcd scsi_transport_spi psmouse i2c_piix4 snd ehci_hcd
processor thermal_sys button serio_raw scsi_mod i2c_core pcnet32 mii pcspkr
usbcore soundcore snd_page_alloc evdev
[ 6642.900126]
[ 6642.900126] Pid: 3495, comm: exx Tainted: G      D    (2.6.29.1 #13)
VirtualBox
[ 6642.900126] EIP: 0060:[<c01176f5>] EFLAGS: 00010086 CPU: 0
[ 6642.900126] EIP is at __ticket_spin_lock+0x5/0x15
[ 6642.900126] EAX: 000000e8 EBX: 00000282 ECX: 00000000 EDX: 00000100
[ 6642.900126] ESI: 000000e8 EDI: df2e125c EBP: df514be8 ESP: daa73f38
[ 6642.900126]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 6642.900126] Process exx (pid: 3495, ti=daa72000 task=daa42810
task.ti=daa72000)
[ 6642.900126] Stack:
[ 6642.900126]  c0117792 c042f619 df2e125c da9219c0 e0c42f9d dabd48c0 da9219c0
e0c43685
[ 6642.900126]  df2e1380 00000010 dabd48c0 da9fad40 df2e125c df514be8 e0c436ae
00000010
[ 6642.900126]  c018a4d5 df80dec0 da9fad40 00000000 daa7f6c0 daa72000 c0187da1
daa7f6c0
[ 6642.900126] Call Trace:
[ 6642.900126]  [<c0117792>] default_spin_lock_flags+0x5/0x7
[ 6642.900126]  [<c042f619>] _spin_lock_irqsave+0x25/0x2b
[ 6642.900126]  [<e0c42f9d>] snd_timer_stop+0x23/0x3e [snd_timer]
[ 6642.900126]  [<e0c43685>] snd_timer_close+0x211/0x220 [snd_timer]
[ 6642.900126]  [<e0c436ae>] snd_timer_user_release+0x1a/0x35 [snd_timer]
[ 6642.900126]  [<c018a4d5>] __fput+0xa6/0x150
[ 6642.900126]  [<c0187da1>] filp_close+0x4e/0x54
[ 6642.900126]  [<c0187e0b>] sys_close+0x64/0x9f
[ 6642.900126]  [<c0103466>] syscall_call+0x7/0xb
[ 6642.900126] Code: 24 0c 89 da 89 f0 5b 5e e9 91 fd ff ff 89 4c 24 0c 89 f1
0f b7 d2 89 5c 24 10 0f b6 c0 5b 5e e9 a5 fd ff ff 90 90 ba 00 01 00 00 <3e> 66
0f c1 10 38 f2 74 06 f3 90 8a 10 eb f6 c3 53 89 c3 0f b7
[ 6642.900126] EIP: [<c01176f5>] __ticket_spin_lock+0x5/0x15 SS:ESP
0068:daa73f38
[ 6642.900126] ---[ end trace 11e604579b3dcb21 ]---

I can reproduce it with this code:
---------------------------------------------------------------
#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>
#include <linux/soundcard.h>


/*
 * Timer identifier embedded in struct snd_timer_select.
 *
 * The reproducer declares this structure locally rather than including an
 * ALSA header, so its field order and types have to match what the kernel
 * expects for the ioctl argument.
 * NOTE(review): presumably a copy of the kernel's own definition; verify
 * against the headers of the kernel under test.
 */
struct snd_timer_id {
        int dev_class;          /* timer class; main() sets this to 0 */
        int dev_sclass;         /* timer sub-class; main() sets this to 1 */
        int card;               /* never assigned by main() */
        int device;             /* never assigned by main() */
        int subdevice;          /* never assigned by main() */
};

/*
 * Argument block for SNDRV_TIMER_IOCTL_SELECT: the identifier of the timer
 * to bind to, followed by 32 reserved bytes. main() leaves the reserved
 * bytes unassigned.
 */
struct snd_timer_select {
        struct snd_timer_id id; /* identifier of the timer to bind to */
        unsigned char reserved[32];     /* reserved padding, not written by main() */
};


/*
 * ioctl request number: type 'T', command 0x10, built with _IOW, so the
 * size of struct snd_timer_select is encoded in the request value. The
 * local struct definition must therefore have the size the kernel expects.
 */
#define SNDRV_TIMER_IOCTL_SELECT _IOW('T', 0x10, struct snd_timer_select)

/*
 * Reproducer from the bug report: opens /dev/snd/timer, issues one
 * SNDRV_TIMER_IOCTL_SELECT with dev_class = 0 and dev_sclass = 1, prints
 * "ok" if the ioctl returns >= 0, then closes the descriptor.
 *
 * In the Oops quoted in the report the fault is on the close path
 * (sys_close -> snd_timer_user_release -> snd_timer_close ->
 * snd_timer_stop), not inside the ioctl call itself.
 *
 * NOTE(review): main has no declared return type (implicit int), and
 * ioctl()/close() are called without <sys/ioctl.h>/<unistd.h>, so both are
 * implicitly declared; modern compilers warn about or reject this.
 * NOTE(review): exit(0) on open failure and "return 1" at the end are
 * inverted relative to the usual exit-status convention; do not rely on the
 * exit code when scripting this as a regression check.
 */
main(int argc, char **argv)
{
int h;
/*
 * NOTE(review): sel is never zeroed. Only id.dev_class and id.dev_sclass are
 * assigned below; id.card, id.device, id.subdevice and reserved[] carry
 * whatever bytes were on the stack, so the kernel input is not fully
 * deterministic. A regression test derived from this should clear the
 * struct first so results are comparable between builds.
 */
struct snd_timer_select sel;

/*
 * Only read access is requested, so any account that may open the device
 * node read-only can reach this ioctl; node permissions are the access
 * control in front of this code path.
 */
h=open("/dev/snd/timer",O_RDONLY | O_NONBLOCK);
if(h< 0)
 {
        perror("open");
        exit(0);
 }

/* The two identifier fields the report singles out. */
sel.id.dev_class = 0;
sel.id.dev_sclass = 1;


/* A failing ioctl is silent: nothing is printed and errno is not reported. */
if(ioctl(h, SNDRV_TIMER_IOCTL_SELECT,&sel)>=0)
 {
        printf("ok\n");
 }

/* Releasing the file is where the quoted trace shows the NULL dereference. */
close(h);
return 1;
}
------------------------------------------------------------------

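The bug is located in sound/core/timer.c, in the snd_timer_user_tselect function. Note that the Oops itself fires later, on close(): the trace goes snd_timer_user_release -> snd_timer_close -> snd_timer_stop and faults while taking a spinlock at address 0xe8, which suggests the select ioctl left the timer instance in a state the close path does not expect.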
