git: 2a66844f606a - stable/14 - snd_hda: fix "duplicated free" on module unloading

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Michael Zhilin <mizhka_at_FreeBSD.org>
Date: Fri, 19 Apr 2024 06:57:35 UTC
The branch stable/14 has been updated by mizhka:

URL: https://cgit.FreeBSD.org/src/commit/?id=2a66844f606a35d68ad8a8061f4bea204274b3bc

commit 2a66844f606a35d68ad8a8061f4bea204274b3bc
Author:     Michael Zhilin <mizhka@FreeBSD.org>
AuthorDate: 2024-04-13 09:59:24 +0000
Commit:     Michael Zhilin <mizhka@FreeBSD.org>
CommitDate: 2024-04-19 06:37:08 +0000

    snd_hda: fix "duplicated free" on module unloading
    
    This is trivial fix of hdacc_detach to avoid duplicated free on snd_hda
    unloading.
    
    The first try of detaching (kldunload) may results into "device busy" error,
    but codec->fgs is freed by detach. Second try attempts to free codec->fgs again
    and system panicks.
    
    Here is example:
    
    pcm0: unregister: channel pcm0:virtual:dsp0.vp0 busy (pid 3428)
    pulseaudio[3428] [oss] module-oss.c: DSP shutdown.
    pcm0: detached
    hdaa0: detached
    panic: Duplicate free of 0xfffff80412ee7d20 from zone 0xfffffe006bc0ba00
    (malloc-32) slab 0xfffff80412ee7fc8(105)
    cpuid = 6
    time = 1712999565
    KDB: stack backtrace:
    db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0202f859e0
    vpanic() at vpanic+0x135/frame 0xfffffe0202f85b10
    panic() at panic+0x43/frame 0xfffffe0202f85b70
    uma_dbg_free() at uma_dbg_free+0x105/frame 0xfffffe0202f85b90
    uma_zfree_arg() at uma_zfree_arg+0x95/frame 0xfffffe0202f85be0
    free() at free+0xa1/frame 0xfffffe0202f85c20
    hdacc_detach() at hdacc_detach+0x2f/frame 0xfffffe0202f85c40
    device_detach() at device_detach+0x197/frame 0xfffffe0202f85c80
    devclass_driver_deleted() at devclass_driver_deleted+0x66/frame 0xfffffe0202f85c
    devclass_delete_driver() at devclass_delete_driver+0x81/frame 0xfffffe0202f85d00
    driver_module_handler() at driver_module_handler+0xff/frame 0xfffffe0202f85d50
    module_unload() at module_unload+0x32/frame 0xfffffe0202f85d70
    linker_file_unload() at linker_file_unload+0x1eb/frame 0xfffffe0202f85db0
    kern_kldunload() at kern_kldunload+0x18e/frame 0xfffffe0202f85e00
    amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe0202f85f30
    fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0202f85f30
    
    MFC after:              3 days
    Reviewed by:            markj, christos
    Differential Revision:  https://reviews.freebsd.org/D44778
    Sponsored by:           Postgres Professional
    
    (cherry picked from commit bed0b2146faa2e9a445d9f9196c7b46f50034631)
---
 sys/dev/sound/pci/hda/hdacc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/dev/sound/pci/hda/hdacc.c b/sys/dev/sound/pci/hda/hdacc.c
index 123c64d9c487..009c9098ac3b 100644
--- a/sys/dev/sound/pci/hda/hdacc.c
+++ b/sys/dev/sound/pci/hda/hdacc.c
@@ -539,9 +539,10 @@ hdacc_detach(device_t dev)
 	struct hdacc_softc *codec = device_get_softc(dev);
 	int error;
 
-	error = device_delete_children(dev);
+	if ((error = device_delete_children(dev)) != 0)
+		return (error);
 	free(codec->fgs, M_HDACC);
-	return (error);
+	return (0);
 }
 
 static int