Date: Fri, 19 Apr 2024 07:23:52 GMT From: Michael Zhilin <mizhka@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: e7a1904fe1ce - stable/13 - snd_hda: fix "duplicated free" on module unloading Message-ID: <202404190723.43J7NqIa056141@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by mizhka: URL: https://cgit.FreeBSD.org/src/commit/?id=e7a1904fe1ced461b2a31f03b6592ae6564a243a commit e7a1904fe1ced461b2a31f03b6592ae6564a243a Author: Michael Zhilin <mizhka@FreeBSD.org> AuthorDate: 2024-04-13 09:59:24 +0000 Commit: Michael Zhilin <mizhka@FreeBSD.org> CommitDate: 2024-04-19 07:23:36 +0000 snd_hda: fix "duplicated free" on module unloading This is trivial fix of hdacc_detach to avoid duplicated free on snd_hda unloading. The first try of detaching (kldunload) may results into "device busy" error, but codec->fgs is freed by detach. Second try attempts to free codec->fgs again and system panicks. Here is example: pcm0: unregister: channel pcm0:virtual:dsp0.vp0 busy (pid 3428) pulseaudio[3428] [oss] module-oss.c: DSP shutdown. pcm0: detached hdaa0: detached panic: Duplicate free of 0xfffff80412ee7d20 from zone 0xfffffe006bc0ba00 (malloc-32) slab 0xfffff80412ee7fc8(105) cpuid = 6 time = 1712999565 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0202f859e0 vpanic() at vpanic+0x135/frame 0xfffffe0202f85b10 panic() at panic+0x43/frame 0xfffffe0202f85b70 uma_dbg_free() at uma_dbg_free+0x105/frame 0xfffffe0202f85b90 uma_zfree_arg() at uma_zfree_arg+0x95/frame 0xfffffe0202f85be0 free() at free+0xa1/frame 0xfffffe0202f85c20 hdacc_detach() at hdacc_detach+0x2f/frame 0xfffffe0202f85c40 device_detach() at device_detach+0x197/frame 0xfffffe0202f85c80 devclass_driver_deleted() at devclass_driver_deleted+0x66/frame 0xfffffe0202f85c devclass_delete_driver() at devclass_delete_driver+0x81/frame 0xfffffe0202f85d00 driver_module_handler() at driver_module_handler+0xff/frame 0xfffffe0202f85d50 module_unload() at module_unload+0x32/frame 0xfffffe0202f85d70 linker_file_unload() at linker_file_unload+0x1eb/frame 0xfffffe0202f85db0 kern_kldunload() at kern_kldunload+0x18e/frame 0xfffffe0202f85e00 amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe0202f85f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0202f85f30 MFC after: 3 days Reviewed by: markj, christos Differential Revision: https://reviews.freebsd.org/D44778 Sponsored by: Postgres Professional (cherry picked from commit bed0b2146faa2e9a445d9f9196c7b46f50034631) --- sys/dev/sound/pci/hda/hdacc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/dev/sound/pci/hda/hdacc.c b/sys/dev/sound/pci/hda/hdacc.c index afcc145626e1..86c50a88f3e0 100644 --- a/sys/dev/sound/pci/hda/hdacc.c +++ b/sys/dev/sound/pci/hda/hdacc.c @@ -541,9 +541,10 @@ hdacc_detach(device_t dev) struct hdacc_softc *codec = device_get_softc(dev); int error; - error = device_delete_children(dev); + if ((error = device_delete_children(dev)) != 0) + return (error); free(codec->fgs, M_HDACC); - return (error); + return (0); } static int
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202404190723.43J7NqIa056141>