audioreach-driver: q6apm_audio_pkt: Fix crash issue after command tim…#59
Merged
…eout during SSR

Fix crash issue after command timeout during SSR.

In q6apm_send_audio_cmd_sync(), the dev_err() calls on the command timeout and DSP error paths were using the 'dev' parameter passed into the function. During SSR, this device pointer may no longer be valid, leading to a NULL pointer dereference or use-after-free. Fix this by switching to &g_apm->adev->dev, which refers to the stable global APM device and remains valid across SSR events.

In audio_pkt_release(), the audpkt_dev pointer was being obtained via cdev_to_audpkt_dev(inode->i_cdev). During SSR, the inode's cdev may have already been torn down or become invalid by the time release() is called, resulting in a crash when dereferencing the pointer.

Fix this by retrieving audpkt_dev from file->private_data, which is set during audio_pkt_open() and remains valid for the lifetime of the open file descriptor. Additionally, add a NULL check guard for audpkt_dev and audpkt_dev->dev at the start of the function to safely handle any edge cases where the private data may not have been properly initialized.

Signed-off-by: Mohammad Rafi Shaik <mohammad.rafi.shaik@oss.qualcomm.com>
RaviHothi approved these changes Apr 22, 2026
nandamajay approved these changes Apr 22, 2026
qti-sbojja approved these changes Apr 22, 2026
quic-aditrath approved these changes Apr 22, 2026
Change tested on Rb8 board.
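The lifetime rule the description relies on, as a user-space model added here for illustration (not code from this pull request or the driver): open() pins the device and stores it in private_data, teardown clears the inode-side link, and release() works only from the guarded private_data. All struct and function names are hypothetical, and the reference count is an assumption about what keeps the pointer valid while the file is open; the page does not show how the driver does it.

```c
#include <stdlib.h>
/* User-space model: every name here is a hypothetical stand-in, not driver code. */
struct pkt_dev { int refs; };
struct inode_m { struct pkt_dev *cdev_owner; }; /* models the inode->i_cdev lookup */
struct file_m  { void *private_data; };

/* Drop one reference; returns 1 when this call freed the object. */
static int pkt_dev_put(struct pkt_dev *d)
{
    if (--d->refs > 0) return 0;
    free(d);
    return 1;
}

/* probe(): the driver creates the device and holds the first reference. */
static int model_probe(struct inode_m *ino)
{
    ino->cdev_owner = calloc(1, sizeof(*ino->cdev_owner));
    if (!ino->cdev_owner) return -1;
    ino->cdev_owner->refs = 1;
    return 0;
}

/* open(): resolve the device once, pin it, and stash it in the file. */
static int model_open(struct inode_m *ino, struct file_m *f)
{
    if (!ino->cdev_owner) return -1;   /* device already torn down */
    ino->cdev_owner->refs++;
    f->private_data = ino->cdev_owner;
    return 0;
}

/* SSR teardown: the inode-side link is cleared and the driver's reference dropped. */
static int model_ssr_teardown(struct inode_m *ino)
{
    struct pkt_dev *d = ino->cdev_owner;
    ino->cdev_owner = NULL;
    return d ? pkt_dev_put(d) : 0;
}

/* release(): ignores the inode, guards private_data, drops the file's pin. */
static int model_release(struct inode_m *ino, struct file_m *f)
{
    struct pkt_dev *d = f->private_data;
    (void)ino;                         /* may be stale after teardown */
    if (!d) return -1;                 /* open() never stored a device */
    f->private_data = NULL;
    return pkt_dev_put(d);
}
```

In this model the object is freed by the last release(), not by teardown, which is the property that makes private_data safe to dereference after SSR.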