From: sashiko-bot@kernel.org
To: phucduc.bui@gmail.com
Cc: wsa+renesas@sang-engineering.com, conor+dt@kernel.org,
devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 05/10] ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown
Date: Fri, 05 Jun 2026 13:20:01 +0000 [thread overview]
Message-ID: <20260605132001.DA67A1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260605121955.105661-6-phucduc.bui@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] The patch fails to completely fix the hardware hang due to improper ordering with clock shutdown and introduces a Time-Of-Check to Time-Of-Use (TOCTOU) race condition.
Pre-existing issues:
- [High] Potential NULL pointer dereference in `fsi_pointer_update()` if a DMA completion callback runs after stream shutdown.
- [High] The driver releases DMA channels in `remove` before unregistering the ALSA component, creating a Use-After-Free race condition.
--
commit c264d5f1cdc59e54f0e7191a60f9c8c00661657c
Author: bui duc phuc <phucduc.bui@gmail.com>
ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown
This commit attempts to prevent system hangs by adding checks in the
in-flight IRQ handlers to skip hardware access if the stream is no
longer working. It relies on fsi_stream_is_working to detect if the
stream is active before reading or writing registers.
> diff --git a/sound/soc/renesas/fsi.c b/sound/soc/renesas/fsi.c
> index 429c3c9b6ede4..0f350bddeb1d5 100644
> --- a/sound/soc/renesas/fsi.c
> +++ b/sound/soc/renesas/fsi.c
> @@ -470,6 +470,10 @@ static int fsi_get_current_fifo_samples(struct fsi_priv *fsi,
>
> static void fsi_count_fifo_err(struct fsi_priv *fsi)
> {
> + if (!fsi_stream_is_working(fsi, &fsi->playback) &&
> + !fsi_stream_is_working(fsi, &fsi->capture))
> + return;
> +
[Severity: High]
Does this introduce a time-of-check to time-of-use race condition?
Since fsi_stream_is_working acquires and drops the master lock, an
interrupt can check the status and drop the lock. Before the handler
reads the hardware registers below, another thread could call
fsi_hw_shutdown, disabling the clock and causing a hang.
Additionally, when stopping the stream in fsi_dai_trigger, the hardware
shutdown is called before the substream is cleared:
sound/soc/renesas/fsi.c:fsi_dai_trigger() {
...
fsi_stream_stop(fsi, io);
if (!ret)
ret = fsi_hw_shutdown(fsi, dai->dev);
fsi_stream_quit(fsi, io);
...
}
Because the clock is disabled before io->substream is cleared, an
in-flight IRQ will still pass the fsi_stream_is_working check
and access the registers.
The same ordering issue occurs in __fsi_suspend, where io->substream is
never cleared at all.
> u32 ostatus = fsi_reg_read(fsi, DOFF_ST);
> u32 istatus = fsi_reg_read(fsi, DIFF_ST);
[ ... ]
[Severity: High]
This is a pre-existing issue, but is there a potential NULL pointer
dereference in fsi_pointer_update during stream shutdown?
When stopping a DMA stream, fsi_dma_push_start_stop uses
dmaengine_terminate_all, which terminates asynchronously:
sound/soc/renesas/fsi.c:fsi_dma_push_start_stop() {
...
dmaengine_terminate_all(io->chan);
...
}
Immediately after, fsi_stream_quit sets io->substream to NULL. If the
DMA callback fsi_dma_complete fires or is still running concurrently
after io->substream is cleared, it will call fsi_pointer_update which
dereferences the pointer without checking:
sound/soc/renesas/fsi.c:fsi_pointer_update() {
struct snd_pcm_substream *substream = io->substream;
struct snd_pcm_runtime *runtime = substream->runtime;
...
}
Could this cause a kernel panic if the callback executes after cleanup?
[Severity: High]
This is a pre-existing issue, but does fsi_remove create a use-after-free
race condition by releasing DMA channels before ALSA unregistration?
In fsi_probe, the ALSA component is registered via devres using
devm_snd_soc_register_component, meaning it unregisters automatically
after fsi_remove completes. However, fsi_remove manually destroys
the stream resources:
sound/soc/renesas/fsi.c:fsi_remove() {
...
fsi_stream_remove(&master->fsia);
fsi_stream_remove(&master->fsib);
...
}
Since the ALSA device is still accessible to userspace while the DMA
channels are being freed, an application could trigger audio playback.
If playback is started concurrently, it calls fsi_dma_transfer which
dereferences the freed channel:
sound/soc/renesas/fsi.c:fsi_dma_transfer() {
...
desc = dmaengine_prep_dma_cyclic(io->chan, ...);
...
dma_async_issue_pending(io->chan);
}
Could this lead to accessing a freed DMA channel pointer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605121955.105661-1-phucduc.bui@gmail.com?part=5
next prev parent reply other threads:[~2026-06-05 13:20 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 12:19 [PATCH v4 00/10] ASoC: renesas: fsi: Fix system hang by adding SPU clock phucduc.bui
2026-06-05 12:19 ` [PATCH v4 01/10] ASoC: dt-bindings: renesas,fsi: add support multiple clocks phucduc.bui
2026-06-05 12:30 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 02/10] ARM: dts: renesas: r8a7740: Add clocks for FSI phucduc.bui
2026-06-05 12:19 ` [PATCH v4 03/10] ASoC: renesas: fsi: Fix trigger stop ordering phucduc.bui
2026-06-05 12:52 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 04/10] ASoC: renesas: fsi: Move fsi_stream_is_working() phucduc.bui
2026-06-05 13:04 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 05/10] ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown phucduc.bui
2026-06-05 13:20 ` sashiko-bot [this message]
2026-06-05 12:19 ` [PATCH v4 06/10] ASoC: renesas: fsi: Move fsi_clk_init() phucduc.bui
2026-06-05 13:32 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 07/10] ASoC: renesas: fsi: Use devm_clk_get_optional() for optional clocks phucduc.bui
2026-06-05 12:19 ` [PATCH v4 08/10] ASoC: renesas: fsi: refactor clock initialization phucduc.bui
2026-06-05 14:04 ` sashiko-bot
2026-06-08 11:11 ` Bui Duc Phuc
2026-06-08 0:06 ` Kuninori Morimoto
2026-06-08 11:01 ` Bui Duc Phuc
2026-06-05 12:19 ` [PATCH v4 09/10] ASoC: renesas: fsi: add fsi_clk_prepare/unprepare() phucduc.bui
2026-06-05 14:21 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 10/10] ASoC: renesas: fsi: Add SPU clock control in hw_startup/shutdown phucduc.bui
2026-06-05 14:21 ` Mark Brown
2026-06-05 22:29 ` Bui Duc Phuc
2026-06-08 0:08 ` Kuninori Morimoto
2026-06-05 14:32 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605132001.DA67A1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=phucduc.bui@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.