Re: [PATCH v5 06/11] ASoC: renesas: fsi: Move fsi_clk_init()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] A TOCTOU race condition in `fsi_stream_is_working()` allows concurrent stream shutdown, leading to hardware accesses while clocks are gated and NULL pointer dereferences.
--

commit 2a7ff11c2bbdedadae9c569f5a5fb36f784c525a
Author: bui duc phuc <phucduc.bui@gmail.com>

ASoC: renesas: fsi: Move fsi_clk_init()
    
Move fsi_clk_init() after set_rate() functions to prepare for subsequent
refactoring.

> diff --git a/sound/soc/renesas/fsi.c b/sound/soc/renesas/fsi.c
> index 3e3c6fd7c56b8..1df7dc0143630 100644
> --- a/sound/soc/renesas/fsi.c
> +++ b/sound/soc/renesas/fsi.c

[ ... ]

> @@ -1034,6 +970,70 @@ static int fsi_clk_set_rate_cpg(struct device *dev,
>  	return ret;
>  }
>  
> +static int fsi_clk_init(struct device *dev,

[Severity: High]
This isn't a bug introduced by this patch, but while reviewing the clock
handling in this file, does fsi_stream_is_working() have a TOCTOU race
condition that allows concurrent stream shutdown?

It appears that fsi_stream_is_working() acquires and immediately releases
master->lock before returning a boolean. Concurrently, an ALSA
SNDRV_PCM_TRIGGER_STOP on another CPU can call fsi_stream_quit(), which
acquires the lock, sets io->substream = NULL, and releases it. This can be
followed by fsi_hw_shutdown() disabling the hardware clocks.

Because the lock is dropped in fsi_stream_is_working(), can an in-flight
fsi_interrupt() on CPU 0 evaluate the check as true, after which CPU 1
processes the STOP trigger, zeroes the substream pointer, and gates the
clocks?

CPU 0 could then proceed to access hardware registers while clocks are
disabled:

sound/soc/renesas/fsi.c:fsi_count_fifo_err() {
	if (!fsi_stream_is_working(fsi, &fsi->playback) &&
	    !fsi_stream_is_working(fsi, &fsi->capture))
		return;

	u32 ostatus = fsi_reg_read(fsi, DOFF_ST);
	...
}

Would this cause a system hang due to hardware access while clocks are
gated?

Additionally, in fsi_pio_transfer(), could this same TOCTOU race allow
execution to reach fsi_pio_get_area(), which unconditionally dereferences
io->substream->runtime?

sound/soc/renesas/fsi.c:fsi_pio_transfer() {
	if (!fsi_stream_is_working(fsi, io))
		return -EINVAL;

	buf = fsi_pio_get_area(fsi, io);
	...
}

sound/soc/renesas/fsi.c:fsi_pio_get_area() {
	struct snd_pcm_runtime *runtime = io->substream->runtime;

	return runtime->dma_area + ...
}

Could this result in a NULL pointer dereference if io->substream was
zeroed? This seems to be an issue that was only partially addressed by the
earlier commit "ASoC: renesas: fsi: Fix register access from in-flight IRQ
after shutdown".

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609013107.5995-1-phucduc.bui@gmail.com?part=6