From: sashiko-bot@kernel.org
To: phucduc.bui@gmail.com
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v2 05/11] ASoC: fsl_spdif: Use guard() for spin locks
Date: Mon, 15 Jun 2026 09:52:13 +0000 [thread overview]
Message-ID: <20260615095213.7E5851F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260615093824.115751-6-phucduc.bui@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A TOCTOU double-fetch vulnerability on `ctrl->ready_buf` allows an out-of-bounds slab read, potentially leaking sensitive kernel heap memory to user-space.
--
commit 77e81df6d58ee7403495ad362c8b579033ed04a6
Author: bui duc phuc <phucduc.bui@gmail.com>
ASoC: fsl_spdif: Use guard() for spin locks
This patch converts the spin lock handling in fsl_spdif_subcode_get() and
fsl_spdif_qget() to use the guard() macro. It refactors the code without
changing its intended behavior.
> diff --git a/sound/soc/fsl/fsl_spdif.c b/sound/soc/fsl/fsl_spdif.c
> index 1b9be85b34c24..ad1206ed98828 100644
> --- a/sound/soc/fsl/fsl_spdif.c
> +++ b/sound/soc/fsl/fsl_spdif.c
> @@ -853,17 +853,15 @@ static int fsl_spdif_subcode_get(struct snd_kcontrol *kcontrol,
[ ... ]
> int ret = -EAGAIN;
>
> - spin_lock_irqsave(&ctrl->ctl_lock, flags);
> + guard(spinlock_irqsave)(&ctrl->ctl_lock);
> if (ctrl->ready_buf) {
> int idx = (ctrl->ready_buf - 1) * SPDIF_UBITS_SIZE;
[Severity: High]
This is a pre-existing issue, but since the compiler can fetch ctrl->ready_buf
twice (once for the if check, and once for the idx calculation), could this
lead to a Time-of-Check to Time-of-Use (TOCTOU) race?
While this code holds ctl_lock to disable local interrupts, it appears
spdif_irq_uq_err() can run on another CPU and zero ready_buf without taking
ctl_lock:
spdif_irq_uq_err() {
...
/* Drop this U/Q buffer */
ctrl->ready_buf = 0;
}
If ready_buf becomes 0 between the check and the calculation, idx would
evaluate to a negative index. This would cause the subsequent memcpy to read
out of bounds and potentially leak adjacent slab memory to user-space.
Would caching ready_buf in a local variable using READ_ONCE() prevent this?
> memcpy(&ucontrol->value.iec958.subcode[0],
> &ctrl->subcode[idx], SPDIF_UBITS_SIZE);
> ret = 0;
> }
[ ... ]
> @@ -885,17 +883,15 @@ static int fsl_spdif_qget(struct snd_kcontrol *kcontrol,
[ ... ]
> int ret = -EAGAIN;
>
> - spin_lock_irqsave(&ctrl->ctl_lock, flags);
> + guard(spinlock_irqsave)(&ctrl->ctl_lock);
> if (ctrl->ready_buf) {
> int idx = (ctrl->ready_buf - 1) * SPDIF_QSUB_SIZE;
[Severity: High]
This is also a pre-existing issue, but does the same double-fetch
vulnerability exist here?
Like the subcode getter above, if ctrl->ready_buf is zeroed by the interrupt
handler after the check, idx becomes a negative offset. This would result in
memcpy reading from the adjacent memory within the struct instead of the
intended qsub array.
> memcpy(&ucontrol->value.bytes.data[0],
> &ctrl->qsub[idx], SPDIF_QSUB_SIZE);
> ret = 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260615093824.115751-1-phucduc.bui@gmail.com?part=5
next prev parent reply other threads:[~2026-06-15 9:52 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 9:38 [PATCH v2 00/11] ASoC: fsl: Use guard() for mutex & spin locks phucduc.bui
2026-06-15 9:38 ` [PATCH v2 01/11] ASoC: fsl_asrc: Use guard() for " phucduc.bui
2026-06-15 9:51 ` sashiko-bot
2026-06-15 14:18 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 02/11] ASoC: fsl_audmix: " phucduc.bui
2026-06-15 14:30 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 03/11] ASoC: fsl_easrc: " phucduc.bui
2026-06-15 9:48 ` sashiko-bot
2026-06-15 14:24 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 04/11] ASoC: fsl_esai: " phucduc.bui
2026-06-15 9:52 ` sashiko-bot
2026-06-15 14:15 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 05/11] ASoC: fsl_spdif: " phucduc.bui
2026-06-15 9:52 ` sashiko-bot [this message]
2026-06-15 14:17 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 06/11] ASoC: fsl_ssi: Use guard() for mutex locks phucduc.bui
2026-06-15 14:25 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 07/11] ASoC: fsl_xcvr: Use guard() for spin locks phucduc.bui
2026-06-15 9:49 ` sashiko-bot
2026-06-15 14:19 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 08/11] ASoC: imx-audio-rpmsg: " phucduc.bui
2026-06-15 9:51 ` sashiko-bot
2026-06-15 14:17 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 09/11] ASoC: fsl_rpmsg: Use guard() for mutex & " phucduc.bui
2026-06-15 9:59 ` sashiko-bot
2026-06-15 14:12 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 10/11] ASoC: fsl: mpc5200_dma: Use guard() for " phucduc.bui
2026-06-15 9:57 ` sashiko-bot
2026-06-15 14:14 ` Frank Li
2026-06-15 9:38 ` [PATCH v2 11/11] ASoC: fsl: mpc5200_psc_ac97: Use guard() for mutex locks phucduc.bui
2026-06-15 14:26 ` Frank Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615095213.7E5851F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=phucduc.bui@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox