From: sashiko-bot@kernel.org
To: "Herve Codina" <herve.codina@bootlin.com>
Cc: robh@kernel.org, conor+dt@kernel.org, krzk+dt@kernel.org,
devicetree@vger.kernel.org
Subject: Re: [PATCH v3 14/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for gain-ranges
Date: Thu, 14 May 2026 06:10:34 +0000 [thread overview]
Message-ID: <20260514061034.8AEEFC2BCC7@smtp.kernel.org> (raw)
In-Reply-To: <20260513081702.317117-15-herve.codina@bootlin.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] Unsynchronized freeing of dynamically allocated TLV array causes a Use-After-Free during concurrent ALSA TLV read.
- [Medium] Integer overflow in `kctrl_max` accumulation leads to validation bypass and a reachable `WARN(1)`.
- [Medium] Integer overflow in `simple_amp_cmp_ranges` can corrupt the sorted array.
- [Medium] Unprotected state modifications in ALSA control `put` handlers lead to a TOCTOU race and hardware state desynchronization.
--
commit 24a3721afe8e210f60da48c3439973f4c9f7e094
Author: Herve Codina <herve.codina@bootlin.com>
ASoC: simple-amplifier: gpio-audio-amp: Add support for gain-ranges
This commit introduces support for gain-ranges in the simple-amplifier
driver, mapping physical gain values to GPIO values through an array of
ranges and exporting them via an ALSA kcontrol with TLV range information.
diff --git a/sound/soc/codecs/simple-amplifier.c b/sound/soc/codecs/simple-amplifier.c
index 5b172e520dcd0..5759f9bc2f4ff 100644
--- a/sound/soc/codecs/simple-amplifier.c
+++ b/sound/soc/codecs/simple-amplifier.c
[ ... ]
> @@ -252,6 +312,38 @@ static int simple_amp_multi_kctrl_int_put(struct snd_kcontrol *kcontrol,
> return 1; /* The value changed */
> }
Can concurrent calls to simple_amp_multi_kctrl_int_put() and
simple_amp_single_kctrl_put() lead to hardware state desynchronization?
These handlers read the cached software state, issue hardware I/O via
gpiod_multi_set_value_cansleep(), and update the cached state without
driver-level locking.
The OSS emulation layer only holds a read lock when invoking kctl->put().
Two racing threads could pass the equality check and interleave their
hardware writes, causing the cached software state to permanently
desynchronize from the actual hardware GPIO state.
[ ... ]
> @@ -407,8 +526,17 @@ static int simple_amp_component_probe(struct snd_soc_component *component)
> return 0;
> }
>
> +static void simple_amp_component_remove(struct snd_soc_component *component)
> +{
> + struct simple_amp *simple_amp = snd_soc_component_get_drvdata(component);
> +
> + kfree(simple_amp->gain.tlv_array);
> + simple_amp->gain.tlv_array = NULL;
> +}
Does this kfree() cause a use-after-free during concurrent ALSA TLV reads?
ALSA controls remain accessible as long as a user holds an open file
descriptor, and snd_card_disconnect() does not drain active ioctls. A
concurrent SNDRV_CTL_IOCTL_TLV_READ could be blocked in copy_to_user()
reading control.tlv.p when this memory is synchronously freed.
Should the array's lifetime instead be bound to the kcontrol via the
kcontrol->private_free callback?
[ ... ]
> @@ -426,10 +554,179 @@ static int simple_amp_parse_single_gpio(struct device *dev,
> return 0;
> }
>
> +static int simple_amp_cmp_ranges(const void *a, const void *b)
> +{
> + const struct simple_amp_range *a_range = a;
> + const struct simple_amp_range *b_range = b;
> +
> + /* Ranges a and b don't overlap. This has been already checked */
> +
> + return a_range->min.gain_db - b_range->max.gain_db;
> +}
Can this subtraction mathematically overflow?
If highly negative and highly positive s32 values are provided via the
Device Tree, this operation could reverse the intended sign and break the
strict weak ordering required by sort(), corrupting the resulting array state.
Could this use safe inequality checks instead of subtraction?
[ ... ]
> +static int simple_amp_parse_ranges(struct device *dev,
> + struct simple_amp_multi *multi,
> + const char *ranges_property)
> +{
[ ... ]
> + range->nb_points = abs_diff(range->min.gpio_val,
> + range->max.gpio_val) + 1;
> +
> + multi->kctrl_max += range->nb_points;
> + }
> +
> + multi->kctrl_max -= 1;
Does this code overflow multi->kctrl_max?
A malformed Device Tree could define up to 65,536 ranges, each mapping to
65,536 points. This summation would reach exactly 4,294,967,296, completely
overflowing the u32 back to 0.
The subsequent multi->kctrl_max -= 1 operation would then underflow it to
0xFFFFFFFF, bypassing the bounds check in
simple_amp_multi_kctrl_write_gpios() and triggering a reachable WARN(1) in
simple_amp_multi_ranges_kctrl_to_gpio() which could act as a denial of
service if panic_on_warn is set.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260513081702.317117-1-herve.codina@bootlin.com?part=14
next prev parent reply other threads:[~2026-05-14 6:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 8:16 [PATCH v3 00/17] ASoC: Add support for GPIOs driven amplifiers Herve Codina
2026-05-13 8:16 ` [PATCH v3 01/17] of: Introduce of_property_read_s32_index() Herve Codina
2026-05-13 8:16 ` [PATCH v3 02/17] ASoC: dt-bindings: Add support for the GPIOs driven amplifier Herve Codina
2026-05-13 8:16 ` [PATCH v3 03/17] ASoC: simple-amplifier: Remove DRV_NAME defined value Herve Codina
2026-05-13 8:16 ` [PATCH v3 04/17] ASoC: simple-amplifier: Add missing headers Herve Codina
2026-05-13 8:16 ` [PATCH v3 05/17] ASoC: simple-amplifier: Remove CONFIG_OF flag and of_match_ptr() Herve Codina
2026-05-13 8:16 ` [PATCH v3 06/17] ASoC: simple-amplifier: Rename drv_event() function Herve Codina
2026-05-13 8:16 ` [PATCH v3 07/17] ASoC: simple-amplifier: Use 'simple_amp' variable name instead of 'priv' Herve Codina
2026-05-13 8:16 ` [PATCH v3 08/17] ASoC: simple-amplifier: Remove DAPM widgets and routes from the ASoC component driver Herve Codina
2026-05-14 3:32 ` sashiko-bot
2026-05-13 8:16 ` [PATCH v3 09/17] ASoC: simple-amplifier: Introduce support for gpio-audio-amp Herve Codina
2026-05-14 3:51 ` sashiko-bot
2026-05-13 8:16 ` [PATCH v3 10/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for extra power supplies Herve Codina
2026-05-13 8:16 ` [PATCH v3 11/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for mute gpio Herve Codina
2026-05-13 8:16 ` [PATCH v3 12/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for bypass gpio Herve Codina
2026-05-14 4:54 ` sashiko-bot
2026-05-13 8:16 ` [PATCH v3 13/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for basic gain Herve Codina
2026-05-13 8:16 ` [PATCH v3 14/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for gain-ranges Herve Codina
2026-05-14 6:10 ` sashiko-bot [this message]
2026-05-13 8:16 ` [PATCH v3 15/17] ASoC: simple-amplifier: gpio-audio-amp: Add support for gain-labels Herve Codina
2026-05-13 8:17 ` [PATCH v3 16/17] ASoC: simple-amplifier: Update author and copyright Herve Codina
2026-05-14 6:49 ` sashiko-bot
2026-05-13 8:17 ` [PATCH v3 17/17] MAINTAINERS: Add the ASoC gpio audio amplifier entry Herve Codina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514061034.8AEEFC2BCC7@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=herve.codina@bootlin.com \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox