From: sashiko-bot@kernel.org
To: phucduc.bui@gmail.com
Cc: wsa+renesas@sang-engineering.com, conor+dt@kernel.org,
devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 05/10] ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown
Date: Fri, 05 Jun 2026 13:20:01 +0000 [thread overview]
Message-ID: <20260605132001.DA67A1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260605121955.105661-6-phucduc.bui@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] The patch fails to completely fix the hardware hang due to improper ordering with clock shutdown and introduces a Time-Of-Check to Time-Of-Use (TOCTOU) race condition.
Pre-existing issues:
- [High] Potential NULL pointer dereference in `fsi_pointer_update()` if a DMA completion callback runs after stream shutdown.
- [High] The driver releases DMA channels in `remove` before unregistering the ALSA component, creating a Use-After-Free race condition.
--
commit c264d5f1cdc59e54f0e7191a60f9c8c00661657c
Author: bui duc phuc <phucduc.bui@gmail.com>
ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown
This commit attempts to prevent system hangs by adding checks in the
in-flight IRQ handlers to skip hardware access if the stream is no
longer working. It relies on fsi_stream_is_working to detect if the
stream is active before reading or writing registers.
> diff --git a/sound/soc/renesas/fsi.c b/sound/soc/renesas/fsi.c
> index 429c3c9b6ede4..0f350bddeb1d5 100644
> --- a/sound/soc/renesas/fsi.c
> +++ b/sound/soc/renesas/fsi.c
> @@ -470,6 +470,10 @@ static int fsi_get_current_fifo_samples(struct fsi_priv *fsi,
>
> static void fsi_count_fifo_err(struct fsi_priv *fsi)
> {
> + if (!fsi_stream_is_working(fsi, &fsi->playback) &&
> + !fsi_stream_is_working(fsi, &fsi->capture))
> + return;
> +
[Severity: High]
Does this introduce a time-of-check to time-of-use race condition?
Since fsi_stream_is_working acquires and drops the master lock, an
interrupt can check the status and drop the lock. Before the handler
reads the hardware registers below, another thread could call
fsi_hw_shutdown, disabling the clock and causing a hang.
Additionally, when stopping the stream in fsi_dai_trigger, the hardware
shutdown is called before the substream is cleared:
sound/soc/renesas/fsi.c:fsi_dai_trigger() {
...
fsi_stream_stop(fsi, io);
if (!ret)
ret = fsi_hw_shutdown(fsi, dai->dev);
fsi_stream_quit(fsi, io);
...
}
Because the clock is disabled before io->substream is cleared, an
in-flight IRQ will still pass the fsi_stream_is_working check
and access the registers.
The same ordering issue occurs in __fsi_suspend, where io->substream is
never cleared at all.
> u32 ostatus = fsi_reg_read(fsi, DOFF_ST);
> u32 istatus = fsi_reg_read(fsi, DIFF_ST);
[ ... ]
[Severity: High]
This is a pre-existing issue, but is there a potential NULL pointer
dereference in fsi_pointer_update during stream shutdown?
When stopping a DMA stream, fsi_dma_push_start_stop uses
dmaengine_terminate_all, which terminates asynchronously:
sound/soc/renesas/fsi.c:fsi_dma_push_start_stop() {
...
dmaengine_terminate_all(io->chan);
...
}
Immediately after, fsi_stream_quit sets io->substream to NULL. If the
DMA callback fsi_dma_complete fires or is still running concurrently
after io->substream is cleared, it will call fsi_pointer_update which
dereferences the pointer without checking:
sound/soc/renesas/fsi.c:fsi_pointer_update() {
struct snd_pcm_substream *substream = io->substream;
struct snd_pcm_runtime *runtime = substream->runtime;
...
}
Could this cause a kernel panic if the callback executes after cleanup?
[Severity: High]
This is a pre-existing issue, but does fsi_remove create a use-after-free
race condition by releasing DMA channels before ALSA unregistration?
In fsi_probe, the ALSA component is registered via devres using
devm_snd_soc_register_component, meaning it unregisters automatically
after fsi_remove completes. However, fsi_remove manually destroys
the stream resources:
sound/soc/renesas/fsi.c:fsi_remove() {
...
fsi_stream_remove(&master->fsia);
fsi_stream_remove(&master->fsib);
...
}
Since the ALSA device is still accessible to userspace while the DMA
channels are being freed, an application could trigger audio playback.
If playback is started concurrently, it calls fsi_dma_transfer which
dereferences the freed channel:
sound/soc/renesas/fsi.c:fsi_dma_transfer() {
...
desc = dmaengine_prep_dma_cyclic(io->chan, ...);
...
dma_async_issue_pending(io->chan);
}
Could this lead to accessing a freed DMA channel pointer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605121955.105661-1-phucduc.bui@gmail.com?part=5
next prev parent reply other threads:[~2026-06-05 13:20 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 12:19 [PATCH v4 00/10] ASoC: renesas: fsi: Fix system hang by adding SPU clock phucduc.bui
2026-06-05 12:19 ` [PATCH v4 01/10] ASoC: dt-bindings: renesas,fsi: add support multiple clocks phucduc.bui
2026-06-05 12:30 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 02/10] ARM: dts: renesas: r8a7740: Add clocks for FSI phucduc.bui
2026-06-05 12:19 ` [PATCH v4 03/10] ASoC: renesas: fsi: Fix trigger stop ordering phucduc.bui
2026-06-05 12:52 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 04/10] ASoC: renesas: fsi: Move fsi_stream_is_working() phucduc.bui
2026-06-05 13:04 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 05/10] ASoC: renesas: fsi: Fix register access from in-flight IRQ after shutdown phucduc.bui
2026-06-05 13:20 ` sashiko-bot [this message]
2026-06-05 12:19 ` [PATCH v4 06/10] ASoC: renesas: fsi: Move fsi_clk_init() phucduc.bui
2026-06-05 13:32 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 07/10] ASoC: renesas: fsi: Use devm_clk_get_optional() for optional clocks phucduc.bui
2026-06-05 12:19 ` [PATCH v4 08/10] ASoC: renesas: fsi: refactor clock initialization phucduc.bui
2026-06-05 14:04 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 09/10] ASoC: renesas: fsi: add fsi_clk_prepare/unprepare() phucduc.bui
2026-06-05 14:21 ` sashiko-bot
2026-06-05 12:19 ` [PATCH v4 10/10] ASoC: renesas: fsi: Add SPU clock control in hw_startup/shutdown phucduc.bui
2026-06-05 14:21 ` Mark Brown
2026-06-05 14:32 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605132001.DA67A1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=phucduc.bui@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox