From: Yauhen Kharuzhy <jekhor@gmail.com>
To: Cezary Rojewski <cezary.rojewski@intel.com>
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
Hans de Goede <hansg@kernel.org>,
Liam Girdwood <liam.r.girdwood@linux.intel.com>,
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>,
Bard Liao <yung-chuan.liao@linux.intel.com>,
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>,
Kai Vehmanen <kai.vehmanen@linux.intel.com>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>,
Mark Brown <broonie@kernel.org>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>
Subject: Re: [PATCH v3 3/3] ASoC: Intel: Add cht_rt5677 driver
Date: Fri, 12 Jun 2026 00:53:55 +0300 [thread overview]
Message-ID: <aispdA0YWglxIP5F@jekhomev> (raw)
In-Reply-To: <e1627940-2bfe-4281-a0ff-03b7dfc16899@intel.com>
On Thu, Jun 11, 2026 at 11:19:10AM +0200, Cezary Rojewski wrote:
> On 6/11/2026 1:51 AM, Yauhen Kharuzhy wrote:
> > Add a new ASoC machine driver for Intel Cherry Trail platforms with
> > rt5677 codec.
>
> ...
> > +static void snd_cht_rt5677_remove(struct platform_device *pdev)
> > +{
> > + struct snd_soc_card *card = platform_get_drvdata(pdev);
> > + struct cht_rt5677_private *ctx = snd_soc_card_get_drvdata(card);
> > + int i;
> > +
> > + /*
> > + * Reset the codec name in the global dailink array back to the default
> > + * to avoid a use-after-free on driver rebind (unbind/bind):
> > + * ctx->codec_name is about to be freed together with ctx (devm), but
> > + * cht_rt5677_dailink[] is a static global that persists across binds.
> > + */
>
> All of this looks like a hack and brings me closer to simply stating:
>
> NAK
>
> as I do not believe the patch has been thoroughly tested if such hacks
> exist. remove() procedure should not care about codecs->name.
I agree but it was a simplest way to fix a possible use-after-free in
probe():
ctx = kzalloc();
...
if (cht_rt5677_dailink[i].codecs->name &&
!strcmp(cht_rt5677_dailink[i].codecs->name,
RT5677_I2C_DEFAULT))
cht_rt5677_dailink[i].codecs->name = ctx->codec_name;
So, if ctx will be freed (after remove()) and probe() will be called
again, then cht_rt5677_dailink[i].codecs->name will be invalid.
Now I have checked how this issue is resolved in similar drivers. For
example, cht_bsw_rt5672.c has the same pattern with potential
use-after-free. cht_bsw_rt5645.c uses a statically allocated buffer to
store the name instead of field inside a dynamically allocated context.
Maybe a such approach with static buffer would be an acceptable compromise.
>
> > + for (i = 0; i < ARRAY_SIZE(cht_rt5677_dailink); i++) {
> > + if (cht_rt5677_dailink[i].codecs->name == ctx->codec_name) {
> > + cht_rt5677_dailink[i].codecs->name = RT5677_I2C_DEFAULT;
> > + break;
> > + }
> > + }
> > +
> > + gpiod_put(ctx->gpio_hp_en);
> > + gpiod_put(ctx->gpio_spk_en2);
> > + gpiod_put(ctx->gpio_spk_en1);
> > +}
>
> ...
>
> > diff --git a/sound/soc/intel/common/soc-acpi-intel-cht-match.c b/sound/soc/intel/common/soc-acpi-intel-cht-match.c
> > index 5e8a1dc84ee1..c719c3ec8314 100644
> > --- a/sound/soc/intel/common/soc-acpi-intel-cht-match.c
> > +++ b/sound/soc/intel/common/soc-acpi-intel-cht-match.c
> > @@ -17,12 +17,11 @@ static struct snd_soc_acpi_mach cht_surface_mach = {
> > .sof_tplg_filename = "sof-cht-rt5645.tplg",
> > };
> > -static struct snd_soc_acpi_mach cht_yogabook_mach = {
> > +static struct snd_soc_acpi_mach cht_rt5677_mach = {
> > .id = "10EC5677",
> > - .drv_name = "cht-yogabook",
> > + .drv_name = "cht-rt5677",
> > .fw_filename = "intel/fw_sst_22a8.bin",
> > - .board = "cht-yogabook",
> > - .sof_tplg_filename = "sof-cht-rt5677.tplg",
> > + .board = "cht_rt5677",
> > };
> > static struct snd_soc_acpi_mach cht_lenovo_yoga_tab3_x90_mach = {
> > @@ -41,17 +40,9 @@ static const struct dmi_system_id cht_table[] = {
> > DMI_MATCH(DMI_PRODUCT_NAME, "Surface 3"),
> > },
> > },
> > - {
> > - .ident = "Lenovo Yoga Book YB1-X91",
> > - .driver_data = (void *)&cht_yogabook_mach,
> > - /* YB1-X91L/F */
> > - .matches = {
> > - DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
> > - }
> > - },
> > {
> > .ident = "Lenovo Yoga Book YB1-X90",
> > - .driver_data = (void *)&cht_yogabook_mach,
> > + .driver_data = (void *)&cht_rt5677_mach,
> > /* YB1-X90L/F, codec is not listed in DSDT */
> > .matches = {
> >
> > @@ -147,19 +138,11 @@ struct snd_soc_acpi_mach snd_soc_acpi_intel_cherrytrail_machines[] = {
> > .board = "cht-bsw",
> > .sof_tplg_filename = "sof-cht-rt5670.tplg",
> > },
> > - /*
> > - * The only known Cherry Trail device with RT5677 codec and 10EC677
> > - * DSTD entry is the Lenovo Yoga Book YB1-X91. It has a device-specific
> > - * driver, so check DMI and use a machine quirk to override the default
> > - * (non-existent) machine driver.
> > - */
>
> You are removing and editing (the below table) code you've just added with
> 2/3. This looks very bad.
Argh, it should have been integrated into the second patch in the series
instead of this one... My bad, sorry.
>
> > {
> > .id = "10EC5677",
> > - .drv_name = "cht-bsw-rt5677",
> > + .drv_name = "cht-rt5677",
> > .fw_filename = "intel/fw_sst_22a8.bin",
> > - .board = "cht-bsw",
> > - .machine_quirk = cht_quirk,
> > - .sof_tplg_filename = "sof-cht-rt5677.tplg",
> > + .board = "cht_rt5677",
> > },
> > {
> > .comp_ids = &rt5645_comp_ids,
> >
>
--
Yauhen Kharuzhy
prev parent reply other threads:[~2026-06-11 21:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 23:51 [PATCH v3 0/3] Add ASoC machine driver for Cherryview tablets with RT5677 Yauhen Kharuzhy
2026-06-10 23:51 ` [PATCH v3 1/3] ASoC: Intel: soc-acpi-cht: Unify device quirks Yauhen Kharuzhy
2026-06-11 8:47 ` Cezary Rojewski
2026-06-11 14:10 ` Mark Brown
2026-06-11 18:05 ` Yauhen Kharuzhy
2026-06-11 18:12 ` Mark Brown
2026-06-10 23:51 ` [PATCH v3 2/3] ASoC: Intel: soc-acpi-cht: Add Lenovo Yoga Book entries Yauhen Kharuzhy
2026-06-11 8:50 ` Cezary Rojewski
2026-06-10 23:51 ` [PATCH v3 3/3] ASoC: Intel: Add cht_rt5677 driver Yauhen Kharuzhy
2026-06-11 9:19 ` Cezary Rojewski
2026-06-11 21:53 ` Yauhen Kharuzhy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aispdA0YWglxIP5F@jekhomev \
--to=jekhor@gmail.com \
--cc=broonie@kernel.org \
--cc=cezary.rojewski@intel.com \
--cc=hansg@kernel.org \
--cc=kai.vehmanen@linux.intel.com \
--cc=liam.r.girdwood@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=perex@perex.cz \
--cc=peter.ujfalusi@linux.intel.com \
--cc=pierre-louis.bossart@linux.dev \
--cc=ranjani.sridharan@linux.intel.com \
--cc=tiwai@suse.com \
--cc=yung-chuan.liao@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox