On 27/04/2022 09:55, Sergey Senozhatsky wrote:
> On (22/04/19 08:07), Pierre-Louis Bossart wrote:
>>> Your analysis is spot on, unfortunately. But...
>>>
>>> As of today, the sof_get_control_data() is in the call path of
>>> (ipc3-topology.c):
>>>
>>> sof_widget_update_ipc_comp_process() -> sof_process_load() ->
>>> sof_get_control_data()
>>>
>>> sof_widget_update_ipc_comp_process() is the ipc_setup callback for
>>> snd_soc_dapm_effect. If I'm not mistaken these only carry bin payload
>>> and never MIXER/ENUM/SWITCH/VOLUME.
>>> This means that the sof_get_control_data() is only called with
>>> SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.
>>>
>>> This can explain why we have not seen any issues so far. This does not
>>> render the code right, as how it is written atm is wrong.
>>
>> Sergey's results with KASAN show that there's a real-life problem though.
>> I also don't understand how that might happen.
>>
>> Could it be that these results are with a specific topology where our
>> assumptions are incorrect?
>
> Is there anything I can do to help?

I will send a patch shortly, I think it is going to be easy to backport
for you and test it.

-- 
Péter