On (22/04/19 08:07), Pierre-Louis Bossart wrote:
Your analysis is spot on, unfortunately. But...
As of today, the sof_get_control_data() is in the call path of (ipc3-topology.c):
sof_widget_update_ipc_comp_process() -> sof_process_load() -> sof_get_control_data()
sof_widget_update_ipc_comp_process() is the ipc_setup callback for snd_soc_dapm_effect. If I'm not mistaken, these only carry a bin payload and never MIXER/ENUM/SWITCH/VOLUME. This means that sof_get_control_data() is only called with SND_SOC_TPLG_TYPE_BYTES, and for that the allocated data area is correct.
This can explain why we have not seen any issues so far. It does not render the code right, though; how it is written atm is wrong.
Sergey's results with KASAN show that there's a real-life problem though. I also don't understand how that might happen.
Could it be that these results are with a specific topology where our assumptions are incorrect?
Is there anything I can do to help?