volume: validate host-supplied config and fix init error path by lgirdwood · Pull Request #10919 · thesofproject/sof

lgirdwood · 2026-06-15T14:56:26Z

Hardening of host-supplied data in the volume component, plus an error-path
fix:

avoid a use-after-free in the IPC3 init error path (the component data was
freed and then dereferenced)
validate the IPC4 init payload is large enough to cover the per-channel
config array before iterating it
require a full 32-bit word for the attenuation control payload

No functional change for valid configurations.

Copilot

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Hardens the volume component against malformed host-supplied IPC payloads and fixes a use-after-free in an IPC3 init error path.

Changes:

Add IPC4 init payload size validation before iterating per-channel config.
Tighten attenuation control payload validation to require exactly 32 bits.
Fix IPC3 init error cleanup order to avoid dereferencing freed memory.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/audio/volume/volume_ipc4.c	Adds IPC4 init/config size validation and tightens attenuation payload size checks.
src/audio/volume/volume_ipc3.c	Adjusts error-path frees to avoid a use-after-free during init failure.

lgirdwood · 2026-06-17T13:36:36Z

+	if (cfg->size < sizeof(*vol) + channels_count * sizeof(vol->config[0])) {
+		comp_err(dev, "Invalid init payload size %zu for %u channels",
+			 cfg->size, channels_count);
+		return -EINVAL;
+	}


No overflow here: channels_count is validated to be in [1, SOF_IPC_MAX_CHANNELS] (== 8) a few lines above, before this size check, so channels_count * sizeof(vol->config[0]) is bounded by 8 * a small struct and can't overflow size_t.

lgirdwood · 2026-06-17T13:36:34Z

+	if (data_size < (int)sizeof(uint32_t) || data_size > sizeof(uint32_t)) {
 		comp_err(dev, "attenuation data size %d is incorrect", data_size);
 		return -EINVAL;
 	}


Addressed — the check is now a single data_size != (int)sizeof(uint32_t), with the cast keeping both sides signed (no signed/unsigned comparison).

lyakh · 2026-06-16T08:27:07Z

-		mod_free(mod, cd);
+		/* free cd->vol before cd: freeing cd first would leave the
+		 * following cd->vol read dereferencing freed memory
+		 */


please remove the obvious comment

Removed the comment.

lyakh · 2026-06-16T08:29:21Z

+	/* only support attenuation in format of 32bit; the payload is
+	 * dereferenced as a uint32_t below so it must be exactly that size
+	 */
+	if (data_size < (int)sizeof(uint32_t) || data_size > sizeof(uint32_t)) {


ehm, data_size != sizeof(uint32_t)?

Done — simplified to a single data_size != (int)sizeof(uint32_t) check. (Cast to int to keep it a clean signed comparison, since data_size is int — also addresses the signed/unsigned note.)

On an invalid ramp type the init error path freed the component data then read a field from it. Free the dependent allocation before the component data and stop dereferencing it afterwards. Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

lgirdwood · 2026-06-19T13:52:49Z

Some valgrind errors:

==28717== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==28717== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==28717== Command: ../../testbench/build_testbench/install/bin/sof-testbench4 -r 48000 -R 48000 -c 2 -n 2 -b S16_LE -p 1,2 -t ../../build_tools/topology/topology2/development/sof-hda-benchmark-gain16.tplg -i chirp_test_in_746769.raw -o chirp_test_out_746769.raw
==28717== 
trace: [1781705759.963536] <inf> (ll_schedule.c:114) ll_scheduler_init()
trace: [1781705759.975209] <inf> (edf_schedule.c:112) edf_scheduler_init()
Info: Found control type 1: Analog Playback GAIN volume
Info: Found control type 1: Analog Capture GAIN volume
warning: failed  assigning pipeline for iDisp3 Tx
warning: failed  assigning pipeline for codec2_in
warning: failed  assigning pipeline for Alt Analog CPU Playback
warning: failed  assigning pipeline for codec2_out
warning: failed  assigning pipeline for Analog CPU Capture
warning: failed  assigning pipeline for iDisp1_out
warning: failed  assigning pipeline for Digital CPU Capture
warning: failed  assigning pipeline for iDisp2_out
warning: failed  assigning pipeline for Alt Analog CPU Capture
warning: failed  assigning pipeline for iDisp3_out
trace: [1781705760.021841] <inf> (handler-kernel.c:535) rx	: 0x11000004|0
trace: [1781705760.024855] <inf> (pipeline-graph.c:119) pipeline new pipe_id 0 priority 0
trace: [1781705760.028913] <inf> (handler-kernel.c:535) rx	: 0x4000009a|0x16
trace: [1781705760.040853] <inf> (handler-kernel.c:535) rx	: 0x40000006|0x14
trace: [1781705760.041364] <err> (volume_ipc4.c:134) Invalid init payload size 64 for 2 channels
trace: [1781705760.042164] <err> (generic.c:135) error -22: module specific init failed
trace: [1781705760.043427] <err> (module_adapter.c:315) -22: module initialization failed
trace: [1781705760.044139] <err> (handler-user.c:765) error: failed to init module 6 : 0
trace: [1781705760.044639] <err> (handler-kernel.c:556) ipc4: MODULE_MSG failed with err 104
error: can't set up widget gain.1.1
error: Failed tb_set_up_pipelines for playback
error: pipelines set up 0 failed -22
==28717== 
==28717== HEAP SUMMARY:
==28717==     in use at exit: 99,088 bytes in 118 blocks
==28717==   total heap usage: 147 allocs, 29 frees, 134,257 bytes allocated
==28717== 
==28717== 128 (32 direct, 96 indirect) bytes in 1 blocks are definitely lost in loss record 25 of 38
==28717==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28717==    by 0x18EDBC: tplg_parse_graph (graph.c:95)
==28717==    by 0x11B505: tb_register_graph (topology_ipc4.c:994)
==28717==    by 0x11B505: tb_parse_topology (topology_ipc4.c:1491)
==28717==    by 0x116328: tb_load_topology (utils.c:41)
==28717==    by 0x1140A4: pipline_test.isra.0 (testbench.c:340)
==28717==    by 0x113B83: main (testbench.c:510)
==28717== 
==28717== 331 (320 direct, 11 indirect) bytes in 1 blocks are definitely lost in loss record 30 of 38
==28717==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28717==    by 0x18E425: tplg_parse_pcm (pcm.c:29)
==28717==    by 0x11ACFA: tb_parse_pcm (topology_ipc4.c:1008)
==28717==    by 0x11ACFA: tb_parse_topology (topology_ipc4.c:1499)
==28717==    by 0x116328: tb_load_topology (utils.c:41)
==28717==    by 0x1140A4: pipline_test.isra.0 (testbench.c:340)
==28717==    by 0x113B83: main (testbench.c:510)
==28717== 
==28717== 1,869 (32 direct, 1,837 indirect) bytes in 1 blocks are definitely lost in loss record 35 of 38
==28717==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28717==    by 0x11E389: ipc4_create_pipeline (helper.c:372)
==28717==    by 0x11E389: ipc_pipeline_new (helper.c:433)
==28717==    by 0x11D4F7: ipc4_process_glb_message (handler-kernel.c:237)
==28717==    by 0x11D4F7: ipc_cmd (handler-kernel.c:549)
==28717==    by 0x1197B4: tb_ipc_message (topology_ipc4.c:50)
==28717==    by 0x1197B4: tb_mq_cmd_tx_rx.constprop.1 (topology_ipc4.c:69)
==28717==    by 0x119A9C: tb_set_up_pipeline (topology_ipc4.c:191)
==28717==    by 0x117417: tb_set_up_widget (utils_ipc4.c:272)
==28717==    by 0x1175EA: tb_set_up_widgets_playback (utils_ipc4.c:329)
==28717==    by 0x118812: tb_set_up_pipelines (utils_ipc4.c:445)
==28717==    by 0x118812: tb_set_up_all_pipelines (utils_ipc4.c:458)
==28717==    by 0x1140B4: pipline_test.isra.0 (testbench.c:346)
==28717==    by 0x113B83: main (testbench.c:510)
==28717== 
==28717== 13,338 bytes in 1 blocks are definitely lost in loss record 37 of 38
==28717==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28717==    by 0x11AA9F: tb_parse_topology (topology_ipc4.c:1438)
==28717==    by 0x116328: tb_load_topology (utils.c:41)
==28717==    by 0x1140A4: pipline_test.isra.0 (testbench.c:340)
==28717==    by 0x113B83: main (testbench.c:510)
==28717== 
==28717== 82,950 (77,056 direct, 5,894 indirect) bytes in 1 blocks are definitely lost in loss record 38 of 38
==28717==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28717==    by 0x11AA22: tb_parse_topology (topology_ipc4.c:1408)
==28717==    by 0x116328: tb_load_topology (utils.c:41)
==28717==    by 0x1140A4: pipline_test.isra.0 (testbench.c:340)
==28717==    by 0x113B83: main (testbench.c:510)
==28717== 
==28717== LEAK SUMMARY:
==28717==    definitely lost: 90,778 bytes in 5 blocks
==28717==    indirectly lost: 7,838 bytes in 112 blocks
==28717==      possibly lost: 0 bytes in 0 blocks
==28717==    still reachable: 472 bytes in 1 blocks
==28717==         suppressed: 0 bytes in 0 blocks
==28717== Reachable blocks (those to which a pointer was found) are not shown.
==28717== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==28717== 
==28717== For lists of detected and suppressed errors, rerun with: -s
==28717== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
error: './comp_run.sh -t /tmp/oct-Wkfafm_config.sh' returned status 1
----------------------------------------------------------
gain test failed!

Init read the per-channel config[] array using the stream channel count without checking the payload was large enough, reading past the mailbox. The payload comes in two forms: an all-channels entry (channel_id set to ALL_CHANNELS_MASK) that carries a single config applied to every channel, or one config entry per channel. The per-channel loop always indexed config[channel], so the common all-channels payload (one entry) was read out of bounds for every channel beyond the first; the result was then discarded, masking the over-read. Require at least one entry before dereferencing config[0] to detect the form, require one entry per channel only for the per-channel form, and index config[] by the selected entry so no read goes past the payload. Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

The attenuation setter only rejected oversized payloads, then dereferenced the data as a 32-bit value; a shorter payload read past the mailbox. Require exactly a 32-bit payload. Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

lgirdwood · 2026-06-19T14:13:54Z

Pushed a fix: the testbench gain CI (sof-hda-benchmark-gain16) was failing init with Invalid init payload size 64 for 2 channels.

The previous size check required one config entry per channel, but the common all-channels payload (channel_id == ALL_CHANNELS_MASK) carries a single entry for all channels — a 64-byte payload = base_cfg(40) + 1 entry(24). The check wrongly rejected it.

The init loop also indexed config[channel] unconditionally, so that same single-entry payload was over-read for every channel past the first (the result was discarded, which masked the over-read in practice). Reworked to:

require at least one entry before reading config[0] to detect the form,
require one-entry-per-channel only for the explicit per-channel form,
index config[] by the selected entry so no read goes past the payload.

This both fixes the CI regression and closes the original out-of-bounds read. Commit message updated to match.

Copilot AI review requested due to automatic review settings June 15, 2026 14:56

lgirdwood requested review from dbaluta, kv2019i, lbetlej, mmaka1 and plbossart as code owners June 15, 2026 14:56

Copilot AI reviewed Jun 15, 2026

View reviewed changes

Copilot started reviewing on behalf of lgirdwood June 15, 2026 15:12 View session

singalsu approved these changes Jun 16, 2026

View reviewed changes

lyakh reviewed Jun 16, 2026

View reviewed changes

lgirdwood force-pushed the fix-volume branch from 87fb018 to 24e5f5e Compare June 17, 2026 13:36

lyakh approved these changes Jun 18, 2026

View reviewed changes

lrgirdwo added 2 commits June 19, 2026 15:13

lgirdwood force-pushed the fix-volume branch from 24e5f5e to 948a9d7 Compare June 19, 2026 14:13

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

volume: validate host-supplied config and fix init error path#10919

volume: validate host-supplied config and fix init error path#10919
lgirdwood wants to merge 3 commits into
thesofproject:mainfrom
lgirdwood:fix-volume

lgirdwood commented Jun 15, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

lgirdwood Jun 17, 2026

Uh oh!

lgirdwood Jun 17, 2026

Uh oh!

lyakh Jun 16, 2026

Uh oh!

lgirdwood Jun 17, 2026

Uh oh!

lyakh Jun 16, 2026

Uh oh!

lgirdwood Jun 17, 2026

Uh oh!

lgirdwood commented Jun 19, 2026

Uh oh!

lgirdwood commented Jun 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

lgirdwood commented Jun 15, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

lgirdwood Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

lgirdwood Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

lyakh Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

lgirdwood Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

lyakh Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

lgirdwood Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

lgirdwood commented Jun 19, 2026

Uh oh!

lgirdwood commented Jun 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants