The bug is here: *dai_name = dai->driver->name;
For for_each_component_dais, just like list_for_each_entry, the list iterator 'dai' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to a invalid memory access.
To fix the bug, use a new variable 'iter' as the list iterator, while use the original variable 'dai' as a dedicated pointer to point to the found element.
Cc: stable@vger.kernel.org Fixes: 58bf4179000a3 ("ASoC: soc-core: remove dai_drv from snd_soc_component") Signed-off-by: Xiaomeng Tong xiam0nd.tong@gmail.com --- sound/soc/soc-core.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 434e61b46983..064fc0347868 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -3238,7 +3238,7 @@ int snd_soc_get_dai_name(const struct of_phandle_args *args,
ret = snd_soc_component_of_xlate_dai_name(pos, args, dai_name); if (ret == -ENOTSUPP) { - struct snd_soc_dai *dai; + struct snd_soc_dai *dai = NULL, *iter; int id = -1;
switch (args->args_count) { @@ -3261,12 +3261,19 @@ int snd_soc_get_dai_name(const struct of_phandle_args *args, ret = 0;
/* find target DAI */ - for_each_component_dais(pos, dai) { - if (id == 0) + for_each_component_dais(pos, iter) { + if (id == 0) { + dai = iter; break; + } id--; }
+ if (!dai) { + ret = -EINVAL; + continue; + } + *dai_name = dai->driver->name; if (!*dai_name) *dai_name = pos->name;