The DMA complete callback uses substream's runtime data, so make sure the runtime check passes before going forward.
The callback could run while the stream is closing or after it's already closed. By then, the substream's runtime data might already been freed and cause NULL pointer dereferences.
Signed-off-by: Misael Lopez Cruz misael.lopez@ti.com Reviewed-by: Peter Ujfalusi peter.ujfalusi@ti.com --- sound/core/pcm_dmaengine.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c index fba365a..061a8f7 100644 --- a/sound/core/pcm_dmaengine.c +++ b/sound/core/pcm_dmaengine.c @@ -133,7 +133,12 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data); static void dmaengine_pcm_dma_complete(void *arg) { struct snd_pcm_substream *substream = arg; - struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); + struct dmaengine_pcm_runtime_data *prtd; + + if (PCM_RUNTIME_CHECK(substream)) + return; + + prtd = substream_to_prtd(substream);
prtd->pos += snd_pcm_lib_period_bytes(substream); if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))