Hi,

Static analysis on linux-next with Coverity had detected a potential array out-of-bounds write issue in the following commit:

commit aa2e2785545aab21b6cb2e23f111ae0751cbcca7 Author: Srinivas Kandagatla srinivas.kandagatla@linaro.org Date: Mon Oct 26 17:09:47 2020 +0000

ASoC: qcom: sm8250: add sound card qrb5165-rb5 support

The analysis is as follows:

139 static int sm8250_snd_hw_free(struct snd_pcm_substream *substream) 140 { 141 struct snd_soc_pcm_runtime *rtd = substream->private_data; 142 struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card); 143 struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0); 144 struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; 145

1. Switch case value 105.

146 switch (cpu_dai->id) {

2. equality_cond: Jumping to case 105.

147 case WSA_CODEC_DMA_RX_0: 148 case WSA_CODEC_DMA_RX_1:

Out-of-bounds write (OVERRUN) 3. Condition sruntime, taking true branch. 4. Condition data->stream_prepared[cpu_dai->id], taking true branch.

149 if (sruntime && data->stream_prepared[cpu_dai->id]) { 150 sdw_disable_stream(sruntime); 151 sdw_deprepare_stream(sruntime);

Out-of-bounds write (OVERRUN) 5. overrun-local: Overrunning array data->stream_prepared of 16 bytes at byte offset 105 using index cpu_dai->id (which evaluates to 105).

152 data->stream_prepared[cpu_dai->id] = false; 153 } 154 break; 155 default: 156 break; 157 } 158 159 return 0; 160 }

So cpu_dia->id is 105 in this case statement, and yet data->steam_prepared is an array of 16 elements, so this looks suspect.

Colin