Hi,

Static analysis on linux-next with Coverity has detected a potential array
out-of-bounds write issue in the following commit:

commit aa2e2785545aab21b6cb2e23f111ae0751cbcca7
Author: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Date:   Mon Oct 26 17:09:47 2020 +0000

    ASoC: qcom: sm8250: add sound card qrb5165-rb5 support

The analysis is as follows:

139 static int sm8250_snd_hw_free(struct snd_pcm_substream *substream)
140 {
141        struct snd_soc_pcm_runtime *rtd = substream->private_data;
142        struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card);
143        struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0);
144        struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id];
145

    1. Switch case value 105.

146        switch (cpu_dai->id) {

    2. equality_cond: Jumping to case 105.

147        case WSA_CODEC_DMA_RX_0:
148        case WSA_CODEC_DMA_RX_1:

Out-of-bounds write (OVERRUN)
    3. Condition sruntime, taking true branch.
    4. Condition data->stream_prepared[cpu_dai->id], taking true branch.

149                if (sruntime && data->stream_prepared[cpu_dai->id]) {
150                        sdw_disable_stream(sruntime);
151                        sdw_deprepare_stream(sruntime);

Out-of-bounds write (OVERRUN)
    5. overrun-local: Overrunning array data->stream_prepared of 16 bytes
       at byte offset 105 using index cpu_dai->id (which evaluates to 105).

152                        data->stream_prepared[cpu_dai->id] = false;
153                }
154                break;
155        default:
156                break;
157        }
158
159        return 0;
160 }

So cpu_dai->id is 105 in this case statement, and yet data->stream_prepared
is an array of 16 elements, so this looks suspect.

Colin
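
Added example, not part of the original message and not the driver's code: a user-space C model of the pattern in the report, computing where an unchecked stream_prepared[105] write would land past the 16-element array and showing a bounds-checked form of the clear. The names card_data, guard, overrun_offset, stream_unprepare and demo are hypothetical; only the values 16 and 105 come from the report.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PORT_TABLE_LEN  16	/* array length stated in the report */
#define REPORTED_DAI_ID 105	/* index value from the report */

/* Hypothetical stand-in for the driver's private data (constructed). */
struct card_data {
	bool stream_prepared[PORT_TABLE_LEN];
	unsigned char guard[128];	/* constructed neighbour an overrun would hit */
};

/* Index into guard[] that an unchecked stream_prepared[id] write would hit, else -1. */
static long overrun_offset(unsigned int id)
{
	size_t off = offsetof(struct card_data, stream_prepared) + id * sizeof(bool);
	size_t g = offsetof(struct card_data, guard);
	return (off >= g && off < sizeof(struct card_data)) ? (long)(off - g) : -1;
}

/* Checked form: 1 = flag cleared, 0 = already clear, -EINVAL = id out of range. */
static int stream_unprepare(struct card_data *d, unsigned int id)
{
	if (id >= sizeof(d->stream_prepared) / sizeof(d->stream_prepared[0]))
		return -EINVAL;
	if (!d->stream_prepared[id])
		return 0;
	d->stream_prepared[id] = false;
	return 1;
}

/* Run the checked path on the reported id and a valid one; returns flag 3 afterwards. */
static int demo(int *rc_bad, int *rc_ok)
{
	struct card_data d = { .stream_prepared = { [3] = true } };	/* constructed state */
	*rc_bad = stream_unprepare(&d, REPORTED_DAI_ID);
	*rc_ok = stream_unprepare(&d, 3);
	return d.stream_prepared[3];
}

int main(void)
{
	int bad, ok, flag = demo(&bad, &ok);
	printf("id 105: %d, id 3: %d, flag 3 now: %d, unchecked write would hit guard[%ld]\n",
	       bad, ok, flag, overrun_offset(REPORTED_DAI_ID));
	return 0;
}
```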