The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real DAI ID, not an index into v->dai_driver. Looking it up again seems entirely redundant. For IPQ806x (and SC7180 since commit 09a4f6f5d21c ("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is now often an out-of-bounds read because the indexes in the "dai_driver" array no longer match the actual DAI ID. Cc: Srinivasa Rao Mandadapu <srivasam@xxxxxxxxxxxxxx> Cc: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx> Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver") Signed-off-by: Stephan Gerhold <stephan@xxxxxxxxxxx> --- Changes in v2: - Extracted from https://lore.kernel.org/alsa-devel/20210114094615.58191-2-stephan@xxxxxxxxxxx/ - Change commit message to clarify that this is usually not just redundant now but actually a broken out-of-bounds lookup. --- sound/soc/qcom/lpass-lpaif-reg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/qcom/lpass-lpaif-reg.h b/sound/soc/qcom/lpass-lpaif-reg.h index 405542832e99..baf72f124ea9 100644 --- a/sound/soc/qcom/lpass-lpaif-reg.h +++ b/sound/soc/qcom/lpass-lpaif-reg.h @@ -133,7 +133,7 @@ #define LPAIF_WRDMAPERCNT_REG(v, chan) LPAIF_WRDMA_REG_ADDR(v, 0x14, (chan)) #define LPAIF_INTFDMA_REG(v, chan, reg, dai_id) \ - ((v->dai_driver[dai_id].id == LPASS_DP_RX) ? \ + ((dai_id == LPASS_DP_RX) ? \ LPAIF_HDMI_RDMA##reg##_REG(v, chan) : \ LPAIF_RDMA##reg##_REG(v, chan)) -- 2.30.0