The bug is here: mt8195_etdm_hw_params_fixup(runtime, params); For the for_each_card_rtds(), just like list_for_each_entry(), the list iterator 'runtime' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to a invalid memory access. To fix the bug, use a new variable 'iter' as the list iterator, while use the original variable 'runtime' as a dedicated pointer to point to the found element. Cc: stable@xxxxxxxxxxxxxxx Fixes: 3d00d2c07f04f ("ASoC: mediatek: mt8195: add sof support on mt8195-mt6359-rt1019-rt5682") Signed-off-by: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx> --- .../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c index 29c2d3407cc7..dc91877e4c3c 100644 --- a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c +++ b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c @@ -814,7 +814,7 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd, { struct snd_soc_card *card = rtd->card; struct snd_soc_dai_link *sof_dai_link = NULL; - struct snd_soc_pcm_runtime *runtime; + struct snd_soc_pcm_runtime *runtime = NULL, *iter; struct snd_soc_dai *cpu_dai; int i, j, ret = 0; @@ -824,16 +824,17 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd, if (strcmp(rtd->dai_link->name, conn->normal_link)) continue; - for_each_card_rtds(card, runtime) { - if (strcmp(runtime->dai_link->name, conn->sof_link)) + for_each_card_rtds(card, iter) { + if (strcmp(iter->dai_link->name, conn->sof_link)) continue; - for_each_rtd_cpu_dais(runtime, j, cpu_dai) { + for_each_rtd_cpu_dais(iter, j, cpu_dai) { if (cpu_dai->stream_active[conn->stream_dir] > 0) { - sof_dai_link = runtime->dai_link; + sof_dai_link = iter->dai_link; break; } } + runtime = iter; break; } @@ -845,7 +846,8 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd, if (!strcmp(rtd->dai_link->name, "ETDM2_IN_BE") || !strcmp(rtd->dai_link->name, "ETDM1_OUT_BE")) { - mt8195_etdm_hw_params_fixup(runtime, params); + if (runtime) + mt8195_etdm_hw_params_fixup(runtime, params); } return ret; -- 2.17.1