From 112acab47d561ee7d135ee0516623802bd0a74ca Mon Sep 17 00:00:00 2001 From: Sugar Zhang Date: Tue, 9 Aug 2022 10:27:33 +0800 Subject: [PATCH] ASoC: dmaengine: Fix NULL pointer reference Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 Internal error: Oops: 96000005 [#1] PREEMPT SMP Modules linked in: bcmdhd dhd_static_buf r8168 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.110 #470 Hardware name: Rockchip RK3588 EVB1 LP4 V10 Board (DT) pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--) pc : dmaengine_pcm_dma_complete+0x44/0xdc lr : pl330_tasklet+0xd4/0x2d0 sp : ffffffc01249bdf0 x29: ffffffc01249bdf0 x28: 0000000000000000 x27: ffffff8102c8c608 x26: 0000000000000002 x25: ffffff8102c8c608 x24: ffffff8102d4c600 x23: ffffff81018868c0 x22: ffffff8102c8c618 x21: 0000000000000000 x20: ffffffc010f238ec x19: ffffff8102c8c560 x18: ffffffc012491048 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 000000000007fcc4 x13: 0000000000000004 x12: 0000000a7e22d2ff x11: 0000000000004007 x10: 0000000000000000 x9 : 0000000000003000 x8 : ffffff8030b7d480 x7 : 000000b2b5593519 x6 : 00000000003033ff x5 : 0000000000000000 x4 : 0000000000bb82b6 x3 : ffffff8102c90b28 x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff8102d4c600 Call trace: dmaengine_pcm_dma_complete+0x44/0xdc pl330_tasklet+0xd4/0x2d0 tasklet_action_common+0x11c/0x414 tasklet_action+0x28/0x38 _stext+0x108/0x408 __irq_exit_rcu+0xc0/0xc4 irq_exit+0x14/0x28 __handle_domain_irq+0x84/0xd0 gic_handle_irq+0x78/0x154 el1_irq+0xe4/0x1c0 cpuidle_enter_state+0x200/0x3b8 cpuidle_enter+0x3c/0x58 cpuidle_idle_call+0x158/0x238 do_idle+0xac/0xfc cpu_startup_entry+0x28/0x2c rest_init+0xd8/0xec arch_call_rest_init+0x14/0x24 start_kernel+0x3d8/0x500 Signed-off-by: Sugar Zhang Change-Id: Ib3d3ac842d3cd249c8cc6f516178031400dbc307 --- sound/core/pcm_dmaengine.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c
index c9314c9e87f1..c54dce1e6aef 100644
--- a/sound/core/pcm_dmaengine.c
+++ b/sound/core/pcm_dmaengine.c
@@ -18,6 +18,7 @@
 #include
 #include
+#include "pcm_local.h"
 struct dmaengine_pcm_runtime_data {
 struct dma_chan *dma_chan;
@@ -133,11 +134,20 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data);
 static void dmaengine_pcm_dma_complete(void *arg)
 {
 struct snd_pcm_substream *substream = arg;
- struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream);
+ struct dmaengine_pcm_runtime_data *prtd;
+
+ snd_pcm_stream_lock_irq(substream);
+ if (PCM_RUNTIME_CHECK(substream)) {
+ snd_pcm_stream_unlock_irq(substream);
+ return;
+ }
+
+ prtd = substream_to_prtd(substream);
 prtd->pos += snd_pcm_lib_period_bytes(substream);
 if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))
 prtd->pos = 0;
+ snd_pcm_stream_unlock_irq(substream);
 snd_pcm_period_elapsed(substream);
 }
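Review bot: The added `snd_pcm_stream_lock_irq()` / `snd_pcm_stream_unlock_irq()` pair in dmaengine_pcm_dma_complete() re-enables interrupts unconditionally on unlock, yet this is a DMA completion callback whose calling context is chosen by the DMA driver (a tasklet in the quoted trace, possibly with IRQs already off under another controller). The state-preserving form is safer: declare `unsigned long flags;` and use `snd_pcm_stream_lock_irqsave(substream, flags);` with `snd_pcm_stream_unlock_irqrestore(substream, flags);` on both exit paths. Separately, the check only covers `substream->runtime` being NULL while the lock is held; it closes the race only if the teardown path clears `runtime` and frees the private data behind `substream_to_prtd()` under that same lock, which is not visible in this hunk, so terminating and synchronizing the DMA channel before the runtime is released looks like the more complete fix. If `PCM_RUNTIME_CHECK()` is the `snd_BUG_ON()`-based macro from pcm_local.h, this now-expected condition will also log a warning on debug builds, and a plain `if (!substream->runtime)` test may be preferable.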