From 4d361285925613516560f81f8c7fc96b89c8b1a8 Mon Sep 17 00:00:00 2001
From: Akinobu Mita <akinobu.mita@gmail.com>
Date: Thu, 23 Nov 2006 12:03:24 +0100
Subject: [ALSA] sound: fix PCM substream list

If snd_pcm_new_stream() fails to initalize a substream (if
snd_pcm_substream_proc_init() returns error), snd_pcm_new_stream()
immediately return without unlinking that kfree()d substram.
It causes oops when snd_pcm_free() iterates the list of substream to
free them by invalid reference.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
---
 sound/core/pcm.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'sound/core')

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 5ac6e19ccb41..8e0189885516 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -640,6 +640,10 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count)
 		err = snd_pcm_substream_proc_init(substream);
 		if (err < 0) {
 			snd_printk(KERN_ERR "Error in snd_pcm_stream_proc_init\n");
+			if (prev == NULL)
+				pstr->substream = NULL;
+			else
+				prev->next = NULL;
 			kfree(substream);
 			return err;
 		}
-- 
cgit v1.2.3-70-g09d2