[ALSA] sound: fix PCM substream list

If snd_pcm_new_stream() fails to initalize a substream (if
snd_pcm_substream_proc_init() returns error), snd_pcm_new_stream()
immediately return without unlinking that kfree()d substram.
It causes oops when snd_pcm_free() iterates the list of substream to
free them by invalid reference.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 5ac6e19..8e01898 100644 (file)
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -640,6 +640,10 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count)
                err = snd_pcm_substream_proc_init(substream);
                if (err < 0) {
                        snd_printk(KERN_ERR "Error in snd_pcm_stream_proc_init\n");
+                       if (prev == NULL)
+                               pstr->substream = NULL;
+                       else
+                               prev->next = NULL;
                        kfree(substream);
                        return err;
                }