If the timer object is created without the card for entries "SNDRV_TIMER_CLASS_CARD" and "SNDRV_TIMER_CLASS_PCM", then while reading the sound info entry in function "snd_timer_proc_read" the card information is directly dereferenced without checking for NULL and hence kernel panic occur. So as preventive measure while the creating the sound timer object is created the card information availability is checked for the mentioned entries and returned error if its NULL.
Signed-off-by: Srikanth K H srikanth.h@samsung.com --- sound/core/timer.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/sound/core/timer.c b/sound/core/timer.c index c7be4f1..06f734f 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -883,6 +883,11 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
if (snd_BUG_ON(!tid)) return -EINVAL; + if (tid->dev_class == SNDRV_TIMER_CLASS_CARD || + tid->dev_class == SNDRV_TIMER_CLASS_PCM) { + if (WARN_ON(!card)) + return -EINVAL; + } if (rtimer) *rtimer = NULL; timer = kzalloc(sizeof(*timer), GFP_KERNEL); @@ -1192,12 +1197,10 @@ static void snd_timer_proc_read(struct snd_info_entry *entry, break; case SNDRV_TIMER_CLASS_CARD: snd_iprintf(buffer, "C%i-%i: ", - timer->card ? timer->card->number : -1, - timer->tmr_device); + timer->card->number, timer->tmr_device); break; case SNDRV_TIMER_CLASS_PCM: - snd_iprintf(buffer, "P%i-%i-%i: ", - timer->card ? timer->card->number : -1, + snd_iprintf(buffer, "P%i-%i-%i: ", timer->card->number, timer->tmr_device, timer->tmr_subdevice); break; default: