Function snd_pcm_create() will return a negative number when it fails to create a new PCM instance, thus its return value shall be checked before further manipulations of the created PCM. But in function lx_pcm_create(), at sound/pci/lx6464es/lx6464es.c:839, there is no checking of the return value of lx_pcm_create() at line 853, which may trigger an invalid memory access error when dereferencing variable pcm at line 856.

The related code in lx_pcm_create() is as follows.

lx_pcm_create @@sound/pci/lx6464es/lx6464es.c:853
853         err = snd_pcm_new(chip->card, (char *)card_name, 0,
854                           1, 1, &pcm);
855
856         pcm->private_data = chip;

Generally, the return value of snd_pcm_create() shall be checked to make sure that the PCM instance is created successfully, like the following code from the same device driver.

snd_azf3328_pcm @@sound/pci/azt3328.c:2225
2225        err = snd_pcm_new(chip->card, "AZF3328 DSP", AZF_PCMDEV_STD,
2226                          1, 1, &pcm);
2227        if (err < 0)
2228                return err;
2229        snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK,
2230                        &snd_azf3328_playback_ops);

Thank you
RUC_Soft_Sec
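The pattern the report describes, reduced to a stand-alone C program (an added example, not code from the lx6464es driver or the ALSA core): a mock snd_pcm_new() with the real function's shape (negative errno on failure, out-pointer left untouched) is called by two versions of a hypothetical lx_pcm_create(), one that dereferences pcm without looking at err, as the driver does at line 856, and one that propagates the error first, as azt3328.c does. The struct definitions, the mock, and the toggle mock_pcm_new_fails are assumptions for the example only.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the ALSA types lx_pcm_create() touches; assumptions, not the kernel headers. */
struct snd_card { const char *name; };
struct snd_pcm { struct snd_card *card; void *private_data; };
struct lx6464es { struct snd_card *card; struct snd_pcm *pcm; };

/* Set to true to make the mock snd_pcm_new() fail, as the real one does on allocation failure. */
static bool mock_pcm_new_fails;

/* Mock of snd_pcm_new(): returns -ENOMEM on failure and leaves *rpcm untouched,
 * so a caller that initialised pcm to NULL still holds NULL afterwards. */
static int snd_pcm_new(struct snd_card *card, const char *id, int device,
                       int playback_count, int capture_count, struct snd_pcm **rpcm)
{
    (void)id; (void)device; (void)playback_count; (void)capture_count;
    if (mock_pcm_new_fails)
        return -ENOMEM;
    struct snd_pcm *pcm = calloc(1, sizeof(*pcm));
    if (!pcm)
        return -ENOMEM;
    pcm->card = card;
    *rpcm = pcm;
    return 0;
}

/* Buggy shape from the report: pcm is dereferenced whatever err holds.
 * With mock_pcm_new_fails == true this is a NULL pointer dereference. */
static int lx_pcm_create_unchecked(struct lx6464es *chip)
{
    struct snd_pcm *pcm = NULL;
    int err = snd_pcm_new(chip->card, "lx6464es", 0, 1, 1, &pcm);

    pcm->private_data = chip;   /* crashes when err < 0 */
    chip->pcm = pcm;
    return err;
}

/* Fixed shape: bail out on error before pcm is touched. */
static int lx_pcm_create_checked(struct lx6464es *chip)
{
    struct snd_pcm *pcm = NULL;
    int err = snd_pcm_new(chip->card, "lx6464es", 0, 1, 1, &pcm);

    if (err < 0)
        return err;
    pcm->private_data = chip;
    chip->pcm = pcm;
    return 0;
}

/* Run the checked version against the mock; 0 when creation succeeded and
 * private_data points back at chip, the propagated errno otherwise. */
static int run_checked(bool fail)
{
    struct snd_card card = { .name = "mock" };
    struct lx6464es chip = { .card = &card, .pcm = NULL };
    mock_pcm_new_fails = fail;
    int err = lx_pcm_create_checked(&chip);
    if (err == 0) {
        int ok = chip.pcm && chip.pcm->private_data == &chip;
        free(chip.pcm);
        return ok ? 0 : -1;
    }
    return err;
}

/* The unchecked version can only be exercised on the success path;
 * run_unchecked(true) would dereference NULL and is deliberately not offered. */
static int run_unchecked_success(void)
{
    struct snd_card card = { .name = "mock" };
    struct lx6464es chip = { .card = &card, .pcm = NULL };
    mock_pcm_new_fails = false;
    int err = lx_pcm_create_unchecked(&chip);
    free(chip.pcm);
    return err;
}

int main(void)
{
    printf("checked, allocation ok:   %d\n", run_checked(false));   /* 0 */
    printf("checked, allocation fail: %d\n", run_checked(true));    /* -ENOMEM */
    printf("unchecked, allocation ok: %d\n", run_unchecked_success());
    return 0;
}
```

The point the test pins down is that the checked variant turns an allocation failure into a clean -ENOMEM for the caller to unwind, while the unchecked variant has no defined behaviour on that path at all.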
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you
RUC_Soft_Sec
This does look like a bug in the lx6464es.c sound driver. If you'd like to fix it, you can try sending a patch to Jaroslav Kysela <perex@perex.cz> and Takashi Iwai <tiwai@suse.de> (maintainers of the sound system).
Yes, it looks like a real bug. I fixed it now in the sound git tree. Thanks.
A patch referencing this bug report has been merged in Linux v3.6-rc3:

commit 3bdcff70b6cd049e6f4437b955850f5db83653cc
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Aug 14 17:42:11 2012 +0200

    ALSA: lx6464es: Add a missing error check