Function snd_pcm_create() will return a negative number when it fails to create a new PCM instance, thus its return value shall be checked before further manipulation of the created PCM. But in function poseidon_audio_init(), at drivers/media/video/tlg2300/pd-alsa.c:296, there is no check of the return value of snd_pcm_create() at line 307, which may trigger an invalid memory access error when dereferencing variable pcm in function snd_pcm_set_ops(), called at line 308. The related code in function poseidon_audio_init() is as follows.

    307     ret = snd_pcm_new(card, "poseidon audio", 0, 0, 1, &pcm);
    308     snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, &pcm_capture_ops);
    309     pcm->info_flags = 0;

Generally, the return value of snd_pcm_create() shall be checked to make sure that the PCM instance is created successfully, like the following code from the same device driver.

    em28xx_audio_init @@ drivers/media/video/em28xx/em28xx-audio.c:473
    473     err = snd_pcm_new(card, "Em28xx Audio", 0, 0, 1, &pcm);
    474     if (err < 0) {
    475             snd_card_free(card);
    476             return err;
    477     }
    478
    479     snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, &snd_em28xx_pcm_capture);
    480     pcm->info_flags = 0;

Thank you
RUC_Soft_Sec
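The two call sequences above, modelled in a small C program so the failure path can actually be exercised. This is an added illustration, not code from the tlg2300 or em28xx drivers and not the contents of any merged patch: fake_snd_card_new(), fake_snd_card_free(), fake_snd_pcm_new() and fake_snd_pcm_set_ops() are constructed stand-ins that keep only the contract the report depends on (the constructor clears the caller's pointer, returns a negative errno on failure and hands back an instance only on success; snd_pcm_set_ops() dereferences its argument). The stand-in for snd_pcm_set_ops() counts a NULL argument instead of oopsing, and the unchecked variant stops at that call because the following pcm->info_flags write could not be trapped the same way.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the ALSA objects the driver touches; not the
 * real <sound/pcm.h> types.  Only the contract the report relies on is kept. */
struct snd_pcm_ops { const char *name; };
struct snd_pcm {
    unsigned int info_flags;
    const struct snd_pcm_ops *ops;
};
struct snd_card { struct snd_pcm *pcm; };

static const struct snd_pcm_ops pcm_capture_ops = { "poseidon capture" };

/* Fault injection: when set, the next fake_snd_pcm_new() fails with -ENOMEM. */
static int inject_pcm_new_failure;
/* Bookkeeping for the checks: live card allocations and trapped NULL uses. */
static int live_cards;
static int null_pcm_uses;

static struct snd_card *fake_snd_card_new(void)
{
    struct snd_card *card = calloc(1, sizeof *card);
    if (card)
        live_cards++;
    return card;
}

static void fake_snd_card_free(struct snd_card *card)
{
    if (!card)
        return;
    free(card->pcm);            /* the card owns its PCM instance, as in ALSA */
    free(card);
    live_cards--;
}

/* Mirrors snd_pcm_new()'s contract: *rpcm is cleared first, the instance is
 * attached to the card and returned only on success, failures are -errno. */
static int fake_snd_pcm_new(struct snd_card *card, struct snd_pcm **rpcm)
{
    struct snd_pcm *pcm;

    if (rpcm)
        *rpcm = NULL;
    if (inject_pcm_new_failure) {
        inject_pcm_new_failure = 0;
        return -ENOMEM;
    }
    pcm = calloc(1, sizeof *pcm);
    if (!pcm)
        return -ENOMEM;
    card->pcm = pcm;
    if (rpcm)
        *rpcm = pcm;
    return 0;
}

/* Stands in for snd_pcm_set_ops().  The real function dereferences pcm
 * unconditionally; here a NULL pcm is counted instead of crashing. */
static void fake_snd_pcm_set_ops(struct snd_pcm *pcm, const struct snd_pcm_ops *ops)
{
    if (!pcm) {
        null_pcm_uses++;
        return;
    }
    pcm->ops = ops;
}

/* The flow from the report: the constructor's result is ignored and pcm is
 * used regardless.  Under injected failure pcm is NULL when it is used. */
static int audio_init_unchecked(struct snd_card *card)
{
    struct snd_pcm *pcm;
    int ret;

    ret = fake_snd_pcm_new(card, &pcm);
    fake_snd_pcm_set_ops(pcm, &pcm_capture_ops);
    return ret;
}

/* The pattern the report recommends: check the result, release what was
 * created so far, and propagate the error to the caller. */
static int audio_init_checked(struct snd_card **out)
{
    struct snd_card *card;
    struct snd_pcm *pcm;
    int ret;

    *out = NULL;
    card = fake_snd_card_new();
    if (!card)
        return -ENOMEM;
    ret = fake_snd_pcm_new(card, &pcm);
    if (ret < 0) {
        fake_snd_card_free(card);
        return ret;
    }
    fake_snd_pcm_set_ops(pcm, &pcm_capture_ops);
    pcm->info_flags = 0;
    *out = card;
    return 0;
}

int main(void)
{
    struct snd_card *card = fake_snd_card_new();

    inject_pcm_new_failure = 1;
    audio_init_unchecked(card);
    printf("unchecked init under failure: NULL pcm used %d time(s)\n", null_pcm_uses);
    fake_snd_card_free(card);

    inject_pcm_new_failure = 1;
    printf("checked init under failure: ret=%d, live cards=%d\n",
           audio_init_checked(&card), live_cards);
    return 0;
}
```

The injected failure is the only way to reach the path in a test; in the real driver snd_pcm_new() fails on allocation failure, which is why the bug is real but rarely hit.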
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you
RUC_Soft_Sec
Real bug - albeit one probably near impossible to hit
A patch referencing this bug report has been merged in Linux v3.7-rc1:

commit da35de640a0e9c805aba70439f524234890b96c5
Author: Alan Cox <alan@linux.intel.com>
Date:   Tue Sep 4 10:43:26 2012 -0300

    [media] tlg2300: fix missing check for audio creation