Function snd_ctl_new1() creates a control instance from a template and returns the newly allocated instance, or NULL on failure, so its return value must be checked against NULL before it is used. There is no such check after either call to snd_ctl_new1() in snd_ac97_cvol_new() (defined in sound/pci/ac97/ac97_codec.c). The related code follows. snd_ctl_new1() is called at lines 1267 and 1272 and neither return value is checked; a NULL kctl is then passed to set_tlv_db_scale() at line 1275 or 1277, which dereferences it, and on to snd_ctl_add() at line 1278.

snd_ac97_cvol_new() @@ sound/pci/ac97/ac97_codec.c:1263
1263         if (hi_max) {
1264                 /* invert */
1265                 struct snd_kcontrol_new tmp = AC97_DOUBLE(name, reg, 8, 0, lo_max, 1);
1266                 tmp.index = ac97->num;
1267                 kctl = snd_ctl_new1(&tmp, ac97);
1268         } else {
1269                 /* invert */
1270                 struct snd_kcontrol_new tmp = AC97_SINGLE(name, reg, 0, lo_max, 1);
1271                 tmp.index = ac97->num;
1272                 kctl = snd_ctl_new1(&tmp, ac97);
1273         }
1274         if (reg >= AC97_PHONE && reg <= AC97_PCM)
1275                 set_tlv_db_scale(kctl, db_scale_5bit_12db_max);
1276         else
1277                 set_tlv_db_scale(kctl, find_db_scale(lo_max));
1278         err = snd_ctl_add(card, kctl);
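To make the failure mode concrete, the following is an added, self-contained example (not code from the kernel or from this report) that models the shape of snd_ac97_cvol_new() in user space. The snd_kcontrol types, the single-argument snd_ctl_new1() stand-in, the placeholder TLV table and the alloc_should_fail fault-injection knob are all assumptions made for this example; the kernel's real snd_ctl_new1() takes the template and a private-data pointer and returns NULL when its internal allocation fails. The unchecked function mirrors the reported code path; the checked one adds the NULL test and returns -ENOMEM, the conventional kernel result for a failed allocation.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the ALSA control structures, constructed for
 * this example; they are not the kernel's definitions. */
struct snd_kcontrol_new {
    const char *name;
    unsigned int index;
};

struct snd_kcontrol {
    char name[44];
    unsigned int index;
    const unsigned int *tlv;
};

/* Placeholder TLV table, standing in for db_scale_5bit_12db_max. */
static const unsigned int db_scale_5bit_12db_max[4] = { 0, 0, 0, 0 };

/* Hypothetical fault-injection knob: when non-zero the allocation inside
 * the snd_ctl_new1() stand-in fails, as kmalloc() can under memory pressure. */
int alloc_should_fail = 0;

/* Stand-in for snd_ctl_new1(): returns a fresh control, or NULL on failure. */
static struct snd_kcontrol *snd_ctl_new1(const struct snd_kcontrol_new *tmpl)
{
    struct snd_kcontrol *kctl;

    if (alloc_should_fail)
        return NULL;
    kctl = calloc(1, sizeof(*kctl));
    if (!kctl)
        return NULL;
    strncpy(kctl->name, tmpl->name, sizeof(kctl->name) - 1);
    kctl->index = tmpl->index;
    return kctl;
}

/* Writes through kctl unconditionally: a NULL kctl here is a NULL pointer
 * dereference, i.e. a kernel oops in the real driver. */
static void set_tlv_db_scale(struct snd_kcontrol *kctl, const unsigned int *tlv)
{
    kctl->tlv = tlv;
}

/* Stand-in for snd_ctl_add(): takes ownership of kctl; here it just frees it. */
static int snd_ctl_add(struct snd_kcontrol *kctl)
{
    free(kctl);
    return 0;
}

/* Shape of the reported code: the result of snd_ctl_new1() is used without
 * a NULL check, so an allocation failure crashes in set_tlv_db_scale().
 * Only safe to call while alloc_should_fail is 0. */
int cvol_new_unchecked(const char *name, unsigned int index)
{
    struct snd_kcontrol_new tmp = { name, index };
    struct snd_kcontrol *kctl = snd_ctl_new1(&tmp);

    set_tlv_db_scale(kctl, db_scale_5bit_12db_max);
    return snd_ctl_add(kctl);
}

/* Hardened form: test the pointer before it is used and report -ENOMEM,
 * so the caller can unwind instead of dereferencing NULL. */
int cvol_new_checked(const char *name, unsigned int index)
{
    struct snd_kcontrol_new tmp = { name, index };
    struct snd_kcontrol *kctl = snd_ctl_new1(&tmp);

    if (!kctl)
        return -ENOMEM;
    set_tlv_db_scale(kctl, db_scale_5bit_12db_max);
    return snd_ctl_add(kctl);
}
```

With alloc_should_fail set, cvol_new_checked() returns -ENOMEM and never touches the control, while cvol_new_unchecked() would fault on the first write through kctl; in the kernel that fault is the oops the missing check exposes.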
A patch referencing this bug report has been merged in Linux v3.7-rc2:

commit 733a48e5ae5bf28b046fad984d458c747cbb8c21
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Oct 11 16:43:40 2012 +0200

    ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new()