From: Akinobu Mita <akinobu.mita@gmail.com>

If snd_pcm_new_stream() fails to initalize a substream (if
snd_pcm_substream_proc_init() returns error), snd_pcm_new_stream()
immediately return without unlinking that kfree()d substram.

It causes oops when snd_pcm_free() iterates the list of substream to
free them by invalid reference.

Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 sound/core/pcm.c |    4 ++++
 1 file changed, 4 insertions(+)

diff -puN sound/core/pcm.c~sound-fix-pcm-substream-list sound/core/pcm.c
--- a/sound/core/pcm.c~sound-fix-pcm-substream-list
+++ a/sound/core/pcm.c
@@ -638,6 +638,10 @@ int snd_pcm_new_stream(struct snd_pcm *p
 		err = snd_pcm_substream_proc_init(substream);
 		if (err < 0) {
 			snd_printk(KERN_ERR "Error in snd_pcm_stream_proc_init\n");
+			if (prev == NULL)
+				pstr->substream = NULL;
+			else
+				prev->next = NULL;
 			kfree(substream);
 			return err;
 		}
_