From d10ee9c542365bdc0a7497306e21ff6c7f2172b0 Mon Sep 17 00:00:00 2001
From: Srikanth K H <srikanth.h@samsung.com>
Date: Fri, 20 Jul 2018 11:13:51 +0530
Subject: [PATCH] ALSA: timer: catch invalid timer object creation
Git-commit: d10ee9c542365bdc0a7497306e21ff6c7f2172b0
Patch-mainline: v4.19-rc1
References: bsc#1121278

A timer object for the classes SNDRV_TIMER_CLASS_CARD and
SNDRV_TIMER_CLASS_PCM has to be associated with a card object, but we
have no check at creation time.  Such a timer object with NULL card
causes various unexpected problems, e.g. NULL dereference at reading
the sound timer proc file.

So as preventive measure while the creating the sound timer object is
created the card information availability is checked for the mentioned
entries and returned error if its NULL.

Signed-off-by: Srikanth K H <srikanth.h@samsung.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

---
 sound/core/timer.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index b6f076bbc72d..61a0cec6e1f6 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -883,6 +883,11 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
 
 	if (snd_BUG_ON(!tid))
 		return -EINVAL;
+	if (tid->dev_class == SNDRV_TIMER_CLASS_CARD ||
+	    tid->dev_class == SNDRV_TIMER_CLASS_PCM) {
+		if (WARN_ON(!card))
+			return -EINVAL;
+	}
 	if (rtimer)
 		*rtimer = NULL;
 	timer = kzalloc(sizeof(*timer), GFP_KERNEL);
-- 
2.20.1