[PATCH] ALSA: pcm: Fix UAF in snd_pcm_post_stop

Next message: Colin Huang via B4 Relay: "[PATCH v2 2/3] Documentation/hwmon: add Delta E50SN12051 documentation"
Previous message: Jiping Ma: "[Question] Possible scheduler regression: occasional ~3ms wake-up to sched-switch delay in cyclictest on kernel 6.6 and 6.12"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: songxiebing

Date: Wed Apr 29 2026 - 23:00:38 EST

From: Bob Song <songxiebing@xxxxxxxxxx>

Syzbot reported use-after-free in snd_pcm_post_stop when
accessing runtime->sleep / runtime->state.

The runtime struct may have been freed already by io_uring
async operations, so check for NULL before accessing.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+e29d28728f38190cecfc@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/alsa-devel/00000000000060fb5d05f2203601@xxxxxxxxxx/
Signed-off-by: Bob Song <songxiebing@xxxxxxxxxx>
---
sound/core/pcm_native.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index a541bb235cfa..31ea23218d6a 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1561,6 +1561,10 @@ static void snd_pcm_post_stop(struct snd_pcm_substream *substream,
snd_pcm_state_t state)
{
struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (!runtime)
+ return;
+
if (runtime->state != state) {
snd_pcm_trigger_tstamp(substream);
__snd_pcm_set_state(runtime, state);
--
2.25.1