| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260208102058.9794-1-officialsohamkute@gmail.com>
Date: Sun, 8 Feb 2026 15:50:58 +0530
From: Soham Kute <officialsohamkute@...il.com>
To: tiwai@...e.com
Cc: perex@...ex.cz,
linux-sound@...r.kernel.org,
linux-kernel@...r.kernel.org,
Soham Kute <officialsohamkute@...il.com>,
syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com
Subject: [PATCH] ALSA: pcm: fix use-after-free in snd_pcm_post_stop
syzbot reported a slab-use-after-free in snd_pcm_post_stop() when the
PCM runtime may already be freed during teardown.
snd_pcm_post_stop() can be called after snd_pcm_detach_substream()
releases the runtime, leading to a use-after-free when accessing
runtime state and wait queues.
Add a defensive check to avoid dereferencing a freed runtime pointer.
Reported-by: syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com
Signed-off-by: Soham Kute <officialsohamkute@...il.com>
---
sound/core/pcm_native.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 932a9bf98..7b9e2aea5 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1542,6 +1542,10 @@ static void snd_pcm_post_stop(struct snd_pcm_substream *substream,
snd_pcm_state_t state)
{
struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (!runtime)
+ return;
+
if (runtime->state != state) {
snd_pcm_trigger_tstamp(substream);
__snd_pcm_set_state(runtime, state);
--
2.34.1
Powered by blists - more mailing lists