| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87o6lz6vj1.wl-tiwai@suse.de> Date: Sun, 08 Feb 2026 17:37:54 +0100 From: Takashi Iwai <tiwai@...e.de> To: Soham Kute <officialsohamkute@...il.com> Cc: tiwai@...e.com, perex@...ex.cz, linux-sound@...r.kernel.org, linux-kernel@...r.kernel.org, syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com Subject: Re: [PATCH] ALSA: pcm: fix use-after-free in snd_pcm_post_stop On Sun, 08 Feb 2026 11:20:58 +0100, Soham Kute wrote: > > syzbot reported a slab-use-after-free in snd_pcm_post_stop() when the > PCM runtime may already be freed during teardown. > > snd_pcm_post_stop() can be called after snd_pcm_detach_substream() > releases the runtime, leading to a use-after-free when accessing > runtime state and wait queues. > > Add a defensive check to avoid dereferencing a freed runtime pointer. > > Reported-by: syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com > > Signed-off-by: Soham Kute <officialsohamkute@...il.com> Thanks for the patch, but IMO it's rather a wrong "fix". It just papers over some place that had casually a NULL dereference due to a UAF. That is, this change itself is no fix for UAF, but just trying to avoid a casual Oops; more worse, it may still happen at another place if happening at a little bit different moment even if you plug like that. If any, we could put such a sanity check with WARN_ON() to indicate the obvious code flow error. But, still there is no much reason to put the check only here at this place. After all, the actual UAF must be fixed in the caller side. thanks, Takashi
Powered by blists - more mailing lists