| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87ecmu2rca.wl-tiwai@suse.de> Date: Mon, 09 Feb 2026 10:34:13 +0100 From: Takashi Iwai <tiwai@...e.de> To: Soham Kute <officialsohamkute@...il.com> Cc: tiwai@...e.com, perex@...ex.cz, linux-sound@...r.kernel.org, linux-kernel@...r.kernel.org, syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com Subject: Re: [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach On Sun, 08 Feb 2026 19:53:40 +0100, Soham Kute wrote: > > syzbot reported a slab use-after-free in snd_pcm_post_stop() caused by > snd_pcm_action() being invoked after snd_pcm_detach_substream() has > already freed the PCM runtime. > > The previous approach attempted to guard against NULL runtime access in > the post-action callback, which only masked the symptom. As pointed out > in review, this does not address the underlying lifetime issue. > > Fix the root cause by preventing snd_pcm_action() from running once the > substream runtime has been detached, ensuring that no PCM actions are > executed after teardown. > > Reported-by: syzbot+16b2b67ae905feb8a289@...kaller.appspotmail.com > > Signed-off-by: Soham Kute <officialsohamkute@...il.com> Thanks for the revised patch. This patch puts the check at a better place than the previous patch, but it's still misleading; this doesn't address the root cause at all. It's just plugging a hole at a middle point of the code path. I guess you're trying to fix the UAF report for aloop driver, and this was already addressed by the recent patch (included in 6.19). Please check whether you still see the problem with 6.19 release. thanks, Takashi
Powered by blists - more mailing lists