From: Soham Kute
To: tiwai@suse.com
Cc: perex@perex.cz, linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, Soham Kute, syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
Subject: [PATCH] ALSA: pcm: fix use-after-free in snd_pcm_post_stop
Date: Sun, 8 Feb 2026 15:50:58 +0530
Message-Id: <20260208102058.9794-1-officialsohamkute@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot reported a slab-use-after-free in snd_pcm_post_stop() when the PCM runtime may already be freed during teardown.

snd_pcm_post_stop() can be called after snd_pcm_detach_substream() releases the runtime, leading to a use-after-free when accessing runtime state and wait queues.

Add a defensive check to avoid dereferencing a freed runtime pointer.

Reported-by: syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
Signed-off-by: Soham Kute

--- sound/core/pcm_native.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index 932a9bf98..7b9e2aea5 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -1542,6 +1542,10 @@ static void snd_pcm_post_stop(struct snd_pcm_substre= am *substream, snd_pcm_state_t state) { struct snd_pcm_runtime *runtime =3D substream->runtime; + + if (!runtime) + return; + =09 if (runtime->state !=3D state) { snd_pcm_trigger_tstamp(substream); __snd_pcm_set_state(runtime, state); --=20 2.34.1
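Review bot: The added `if (!runtime) return;` at the top of snd_pcm_post_stop() only catches a NULL pointer, while the commit message describes a runtime that has already been freed. A freed object is not NULL unless the releasing path clears substream->runtime, and even then the test is only reliable if something serializes that clearing against this callback. Neither is stated in the message or visible in the hunk. As written, the load of substream->runtime and the later runtime->state access can still straddle the free, so the check narrows the window rather than closing it. Please say in the commit message which lock or reference keeps the runtime alive across the stop action, or move the fix to the caller so that the post-stop step cannot run once teardown has started. A Fixes: tag naming the commit that introduced the ordering problem would also help backporting. Style: the hunk adds a whitespace-only line (`+ =09`, a lone tab) before `if (runtime->state != state)`, which checkpatch will flag; drop it and keep a single blank line after the declaration.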