From: Soham Kute
To: tiwai@suse.com
Cc: perex@perex.cz, linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, Soham Kute, syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
Subject: [PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach
Date: Mon, 9 Feb 2026 00:23:40 +0530
Message-Id: <20260208185340.8379-1-officialsohamkute@gmail.com>

syzbot reported a slab use-after-free in snd_pcm_post_stop() caused by
snd_pcm_action() being invoked after snd_pcm_detach_substream() has
already freed the PCM runtime.

The previous approach attempted to guard against NULL runtime access in
the post-action callback, which only masked the symptom. As pointed out
in review, this does not address the underlying lifetime issue.

Fix the root cause by preventing snd_pcm_action() from running once the
substream runtime has been detached, ensuring that no PCM actions are
executed after teardown.

Reported-by: syzbot+16b2b67ae905feb8a289@syzkaller.appspotmail.com
Signed-off-by: Soham Kute
--- sound/core/pcm_native.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index 932a9bf98..a29dbbc21 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c 
@@ -1391,6 +1391,9 @@ static int snd_pcm_action(const struct action_ops *op= s, struct snd_pcm_group *group; int res; =20 + if (WARN_ON_ONCE(!substream->runtime)) + return 0; +=09 group =3D snd_pcm_stream_group_ref(substream); if (group) res =3D snd_pcm_action_group(ops, substream, state, true); --=20 2.34.1
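
Review bot: The !substream->runtime test added at the top of snd_pcm_action() is a one-shot check made before snd_pcm_stream_group_ref() and before any locking visible in this hunk, so it narrows the window the commit message describes but does not close it. A detach that frees the runtime after the test has passed still lets snd_pcm_action_group() and the post-action callbacks run on a stale pointer, and a NULL test only helps at all if the pointer is cleared before the free. To fix the lifetime issue, the check needs to sit under whatever serialises this path against snd_pcm_detach_substream(), or the racing caller needs to be stopped from reaching snd_pcm_action() after teardown; the commit message should name that caller and the lock involved. Smaller points on the same hunk: WARN_ON_ONCE() on a syzbot-reachable path will itself be reported on kernels running with panic_on_warn, so if this state is expected a plain test is the better fit; return 0 tells the caller the action succeeded when nothing ran, so a negative errno looks more appropriate; and the third added line contains only a tab, which checkpatch flags as trailing whitespace. The message refers to a previous approach and review feedback, so the subject should carry a version tag with a changelog below the --- line, and a Fixes: tag would help stable backporting.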