From: Bob Song <songxiebing@kylinos.cn>

Syzbot reported use-after-free in snd_pcm_post_stop when
accessing runtime->sleep / runtime->state.

The runtime struct may have been freed already by io_uring
async operations, so check for NULL before accessing.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+e29d28728f38190cecfc@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/alsa-devel/00000000000060fb5d05f2203601@google.com/
Signed-off-by: Bob Song <songxiebing@kylinos.cn>
---
 sound/core/pcm_native.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index a541bb235cfa..31ea23218d6a 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1561,6 +1561,10 @@ static void snd_pcm_post_stop(struct snd_pcm_substream *substream,
 			      snd_pcm_state_t state)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
+
+	if (!runtime)
+		return;
+
 	if (runtime->state != state) {
 		snd_pcm_trigger_tstamp(substream);
 		__snd_pcm_set_state(runtime, state);
-- 
2.25.1