Re: [PATCH] ALSA: pcm: Fix NULL dereference in import_ubuf() during exit
From: Takashi Iwai
Date: Tue May 26 2026 - 01:28:17 EST
On Tue, 26 May 2026 03:32:45 +0200,
Jiakai Xu wrote:
>
> snd_pcm_oss_sync() calls snd_pcm_lib_write(substream, NULL, size) to
> fill silence. The in_kernel flag is hard-coded to false by the wrapper,
> so do_transfer() falls through to import_ubuf() with a garbage pointer
> (NULL + frame_offset). When the process is in do_exit() and current->mm
> is already NULL, import_ubuf()'s access_ok() crashes dereferencing
> mm->context.pmlen.
>
> Add a NULL guard in do_transfer() to use iov_iter_kvec() with a dummy
> kvec for the fill_silence path, avoiding the import_ubuf() call. The
> fill_silence transfer function ignores the iov_iter, so the dummy kvec
> is safe.
>
> Fixes: cf393babb37a1 ("ALSA: pcm: Add copy ops with iov_iter")
> Signed-off-by: Jiakai Xu <xujiakai24@xxxxxxxxxxxxxxxx>
This is already fixed by the upstream commit e4d3386b74fb ("ALSA: pcm:
Don't setup bogus iov_iter for silencing").
thanks,
Takashi
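As an added illustration, the control-flow pitfall the quoted commit message describes, written as a user-space C model for this edit (not the ALSA kernel code and not part of the thread): adding frame_off to a NULL buffer yields a non-NULL pointer, so a guard has to test the caller's buffer before the offset is applied and before the user-buffer import runs. FRAME_BYTES, the `*_model` helpers and the -14 error value are constructed stand-ins for the kernel's frame size, import_ubuf()/access_ok() and -EFAULT.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FRAME_BYTES 4   /* constructed frame size for the model */
#define EFAULT_MODEL 14

/* Stand-in for import_ubuf(): the real one calls access_ok(), which reads
 * current->mm; mm_present == false models the do_exit() window where
 * current->mm is already NULL, and we return -EFAULT instead of oopsing. */
static int import_ubuf_model(const void *ubuf, bool mm_present)
{
    (void)ubuf;
    return mm_present ? 0 : -EFAULT_MODEL;
}

/* Original flow: frame_off is added before any NULL check, so a NULL buf
 * becomes a non-NULL garbage pointer and the user-buffer import still runs. */
static int do_transfer_unguarded(uint8_t *dst, const uint8_t *buf, size_t frame_off,
                                 size_t frames, bool in_kernel, bool mm_present)
{
    const void *src = (const void *)((uintptr_t)buf + frame_off * FRAME_BYTES);
    if (!in_kernel) {                   /* taken even for buf == NULL */
        int err = import_ubuf_model(src, mm_present);
        if (err)
            return err;
    }
    memset(dst, 0, frames * FRAME_BYTES);   /* fill_silence ignores the iterator */
    return 0;
}

/* Guarded flow: decide on the caller's buf, not the offset pointer, and take a
 * kernel-side (kvec-style) path for silence so import_ubuf() is never reached. */
static int do_transfer_guarded(uint8_t *dst, const uint8_t *buf, size_t frame_off,
                               size_t frames, bool in_kernel, bool mm_present)
{
    if (buf != NULL && !in_kernel) {
        int err = import_ubuf_model(buf + frame_off * FRAME_BYTES, mm_present);
        if (err)
            return err;
    }
    memset(dst, 0, frames * FRAME_BYTES);
    return 0;
}

/* Silence fill for a NULL buffer: returns the error, or 0 only if silence was written. */
static int silence_null_buf(bool guarded, bool mm_present)
{
    uint8_t dst[8];
    memset(dst, 0xff, sizeof dst);
    int err = guarded ? do_transfer_guarded(dst, NULL, 1, 2, false, mm_present)
                      : do_transfer_unguarded(dst, NULL, 1, 2, false, mm_present);
    return err ? err : (dst[0] | dst[7]);
}
```

With mm_present false, the unguarded path reports the fault that in the kernel is a NULL dereference, while the guarded path writes silence without ever importing a user buffer.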