[PATCH] ALSA: pcm: fix use-after-free in snd_pcm_post_stop

Next message: Mike Rapoport: "Re: [PATCH RFC 09/17] userfaultfd: introduce vm_uffd_ops-&gt;alloc_folio()"
Previous message: Biju Das: "RE: [PATCH] thermal: renesas: rzg3e: Drop unused kernel-doc comments"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: pcm: fix use-after-free in snd_pcm_post_stop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Soham Kute

Date: Sun Feb 08 2026 - 05:22:21 EST

syzbot reported a slab-use-after-free in snd_pcm_post_stop() when the
PCM runtime may already be freed during teardown.

snd_pcm_post_stop() can be called after snd_pcm_detach_substream()
releases the runtime, leading to a use-after-free when accessing
runtime state and wait queues.

Add a defensive check to avoid dereferencing a freed runtime pointer.

Reported-by: syzbot+16b2b67ae905feb8a289@xxxxxxxxxxxxxxxxxxxxxxxxx

Signed-off-by: Soham Kute <officialsohamkute@xxxxxxxxx>
---
sound/core/pcm_native.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 932a9bf98..7b9e2aea5 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1542,6 +1542,10 @@ static void snd_pcm_post_stop(struct snd_pcm_substream *substream,
snd_pcm_state_t state)
{
struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (!runtime)
+ return;
+
if (runtime->state != state) {
snd_pcm_trigger_tstamp(substream);
__snd_pcm_set_state(runtime, state);
--
2.34.1