[PATCH] ALSA: pcm: prevent snd_pcm_action after substream detach

From: Soham Kute

Date: Sun Feb 08 2026 - 13:54:40 EST


syzbot reported a slab use-after-free in snd_pcm_post_stop() caused by
snd_pcm_action() being invoked after snd_pcm_detach_substream() has
already freed the PCM runtime.

The previous approach attempted to guard against NULL runtime access in
the post-action callback, which only masked the symptom. As pointed out
in review, this does not address the underlying lifetime issue.

Fix the root cause by preventing snd_pcm_action() from running once the
substream runtime has been detached, ensuring that no PCM actions are
executed after teardown.

Reported-by: syzbot+16b2b67ae905feb8a289@xxxxxxxxxxxxxxxxxxxxxxxxx

Signed-off-by: Soham Kute <officialsohamkute@xxxxxxxxx>
---
sound/core/pcm_native.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 932a9bf98..a29dbbc21 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1391,6 +1391,9 @@ static int snd_pcm_action(const struct action_ops *ops,
struct snd_pcm_group *group;
int res;

+ if (WARN_ON_ONCE(!substream->runtime))
+ return 0;
+
group = snd_pcm_stream_group_ref(substream);
if (group)
res = snd_pcm_action_group(ops, substream, state, true);
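Review bot: The `!substream->runtime` test added at the top of snd_pcm_action() is a plain NULL check, and nothing in this hunk shows what serializes it against snd_pcm_detach_substream(). It only helps when the pointer has already been cleared before the test runs. If the detach and free happen after the test but before snd_pcm_action_group() or the single-stream path dereferences the runtime, the use-after-free is still reachable. This is the same kind of guard the commit message describes as masking the symptom, moved one level up. Please either state in a comment which lock, held by every caller, makes the check sufficient, or fix the caller that can still reach a substream after teardown. Two smaller points on the same lines: `return 0` reports success for an action that was skipped, so an error return would be more honest to callers. Also, WARN_ON_ONCE() on a path syzbot can already reach will fire as a new report under panic_on_warn, so a silent check is preferable if this state is expected to be reachable.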
--
2.34.1