kernel/sound/core/pcm_native.c, branch linux-rolling-lts

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

2026-03-19T15:08:22Z

commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream. In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released. Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly") Cc: stable@vger.kernel.org Signed-off-by: Mehul Rao Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman

ALSA: pcm: Revert bufs move in snd_pcm_xfern_frames_ioctl()

2026-03-04T12:21:35Z

[ Upstream commit 0585c53b21541cd6b17ad5ab41b371a0d52e358c ] When building with clang older than 17 targeting architectures that use asm goto for their get_user() and put_user(), such as arm64, after commit f3d233daf011 ("ALSA: pcm: Relax __free() variable declarations"), there are bogus errors around skipping over a variable declared with the cleanup attribute: sound/core/pcm_native.c:3308:6: error: cannot jump from this asm goto statement to one of its possible targets if (put_user(result, &_xfern->result)) ^ ... arch/arm64/include/asm/uaccess.h:298:2: note: expanded from macro '__put_mem_asm' asm goto( ^ sound/core/pcm_native.c:3295:6: note: possible target of asm goto statement if (put_user(0, &_xfern->result)) ^ ... sound/core/pcm_native.c:3300:8: note: jump exits scope of variable with __attribute__((cleanup)) void *bufs __free(kfree) = ^ clang-17 fixed a bug in clang's jump scope checker [1] where all labels in a function were checked as valid targets for all asm goto instances in a function, regardless of whether they were actual targets in a paricular asm goto's provided list of labels. To workaround this, revert the change done to snd_pcm_xfern_frames_ioctl() by commit f3d233daf011 ("ALSA: pcm: Relax __free() variable declarations") to avoid a variable declared with cleanup from existing between multiple uses of asm goto. There are no other uses of cleanup in this function so there should be low risk from moving this variable back to the top of the function. Link: https://github.com/ClangBuiltLinux/linux/issues/1886 [1] Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202512190802.i4Jzbcsl-lkp@intel.com/ Signed-off-by: Nathan Chancellor Link: https://patch.msgid.link/20260106-pcm_native-revert-var-move-free-for-old-clang-v1-1-06a03693423d@kernel.org Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin

ALSA: pcm: Relax __free() variable declarations

2026-02-26T22:59:11Z

[ Upstream commit f3d233daf011abbad2f6ebd0e545b42d2f378a4f ] We used to have a variable declaration with __free() initialized with NULL. This was to keep the old coding style rule, but recently it's relaxed and rather recommends to follow the new rule to declare in place of use for __free() -- which avoids potential deadlocks or UAFs with nested cleanups. Although the current code has no bug, per se, let's follow the new standard and move the declaration to the place of assignment (or directly assign the allocated result) instead of NULL initializations. Fixes: ae9213984864 ("ALSA: pcm: Use automatic cleanup of kfree()") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20251216140634.171890-4-tiwai@suse.de Signed-off-by: Sasha Levin

ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer

2026-01-23T10:21:23Z

commit 47c27c9c9c720bc93fdc69605d0ecd9382e99047 upstream. Handle the error code from snd_pcm_buffer_access_lock() in snd_pcm_runtime_buffer_set_silence() function. Found by Alexandros Panagiotou Fixes: 93a81ca06577 ("ALSA: pcm: Fix race of buffer access at PCM OSS layer") Cc: stable@vger.kernel.org # 6.15 Signed-off-by: Jaroslav Kysela Link: https://patch.msgid.link/20260107213642.332954-1-perex@perex.cz Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman

ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT

2025-09-16T09:35:21Z

snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. Due to synchronisations reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirq against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock. The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired. Disable softirqs before the lock is acquired on PREEMPT_RT. Reported-by: syzbot+10b4363fb0f46527f3f3@syzkaller.appspotmail.com Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Takashi Iwai

ALSA: pcm: Convert snd_pcm_sync_ptr() to user_access_begin/user_access_end()

2025-06-16T06:25:32Z

Now that snd_pcm_sync_ptr_get_user() and snd_pcm_sync_ptr_put_user() are converted to user_access_begin/user_access_end(), snd_pcm_sync_ptr_get_user() is more efficient than a raw get_user() followed by a copy_from_user(). And because copy_{to/from}_user() are generic functions focussed on transfer of big data blocks to/from user, snd_pcm_sync_ptr_put_user() is also more efficient for small amont of data. So use snd_pcm_sync_ptr_get_user() and snd_pcm_sync_ptr_put_user() in snd_pcm_sync_ptr() too. snd_pcm_ioctl_sync_ptr_buggy() is left as it is because the conversion wouldn't be straigh-forward due to the workaround it provides. Signed-off-by: Christophe Leroy Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/6ce6bc4da498ea7ea2be5f279b374370b1613b13.1749883041.git.christophe.leroy@csgroup.eu

ALSA: pcm: Replace [audio_]tstamp_[n]sec by struct __snd_timespec in struct snd_pcm_mmap_status32

2025-06-16T06:25:27Z

To match struct __snd_pcm_mmap_status and enable reuse of snd_pcm_sync_ptr_get_user() and snd_pcm_sync_ptr_put_user() by snd_pcm_sync_ptr() replace tstamp_sec and tstamp_nsec fields by a struct __snd_timespec in struct snd_pcm_mmap_status32. Do the same with audio_tstamp_sec and audio_tstamp_nsec. This is possible because struct snd_pcm_mmap_status32 is packed and __SND_STRUCT_TIME64 is always defined for kernel which means struct __snd_timespec is always defined as: struct __snd_timespec { __s32 tv_sec; __s32 tv_nsec; }; Signed-off-by: Christophe Leroy Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/df8ea1a9aff61c3e358759b1f495bdb9fb8a3e6a.1749883041.git.christophe.leroy@csgroup.eu

ALSA: pcm: Convert SNDRV_PCM_IOCTL_SYNC_PTR to user_access_begin/user_access_end()

2025-06-14T11:40:14Z

With user access protection (Called SMAP on x86 or KUAP on powerpc) each and every call to get_user() or put_user() performs heavy operations to unlock and lock kernel access to userspace. SNDRV_PCM_IOCTL_SYNC_PTR is a hot path which is called really often and needs to run as fast as possible. To improve performance, perform user accesses by blocks using user_access_begin/user_access_end() and unsafe_get_user()/ unsafe_put_user(). Before the patch the 9 calls to put_user() at the end of snd_pcm_ioctl_sync_ptr_compat() imply the following set of instructions about 9 times (access_ok - enable user - write - disable user): 0.00 : c057f858: 3d 20 7f ff lis r9,32767 0.29 : c057f85c: 39 5e 00 14 addi r10,r30,20 0.77 : c057f860: 61 29 ff fc ori r9,r9,65532 0.32 : c057f864: 7c 0a 48 40 cmplw r10,r9 0.36 : c057f868: 41 a1 fb 58 bgt c057f3c0 0.30 : c057f86c: 3d 20 dc 00 lis r9,-9216 1.95 : c057f870: 7d 3a c3 a6 mtspr 794,r9 0.33 : c057f874: 92 8a 00 00 stw r20,0(r10) 0.27 : c057f878: 3d 20 de 00 lis r9,-8704 0.28 : c057f87c: 7d 3a c3 a6 mtspr 794,r9 ... A perf profile shows that in total the 9 put_user() represent 36% of the time spent in snd_pcm_ioctl() and about 80 instructions. With this patch everything is done in 13 instructions and represent only 15% of the time spent in snd_pcm_ioctl(): 0.57 : c057f5dc: 3d 20 dc 00 lis r9,-9216 0.98 : c057f5e0: 7d 3a c3 a6 mtspr 794,r9 0.16 : c057f5e4: 92 7f 00 04 stw r19,4(r31) 0.63 : c057f5e8: 93 df 00 0c stw r30,12(r31) 0.16 : c057f5ec: 93 9f 00 10 stw r28,16(r31) 4.95 : c057f5f0: 92 9f 00 14 stw r20,20(r31) 0.19 : c057f5f4: 92 5f 00 18 stw r18,24(r31) 0.49 : c057f5f8: 92 bf 00 1c stw r21,28(r31) 0.27 : c057f5fc: 93 7f 00 20 stw r27,32(r31) 5.88 : c057f600: 93 36 00 00 stw r25,0(r22) 0.11 : c057f604: 93 17 00 00 stw r24,0(r23) 0.00 : c057f608: 3d 20 de 00 lis r9,-8704 0.79 : c057f60c: 7d 3a c3 a6 mtspr 794,r9 Note that here the access_ok() in user_write_access_begin() is skipped because the exact same verification has already been performed at the beginning of the fonction with the call to user_read_access_begin(). Signed-off-by: Christophe Leroy Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/eccd047f2dfeb550129a1d60035e2233c4401d0c.1749883041.git.christophe.leroy@csgroup.eu

ALSA: pcm: refactor copy from/to user in SNDRV_PCM_IOCTL_SYNC_PTR

2025-06-14T11:40:14Z

In an effort of optimising SNDRV_PCM_IOCTL_SYNC_PTR ioctl which is a hot path, lets first refactor the copy from and to user with macros. This is done with macros and not static inline fonctions because types differs between the different versions of snd_pcm_sync_ptr() like functions. First step is to refactor only snd_pcm_ioctl_sync_ptr_compat() and snd_pcm_ioctl_sync_ptr_x32() as it would be a performance regression for snd_pcm_sync_ptr() and snd_pcm_ioctl_sync_ptr_buggy() for now. They may be refactored after next patch. Signed-off-by: Christophe Leroy Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/f8b77932bb9ce96148ae5c3953e7ee44fa2359f8.1749883041.git.christophe.leroy@csgroup.eu

ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop

2025-06-09T07:51:47Z

At the time being recalculate_boundary() is implemented with a loop which shows up as costly in a perf profile, as depicted by the annotate below: 0.00 : c057e934: 3d 40 7f ff lis r10,32767 0.03 : c057e938: 61 4a ff ff ori r10,r10,65535 0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10 5.39 : c057e940: 7d 3c 4b 78 mr r28,r9 2.11 : c057e944: 55 29 08 3c slwi r9,r9,1 3.04 : c057e948: 7c 09 50 40 cmplw r9,r10 2.47 : c057e94c: 40 81 ff f4 ble c057e940 Total: 13.2% on that simple loop. But what the loop does is to multiply the boundary by 2 until it is over the wanted border. This can be avoided by using fls() to get the boundary value order and shift it by the appropriate number of bits at once. This change provides the following profile: 0.04 : c057f6e8: 3d 20 7f ff lis r9,32767 0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535 0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9 0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10 0.02 : c057f6f8: 41 81 00 20 bgt c057f718 0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26 0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10 0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7 0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8 0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26 0.13 : c057f710: 40 80 05 f8 bge c057fd08 0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1 Total: 1.7% with that loopless alternative. Signed-off-by: Christophe Leroy Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu Signed-off-by: Takashi Iwai