Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream.

Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.
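The counting scheme the description outlines, shown as an added userspace model using pthreads; it is not the kernel patch or code from this record. The struct layout and the names `peer_stop_begin`, `peer_stop_finish`, `stop_job` and `run_model` are hypothetical, and `free_cable` here only borrows the name of the kernel function it models.

```c
#include <pthread.h>
#include <stdlib.h>

struct runtime { int running; };          /* stand-in for the peer's PCM runtime */
struct cable {
    pthread_mutex_t lock;                 /* models cable->lock */
    pthread_cond_t idle;                  /* signalled when stopping reaches 0 */
    struct runtime *capture;              /* models the capture slot in streams[] */
    int stopping, freed, stop_seen_live;  /* in-flight stops; test bookkeeping */
};
struct stop_job { struct cable *c; struct runtime *peer; };
/* Trigger path, step 1: look up the peer and count the stop under the lock. */
static struct runtime *peer_stop_begin(struct cable *c) {
    pthread_mutex_lock(&c->lock);
    struct runtime *peer = c->capture;
    if (peer) c->stopping++;
    pthread_mutex_unlock(&c->lock);
    return peer;
}
/* Trigger path, step 2: stop the peer with the lock dropped, then uncount. */
static void *peer_stop_finish(void *arg) {
    struct stop_job *j = arg;
    j->peer->running = 0;                 /* stands in for snd_pcm_stop() */
    pthread_mutex_lock(&j->c->lock);
    j->c->stop_seen_live = !j->c->freed;  /* was the runtime still allocated? */
    if (--j->c->stopping == 0) pthread_cond_broadcast(&j->c->idle);
    pthread_mutex_unlock(&j->c->lock);
    return NULL;
}
/* Close path: clear the slot, wait out counted stops, only then free. */
static void free_cable(struct cable *c) {
    pthread_mutex_lock(&c->lock);
    struct runtime *rt = c->capture;
    c->capture = NULL;                    /* later lookups find no peer */
    while (c->stopping > 0) pthread_cond_wait(&c->idle, &c->lock);
    c->freed = 1;
    pthread_mutex_unlock(&c->lock);
    free(rt);
}
/* Constructed scenario: a stop is already counted when the close starts. */
int run_model(void) {
    struct cable c = { .lock = PTHREAD_MUTEX_INITIALIZER, .idle = PTHREAD_COND_INITIALIZER,
                       .capture = calloc(1, sizeof(struct runtime)) };
    struct stop_job job = { &c, peer_stop_begin(&c) };
    pthread_t t;
    if (!job.peer || pthread_create(&t, NULL, peer_stop_finish, &job)) { free(c.capture); return 0; }
    free_cable(&c);                       /* concurrent close must block here */
    pthread_join(t, NULL);
    return c.stop_seen_live && c.stopping == 0 && c.capture == NULL;
}
int main(void) { return run_model() ? 0 : 1; }
```

Removing the `while (c->stopping > 0)` wait reproduces the lifetime gap in this model: `free(rt)` can then run before `peer_stop_finish()` writes through its saved pointer.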
Product status
597603d615d2b19a9e451d8cfac24372856a522d (git) before 03f52a9c170431e8f10e156b9dc0dae80b3e9198
597603d615d2b19a9e451d8cfac24372856a522d (git) before bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c
597603d615d2b19a9e451d8cfac24372856a522d (git) before 5d45e34bf001344e2966dabca1897561bbc9e913
597603d615d2b19a9e451d8cfac24372856a522d (git) before e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
2.6.37
Any version before 2.6.37
6.12.88 (semver)
6.18.27 (semver)
7.0.4 (semver)
7.1-rc2 (original_commit_for_fix)
References
git.kernel.org/...c/03f52a9c170431e8f10e156b9dc0dae80b3e9198
git.kernel.org/...c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c
git.kernel.org/...c/5d45e34bf001344e2966dabca1897561bbc9e913
git.kernel.org/...c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff