From: Cássio Gabriel Date: Fri, 5 Jun 2026 15:48:27 +0000 (-0300) Subject: ALSA: pcm: Fix unlocked runtime state reads in xfer ioctls X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98fe3988a2efe89a1a1ded213a0561e6543e94e2;p=thirdparty%2Flinux.git ALSA: pcm: Fix unlocked runtime state reads in xfer ioctls The recent runtime state locking cleanup converted several PCM ioctl state checks to snd_pcm_get_state(), including snd_pcm_pre_prepare(), snd_pcm_drain() and snd_pcm_kernel_ioctl(). The native and compat xfer ioctl paths still sample runtime->state directly before dispatching to the PCM transfer helpers, and snd_pcm_common_ioctl() still samples the DISCONNECTED state directly in its common precheck. Use snd_pcm_get_state() for those ioctl-side prechecks as well. This keeps the externally visible ioctl entry checks consistent with the stream-locked state access used by the recent PCM state-read cleanup. Fixes: 032322b44c02 ("ALSA: pcm: oss: use proper stream lock for runtime->state access") Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260605-alsa-pcm-xfer-state-helper-v1-1-eba97cecf820@gmail.com Signed-off-by: Takashi Iwai --- diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c index 5313f50f17da..55ecf87586c4 100644 --- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c @@ -293,7 +293,7 @@ static int snd_pcm_ioctl_xferi_compat(struct snd_pcm_substream *substream, return -ENOTTY; if (substream->stream != dir) return -EINVAL; - if (substream->runtime->state == SNDRV_PCM_STATE_OPEN) + if (snd_pcm_get_state(substream) == SNDRV_PCM_STATE_OPEN) return -EBADFD; if (get_user(buf, &data32->buf) || @@ -338,7 +338,7 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream, return -ENOTTY; if (substream->stream != dir) return -EINVAL; - if (substream->runtime->state == SNDRV_PCM_STATE_OPEN) + if (snd_pcm_get_state(substream) == SNDRV_PCM_STATE_OPEN) return -EBADFD; ch = substream->runtime->channels; diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index 50da38b141cb..cf9a074c6ce0 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -3306,10 +3306,9 @@ static int snd_pcm_xferi_frames_ioctl(struct snd_pcm_substream *substream, struct snd_xferi __user *_xferi) { struct snd_xferi xferi; - struct snd_pcm_runtime *runtime = substream->runtime; snd_pcm_sframes_t result; - if (runtime->state == SNDRV_PCM_STATE_OPEN) + if (snd_pcm_get_state(substream) == SNDRV_PCM_STATE_OPEN) return -EBADFD; if (put_user(0, &_xferi->result)) return -EFAULT; @@ -3332,7 +3331,7 @@ static int snd_pcm_xfern_frames_ioctl(struct snd_pcm_substream *substream, void *bufs __free(kfree) = NULL; snd_pcm_sframes_t result; - if (runtime->state == SNDRV_PCM_STATE_OPEN) + if (snd_pcm_get_state(substream) == SNDRV_PCM_STATE_OPEN) return -EBADFD; if (runtime->channels > 128) return -EINVAL; @@ -3395,7 +3394,7 @@ static int snd_pcm_common_ioctl(struct file *file, if (PCM_RUNTIME_CHECK(substream)) return -ENXIO; - if (substream->runtime->state == SNDRV_PCM_STATE_DISCONNECTED) + if (snd_pcm_get_state(substream) == SNDRV_PCM_STATE_DISCONNECTED) return -EBADFD; res = snd_power_wait(substream->pcm->card);