[Problem] A data race in snd_ctl_elem_add()
Gong, Sishuai
sishuai at purdue.edu
Thu Apr 15 03:47:14 CEST 2021
Hi,
We found a data race in sound/core/control.c in linux-5.12-rc3 and we are able to reproduce it under x86.
In general, we found that when 2 kernel threads are both running snd_ctl_elem_add(),
one may read a stale value of card->user_ctl_count, as shown below.
Currently, we haven’t found any explicit errors due to this data race, but it looks like the reader threads
may operate in an inconsistent state, where card->user_ctl_count + 1 is actually bigger
than MAX_USER_CONTROLS, so we want to point it out.
Thread 1 Thread 2
//snd_ctl_elem_add() //snd_ctl_elem_add()
if (card->user_ctl_count + 1 > MAX_USER_CONTROLS)
return -ENOMEM;
card->user_ctl_count++;
unlock:
up_write(&card->controls_rwsem);
return err;
Thanks,
Sishuai
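
The interleaving reported above, replayed deterministically in user space as an added example (not part of the original post and not kernel code). It assumes the limit check runs before the write lock is taken; `card_model`, the helper names and the sample limit of 32 are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>
#define MAX_USER_CONTROLS 32          /* sample limit for this model (assumption) */
struct card_model { int user_ctl_count; };   /* hypothetical stand-in for the card */

/* Reported pattern, step 1: limit check performed without holding the lock. */
static int check_unlocked(const struct card_model *c)
{
    return (c->user_ctl_count + 1 > MAX_USER_CONTROLS) ? -ENOMEM : 0;
}
/* Reported pattern, step 2: increment performed under the write lock. */
static void increment_locked(struct card_model *c)
{
    c->user_ctl_count++;              /* down_write() ... up_write() around this */
}

/* For comparison: check and increment inside one critical section. */
static int add_under_lock(struct card_model *c)
{
    if (c->user_ctl_count + 1 > MAX_USER_CONTROLS)
        return -ENOMEM;               /* lock released before returning */
    c->user_ctl_count++;
    return 0;
}

/* Interleaving: T1 check, T2 check, T1 increment, T2 increment. */
static int replay_racy(int start)
{
    struct card_model c = { start };
    int t1 = check_unlocked(&c);
    int t2 = check_unlocked(&c);      /* stale: T1 has not incremented yet */
    if (t1 == 0) increment_locked(&c);
    if (t2 == 0) increment_locked(&c);
    return c.user_ctl_count;
}

/* Same two callers with the check inside the lock; *err2 is the second result. */
static int replay_serialized(int start, int *err2)
{
    struct card_model c = { start };
    (void)add_under_lock(&c);
    *err2 = add_under_lock(&c);
    return c.user_ctl_count;
}

int main(void)
{
    int err2, ok = replay_serialized(MAX_USER_CONTROLS - 1, &err2);
    printf("racy=%d serialized=%d second_err=%d\n", replay_racy(MAX_USER_CONTROLS - 1), ok, err2);
    return 0;
}
```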