linux/sound/core
Takashi Iwai 998f26f47e ALSA: control: Fix racy management of user ctl memory size account
We've got a report about the possible race in the user control element
counts (card->user_ctl_count), and it was confirmed that the race
wasn't serious in the old code up to 5.12.  There, the value
modification itself was exclusive and protected via a write semaphore,
hence it's at most concurrent reads and evaluations before the
increment.  Since it's only about the soft-limit to avoid the
exhausting memory usage, one-off isn't a big problem at all.

Meanwhile, the relevant code has been largely modified recently, and
now card->user_ctl_count was replaced with card->user_ctl_alloc_size,
and a few more places were added to access this field.  And, in this
new code, it turned out to be more serious: the modifications are
scattered in various places, and a few of them are without protection.
It implies that it may lead to an inconsistent value by racy
accesses.

For addressing it, this patch extends the range covered by the
card->controls_rwsem write lock at snd_ctl_elem_add() so that the all
code paths that modify and refer to card->user_ctl_alloc_size are
protected by the rwsem properly.

The patch adds also comments in a couple of functions to indicate that
they are under the rwsem lock.

Fixes: 66c6d1ef86 ("ALSA: control: Add memory consumption limit to user controls")
Link: https://lore.kernel.org/r/FEEBF384-44BE-42CF-8FB3-93470933F64F@purdue.edu
Link: https://lore.kernel.org/r/20210415131856.13113-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2021-04-16 09:57:49 +02:00
..
oss ALSA: core: avoid -Wempty-body warnings 2021-03-22 12:26:00 +01:00
seq Merge branch 'for-linus' into for-next 2021-01-18 17:39:23 +01:00
Kconfig ALSA: control - add generic LED trigger module as the new control layer 2021-03-30 15:33:58 +02:00
Makefile ALSA: control - add generic LED trigger module as the new control layer 2021-03-30 15:33:58 +02:00
compress_offload.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
control.c ALSA: control: Fix racy management of user ctl memory size account 2021-04-16 09:57:49 +02:00
control_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
control_led.c ALSA: control_led - fix the stack usage (control element ops) 2021-04-14 14:23:05 +02:00
ctljack.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
device.c ALSA: core: Add snd_device_get_state() helper 2020-03-23 18:09:19 +01:00
hrtimer.c ALSA: timer: Replace tasklet with work 2020-09-09 18:32:52 +02:00
hwdep.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
info.c ALSA: info: Drop WARN_ON() from buffer NULL sanity check 2020-07-17 10:59:38 +02:00
info_oss.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
init.c ALSA: core: remove redundant spin_lock pair in snd_card_disconnect 2021-03-30 13:50:15 +02:00
isadma.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jack.c ALSA: jack: implement software jack injection via debugfs 2021-02-02 10:37:07 +01:00
memalloc.c ALSA: memalloc: Align buffer allocations in page size 2020-12-18 17:09:10 +01:00
memory.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
misc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
pcm.c ALSA: pcm: Use for_each_pcm_substream() macro 2021-02-08 16:01:01 +01:00
pcm_compat.c ALSA: pcm: Fix sparse warnings wrt snd_pcm_state_t 2020-01-31 16:23:13 +01:00
pcm_dmaengine.c ASoC: dmaengine_pcm: add peripheral configuration 2021-02-05 17:16:41 +00:00
pcm_drm_eld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_iec958.c ALSA: core: pcm_iec958: fix kernel-doc 2020-07-07 10:22:33 +02:00
pcm_lib.c ALSA: pcm: use krealloc_array() 2020-12-15 12:13:37 -08:00
pcm_local.h ALSA: pcm: Use for_each_pcm_substream() macro 2021-02-08 16:01:01 +01:00
pcm_memory.c ALSA: core: avoid -Wempty-body warnings 2021-03-22 12:26:00 +01:00
pcm_misc.c ASoC: Updates for v5.7 2020-03-30 13:43:00 +02:00
pcm_native.c ALSA: pcm: Fix couple of typos 2021-03-26 09:12:30 +01:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: timer: Constify snd_timer_hardware definitions 2020-01-03 09:24:07 +01:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rawmidi.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
rawmidi_compat.c ALSA: Avoid using timespec for struct snd_rawmidi_status 2019-12-11 22:06:16 +01:00
seq_device.c ALSA: core: avoid -Wempty-body warnings 2021-03-22 12:26:00 +01:00
sgbuf.c ALSA: memalloc: Make SG-buffer helper usable for continuous buffer, too 2020-06-15 18:01:52 +02:00
sound.c ALSA: core - add missing compress device type to /proc/asound/devices 2021-02-10 10:31:53 +01:00
sound_oss.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
timer.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
timer_compat.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
vmaster.c ALSA: Replace the word "slave" in vmaster API 2020-07-20 10:10:47 +02:00