• Takashi Iwai's avatar
    ALSA: control: Fix race between adding and removing a user element · 46447aa3
    Takashi Iwai authored
    BugLink: https://bugs.launchpad.net/bugs/1811077
    
    commit e1a7bfe3 upstream.
    
    The procedure for adding a user control element has some window opened
    for race against the concurrent removal of a user element.  This was
    caught by syzkaller, hitting a KASAN use-after-free error.
    
    This patch addresses the bug by wrapping the whole procedure to add a
    user control element with the card->controls_rwsem, instead of only
    around the increment of card->user_ctl_count.
    
    This required a slight code refactoring, too.  The function
    snd_ctl_add() is split to two parts: a core function to add the
    control element and a part calling it.  The former is called from the
    function for adding a user control element inside the controls_rwsem.
    
    One change to be noted is that snd_ctl_notify() for adding a control
    element gets called inside the controls_rwsem as well while it was
    called outside the rwsem.  But this should be OK, as snd_ctl_notify()
    takes another (finer) rwlock instead of rwsem, and the call of
    snd_ctl_notify() inside rwsem is already done in another code path.
    
    Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    46447aa3
control.c 49.8 KB