Hi, We found a data race in sound/core/control.c in linux-5.12-rc3 and we are able to reproduce it under x86. In general, we found when 2 kernel threads are both running snd_ctl_elem_add(), one may read a stale value of card->user_ctl_count, as shown below. Currently, we haven’t found any explicit errors due to this data race, but it looks the reader threads may operate in an inconsistent state, where card->user_ctl_count + 1 is actually bigger than MAX_USER_CONTROLS, so we want to point it out. Thread 1 Thread 2 //snd_ctl_elem_add() //snd_ctl_elem_add() if (card->user_ctl_count + 1 > MAX_USER_CONTROLS) return -ENOMEM; card->user_ctl_count++; unlock: up_write(&card->controls_rwsem); return err; Thanks, Sishuai
