Patch "ALSA: seq: Fix link corruption by event error handling" has been added to the 4.10-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    ALSA: seq: Fix link corruption by event error handling

to the 4.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-seq-fix-link-corruption-by-event-error-handling.patch
and it can be found in the queue-4.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From f3ac9f737603da80c2da3e84b89e74429836bb6d Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 28 Feb 2017 22:15:51 +0100
Subject: ALSA: seq: Fix link corruption by event error handling

From: Takashi Iwai <tiwai@suse.de>

commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream.

The sequencer FIFO management has a bug that may lead to a corruption
(shortage) of the cell linked list.  When a sequencer client faces an
error at the event delivery, it tries to put back the dequeued cell.
When the first queue was put back, this forgot the tail pointer
tracking, and the link will be screwed up.

Although there is no memory corruption, the sequencer client may stall
forever at exit while flushing the pending FIFO cells in
snd_seq_pool_done(), as spotted by syzkaller.

This patch addresses the missing tail pointer tracking at
snd_seq_fifo_cell_putback().  Also the patch makes sure to clear the
cell->enxt pointer at snd_seq_fifo_event_in() for avoiding a similar
mess-up of the FIFO linked list.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_fifo.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -135,6 +135,7 @@ int snd_seq_fifo_event_in(struct snd_seq
 	f->tail = cell;
 	if (f->head == NULL)
 		f->head = cell;
+	cell->next = NULL;
 	f->cells++;
 	spin_unlock_irqrestore(&f->lock, flags);
 
@@ -214,6 +215,8 @@ void snd_seq_fifo_cell_putback(struct sn
 		spin_lock_irqsave(&f->lock, flags);
 		cell->next = f->head;
 		f->head = cell;
+		if (!f->tail)
+			f->tail = cell;
 		f->cells++;
 		spin_unlock_irqrestore(&f->lock, flags);
 	}


Patches currently in stable-queue which might be from tiwai@suse.de are

queue-4.10/alsa-hda-add-subwoofer-support-for-dell-inspiron-17-7000-gaming.patch
queue-4.10/alsa-seq-fix-link-corruption-by-event-error-handling.patch
queue-4.10/alsa-hda-fix-micmute-hotkey-problem-for-a-lenovo-aio-machine.patch
queue-4.10/alsa-ctxfi-fallback-dma-mask-to-32bit.patch
queue-4.10/alsa-timer-reject-user-params-with-too-small-ticks.patch
queue-4.10/alsa-hda-fix-lewisburg-audio-issue.patch
queue-4.10/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-a-dell-aio.patch