Patch "ALSA: timer: Fix race at concurrent reads" has been added to the 4.4-stable tree

Patch "ALSA: timer: Fix race at concurrent reads" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    ALSA: timer: Fix race at concurrent reads

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-timer-fix-race-at-concurrent-reads.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 8 Feb 2016 17:26:58 +0100
Subject: ALSA: timer: Fix race at concurrent reads

From: Takashi Iwai <tiwai@suse.de>

commit 4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 upstream.

snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls.  Move them into the critical section, and also
sanitize the relevant code a bit.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |   34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1926,6 +1926,7 @@ static ssize_t snd_timer_user_read(struc
 {
 	struct snd_timer_user *tu;
 	long result = 0, unit;
+	int qhead;
 	int err = 0;
 
 	tu = file->private_data;
@@ -1937,7 +1938,7 @@ static ssize_t snd_timer_user_read(struc
 
 			if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) {
 				err = -EAGAIN;
-				break;
+				goto _error;
 			}
 
 			set_current_state(TASK_INTERRUPTIBLE);
@@ -1952,42 +1953,37 @@ static ssize_t snd_timer_user_read(struc
 
 			if (tu->disconnected) {
 				err = -ENODEV;
-				break;
+				goto _error;
 			}
 			if (signal_pending(current)) {
 				err = -ERESTARTSYS;
-				break;
+				goto _error;
 			}
 		}
 
+		qhead = tu->qhead++;
+		tu->qhead %= tu->queue_size;
 		spin_unlock_irq(&tu->qlock);
-		if (err < 0)
-			goto _error;
 
 		if (tu->tread) {
-			if (copy_to_user(buffer, &tu->tqueue[tu->qhead++],
-					 sizeof(struct snd_timer_tread))) {
+			if (copy_to_user(buffer, &tu->tqueue[qhead],
+					 sizeof(struct snd_timer_tread)))
 				err = -EFAULT;
-				goto _error;
-			}
 		} else {
-			if (copy_to_user(buffer, &tu->queue[tu->qhead++],
-					 sizeof(struct snd_timer_read))) {
+			if (copy_to_user(buffer, &tu->queue[qhead],
+					 sizeof(struct snd_timer_read)))
 				err = -EFAULT;
-				goto _error;
-			}
 		}
 
-		tu->qhead %= tu->queue_size;
-
-		result += unit;
-		buffer += unit;
-
 		spin_lock_irq(&tu->qlock);
 		tu->qused--;
+		if (err < 0)
+			goto _error;
+		result += unit;
+		buffer += unit;
 	}
-	spin_unlock_irq(&tu->qlock);
  _error:
+	spin_unlock_irq(&tu->qlock);
 	return result > 0 ? result : err;
 }
 


Patches currently in stable-queue which might be from tiwai@suse.de are

queue-4.4/alsa-seq-fix-race-at-closing-in-virmidi-driver.patch
queue-4.4/alsa-hda-fix-bad-dereference-of-jack-object.patch
queue-4.4/alsa-usb-audio-add-quirk-for-microsoft-lifecam-hd-6000.patch
queue-4.4/alsa-rawmidi-remove-kernel-warning-for-null-user-space-buffer-check.patch
queue-4.4/alsa-usb-audio-fix-oppo-ha-1-vendor-id.patch
queue-4.4/alsa-timer-fix-race-at-concurrent-reads.patch
queue-4.4/alsa-hda-realtek-support-dell-headset-mode-for-alc225.patch
queue-4.4/alsa-hda-fix-static-checker-warning-in-patch_hdmi.c.patch
queue-4.4/alsa-seq-fix-lockdep-warnings-due-to-double-mutex-locks.patch
queue-4.4/alsa-usb-audio-fix-teac-ud-501-ud-503-nt-503-usb-delay.patch
queue-4.4/alsa-timer-fix-wrong-instance-passed-to-slave-callbacks.patch
queue-4.4/alsa-hda-disable-dynamic-clock-gating-on-broxton-before-reset.patch
queue-4.4/alsa-hda-realtek-support-headset-mode-for-alc225.patch
queue-4.4/alsa-hda-implement-loopback-control-switch-for-realtek-and-other-codecs.patch
queue-4.4/alsa-hda-realtek-new-codec-support-of-alc225.patch
queue-4.4/alsa-seq-degrade-the-error-message-for-too-many-opens.patch
queue-4.4/alsa-compress-disable-get_codec_caps-ioctl-for-some-architectures.patch
queue-4.4/alsa-rawmidi-make-snd_rawmidi_transmit-race-free.patch
queue-4.4/alsa-hda-fix-speaker-output-from-vaio-aio-machines.patch
queue-4.4/alsa-bebob-use-a-signed-return-type-for-get_formation_index.patch
queue-4.4/alsa-add-missing-dependency-on-config_snd_timer.patch
queue-4.4/alsa-dummy-implement-timer-backend-switching-more-safely.patch
queue-4.4/alsa-dummy-disable-switching-timer-backend-via-sysfs.patch
queue-4.4/alsa-seq-fix-incorrect-sanity-check-at-snd_seq_oss_synth_cleanup.patch
queue-4.4/alsa-seq-fix-yet-another-races-among-alsa-timer-accesses.patch
queue-4.4/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
queue-4.4/revert-alsa-hda-fix-noise-on-gigabyte-z170x-mobo.patch
queue-4.4/alsa-hda-add-fixup-for-mac-mini-7-1-model.patch
queue-4.4/alsa-usb-audio-add-native-dsd-support-for-ps-audio-nuwave-dac.patch
queue-4.4/alsa-timer-fix-leftover-link-at-closing.patch
queue-4.4/alsa-rawmidi-fix-race-at-copying-updating-the-position.patch
queue-4.4/alsa-pcm-fix-potential-deadlock-in-oss-emulation.patch
queue-4.4/alsa-timer-fix-link-corruption-due-to-double-start-or-stop.patch