Patch "ALSA: timer: Fix negative queue usage by racy accesses" has been added to the 4.4-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    ALSA: timer: Fix negative queue usage by racy accesses

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-timer-fix-negative-queue-usage-by-racy-accesses.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 3fa6993fef634e05d200d141a85df0b044572364 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 4 Jul 2016 14:02:15 +0200
Subject: ALSA: timer: Fix negative queue usage by racy accesses

From: Takashi Iwai <tiwai@suse.de>

commit 3fa6993fef634e05d200d141a85df0b044572364 upstream.

The user timer tu->qused counter may go to a negative value when
multiple concurrent reads are performed since both the check and the
decrement of tu->qused are done in two individual locked contexts.
This results in bogus read outs, and the endless loop in the
user-space side.

The fix is to move the decrement of the tu->qused counter into the
same spinlock context as the zero-check of the counter.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1961,6 +1961,7 @@ static ssize_t snd_timer_user_read(struc
 
 		qhead = tu->qhead++;
 		tu->qhead %= tu->queue_size;
+		tu->qused--;
 		spin_unlock_irq(&tu->qlock);
 
 		if (tu->tread) {
@@ -1974,7 +1975,6 @@ static ssize_t snd_timer_user_read(struc
 		}
 
 		spin_lock_irq(&tu->qlock);
-		tu->qused--;
 		if (err < 0)
 			goto _error;
 		result += unit;


Patches currently in stable-queue which might be from tiwai@suse.de are

queue-4.4/alsa-hda-fix-the-headset-mic-jack-detection-on-dell-machine.patch
queue-4.4/alsa-ctl-stop-notification-after-disconnection.patch
queue-4.4/alsa-dummy-fix-a-use-after-free-at-closing.patch
queue-4.4/alsa-timer-fix-negative-queue-usage-by-racy-accesses.patch
queue-4.4/alsa-hda-fix-use-after-free-after-module-unload.patch
queue-4.4/alsa-hda-realtek-add-new-pin-definition-in-alc225-pin-quirk-table.patch
queue-4.4/alsa-hda-add-pci-id-for-kabylake-h.patch
queue-4.4/alsa-pcm-free-chmap-at-pcm-free-callback-too.patch
queue-4.4/alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch
queue-4.4/alsa-hda-realtek-add-lenovo-l460-to-docking-unit-fixup.patch
queue-4.4/alsa-echoaudio-fix-memory-allocation.patch
queue-4.4/alsa-hda-realtek-add-two-more-thinkpad-ids-5050-5053-for-tpt460-fixup.patch
queue-4.4/alsa-hda-fix-read-before-array-start.patch
queue-4.4/alsa-hda-add-amd-stoney-pci-id-with-proper-driver-caps.patch