[thirdparty/kernel/stable-queue.git] / releases / 4.6.5 / alsa-timer-fix-negative-queue-usage-by-racy-accesses.patch

From 3fa6993fef634e05d200d141a85df0b044572364 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 4 Jul 2016 14:02:15 +0200
Subject: ALSA: timer: Fix negative queue usage by racy accesses

From: Takashi Iwai <tiwai@suse.de>

commit 3fa6993fef634e05d200d141a85df0b044572364 upstream.

The user timer tu->qused counter may go to a negative value when
multiple concurrent reads are performed since both the check and the
decrement of tu->qused are done in two individual locked contexts.
This results in bogus read outs, and the endless loop in the
user-space side.

The fix is to move the decrement of the tu->qused counter into the
same spinlock context as the zero-check of the counter.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1954,6 +1954,7 @@ static ssize_t snd_timer_user_read(struc
 
 		qhead = tu->qhead++;
 		tu->qhead %= tu->queue_size;
+		tu->qused--;
 		spin_unlock_irq(&tu->qlock);
 
 		if (tu->tread) {
@@ -1967,7 +1968,6 @@ static ssize_t snd_timer_user_read(struc
 		}
 
 		spin_lock_irq(&tu->qlock);
-		tu->qused--;
 		if (err < 0)
 			goto _error;
 		result += unit;
Commit	Line	Data
f969d1ba GKH	1	From 3fa6993fef634e05d200d141a85df0b044572364 Mon Sep 17 00:00:00 2001
	2	From: Takashi Iwai <tiwai@suse.de>
	3	Date: Mon, 4 Jul 2016 14:02:15 +0200
	4	Subject: ALSA: timer: Fix negative queue usage by racy accesses
	5
	6	From: Takashi Iwai <tiwai@suse.de>
	7
	8	commit 3fa6993fef634e05d200d141a85df0b044572364 upstream.
	9
	10	The user timer tu->qused counter may go to a negative value when
	11	multiple concurrent reads are performed since both the check and the
	12	decrement of tu->qused are done in two individual locked contexts.
	13	This results in bogus read outs, and the endless loop in the
	14	user-space side.
	15
	16	The fix is to move the decrement of the tu->qused counter into the
	17	same spinlock context as the zero-check of the counter.
	18
	19	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	sound/core/timer.c \| 2 +-
	24	1 file changed, 1 insertion(+), 1 deletion(-)
	25
	26	--- a/sound/core/timer.c
	27	+++ b/sound/core/timer.c
	28	@@ -1954,6 +1954,7 @@ static ssize_t snd_timer_user_read(struc
	29
	30	qhead = tu->qhead++;
	31	tu->qhead %= tu->queue_size;
	32	+ tu->qused--;
	33	spin_unlock_irq(&tu->qlock);
	34
	35	if (tu->tread) {
	36	@@ -1967,7 +1968,6 @@ static ssize_t snd_timer_user_read(struc
	37	}
	38
	39	spin_lock_irq(&tu->qlock);
	40	- tu->qused--;
	41	if (err < 0)
	42	goto _error;
	43	result += unit;