Commit | Line | Data |
---|---|---|
1 | From 3fa6993fef634e05d200d141a85df0b044572364 Mon Sep 17 00:00:00 2001 | |
2 | From: Takashi Iwai <tiwai@suse.de> | |
3 | Date: Mon, 4 Jul 2016 14:02:15 +0200 | |
4 | Subject: ALSA: timer: Fix negative queue usage by racy accesses | |
5 | ||
6 | From: Takashi Iwai <tiwai@suse.de> | |
7 | ||
8 | commit 3fa6993fef634e05d200d141a85df0b044572364 upstream. | |
9 | ||
10 | The user timer tu->qused counter may go to a negative value when | |
11 | multiple concurrent reads are performed since both the check and the | |
12 | decrement of tu->qused are done in two individual locked contexts. | |
13 | This results in bogus read-outs and an endless loop on the | |
14 | user-space side. | |
15 | ||
16 | The fix is to move the decrement of the tu->qused counter into the | |
17 | same spinlock context as the zero-check of the counter. | |
18 | ||
19 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | |
20 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
21 | ||
22 | --- | |
23 | sound/core/timer.c | 2 +- | |
24 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
25 | ||
26 | --- a/sound/core/timer.c | |
27 | +++ b/sound/core/timer.c | |
28 | @@ -1954,6 +1954,7 @@ static ssize_t snd_timer_user_read(struc | |
29 | ||
30 | qhead = tu->qhead++; | |
31 | tu->qhead %= tu->queue_size; | |
32 | + tu->qused--; | |
33 | spin_unlock_irq(&tu->qlock); | |
34 | ||
35 | if (tu->tread) { | |
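Review bot: With `tu->qused--` now done before `spin_unlock_irq(&tu->qlock)`, the slot at `qhead` counts as free while the code after the unlock (the `if (tu->tread) {` branch, whose body lies outside this hunk, as do the start and end of snd_timer_user_read) presumably still reads that slot to copy it to user space. If the enqueue path, which is not shown here, uses `qused` to decide whether a slot may be written, a full queue could let it reuse the entry while the copy is in flight, and the reader would return a torn or newer event; this needs confirming against that path. Either snapshot the entry into a local variable while the lock is held and copy from that, or record the assumption at the decrement, e.g. `/* slot qhead is released here; the unlocked copy below may race with a producer reusing it */`. A short comment should also state that the entry is consumed even when the copy fails with `err < 0`, because the decrement now happens before the copy is attempted.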
36 | @@ -1967,7 +1968,6 @@ static ssize_t snd_timer_user_read(struc | |
37 | } | |
38 | ||
39 | spin_lock_irq(&tu->qlock); | |
40 | - tu->qused--; | |
41 | if (err < 0) | |
42 | goto _error; | |
43 | result += unit; |