From ce23f8003a665f7f58745da8ddd1dd1e97eb967e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 13 Jun 2017 09:20:25 +0200
Subject: [PATCH] 3.18-stable patches

added patches:
alsa-timer-fix-race-between-read-and-ioctl.patch
---
 ...imer-fix-race-between-read-and-ioctl.patch | 57 +++++++++++++++++++
 queue-3.18/series | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 queue-3.18/alsa-timer-fix-race-between-read-and-ioctl.patch

diff --git a/queue-3.18/alsa-timer-fix-race-between-read-and-ioctl.patch b/queue-3.18/alsa-timer-fix-race-between-read-and-ioctl.patch
new file mode 100644
index 00000000000..86551c1cb5a
--- /dev/null
+++ b/queue-3.18/alsa-timer-fix-race-between-read-and-ioctl.patch
@@ -0,0 +1,57 @@
+From d11662f4f798b50d8c8743f433842c3e40fe3378 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 2 Jun 2017 15:03:38 +0200
+Subject: ALSA: timer: Fix race between read and ioctl
+
+From: Takashi Iwai
+
+commit d11662f4f798b50d8c8743f433842c3e40fe3378 upstream.
+
+The read from ALSA timer device, the function snd_timer_user_tread(),
+may access to an uninitialized struct snd_timer_user fields when the
+read is concurrently performed while the ioctl like
+snd_timer_user_tselect() is invoked. We have already fixed the races
+among ioctls via a mutex, but we seem to have forgotten the race
+between read vs ioctl.
+
+This patch simply applies (more exactly extends the already applied
+range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
+race window.
+
+Reported-by: Alexander Potapenko
+Tested-by: Alexander Potapenko
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1949,6 +1949,7 @@ static ssize_t snd_timer_user_read(struc
+ 
+ tu = file->private_data;
+ unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+ while ((long)count - result >= unit) {
+ while (!tu->qused) {
+@@ -1964,7 +1965,9 @@ static ssize_t snd_timer_user_read(struc
+ add_wait_queue(&tu->qchange_sleep, &wait);
+ 
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ schedule();
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+ 
+ remove_wait_queue(&tu->qchange_sleep, &wait);
+@@ -2002,6 +2005,7 @@ static ssize_t snd_timer_user_read(struc
+ }
+ _error:
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ return result > 0 ? result : err;
+ }
+ 
diff --git a/queue-3.18/series b/queue-3.18/series
index 8c9b6704a05..20ae887bac5 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
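Review bot: The `unit` element size on the line directly above the new `mutex_lock(&tu->ioctl_lock);` is still computed from `tu->tread` before the mutex is held, and the mutex is released again around `schedule()`, so if an ioctl can change `tu->tread` in either window the size used by the copy loop can disagree with what the queue actually holds — the same class of read-vs-ioctl race this patch is closing for the other fields. The first window is closed by swapping the two lines so that `mutex_lock(&tu->ioctl_lock);` precedes `unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);`; for the sleep window, either re-derive `unit` after the lock is re-taken or state why that is unnecessary, e.g. `/* ioctl_lock is dropped while sleeping; tu->tread must not change while a read is in flight */`. Whether the tread ioctl is actually reachable while a read is in progress is not visible here, so this may already be prevented by a check elsewhere in the ioctl path. snd_timer_user_read starts and ends outside the three inner hunks.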
@@ -43,3 +43,4 @@ tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch
 usercopy-adjust-tests-to-deal-with-smap-pan.patch
 arm64-ensure-extension-of-smp_store_release-value.patch
 mlx5-stop-including-asm-generic-kmap_types.h.patch
+alsa-timer-fix-race-between-read-and-ioctl.patch
-- 
2.47.3