On Mon, Jun 12, 2017 at 07:12:02PM +0200, Takashi Iwai wrote:
> commit d11662f4f798b50d8c8743f433842c3e40fe3378 upstream.
>
> The read from ALSA timer device, the function snd_timer_user_tread(),
> may access to an uninitialized struct snd_timer_user fields when the
> read is concurrently performed while the ioctl like
> snd_timer_user_tselect() is invoked. We have already fixed the races
> among ioctls via a mutex, but we seem to have forgotten the race
> between read vs ioctl.
>
> This patch simply applies (more exactly extends the already applied
> range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
> race window.
>
> Reported-by: Alexander Potapenko <glider@xxxxxxxxxx>
> Tested-by: Alexander Potapenko <glider@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
>
> This is the patch adapted to 3.18.y base that failed to apply.

Wonderful, thanks for the patch, now queued up.

greg k-h
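
The locking pattern the commit message describes, as an added example that is not part of the original mail or of the kernel patch: a user-space C model using pthreads in which the read path takes the same ioctl_lock as the ioctl path, so it never observes a half-rebuilt queue. The struct layout, the function names (model_tselect, model_read, run_model) and the iteration counts are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdlib.h>
/* Toy user-space model; field layout is an assumption, not the kernel struct. */
struct timer_user {
    pthread_mutex_t ioctl_lock;
    int *queue;       /* reallocated by the ioctl path */
    int queue_size;   /* must always match the queue allocation */
};

/* ioctl path: tears down and rebuilds the queue while holding ioctl_lock. */
static void model_tselect(struct timer_user *tu, int size)
{
    pthread_mutex_lock(&tu->ioctl_lock);
    free(tu->queue);
    tu->queue = NULL;                 /* fields are unusable from here ... */
    tu->queue_size = size;
    tu->queue = calloc(size, sizeof(int));
    for (int i = 0; tu->queue && i < size; i++) tu->queue[i] = size;
    pthread_mutex_unlock(&tu->ioctl_lock);  /* ... until this point */
}

/* read path holding the same lock: returns 1 if the state was consistent. */
static int model_read(struct timer_user *tu)
{
    pthread_mutex_lock(&tu->ioctl_lock);
    int ok = tu->queue != NULL;
    for (int i = 0; ok && i < tu->queue_size; i++) ok = tu->queue[i] == tu->queue_size;
    pthread_mutex_unlock(&tu->ioctl_lock);
    return ok;
}

static void *selector(void *arg)
{
    for (int n = 0; n < 20000; n++) model_tselect(arg, (n & 1) ? 8 : 16);
    return NULL;
}

/* Runs the reader against a concurrent selector; returns inconsistent reads. */
static int run_model(void)
{
    struct timer_user tu = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    pthread_t t; int bad = 0;
    model_tselect(&tu, 8);            /* valid initial state before threads start */
    if (pthread_create(&t, NULL, selector, &tu)) return -1;
    for (int n = 0; n < 20000; n++) bad += !model_read(&tu);
    pthread_join(t, NULL);
    free(tu.queue);
    return bad;
}
int main(void) { return run_model() != 0; }
```

Removing the lock and unlock calls from model_read reproduces the unsynchronized read path, which is the configuration a thread sanitizer build (-fsanitize=thread) will flag.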