From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:54541 "EHLO
        out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1727630AbeHJQlG (ORCPT
        <rfc822;stable@vger.kernel.org>); Fri, 10 Aug 2018 12:41:06 -0400
Date: Fri, 10 Aug 2018 16:10:58 +0200
From: Greg KH <greg@kroah.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: stable@vger.kernel.org, tadeusz.struk@intel.com
Subject: Re: [PATCH] tpm: fix race condition in tpm_common_write()
Message-ID: <20180810141058.GB6950@kroah.com>
References: <20180808123550.10475-1-jarkko.sakkinen@linux.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180808123550.10475-1-jarkko.sakkinen@linux.intel.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, Aug 08, 2018 at 03:35:50PM +0300, Jarkko Sakkinen wrote:
> From: Tadeusz Struk <tadeusz.struk@intel.com>
> 
> commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream
> 
> There is a race condition in tpm_common_write function allowing
> two threads on the same /dev/tpm<N>, or two different applications
> on the same /dev/tpmrm<N> to overwrite each other commands/responses.
> Fixed this by taking the priv->buffer_mutex early in the function.
> 
> Also converted the priv->data_pending from atomic to a regular size_t
> type. There is no need for it to be atomic since it is only touched
> under the protection of the priv->buffer_mutex.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
> Manually backported for v4.4 and v4.9.

Now queued up, thanks.

greg k-h