From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tadeusz Struk <tadeusz.struk@intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Subject: [PATCH 4.4 02/43] tpm: fix race condition in tpm_common_write()
Date: Tue, 14 Aug 2018 19:17:38 +0200 [thread overview]
Message-ID: <20180814171517.174295580@linuxfoundation.org> (raw)
In-Reply-To: <20180814171517.014285600@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tadeusz Struk <tadeusz.struk@intel.com>
commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.
There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N> to overwrite each other commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.
Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-dev.c | 43 ++++++++++++++++++++-----------------------
1 file changed, 20 insertions(+), 23 deletions(-)
--- a/drivers/char/tpm/tpm-dev.c
+++ b/drivers/char/tpm/tpm-dev.c
@@ -25,7 +25,7 @@ struct file_priv {
struct tpm_chip *chip;
/* Data passed to and from the tpm via the read/write calls */
- atomic_t data_pending;
+ size_t data_pending;
struct mutex buffer_mutex;
struct timer_list user_read_timer; /* user needs to claim result */
@@ -46,7 +46,7 @@ static void timeout_work(struct work_str
struct file_priv *priv = container_of(work, struct file_priv, work);
mutex_lock(&priv->buffer_mutex);
- atomic_set(&priv->data_pending, 0);
+ priv->data_pending = 0;
memset(priv->data_buffer, 0, sizeof(priv->data_buffer));
mutex_unlock(&priv->buffer_mutex);
}
@@ -72,7 +72,6 @@ static int tpm_open(struct inode *inode,
}
priv->chip = chip;
- atomic_set(&priv->data_pending, 0);
mutex_init(&priv->buffer_mutex);
setup_timer(&priv->user_read_timer, user_reader_timeout,
(unsigned long)priv);
@@ -86,28 +85,24 @@ static ssize_t tpm_read(struct file *fil
size_t size, loff_t *off)
{
struct file_priv *priv = file->private_data;
- ssize_t ret_size;
+ ssize_t ret_size = 0;
int rc;
del_singleshot_timer_sync(&priv->user_read_timer);
flush_work(&priv->work);
- ret_size = atomic_read(&priv->data_pending);
- if (ret_size > 0) { /* relay data */
- ssize_t orig_ret_size = ret_size;
- if (size < ret_size)
- ret_size = size;
+ mutex_lock(&priv->buffer_mutex);
- mutex_lock(&priv->buffer_mutex);
+ if (priv->data_pending) {
+ ret_size = min_t(ssize_t, size, priv->data_pending);
rc = copy_to_user(buf, priv->data_buffer, ret_size);
- memset(priv->data_buffer, 0, orig_ret_size);
+ memset(priv->data_buffer, 0, priv->data_pending);
if (rc)
ret_size = -EFAULT;
- mutex_unlock(&priv->buffer_mutex);
+ priv->data_pending = 0;
}
- atomic_set(&priv->data_pending, 0);
-
+ mutex_unlock(&priv->buffer_mutex);
return ret_size;
}
@@ -118,18 +113,20 @@ static ssize_t tpm_write(struct file *fi
size_t in_size = size;
ssize_t out_size;
- /* cannot perform a write until the read has cleared
- either via tpm_read or a user_read_timer timeout.
- This also prevents splitted buffered writes from blocking here.
- */
- if (atomic_read(&priv->data_pending) != 0)
- return -EBUSY;
-
if (in_size > TPM_BUFSIZE)
return -E2BIG;
mutex_lock(&priv->buffer_mutex);
+ /* Cannot perform a write until the read has cleared either via
+ * tpm_read or a user_read_timer timeout. This also prevents split
+ * buffered writes from blocking here.
+ */
+ if (priv->data_pending != 0) {
+ mutex_unlock(&priv->buffer_mutex);
+ return -EBUSY;
+ }
+
if (copy_from_user
(priv->data_buffer, (void __user *) buf, in_size)) {
mutex_unlock(&priv->buffer_mutex);
@@ -153,7 +150,7 @@ static ssize_t tpm_write(struct file *fi
return out_size;
}
- atomic_set(&priv->data_pending, out_size);
+ priv->data_pending = out_size;
mutex_unlock(&priv->buffer_mutex);
/* Set a timeout by which the reader must come claim the result */
@@ -172,7 +169,7 @@ static int tpm_release(struct inode *ino
del_singleshot_timer_sync(&priv->user_read_timer);
flush_work(&priv->work);
file->private_data = NULL;
- atomic_set(&priv->data_pending, 0);
+ priv->data_pending = 0;
clear_bit(0, &priv->chip->is_open);
kfree(priv);
return 0;
next prev parent reply other threads:[~2018-08-14 17:46 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-14 17:17 [PATCH 4.4 00/43] 4.4.148-stable review Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 01/43] ext4: fix check to prevent initializing reserved inodes Greg Kroah-Hartman
2018-08-14 17:17 ` Greg Kroah-Hartman [this message]
2018-08-14 17:17 ` [PATCH 4.4 03/43] ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 04/43] fork: unconditionally clear stack on fork Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 05/43] parisc: Enable CONFIG_MLONGCALLS by default Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 07/43] xen/netfront: dont cache skb_shinfo() Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 08/43] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 09/43] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 10/43] root dentries need RCU-delayed freeing Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 11/43] fix mntput/mntput race Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 12/43] fix __legitimize_mnt()/mntput() race Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 13/43] IB/core: Make testing MR flags for writability a static inline function Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 14/43] IB/mlx4: Mark user MR as writable if actual virtual memory is writable Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 15/43] IB/ocrdma: fix out of bounds access to local buffer Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 16/43] ARM: dts: imx6sx: fix irq for pcie bridge Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 17/43] x86/paravirt: Fix spectre-v2 mitigations for paravirt guests Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 18/43] x86/speculation: Protect against userspace-userspace spectreRSB Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 19/43] kprobes/x86: Fix %p uses in error messages Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 20/43] x86/irqflags: Provide a declaration for native_save_fl Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 21/43] x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 22/43] x86/mm: Move swap offset/type up in PTE to work around erratum Greg Kroah-Hartman
2018-08-14 17:17 ` [PATCH 4.4 23/43] x86/mm: Fix swap entry comment and macro Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 24/43] mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 25/43] x86/speculation/l1tf: Change order of offset/type in swap entry Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 26/43] x86/speculation/l1tf: Protect swap entries against L1TF Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 27/43] x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 28/43] x86/speculation/l1tf: Make sure the first page is always reserved Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 29/43] x86/speculation/l1tf: Add sysfs reporting for l1tf Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 30/43] mm: Add vm_insert_pfn_prot() Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 31/43] mm: fix cache mode tracking in vm_insert_mixed() Greg Kroah-Hartman
2018-09-07 17:05 ` Ben Hutchings
2018-09-07 20:03 ` Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 32/43] x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 33/43] x86/speculation/l1tf: Limit swap file size to MAX_PA/2 Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 34/43] x86/bugs: Move the l1tf function and define pr_fmt properly Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 35/43] x86/speculation/l1tf: Extend 64bit swap file size limit Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 36/43] x86/cpufeatures: Add detection of L1D cache flush support Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 37/43] x86/speculation/l1tf: Protect PAE swap entries against L1TF Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 38/43] x86/speculation/l1tf: Fix up pte->pfn conversion for PAE Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 39/43] x86/speculation/l1tf: Invert all not present mappings Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 40/43] x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 41/43] x86/mm/pat: Make set_memory_np() L1TF safe Greg Kroah-Hartman
2018-09-09 16:46 ` Ben Hutchings
2018-09-09 17:06 ` Guenter Roeck
2018-09-10 7:16 ` Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 42/43] x86/mm/kmmio: Make the tracer robust against L1TF Greg Kroah-Hartman
2018-08-14 17:18 ` [PATCH 4.4 43/43] x86/speculation/l1tf: Fix up CPU feature flags Greg Kroah-Hartman
2018-08-15 6:15 ` [PATCH 4.4 00/43] 4.4.148-stable review Greg Kroah-Hartman
2018-08-15 13:10 ` Guenter Roeck
2018-08-15 20:52 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180814171517.174295580@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tadeusz.struk@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).