Date: Fri, 10 Aug 2018 19:44:02 +0300
From: Jarkko Sakkinen
To: Greg KH
Cc: stable@vger.kernel.org, tadeusz.struk@intel.com
Subject: Re: [PATCH] tpm: fix race condition in tpm_common_write()
Message-ID: <20180810164401.GO4692@linux.intel.com>
References: <20180808123550.10475-1-jarkko.sakkinen@linux.intel.com> <20180810141058.GB6950@kroah.com>
In-Reply-To: <20180810141058.GB6950@kroah.com>

On Fri, Aug 10, 2018 at 04:10:58PM +0200, Greg KH wrote:
> On Wed, Aug 08, 2018 at 03:35:50PM +0300, Jarkko Sakkinen wrote:
> > From: Tadeusz Struk
> >
> > commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream
> >
> > There is a race condition in tpm_common_write function allowing
> > two threads on the same /dev/tpm, or two different applications
> > on the same /dev/tpmrm to overwrite each other commands/responses.
> > Fixed this by taking the priv->buffer_mutex early in the function.
> >
> > Also converted the priv->data_pending from atomic to a regular size_t
> > type. There is no need for it to be atomic since it is only touched
> > under the protection of the priv->buffer_mutex.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Tadeusz Struk
> > Reviewed-by: Jarkko Sakkinen
> > Signed-off-by: Jarkko Sakkinen
> > ---
> > Manually backported for v4.4 and v4.9.
>
> Now queued up, thanks.

Great, thank you.

> greg k-h

/Jarkko
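
A userspace model of the locking order the quoted commit message describes, added here as an illustration; it is not the kernel patch or the driver's code. `model_priv`, `model_write`, `model_read`, `MODEL_BUFSIZE`, the `-EBUSY` refusal and the echoed response are assumptions of the model; only `buffer_mutex` and `data_pending` are names from the message.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BUFSIZE 64            /* assumed size for this model */

struct model_priv {                 /* hypothetical stand-in for the driver's priv */
    pthread_mutex_t buffer_mutex;
    size_t data_pending;            /* plain size_t: only touched under buffer_mutex */
    unsigned char data_buffer[MODEL_BUFSIZE];
};

/* Accept a command only if no response is waiting. The mutex is taken before
 * data_pending is examined, so the check, the copy and the update form one
 * critical section and a second writer cannot run between them. */
long model_write(struct model_priv *priv, const void *cmd, size_t size)
{
    if (size > MODEL_BUFSIZE)
        return -E2BIG;
    pthread_mutex_lock(&priv->buffer_mutex);
    if (priv->data_pending != 0) {  /* assumed refusal while a response waits */
        pthread_mutex_unlock(&priv->buffer_mutex);
        return -EBUSY;
    }
    memcpy(priv->data_buffer, cmd, size);
    priv->data_pending = size;      /* model: the response is the echoed command */
    pthread_mutex_unlock(&priv->buffer_mutex);
    return (long)size;
}

/* Hand the pending response to the caller and clear it, under the same lock. */
long model_read(struct model_priv *priv, void *out, size_t size)
{
    pthread_mutex_lock(&priv->buffer_mutex);
    size_t n = priv->data_pending < size ? priv->data_pending : size;
    memcpy(out, priv->data_buffer, n);
    priv->data_pending = 0;
    pthread_mutex_unlock(&priv->buffer_mutex);
    return (long)n;
}

int main(void)
{
    struct model_priv p = { .buffer_mutex = PTHREAD_MUTEX_INITIALIZER };
    long first = model_write(&p, "CMD-A", 5);   /* constructed sample commands */
    long second = model_write(&p, "CMD-B", 5);
    printf("first=%ld second=%ld\n", first, second);
    return 0;
}
```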