diff options
| author | Tadeusz Struk <tadeusz.struk@intel.com> | 2018-05-22 14:37:18 -0700 |
|---|---|---|
| committer | Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | 2018-05-30 20:11:31 +0300 |
| commit | 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df (patch) | |
| tree | 83807afb8ea61e77a8d2a2ed698e0c7615390938 /drivers/char/tpm/tpm-dev.h | |
| parent | 424eaf910c329ab06ad03a527ef45dcf6a328f00 (diff) | |
| download | linux-3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df.tar.gz linux-3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df.tar.bz2 linux-3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df.zip | |
tpm: fix race condition in tpm_common_write()
There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N> to overwrite each other commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.
Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Diffstat (limited to 'drivers/char/tpm/tpm-dev.h')
| -rw-r--r-- | drivers/char/tpm/tpm-dev.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm-dev.h b/drivers/char/tpm/tpm-dev.h index ba3b6f9dacf7..b24cfb4d3ee1 100644 --- a/drivers/char/tpm/tpm-dev.h +++ b/drivers/char/tpm/tpm-dev.h @@ -8,7 +8,7 @@ struct file_priv { struct tpm_chip *chip; /* Data passed to and from the tpm via the read/write calls */ - atomic_t data_pending; + size_t data_pending; struct mutex buffer_mutex; struct timer_list user_read_timer; /* user needs to claim result */ |