3ab2011ea3
There is a race condition in the tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N>, to overwrite each other's commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.
Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.
Fixes: 1da177e4c3
("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _TPM_DEV_H
#define _TPM_DEV_H
#include "tpm.h"
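/*
 * State shared by the tpm_common_* file operations declared in this header.
 *
 * Locking: data_pending is a plain size_t, not an atomic, because it is only
 * touched under buffer_mutex (see the commit message of 3ab2011ea3). Any code
 * path that reads or writes data_pending therefore has to hold buffer_mutex;
 * an unlocked access would reintroduce the race in which two users of the
 * same device node overwrite each other's commands/responses.
 */
struct file_priv {
	/* NOTE(review): presumably the chip passed to tpm_common_open() - confirm */
	struct tpm_chip *chip;

	/* Data passed to and from the tpm via the read/write calls */
	/* Only touched with buffer_mutex held; exact meaning is not visible here. */
	size_t data_pending;
	/* Taken early in tpm_common_write() so concurrent writers are serialised. */
	struct mutex buffer_mutex;

	struct timer_list user_read_timer;	/* user needs to claim result */
	/* NOTE(review): handler is not visible here; if it touches data_pending
	 * it needs buffer_mutex as well - confirm against the definition. */
	struct work_struct work;

	/*
	 * Fixed-size buffer of TPM_BUFSIZE bytes.
	 * NOTE(review): any copy from user space into this buffer must be
	 * bounded by TPM_BUFSIZE - confirm in the read/write definitions.
	 */
	u8 data_buffer[TPM_BUFSIZE];
};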
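/*
 * Common file-operation helpers. Only the prototypes are visible in this
 * header; the notes below describe the contract stated in the commit message
 * of 3ab2011ea3 and should be checked against the definitions.
 */
void tpm_common_open(struct file *file, struct tpm_chip *chip,
		     struct file_priv *priv);

/*
 * NOTE(review): data_pending is no longer atomic, so if this path reads or
 * clears it, it must do so with priv->buffer_mutex held - confirm.
 */
ssize_t tpm_common_read(struct file *file, char __user *buf,
			size_t size, loff_t *off);

/*
 * Takes priv->buffer_mutex early in the function so that two threads on the
 * same /dev/tpm<N>, or two applications on the same /dev/tpmrm<N>, cannot
 * overwrite each other's commands/responses.
 * NOTE(review): buf and size come from user space; the definition is expected
 * to bound size by TPM_BUFSIZE before copying into data_buffer - confirm.
 */
ssize_t tpm_common_write(struct file *file, const char __user *buf,
			 size_t size, loff_t *off, struct tpm_space *space);

/*
 * NOTE(review): teardown presumably has to stop user_read_timer and work
 * before priv goes away so neither runs against freed state - confirm.
 */
void tpm_common_release(struct file *file, struct file_priv *priv);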
#endif