On Mon, Jun 11, 2018 at 09:12:00PM -0400, Hugo Lefeuvre wrote:
> In the PI433_IOC_WR_TX_CFG case in pi433_ioctl, instance->tx_cfg is
> modified using
>
> copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg)))
>
> without any kind of synchronization. In the case where two threads
> would execute this same command concurrently the tx_cfg field might
> enter in an inconsistent state.
>
> Add a mutex making sure that the PI433_IOC_WR_TX_CFG case will never
> be run by several threads concurrently.
>
> Signed-off-by: Hugo Lefeuvre <hle@xxxxxxxxxx>

We read the data from the user here and then we write it to the fifo in
pi433_write(). We should be using the device->tx_fifo_lock so that we
don't copy over the data at the same time we're writing it to the fifo.

This bug could cause a user space program to fail.

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
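The interleaving Dan describes, as an added user-space model that is not pi433 driver code: one path copies a new tx_cfg from user space into the shared field, another path (pi433_write) snapshots that field into the fifo. The copy is done a byte at a time with a preemption point after each byte, so the "other thread" can be made to run in the middle of the copy deterministically. Without a shared lock the fifo receives a torn configuration; with both paths taking the same lock (standing in for device->tx_fifo_lock) the writer is deferred and sees only the complete new configuration. The struct layout, field names, the checksum field used to detect tearing, the fifo shape and every function name here are assumptions for illustration, not the driver's real definitions.

```c
/* Added example: user-space model of the PI433_IOC_WR_TX_CFG vs. pi433_write()
 * race. Not driver code; all names and the struct layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct tx_cfg {               /* stand-in for struct pi433_tx_cfg (assumed layout) */
    uint32_t frequency;
    uint32_t bit_rate;
    uint32_t dev_frequency;
    uint32_t checksum;        /* frequency ^ bit_rate ^ dev_frequency, so a torn copy is detectable */
};

struct model_device {
    struct tx_cfg tx_cfg;     /* shared: written by the ioctl path, read by the write path */
    int tx_fifo_lock;         /* cooperative model of a mutex: 0 = free, 1 = held */
    struct tx_cfg fifo[4];    /* what the write path copies tx_cfg into */
    unsigned fifo_len;
    unsigned deferred_writes; /* write attempts that found the lock held */
};

static struct tx_cfg make_cfg(uint32_t f, uint32_t b, uint32_t d)
{
    struct tx_cfg c = { f, b, d, f ^ b ^ d };
    return c;
}

static int cfg_consistent(const struct tx_cfg *c)
{
    return c->checksum == (c->frequency ^ c->bit_rate ^ c->dev_frequency);
}

/* Model of pi433_write(): snapshot tx_cfg into the fifo.  With use_lock set it
 * behaves like mutex_lock(): if the ioctl path holds the lock it must wait, which
 * this cooperative model records as a deferral instead of blocking. */
static int model_write(struct model_device *dev, int use_lock)
{
    if (use_lock && dev->tx_fifo_lock) {
        dev->deferred_writes++;
        return -1;
    }
    if (dev->fifo_len < sizeof dev->fifo / sizeof dev->fifo[0])
        dev->fifo[dev->fifo_len++] = dev->tx_cfg;
    return 0;
}

/* copy_from_user() stand-in: copies one byte at a time and, once preempt_at bytes
 * have landed, lets the "other thread" run model_write() before continuing. */
static void copy_from_user_model(struct model_device *dev, void *dst, const void *src,
                                 size_t n, size_t preempt_at, int use_lock)
{
    for (size_t i = 0; i < n; i++) {
        ((uint8_t *)dst)[i] = ((const uint8_t *)src)[i];
        if (i + 1 == preempt_at)
            model_write(dev, use_lock);
    }
}

/* Model of the PI433_IOC_WR_TX_CFG case: with use_lock the copy is bracketed by
 * the same lock the write path takes, and a deferred writer runs after unlock. */
static void model_ioctl_wr_tx_cfg(struct model_device *dev, const struct tx_cfg *user_cfg,
                                  size_t preempt_at, int use_lock)
{
    if (use_lock)
        dev->tx_fifo_lock = 1;                         /* mutex_lock(&device->tx_fifo_lock) */
    copy_from_user_model(dev, &dev->tx_cfg, user_cfg, sizeof *user_cfg, preempt_at, use_lock);
    if (use_lock) {
        dev->tx_fifo_lock = 0;                         /* mutex_unlock(&device->tx_fifo_lock) */
        if (dev->deferred_writes)
            model_write(dev, use_lock);                /* the woken writer proceeds */
    }
}

/* Run the scenario: old config in place, ioctl installs a new one, the writer is
 * scheduled after 6 of the 16 bytes have been copied.  Returns the number of
 * torn (inconsistent) entries that reached the fifo. */
unsigned run_scenario(int use_lock)
{
    struct model_device dev = { 0 };
    struct tx_cfg new_cfg = make_cfg(0x11111111u, 0x22222222u, 0x33333333u);
    unsigned torn = 0;

    dev.tx_cfg = make_cfg(1, 2, 3);
    model_ioctl_wr_tx_cfg(&dev, &new_cfg, 6, use_lock);
    for (unsigned i = 0; i < dev.fifo_len; i++)
        if (!cfg_consistent(&dev.fifo[i]))
            torn++;
    return torn;
}

int main(void)
{
    printf("unlocked: %u torn entries\n", run_scenario(0));   /* prints 1 */
    printf("locked:   %u torn entries\n", run_scenario(1));   /* prints 0 */
    return 0;
}
```

The point of the model is that the lock is only useful if both the ioctl copy and the fifo write take the same one; a mutex held solely by the ioctl case, as the patch proposes, serialises concurrent ioctls but still lets the write path read tx_cfg half-updated, which is the unlocked run above.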