[PATCH] tpm: fix the cleanup of struct tpm_chip

[PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

If the initialization fails before tpm_chip_register(), put_device()
will be not called, which causes release callback not to be called.
This patch fixes the issue by adding put_device() to devres list of
the parent device.

Fixes: 313d21eeab ("tpm: device class for tpm")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
cc: stable@vger.kernel.org
---
 drivers/char/tpm/tpm-chip.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 1a9dcee..ea904d1 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -136,6 +136,8 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
 	chip->cdev.owner = chip->pdev->driver->owner;
 	chip->cdev.kobj.parent = &chip->dev.kobj;
 
+	devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
+
 	return chip;
 }
 EXPORT_SYMBOL_GPL(tpmm_chip_alloc);
-- 
2.7.0

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jason Gunthorpe]

On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> If the initialization fails before tpm_chip_register(), put_device()
> will be not called, which causes release callback not to be called.
> This patch fixes the issue by adding put_device() to devres list of
> the parent device.

Erm, if you do this, then shouldn't the device_unregister change to
device_del to keep the kref balanced?

Jason

Re: [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jason Gunthorpe]

On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> If the initialization fails before tpm_chip_register(), put_device()
> will be not called, which causes release callback not to be called.
> This patch fixes the issue by adding put_device() to devres list of
> the parent device.

Erm, if you do this, then shouldn't the device_unregister change to
device_del to keep the kref balanced?

Jason

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > If the initialization fails before tpm_chip_register(), put_device()
> > will be not called, which causes release callback not to be called.
> > This patch fixes the issue by adding put_device() to devres list of
> > the parent device.
> 
> Erm, if you do this, then shouldn't the device_unregister change to
> device_del to keep the kref balanced?

Yes, it should. Weird, I added pr_info() (temporarily) to
tpm_dev_release() and did occur only once and no crashes whatsoever.

Anyway, you're right.

> Jason

/Jarkko

Re: [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > If the initialization fails before tpm_chip_register(), put_device()
> > will be not called, which causes release callback not to be called.
> > This patch fixes the issue by adding put_device() to devres list of
> > the parent device.
> 
> Erm, if you do this, then shouldn't the device_unregister change to
> device_del to keep the kref balanced?

Yes, it should. Weird, I added pr_info() (temporarily) to
tpm_dev_release() and did occur only once and no crashes whatsoever.

Anyway, you're right.

> Jason

/Jarkko

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Tue, Feb 09, 2016 at 08:19:51AM +0200, Jarkko Sakkinen wrote:
> On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> > On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > > If the initialization fails before tpm_chip_register(), put_device()
> > > will be not called, which causes release callback not to be called.
> > > This patch fixes the issue by adding put_device() to devres list of
> > > the parent device.
> > 
> > Erm, if you do this, then shouldn't the device_unregister change to
> > device_del to keep the kref balanced?
> 
> Yes, it should. Weird, I added pr_info() (temporarily) to
> tpm_dev_release() and did occur only once and no crashes whatsoever.
> 
> Anyway, you're right.

Update:

https://github.com/jsakkine/linux-tpmdd/commit/a1aa547bbd2178628df798c27abaad073acb2441

I tested that the release gets called (as a sanity check).

Ack?

/Jarkko

Re: [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Tue, Feb 09, 2016 at 08:19:51AM +0200, Jarkko Sakkinen wrote:
> On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> > On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > > If the initialization fails before tpm_chip_register(), put_device()
> > > will be not called, which causes release callback not to be called.
> > > This patch fixes the issue by adding put_device() to devres list of
> > > the parent device.
> > 
> > Erm, if you do this, then shouldn't the device_unregister change to
> > device_del to keep the kref balanced?
> 
> Yes, it should. Weird, I added pr_info() (temporarily) to
> tpm_dev_release() and did occur only once and no crashes whatsoever.
> 
> Anyway, you're right.

Update:

https://github.com/jsakkine/linux-tpmdd/commit/a1aa547bbd2178628df798c27abaad073acb2441

I tested that the release gets called (as a sanity check).

Ack?

/Jarkko

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jason Gunthorpe]

On Tue, Feb 09, 2016 at 08:27:35AM +0200, Jarkko Sakkinen wrote:
> On Tue, Feb 09, 2016 at 08:19:51AM +0200, Jarkko Sakkinen wrote:
> > On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> > > On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > > > If the initialization fails before tpm_chip_register(), put_device()
> > > > will be not called, which causes release callback not to be called.
> > > > This patch fixes the issue by adding put_device() to devres list of
> > > > the parent device.
> > > 
> > > Erm, if you do this, then shouldn't the device_unregister change to
> > > device_del to keep the kref balanced?
> > 
> > Yes, it should. Weird, I added pr_info() (temporarily) to
> > tpm_dev_release() and did occur only once and no crashes whatsoever.

It is hard to make use after free show up in testing, testing does not
replace actually auditing these sorts of things.

> > Anyway, you're right.
> 
> Update:
> 
> https://github.com/jsakkine/linux-tpmdd/commit/a1aa547bbd2178628df798c27abaad073acb2441
> 
> I tested that the release gets called (as a sanity check).

Yeah,

Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>

Jason

Re: [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jason Gunthorpe]

On Tue, Feb 09, 2016 at 08:27:35AM +0200, Jarkko Sakkinen wrote:
> On Tue, Feb 09, 2016 at 08:19:51AM +0200, Jarkko Sakkinen wrote:
> > On Mon, Feb 08, 2016 at 10:26:55PM -0700, Jason Gunthorpe wrote:
> > > On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > > > If the initialization fails before tpm_chip_register(), put_device()
> > > > will be not called, which causes release callback not to be called.
> > > > This patch fixes the issue by adding put_device() to devres list of
> > > > the parent device.
> > > 
> > > Erm, if you do this, then shouldn't the device_unregister change to
> > > device_del to keep the kref balanced?
> > 
> > Yes, it should. Weird, I added pr_info() (temporarily) to
> > tpm_dev_release() and did occur only once and no crashes whatsoever.

It is hard to make use after free show up in testing, testing does not
replace actually auditing these sorts of things.

> > Anyway, you're right.
> 
> Update:
> 
> https://github.com/jsakkine/linux-tpmdd/commit/a1aa547bbd2178628df798c27abaad073acb2441
> 
> I tested that the release gets called (as a sanity check).

Yeah,

Reviewed-by: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>

Jason

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jason Gunthorpe]

On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> If the initialization fails before tpm_chip_register(), put_device()
> will be not called, which causes release callback not to be called.
> This patch fixes the issue by adding put_device() to devres list of
> the parent device.
> 
> Fixes: 313d21eeab ("tpm: device class for tpm")
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> cc: stable@vger.kernel.org
>  drivers/char/tpm/tpm-chip.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index 1a9dcee..ea904d1 100644
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -136,6 +136,8 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
>  	chip->cdev.owner = chip->pdev->driver->owner;
>  	chip->cdev.kobj.parent = &chip->dev.kobj;
>  
> +	devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
> +

Erm, don't forget the error handling here.

Something like this:

	rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
	if (rc) {
		put_device(&chip->dev);
		return ERR_PTR(rc);
	}

Jason

Re: [tpmdd-devel] [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Thu, Feb 11, 2016 at 12:34:15PM -0700, Jason Gunthorpe wrote:
> On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > If the initialization fails before tpm_chip_register(), put_device()
> > will be not called, which causes release callback not to be called.
> > This patch fixes the issue by adding put_device() to devres list of
> > the parent device.
> > 
> > Fixes: 313d21eeab ("tpm: device class for tpm")
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > cc: stable@vger.kernel.org
> >  drivers/char/tpm/tpm-chip.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> > index 1a9dcee..ea904d1 100644
> > +++ b/drivers/char/tpm/tpm-chip.c
> > @@ -136,6 +136,8 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
> >  	chip->cdev.owner = chip->pdev->driver->owner;
> >  	chip->cdev.kobj.parent = &chip->dev.kobj;
> >  
> > +	devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
> > +
> 
> Erm, don't forget the error handling here.
> 
> Something like this:
> 
> 	rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
> 	if (rc) {
> 		put_device(&chip->dev);
> 		return ERR_PTR(rc);
> 	}

I'll implement that as a separate commit since it is already in pull
request. Thanks.

/Jarkko

Re: [PATCH] tpm: fix the cleanup of struct tpm_chip

[Jarkko Sakkinen]

On Thu, Feb 11, 2016 at 12:34:15PM -0700, Jason Gunthorpe wrote:
> On Tue, Feb 09, 2016 at 05:30:30AM +0200, Jarkko Sakkinen wrote:
> > If the initialization fails before tpm_chip_register(), put_device()
> > will be not called, which causes release callback not to be called.
> > This patch fixes the issue by adding put_device() to devres list of
> > the parent device.
> > 
> > Fixes: 313d21eeab ("tpm: device class for tpm")
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
> > cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> >  drivers/char/tpm/tpm-chip.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> > index 1a9dcee..ea904d1 100644
> > +++ b/drivers/char/tpm/tpm-chip.c
> > @@ -136,6 +136,8 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
> >  	chip->cdev.owner = chip->pdev->driver->owner;
> >  	chip->cdev.kobj.parent = &chip->dev.kobj;
> >  
> > +	devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
> > +
> 
> Erm, don't forget the error handling here.
> 
> Something like this:
> 
> 	rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
> 	if (rc) {
> 		put_device(&chip->dev);
> 		return ERR_PTR(rc);
> 	}

I'll implement that as a separate commit since it is already in pull
request. Thanks.

/Jarkko

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140