From: Andrey Pronin <apronin@chromium.org>
To: peterhuewe@gmx.de, jarkko.sakkinen@linux.intel.com
Cc: jgg@ziepe.ca, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org, groeck@chromium.org,
	Andrey Pronin <apronin@chromium.org>
Subject: [PATCH] tpm: avoid accessing cleared ops during shutdown
Date: Thu,  9 Jul 2020 17:22:09 -0700
Message-ID: <20200710002209.6757-1-apronin@chromium.org>

This patch prevents NULL dereferencing when using chip->ops while
sending TPM2_Shutdown command if both tpm_class_shutdown handler and
tpm_del_char_device are called during system shutdown.

Both these handlers set chip->ops to NULL but don't check if it's
already NULL when they are called before using it.

This issue was revealed in Chrome OS after a recent set of changes
to the unregister order for spi controllers, such as:
  b4c6230bb0ba spi: Fix controller unregister order
  f40913d2dca1 spi: pxa2xx: Fix controller unregister order
and similar for other controllers.

Signed-off-by: Andrey Pronin <apronin@chromium.org>
---
 drivers/char/tpm/tpm-chip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 8c77e88012e9..a410ca40a3c5 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -296,7 +296,7 @@ static int tpm_class_shutdown(struct device *dev)
 	struct tpm_chip *chip = container_of(dev, struct tpm_chip, dev);
 
 	down_write(&chip->ops_sem);
-	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+	if (chip->ops && (chip->flags & TPM_CHIP_FLAG_TPM2)) {
 		if (!tpm_chip_start(chip)) {
 			tpm2_shutdown(chip, TPM2_SU_CLEAR);
 			tpm_chip_stop(chip);
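Review bot: the new `chip->ops &&` test in tpm_class_shutdown() carries no comment saying why ops can already be NULL at this point. The commit message explains it (the other handler may have run first and cleared it), but that reasoning is invisible to someone reading tpm-chip.c. A one-line comment above the `if` naming tpm_del_char_device() as the other place that clears ops would make the guard self-explanatory. The placement after down_write(&chip->ops_sem) looks right, since the test is then made under the same semaphore the other handler takes before touching ops.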
@@ -479,7 +479,7 @@ static void tpm_del_char_device(struct tpm_chip *chip)
 
 	/* Make the driver uncallable. */
 	down_write(&chip->ops_sem);
-	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+	if (chip->ops && (chip->flags & TPM_CHIP_FLAG_TPM2)) {
 		if (!tpm_chip_start(chip)) {
 			tpm2_shutdown(chip, TPM2_SU_CLEAR);
 			tpm_chip_stop(chip);
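Review bot: the guarded block in tpm_del_char_device() is now a line-for-line copy of the one in tpm_class_shutdown(): the same `chip->ops && (chip->flags & TPM_CHIP_FLAG_TPM2)` condition around the same tpm_chip_start() / tpm2_shutdown(chip, TPM2_SU_CLEAR) / tpm_chip_stop() sequence. Consider moving it into a small static helper taking chip, so the NULL check lives in one place and cannot be dropped from one copy later. Separately, when chip->ops is NULL the TPM2_Shutdown command is skipped without any trace; the commit message would be stronger if it said explicitly that skipping is the intended behaviour for whichever handler runs second.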
-- 
2.25.1

