From: Lino Sanfilippo <l.sanfilippo@kunbus.com>
To: Jason Gunthorpe <jgg@ziepe.ca>, Lino Sanfilippo <LinoSanfilippo@gmx.de>
Cc: peterhuewe@gmx.de, jarkko@kernel.org, stefanb@linux.vnet.ibm.com,
James.Bottomley@hansenpartnership.com, stable@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip
Date: Fri, 5 Feb 2021 15:55:09 +0100 [thread overview]
Message-ID: <3b821bf9-0f54-3473-d934-61c0c29f8957@kunbus.com> (raw)
In-Reply-To: <20210205130511.GI4718@ziepe.ca>
Hi,
On 05.02.21 14:05, Jason Gunthorpe wrote:
>>
>> Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
>> already introduced function tpm_devs_release() to release the extra
>> reference but did not implement the required put on chip->devs that results
>> in the call of this function.
>
> Seems wonky, the devs is just supposed to be a side thing, nothing
> should be using it as a primary reference count for a tpm.
>
> The bug here is only that tpm_common_open() did not get a kref on the
> chip before putting it in priv and linking it to the fd. See the
> comment before tpm_try_get_ops() indicating the caller must already
> have taken care to ensure the chip is valid.
>
> This should be all you need to fix the oops:
>
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index 1784530b8387bb..1b738dca7fffb5 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -105,6 +105,7 @@ static void tpm_timeout_work(struct work_struct *work)
> void tpm_common_open(struct file *file, struct tpm_chip *chip,
> struct file_priv *priv, struct tpm_space *space)
> {
> + get_device(&priv->chip.dev);
> priv->chip = chip;
> priv->space = space;
> priv->response_read = true;
This is racy, isnt it? The time between we open the file and we want to grab the
reference in common_open() the chip can already be unregistered and freed.
As a matter of fact this solution was the first thing that came into my mind, too,
until I noticed the possible race condition. I can only guess that this was what
James had in mind when he chose to take the extra reference to chip->dev in
tpm_chip_alloc() instead of common_open().
>> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
>> index ddaeceb..3ace199 100644
>> +++ b/drivers/char/tpm/tpm-chip.c
>> @@ -360,8 +360,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev,
>> * while cdevs is in use. The corresponding put
>> * is in the tpm_devs_release (TPM2 only)
>> */
>> - if (chip->flags & TPM_CHIP_FLAG_TPM2)
>> - get_device(&chip->dev);
>> + get_device(&chip->dev);
>>
>> if (chip->dev_num == 0)
>> chip->dev.devt = MKDEV(MISC_MAJOR, TPM_MINOR);
>> @@ -422,8 +421,21 @@ struct tpm_chip *tpmm_chip_alloc(struct device *pdev,
>> rc = devm_add_action_or_reset(pdev,
>> (void (*)(void *)) put_device,
>> &chip->dev);
>> - if (rc)
>> + if (rc) {
>> + put_device(&chip->devs);
>> return ERR_PTR(rc);
>
> This isn't right read what 'or_reset' does
>
In case of failure installing the action handler devm_add_action_or_reset() puts
chip->dev for us. But we also have put chip->devs since we have retrieved a
reference to both chip->dev and chip->devs. Or do I miss something here?
> Jason
>
Regards,
Lino
next prev parent reply other threads:[~2021-02-05 22:41 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-04 23:50 [PATCH v3 0/2] TPM fixes Lino Sanfilippo
2021-02-04 23:50 ` [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip Lino Sanfilippo
2021-02-05 0:46 ` Stefan Berger
2021-02-05 1:44 ` Stefan Berger
2021-02-05 2:01 ` James Bottomley
2021-02-05 10:52 ` Lino Sanfilippo
2021-02-05 13:29 ` Stefan Berger
2021-02-05 10:34 ` Lino Sanfilippo
2021-02-05 6:50 ` Greg KH
2021-02-05 13:05 ` Jason Gunthorpe
2021-02-05 14:55 ` Lino Sanfilippo [this message]
2021-02-05 15:15 ` Jason Gunthorpe
2021-02-05 15:50 ` Lino Sanfilippo
2021-02-05 15:58 ` Jason Gunthorpe
2021-02-05 21:50 ` Lino Sanfilippo
2021-02-06 0:39 ` Jason Gunthorpe
2021-02-04 23:50 ` [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid Lino Sanfilippo
2021-02-05 0:34 ` James Bottomley
2021-02-05 2:18 ` Jarkko Sakkinen
2021-02-05 16:48 ` James Bottomley
2021-02-05 17:25 ` Jason Gunthorpe
2021-02-05 17:54 ` James Bottomley
2021-02-06 1:02 ` Jason Gunthorpe
2021-02-06 1:08 ` James Bottomley
2021-02-06 1:34 ` Jason Gunthorpe
2021-02-09 11:52 ` Lino Sanfilippo
2021-02-09 13:36 ` Jason Gunthorpe
2021-02-09 13:39 ` Lino Sanfilippo
2021-02-12 11:02 ` Jarkko Sakkinen
2021-02-12 10:59 ` Jarkko Sakkinen
2021-02-14 17:22 ` Lino Sanfilippo
2021-02-05 10:30 ` Lino Sanfilippo
2021-03-06 16:07 ` Lino Sanfilippo
2021-02-05 6:51 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3b821bf9-0f54-3473-d934-61c0c29f8957@kunbus.com \
--to=l.sanfilippo@kunbus.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=LinoSanfilippo@gmx.de \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=stable@vger.kernel.org \
--cc=stefanb@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.