All of lore.kernel.org
 help / color / mirror / Atom feed
From: Lino Sanfilippo <LinoSanfilippo@gmx.de>
To: Jason Gunthorpe <jgg@ziepe.ca>,
	Lino Sanfilippo <l.sanfilippo@kunbus.com>
Cc: peterhuewe@gmx.de, jarkko@kernel.org, stefanb@linux.vnet.ibm.com,
	James.Bottomley@hansenpartnership.com, stable@vger.kernel.org,
	linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip
Date: Fri, 5 Feb 2021 22:50:02 +0100	[thread overview]
Message-ID: <db7c90c3-d86a-65c9-81a2-be1527b47e11@gmx.de> (raw)
In-Reply-To: <20210205155808.GO4718@ziepe.ca>

On 05.02.21 at 16:58, Jason Gunthorpe wrote:
eference in the first place).
>
> No, they are all chained together because they are all in the same
> struct:
>
> struct tpm_chip {
> 	struct device dev;
> 	struct device devs;
> 	struct cdev cdev;
> 	struct cdev cdevs;
>
> dev holds the refcount on memory, when it goes 0 the whole thing is
> kfreed.
>
> The rule is dev's refcount can't go to zero while any other refcount
> is != 0.
>
> For instance devs holds a get on dev that is put back only when devs
> goes to 0:
>
> static void tpm_devs_release(struct device *dev)
> {
> 	struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);
>
> 	/* release the master device reference */
> 	put_device(&chip->dev);
> }
>
> Both cdev elements do something similar inside the cdev layer.

Well this chaining is exactly what does not work nowadays and what the patch is supposed
to fix: currently we dont ever take the extra ref (not even in TPM 2 case, note that
TPM_CHIP_FLAG_TMP2 is never set), so

-	if (chip->flags & TPM_CHIP_FLAG_TPM2)
-		get_device(&chip->dev);
+	get_device(&chip->dev);


and tpm_devs_release() is never called, since there is nothing that ever puts devs, so


+	rc = devm_add_action_or_reset(pdev,
+				      (void (*)(void *)) put_device,
+				      &chip->devs);


The race with only get_device()/putdevice() in tpm_common_open()/tpm_common_release() is:

1. tpm chip is allocated with dev refcount = 1, devs refcount = 1
2. /dev/tpmrm is opened but before we get the ref to dev in tpm_common() another thread
rmmmods the chip driver:
3. the chip is unregistered, dev is put with refcount = 0 and the whole chip struct is freed
3. Now open() proceeds, tries to grab the extra ref chip->dev from a chip that has already
been deallocated and the system crashes.

As I already wrote, that approach was my first thought, too, but since the result crashed due to the
race condition, I chose the approach in patch 1.

Regards,
Lino

> The net result is during any open() the tpm_chip is guarenteed to have
> a positive refcount.
>



  reply	other threads:[~2021-02-05 21:52 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-04 23:50 [PATCH v3 0/2] TPM fixes Lino Sanfilippo
2021-02-04 23:50 ` [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip Lino Sanfilippo
2021-02-05  0:46   ` Stefan Berger
2021-02-05  1:44     ` Stefan Berger
2021-02-05  2:01       ` James Bottomley
2021-02-05 10:52         ` Lino Sanfilippo
2021-02-05 13:29         ` Stefan Berger
2021-02-05 10:34     ` Lino Sanfilippo
2021-02-05  6:50   ` Greg KH
2021-02-05 13:05   ` Jason Gunthorpe
2021-02-05 14:55     ` Lino Sanfilippo
2021-02-05 15:15       ` Jason Gunthorpe
2021-02-05 15:50         ` Lino Sanfilippo
2021-02-05 15:58           ` Jason Gunthorpe
2021-02-05 21:50             ` Lino Sanfilippo [this message]
2021-02-06  0:39               ` Jason Gunthorpe
2021-02-04 23:50 ` [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid Lino Sanfilippo
2021-02-05  0:34   ` James Bottomley
2021-02-05  2:18     ` Jarkko Sakkinen
2021-02-05 16:48       ` James Bottomley
2021-02-05 17:25         ` Jason Gunthorpe
2021-02-05 17:54           ` James Bottomley
2021-02-06  1:02             ` Jason Gunthorpe
2021-02-06  1:08           ` James Bottomley
2021-02-06  1:34             ` Jason Gunthorpe
2021-02-09 11:52           ` Lino Sanfilippo
2021-02-09 13:36             ` Jason Gunthorpe
2021-02-09 13:39               ` Lino Sanfilippo
2021-02-12 11:02               ` Jarkko Sakkinen
2021-02-12 10:59             ` Jarkko Sakkinen
2021-02-14 17:22               ` Lino Sanfilippo
2021-02-05 10:30     ` Lino Sanfilippo
2021-03-06 16:07       ` Lino Sanfilippo
2021-02-05  6:51   ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=db7c90c3-d86a-65c9-81a2-be1527b47e11@gmx.de \
    --to=linosanfilippo@gmx.de \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=jarkko@kernel.org \
    --cc=jgg@ziepe.ca \
    --cc=l.sanfilippo@kunbus.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peterhuewe@gmx.de \
    --cc=stable@vger.kernel.org \
    --cc=stefanb@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.