* [PATCH 1/2] crypto/ccp: Cleanup misc_dev on sev_exit()
2020-03-03 13:57 [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit John Allen
@ 2020-03-03 13:57 ` John Allen
2020-03-06 15:56 ` Tom Lendacky
2020-03-03 13:57 ` [PATCH 2/2] crypto/ccp: Cleanup sp_dev_master in psp_dev_destroy() John Allen
2020-03-12 12:38 ` [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit Herbert Xu
2 siblings, 1 reply; 6+ messages in thread
From: John Allen @ 2020-03-03 13:57 UTC (permalink / raw)
To: linux-crypto
Cc: thomas.lendacky, herbert, davem, brijesh.singh, bp, linux-kernel,
John Allen
Explicitly free and clear misc_dev in sev_exit(). Since devm_kzalloc()
associates misc_dev with the first device that gets probed, change from
devm_kzalloc() to kzalloc() and explicitly free memory in sev_exit() as
the first device probed is not guaranteed to be the last device released.
To ensure that the variable gets properly set to NULL, remove the local
definition of misc_dev.
Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support")
Signed-off-by: John Allen <john.allen@amd.com>
---
drivers/crypto/ccp/sev-dev.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index e467860f797d..aa591dae067c 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -896,9 +896,9 @@ EXPORT_SYMBOL_GPL(sev_guest_df_flush);
static void sev_exit(struct kref *ref)
{
- struct sev_misc_dev *misc_dev = container_of(ref, struct sev_misc_dev, refcount);
-
misc_deregister(&misc_dev->misc);
+ kfree(misc_dev);
+ misc_dev = NULL;
}
static int sev_misc_init(struct sev_device *sev)
@@ -916,7 +916,7 @@ static int sev_misc_init(struct sev_device *sev)
if (!misc_dev) {
struct miscdevice *misc;
- misc_dev = devm_kzalloc(dev, sizeof(*misc_dev), GFP_KERNEL);
+ misc_dev = kzalloc(sizeof(*misc_dev), GFP_KERNEL);
if (!misc_dev)
return -ENOMEM;
--
2.18.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] crypto/ccp: Cleanup misc_dev on sev_exit()
2020-03-03 13:57 ` [PATCH 1/2] crypto/ccp: Cleanup misc_dev on sev_exit() John Allen
@ 2020-03-06 15:56 ` Tom Lendacky
0 siblings, 0 replies; 6+ messages in thread
From: Tom Lendacky @ 2020-03-06 15:56 UTC (permalink / raw)
To: John Allen, linux-crypto; +Cc: herbert, davem, brijesh.singh, bp, linux-kernel
On 3/3/20 7:57 AM, John Allen wrote:
> Explicitly free and clear misc_dev in sev_exit(). Since devm_kzalloc()
> associates misc_dev with the first device that gets probed, change from
> devm_kzalloc() to kzalloc() and explicitly free memory in sev_exit() as
> the first device probed is not guaranteed to be the last device released.
> To ensure that the variable gets properly set to NULL, remove the local
> definition of misc_dev.
>
> Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support")
> Signed-off-by: John Allen <john.allen@amd.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> drivers/crypto/ccp/sev-dev.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index e467860f797d..aa591dae067c 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -896,9 +896,9 @@ EXPORT_SYMBOL_GPL(sev_guest_df_flush);
>
> static void sev_exit(struct kref *ref)
> {
> - struct sev_misc_dev *misc_dev = container_of(ref, struct sev_misc_dev, refcount);
> -
> misc_deregister(&misc_dev->misc);
> + kfree(misc_dev);
> + misc_dev = NULL;
> }
>
> static int sev_misc_init(struct sev_device *sev)
> @@ -916,7 +916,7 @@ static int sev_misc_init(struct sev_device *sev)
> if (!misc_dev) {
> struct miscdevice *misc;
>
> - misc_dev = devm_kzalloc(dev, sizeof(*misc_dev), GFP_KERNEL);
> + misc_dev = kzalloc(sizeof(*misc_dev), GFP_KERNEL);
> if (!misc_dev)
> return -ENOMEM;
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 2/2] crypto/ccp: Cleanup sp_dev_master in psp_dev_destroy()
2020-03-03 13:57 [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit John Allen
2020-03-03 13:57 ` [PATCH 1/2] crypto/ccp: Cleanup misc_dev on sev_exit() John Allen
@ 2020-03-03 13:57 ` John Allen
2020-03-06 15:57 ` Tom Lendacky
2020-03-12 12:38 ` [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit Herbert Xu
2 siblings, 1 reply; 6+ messages in thread
From: John Allen @ 2020-03-03 13:57 UTC (permalink / raw)
To: linux-crypto
Cc: thomas.lendacky, herbert, davem, brijesh.singh, bp, linux-kernel,
John Allen
Introduce clear_psp_master_device() to ensure that sp_dev_master gets
properly cleared on the release of a psp device.
Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
Signed-off-by: John Allen <john.allen@amd.com>
---
drivers/crypto/ccp/psp-dev.c | 3 +++
drivers/crypto/ccp/sp-dev.h | 1 +
drivers/crypto/ccp/sp-pci.c | 9 +++++++++
3 files changed, 13 insertions(+)
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index e95e7aa5dbf1..ae7b44599914 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -215,6 +215,9 @@ void psp_dev_destroy(struct sp_device *sp)
tee_dev_destroy(psp);
sp_free_psp_irq(sp, psp);
+
+ if (sp->clear_psp_master_device)
+ sp->clear_psp_master_device(sp);
}
void psp_set_sev_irq_handler(struct psp_device *psp, psp_irq_handler_t handler,
diff --git a/drivers/crypto/ccp/sp-dev.h b/drivers/crypto/ccp/sp-dev.h
index 423594608ad1..f913f1494af9 100644
--- a/drivers/crypto/ccp/sp-dev.h
+++ b/drivers/crypto/ccp/sp-dev.h
@@ -90,6 +90,7 @@ struct sp_device {
/* get and set master device */
struct sp_device*(*get_psp_master_device)(void);
void (*set_psp_master_device)(struct sp_device *);
+ void (*clear_psp_master_device)(struct sp_device *);
bool irq_registered;
bool use_tasklet;
diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
index 56c1f61c0f84..cb6cb47053f4 100644
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -146,6 +146,14 @@ static struct sp_device *psp_get_master(void)
return sp_dev_master;
}
+static void psp_clear_master(struct sp_device *sp)
+{
+ if (sp == sp_dev_master) {
+ sp_dev_master = NULL;
+ dev_dbg(sp->dev, "Cleared sp_dev_master\n");
+ }
+}
+
static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
{
struct sp_device *sp;
@@ -206,6 +214,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
pci_set_master(pdev);
sp->set_psp_master_device = psp_set_master;
sp->get_psp_master_device = psp_get_master;
+ sp->clear_psp_master_device = psp_clear_master;
ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(48));
if (ret) {
--
2.18.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 2/2] crypto/ccp: Cleanup sp_dev_master in psp_dev_destroy()
2020-03-03 13:57 ` [PATCH 2/2] crypto/ccp: Cleanup sp_dev_master in psp_dev_destroy() John Allen
@ 2020-03-06 15:57 ` Tom Lendacky
0 siblings, 0 replies; 6+ messages in thread
From: Tom Lendacky @ 2020-03-06 15:57 UTC (permalink / raw)
To: John Allen, linux-crypto; +Cc: herbert, davem, brijesh.singh, bp, linux-kernel
On 3/3/20 7:57 AM, John Allen wrote:
> Introduce clear_psp_master_device() to ensure that sp_dev_master gets
> properly cleared on the release of a psp device.
>
> Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
> Signed-off-by: John Allen <john.allen@amd.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> drivers/crypto/ccp/psp-dev.c | 3 +++
> drivers/crypto/ccp/sp-dev.h | 1 +
> drivers/crypto/ccp/sp-pci.c | 9 +++++++++
> 3 files changed, 13 insertions(+)
>
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index e95e7aa5dbf1..ae7b44599914 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -215,6 +215,9 @@ void psp_dev_destroy(struct sp_device *sp)
> tee_dev_destroy(psp);
>
> sp_free_psp_irq(sp, psp);
> +
> + if (sp->clear_psp_master_device)
> + sp->clear_psp_master_device(sp);
> }
>
> void psp_set_sev_irq_handler(struct psp_device *psp, psp_irq_handler_t handler,
> diff --git a/drivers/crypto/ccp/sp-dev.h b/drivers/crypto/ccp/sp-dev.h
> index 423594608ad1..f913f1494af9 100644
> --- a/drivers/crypto/ccp/sp-dev.h
> +++ b/drivers/crypto/ccp/sp-dev.h
> @@ -90,6 +90,7 @@ struct sp_device {
> /* get and set master device */
> struct sp_device*(*get_psp_master_device)(void);
> void (*set_psp_master_device)(struct sp_device *);
> + void (*clear_psp_master_device)(struct sp_device *);
>
> bool irq_registered;
> bool use_tasklet;
> diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
> index 56c1f61c0f84..cb6cb47053f4 100644
> --- a/drivers/crypto/ccp/sp-pci.c
> +++ b/drivers/crypto/ccp/sp-pci.c
> @@ -146,6 +146,14 @@ static struct sp_device *psp_get_master(void)
> return sp_dev_master;
> }
>
> +static void psp_clear_master(struct sp_device *sp)
> +{
> + if (sp == sp_dev_master) {
> + sp_dev_master = NULL;
> + dev_dbg(sp->dev, "Cleared sp_dev_master\n");
> + }
> +}
> +
> static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
> {
> struct sp_device *sp;
> @@ -206,6 +214,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
> pci_set_master(pdev);
> sp->set_psp_master_device = psp_set_master;
> sp->get_psp_master_device = psp_get_master;
> + sp->clear_psp_master_device = psp_clear_master;
>
> ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(48));
> if (ret) {
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit
2020-03-03 13:57 [PATCH 0/2] crypto/ccp: Properly NULL variables on sev exit John Allen
2020-03-03 13:57 ` [PATCH 1/2] crypto/ccp: Cleanup misc_dev on sev_exit() John Allen
2020-03-03 13:57 ` [PATCH 2/2] crypto/ccp: Cleanup sp_dev_master in psp_dev_destroy() John Allen
@ 2020-03-12 12:38 ` Herbert Xu
2 siblings, 0 replies; 6+ messages in thread
From: Herbert Xu @ 2020-03-12 12:38 UTC (permalink / raw)
To: John Allen
Cc: linux-crypto, thomas.lendacky, davem, brijesh.singh, bp, linux-kernel
On Tue, Mar 03, 2020 at 07:57:22AM -0600, John Allen wrote:
> Stale pointers left in static variables misc_dev and sp_dev_master will
> trigger use-after-free error when DEBUG_TEST_DRIVER_REMOVE is configured.
>
> John Allen (2):
> crypto/ccp: Cleanup misc_dev on sev exit
> crypto/ccp: Cleanup sp_dev_master on psp device destroy
>
> drivers/crypto/ccp/psp-dev.c | 3 +++
> drivers/crypto/ccp/sev-dev.c | 6 +++---
> drivers/crypto/ccp/sp-dev.h | 1 +
> drivers/crypto/ccp/sp-pci.c | 9 +++++++++
> 4 files changed, 16 insertions(+), 3 deletions(-)
All applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 6+ messages in thread