[PATCH] tpm: Fix the driver cleanup code

[PATCH] tpm: Fix the driver cleanup code

[Azhar Shaikh]

Commit 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout
the duration of transmit_cmd()") added code which accessed
chip->ops, even after it was set to NULL in tpm_del_char_device(),
called from tpm_chip_unregister() in error / driver exit paths.
So fix this code.

Fixes: 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout
the duration of transmit_cmd()")

Suggested-by: Javier Martinez Canillas <javierm@redhat.com>
Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Azhar Shaikh <azhar.shaikh@intel.com>
---
 drivers/char/tpm/tpm-chip.c     |  5 +++++
 drivers/char/tpm/tpm.h          |  1 +
 drivers/char/tpm/tpm_tis.c      |  8 ++------
 drivers/char/tpm/tpm_tis_core.c | 23 +++++++++++++++--------
 drivers/char/tpm/tpm_tis_spi.c  |  1 +
 5 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 0a62c19937b6..c88ec9a32a7e 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -346,6 +346,10 @@ static void tpm_del_char_device(struct tpm_chip *chip)
 	down_write(&chip->ops_sem);
 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
 		tpm2_shutdown(chip, TPM2_SU_CLEAR);
+	if (chip->flags & TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS) {
+		up_write(&chip->ops_sem);
+		return;
+	}
 	chip->ops = NULL;
 	up_write(&chip->ops_sem);
 }
@@ -454,6 +458,7 @@ int tpm_chip_register(struct tpm_chip *chip)
 
 	rc = tpm_add_legacy_sysfs(chip);
 	if (rc) {
+		chip->flags |= TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS;
 		tpm_chip_unregister(chip);
 		return rc;
 	}
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index f895fba4e20d..dc2a532649e0 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -183,6 +183,7 @@ enum tpm_chip_flags {
 	TPM_CHIP_FLAG_VIRTUAL		= BIT(3),
 	TPM_CHIP_FLAG_HAVE_TIMEOUTS	= BIT(4),
 	TPM_CHIP_FLAG_ALWAYS_POWERED	= BIT(5),
+	TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS	= BIT(6),
 };
 
 struct tpm_bios_log {
diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index d29add49b033..a146ef4e499b 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -273,11 +273,9 @@ static void tpm_tis_pnp_remove(struct pnp_dev *dev)
 	struct tpm_chip *chip = pnp_get_drvdata(dev);
 	struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
 
+	chip->flags |= TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS;
 	tpm_chip_unregister(chip);
 	tpm_tis_remove(chip);
-	if (is_bsw())
-		iounmap(priv->ilb_base_addr);
-
 }
 
 static struct pnp_driver tis_pnp_driver = {
@@ -326,12 +324,10 @@ static int tpm_tis_plat_remove(struct platform_device *pdev)
 	struct tpm_chip *chip = dev_get_drvdata(&pdev->dev);
 	struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
 
+	chip->flags |= TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS;
 	tpm_chip_unregister(chip);
 	tpm_tis_remove(chip);
 
-	if (is_bsw())
-		iounmap(priv->ilb_base_addr);
-
 	return 0;
 }
 
diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index c2227983ed88..d9099281fc2e 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -727,6 +727,14 @@ void tpm_tis_remove(struct tpm_chip *chip)
 
 	if (chip->ops->clk_enable != NULL)
 		chip->ops->clk_enable(chip, false);
+
+	if (chip->flags & TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS) {
+		down_write(&chip->ops_sem);
+		chip->ops = NULL;
+		up_write(&chip->ops_sem);
+	}
+	if (priv->ilb_base_addr)
+		iounmap(priv->ilb_base_addr);
 }
 EXPORT_SYMBOL_GPL(tpm_tis_remove);
 
@@ -922,21 +930,20 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
 	}
 
 	rc = tpm_chip_register(chip);
-	if (rc && is_bsw())
-		iounmap(priv->ilb_base_addr);
+	if (rc)
+		goto out_err;
 
 	if (chip->ops->clk_enable != NULL)
 		chip->ops->clk_enable(chip, false);
 
-	return rc;
-out_err:
-	tpm_tis_remove(chip);
-	if (is_bsw())
-		iounmap(priv->ilb_base_addr);
+	return 0;
 
-	if (chip->ops->clk_enable != NULL)
+out_err:
+	if ((chip->ops != NULL) && (chip->ops->clk_enable != NULL))
 		chip->ops->clk_enable(chip, false);
 
+	tpm_tis_remove(chip);
+
 	return rc;
 }
 EXPORT_SYMBOL_GPL(tpm_tis_core_init);
diff --git a/drivers/char/tpm/tpm_tis_spi.c b/drivers/char/tpm/tpm_tis_spi.c
index 424ff2fde1f2..79c18cfc6519 100644
--- a/drivers/char/tpm/tpm_tis_spi.c
+++ b/drivers/char/tpm/tpm_tis_spi.c
@@ -221,6 +221,7 @@ static int tpm_tis_spi_remove(struct spi_device *dev)
 {
 	struct tpm_chip *chip = spi_get_drvdata(dev);
 
+	chip->flags |= TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS;
 	tpm_chip_unregister(chip);
 	tpm_tis_remove(chip);
 	return 0;
-- 
1.9.1

Re: [PATCH] tpm: Fix the driver cleanup code

[Jason Gunthorpe]

On Thu, Dec 21, 2017 at 12:17:02PM -0800, Azhar Shaikh wrote:
> Commit 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout
> the duration of transmit_cmd()") added code which accessed
> chip->ops, even after it was set to NULL in tpm_del_char_device(),
> called from tpm_chip_unregister() in error / driver exit paths.
> So fix this code.
> 
> Fixes: 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout
> the duration of transmit_cmd()")
> 
> Suggested-by: Javier Martinez Canillas <javierm@redhat.com>
> Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
> Signed-off-by: Azhar Shaikh <azhar.shaikh@intel.com>
>  drivers/char/tpm/tpm-chip.c     |  5 +++++
>  drivers/char/tpm/tpm.h          |  1 +
>  drivers/char/tpm/tpm_tis.c      |  8 ++------
>  drivers/char/tpm/tpm_tis_core.c | 23 +++++++++++++++--------
>  drivers/char/tpm/tpm_tis_spi.c  |  1 +
>  5 files changed, 24 insertions(+), 14 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index 0a62c19937b6..c88ec9a32a7e 100644
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -346,6 +346,10 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>  	down_write(&chip->ops_sem);
>  	if (chip->flags & TPM_CHIP_FLAG_TPM2)
>  		tpm2_shutdown(chip, TPM2_SU_CLEAR);
> +	if (chip->flags & TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS) {
> +		up_write(&chip->ops_sem);
> +		return;
> +	}

Yikes, too ugly. Figure something else out.. ops->clk_enable is always
tpm_tis_clkrun_enable at this point, so maybe call it directly in
the removal path in tpm_tis_core?

Jason

RE: [PATCH] tpm: Fix the driver cleanup code

[Shaikh, Azhar]

>-----Original Message-----
>From: Jason Gunthorpe [mailto:jgg@ziepe.ca]
>Sent: Thursday, December 21, 2017 12:27 PM
>To: Shaikh, Azhar <azhar.shaikh@intel.com>
>Cc: jarkko.sakkinen@linux.intel.com; javierm@redhat.com;
>peterhuewe@gmx.de; linux-security-module@vger.kernel.org; linux-
>integrity@vger.kernel.org; linux-kernel@vger.kernel.org; tpmdd-
>devel@lists.sourceforge.net
>Subject: Re: [PATCH] tpm: Fix the driver cleanup code
>
>On Thu, Dec 21, 2017 at 12:17:02PM -0800, Azhar Shaikh wrote:
>> Commit 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout the
>> duration of transmit_cmd()") added code which accessed
>> chip->ops, even after it was set to NULL in tpm_del_char_device(),
>> called from tpm_chip_unregister() in error / driver exit paths.
>> So fix this code.
>>
>> Fixes: 3c1701339284353c41 ("tpm: Keep CLKRUN enabled throughout the
>> duration of transmit_cmd()")
>>
>> Suggested-by: Javier Martinez Canillas <javierm@redhat.com>
>> Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
>> Signed-off-by: Azhar Shaikh <azhar.shaikh@intel.com>
>>  drivers/char/tpm/tpm-chip.c     |  5 +++++
>>  drivers/char/tpm/tpm.h          |  1 +
>>  drivers/char/tpm/tpm_tis.c      |  8 ++------
>>  drivers/char/tpm/tpm_tis_core.c | 23 +++++++++++++++--------
>> drivers/char/tpm/tpm_tis_spi.c  |  1 +
>>  5 files changed, 24 insertions(+), 14 deletions(-)
>>
>> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
>> index 0a62c19937b6..c88ec9a32a7e 100644
>> +++ b/drivers/char/tpm/tpm-chip.c
>> @@ -346,6 +346,10 @@ static void tpm_del_char_device(struct tpm_chip
>*chip)
>>  	down_write(&chip->ops_sem);
>>  	if (chip->flags & TPM_CHIP_FLAG_TPM2)
>>  		tpm2_shutdown(chip, TPM2_SU_CLEAR);
>> +	if (chip->flags & TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS) {
>> +		up_write(&chip->ops_sem);
>> +		return;
>> +	}
>
>Yikes, too ugly. Figure something else out.. ops->clk_enable is always
>tpm_tis_clkrun_enable at this point, so maybe call it directly in the removal
>path in tpm_tis_core?
>

Yes I thought about it too. But if some other chip->ops function in future, which *might* be in this same case, hence for that introduced this flag.
I can use ops->clk_enable instead of introducing the new flag.

>Jason

Regards,
Azhar Shaikh

Re: [PATCH] tpm: Fix the driver cleanup code

[Jason Gunthorpe]

On Thu, Dec 21, 2017 at 08:31:14PM +0000, Shaikh, Azhar wrote:

> Yes I thought about it too. But if some other chip->ops function in
> future, which *might* be in this same case, hence for that
> introduced this flag.

It can't be - the ops struct is constant, can't be modified, and
tpm_tis_core controls what is set. If someone future person meddles in
this then they can fix here to.

Recommend a short comment in the ops clk_enale initializer and call direct?

Jason

RE: [PATCH] tpm: Fix the driver cleanup code

[Shaikh, Azhar]

>-----Original Message-----
>From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
>owner@vger.kernel.org] On Behalf Of Jason Gunthorpe
>Sent: Thursday, December 21, 2017 12:39 PM
>To: Shaikh, Azhar <azhar.shaikh@intel.com>
>Cc: jarkko.sakkinen@linux.intel.com; javierm@redhat.com;
>peterhuewe@gmx.de; linux-security-module@vger.kernel.org; linux-
>integrity@vger.kernel.org; linux-kernel@vger.kernel.org; tpmdd-
>devel@lists.sourceforge.net
>Subject: Re: [PATCH] tpm: Fix the driver cleanup code
>
>On Thu, Dec 21, 2017 at 08:31:14PM +0000, Shaikh, Azhar wrote:
>
>> Yes I thought about it too. But if some other chip->ops function in
>> future, which *might* be in this same case, hence for that introduced
>> this flag.
>
>It can't be - the ops struct is constant, can't be modified, and tpm_tis_core
>controls what is set. If someone future person meddles in this then they can
>fix here to.
>
Yes, I checked this part. What I was referring to is any other callback function similar to clk_enable if gets added in future and then needs to
Access ops even after it is set to NULL...

>Recommend a short comment in the ops clk_enale initializer and call direct?
>

But yes I get your point now.

So do you mean something like this?

diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index d9099281fc2e..1187e72483f2 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -716,8 +716,7 @@ void tpm_tis_remove(struct tpm_chip *chip)
        u32 interrupt;
        int rc;

-       if (chip->ops->clk_enable != NULL)
-               chip->ops->clk_enable(chip, true);
+       tpm_tis_clkrun_enable(chip, true);

        rc = tpm_tis_read32(priv, reg, &interrupt);
        if (rc < 0)
@@ -725,14 +724,8 @@ void tpm_tis_remove(struct tpm_chip *chip)

        tpm_tis_write32(priv, reg, ~TPM_GLOBAL_INT_ENABLE & interrupt);

-       if (chip->ops->clk_enable != NULL)
-               chip->ops->clk_enable(chip, false);
+       tpm_tis_clkrun_enable(chip, false);

-       if (chip->flags & TPM_CHIP_FLAG_DO_NOT_CLEAR_OPS) {
-               down_write(&chip->ops_sem);
-               chip->ops = NULL;
-               up_write(&chip->ops_sem);
-       }
        if (priv->ilb_base_addr)
                iounmap(priv->ilb_base_addr);
 }

>Jason

Regards,
Azhar Shaikh

Re: [PATCH] tpm: Fix the driver cleanup code

[Jason Gunthorpe]

On Thu, Dec 21, 2017 at 09:54:26PM +0000, Shaikh, Azhar wrote:

> Yes, I checked this part. What I was referring to is any other
> callback function similar to clk_enable if gets added in future and
> then needs to Access ops even after it is set to NULL...

You can't call callback functions after tpm_unregister_chip, it isn't
allowed.

This is a special case where we know the specific implementation of
this specific callback is OK.

> But yes I get your point now.
> 
> So do you mean something like this?

Yes

Jason