Some SPI controller drivers unregister the controller in the shutdown
handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
chip->ops may be accessed when it is already NULL:
At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
(tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
calls chip->ops->clk_enable).
Avoid the NULL pointer access by testing if chip->ops is valid and skipping
the TPM 2 shutdown procedure in case it is NULL.
Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
Cc: [email protected]
Signed-off-by: Lino Sanfilippo <[email protected]>
---
Changes to v2:
- rephrased the commit message to clarify the circumstances under which
this bug triggers (as requested by Jarkko)
I was able to reproduce this issue with a SLB 9670 TPM chip controlled by
a BCM2835 SPI controller.
The approach to fix this issue in the BCM2835 driver was rejected after a
discussion on the mailing list:
https://marc.info/?l=linux-integrity&m=163285906725367&w=2
The reason for the rejection was the realization, that this issue should rather
be fixed in the TPM code:
https://marc.info/?l=linux-spi&m=163311087423271&w=2
So this is the reworked version of a patch that is supposed to do that.
drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index ddaeceb7e109..7960da490e72 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
/* Make the driver uncallable. */
down_write(&chip->ops_sem);
- if (chip->flags & TPM_CHIP_FLAG_TPM2) {
- if (!tpm_chip_start(chip)) {
- tpm2_shutdown(chip, TPM2_SU_CLEAR);
- tpm_chip_stop(chip);
+ /* Check if chip->ops is still valid: In case that the controller
+ * drivers shutdown handler unregisters the controller in its
+ * shutdown handler we are called twice and chip->ops to NULL.
+ */
+ if (chip->ops) {
+ if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+ if (!tpm_chip_start(chip)) {
+ tpm2_shutdown(chip, TPM2_SU_CLEAR);
+ tpm_chip_stop(chip);
+ }
}
+ chip->ops = NULL;
}
- chip->ops = NULL;
up_write(&chip->ops_sem);
}
base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
--
2.34.1
Hi,
the patch below should also fix the issue that Stefan reported here:
https://marc.info/?l=linux-integrity&m=163927245509564&w=2
Regards,
Lino
On 20.12.21 at 16:06, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: [email protected]
> Signed-off-by: Lino Sanfilippo <[email protected]>
> ---
>
> Changes to v2:
> - rephrased the commit message to clarify the circumstances under which
> this bug triggers (as requested by Jarkko)
>
>
> I was able to reproduce this issue with a SLB 9670 TPM chip controlled by
> a BCM2835 SPI controller.
>
> The approach to fix this issue in the BCM2835 driver was rejected after a
> discussion on the mailing list:
>
> https://marc.info/?l=linux-integrity&m=163285906725367&w=2
>
> The reason for the rejection was the realization, that this issue should rather
> be fixed in the TPM code:
>
> https://marc.info/?l=linux-spi&m=163311087423271&w=2
>
> So this is the reworked version of a patch that is supposed to do that.
>
>
> drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index ddaeceb7e109..7960da490e72 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>
> /* Make the driver uncallable. */
> down_write(&chip->ops_sem);
> - if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> - if (!tpm_chip_start(chip)) {
> - tpm2_shutdown(chip, TPM2_SU_CLEAR);
> - tpm_chip_stop(chip);
> + /* Check if chip->ops is still valid: In case that the controller
> + * drivers shutdown handler unregisters the controller in its
> + * shutdown handler we are called twice and chip->ops to NULL.
> + */
> + if (chip->ops) {
> + if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> + if (!tpm_chip_start(chip)) {
> + tpm2_shutdown(chip, TPM2_SU_CLEAR);
> + tpm_chip_stop(chip);
> + }
> }
> + chip->ops = NULL;
> }
> - chip->ops = NULL;
> up_write(&chip->ops_sem);
> }
>
>
> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
>
On 12/20/21 10:06, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: [email protected]
> Signed-off-by: Lino Sanfilippo <[email protected]>
> ---
>
> Changes to v2:
> - rephrased the commit message to clarify the circumstances under which
> this bug triggers (as requested by Jarkko)
>
>
> I was able to reproduce this issue with a SLB 9670 TPM chip controlled by
> a BCM2835 SPI controller.
>
> The approach to fix this issue in the BCM2835 driver was rejected after a
> discussion on the mailing list:
>
> https://marc.info/?l=linux-integrity&m=163285906725367&w=2
>
> The reason for the rejection was the realization, that this issue should rather
> be fixed in the TPM code:
>
> https://marc.info/?l=linux-spi&m=163311087423271&w=2
>
> So this is the reworked version of a patch that is supposed to do that.
>
>
> drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index ddaeceb7e109..7960da490e72 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>
> /* Make the driver uncallable. */
> down_write(&chip->ops_sem);
> - if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> - if (!tpm_chip_start(chip)) {
> - tpm2_shutdown(chip, TPM2_SU_CLEAR);
> - tpm_chip_stop(chip);
> + /* Check if chip->ops is still valid: In case that the controller
> + * drivers shutdown handler unregisters the controller in its
> + * shutdown handler we are called twice and chip->ops to NULL.
> + */
> + if (chip->ops) {
> + if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> + if (!tpm_chip_start(chip)) {
> + tpm2_shutdown(chip, TPM2_SU_CLEAR);
> + tpm_chip_stop(chip);
> + }
> }
> + chip->ops = NULL;
> }
> - chip->ops = NULL;
> up_write(&chip->ops_sem);
> }
>
>
> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and
vio_bus")
Reviewed-by: Stefan Berger <[email protected]>
Tested-by: Stefan Berger <[email protected]>
Hi Stefan,
On 22.12.21 at 05:53, Stefan Berger wrote:
>>
>> drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
>> 1 file changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
>> index ddaeceb7e109..7960da490e72 100644
>> --- a/drivers/char/tpm/tpm-chip.c
>> +++ b/drivers/char/tpm/tpm-chip.c
>> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>> /* Make the driver uncallable. */
>> down_write(&chip->ops_sem);
>> - if (chip->flags & TPM_CHIP_FLAG_TPM2) {
>> - if (!tpm_chip_start(chip)) {
>> - tpm2_shutdown(chip, TPM2_SU_CLEAR);
>> - tpm_chip_stop(chip);
>> + /* Check if chip->ops is still valid: In case that the controller
>> + * drivers shutdown handler unregisters the controller in its
>> + * shutdown handler we are called twice and chip->ops to NULL.
>> + */
>> + if (chip->ops) {
>> + if (chip->flags & TPM_CHIP_FLAG_TPM2) {
>> + if (!tpm_chip_start(chip)) {
>> + tpm2_shutdown(chip, TPM2_SU_CLEAR);
>> + tpm_chip_stop(chip);
>> + }
>> }
>> + chip->ops = NULL;
>> }
>> - chip->ops = NULL;
>> up_write(&chip->ops_sem);
>> }
>>
>> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
>
>
> Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus")
>
> Reviewed-by: Stefan Berger <[email protected]>
>
> Tested-by: Stefan Berger <[email protected]>
>
>
Thanks a lot for testing this.
Best regards,
Lino
On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: [email protected]
> Signed-off-by: Lino Sanfilippo <[email protected]>
Thank you.
Reviewed-by: Jarkko Sakkinen <[email protected]>
BR,
Jarkko
Hi,
On 29.12.21 at 01:13, Jarkko Sakkinen wrote:
> On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote:
>> Some SPI controller drivers unregister the controller in the shutdown
>> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
>> chip->ops may be accessed when it is already NULL:
>>
>> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
>> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
>> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
>> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
>> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
>> calls chip->ops->clk_enable).
>>
>> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
>> the TPM 2 shutdown procedure in case it is NULL.
>>
>> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
>> Cc: [email protected]
>> Signed-off-by: Lino Sanfilippo <[email protected]>
>
> Thank you.
>
> Reviewed-by: Jarkko Sakkinen <[email protected]>
>
> BR,
> Jarkko
>
Thanks a lot for the review. Please note that the latest version is v3 which
contains one more Fixes tag and also a tag for the review by Stefan. I also
adjusted the source code comment in that version which I somehow messed up in v2.
Regards,
Lino
On Wed, Dec 29, 2021 at 02:41:52AM +0100, Lino Sanfilippo wrote:
> Hi,
>
> On 29.12.21 at 01:13, Jarkko Sakkinen wrote:
> > On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote:
> >> Some SPI controller drivers unregister the controller in the shutdown
> >> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> >> chip->ops may be accessed when it is already NULL:
> >>
> >> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> >> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> >> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> >> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> >> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> >> calls chip->ops->clk_enable).
> >>
> >> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> >> the TPM 2 shutdown procedure in case it is NULL.
> >>
> >> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> >> Cc: [email protected]
> >> Signed-off-by: Lino Sanfilippo <[email protected]>
> >
> > Thank you.
> >
> > Reviewed-by: Jarkko Sakkinen <[email protected]>
> >
> > BR,
> > Jarkko
> >
>
> Thanks a lot for the review. Please note that the latest version is v3 which
> contains one more Fixes tag and also a tag for the review by Stefan. I also
> adjusted the source code comment in that version which I somehow messed up in v2.
Since there is no functional difference, I rather do not swap it.
I fixed a glitch:
+
+ /*
A multi-line commit needs to have this as the very first line.
You can check if the all tags were pulled by b4.
/Jarkko
On 29.12.21 at 02:46, Jarkko Sakkinen wrote:
>
> Since there is no functional difference, I rather do not swap it.
>
> I fixed a glitch:
>
> +
> + /*
>
> A multi-line commit needs to have this as the very first line.
> You can check if the all tags were pulled by b4.
>
> /Jarkko
>
I see, thanks for fixing the comment then.
Regards,
Lino