Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752377AbcD1IJ0 (ORCPT <rfc822;w@1wt.eu>);
	Thu, 28 Apr 2016 04:09:26 -0400
Received: from mga01.intel.com ([192.55.52.88]:22186 "EHLO mga01.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752287AbcD1IJT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 28 Apr 2016 04:09:19 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.24,546,1455004800"; 
   d="scan'208";a="968228150"
Message-ID: <1461830953.3482.1.camel@linux.intel.com>
Subject: Re: [PATCH] tpm: Fix IRQ unwind ordering in TIS
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>,
        linux-security-module@vger.kernel.org,
        tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Date: Thu, 28 Apr 2016 11:09:13 +0300
In-Reply-To: <20160427165846.GA17064@obsidianresearch.com>
References: <20160427165846.GA17064@obsidianresearch.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.18.5.2-0ubuntu1 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1683
Lines: 43

On Wed, 2016-04-27 at 10:58 -0600, Jason Gunthorpe wrote:
> The devm for the IRQ was placed on the chip, not the pdev. This can
> cause the irq to be still callable after the pdev has been cleaned up
> (eg priv kfree'd).
> 
> Found by CONFIG_DEBUG_SHIRQ=y
> 
> Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
> Tested-by:  Stefan Berger <stefanb@linux.vnet.ibm.com>

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

> ---
>  drivers/char/tpm/tpm_tis.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
> index a6b2d460bfc0..d88827046a42 100644
> --- a/drivers/char/tpm/tpm_tis.c
> +++ b/drivers/char/tpm/tpm_tis.c
> @@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
>  	intmask &= ~TPM_GLOBAL_INT_ENABLE;
>  	iowrite32(intmask,
>  		  priv->iobase + TPM_INT_ENABLE(priv->locality));
> -	devm_free_irq(&chip->dev, priv->irq, chip);
> +	devm_free_irq(chip->dev.parent, priv->irq, chip);
>  	priv->irq = 0;
>  	chip->flags &= ~TPM_CHIP_FLAG_IRQ;
>  }
> @@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32
> intmask,
>  	struct priv_data *priv = dev_get_drvdata(&chip->dev);
>  	u8 original_int_vec;
>  
> -	if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
> +	if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
>  			     dev_name(&chip->dev), chip) != 0) {
>  		dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
>  			 irq);