Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp125120ybt;
        Thu, 9 Jul 2020 17:23:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwzrfEtsqF9muqcjRitWqFgGg3FIbfS6zpyJnmbgObz6RCp9UmxGx3ztcsorHppQN7hoXAk
X-Received: by 2002:a05:6402:13d0:: with SMTP id a16mr74812046edx.269.1594340618221;
        Thu, 09 Jul 2020 17:23:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594340618; cv=none;
        d=google.com; s=arc-20160816;
        b=jhNDk7JjQpebfl2J1wQPclfs7iK1UNIfpbbju2QigwMMcFpt7v49Y0McMCwxl62E7s
         8DMw2TsifgoRRFdpNZlt+8TcanshlJXT3R62gpNQvMCPbvcUGPZtgbqVD+rGqguGKqu6
         bkz7xZ/OJpKGJvwZX51DdZjcU2ftstqjNnkp1+KrEmcxxsTmVEiDeKFP3MSZrUGtKbYf
         n0k5cWyHnBKSa9+yiugiuqnWUpxo+IDzPAJZnaHHHy4DIf/+gyq3A8Hg1kLamXjlyFFL
         R6+1nvURR4fdFufL3F8i86gyUX7iWJPEOlCSjhpwOmKzkkaaNVZgzLtNTY3h9I7dyS8o
         U49w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=ckUCzQFimvD7NIA+QWWbpWCLSB8Zqmc22c9Qilpan44=;
        b=OQI69AOwAjPoJJqMzQ4OJnj6fuNJCR7kIaZocynnBgQK8g2RaRP9tw2wKv5R7PW9+m
         Et2d2gp5yX/4VLkQrkDkzHvBHdprtMLUCVbBicLAC3Z+Pd9UtVti8CrkpRHj6iZueBuF
         ypApSjAP946ZXlZ0X47XnWvDdQijQLmCPKMwdkg1QVrIVNtzCnmv6TrkE8sqMmDtj0gi
         SgIm2vNocSEzELUrus3Walq5JQVxwTSlcq91wE0SSvt5N66vVLO6iR+gdNoe7qRjWDsU
         A4ktiw5D78Ah+Zt6idawgrzPAFIlwTQOF1Z7b4P9h7LjuSi7v6PIbUC3RPFPKuYQ7918
         nwmA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=ckgoHMtu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i3si3112871edy.403.2020.07.09.17.23.15;
        Thu, 09 Jul 2020 17:23:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=ckgoHMtu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726446AbgGJAW1 (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Thu, 9 Jul 2020 20:22:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54664 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726268AbgGJAW1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Jul 2020 20:22:27 -0400
Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com [IPv6:2607:f8b0:4864:20::444])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 157E4C08C5CE
        for <linux-kernel@vger.kernel.org>; Thu,  9 Jul 2020 17:22:27 -0700 (PDT)
Received: by mail-pf1-x444.google.com with SMTP id x72so1734247pfc.6
        for <linux-kernel@vger.kernel.org>; Thu, 09 Jul 2020 17:22:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ckUCzQFimvD7NIA+QWWbpWCLSB8Zqmc22c9Qilpan44=;
        b=ckgoHMtuW/ok71oWR0jOY1AL7WiG2m/KZ0cSVRSnnNLRJGV4T3oyqnZe4i6+5CiH6T
         ZUv0jWl8XzBU6YDr5Zat6lHWAaAMqb4UBToJjBPAwJSzaOjfQww1OsjiKl3BAS9eiUKv
         iWhKmfG3dMoPDC0aGyfFjaEzw5XakcyXRvrLY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ckUCzQFimvD7NIA+QWWbpWCLSB8Zqmc22c9Qilpan44=;
        b=XEy9wyd9re5vrHEmgbnRz2M70WQ92PDTHr6qzn0+zhkUzocUwQIyp4ZeFHQDaPc+lg
         Djy4hfs3VMd/YOl8IyOus6pc9SjHF+o1+JK7IzTr02u2jRWBXeoqdF0lppqvEa+1h/wf
         1eWPK+80ASgbO1WW9lNrtFldcNqkUq2mPMA5sIMi+AGNFTtxi9elhlGJvxx4/kl0s7/f
         9I0QNeX8ifYDy4zQ7SGE9ZNhMkwx4ysmJG3GXbbnE1X1m+21nYC2RmYmD3VdwWAqmtdD
         yGwOiGgVDGltzAImy8CZfV3ze8w8hp+fQneIftsFxgnLMFZbVYDcRb1ImRCK5qWx9TKI
         DgJQ==
X-Gm-Message-State: AOAM5316wuKm1Glgz64mbOorumV7S/MtgOMhTzuJLc9OXEJiCAokM2KL
        woDp0u9/yRvarYhh53SqI+RJiw==
X-Received: by 2002:a63:4c48:: with SMTP id m8mr57041634pgl.290.1594340546587;
        Thu, 09 Jul 2020 17:22:26 -0700 (PDT)
Received: from andrey-Z390.lan (c-67-164-102-32.hsd1.ca.comcast.net. [67.164.102.32])
        by smtp.gmail.com with ESMTPSA id i63sm3840181pfc.22.2020.07.09.17.22.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Jul 2020 17:22:26 -0700 (PDT)
From:   Andrey Pronin <apronin@chromium.org>
To:     peterhuewe@gmx.de, jarkko.sakkinen@linux.intel.com
Cc:     jgg@ziepe.ca, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org, groeck@chromium.org,
        Andrey Pronin <apronin@chromium.org>
Subject: [PATCH] tpm: avoid accessing cleared ops during shutdown
Date:   Thu,  9 Jul 2020 17:22:09 -0700
Message-Id: <20200710002209.6757-1-apronin@chromium.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch prevents NULL dereferencing when using chip->ops while
sending TPM2_Shutdown command if both tpm_class_shutdown handler and
tpm_del_char_device are called during system shutdown.

Both these handlers set chip->ops to NULL but don't check if it's
already NULL when they are called before using it.

This issue was revealed in Chrome OS after a recent set of changes
to the unregister order for spi controllers, such as:
  b4c6230bb0ba spi: Fix controller unregister order
  f40913d2dca1 spi: pxa2xx: Fix controller unregister order
and similar for other controllers.

Signed-off-by: Andrey Pronin <apronin@chromium.org>
---
 drivers/char/tpm/tpm-chip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 8c77e88012e9..a410ca40a3c5 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -296,7 +296,7 @@ static int tpm_class_shutdown(struct device *dev)
 	struct tpm_chip *chip = container_of(dev, struct tpm_chip, dev);
 
 	down_write(&chip->ops_sem);
-	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+	if (chip->ops && (chip->flags & TPM_CHIP_FLAG_TPM2)) {
 		if (!tpm_chip_start(chip)) {
 			tpm2_shutdown(chip, TPM2_SU_CLEAR);
 			tpm_chip_stop(chip);
@@ -479,7 +479,7 @@ static void tpm_del_char_device(struct tpm_chip *chip)
 
 	/* Make the driver uncallable. */
 	down_write(&chip->ops_sem);
-	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+	if (chip->ops && (chip->flags & TPM_CHIP_FLAG_TPM2)) {
 		if (!tpm_chip_start(chip)) {
 			tpm2_shutdown(chip, TPM2_SU_CLEAR);
 			tpm_chip_stop(chip);
-- 
2.25.1