Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp349679pxu; Fri, 4 Dec 2020 05:03:07 -0800 (PST) X-Google-Smtp-Source: ABdhPJwKbzg9T3lWhTEQVFYSMAKns4i3tmxvqIJJ4ZCPNrKkMUUVKhmSrspgt6SqJKgRtBb0m29L X-Received: by 2002:a17:906:1ca:: with SMTP id 10mr6811825ejj.246.1607086986944; Fri, 04 Dec 2020 05:03:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607086986; cv=none; d=google.com; s=arc-20160816; b=ZzCSAI19DKmTNyY6C+uG1A3/frmgmxRyX6NaRSSly9nEBKn0GhHPWMJvRE2pL/mqKE x6bMOK+A+oDwtWdRnvhgHwgVVBURlPMzxuExcNz1CEhR2II8oO1Ym9XxFDNg3YGAADgM iMFZg/I+RvT4QDBJEct4XeYAaVWEZBBjmo2E38/ddWDFfgMZnALeZL5ak/yNsNnTnfiS r3IjIe+gdTFONHYH/X4zrgafzPt59lXHgbW6QK66+NYqXp6ShWeAQfIQfyE1SEEHvIfV Pds9j1YCERo5K4gRTMHFt3dgGySP1RTLL/mKU2CVyBqi2EpY7bBsNA/LD4Xa9GjfGc5Y QC6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=mMB6TptaiGgF4Fosm42A4LHTb/bohqrND/1SgruKzRo=; b=BUv+47vh9E1/Prs6Mq2o+IuTpQvY9ZnU3ffXY1wdGav3Jbges80ocDuaCQ4ukcNIRX MKGH7ip4eISnC/WN5JprX3OcpC1GI1J9MKuGCWv5JN/PEAe75Udy8ecnjB0dGBsG7ORL lbYSR8BEp98pzw0LVykz4oE+ECQGoshDa4kjNEedBcFwLfQT0Vg8U5xpBqm+cvoFhx68 LWimixJ9oF60tCSzJKcdTPAm5I8/vwm8E7sCmAAyrX0xMObMFGmma0XzofTXs69UxhJ4 lwGeCwF7rxM5XJQaiM981USairGWYll+COhv7RGDXfXAyfs3IcPnktOlh64aY4rzl6To R9bQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ziepe.ca header.s=google header.b=EwWyGtpT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l25si2822167edt.137.2020.12.04.05.02.43; Fri, 04 Dec 2020 05:03:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ziepe.ca header.s=google header.b=EwWyGtpT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730234AbgLDM7E (ORCPT + 99 others); Fri, 4 Dec 2020 07:59:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726441AbgLDM7E (ORCPT ); Fri, 4 Dec 2020 07:59:04 -0500 Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0CB86C061A51 for ; Fri, 4 Dec 2020 04:58:24 -0800 (PST) Received: by mail-qt1-x843.google.com with SMTP id d5so3800275qtn.0 for ; Fri, 04 Dec 2020 04:58:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ziepe.ca; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=mMB6TptaiGgF4Fosm42A4LHTb/bohqrND/1SgruKzRo=; b=EwWyGtpTj94igDoF8XfgXRonTlvZx6CGc8I12BZB1X6VA+Fg+dcSxLIFNTW5ALVnOu SlEvcfbUm2Np8zJw2dvHlihTrqW6jxkbVPqYIpAV2Mcw8sDlEJGU2kcW9g/+BIyUDett Xdt5G5/1vrb+GgUEA4oV2nBf1NQ8z8DlqJBMUQJfoG4zDqSXK2DQPUO9kZR7rI2tZdU6 iM+A4bd8xrhG9YSPLO39gvlZlJvDGQFXC82Ko/2fNCEV1gEPPrOFFdl/jTFdnVNgSqK3 +XzA5cXaCbWTsd9yWvOxI4LocjRS2aB3+B3Sq1JEz1EctKYU/e26KHzWQieUiEwq1+vi S+Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=mMB6TptaiGgF4Fosm42A4LHTb/bohqrND/1SgruKzRo=; b=X1ESQa1mqZct4idbMVXCvVIwHmsufuhNL36kzqXuQ912FksFM+XUOB1vQQcM6XVpwT wFs6C5178EJfKRrE9edBCeJ9sa+5lM0BlQ7TZodTibVE4ms3Y5j/6Zbb0DiqAWMtQe4i 6BHkbyjoxnv81+B8kmscGu9ohnOU7dQct4aUmrPulTXa+K8M+0QxA3KtnLp1ufao5HsO nTNT48CUo5tsBxzGJ9N7kuJPzbeMLFZVlK+eOJ+9sNFlI6ojQ5r2Dfuh8wDlqXXHf5r6 5pDQoGFCooiI7TdPxNkQQc7BijWD0eRndJ3TnKnMlarL/Kx7WoByUo4+fuPqShHSVuww GTgQ== X-Gm-Message-State: AOAM532iUhfCXUGJf+YG4eoaFgc8K2h4DVKMNqFR06svC+D/plYpPLWp fJ0xUFRINexahXmlVzW7qDAnBw== X-Received: by 2002:ac8:678d:: with SMTP id b13mr9105807qtp.332.1607086703152; Fri, 04 Dec 2020 04:58:23 -0800 (PST) Received: from ziepe.ca ([206.223.160.26]) by smtp.gmail.com with ESMTPSA id 94sm4768303qtg.57.2020.12.04.04.58.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Dec 2020 04:58:22 -0800 (PST) Received: from jgg by mlx with local (Exim 4.94) (envelope-from ) id 1klAfF-005qwi-5P; Fri, 04 Dec 2020 08:58:21 -0400 Date: Fri, 4 Dec 2020 08:58:21 -0400 From: Jason Gunthorpe To: Sergey Temerkhanov Cc: Peter Huewe , Jarkko Sakkinen , Arnd Bergmann , Greg Kroah-Hartman , Jerry Snitselaar , linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH][RFC] tpm: Rework open/close/shutdown to avoid races Message-ID: <20201204125821.GW5487@ziepe.ca> References: <20201204101805.27374-1-s.temerkhanov@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201204101805.27374-1-s.temerkhanov@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 04, 2020 at 01:18:05PM +0300, Sergey Temerkhanov wrote: > Avoid race condition at shutdown by shutting downn the TPM 2.0 > devices synchronously. This eliminates the condition when the > shutdown sequence sets chip->ops to NULL leading to the following: > > [ 1586.593561][ T8669] tpm2_del_space+0x28/0x73 > [ 1586.598718][ T8669] tpmrm_release+0x27/0x33wq > [ 1586.603774][ T8669] __fput+0x109/0x1d > [ 1586.608380][ T8669] task_work_run+0x7c/0x90 > [ 1586.613414][ T8669] prepare_exit_to_usermode+0xb8/0x128 > [ 1586.619522][ T8669] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [ 1586.626068][ T8669] RIP: 0033:0x4cb4bb > > Signed-off-by: Sergey Temerkhanov > drivers/char/tpm/tpm-chip.c | 27 --------------------------- > drivers/char/tpm/tpm-dev.c | 11 ++++++----- > drivers/char/tpm/tpmrm-dev.c | 7 +++++++ > include/linux/tpm.h | 2 +- > 4 files changed, 14 insertions(+), 33 deletions(-) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index 1838039b0333..ede7f4790c5e 100644 > +++ b/drivers/char/tpm/tpm-chip.c > @@ -282,32 +282,6 @@ static void tpm_devs_release(struct device *dev) > put_device(&chip->dev); > } > > -/** > - * tpm_class_shutdown() - prepare the TPM device for loss of power. > - * @dev: device to which the chip is associated. > - * > - * Issues a TPM2_Shutdown command prior to loss of power, as required by the > - * TPM 2.0 spec. Then, calls bus- and device- specific shutdown code. > - * > - * Return: always 0 (i.e. success) > - */ > -static int tpm_class_shutdown(struct device *dev) > -{ > - struct tpm_chip *chip = container_of(dev, struct tpm_chip, dev); > - > - down_write(&chip->ops_sem); > - if (chip->flags & TPM_CHIP_FLAG_TPM2) { > - if (!tpm_chip_start(chip)) { > - tpm2_shutdown(chip, TPM2_SU_CLEAR); > - tpm_chip_stop(chip); > - } > - } > - chip->ops = NULL; > - up_write(&chip->ops_sem); > - > - return 0; > -} This does more than just call tpm2_shutdown, it exists to prevent use after free situations because the chip point can exist in other parts of the system beyond the lifetime of the driver. You can't call into the driver at all past shutdown, so moving tpm2_shutdown here: > @@ -39,6 +41,11 @@ static int tpmrm_release(struct inode *inode, struct file *file) > > tpm_common_release(file, fpriv); > tpm2_del_space(fpriv->chip, &priv->space); > + > + if (!atomic_dec_return(&fpriv->chip->is_open)) { > + tpm2_shutdown(fpriv->chip, TPM2_SU_CLEAR); > + tpm_chip_stop(fpriv->chip); > + } Is just wrong. Your bug is because tpmrm_release is not following the lifetime rules for chip, it probably needs to do a get on the pointer to be able to access the ops. Jason