Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp6305332rwb;
        Tue, 9 Aug 2022 12:49:28 -0700 (PDT)
X-Google-Smtp-Source: AA6agR5GeKGgK9MXzh8TeVv1rQSUxp/F/hk0zK4v7OZ0BR7WLgruTJEfiYa9fRTVKcrMqLtkAHIf
X-Received: by 2002:a17:90b:3d85:b0:1f7:6a32:3576 with SMTP id pq5-20020a17090b3d8500b001f76a323576mr79074pjb.187.1660074568558;
        Tue, 09 Aug 2022 12:49:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660074568; cv=none;
        d=google.com; s=arc-20160816;
        b=Ogn1qMS+sY630pLamGlp7Ns0TlVOyl8d2gaNXOH/treHye5ktQCYxL1cZxvhFnysEM
         8ivlgQlTUrCqokjGuV1UjIH+3WkmJLLTXKNOcHffPTbnDua3/7W4+h8TrLsfvt8q/gFl
         0xoVsSzaZJSGOT5EbX2ru9HTI6bbROU7GgJJf5icy48mlJsoMeIUlCQjvjQD57ymN+IR
         0X0q76jrijUZilYVgLTfmKOn5TlDmmDbA6dWs6/xWu1qdb/f0vXTvy11qhDqyiMR7Z1Z
         Gkl9bPj8ZiQVqLEtcg5M+S+A7kcj2LTg7IaFl9Pz+IetAYHGXWjSTaHFcGBaR/eucXYA
         tiMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=WQADmAbbPY4UNq4TbQtJ0wmwYjKdHy+t7oPSx2knkGw=;
        b=Bpwr56Si7LkHGj0EDaLOGjFWHg1O3/yJFyLVpHligNSivwslGhE1ln7PZR2IsqFPqM
         xwUCwxkuJ8F+fG7iX0L5oFoTCpzuMeyGuY/NOhiACXeZZgzAucxAVnYnZcc+Roo1E0XK
         4DH+UqFD13BPgZKi0UL+XXQXl7kA52tygd1wuX8OXciPGSsn+ic2/20FkFf2Vu7rbzGe
         RDKGg6ZwhwikmWdUyUqOG8TWRbaaLjkSqp28MyVU+1EOWteSdT8Hm/OiA+c6lzxX/ZUo
         O6d+of6d//w3FKgxl/wwc9BE5jscy4EE6tdx/tcU10tj04UhPDAGarHnpDRzZ9Jr1dL8
         LY2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b="T3xk/rfI";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id f11-20020a170902ce8b00b0016da4dcae60si17437416plg.64.2022.08.09.12.49.15;
        Tue, 09 Aug 2022 12:49:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b="T3xk/rfI";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1343742AbiHITkd (ORCPT <rfc822;andreas.noever@gmail.com>
        + 99 others); Tue, 9 Aug 2022 15:40:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41366 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243048AbiHITkE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Aug 2022 15:40:04 -0400
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B4DBC255BF
        for <linux-kernel@vger.kernel.org>; Tue,  9 Aug 2022 12:40:02 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id c16so131442qkk.10
        for <linux-kernel@vger.kernel.org>; Tue, 09 Aug 2022 12:40:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=WQADmAbbPY4UNq4TbQtJ0wmwYjKdHy+t7oPSx2knkGw=;
        b=T3xk/rfIHpnSaArGMKToaLTdDcPztKs73hwbF/4oilTSRO/u+Y5EH66x921BEN+iwS
         n8Efv/cl0XGLh75r3nPSGiSRcCWOIMa4+iO2L2boSNmbA+An9VwgOdQ57BecRqDId3cr
         93aVbwUsrAk/jVP3NrBx8OlA8Som+xmHbXQmc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=WQADmAbbPY4UNq4TbQtJ0wmwYjKdHy+t7oPSx2knkGw=;
        b=d2C1jOFvKDs0+HRy2jvoF1MGaFFiib+mbZl/eQbdbDCy0EogTGaaw235YseOjhUfgs
         EKh/YXvIz9DvTdDOIztLsXfSaNlUNTO1liaxNbTwsfU4n5cKFwFdYU7tN3vBxzRflE1w
         SFdRFEEp2DjEsQTIy12Sp8WshDwzRgvyzotvHwKDAtynyDCMviVQPADoKT868U6VdYIl
         0PBhpSv9cxsOUn2XLiUqBzDXt0jRMqgPMLFhV4m/Q2COzQY92UcMHr3ULoimzr4gYyBI
         qSLDhj6E+kmhs/0j1YNhukx3PVWisSt+m0bK47RotYJZOI6qvvvSLh/uqzhJkQ7BweH7
         ps1Q==
X-Gm-Message-State: ACgBeo3ROlhky58u4jCd4qrH32A2xHUzoxPKSpOXpx+rXn7aelaLRD8P
        fff2Nz/VMpypZ56uW7aP69bQnQ==
X-Received: by 2002:a05:620a:c4f:b0:6b8:ea30:2d4a with SMTP id u15-20020a05620a0c4f00b006b8ea302d4amr18690230qki.717.1660074001883;
        Tue, 09 Aug 2022 12:40:01 -0700 (PDT)
Received: from trappist.c.googlers.com.com (128.174.85.34.bc.googleusercontent.com. [34.85.174.128])
        by smtp.gmail.com with ESMTPSA id w19-20020a05620a445300b006b9264191b5sm9562422qkp.32.2022.08.09.12.40.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Aug 2022 12:40:01 -0700 (PDT)
From:   Sven van Ashbrook <svenva@chromium.org>
To:     Peter Huewe <peterhuewe@gmx.de>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Jason Gunthorpe <jgg@ziepe.ca>, Hao Wu <hao.wu@rubrik.com>,
        Yi Chou <yich@google.com>,
        Andrey Pronin <apronin@chromium.org>,
        Sven van Ashbrook <svenva@chromium.org>,
        James Morris <james.morris@microsoft.com>
Cc:     stable@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH] tpm: fix potential race condition in suspend/resume
Date:   Tue,  9 Aug 2022 19:39:18 +0000
Message-Id: <20220809193921.544546-1-svenva@chromium.org>
X-Mailer: git-send-email 2.37.1.559.g78731f0fdb-goog
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Concurrent accesses to the tpm chip are prevented by allowing only a
single thread at a time to obtain a tpm chip reference through
tpm_try_get_ops(). However, the tpm's suspend function does not use
this mechanism, so when the tpm api is called by a kthread which
does not get frozen on suspend (such as the hw_random kthread)
it's possible that the tpm is used when already in suspend, or
in use while in the process of suspending.

This is seen on certain ChromeOS platforms - low-probability warnings
are generated during suspend. In this case, the tpm attempted to read data
from a tpm chip on an already-suspended bus.

  i2c_designware i2c_designware.1: Transfer while suspended

Fix:
1. prevent concurrent execution of tpm accesses and suspend/
   resume, by letting suspend/resume grab the tpm_mutex.
2. before commencing a tpm access, check if the tpm chip is already
   suspended. Fail with -EAGAIN if so.

Tested by running 6000 suspend/resume cycles back-to-back on a
ChromeOS "brya" device. The intermittent warnings reliably
disappear after applying this patch. No system issues were observed.

Cc: <stable@vger.kernel.org>
Fixes: e891db1a18bf ("tpm: turn on TPM on suspend for TPM 1.x")
Signed-off-by: Sven van Ashbrook <svenva@chromium.org>
---
 drivers/char/tpm/tpm-interface.c | 16 ++++++++++++++++
 include/linux/tpm.h              |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 1621ce818705..16ca490fd483 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -82,6 +82,11 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip, void *buf, size_t bufsiz)
 		return -E2BIG;
 	}
 
+	if (chip->is_suspended) {
+		dev_info(&chip->dev, "blocking transmit while suspended\n");
+		return -EAGAIN;
+	}
+
 	rc = chip->ops->send(chip, buf, count);
 	if (rc < 0) {
 		if (rc != -EPIPE)
@@ -394,6 +399,8 @@ int tpm_pm_suspend(struct device *dev)
 	if (!chip)
 		return -ENODEV;
 
+	mutex_lock(&chip->tpm_mutex);
+
 	if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED)
 		goto suspended;
 
@@ -411,6 +418,11 @@ int tpm_pm_suspend(struct device *dev)
 	}
 
 suspended:
+	if (!rc)
+		chip->is_suspended = true;
+
+	mutex_unlock(&chip->tpm_mutex);
+
 	return rc;
 }
 EXPORT_SYMBOL_GPL(tpm_pm_suspend);
@@ -426,6 +438,10 @@ int tpm_pm_resume(struct device *dev)
 	if (chip == NULL)
 		return -ENODEV;
 
+	mutex_lock(&chip->tpm_mutex);
+	chip->is_suspended = false;
+	mutex_unlock(&chip->tpm_mutex);
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(tpm_pm_resume);
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index d7c67581929f..0fbc1a43ae80 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -131,6 +131,8 @@ struct tpm_chip {
 	int dev_num;		/* /dev/tpm# */
 	unsigned long is_open;	/* only one allowed */
 
+	bool is_suspended;
+
 	char hwrng_name[64];
 	struct hwrng hwrng;
 
-- 
2.37.1.559.g78731f0fdb-goog