On Wed, Jun 16, 2021 at 08:53:01PM +0200, Jason Gunthorpe wrote:

On Tue, Jun 15, 2021 at 11:14:08AM +0200, Vincent Whitchurch wrote:

quoted

The code added by commit 8979b02aaf1d6de8 ("tpm: Fix reference count to
main device") tries to take an extra reference to the main device only
for TPM2 by looking at the flags, but the flags are actually not set
at the time when tpm_chip_alloc() is called, so no extra reference is
ever taken, leading to a use-after-free if the TPM modules are removed
when the tpmrm device is in use.

Please read this

https://lore.kernel.org/linux-integrity/20210205172528.GP4718@ziepe.ca/ (local)

Thank you for the pointer.  I see that Lino already posted your proposal
as a real patch as you requested so I will drop this.

 https://lore.kernel.org/linux-integrity/1613949567-1181-2-git-send-email-LinoSanfilippo@gmx.de/ (local)