Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid

[PATCH v3 0/2] TPM fixes · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-02-04
[PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-02-04
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Stefan Berger <stefanb@linux.ibm.com> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Stefan Berger <stefanb@linux.ibm.com> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <hidden> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Stefan Berger <stefanb@linux.ibm.com> · 2021-02-06
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <hidden> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Greg KH <gregkh@linuxfoundation.org> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-06
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <hidden> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <hidden> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-02-05
Re: [PATCH v3 1/2] tpm: fix reference counting for struct tpm_chip · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-06
[PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-02-04
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-06
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-02-06
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-06
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <hidden> · 2021-02-09
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jason Gunthorpe <jgg@ziepe.ca> · 2021-02-09
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <hidden> · 2021-02-09
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-12
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-02-12
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-02-14
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <hidden> · 2021-02-05
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Lino Sanfilippo <LinoSanfilippo@gmx.de> · 2021-03-06
Re: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid · Greg KH <gregkh@linuxfoundation.org> · 2021-02-05

From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2021-02-05 02:19:59
Also in: linux-integrity, lkml

On Thu, Feb 04, 2021 at 04:34:11PM -0800, James Bottomley wrote:

On Fri, 2021-02-05 at 00:50 +0100, Lino Sanfilippo wrote:

quoted

From: Lino Sanfilippo <redacted>

In tpm2_del_space() chip->ops is used for flushing the sessions.
However
this function may be called after tpm_chip_unregister() which sets
the chip->ops pointer to NULL.
Avoid a possible NULL pointer dereference by checking if chip->ops is
still
valid before accessing it.

Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of
tpm_transmit()")
Signed-off-by: Lino Sanfilippo <redacted>
---
 drivers/char/tpm/tpm2-space.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-

space.c
index 784b8b3..9a29a40 100644

--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c

@@ -58,12 +58,17 @@ int tpm2_init_space(struct tpm_space *space,

unsigned int buf_size)
 
 void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
 {
-	mutex_lock(&chip->tpm_mutex);
-	if (!tpm_chip_start(chip)) {
-		tpm2_flush_sessions(chip, space);
-		tpm_chip_stop(chip);
+	down_read(&chip->ops_sem);
+	if (chip->ops) {
+		mutex_lock(&chip->tpm_mutex);
+		if (!tpm_chip_start(chip)) {
+			tpm2_flush_sessions(chip, space);
+			tpm_chip_stop(chip);
+		}
+		mutex_unlock(&chip->tpm_mutex);
 	}
-	mutex_unlock(&chip->tpm_mutex);
+	up_read(&chip->ops_sem);
+
 	kfree(space->context_buf);
 	kfree(space->session_buf);
 }


Actually, this still isn't right.  As I said to the last person who
reported this, we should be doing a get/put on the ops, not rolling our
own here:

https://lore.kernel.org/linux-integrity/e7566e1e48f5be9dca034b4bfb67683b5d3cb88f.camel@HansenPartnership.com/ (local)

The reporter went silent before we could get this tested, but could you
try, please, because your patch is still hand rolling the ops get/put,
just slightly better than it had been done previously.

James

Thanks for pointing this out. I'd strongly support Jason's proposal:

https://lore.kernel.org/linux-integrity/20201215175624.GG5487@ziepe.ca/ (local)

It's the best long-term way to fix this.

Honestly, I have to admit that this thread leaked from me. It happened
exactly at the time when I was on vacation. Something must have gone wrong
when I pulled emails after that.

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help