Re: [PATCH 2/2] tpm: Fix crash on tmprm release

From: Jarkko Sakkinen
Date: Tue Jun 15 2021 - 09:18:53 EST

Next message: Michael Ellerman: "Re: [RFC PATCH 09/10] powerpc: snapshot thread flags"
Previous message: David Laight: "RE: [PATCH 1/3] riscv: optimized memcpy"
In reply to: Vincent Whitchurch: "[PATCH 2/2] tpm: Fix crash on tmprm release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 15, 2021 at 11:14:09AM +0200, Vincent Whitchurch wrote:
> If the tpm_tis module is removed (or a system shutdown is triggered)
> while the tpmrm device is use, the kernel crashes due to chip->ops being
> NULL:
>
> # exec 3<>/dev/tpmrm0
> # rmmod tpm_tis
> # exit
> ==================================================================
> BUG: KASAN: null-ptr-deref in tpm_chip_start+0x2d/0x120 [tpm]
> Read of size 8 at addr 0000000000000060 by task sh/994
>
> Call Trace:
> kasan_report.cold.13+0x10f/0x111
> tpm_chip_start+0x2d/0x120 [tpm]
> tpm2_del_space+0x2c/0xa0 [tpm]
> tpmrm_release+0x3f/0x50 [tpm]
> __fput+0x110/0x3c0
> task_work_run+0x94/0xd0
> do_exit+0x683/0x13e0
> do_group_exit+0x8b/0x140
> do_syscall_64+0x3c/0x80
> ==================================================================
>
> Fix this by making tpm2_del_space() use tpm_try_get_ops(). The latter
> already includes the calls to tpm_chip_start() and tpm_chip_stop().

This lacks explanation why migrating to tpm_try_get_ops() fixes the
issue. Saying that doing something fixes something is not good enough
explanation. So, can you extend this paragraph just a bit in the next
version?

>
> Signed-off-by: Vincent Whitchurch <vincent.whitchurch@xxxxxxxx>
> ---
> drivers/char/tpm/tpm2-space.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
> index 784b8b3cb903..e1111261021f 100644
> --- a/drivers/char/tpm/tpm2-space.c
> +++ b/drivers/char/tpm/tpm2-space.c
> @@ -58,12 +58,10 @@ int tpm2_init_space(struct tpm_space *space, unsigned int buf_size)
>
> void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
> {
> - mutex_lock(&chip->tpm_mutex);
> - if (!tpm_chip_start(chip)) {
> + if (!tpm_try_get_ops(chip)) {
> tpm2_flush_sessions(chip, space);
> - tpm_chip_stop(chip);
> + tpm_put_ops(chip);
> }
> - mutex_unlock(&chip->tpm_mutex);
> kfree(space->context_buf);
> kfree(space->session_buf);
> }
> --
> 2.28.0
>
>

/Jarkko

Next message: Michael Ellerman: "Re: [RFC PATCH 09/10] powerpc: snapshot thread flags"
Previous message: David Laight: "RE: [PATCH 1/3] riscv: optimized memcpy"
In reply to: Vincent Whitchurch: "[PATCH 2/2] tpm: Fix crash on tmprm release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]