| Message ID | 20210615091410.17007-2-vincent.whitchurch@axis.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] tpm: Fix tpmrm reference counting | expand |
On Tue, Jun 15, 2021 at 11:14:09AM +0200, Vincent Whitchurch wrote: > If the tpm_tis module is removed (or a system shutdown is triggered) > while the tpmrm device is use, the kernel crashes due to chip->ops being > NULL: > > # exec 3<>/dev/tpmrm0 > # rmmod tpm_tis > # exit > ================================================================== > BUG: KASAN: null-ptr-deref in tpm_chip_start+0x2d/0x120 [tpm] > Read of size 8 at addr 0000000000000060 by task sh/994 > > Call Trace: > kasan_report.cold.13+0x10f/0x111 > tpm_chip_start+0x2d/0x120 [tpm] > tpm2_del_space+0x2c/0xa0 [tpm] > tpmrm_release+0x3f/0x50 [tpm] > __fput+0x110/0x3c0 > task_work_run+0x94/0xd0 > do_exit+0x683/0x13e0 > do_group_exit+0x8b/0x140 > do_syscall_64+0x3c/0x80 > ================================================================== > > Fix this by making tpm2_del_space() use tpm_try_get_ops(). The latter > already includes the calls to tpm_chip_start() and tpm_chip_stop(). This lacks explanation why migrating to tpm_try_get_ops() fixes the issue. Saying that doing something fixes something is not good enough explanation. So, can you extend this paragraph just a bit in the next version? > > Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> > --- > drivers/char/tpm/tpm2-space.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c > index 784b8b3cb903..e1111261021f 100644 > --- a/drivers/char/tpm/tpm2-space.c > +++ b/drivers/char/tpm/tpm2-space.c > @@ -58,12 +58,10 @@ int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) > > void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) > { > - mutex_lock(&chip->tpm_mutex); > - if (!tpm_chip_start(chip)) { > + if (!tpm_try_get_ops(chip)) { > tpm2_flush_sessions(chip, space); > - tpm_chip_stop(chip); > + tpm_put_ops(chip); > } > - mutex_unlock(&chip->tpm_mutex); > kfree(space->context_buf); > kfree(space->session_buf); > } > -- > 2.28.0 > > /Jarkko
On Tue, Jun 15, 2021 at 03:18:48PM +0200, Jarkko Sakkinen wrote: > On Tue, Jun 15, 2021 at 11:14:09AM +0200, Vincent Whitchurch wrote: > > If the tpm_tis module is removed (or a system shutdown is triggered) > > while the tpmrm device is use, the kernel crashes due to chip->ops being > > NULL: > > > > # exec 3<>/dev/tpmrm0 > > # rmmod tpm_tis > > # exit > > ================================================================== > > BUG: KASAN: null-ptr-deref in tpm_chip_start+0x2d/0x120 [tpm] > > Read of size 8 at addr 0000000000000060 by task sh/994 > > > > Call Trace: > > kasan_report.cold.13+0x10f/0x111 > > tpm_chip_start+0x2d/0x120 [tpm] > > tpm2_del_space+0x2c/0xa0 [tpm] > > tpmrm_release+0x3f/0x50 [tpm] > > __fput+0x110/0x3c0 > > task_work_run+0x94/0xd0 > > do_exit+0x683/0x13e0 > > do_group_exit+0x8b/0x140 > > do_syscall_64+0x3c/0x80 > > ================================================================== > > > > Fix this by making tpm2_del_space() use tpm_try_get_ops(). The latter > > already includes the calls to tpm_chip_start() and tpm_chip_stop(). > > This lacks explanation why migrating to tpm_try_get_ops() fixes the > issue. Saying that doing something fixes something is not good enough > explanation. So, can you extend this paragraph just a bit in the next > version? Thank you for the review, but I see now that James already proposed a more-or-less identical fix earlier, so I'll let that patch run its due course: https://lore.kernel.org/linux-integrity/e7566e1e48f5be9dca034b4bfb67683b5d3cb88f.camel@HansenPartnership.com/ https://lore.kernel.org/linux-integrity/327f4c87-e652-6cbe-c624-16a6edf0c31d@kunbus.com/
On 6/15/21 05:14, Vincent Whitchurch wrote: > If the tpm_tis module is removed (or a system shutdown is triggered) > while the tpmrm device is use, the kernel crashes due to chip->ops being > NULL: > > # exec 3<>/dev/tpmrm0 > # rmmod tpm_tis > # exit > ================================================================== > BUG: KASAN: null-ptr-deref in tpm_chip_start+0x2d/0x120 [tpm] > Read of size 8 at addr 0000000000000060 by task sh/994 > > Call Trace: > kasan_report.cold.13+0x10f/0x111 > tpm_chip_start+0x2d/0x120 [tpm] > tpm2_del_space+0x2c/0xa0 [tpm] > tpmrm_release+0x3f/0x50 [tpm] > __fput+0x110/0x3c0 > task_work_run+0x94/0xd0 > do_exit+0x683/0x13e0 > do_group_exit+0x8b/0x140 > do_syscall_64+0x3c/0x80 > ================================================================== > > Fix this by making tpm2_del_space() use tpm_try_get_ops(). The latter > already includes the calls to tpm_chip_start() and tpm_chip_stop(). > > Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> As a follow-up to this message here: https://lkml.org/lkml/2022/3/1/552 Tested-by: Stefan Berger <stefanb@linux.ibm.com> > --- > drivers/char/tpm/tpm2-space.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c > index 784b8b3cb903..e1111261021f 100644 > --- a/drivers/char/tpm/tpm2-space.c > +++ b/drivers/char/tpm/tpm2-space.c > @@ -58,12 +58,10 @@ int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) > > void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) > { > - mutex_lock(&chip->tpm_mutex); > - if (!tpm_chip_start(chip)) { > + if (!tpm_try_get_ops(chip)) { > tpm2_flush_sessions(chip, space); > - tpm_chip_stop(chip); > + tpm_put_ops(chip); > } > - mutex_unlock(&chip->tpm_mutex); > kfree(space->context_buf); > kfree(space->session_buf); > }
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index 784b8b3cb903..e1111261021f 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -58,12 +58,10 @@ int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) { - mutex_lock(&chip->tpm_mutex); - if (!tpm_chip_start(chip)) { + if (!tpm_try_get_ops(chip)) { tpm2_flush_sessions(chip, space); - tpm_chip_stop(chip); + tpm_put_ops(chip); } - mutex_unlock(&chip->tpm_mutex); kfree(space->context_buf); kfree(space->session_buf); }
If the tpm_tis module is removed (or a system shutdown is triggered) while the tpmrm device is use, the kernel crashes due to chip->ops being NULL: # exec 3<>/dev/tpmrm0 # rmmod tpm_tis # exit ================================================================== BUG: KASAN: null-ptr-deref in tpm_chip_start+0x2d/0x120 [tpm] Read of size 8 at addr 0000000000000060 by task sh/994 Call Trace: kasan_report.cold.13+0x10f/0x111 tpm_chip_start+0x2d/0x120 [tpm] tpm2_del_space+0x2c/0xa0 [tpm] tpmrm_release+0x3f/0x50 [tpm] __fput+0x110/0x3c0 task_work_run+0x94/0xd0 do_exit+0x683/0x13e0 do_group_exit+0x8b/0x140 do_syscall_64+0x3c/0x80 ================================================================== Fix this by making tpm2_del_space() use tpm_try_get_ops(). The latter already includes the calls to tpm_chip_start() and tpm_chip_stop(). Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> --- drivers/char/tpm/tpm2-space.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)