From patchwork Thu Feb 4 23:50:43 2021
X-Patchwork-Submitter: Lino Sanfilippo
X-Patchwork-Id: 376851
From: Lino Sanfilippo
To: peterhuewe@gmx.de, jarkko@kernel.org
Cc: jgg@ziepe.ca, stefanb@linux.vnet.ibm.com, James.Bottomley@hansenpartnership.com, stable@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, LinoSanfilippo@gmx.de, Lino Sanfilippo
Subject: [PATCH v3 2/2] tpm: in tpm2_del_space check if ops pointer is still valid
Date: Fri, 5 Feb 2021 00:50:43 +0100
Message-Id: <1612482643-11796-3-git-send-email-LinoSanfilippo@gmx.de>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1612482643-11796-1-git-send-email-LinoSanfilippo@gmx.de>
References: <1612482643-11796-1-git-send-email-LinoSanfilippo@gmx.de>
X-Mailing-List: stable@vger.kernel.org
From: Lino Sanfilippo In tpm2_del_space() chip->ops is used for flushing the sessions. However this function may be called after tpm_chip_unregister() which sets the chip->ops pointer to NULL. Avoid a possible NULL pointer dereference by checking if chip->ops is still valid before accessing it. Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") Signed-off-by: Lino Sanfilippo Tested-by: Lino Sanfilippo --- drivers/char/tpm/tpm2-space.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index 784b8b3..9a29a40 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -58,12 +58,17 @@ int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) { - mutex_lock(&chip->tpm_mutex); - if (!tpm_chip_start(chip)) { - tpm2_flush_sessions(chip, space); - tpm_chip_stop(chip); + down_read(&chip->ops_sem); + if (chip->ops) { + mutex_lock(&chip->tpm_mutex); + if (!tpm_chip_start(chip)) { + tpm2_flush_sessions(chip, space); + tpm_chip_stop(chip); + } + mutex_unlock(&chip->tpm_mutex); } - mutex_unlock(&chip->tpm_mutex); + up_read(&chip->ops_sem); + kfree(space->context_buf); kfree(space->session_buf); }
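Review bot: In tpm2_del_space() the acquire sequence down_read(&chip->ops_sem), if (chip->ops), mutex_lock(&chip->tpm_mutex), tpm_chip_start(chip) and its matching release are open-coded, so the lock order and the NULL check now have to be kept in sync by hand with every other path that takes ops_sem. Consider whether the TPM core's tpm_try_get_ops()/tpm_put_ops() pair can be used around tpm2_flush_sessions() instead. If the open-coded form stays, add a short comment above the chip->ops check saying that tpm_chip_unregister() may already have set the pointer to NULL, because at the moment only the commit message records why the check exists. Note also that when chip->ops is NULL or tpm_chip_start() fails, the sessions are silently left unflushed and only the buffers are freed; a comment stating that this is intended would help the next reader.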