From patchwork Fri Feb 12 23:19:12 2016
X-Patchwork-Submitter: Jason Gunthorpe
X-Patchwork-Id: 582322
Date: Fri, 12 Feb 2016 16:19:12 -0700
From: Jason Gunthorpe
To: Stefan Berger
Message-ID: <20160212231912.GA7034@obsidianresearch.com>
Cc: dhowells@redhat.com, tpmdd-devel@lists.sourceforge.net, dwmw2@infradead.org
Subject: Re: [tpmdd-devel] [PATCH v5 4/5] Initialize TPM and get durations and timeouts

On Fri, Feb 12, 2016 at 05:47:11PM -0500, Stefan Berger wrote:

> Also I am zeroing tpm_chip and vtpm_dev structures before the free.
> Nothing bad happens in any combination of device opening / closing
> tests I did.

That won't help detect use after free.

You won't be able to find this with open/close testing, an RPC has to be done on /dev/tpmX at the right time, and even if there is some tricky reason why cdev works, kapi doesn't have any protection.

Try this, let's make the use-after-free into a null-pointer-deref. Much easier to spot.

--- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -305,6 +305,8 @@ void tpm_chip_unregister(struct tpm_chip *chip) sysfs_remove_link(&chip->pdev->kobj, "ppi"); tpm1_chip_unregister(chip); + chip->priv = NULL; + chip->ops = NULL; tpm_dev_del_device(chip); } EXPORT_SYMBOL_GPL(tpm_chip_unregister);
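Review bot: The two stores `chip->priv = NULL;` and `chip->ops = NULL;` in tpm_chip_unregister() are plain assignments placed before `tpm_dev_del_device(chip);`, and nothing in the hunk serializes them against a caller that has already loaded `chip->ops` or is about to. As a debugging aid that is the point, since a late user then faults on NULL instead of touching freed memory, but the hunk carries no comment saying these lines are diagnostic only. Please add a one-line comment to that effect, or, if the assignments are meant to stay, pair them with a lock and a NULL check of `chip->ops` on the cdev and in-kernel API paths so that an in-flight request fails cleanly rather than oopsing.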