releases/5.16.18/tpm-use-try_get_ops-in-tpm-space.c.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 Mon Sep 17 00:00:00 2001
 From: James Bottomley <James.Bottomley@HansenPartnership.com>
 Date: Mon, 7 Mar 2022 15:58:03 -0500
 Subject: tpm: use try_get_ops() in tpm-space.c

 From: James Bottomley <James.Bottomley@HansenPartnership.com>

 commit fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 upstream.

 As part of the series conversion to remove nested TPM operations:

 https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/

 exposure of the chip->tpm_mutex was removed from much of the upper
 level code.  In this conversion, tpm2_del_space() was missed.  This
 didn't matter much because it's usually called closely after a
 converted operation, so there's only a very tiny race window where the
 chip can be removed before the space flushing is done which causes a
 NULL deref on the mutex.  However, there are reports of this window
 being hit in practice, so fix this by converting tpm2_del_space() to
 use tpm_try_get_ops(), which performs all the teardown checks before
 acquring the mutex.

 Cc: stable@vger.kernel.org # 5.4.x
 Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
 Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/char/tpm/tpm2-space.c |    8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 --- a/drivers/char/tpm/tpm2-space.c
 +++ b/drivers/char/tpm/tpm2-space.c
 @@ -58,12 +58,12 @@ int tpm2_init_space(struct tpm_space *sp

  void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
  {
 -	mutex_lock(&chip->tpm_mutex);
 -	if (!tpm_chip_start(chip)) {
 +
 +	if (tpm_try_get_ops(chip) == 0) {
  		tpm2_flush_sessions(chip, space);
 -		tpm_chip_stop(chip);
 +		tpm_put_ops(chip);
  	}
 -	mutex_unlock(&chip->tpm_mutex);
 +
  	kfree(space->context_buf);
  	kfree(space->session_buf);
  }
	From fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 Mon Sep 17 00:00:00 2001
	From: James Bottomley <James.Bottomley@HansenPartnership.com>
	Date: Mon, 7 Mar 2022 15:58:03 -0500
	Subject: tpm: use try_get_ops() in tpm-space.c

	From: James Bottomley <James.Bottomley@HansenPartnership.com>

	commit fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 upstream.

	As part of the series conversion to remove nested TPM operations:

	https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/

	exposure of the chip->tpm_mutex was removed from much of the upper
	level code. In this conversion, tpm2_del_space() was missed. This
	didn't matter much because it's usually called closely after a
	converted operation, so there's only a very tiny race window where the
	chip can be removed before the space flushing is done which causes a
	NULL deref on the mutex. However, there are reports of this window
	being hit in practice, so fix this by converting tpm2_del_space() to
	use tpm_try_get_ops(), which performs all the teardown checks before
	acquring the mutex.

	Cc: stable@vger.kernel.org # 5.4.x
	Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
	Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
	Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/char/tpm/tpm2-space.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	--- a/drivers/char/tpm/tpm2-space.c
	+++ b/drivers/char/tpm/tpm2-space.c
	@@ -58,12 +58,12 @@ int tpm2_init_space(struct tpm_space *sp

	void tpm2_del_space(struct tpm_chip chip, struct tpm_space space)
	{
	- mutex_lock(&chip->tpm_mutex);
	- if (!tpm_chip_start(chip)) {
	+
	+ if (tpm_try_get_ops(chip) == 0) {
	tpm2_flush_sessions(chip, space);
	- tpm_chip_stop(chip);
	+ tpm_put_ops(chip);
	}
	- mutex_unlock(&chip->tpm_mutex);
	+
	kfree(space->context_buf);
	kfree(space->session_buf);
	}