Jason Gunthorpe <[email protected]> wrote on 02/12/2016
03:39:56 PM:
>
> On Fri, Feb 12, 2016 at 03:31:13PM -0500, Stefan Berger wrote:
>
> > Where is the race? I tested the following:
> > The tpm_vtpm module use counter increases with every server file
> > descriptor being handed out, so every run of ./vtpmctrl increases
it by
> > 1.
> > Every opening of /dev/tpm%d (exec 1XY<>/dev/tpm%d) increases the
> > tpm_vtpm module use counter also by 1.
> > If the vtpmctrl's die, the module use counter decreases for every
> > vtpmctrl termiating. However, the use counter is still at the
number of
> > open /dev/tpm%d devices.
> > vtpm_dev and chip structures only get free'd once the file
descriptor
> > is close. So it looks like expected good behavior to me. We cannot
> > remove the 'backend' module following the usage counter increase,
so
> > this is good too.
>
> We don't expect tpm_chip_unregister to run concurrently with any
> in-progress operation, that isn't properly synchronized.
>
> So your driver will call tpm_chip_unregister and then put_device it's
> structure, but the tpm_chip is still active and could still generate a
> callback to vtpm code resulting in use-after-free.
What I observed is that both tpm_chip and vtpm_dev structures are freed
once the last one of two sides (/dev/tpmX or server side file descriptor)
closes. Closing means there's no more code being executed by an
application. So how can we have something still executing in the driver
when both sides closed?
Stefan
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
