On Fri, Feb 12, 2016 at 03:31:13PM -0500, Stefan Berger wrote:

>    Where is the race? I tested the following:
>    The tpm_vtpm module use counter increases with every server file
>    descriptor being handed out, so every run of ./vtpmctrl increases it by
>    1.
>    Every opening of /dev/tpm%d (exec 1XY<>/dev/tpm%d) increases the
>    tpm_vtpm module use counter also by 1.
>    If the vtpmctrl's die, the module use counter decreases for every
>    vtpmctrl terminating. However, the use counter is still at the number of
>    open /dev/tpm%d devices.
>    vtpm_dev and chip structures only get freed once the file descriptor
>    is closed. So it looks like expected good behavior to me. We cannot
>    remove the 'backend' module following the usage counter increase, so
>    this is good too.

We don't expect tpm_chip_unregister to run concurrently with any
in-progress operation, that isn't properly synchronized.

So your driver will call tpm_chip_unregister and then put_device its
structure, but the tpm_chip is still active and could still generate a
callback to vtpm code resulting in use-after-free.

Jason
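The ordering hazard Jason describes, as an added userspace model that is not kernel, tpm core or vtpm code: a backend registers callbacks with a chip core, the core may still be inside an operation when the backend unregisters and drops its own reference, and the callback then lands on released memory. The `struct chip`, `chip_op_begin`/`chip_op_run`/`chip_op_end`, `chip_unregister` and `backend_release` names are all hypothetical; the chip core's in-flight counter stands in for whatever the real core would use to make unregister wait, and an `alive` flag stands in for the freed memory so the use-after-free is reported instead of crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Backend-private data.  'alive' models "not yet freed"; in a real driver
 * the callback would dereference freed memory instead of seeing a flag. */
struct backend_priv {
    bool alive;
    int sends;
};

struct backend_ops {
    int (*send)(struct backend_priv *priv, const unsigned char *buf, size_t len);
};

/* Chip core state (hypothetical): the registered ops, the backend's private
 * pointer, and how many operations are currently inside the callbacks. */
struct chip {
    const struct backend_ops *ops;  /* NULL once unregistered */
    struct backend_priv *priv;
    int inflight;
};

static int backend_send(struct backend_priv *priv, const unsigned char *buf, size_t len)
{
    (void)buf; (void)len;
    if (!priv->alive)
        return -EFAULT;             /* the modelled use-after-free */
    priv->sends++;
    return 0;
}

static const struct backend_ops vtpm_like_ops = { .send = backend_send };

/* Core side: an operation is refused once ops is gone, otherwise it is
 * counted as in flight until chip_op_end(). */
static int chip_op_begin(struct chip *c)
{
    if (!c->ops)
        return -ENODEV;
    c->inflight++;
    return 0;
}

static int chip_op_run(struct chip *c, const unsigned char *buf, size_t len)
{
    return c->ops->send(c->priv, buf, len);
}

static void chip_op_end(struct chip *c) { c->inflight--; }

/* Synchronized unregister: refuse (a kernel core would block) while any
 * operation is in flight, then detach ops so no new operation can start. */
static int chip_unregister(struct chip *c)
{
    if (c->inflight)
        return -EBUSY;
    c->ops = NULL;
    c->priv = NULL;
    return 0;
}

/* The driver's final put_device: its private data goes away. */
static void backend_release(struct backend_priv *p) { p->alive = false; }

/* Constructed command bytes; contents are irrelevant to the model. */
static const unsigned char cmd[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0c };

/* Interleaving from the thread: an operation is in flight, the driver
 * unregisters without waiting and drops its reference, the core then calls
 * back into the released backend.  Returns -EFAULT. */
int scenario_unsynchronized(void)
{
    struct backend_priv priv = { .alive = true };
    struct chip c = { .ops = &vtpm_like_ops, .priv = &priv };
    int rc;

    chip_op_begin(&c);                      /* core: operation starts */
    backend_release(&priv);                 /* driver: unregister + put, no wait */
    rc = chip_op_run(&c, cmd, sizeof cmd);  /* core: callback into freed data */
    chip_op_end(&c);
    return rc;
}

/* Same sequence with unregister synchronized against in-flight operations:
 * the release only happens once nothing can reach priv, and a later
 * operation is refused with -ENODEV rather than reaching freed memory. */
int scenario_synchronized(void)
{
    struct backend_priv priv = { .alive = true };
    struct chip c = { .ops = &vtpm_like_ops, .priv = &priv };
    int rc;

    chip_op_begin(&c);
    if (chip_unregister(&c) == -EBUSY) {    /* must let the op drain first */
        rc = chip_op_run(&c, cmd, sizeof cmd);
        chip_op_end(&c);
        if (rc)
            return rc;
    }
    if (chip_unregister(&c))                /* now succeeds: ops detached */
        return -EIO;
    backend_release(&priv);                 /* safe: no callback can follow */
    return chip_op_begin(&c);
}

int main(void)
{
    printf("unsynchronized: %d (expect %d)\n", scenario_unsynchronized(), -EFAULT);
    printf("synchronized:   %d (expect %d)\n", scenario_synchronized(), -ENODEV);
    return 0;
}
```

The point of the two scenarios is the order of the three events, not the data structures: the backend's private data may only be released after the core has both stopped admitting new operations and drained the ones already inside the callbacks.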

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
