[PATCH] tpm: Fix IRQ unwind ordering in TIS

[PATCH] tpm: Fix IRQ unwind ordering in TIS

[Jason Gunthorpe]

The devm for the IRQ was placed on the chip, not the pdev. This can
cause the irq to be still callable after the pdev has been cleaned up
(eg priv kfree'd).

Found by CONFIG_DEBUG_SHIRQ=y

Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by:  Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 drivers/char/tpm/tpm_tis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index a6b2d460bfc0..d88827046a42 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
 	intmask &= ~TPM_GLOBAL_INT_ENABLE;
 	iowrite32(intmask,
 		  priv->iobase + TPM_INT_ENABLE(priv->locality));
-	devm_free_irq(&chip->dev, priv->irq, chip);
+	devm_free_irq(chip->dev.parent, priv->irq, chip);
 	priv->irq = 0;
 	chip->flags &= ~TPM_CHIP_FLAG_IRQ;
 }
@@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
 	struct priv_data *priv = dev_get_drvdata(&chip->dev);
 	u8 original_int_vec;
 
-	if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
+	if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
 			     dev_name(&chip->dev), chip) != 0) {
 		dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
 			 irq);
-- 
2.1.4

Re: [PATCH] tpm: Fix IRQ unwind ordering in TIS

[Jarkko Sakkinen]

On Wed, 2016-04-27 at 10:58 -0600, Jason Gunthorpe wrote:
> The devm for the IRQ was placed on the chip, not the pdev. This can
> cause the irq to be still callable after the pdev has been cleaned up
> (eg priv kfree'd).
> 
> Found by CONFIG_DEBUG_SHIRQ=y
> 
> Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
> Tested-by:  Stefan Berger <stefanb@linux.vnet.ibm.com>

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

> ---
>  drivers/char/tpm/tpm_tis.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
> index a6b2d460bfc0..d88827046a42 100644
> --- a/drivers/char/tpm/tpm_tis.c
> +++ b/drivers/char/tpm/tpm_tis.c
> @@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
>  	intmask &= ~TPM_GLOBAL_INT_ENABLE;
>  	iowrite32(intmask,
>  		  priv->iobase + TPM_INT_ENABLE(priv->locality));
> -	devm_free_irq(&chip->dev, priv->irq, chip);
> +	devm_free_irq(chip->dev.parent, priv->irq, chip);
>  	priv->irq = 0;
>  	chip->flags &= ~TPM_CHIP_FLAG_IRQ;
>  }
> @@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32
> intmask,
>  	struct priv_data *priv = dev_get_drvdata(&chip->dev);
>  	u8 original_int_vec;
>  
> -	if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
> +	if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
>  			     dev_name(&chip->dev), chip) != 0) {
>  		dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
>  			 irq);

Re: [PATCH] tpm: Fix IRQ unwind ordering in TIS

[Jarkko Sakkinen]

On Thu, 2016-04-28 at 11:09 +0300, Jarkko Sakkinen wrote:
> On Wed, 2016-04-27 at 10:58 -0600, Jason Gunthorpe wrote:
> > 
> > The devm for the IRQ was placed on the chip, not the pdev. This can
> > cause the irq to be still callable after the pdev has been cleaned up
> > (eg priv kfree'd).
> >  
> > Found by CONFIG_DEBUG_SHIRQ=y
> >  
> > Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> > Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
> > Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
> > Tested-by:  Stefan Berger <stefanb@linux.vnet.ibm.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

And applied  and merged to next.

/Jarkko

> /Jarkko
> 
> > 
> > ---
> >  drivers/char/tpm/tpm_tis.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >  
> > diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
> > index a6b2d460bfc0..d88827046a42 100644
> > --- a/drivers/char/tpm/tpm_tis.c
> > +++ b/drivers/char/tpm/tpm_tis.c
> > @@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
> >  	intmask &= ~TPM_GLOBAL_INT_ENABLE;
> >  	iowrite32(intmask,
> >  		  priv->iobase + TPM_INT_ENABLE(priv->locality));
> > -	devm_free_irq(&chip->dev, priv->irq, chip);
> > +	devm_free_irq(chip->dev.parent, priv->irq, chip);
> >  	priv->irq = 0;
> >  	chip->flags &= ~TPM_CHIP_FLAG_IRQ;
> >  }
> > @@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32
> > intmask,
> >  	struct priv_data *priv = dev_get_drvdata(&chip->dev);
> >  	u8 original_int_vec;
> >  
> > -	if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
> > +	if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
> >  			     dev_name(&chip->dev), chip) != 0) {
> >  		dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
> >  			 irq);