On Fri, Feb 05, 2021 at 04:50:13PM +0100, Lino Sanfilippo wrote:
>
> On 05.02.21 16:15, Jason Gunthorpe wrote:
> >
> > No, the cdev layer holds the refcount on the device while open is
> > being called.
>
> Yes, but the reference that is responsible for the chip deallocation is chip->dev
> which is linked to chip->cdev and represents /dev/tpm, not /dev/tpmrm.
> You are right, we don't have the issue with /dev/tpm for the reason you mentioned.
> But /dev/tpmrm is represented by chip->cdevs and keeping this ref held by the cdev
> layer won't protect us from the chip being freed (which is the reason why we need
> the chip->dev reference in the first place).

No, they are all chained together because they are all in the same struct:

struct tpm_chip {
	struct device dev;
	struct device devs;
	struct cdev cdev;
	struct cdev cdevs;

dev holds the refcount on memory, when it goes 0 the whole thing is kfreed.

The rule is dev's refcount can't go to zero while any other refcount is != 0.

For instance devs holds a get on dev that is put back only when devs goes to 0:

static void tpm_devs_release(struct device *dev)
{
	struct tpm_chip *chip = container_of(dev, struct tpm_chip, devs);

	/* release the master device reference */
	put_device(&chip->dev);
}

Both cdev elements do something similar inside the cdev layer.

The net result is during any open() the tpm_chip is guaranteed to have a positive refcount.

Jason
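The refcount chain described in the message, as an added userspace model that is not kernel code and not from the thread: struct device, get_device, put_device and container_of are constructed stand-ins for the kernel's, the cdev members are left out, and chips_freed is a constructed counter that records when the master release ran.

```c
#include <stdlib.h>
#include <stddef.h>
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct device { int refcount; void (*release)(struct device *); };
struct tpm_chip {
    struct device dev;   /* master: its release frees the whole chip */
    struct device devs;  /* /dev/tpmrm: holds a get on dev while it lives */
};
static int chips_freed; /* times the master release ran (constructed) */
static void get_device(struct device *d) { d->refcount++; }
static void put_device(struct device *d)
{
    if (--d->refcount == 0)
        d->release(d);
}
static void tpm_dev_release(struct device *d)
{
    struct tpm_chip *chip = container_of(d, struct tpm_chip, dev);
    chips_freed++;
    free(chip);
}
static void tpm_devs_release(struct device *d)
{
    struct tpm_chip *chip = container_of(d, struct tpm_chip, devs);
    put_device(&chip->dev); /* release the master device reference */
}
static struct tpm_chip *tpm_chip_alloc(void)
{
    struct tpm_chip *chip = calloc(1, sizeof(*chip));
    chip->dev.refcount = 1;  chip->dev.release = tpm_dev_release;
    chip->devs.refcount = 1; chip->devs.release = tpm_devs_release;
    get_device(&chip->dev);  /* devs' get on dev, put back in tpm_devs_release */
    return chip;
}
/* Driver unregisters while an open() on /dev/tpmrm still holds devs.
 * Returns 1 if the chip stayed alive until that open's put, then was freed. */
int simulate_open_during_unregister(void)
{
    struct tpm_chip *chip = tpm_chip_alloc();
    int alive_during_open;
    chips_freed = 0;
    get_device(&chip->devs); /* open() of /dev/tpmrm takes a devs reference */
    put_device(&chip->dev);  /* driver drops its master reference */
    put_device(&chip->devs); /* driver drops its devs reference */
    alive_during_open = (chips_freed == 0 && chip->dev.refcount == 1);
    put_device(&chip->devs); /* release() of the open file: devs -> 0 -> dev -> 0 */
    return alive_during_open && chips_freed == 1;
}
```

The last put on devs is what finally lets dev reach zero, which is the ordering the message relies on.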