Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1fbc5e95 authored by Kent Yoder's avatar Kent Yoder
Browse files

tpm_i2c_stm_st33: fix oops when i2c client is unavailable 



When no i2c bus exists, user-space can cause an oops by triggering a
device probe through a message sent to an i2c "new_device" sysfs entry.
Adding a check for a NULL i2c client structure in the probe function
closes the hole.

This patch also fixes accessing the NULL client struct in the print
function call reporting the error.

Reported-by: default avatarPeter Hüwe <PeterHuewe@gmx.de>
Signed-off-by: default avatarKent Yoder <key@linux.vnet.ibm.com>
parent d4593353

drivers/char/tpm/tpm_i2c_stm_st33.c

+11 −5
Original line number Diff line number Diff line
@@ -658,7 +658,8 @@ tpm_st33_i2c_probe(struct i2c_client *client, const struct i2c_device_id *id) 
	err = 0;



	if (client == NULL) {

		dev_info(&client->dev, "client is NULL. exiting.\n");

		pr_info("%s: i2c client is NULL. Device not accessible.\n",

			__func__);

		err = -ENODEV;

		goto end;

	}
@@ -677,6 +678,13 @@ tpm_st33_i2c_probe(struct i2c_client *client, const struct i2c_device_id *id) 
	}



	platform_data = client->dev.platform_data;



	if (!platform_data) {

		dev_info(&client->dev, "chip not available\n");

		err = -ENODEV;

		goto _tpm_clean_answer;

	}



	platform_data->tpm_i2c_buffer[0] =

	    kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);

	if (platform_data->tpm_i2c_buffer[0] == NULL) {
@@ -759,7 +767,6 @@ tpm_st33_i2c_probe(struct i2c_client *client, const struct i2c_device_id *id) 
	tpm_get_timeouts(chip);



	i2c_set_clientdata(client, chip);

	platform_data->bChipF = false;



	dev_info(chip->dev, "TPM I2C Initialized\n");

	return 0;
@@ -779,7 +786,6 @@ tpm_st33_i2c_probe(struct i2c_client *client, const struct i2c_device_id *id) 
	platform_data->tpm_i2c_buffer[0] = NULL;

_tpm_clean_answer:

	tpm_remove_hardware(chip->dev);

	platform_data->bChipF = true;

end:

	pr_info("TPM I2C initialisation fail\n");

	return err;
@@ -803,8 +809,8 @@ static __devexit int tpm_st33_i2c_remove(struct i2c_client *client) 
		gpio_free(pin_infos->io_serirq);

		gpio_free(pin_infos->io_lpcpd);



		if (pin_infos->bChipF != true)

		tpm_remove_hardware(chip->dev);



		if (pin_infos->tpm_i2c_buffer[1] != NULL) {

			kzfree(pin_infos->tpm_i2c_buffer[1]);

			pin_infos->tpm_i2c_buffer[1] = NULL;

drivers/char/tpm/tpm_i2c_stm_st33.h

+0 −1
Original line number Diff line number Diff line
@@ -53,7 +53,6 @@ struct st33zp24_platform_data { 
	int io_serirq;

	int io_lpcpd;

	struct i2c_client *client;

	bool bChipF;

	u8 *tpm_i2c_buffer[2]; /* 0 Request 1 Response */

	struct completion irq_detection;

	struct mutex lock;