From patchwork Thu Nov 5 10:20:21 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jarkko Sakkinen X-Patchwork-Id: 540326 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 293241413E0 for ; Thu, 5 Nov 2015 21:20:52 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1ZuHez-0001b8-2Y; Thu, 05 Nov 2015 10:20:49 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1ZuHex-0001b3-FY for tpmdd-devel@lists.sourceforge.net; Thu, 05 Nov 2015 10:20:47 +0000 X-ACL-Warn: Received: from mga14.intel.com ([192.55.52.115]) by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1ZuHev-0001K0-Fp for tpmdd-devel@lists.sourceforge.net; Thu, 05 Nov 2015 10:20:47 +0000 Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga103.fm.intel.com with ESMTP; 05 Nov 2015 02:20:39 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,247,1444719600"; d="scan'208";a="594454130" Received: from bdrobeso-mobl3.amr.corp.intel.com (HELO localhost) ([10.252.2.220]) by FMSMGA003.fm.intel.com with ESMTP; 05 Nov 2015 02:20:32 -0800 From: Jarkko Sakkinen To: Peter Huewe , Marcel Selhorst Date: Thu, 5 Nov 2015 12:20:21 +0200 Message-Id: <1446718824-5249-2-git-send-email-jarkko.sakkinen@linux.intel.com> X-Mailer: git-send-email 2.5.0 In-Reply-To: <1446718824-5249-1-git-send-email-jarkko.sakkinen@linux.intel.com> References: <1446718824-5249-1-git-send-email-jarkko.sakkinen@linux.intel.com> X-Spam-Score: -0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1ZuHev-0001K0-Fp Cc: open list , "moderated list:TPM DEVICE DRIVER" , Christophe JAILLET Subject: [tpmdd-devel] [PATCH 1/3] TPM: Avoid reference to potentially freed memory X-BeenThere: tpmdd-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Tpm Device Driver maintainance List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: tpmdd-devel-bounces@lists.sourceforge.net From: Christophe JAILLET Reference to the 'np' node is dropped before dereferencing the 'sizep' and 'basep' pointers, which could by then point to junk if the node has been freed. Refactor code to call 'of_node_put' later. Fixes: c5df39262dd5 ("drivers/char/tpm: Add securityfs support for event log") Signed-off-by: Christophe JAILLET Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm_of.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 1141456..570f30c 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log) goto cleanup_eio; } - of_node_put(np); log->bios_event_log = kmalloc(*sizep, GFP_KERNEL); if (!log->bios_event_log) { pr_err("%s: ERROR - Not enough memory for BIOS measurements\n", __func__); + of_node_put(np); return -ENOMEM; } log->bios_event_log_end = log->bios_event_log + *sizep; memcpy(log->bios_event_log, __va(*basep), *sizep); + of_node_put(np); return 0;