From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761752AbdADSom (ORCPT ); Wed, 4 Jan 2017 13:44:42 -0500 Received: from quartz.orcorp.ca ([184.70.90.242]:39597 "EHLO quartz.orcorp.ca" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750827AbdADSoa (ORCPT ); Wed, 4 Jan 2017 13:44:30 -0500 Date: Wed, 4 Jan 2017 11:44:22 -0700 From: Jason Gunthorpe To: Stefan Berger Cc: Jarkko Sakkinen , linux-security-module@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, open list Subject: Re: [tpmdd-devel] [PATCH RFC 2/4] tpm: validate TPM 2.0 commands Message-ID: <20170104184422.GA12283@obsidianresearch.com> References: <20170102132213.22880-1-jarkko.sakkinen@linux.intel.com> <20170102132213.22880-3-jarkko.sakkinen@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-Broken-Reverse-DNS: no host name found for IP address 10.0.0.156 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 04, 2017 at 01:04:59PM -0500, Stefan Berger wrote: > > @@ -943,7 +943,9 @@ EXPORT_SYMBOL_GPL(tpm2_probe); > > */ > > int tpm2_auto_startup(struct tpm_chip *chip) > > { > > + u32 nr_commands; > > int rc; > > + int i; > > > > rc = tpm_get_timeouts(chip); > > if (rc) > > @@ -967,8 +969,49 @@ int tpm2_auto_startup(struct tpm_chip *chip) > > } > > } > > > > + rc = tpm2_get_tpm_pt(chip, TPM_PT_TOTAL_COMMANDS, &nr_commands, > NULL); > > + if (rc) > > + return rc; > > + > > + chip->cc_attrs_tbl = devm_kzalloc(&chip->dev, 4 * nr_commands, > > + GFP_KERNEL); > For some reason this devm_kzalloc bombs for the vtpm proxy driver. The > only reason I could come up with is that it's being called before > tpm_add_char_device() has been called. It would also fail if nr_commands is wrong, and this should be one of the array safe allocation functions since nr_command is data from the TPM... Jason