[Vivid] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma

Message ID 1423864643-7318-1-git-send-email-chris.j.arges@canonical.com
State New

Commit Message

Chris J Arges Feb. 13, 2015, 9:57 p.m. UTC
From: "Hon Ching (Vicky) Lo" <honclo@linux.vnet.ibm.com>

There was an oops in tpm_ibmvtpm_get_desired_dma, which caused
kernel panic during boot when vTPM is enabled in Power partition
configured in AMS mode.

vio_bus_probe calls vio_cmo_bus_probe which calls
tpm_ibmvtpm_get_desired_dma to get the size needed for DMA allocation.
The problem is, vio_cmo_bus_probe is called before calling probe, which
for vtpm is tpm_ibmvtpm_probe and it's this function that initializes
and sets up vtpm's CRQ and gets required data values.  Therefore,
since this has not yet been done, NULL is returned in attempt to get
the size for DMA allocation.

We added a NULL check.  In addition, a default buffer size will
be set when NULL is returned.

Cc: <stable@vger.kernel.org>
Signed-off-by: Hon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
(cherry picked from commit 84eb186bc37c0900b53077ca21cf6dd15823a232)
Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
---
 drivers/char/tpm/tpm_ibmvtpm.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Stefan Bader Feb. 16, 2015, 9:23 a.m. UTC | #1
Looks safe.

Leann Ogasawara Feb. 18, 2015, 3:36 a.m. UTC | #2
Applied to Vivid master-next and unstable branches.

Thanks,
Leann

On Fri, 2015-02-13 at 15:57 -0600, Chris J Arges wrote:
> From: "Hon Ching (Vicky) Lo" <honclo@linux.vnet.ibm.com>
> 
> There was an oops in tpm_ibmvtpm_get_desired_dma, which caused
> kernel panic during boot when vTPM is enabled in Power partition
> configured in AMS mode.
> 
> vio_bus_probe calls vio_cmo_bus_probe which calls
> tpm_ibmvtpm_get_desired_dma to get the size needed for DMA allocation.
> The problem is, vio_cmo_bus_probe is called before calling probe, which
> for vtpm is tpm_ibmvtpm_probe and it's this function that initializes
> and sets up vtpm's CRQ and gets required data values.  Therefore,
> since this has not yet been done, NULL is returned in attempt to get
> the size for DMA allocation.
> 
> We added a NULL check.  In addition, a default buffer size will
> be set when NULL is returned.
> 
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Hon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
> Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
> (cherry picked from commit 84eb186bc37c0900b53077ca21cf6dd15823a232)
> Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
> ---
>  drivers/char/tpm/tpm_ibmvtpm.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
> index af74c57..4109222 100644
> --- a/drivers/char/tpm/tpm_ibmvtpm.c
> +++ b/drivers/char/tpm/tpm_ibmvtpm.c
> @@ -307,6 +307,14 @@ static int tpm_ibmvtpm_remove(struct vio_dev *vdev)
>  static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev)
>  {
>  	struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev);
> +
> +	/* ibmvtpm initializes at probe time, so the data we are
> +	* asking for may not be set yet. Estimate that 4K required
> +	* for TCE-mapped buffer in addition to CRQ.
> +	*/
> +	if (!ibmvtpm)
> +		return CRQ_RES_BUF_SIZE + PAGE_SIZE;
> +
>  	return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size;
>  }
>  
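Review bot: The added comment says "Estimate that 4K required", but the fallback branch returns CRQ_RES_BUF_SIZE + PAGE_SIZE, and PAGE_SIZE is not 4K on every kernel configuration. Either word the comment as "one page" or use an explicit 4K constant in the return, so the comment and the value handed back for the DMA estimate agree.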
> -- 
> 1.9.1
> 
>
Patch

diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
index af74c57..4109222 100644
--- a/drivers/char/tpm/tpm_ibmvtpm.c
+++ b/drivers/char/tpm/tpm_ibmvtpm.c
@@ -307,6 +307,14 @@  static int tpm_ibmvtpm_remove(struct vio_dev *vdev)
 static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev)
 {
 	struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev);
+
+	/* ibmvtpm initializes at probe time, so the data we are
+	* asking for may not be set yet. Estimate that 4K required
+	* for TCE-mapped buffer in addition to CRQ.
+	*/
+	if (!ibmvtpm)
+		return CRQ_RES_BUF_SIZE + PAGE_SIZE;
+
 	return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size;
 }
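Review bot: The continuation lines of the new block comment in tpm_ibmvtpm_get_desired_dma put the "*" directly under the "/" of the opening "/*"; kernel multi-line comments indent those lines by one space so the asterisks line up. While touching the comment, it would help to state whether this early estimate is revisited once tpm_ibmvtpm_probe has set rtce_size, since the hunk only shows the fallback being returned when ibmvtpm is NULL.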