tpm: Clean up TPM space after command failure

[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ]

tpm_dev_transmit prepares the TPM space before attempting command
transmission. However if the command fails no rollback of this
preparation is done. This can result in transient handles being leaked
if the device is subsequently closed with no further commands performed.

Fix this by flushing the space in the event of command transmission
failure.

Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
index dc4c0a0a512903235d9c580789cf2c74453ad5c0..56e56a09cc9051fac37e6fbf517604b6d8630ce6 100644 (file)
--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -47,6 +47,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
 
        if (!ret)
                ret = tpm2_commit_space(chip, space, buf, &len);
+       else
+               tpm2_flush_space(chip);
 
 out_rc:
        return ret ? ret : len;

diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index ffb35f0154c16c463082962426dcc7bdaa4c3a38..c57404c6b98c9d32ced9aa2e16d13f20fab3bb65 100644 (file)
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -166,6 +166,9 @@ void tpm2_flush_space(struct tpm_chip *chip)
        struct tpm_space *space = &chip->work_space;
        int i;
 
+       if (!space)
+               return;
+
        for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
                if (space->context_tbl[i] && ~space->context_tbl[i])
                        tpm2_flush_context(chip, space->context_tbl[i]);