tpm: Clean up TPM space after command failure

[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ]

tpm_dev_transmit prepares the TPM space before attempting command
transmission. However if the command fails no rollback of this
preparation is done. This can result in transient handles being leaked
if the device is subsequently closed with no further commands performed.

Fix this by flushing the space in the event of command transmission
failure.

Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
index b99e1941c52c98359863ed1bfb9c785ed22ceabe..fde81ecbd6a3bef5491ce4348c96ec8e3ed8860c 100644 (file)
--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -48,6 +48,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
 
        if (!ret)
                ret = tpm2_commit_space(chip, space, buf, &len);
+       else
+               tpm2_flush_space(chip);
 
 out_rc:
        return ret ? ret : len;

diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index ffb35f0154c16c463082962426dcc7bdaa4c3a38..c57404c6b98c9d32ced9aa2e16d13f20fab3bb65 100644 (file)
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -166,6 +166,9 @@ void tpm2_flush_space(struct tpm_chip *chip)
        struct tpm_space *space = &chip->work_space;
        int i;
 
+       if (!space)
+               return;
+
        for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
                if (space->context_tbl[i] && ~space->context_tbl[i])
                        tpm2_flush_context(chip, space->context_tbl[i]);