From: Jarkko Sakkinen <jarkko@kernel.org>
To: Gunnar Kudrjavets <gunnarku@amazon.com>
Cc: peterhuewe@gmx.de, jgg@ziepe.ca, kyarlagadda@nvidia.com,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
Justinien Bouron <jbouron@amazon.com>
Subject: Re: [PATCH] tpm_tis: Fix undefined behavior in tpm_tis_spi_transfer_half()
Date: Thu, 18 Sep 2025 18:54:07 +0300
Message-ID: <aMwrH5dWQo9nG1D7@kernel.org>
In-Reply-To: <20250917153022.18567-1-gunnarku@amazon.com>

On Wed, Sep 17, 2025 at 03:29:56PM +0000, Gunnar Kudrjavets wrote:
> When len is 0, the while loop in tpm_tis_spi_transfer_half() never
> executes, leaving ret uninitialized. This will lead to undefined
> behavior when the function returns.
>
> The issue was introduced when tpm_tis_spi_transfer() was refactored
> to call tpm_tis_spi_transfer_half() or tpm_tis_spi_transfer_full().
> While ret is properly initialized in tpm_tis_spi_transfer_full(), it
> was missed in tpm_tis_spi_transfer_half().
>
> Initialize ret to 0 at the beginning of the function to ensure
> defined behavior in all code paths.
>
> Found by GCC 14.2.0 static analyzer with -fanalyzer.
>
> Fixes: a86a42ac2bd6 ("tpm_tis_spi: Add hardware wait polling")
> Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
> Reviewed-by: Justinien Bouron <jbouron@amazon.com>
> ---
> drivers/char/tpm/tpm_tis_spi_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c
> index 61b42c83ced8..1b6d79662ca1 100644
> --- a/drivers/char/tpm/tpm_tis_spi_main.c
> +++ b/drivers/char/tpm/tpm_tis_spi_main.c
> @@ -85,7 +85,7 @@ static int tpm_tis_spi_transfer_half(struct tpm_tis_data *data, u32 addr,
> struct spi_transfer spi_xfer[3];
> struct spi_message m;
> u8 transfer_len;
> - int ret;
> + int ret = 0;
>
> while (len) {
> transfer_len = min_t(u16, len, MAX_SPI_FRAMESIZE);
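Review bot: with `int ret = 0;` a call where len is 0 skips `while (len)` entirely and reports success without any SPI transfer having been attempted, and the commit message does not say that success is the intended result for a zero-length request. If it is, a short comment at the declaration or a sentence in the changelog would record that; if it is not, an explicit check before the loop that returns an error for len == 0 makes the contract visible. A blanket initializer at the declaration also silences the compiler and -fanalyzer for any path added later that forgets to set ret, so an explicit early return keeps that diagnostic available.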
>
> base-commit: 5aca7966d2a7255ba92fd5e63268dd767b223aa5
> --
> 2.47.3
>
Thank you.
I just applied the earlier fix, and I'll apply this too (before next
PR).
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko