From: Christophe Ricard Date: Mon, 1 Dec 2014 18:32:46 +0000 (+0100) Subject: tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send X-Git-Tag: firefly_0821_release~176^2~2350^2~45 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=1ba3b0b6f218072afe8372d12f1b6bf26a26008e;p=firefly-linux-kernel-4.4.55.git tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send When sending data in tpm_stm_i2c_send, each loop iteration send buf. Send buf + i instead as the goal of this for loop is to send a number of byte from buf that fit in burstcnt. Once those byte are sent, we are supposed to send the next ones. The driver was working because the burstcount value returns always the maximum size for a TPM command or response. (0x800 for a command and 0x400 for a response). Cc: stable@vger.kernel.org Reviewed-by: Jason Gunthorpe Signed-off-by: Christophe Ricard Signed-off-by: Peter Huewe --- diff --git a/drivers/char/tpm/tpm_i2c_stm_st33.c b/drivers/char/tpm/tpm_i2c_stm_st33.c index 5271b75d7661..d2031c43caa1 100644 --- a/drivers/char/tpm/tpm_i2c_stm_st33.c +++ b/drivers/char/tpm/tpm_i2c_stm_st33.c @@ -487,7 +487,7 @@ static int tpm_stm_i2c_send(struct tpm_chip *chip, unsigned char *buf, if (burstcnt < 0) return burstcnt; size = min_t(int, len - i - 1, burstcnt); - ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size); + ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size); if (ret < 0) goto out_err;