On Wed, Apr 08, 2026 at 04:43:37PM +0000, Gunnar Kudrjavets wrote:
> tpm2_read_public() calls tpm_buf_init() but fails to call
> tpm_buf_destroy() on two exit paths, leaking a page allocation:
>
> 1. When name_size() returns an error (unrecognized hash algorithm),
> the function returns directly without destroying the buffer.
>
> 2. On the success path, the buffer is never destroyed before
> returning.
>
> All other error paths in the function correctly call
> tpm_buf_destroy() before returning.
>
> Fix both by adding the missing tpm_buf_destroy() calls.
>
> Fixes: bda1cbf73c6e ("tpm2-sessions: Fix tpm2_read_public range checks")
> Signed-off-by: Gunnar Kudrjavets <[email protected]>
> Reviewed-by: Justinien Bouron <[email protected]>
> ---
> drivers/char/tpm/tpm2-sessions.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/char/tpm/tpm2-sessions.c
> b/drivers/char/tpm/tpm2-sessions.c
> index 09df6353ef04..f7c6c043fef4 100644
> --- a/drivers/char/tpm/tpm2-sessions.c
> +++ b/drivers/char/tpm/tpm2-sessions.c
> @@ -203,8 +203,10 @@ static int tpm2_read_public(struct tpm_chip *chip, u32
> handle, void *name)
> rc = tpm_buf_read_u16(&buf, &offset);
> name_size_alg = name_size(&buf.data[offset]);
>
> - if (name_size_alg < 0)
> + if (name_size_alg < 0) {
> + tpm_buf_destroy(&buf);
> return name_size_alg;
> + }
>
> if (rc != name_size_alg) {
> tpm_buf_destroy(&buf);
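
Review bot: The name_size_alg < 0 branch now carries its own tpm_buf_destroy(&buf) directly above the identical call in the rc != name_size_alg branch, so the cleanup is still repeated per exit. A single exit label would be more robust here: set the return value, "goto out;", and have "out:" do the tpm_buf_destroy(&buf) once before returning. A return added to this function later then cannot skip the free the way these two paths did.
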
> @@ -217,6 +219,7 @@ static int tpm2_read_public(struct tpm_chip *chip, u32
> handle, void *name)
> }
>
> memcpy(name, &buf.data[offset], rc);
> + tpm_buf_destroy(&buf);
> return name_size_alg;
> }
> #endif /* CONFIG_TCG_TPM2_HMAC */
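
Review bot: On the success path the memcpy() writes rc bytes into "name", which the signature in the hunk header shows only as a bare "void *name" with no length, so nothing here states how large the caller's buffer must be. The placement of tpm_buf_destroy(&buf) after the memcpy() is right, since the copy reads from buf.data. While touching this return, consider adding a short comment above the function documenting the minimum size of "name" and that the return value is the number of bytes written.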
>
> base-commit: 03e5553f5fb99cb47c315e167a604a9c69e6f724
> --
> 2.47.3
>
Reviewed-by: Jarkko Sakkinen <[email protected]>
Applied.
BR, Jarkko