[3.13.y-ckt stable] Patch "tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Mar 31 18:45:28 UTC 2015

This is a note to let you know that I have just added a patch titled

    tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree 
which can be found at:


This patch is scheduled to be released in version 3.13.11-ckt18.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y-ckt tree, see



>From 78f9e166a642468a7c525481b76c6337369574ed Mon Sep 17 00:00:00 2001
From: Christophe Ricard <christophe.ricard at gmail.com>
Date: Mon, 1 Dec 2014 19:32:46 +0100
Subject: tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send

commit 1ba3b0b6f218072afe8372d12f1b6bf26a26008e upstream.

When sending data in tpm_stm_i2c_send, each loop iteration send buf.
Send buf + i instead as the goal of this for loop is to send a number
of byte from buf that fit in burstcnt. Once those byte are sent, we are
supposed to send the next ones.

The driver was working because the burstcount value returns always the maximum size for a TPM
command or response. (0x800 for a command and 0x400 for a response).

Reviewed-by: Jason Gunthorpe <jgunthorpe at obsidianresearch.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard at st.com>
Signed-off-by: Peter Huewe <peterhuewe at gmx.de>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 drivers/char/tpm/tpm_i2c_stm_st33.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_i2c_stm_st33.c b/drivers/char/tpm/tpm_i2c_stm_st33.c
index b2cb24c..2a95ca3 100644
--- a/drivers/char/tpm/tpm_i2c_stm_st33.c
+++ b/drivers/char/tpm/tpm_i2c_stm_st33.c
@@ -488,7 +488,7 @@ static int tpm_stm_i2c_send(struct tpm_chip *chip, unsigned char *buf,
 		if (burstcnt < 0)
 			return burstcnt;
 		size = min_t(int, len - i - 1, burstcnt);
-		ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size);
+		ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size);
 		if (ret < 0)
 			goto out_err;


More information about the kernel-team mailing list