The memory was not zeroed for new_res, which caused
devm_ioremap_resource() not to use dev_name() but instead whatever
garbage was pointed by new_res->name.

The problem in crb_check_resource() is different: there, not zeroing the
name pointer causes a use-after-free.

Signed-off-by: Jarkko Sakkinen <[email protected]>
Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
---
 drivers/char/tpm/tpm_crb.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 916332c..151689d 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -227,8 +227,10 @@ static int crb_check_resource(struct acpi_resource *ares, 
void *data)
        struct crb_priv *priv = data;
        struct resource res;
 
-       if (acpi_dev_resource_memory(ares, &res))
+       if (acpi_dev_resource_memory(ares, &res)) {
+               res.name = NULL;
                priv->res = res;
+       }
 
        return 1;
 }
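Review bot: Only `name` is cleared before `priv->res = res;`, so every other member of the on-stack `res` that acpi_dev_resource_memory() does not write is copied into the long-lived `priv->res` as it was. Whether the helper fills the remaining pointer members (`parent`, `sibling`, `child`) is not visible in this hunk; if it does not, they are uninitialised stack data. Zeroing at the declaration, `struct resource res = { };`, while keeping `res.name = NULL;` after the call, would cover both cases. The assignment also deserves a comment, for example `/* name must not outlive the ACPI walk; a NULL name makes devm_ioremap_resource() fall back to dev_name() */`, with the wording checked against what the helper actually stores in `name`.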
@@ -236,11 +238,13 @@ static int crb_check_resource(struct acpi_resource *ares, 
void *data)
 static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
                                 u64 start, u32 size)
 {
-       struct resource new_res = {
-               .start  = start,
-               .end    = start + size - 1,
-               .flags  = IORESOURCE_MEM,
-       };
+       struct resource new_res;
+
+       memset(&new_res, 0, sizeof(new_res));
+
+       new_res.start   = start;
+       new_res.end     = start + size - 1;
+       new_res.flags   = IORESOURCE_MEM;
 
        /* Detect a 64 bit address on a 32 bit system */
        if (start != new_res.start)
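Review bot: Replacing the designated initializer with `memset()` plus three assignments does not change what `new_res.name` holds, because C zero-initialises every member a designated initializer leaves out, so the removed form already gave `name == NULL`. The garbage name described in the commit message therefore probably came from another path, possibly the `priv->res` copy fixed in the first hunk, and this hunk only adds lines. I would keep `struct resource new_res = { .start = start, .end = start + size - 1, .flags = IORESOURCE_MEM };` and drop the `memset()`. Separately, `start + size - 1` is unguarded in the visible lines: a `size` of 0 gives `end < start`, and a large `start` can wrap. crb_map_res() continues past the hunk, so a later check may exist, but if `start` and `size` come from device-reported values they should be validated before the mapping is requested.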
-- 
2.7.0
