tpm_tis_remove() leads to calling tpm_tis_ready() with the IO region
unmapped and chip->locality == -1 (locality released). This leads to a
crash in mmio_write_bytes().
The patch implements these changes:
tpm_tis_remove(): Unmap the IO region after calling tpm_tis_cleanup().
tpm_tis_cleanup(): Request locality before IO output and releasing
locality.
Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
---
drivers/tpm/tpm2_tis_core.c | 6 ++++++
drivers/tpm/tpm2_tis_mmio.c | 5 ++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/tpm/tpm2_tis_core.c b/drivers/tpm/tpm2_tis_core.c
index ec8c730fe9..51392c4584 100644
--- a/drivers/tpm/tpm2_tis_core.c
+++ b/drivers/tpm/tpm2_tis_core.c
@@ -378,8 +378,14 @@ out:
int tpm_tis_cleanup(struct udevice *dev)
{
struct tpm_chip *chip = dev_get_priv(dev);
+ int ret;
+
+ ret = tpm_tis_request_locality(dev, 0);
+ if (ret)
+ return ret;
tpm_tis_ready(dev);
+
tpm_tis_release_locality(dev, chip->locality);
return 0;
diff --git a/drivers/tpm/tpm2_tis_mmio.c b/drivers/tpm/tpm2_tis_mmio.c
index 9cedff2225..a646ce41ff 100644
--- a/drivers/tpm/tpm2_tis_mmio.c
+++ b/drivers/tpm/tpm2_tis_mmio.c
@@ -118,10 +118,13 @@ iounmap:
static int tpm_tis_remove(struct udevice *dev)
{
struct tpm_tis_chip_data *drv_data = (void *)dev_get_driver_data(dev);
+ int ret;
+
+ ret = tpm_tis_cleanup(dev);
iounmap(drv_data->iobase);
- return tpm_tis_cleanup(dev);
+ return ret;
}
static const struct tpm_ops tpm_tis_ops = {
--
2.32.0
