tpm_buf_append() guards against overflow of the underlying buffer by comparing the running length against PAGE_SIZE. Every other site in the TPM core uses TPM_BUFSIZE (4096) as the protocol-level cap on TPM command and response sizes.
On 4K-page kernels PAGE_SIZE == TPM_BUFSIZE, so the two caps coincide and the inconsistency is invisible. On kernels with a larger base page size, e.g. CONFIG_ARM64_64K_PAGES=y or 16K pages, PAGE_SIZE exceeds TPM_BUFSIZE.
This is a latent bug rather than a user-visible bug, given that in most cases PAGE_SIZE = 4096. The mismatch is still worth fixing because future callers (e.g. the proposed TPM_BUFSIZE increase to 8 KiB, and the Secure Launch tpm_buf rework) rely on the overflow flag being authoritative.
Use TPM_BUFSIZE instead of PAGE_SIZE so the append-time check matches the transmit-time cap on every page size.
Signed-off-by: Breno Leitao <[email protected]>
Fixes: a74f8b36352e ("tpm: introduce tpm_buf")
--- drivers/char/tpm/tpm-buf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c index dc882fc9fa9e..8da5de0f7159 100644 --- a/drivers/char/tpm/tpm-buf.c +++ b/drivers/char/tpm/tpm-buf.c @@ -7,6 +7,8 @@ #include <linux/module.h> #include <linux/tpm.h> +#include "tpm.h" + /** * tpm_buf_init() - Allocate and initialize a TPM command * @buf: A &tpm_buf @@ -108,7 +110,7 @@ void tpm_buf_append(struct tpm_buf *buf, const u8 *new_data, u16 new_length) if (buf->flags & TPM_BUF_OVERFLOW) return; - if ((buf->length + new_length) > PAGE_SIZE) { + if ((buf->length + new_length) > TPM_BUFSIZE) { WARN(1, "tpm_buf: write overflow\n"); buf->flags |= TPM_BUF_OVERFLOW; return; --- base-commit: c1ecb239fa3456529a32255359fc78b69eb9d847 change-id: 20260524-tpm-402b8478fec9 Best regards, -- Breno Leitao <[email protected]>
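Review bot: The changelog does not explain the new `#include "tpm.h"` in the first hunk (@@ -7,6 +7,8 @@), which sits after `#include <linux/tpm.h>`. It is presumably there only to make TPM_BUFSIZE visible in tpm-buf.c; please say so in the commit message. If tpm_buf_append() is meant to share one cap with the rest of the TPM core, it is also worth considering whether the constant should live in a header this file already includes rather than pulling the driver-private header in for a single macro.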
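Review bot: In the second hunk (@@ -108,7 +110,7 @@, tpm_buf_append()), the new bound `(buf->length + new_length) > TPM_BUFSIZE` stops being a memory-safety check once TPM_BUFSIZE can exceed the size of the backing buffer. The commit message describes this test as the guard against overflow of the underlying buffer, which was previously compared against PAGE_SIZE, and it also cites a proposed TPM_BUFSIZE increase to 8 KiB. If the allocation stays one page, a 4K-page kernel with an 8 KiB TPM_BUFSIZE would accept appends past the end of the buffer without setting TPM_BUF_OVERFLOW. Suggest either bounding by the smaller of the two values, or adding a build-time assertion that TPM_BUFSIZE does not exceed the allocation size, so the protocol cap and the allocation cap cannot silently diverge in the other direction.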

