diff options
Diffstat (limited to 'drivers/char/tpm/tpm-dev-common.c')
-rw-r--r-- | drivers/char/tpm/tpm-dev-common.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 610638a80383..230b99288024 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -22,9 +22,9 @@ #include "tpm.h" #include "tpm-dev.h" -static void user_reader_timeout(unsigned long ptr) +static void user_reader_timeout(struct timer_list *t) { - struct file_priv *priv = (struct file_priv *)ptr; + struct file_priv *priv = from_timer(priv, t, user_read_timer); pr_warn("TPM user space timeout is deprecated (pid=%d)\n", task_tgid_nr(current)); @@ -48,8 +48,7 @@ void tpm_common_open(struct file *file, struct tpm_chip *chip, priv->chip = chip; atomic_set(&priv->data_pending, 0); mutex_init(&priv->buffer_mutex); - setup_timer(&priv->user_read_timer, user_reader_timeout, - (unsigned long)priv); + timer_setup(&priv->user_read_timer, user_reader_timeout, 0); INIT_WORK(&priv->work, timeout_work); file->private_data = priv; @@ -110,6 +109,12 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open. |