--- /dev/null
+From jens.wiklander@linaro.org Tue Aug 23 10:28:47 2022
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Tue, 23 Aug 2022 10:23:26 +0200
+Subject: tee: fix memory leak in tee_shm_register()
+To: stable@vger.kernel.org
+Cc: Greg KH <gregkh@linuxfoundation.org>, Jens Wiklander <jens.wiklander@linaro.org>, Pavel Machek <pavel@denx.de>
+Message-ID: <20220823082326.9155-1-jens.wiklander@linaro.org>
+
+From: Jens Wiklander <jens.wiklander@linaro.org>
+
+Moves the access_ok() check for valid memory range from user space from
+the function tee_shm_register() to tee_ioctl_shm_register(). With this
+we error out early before anything is done that must be undone on error.
+
+Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
+Cc: stable@vger.kernel.org # 5.10
+Reported-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_core.c | 3 +++
+ drivers/tee/tee_shm.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex
+ if (data.flags)
+ return -EINVAL;
+
++ if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
++ return -EFAULT;
++
+ shm = tee_shm_register(ctx, data.addr, data.length,
+ TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
+ if (IS_ERR(shm))
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct
+ goto err;
+ }
+
+- if (!access_ok((void __user *)addr, length))
+- return ERR_PTR(-EFAULT);
+-
+ mutex_lock(&teedev->mutex);
+ shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
+ mutex_unlock(&teedev->mutex);
projects / thirdparty / kernel / stable-queue.git / commitdiff
