5.15-stable patches

added patches:
	tee-fix-tee_shm_register-for-kernel-tee-drivers.patch

diff --git a/queue-5.15/series b/queue-5.15/series
index 14d3b30ad423e0c27c51f201c57b59b0669a5293..c8ac14ab9be15717f9bdc171b5c3c589171473a3 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -136,3 +136,4 @@ kvm-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
 kvm-x86-emulator-introduce-emulator_recalc_and_set_mode.patch
 kvm-x86-emulator-update-the-emulation-mode-after-rsm.patch
 kvm-x86-emulator-update-the-emulation-mode-after-cr0-write.patch
+tee-fix-tee_shm_register-for-kernel-tee-drivers.patch

diff --git a/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch b/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch
new file mode 100644 (file)
index 0000000..aec5e3e
--- /dev/null
+++ b/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch
@@ -0,0 +1,64 @@
+From sumit.garg@linaro.org  Tue Nov  8 13:16:54 2022
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue,  8 Nov 2022 16:23:01 +0530
+Subject: tee: Fix tee_shm_register() for kernel TEE drivers
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, jens.wiklander@linaro.org, jerome.forissier@linaro.org, Sumit Garg <sumit.garg@linaro.org>, Sahil Malhotra <sahil.malhotra@nxp.com>
+Message-ID: <20221108105301.1925751-1-sumit.garg@linaro.org>
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+Commit 056d3fed3d1f ("tee: add tee_shm_register_{user,kernel}_buf()")
+refactored tee_shm_register() into corresponding user and kernel space
+functions named tee_shm_register_{user,kernel}_buf(). The upstream fix
+commit 573ae4f13f63 ("tee: add overflow check in register_shm_helper()")
+only applied to tee_shm_register_user_buf().
+
+But the stable kernel 4.19, 5.4, 5.10 and 5.15 don't have the above
+mentioned tee_shm_register() refactoring commit. Hence a direct backport
+wasn't possible and the fix has to be rather applied to
+tee_ioctl_shm_register().
+
+Somehow the fix was correctly backported to 4.19 and 5.4 stable kernels
+but the backports for 5.10 and 5.15 stable kernels were broken as fix
+was applied to common tee_shm_register() function which broke its kernel
+space users such as trusted keys driver.
+
+Fortunately the backport for 5.10 stable kernel was incidently fixed by:
+commit 606fe84a4185 ("tee: fix memory leak in tee_shm_register()"). So
+fix the backport for 5.15 stable kernel as well.
+
+Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
+Cc: stable@vger.kernel.org # 5.15
+Reported-by: Sahil Malhotra <sahil.malhotra@nxp.com>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_core.c |    3 +++
+ drivers/tee/tee_shm.c  |    3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex
+       if (data.flags)
+               return -EINVAL;
+ 
++      if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
++              return -EFAULT;
++
+       shm = tee_shm_register(ctx, data.addr, data.length,
+                              TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
+       if (IS_ERR(shm))
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -223,9 +223,6 @@ struct tee_shm *tee_shm_register(struct
+               goto err;
+       }
+ 
+-      if (!access_ok((void __user *)addr, length))
+-              return ERR_PTR(-EFAULT);
+-
+       mutex_lock(&teedev->mutex);
+       shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
+       mutex_unlock(&teedev->mutex);