From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 23 Aug 2022 08:29:30 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.9.326~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08709702a9b939727143ac8ac4b61a7f16481a03;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	tee-fix-memory-leak-in-tee_shm_register.patch
---

diff --git a/queue-5.10/series b/queue-5.10/series
index 770284047ed..0b580c42bd1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -156,3 +156,4 @@ can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
 pci-err-retain-status-from-error-notification.patch
 qrtr-convert-qrtr_ports-from-idr-to-xarray.patch
 bpf-fix-kasan-use-after-free-read-in-compute_effective_progs.patch
+tee-fix-memory-leak-in-tee_shm_register.patch
diff --git a/queue-5.10/tee-fix-memory-leak-in-tee_shm_register.patch b/queue-5.10/tee-fix-memory-leak-in-tee_shm_register.patch
new file mode 100644
index 00000000000..5c2c387d296
--- /dev/null
+++ b/queue-5.10/tee-fix-memory-leak-in-tee_shm_register.patch
@@ -0,0 +1,48 @@
+From jens.wiklander@linaro.org  Tue Aug 23 10:28:47 2022
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Tue, 23 Aug 2022 10:23:26 +0200
+Subject: tee: fix memory leak in tee_shm_register()
+To: stable@vger.kernel.org
+Cc: Greg KH <gregkh@linuxfoundation.org>, Jens Wiklander <jens.wiklander@linaro.org>, Pavel Machek <pavel@denx.de>
+Message-ID: <20220823082326.9155-1-jens.wiklander@linaro.org>
+
+From: Jens Wiklander <jens.wiklander@linaro.org>
+
+Moves the access_ok() check for valid memory range from user space from
+the function tee_shm_register() to tee_ioctl_shm_register(). With this
+we error out early before anything is done that must be undone on error.
+
+Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
+Cc: stable@vger.kernel.org # 5.10
+Reported-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_core.c |    3 +++
+ drivers/tee/tee_shm.c  |    3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex
+ 	if (data.flags)
+ 		return -EINVAL;
+ 
++	if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
++		return -EFAULT;
++
+ 	shm = tee_shm_register(ctx, data.addr, data.length,
+ 			       TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
+ 	if (IS_ERR(shm))
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct
+ 		goto err;
+ 	}
+ 
+-	if (!access_ok((void __user *)addr, length))
+-		return ERR_PTR(-EFAULT);
+-
+ 	mutex_lock(&teedev->mutex);
+ 	shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
+ 	mutex_unlock(&teedev->mutex);