From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Aug 2022 10:01:54 +0000 (+0200)
Subject: updated queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
X-Git-Tag: v4.9.326~52
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a710c88802148366a363fe672783f0b5a40d5333;p=thirdparty%2Fkernel%2Fstable-queue.git

updated queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
---

diff --git a/queue-5.4/series b/queue-5.4/series
index e8634929a9b..5ce30ede81b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -281,7 +281,6 @@ tcp-fix-over-estimation-in-sk_forced_mem_schedule.patch
 scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
 bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
-tee-add-overflow-check-in-register_shm_helper.patch
 net-9p-initialize-the-iounit-field-during-fid-creation.patch
 net_sched-cls_route-disallow-handle-of-0.patch
 alsa-info-fix-llseek-return-value-when-using-callback.patch
@@ -326,3 +325,4 @@ nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
 xen-xenbus-fix-return-type-in-xenbus_file_read.patch
 atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
 dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
+tee-add-overflow-check-in-register_shm_helper.patch
diff --git a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
index 9a87677089d..381c7e8dbba 100644
--- a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
+++ b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
@@ -40,20 +40,22 @@ Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
 Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
 Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[JW: backport to stable-5.4 + update commit message]
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
- drivers/tee/tee_shm.c |    3 +++
+ drivers/tee/tee_core.c |    3 +++
  1 file changed, 3 insertions(+)
 
---- a/drivers/tee/tee_shm.c
-+++ b/drivers/tee/tee_shm.c
-@@ -239,6 +239,9 @@ struct tee_shm *tee_shm_register(struct
- 		goto err;
- 	}
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -182,6 +182,9 @@ tee_ioctl_shm_register(struct tee_contex
+ 	if (data.flags)
+ 		return -EINVAL;
  
-+	if (!access_ok((void __user *)addr, length))
-+		return ERR_PTR(-EFAULT);
++	if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
++		return -EFAULT;
 +
- 	mutex_lock(&teedev->mutex);
- 	list_add_tail(&shm->link, &ctx->list_shm);
- 	mutex_unlock(&teedev->mutex);
+ 	shm = tee_shm_register(ctx, data.addr, data.length,
+ 			       TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
+ 	if (IS_ERR(shm))