tee: fix memory leak in tee_shm_register()
authorJens Wiklander <jens.wiklander@linaro.org>
Tue, 23 Aug 2022 08:23:26 +0000 (10:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Aug 2022 09:38:24 +0000 (11:38 +0200)
Moves the access_ok() check for valid memory range from user space from
the function tee_shm_register() to tee_ioctl_shm_register(). With this
we error out early before anything is done that must be undone on error.

Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
Cc: stable@vger.kernel.org # 5.10
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tee/tee_core.c
drivers/tee/tee_shm.c

index e07f997cf8dd3b5132be4d20a21245e092301376..9cc4a7b63b0d6068faa29d65ab7c44be59081716 100644 (file)
@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_context *ctx,
        if (data.flags)
                return -EINVAL;
 
+       if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
+               return -EFAULT;
+
        shm = tee_shm_register(ctx, data.addr, data.length,
                               TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
        if (IS_ERR(shm))
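Review bot: The user-range validation of `data.addr`/`data.length` now exists only at this ioctl entry point, because the second hunk of this commit removes the same access_ok() test from tee_shm_register(), so that function silently depends on its caller having checked the range. Other callers of tee_shm_register() are not visible on this page; any that pass TEE_SHM_USER_MAPPED with an address that originated in user space would need the same check, and nothing in the new code records that. I would put a comment above the added test, for example `/* tee_shm_register() no longer validates the user range; every caller passing a user address must do it first */`, and state the same precondition in the comment block of tee_shm_register() in drivers/tee/tee_shm.c. The bodies of both functions start and end outside the hunks shown, so any remaining validation further down in tee_shm_register() cannot be confirmed from here.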
index 6e662fb131d554616d38ba9c57be9a1f662b9547..499fccba3d74bd5471eea8aa609811c00ea17029 100644 (file)
@@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
                goto err;
        }
 
-       if (!access_ok((void __user *)addr, length))
-               return ERR_PTR(-EFAULT);
-
        mutex_lock(&teedev->mutex);
        shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
        mutex_unlock(&teedev->mutex);