From: Greg Kroah-Hartman Date: Tue, 8 Nov 2022 12:17:38 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.333~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35d5050603e3bfdcd34d07f9ec861be4c00703d4;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: tee-fix-tee_shm_register-for-kernel-tee-drivers.patch --- diff --git a/queue-5.15/series b/queue-5.15/series index 14d3b30ad42..c8ac14ab9be 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -136,3 +136,4 @@ kvm-x86-emulator-em_sysexit-should-update-ctxt-mode.patch kvm-x86-emulator-introduce-emulator_recalc_and_set_mode.patch kvm-x86-emulator-update-the-emulation-mode-after-rsm.patch kvm-x86-emulator-update-the-emulation-mode-after-cr0-write.patch +tee-fix-tee_shm_register-for-kernel-tee-drivers.patch diff --git a/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch b/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch new file mode 100644 index 00000000000..aec5e3ed2a9 --- /dev/null +++ b/queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch @@ -0,0 +1,64 @@ +From sumit.garg@linaro.org Tue Nov 8 13:16:54 2022 +From: Sumit Garg +Date: Tue, 8 Nov 2022 16:23:01 +0530 +Subject: tee: Fix tee_shm_register() for kernel TEE drivers +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, jens.wiklander@linaro.org, jerome.forissier@linaro.org, Sumit Garg , Sahil Malhotra +Message-ID: <20221108105301.1925751-1-sumit.garg@linaro.org> + +From: Sumit Garg + +Commit 056d3fed3d1f ("tee: add tee_shm_register_{user,kernel}_buf()") +refactored tee_shm_register() into corresponding user and kernel space +functions named tee_shm_register_{user,kernel}_buf(). The upstream fix +commit 573ae4f13f63 ("tee: add overflow check in register_shm_helper()") +only applied to tee_shm_register_user_buf(). + +But the stable kernel 4.19, 5.4, 5.10 and 5.15 don't have the above +mentioned tee_shm_register() refactoring commit. Hence a direct backport +wasn't possible and the fix has to be rather applied to +tee_ioctl_shm_register(). + +Somehow the fix was correctly backported to 4.19 and 5.4 stable kernels +but the backports for 5.10 and 5.15 stable kernels were broken as fix +was applied to common tee_shm_register() function which broke its kernel +space users such as trusted keys driver. + +Fortunately the backport for 5.10 stable kernel was incidently fixed by: +commit 606fe84a4185 ("tee: fix memory leak in tee_shm_register()"). So +fix the backport for 5.15 stable kernel as well. + +Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()") +Cc: stable@vger.kernel.org # 5.15 +Reported-by: Sahil Malhotra +Signed-off-by: Sumit Garg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/tee_core.c | 3 +++ + drivers/tee/tee_shm.c | 3 --- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex + if (data.flags) + return -EINVAL; + ++ if (!access_ok((void __user *)(unsigned long)data.addr, data.length)) ++ return -EFAULT; ++ + shm = tee_shm_register(ctx, data.addr, data.length, + TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); + if (IS_ERR(shm)) +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -223,9 +223,6 @@ struct tee_shm *tee_shm_register(struct + goto err; + } + +- if (!access_ok((void __user *)addr, length)) +- return ERR_PTR(-EFAULT); +- + mutex_lock(&teedev->mutex); + shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); + mutex_unlock(&teedev->mutex);