This is a note to let you know that I've just added the patch titled

    tee: Fix tee_shm_register() for kernel TEE drivers

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tee-fix-tee_shm_register-for-kernel-tee-drivers.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From sumit.garg@xxxxxxxxxx Tue Nov 8 13:16:54 2022
From: Sumit Garg <sumit.garg@xxxxxxxxxx>
Date: Tue, 8 Nov 2022 16:23:01 +0530
Subject: tee: Fix tee_shm_register() for kernel TEE drivers
To: stable@xxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx, jens.wiklander@xxxxxxxxxx, jerome.forissier@xxxxxxxxxx, Sumit Garg <sumit.garg@xxxxxxxxxx>, Sahil Malhotra <sahil.malhotra@xxxxxxx>
Message-ID: <20221108105301.1925751-1-sumit.garg@xxxxxxxxxx>
From: Sumit Garg <sumit.garg@xxxxxxxxxx> Commit 056d3fed3d1f ("tee: add tee_shm_register_{user,kernel}_buf()") refactored tee_shm_register() into corresponding user and kernel space functions named tee_shm_register_{user,kernel}_buf(). The upstream fix commit 573ae4f13f63 ("tee: add overflow check in register_shm_helper()") only applied to tee_shm_register_user_buf(). But the stable kernel 4.19, 5.4, 5.10 and 5.15 don't have the above mentioned tee_shm_register() refactoring commit. Hence a direct backport wasn't possible and the fix has to be rather applied to tee_ioctl_shm_register(). Somehow the fix was correctly backported to 4.19 and 5.4 stable kernels but the backports for 5.10 and 5.15 stable kernels were broken as fix was applied to common tee_shm_register() function which broke its kernel space users such as trusted keys driver. Fortunately the backport for 5.10 stable kernel was incidently fixed by: commit 606fe84a4185 ("tee: fix memory leak in tee_shm_register()"). So fix the backport for 5.15 stable kernel as well. Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()") Cc: stable@xxxxxxxxxxxxxxx # 5.15 Reported-by: Sahil Malhotra <sahil.malhotra@xxxxxxx> Signed-off-by: Sumit Garg <sumit.garg@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/tee/tee_core.c | 3 +++ drivers/tee/tee_shm.c | 3 --- 2 files changed, 3 insertions(+), 3 deletions(-) --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex if (data.flags) return -EINVAL; + if (!access_ok((void __user *)(unsigned long)data.addr, data.length)) + return -EFAULT; + shm = tee_shm_register(ctx, data.addr, data.length, TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); if (IS_ERR(shm)) --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c 
@@ -223,9 +223,6 @@ struct tee_shm *tee_shm_register(struct goto err; } - if (!access_ok((void __user *)addr, length)) - return ERR_PTR(-EFAULT); - mutex_lock(&teedev->mutex); shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); mutex_unlock(&teedev->mutex); Patches currently in stable-queue which might be from sumit.garg@xxxxxxxxxx are queue-5.15/tee-fix-tee_shm_register-for-kernel-tee-drivers.patch
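Review bot: in the tee_core.c hunk the new access_ok() check is placed correctly, after the `if (data.flags) return -EINVAL;` rejection and before tee_shm_register() allocates anything, so an invalid user range is refused with -EFAULT without any object to clean up; this is the ioctl boundary, the one place the address is known to be a user pointer, which is why it belongs here and not in the shared helper. The double cast `(void __user *)(unsigned long)data.addr` deserves a short comment, since a reader unfamiliar with the ioctl struct will not know why the intermediate unsigned long is needed; it would also help to note that access_ok() on (addr, length) is what provides the "overflow check" the Fixes: line refers to, because the range wrap-around is rejected there rather than in any explicit arithmetic in this hunk.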
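Review bot: the tee_shm.c hunk removes a check that was not only wrong for in-kernel callers (a kernel address handed in by the trusted keys driver fails access_ok(), which is the breakage the message describes) but also leaked on its own error path: the removed `return ERR_PTR(-EFAULT);` sits directly after the `goto err;` cleanup pattern and bypasses the err label, so the freshly allocated shm was never released, matching the memory-leak fix cited for 5.10. After this hunk, tee_shm_register() performs no user-range validation of its own, so callers passing TEE_SHM_USER_MAPPED are responsible for it; that contract is now implicit and should be stated in a comment above tee_shm_register() so that a future caller does not reintroduce the unchecked path.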