On Thu, Dec 16, 2021 at 6:47 AM Sumit Garg <sumit.garg@xxxxxxxxxx> wrote: > > Pointer to the allocated pages (struct page *page) has already > progressed towards the end of allocation. It is incorrect to perform > __free_pages(page, order) using this pointer as we would free any > arbitrary pages. Fix this by stop modifying the page pointer. > > Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages") > Cc: stable@xxxxxxxxxxxxxxx > Reported-by: Patrik Lantz <patrik.lantz@xxxxxxxx> > Signed-off-by: Sumit Garg <sumit.garg@xxxxxxxxxx> > Reviewed-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> > --- > > Changes since v1: > - Added stable CC tag. > - Picked up Tyler's review tag. > > drivers/tee/optee/core.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) I'm picking up this. Thanks, Jens > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c > index ab2edfcc6c70..2a66a5203d2f 100644 > --- a/drivers/tee/optee/core.c > +++ b/drivers/tee/optee/core.c > @@ -48,10 +48,8 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool_mgr *poolm, > goto err; > } > > - for (i = 0; i < nr_pages; i++) { > - pages[i] = page; > - page++; > - } > + for (i = 0; i < nr_pages; i++) > + pages[i] = page + i; > > shm->flags |= TEE_SHM_REGISTER; > rc = shm_register(shm->ctx, shm, pages, nr_pages, > -- > 2.25.1 >
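Review bot: In the rewritten loop (pages[i] = page + i;) nothing in the code says why page must stay put, so a later cleanup could reintroduce the page++ form and with it the bad free described in the commit message. A one-line comment above the loop would guard against that, for example: "page must keep pointing at the first allocated page; the error path frees it with __free_pages(page, order)". The error path is outside the visible context of this hunk, so it is also worth confirming before applying that no other statement between the loop and the err label modifies page.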