Unverified Commit 84bc3c0b authored by Arnd Bergmann's avatar Arnd Bergmann
Browse files

Merge tag 'tee-fixes-for-v6.17' of... 

Merge tag 'tee-fixes-for-v6.17' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into arm/fixes

TEE fixes for v6.17

- Fixing a memory leak in the error path for tee_dyn_shm_alloc_helper()
- Fixing a NULL pointer dereference in tee_shm_put()

* tag 'tee-fixes-for-v6.17' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee:
  tee: fix memory leak in tee_dyn_shm_alloc_helper
  tee: fix NULL pointer dereference in tee_shm_put

Link: https://lore.kernel.org/r/20250819122641.GA3486750@rayden


Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
parents e6e70990 50a74d00

drivers/tee/tee_shm.c

+10 −4
Original line number Diff line number Diff line
@@ -230,7 +230,7 @@ int tee_dyn_shm_alloc_helper(struct tee_shm *shm, size_t size, size_t align, 
	pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);

	if (!pages) {

		rc = -ENOMEM;

		goto err;

		goto err_pages;

	}



	for (i = 0; i < nr_pages; i++)
@@ -243,11 +243,13 @@ int tee_dyn_shm_alloc_helper(struct tee_shm *shm, size_t size, size_t align, 
		rc = shm_register(shm->ctx, shm, pages, nr_pages,

				  (unsigned long)shm->kaddr);

		if (rc)

			goto err;

			goto err_kfree;

	}



	return 0;

err:

err_kfree:

	kfree(pages);

err_pages:

	free_pages_exact(shm->kaddr, shm->size);

	shm->kaddr = NULL;

	return rc;
@@ -560,9 +562,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); 
 */

void tee_shm_put(struct tee_shm *shm)

{

	struct tee_device *teedev = shm->ctx->teedev;

	struct tee_device *teedev;

	bool do_release = false;



	if (!shm || !shm->ctx || !shm->ctx->teedev)

		return;



	teedev = shm->ctx->teedev;

	mutex_lock(&teedev->mutex);

	if (refcount_dec_and_test(&shm->refcount)) {

		/*