Re: [PATCH] tee: shm: fix shm leak in register_shm_helper()

Next message: syzbot: "[syzbot] [integrity?] [lsm?] WARNING: bad unlock balance in __filemap_add_folio"
Previous message: Gary Guo: "Re: [PATCH V15 2/7] dma-resv: Fix undefined symbol when CONFIG_DMA_SHARED_BUFFER is disabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Wiklander

Date: Mon Apr 27 2026 - 09:41:36 EST

Hi,

On Mon, Apr 13, 2026 at 11:03 AM Sumit Garg <sumit.garg@xxxxxxxxxx> wrote:
>
> On Wed, Apr 08, 2026 at 06:52:03PM +0300, Georgiy Osokin wrote:
> > register_shm_helper() allocates shm before calling
> > iov_iter_npages(). If iov_iter_npages() returns 0, the function
> > jumps to err_ctx_put and leaks shm.
> >
> > This can be triggered by TEE_IOC_SHM_REGISTER with
> > struct tee_ioctl_shm_register_data where length is 0.
> >
> > Jump to err_free_shm instead.
> >
> > Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Cc: lvc-project@xxxxxxxxxxxxxxxx
> > Signed-off-by: Georgiy Osokin <g.osokin@xxxxxxxxxxxx>
> > ---
> > drivers/tee/tee_shm.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Thanks for the fix, FWIW:
>
> Reviewed-by: Sumit Garg <sumit.garg@xxxxxxxxxxxxxxxx>

Looks good. I'm picking up this.

Cheers,
Jens