[lvc-project] [PATCH] tee: shm: fix shm leak in register_shm_helper()
Jens Wiklander
jens.wiklander at linaro.org
Mon Apr 27 16:41:07 MSK 2026
Hi,
On Mon, Apr 13, 2026 at 11:03 AM Sumit Garg <sumit.garg at kernel.org> wrote:
>
> On Wed, Apr 08, 2026 at 06:52:03PM +0300, Georgiy Osokin wrote:
> > register_shm_helper() allocates shm before calling
> > iov_iter_npages(). If iov_iter_npages() returns 0, the function
> > jumps to err_ctx_put and leaks shm.
> >
> > This can be triggered by TEE_IOC_SHM_REGISTER with
> > struct tee_ioctl_shm_register_data where length is 0.
> >
> > Jump to err_free_shm instead.
> >
> > Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
> > Cc: stable at vger.kernel.org
> > Cc: lvc-project at linuxtesting.org
> > Signed-off-by: Georgiy Osokin <g.osokin at auroraos.dev>
> > ---
> > drivers/tee/tee_shm.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Thanks for the fix, FWIW:
>
> Reviewed-by: Sumit Garg <sumit.garg at oss.qualcomm.com>
Looks good. I'm picking up this.
Cheers,
Jens
More information about the lvc-project
mailing list