[PATCH] tee: optee: Fix incorrect page free bug

[PATCH] tee: optee: Fix incorrect page free bug

[Sumit Garg]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

Pointer to the allocated pages (struct page *page) has already
progressed towards the end of allocation. It is incorrect to perform
__free_pages(page, order) using this pointer as we would free any
arbitrary pages. Fix this by stop modifying the page pointer.

Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
Reported-by: Patrik Lantz <patrik.lantz@axis.com>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
---
 drivers/tee/optee/core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
index ab2edfcc6c70..2a66a5203d2f 100644
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -48,10 +48,8 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool_mgr *poolm,
 			goto err;
 		}
 
-		for (i = 0; i < nr_pages; i++) {
-			pages[i] = page;
-			page++;
-		}
+		for (i = 0; i < nr_pages; i++)
+			pages[i] = page + i;
 
 		shm->flags |= TEE_SHM_REGISTER;
 		rc = shm_register(shm->ctx, shm, pages, nr_pages,
-- 
2.25.1

Re: [PATCH] tee: optee: Fix incorrect page free bug

[Jens Wiklander]

[-- Attachment #1: Type: text/plain, Size: 1485 bytes --]

On Wed, Dec 15, 2021 at 11:20 AM Sumit Garg <sumit.garg@linaro.org> wrote:
>
> Pointer to the allocated pages (struct page *page) has already
> progressed towards the end of allocation. It is incorrect to perform
> __free_pages(page, order) using this pointer as we would free any
> arbitrary pages. Fix this by stop modifying the page pointer.
>
> Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
> Reported-by: Patrik Lantz <patrik.lantz@axis.com>
> Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
> ---
>  drivers/tee/optee/core.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)

Looks good to me, but I think we should cc stable since that was done
in the patch fixed by this.

Thanks,
Jens

>
> diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> index ab2edfcc6c70..2a66a5203d2f 100644
> --- a/drivers/tee/optee/core.c
> +++ b/drivers/tee/optee/core.c
> @@ -48,10 +48,8 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool_mgr *poolm,
>                         goto err;
>                 }
>
> -               for (i = 0; i < nr_pages; i++) {
> -                       pages[i] = page;
> -                       page++;
> -               }
> +               for (i = 0; i < nr_pages; i++)
> +                       pages[i] = page + i;
>
>                 shm->flags |= TEE_SHM_REGISTER;
>                 rc = shm_register(shm->ctx, shm, pages, nr_pages,
> --
> 2.25.1
>

Re: [PATCH] tee: optee: Fix incorrect page free bug

[Tyler Hicks]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

On 2021-12-15 15:50:11, Sumit Garg wrote:
> Pointer to the allocated pages (struct page *page) has already
> progressed towards the end of allocation. It is incorrect to perform
> __free_pages(page, order) using this pointer as we would free any
> arbitrary pages. Fix this by stop modifying the page pointer.
> 
> Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
> Reported-by: Patrik Lantz <patrik.lantz@axis.com>
> Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Thanks for fixing this!

Tyler

> ---
>  drivers/tee/optee/core.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> index ab2edfcc6c70..2a66a5203d2f 100644
> --- a/drivers/tee/optee/core.c
> +++ b/drivers/tee/optee/core.c
> @@ -48,10 +48,8 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool_mgr *poolm,
>  			goto err;
>  		}
>  
> -		for (i = 0; i < nr_pages; i++) {
> -			pages[i] = page;
> -			page++;
> -		}
> +		for (i = 0; i < nr_pages; i++)
> +			pages[i] = page + i;
>  
>  		shm->flags |= TEE_SHM_REGISTER;
>  		rc = shm_register(shm->ctx, shm, pages, nr_pages,
> -- 
> 2.25.1
> 

Re: [PATCH] tee: optee: Fix incorrect page free bug

[Tyler Hicks]

[-- Attachment #1: Type: text/plain, Size: 1860 bytes --]

On 2021-12-15 16:29:08, Jens Wiklander wrote:
> On Wed, Dec 15, 2021 at 11:20 AM Sumit Garg <sumit.garg@linaro.org> wrote:
> >
> > Pointer to the allocated pages (struct page *page) has already
> > progressed towards the end of allocation. It is incorrect to perform
> > __free_pages(page, order) using this pointer as we would free any
> > arbitrary pages. Fix this by stop modifying the page pointer.
> >
> > Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
> > Reported-by: Patrik Lantz <patrik.lantz@axis.com>
> > Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
> > ---
> >  drivers/tee/optee/core.c | 6 ++----
> >  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> Looks good to me, but I think we should cc stable since that was done
> in the patch fixed by this.

Yes, please add the 'Cc: stable(a)vger.kernel.org' tag because it will
ensure that it'll be applied to the affected stable kernels or, if
there's a conflict, that we'll get an email notification to provide a
manual backport.

Tyler

> 
> Thanks,
> Jens
> 
> >
> > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > index ab2edfcc6c70..2a66a5203d2f 100644
> > --- a/drivers/tee/optee/core.c
> > +++ b/drivers/tee/optee/core.c
> > @@ -48,10 +48,8 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool_mgr *poolm,
> >                         goto err;
> >                 }
> >
> > -               for (i = 0; i < nr_pages; i++) {
> > -                       pages[i] = page;
> > -                       page++;
> > -               }
> > +               for (i = 0; i < nr_pages; i++)
> > +                       pages[i] = page + i;
> >
> >                 shm->flags |= TEE_SHM_REGISTER;
> >                 rc = shm_register(shm->ctx, shm, pages, nr_pages,
> > --
> > 2.25.1
> >
>