TEE fixes for v7.1

Fixing:
 - params_from_user() cleanup in error path in tee_ioctl_supp_recv()
 - possible tee_shm leak in error path in register_shm_helper()
 - padding in struct tee_ioctl_object_invoke_arg
 -----BEGIN PGP SIGNATURE-----
 
 iQJOBAABCgA4FiEE0qerISgy2SKkqO79Wr/6JGat8H4FAmoNXF4aHGplbnMud2lr
 bGFuZGVyQGxpbmFyby5vcmcACgkQWr/6JGat8H7G0xAA4+Rytz+NnQJk/qh+6crH
 so6W3QtQPOlPcXRbiUO/eYQLiuhxP3OHvy1v+FGk9/InRDIL2WEPaglKzeHw1k7Z
 dtHc3fte9+rMpXQi0VpWle+iIDmbcSZo6i0LEq4K6K0zR+uHLvDiye31SN7Xh9y+
 M2kmu3EYEuCnYcLScJASWXFh8zkBuE3ouxlRd237qy1ZaqirPSIBLfukES2/nKnd
 q16nSAb55oASCFE1tAJ/7p7ADIogYwY8zdIC9wPidcmCLC43cBpKcGMVukXY1TM/
 H8qjY+eNQXu5wZbs08DXAFZcqfoPykUKtN66gaKj+eHfEuu/y67Fs1RV/L1fY4ER
 82S69KGUY+uh9xBLV4WIAmF79VZLtFX9y55DyfzPIC7PLlu0/ov2+1pWcy5h/5Xl
 W2gQOTap0MnhTBPOzBN2kFArkC/lmgoufUGifIKGbxYw06ZaORUnIAUOorcItoq4
 Sl1Yl48hQ5Wr1J6N++sa75O7cvoNX3zgLSEfJkZv8IvebZH2U8coTJBdmr1lD7pI
 6W/QwQ4ZbNN2fhmQ1262coDddMEUFbDe60bKWDfnO9gCCvYtRSbWxX5j2ksclRw2
 gr6t9giURM9H2IYMEDA5UaXH7WRCmKU1Mu3SqdsklHCwoXA6ie3gg1xRn3gY1Bw+
 mGG1LrAIVXbVuDvoLEa2PE8=
 =iyqH
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmoYQSwACgkQmmx57+YA
 GNltaw/8CTK3hikzjTaIbJBDsXE46oNAn244rAYo8HXMM64sqrPHyEBIKPfdRpEp
 /jshVeNAfT6nA7qnt+PLPfB3w45L0Ugl29DmSIc2Drsb7Mzs0TCVfiW4tkBITbd5
 9/n7FKNnIMvtEpUhZRSvgGZiJ98dC16R5aTmnCgXNSild6VLpu3sCrResX15Mkj5
 SbKjOZmv7NziUEWAROrnznYZV+VIQiXLbYV5a66NxgSUptud55dcJWoyXXqTczzj
 +mA7RVPErcbNOCtBRzLmPVN0J9bIFQg8HGqacEhwQtslixkz2zcriNLQN/KjtXtF
 TDs3vy0LFb8TCYbe9P8QJHAuoKSVhCuifLy0v28Z7ozf5cIZ4nEPuvjomC8Mcr6e
 MjArB4Zb8QGk9MVAKg0Pt6a1tkA+5Ij1sxHJks4n3hGw0O1WJAH65VI2q53FoHPq
 7isFbT5DS21OuoxUSZF+i+VacDsD5HEOfQVuoD3LNhKyRAlhaLA2ytf37ZOQtTAQ
 RR8ccjyssZbCqXMvyjcOiIgNwAmRQ/KkDNzWLNTdCPp7lZ6OzNfWKG5ljx9QG4zV
 qzcE8GgUjZnyuy+C8yN15vGhvXW6WSYfSQBzN7lpJI0Crq9IoUTch2aKjxBiXlhD
 MpXD/8FVueRXtLRj7h8nmVGSFP82lR15EPfYImpSe8WXVIs7Tyw=
 =CNbC
 -----END PGP SIGNATURE-----

Merge tag 'tee-fixes-for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into arm/fixes

TEE fixes for v7.1

Fixing:
- params_from_user() cleanup in error path in tee_ioctl_supp_recv()
- possible tee_shm leak in error path in register_shm_helper()
- padding in struct tee_ioctl_object_invoke_arg

* tag 'tee-fixes-for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee:
  tee: fix params_from_user() error path in tee_ioctl_supp_recv
  tee: shm: fix shm leak in register_shm_helper()
  tee: fix tee_ioctl_object_invoke_arg padding

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

drivers/tee/tee_core.c

@@ -530,11 +530,24 @@ static int params_to_user(struct tee_ioctl_param __user *uparams,
 	return 0;
 }
 
+static void free_params(struct tee_param *params, size_t num_params)
+{
+	size_t n;
+
+	if (!params)
+		return;
+
+	for (n = 0; n < num_params; n++)
+		if (tee_param_is_memref(params + n) && params[n].u.memref.shm)
+			tee_shm_put(params[n].u.memref.shm);
+
+	kfree(params);
+}
+
 static int tee_ioctl_open_session(struct tee_context *ctx,
 				  struct tee_ioctl_buf_data __user *ubuf)
 {
 	int rc;
-	size_t n;
 	struct tee_ioctl_buf_data buf;
 	struct tee_ioctl_open_session_arg __user *uarg;
 	struct tee_ioctl_open_session_arg arg;
@@ -595,16 +608,7 @@ out:
 	 */
 	if (rc && have_session && ctx->teedev->desc->ops->close_session)
 		ctx->teedev->desc->ops->close_session(ctx, arg.session);
-
-	if (params) {
-		/* Decrease ref count for all valid shared memory pointers */
-		for (n = 0; n < arg.num_params; n++)
-			if (tee_param_is_memref(params + n) &&
-			    params[n].u.memref.shm)
-				tee_shm_put(params[n].u.memref.shm);
-		kfree(params);
-	}
-
+	free_params(params, arg.num_params);
 	return rc;
 }
 
@@ -612,7 +616,6 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
 			    struct tee_ioctl_buf_data __user *ubuf)
 {
 	int rc;
-	size_t n;
 	struct tee_ioctl_buf_data buf;
 	struct tee_ioctl_invoke_arg __user *uarg;
 	struct tee_ioctl_invoke_arg arg;
@@ -657,14 +660,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
 	}
 	rc = params_to_user(uparams, arg.num_params, params);
 out:
-	if (params) {
-		/* Decrease ref count for all valid shared memory pointers */
-		for (n = 0; n < arg.num_params; n++)
-			if (tee_param_is_memref(params + n) &&
-			    params[n].u.memref.shm)
-				tee_shm_put(params[n].u.memref.shm);
-		kfree(params);
-	}
+	free_params(params, arg.num_params);
 	return rc;
 }
 
@@ -672,7 +668,6 @@ static int tee_ioctl_object_invoke(struct tee_context *ctx,
 				   struct tee_ioctl_buf_data __user *ubuf)
 {
 	int rc;
-	size_t n;
 	struct tee_ioctl_buf_data buf;
 	struct tee_ioctl_object_invoke_arg __user *uarg;
 	struct tee_ioctl_object_invoke_arg arg;
@@ -716,14 +711,7 @@ static int tee_ioctl_object_invoke(struct tee_context *ctx,
 	}
 	rc = params_to_user(uparams, arg.num_params, params);
 out:
-	if (params) {
-		/* Decrease ref count for all valid shared memory pointers */
-		for (n = 0; n < arg.num_params; n++)
-			if (tee_param_is_memref(params + n) &&
-			    params[n].u.memref.shm)
-				tee_shm_put(params[n].u.memref.shm);
-		kfree(params);
-	}
+	free_params(params, arg.num_params);
 	return rc;
 }
 
@@ -846,9 +834,15 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx,
 		return -ENOMEM;
 
 	rc = params_from_user(ctx, params, num_params, uarg->params);
-	if (rc)
-		goto out;
+	if (rc) {
+		free_params(params, num_params);
+		return rc;
+	}
 
+	/*
+	 * supp_recv() may consume and replace the supplied parameters, so the
+	 * final cleanup cannot use free_params() like the other ioctl paths.
+	 */
 	rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params);
 	if (rc)
 		goto out;

drivers/tee/tee_shm.c

@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
 	num_pages = iov_iter_npages(iter, INT_MAX);
 	if (!num_pages) {
 		ret = ERR_PTR(-ENOMEM);
-		goto err_ctx_put;
+		goto err_free_shm;
 	}
 
 	shm->pages = kzalloc_objs(*shm->pages, num_pages);

include/uapi/linux/tee.h

@@ -470,6 +470,7 @@ struct tee_ioctl_object_invoke_arg {
 	__u32 op;
 	__u32 ret;
 	__u32 num_params;
+	__u32 :32;
 	/* num_params tells the actual number of element in params */
 	struct tee_ioctl_param params[];
 };