From: Chen Ni
To: jens.wiklander@linaro.org
Cc: sumit.garg@kernel.org, ulf.hansson@linaro.org, op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, Chen Ni
Subject: [PATCH] optee: Check return value of tee_shm_get_va()
Date: Thu, 5 Mar 2026 16:33:11 +0800
Message-Id: <20260305083312.1040969-1-nichen@iscas.ac.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

The function tee_shm_get_va() can return an error pointer if the shared memory is not properly mapped or if the offset is invalid. Without this check, passing the error pointer to subsequent memory operations could lead to a kernel panic.

Add a check for IS_ERR() on the return value of tee_shm_get_va(). Fixes: f0c8431568ee ("optee: probe RPMB device using RPMB subsystem") Signed-off-by: Chen Ni --- drivers/tee/optee/rpc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index b0ed4cb49452..32f7742c094c 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -393,6 +393,11 @@ static void handle_rpc_func_rpmb_frames(struct tee_con= text *ctx, params[0].u.memref.shm_offs); p1 =3D tee_shm_get_va(params[1].u.memref.shm, params[1].u.memref.shm_offs); + if (IS_ERR(p0) || IS_ERR(p1)) { + arg->ret =3D TEEC_ERROR_BAD_PARAMETERS; + goto out; + } + if (rpmb_route_frames(rdev, p0, params[0].u.memref.size, p1, params[1].u.memref.size)) { arg->ret =3D TEEC_ERROR_BAD_PARAMETERS; --=20 2.25.1
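
Review bot: The IS_ERR() check added after the two tee_shm_get_va() calls validates only the shm_offs values; params[0].u.memref.size and params[1].u.memref.size are still passed to rpmb_route_frames() as received, and nothing in the visible lines bounds offset plus size against the shared-memory buffer. Worth confirming that an earlier step in handle_rpc_func_rpmb_frames() enforces that bound, or adding it alongside this check, so that a valid offset with an oversized length is also rejected with TEEC_ERROR_BAD_PARAMETERS. The out label is outside the hunk, so the cleanup the new goto relies on cannot be confirmed from these lines; a sentence in the commit message saying what out releases would help.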