[PATCH] optee: Check return value of tee_shm_get_va()

5 Mar 2026

The function tee_shm_get_va() can return an error pointer if the shared
memory is not properly mapped or if the offset is invalid. Without this
check, passing the error pointer to subsequent memory operations could
lead to a kernel panic.
Add a check for IS_ERR() on the return value of tee_shm_get_va().
Fixes: f0c8431568ee ("optee: probe RPMB device using RPMB subsystem")
Signed-off-by: Chen Ni nichen@iscas.ac.cn
---
 drivers/tee/optee/rpc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c
index b0ed4cb49452..32f7742c094c 100644
--- a/drivers/tee/optee/rpc.c
+++ b/drivers/tee/optee/rpc.c
@@ -393,6 +393,11 @@ static void handle_rpc_func_rpmb_frames(struct tee_context *ctx,
    		    params[0].u.memref.shm_offs);
    p1 = tee_shm_get_va(params[1].u.memref.shm,
    		    params[1].u.memref.shm_offs);
+	if (IS_ERR(p0) || IS_ERR(p1)) {
+		arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+		goto out;
+	}
+
    if (rpmb_route_frames(rdev, p0, params[0].u.memref.size, p1,
    		      params[1].u.memref.size)) {
    	arg->ret = TEEC_ERROR_BAD_PARAMETERS;
-- 
2.25.1


    

2026

2025

2024

2023

2022

2021

2020

[PATCH] optee: Check return value of tee_shm_get_va()