From 94c2f2e1cb08073cd688bd51638920b1cc6ad166 Mon Sep 17 00:00:00 2001
From: Etienne Carriere
Date: Mon, 16 Apr 2018 09:43:27 +0200
Subject: [PATCH] tee: fix unbalanced context refcount in register shm from fd

Successful registration of a memory reference in the scope of a TEE content must increase the context refcount. This change adds this missing refcount increase. The context refcount is already decremented when such shm reference is freed by its owner, in tee_shm_release(), hence current unbalance refcount before this path is applied.

Fixes: 9f9806e01ee7 ("tee: new ioctl to a register tee_shm from a dmabuf file descriptor")
Signed-off-by: Etienne Carriere
Tested-by: Etienne Carriere (Qemu armv7/v8)
Acked-by: Jens Wiklander
---
 drivers/tee/tee_shm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index eaea8946105b77..0d920b12c03342 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -372,6 +372,8 @@ struct tee_shm *tee_shm_register_fd(struct tee_context *ctx, int fd)
 if (!tee_device_get(ctx->teedev))
 return ERR_PTR(-EINVAL);
 
+ teedev_ctx_get(ctx);
+
 ref = kzalloc(sizeof(*ref), GFP_KERNEL);
 if (!ref) {
 rc = ERR_PTR(-ENOMEM);
@@ -452,6 +454,7 @@ struct tee_shm *tee_shm_register_fd(struct tee_context *ctx, int fd)
 dma_buf_put(ref->dmabuf);
 }
 kfree(ref);
+ teedev_ctx_put(ctx);
 tee_device_put(ctx->teedev);
 return rc;
 }
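Review bot: In the second hunk the error path reads `ctx->teedev` on the line right after `teedev_ctx_put(ctx);` has dropped the context reference taken in the first hunk, so it relies on the caller still holding its own reference on ctx for the whole call; that holds for the ioctl path, but nothing in the hunk records it. The safer shape, and the one the driver's tee_release() appears to use (it saves `ctx->teedev` into a local before its put), is to take the device pointer before dropping the context: `struct tee_device *teedev = ctx->teedev;` near the top of the function and `teedev_ctx_put(ctx); tee_device_put(teedev);` here. A one-line comment at the new get in the first hunk would also make the pairing explicit for the next reader: `/* Balanced by teedev_ctx_put() in tee_shm_release(), or in the error path below. */`. tee_shm_register_fd() starts and ends outside both hunks, so whether every failure after the get reaches this single release point cannot be confirmed from here.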