summaryrefslogtreecommitdiff
path: root/drivers/tee
diff options
context:
space:
mode:
authorYang Yingliang <yangyingliang@huawei.com>2022-06-28 14:52:16 +0800
committerJens Wiklander <jens.wiklander@linaro.org>2022-07-08 09:56:38 +0200
commitd4fac258d971bead9a6b5c5ebe2f0e415d05d110 (patch)
treeda7b45bf53bb774259ba15bdec966bdec938af73 /drivers/tee
parentb13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3 (diff)
downloadlwn-d4fac258d971bead9a6b5c5ebe2f0e415d05d110.tar.gz
lwn-d4fac258d971bead9a6b5c5ebe2f0e415d05d110.zip
optee: smc_abi.c: fix wrong pointer passed to IS_ERR/PTR_ERR()
In optee_smc_do_call_with_arg() there is a code path when the argument struct for RPC is passed appended to the primary argument struct. When the address of the RPC struct is retrieved there's an invalid check for success. It should be 'rpc_arg' pass to IS_ERR/PTR_ERR(). Fixes: ed8faf6c8f8c ("optee: add OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> [jw: added background to the problem] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'drivers/tee')
-rw-r--r--drivers/tee/optee/smc_abi.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
index 385cb0aee610..a1c1fa1a9c28 100644
--- a/drivers/tee/optee/smc_abi.c
+++ b/drivers/tee/optee/smc_abi.c
@@ -884,8 +884,8 @@ static int optee_smc_do_call_with_arg(struct tee_context *ctx,
rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params);
rpc_arg = tee_shm_get_va(shm, offs + rpc_arg_offs);
- if (IS_ERR(arg))
- return PTR_ERR(arg);
+ if (IS_ERR(rpc_arg))
+ return PTR_ERR(rpc_arg);
}
if (rpc_arg && tee_shm_is_dynamic(shm)) {