diff options
| author | Arnd Bergmann <arnd@arndb.de> | 2025-05-10 11:09:43 +0200 |
|---|---|---|
| committer | Arnd Bergmann <arnd@arndb.de> | 2025-05-10 11:09:49 +0200 |
| commit | 9477c3e68e0ada4655939b4d49fa79377f0882f3 (patch) | |
| tree | d5118dcf168f1f017f09852d187275a54c66be4d | |
| parent | 85751585e42829666dfb7ab15155df060615cb46 (diff) | |
| parent | 39bb67edcc582b3b386a9ec983da67fa8a10ec03 (diff) | |
Merge tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into soc/drivers
Small TEE updates for v6.16
- Remove an unnecessary NULL check before release_firmware() in the
OP-TEE driver
- Prevent a size wrap in the TEE subsystem. The wrap would have been caught
later in the code so no security consequences.
* tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee:
tee: Prevent size calculation wraparound on 32-bit kernels
tee: optee: smc: remove unnecessary NULL check before release_firmware()
Link: https://lore.kernel.org/r/20250509065114.GA4188600@rayden
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
| -rw-r--r-- | drivers/tee/optee/smc_abi.c | 3 | ||||
| -rw-r--r-- | drivers/tee/tee_core.c | 11 |
2 files changed, 7 insertions, 7 deletions
diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index f0c3ac1103bb..26f8f7bbbe56 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -1551,8 +1551,7 @@ fw_load: data_pa_high, data_pa_low, 0, 0, 0, &res); if (!rc) rc = res.a0; - if (fw) - release_firmware(fw); + release_firmware(fw); kfree(data_buf); if (!rc) { diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index d113679b1e2d..acc7998758ad 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -10,6 +10,7 @@ #include <linux/fs.h> #include <linux/idr.h> #include <linux/module.h> +#include <linux/overflow.h> #include <linux/slab.h> #include <linux/tee_core.h> #include <linux/uaccess.h> @@ -19,7 +20,7 @@ #define TEE_NUM_DEVICES 32 -#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) +#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x))) #define TEE_UUID_NS_NAME_SIZE 128 @@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx, if (copy_from_user(&arg, uarg, sizeof(arg))) return -EFAULT; - if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) + if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) return -EINVAL; if (arg.num_params) { @@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx, if (copy_from_user(&arg, uarg, sizeof(arg))) return -EFAULT; - if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) + if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) return -EINVAL; if (arg.num_params) { @@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx, if (get_user(num_params, &uarg->num_params)) return -EFAULT; - if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) + if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len) return -EINVAL; params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); @@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx, get_user(num_params, &uarg->num_params)) return -EFAULT; - if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) + if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len) return -EINVAL; params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); |