From: Robertus Diawan Chris <robertusdchris@gmail.com>
To: amirreza.zarrabi@oss.qualcomm.com, jens.wiklander@linaro.org,
sumit.garg@kernel.org
Cc: linux-arm-msm@vger.kernel.org, op-tee@lists.trustedfirmware.org,
linux-kernel@vger.kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org,
skhan@linuxfoundation.org, me@brighamcampbell.com
Subject: [PATCH] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()
Date: Wed, 13 May 2026 16:10:31 +0700 [thread overview]
Message-ID: <20260513091031.145826-1-robertusdchris@gmail.com> (raw)
qcomtee_object_user_init() is a variadic function and when the function
return because there's no dispatch callback in QCOMTEE_OBJECT_TYPE_CB
case, there's no va_end to cleanup "ap" object initialized by va_start
and that can cause undefined behavior. So make sure to use va_end before
returning the error code when there's no dispatch callback.
This is reported by Coverity Scan as "Missing varargs init or cleanup".
Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com>
---
I don't have the device, so I am not sure how to test this change.
Thank you.
drivers/tee/qcomtee/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c
index b1cb50e434f0..901a31e8201f 100644
--- a/drivers/tee/qcomtee/core.c
+++ b/drivers/tee/qcomtee/core.c
@@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object,
break;
case QCOMTEE_OBJECT_TYPE_CB:
object->ops = ops;
- if (!object->ops->dispatch)
- return -EINVAL;
+ if (!object->ops->dispatch) {
+ ret = -EINVAL;
+ goto out;
+ }
/* If failed, "no-name". */
object->name = kvasprintf_const(GFP_KERNEL, fmt, ap);
@@ -320,6 +322,8 @@ int qcomtee_object_user_init(struct qcomtee_object *object,
default:
ret = -EINVAL;
}
+
+out:
va_end(ap);
return ret;
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
2.54.0
next reply other threads:[~2026-05-13 9:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 9:10 Robertus Diawan Chris [this message]
2026-05-15 1:23 ` [PATCH] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() Amirreza Zarrabi
2026-05-15 1:23 ` Amirreza Zarrabi via OP-TEE
2026-05-15 1:31 ` Amirreza Zarrabi
2026-05-15 1:31 ` Amirreza Zarrabi via OP-TEE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513091031.145826-1-robertusdchris@gmail.com \
--to=robertusdchris@gmail.com \
--cc=amirreza.zarrabi@oss.qualcomm.com \
--cc=jens.wiklander@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@brighamcampbell.com \
--cc=op-tee@lists.trustedfirmware.org \
--cc=skhan@linuxfoundation.org \
--cc=sumit.garg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.