Small TEE updates for v6.16

- Remove an unnecessary NULL check before release_firmware() in the OP-TEE driver - Prevent a size wrap in the TEE subsystem. The wrap would have been caught later in the code so no security consequences. -----BEGIN PGP SIGNATURE----- iQJOBAABCgA4FiEE0qerISgy2SKkqO79Wr/6JGat8H4FAmgdpWMaHGplbnMud2lr bGFuZGVyQGxpbmFyby5vcmcACgkQWr/6JGat8H49ERAA5G3mxeo6rWBuUgADEo4y k1PfsVmlKVCwpXts8qTyIQ+CQdsfwXF8hFZCJFg686yncOY4H3FvsAJjsJU7c68L 0LaW96Goq2WR8GHvMF7kkA/cofX0Vms2WDEw1D9qlFFNZChZ/cIcpyCei1LHh4M+ qxsAUCILbs6sGwOVf06UvNEh1UM82HV1De54uMdilxQoyqGlL4iqSxyP46VqT8zr 8dhAcBJjOlkzaSiceWUo+JQwNaKuPzGOu4KswUEF6Hi5hrRoZBmfjL0NmwsbxqAD AcmFss3OWVv9TCJuxqCjfS/yMbi+Xh9xI6Hu4/aBGD80ulfZjgGaaykFi1rbQlKW gzjcaSqIoW4Sz/1Oi2JDtoXj7nX8j4SNDw1KB6L/7EymFQ7YkfxFwOuKcCtGLQin 5iK2nQpto0yK1wCV6w51syTkPBTKvMKXqhu6QpKYUg2huplXaGcaEriTS8HxMTb1 SKAFoI4db3LiCZn1Z9Wza3e6AVgXRprUspIEVL7168JCOicolZU7tgCsQ/p+5fCp ZjoYVFyp2MmGcirTBxF9G0rN5IihCxWLtuCsjI1kUmKQpXaXVHCbd+aZ/HBQ8Ucu J77xukgz03uAX9suu1wwZ+BiOfgS91VYuk95CODQcd0i8wpNUHUgDSqr+Av86v0k SHNLaPWAxExrquradxnRJ3w= =7Y5x -----END PGP SIGNATURE----- gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEiK/NIGsWEZVxh/FrYKtH/8kJUicFAmgfF90ACgkQYKtH/8kJ UicYIhAAkMOmV8js1PGdbQuotEc33tb1+ViSp6NmYFfcgrRnyUph4clyJXvXGIj5 KUAwAkf1tAwZXJXfflyQJ02EseVD1lNWW67N99W8Ic+fzpsS7it2lN8yn8FHptGH DDo3JSzRaphq0xm9/duG0oCcYVBYCuFDouJ32pJHoFkaBI5cNuh0Yve5Z0Oua9sb yv1ADuuzS43uZHy6+FCSVPv0ydPNtEvMrPE2oabhu1HbLAxzWbg7Rr0ah7cO4fig Sx8Q/JDLwFnAM/W4G2s1BzMW8U5dfBV749+26YPqPUGlIvYCH/DJQx0ip+r5xH2+ wcelHZc/d9GZ3H5BTHxzuSvHScOQ7b9PwXD9cryGTAr+zd+02w5z/M3BiCeE5VA7 VwfssQDLiLwaYGXKjmwEZ4r+UZB9q/QaVNmOCoi+XuVlIKNLrfFmmH1CUwnISU67 db0SHVSNU9Nn3MNQB+037OMiL0KrnXfdfpd554G7pfZAHbAmc9y7i7P9/njfqjc9 QW2hIsz5IdoUBqm2Mm49S2CEfpuGq1/iAr04nCEf5gNhTqcT9AXtDfCm5x8jfLBY +06WeqGHzFH9HLBBVFyCRxKwh09LdU73Km+GW+eFwaMs0bzyL9+NMwf8aNuve1Zv DzGAVZHQUBhjba1Hzw48V1WMDq2LGtXzMuIFyFGKX2XpiYZq4jk= =sEK2 -----END PGP SIGNATURE----- Merge tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into soc/drivers Small TEE updates for v6.16 - Remove an unnecessary NULL check before release_firmware() in the OP-TEE driver - Prevent a size wrap in the TEE subsystem. The wrap would have been caught later in the code so no security consequences. * tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee: tee: Prevent size calculation wraparound on 32-bit kernels tee: optee: smc: remove unnecessary NULL check before release_firmware() Link: https://lore.kernel.org/r/20250509065114.GA4188600@rayden Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2026-06-01 02:53:36 +02:00 · 2025-05-10 11:09:43 +02:00 · 2025-05-10 11:09:43 +02:00 · 9477c3e68e
commit 9477c3e68e
parent 85751585e4 39bb67edcc
2 changed files with 7 additions and 7 deletions
--- a/drivers/tee/optee/smc_abi.c
+++ b/drivers/tee/optee/smc_abi.c
@ -1551,8 +1551,7 @@ static int optee_load_fw(struct platform_device *pdev,
 		  data_pa_high, data_pa_low, 0, 0, 0, &res);
 	if (!rc)
 		rc = res.a0;
-	if (fw)
-		release_firmware(fw);
+	release_firmware(fw);
 	kfree(data_buf);

 	if (!rc) {
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@ -10,6 +10,7 @@
 #include <linux/fs.h>
 #include <linux/idr.h>
 #include <linux/module.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/tee_core.h>
 #include <linux/uaccess.h>
@ -19,7 +20,7 @@

 #define TEE_NUM_DEVICES	32

-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
+#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x)))

 #define TEE_UUID_NS_NAME_SIZE	128

@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
 	if (copy_from_user(&arg, uarg, sizeof(arg)))
 		return -EFAULT;

-	if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+	if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
 		return -EINVAL;

 	if (arg.num_params) {
@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
 	if (copy_from_user(&arg, uarg, sizeof(arg)))
 		return -EFAULT;

-	if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+	if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
 		return -EINVAL;

 	if (arg.num_params) {
@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx,
 	if (get_user(num_params, &uarg->num_params))
 		return -EFAULT;

-	if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
+	if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len)
 		return -EINVAL;

 	params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx,
 	    get_user(num_params, &uarg->num_params))
 		return -EFAULT;

-	if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
+	if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len)
 		return -EINVAL;

 	params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);