qcomtee_object_user_init() is a variadic function, and when the function returns because there's no dispatch callback in the QCOMTEE_OBJECT_TYPE_CB case, there's no va_end to clean up the "ap" object initialized by va_start, which can cause undefined behavior. So make sure to use va_end before returning the error code when there's no dispatch callback.
This is reported by Coverity Scan as "Missing varargs init or cleanup".
Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com>
Reviewed-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
---
v1 -> v2:
- Use "break" statement instead of "goto" statement. There's va_end outside of switch-case, so we only need to go out from switch-case instead of using a label (suggested by Amirreza Zarrabi).
- Add "Reviewed-by" tag from Amirreza Zarrabi.
v1: https://lore.kernel.org/all/20260513091031.145826-1-robertusdchris@gmail.com...
I don't have the device, so I am not sure how to test this change. Thank you.
drivers/tee/qcomtee/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b1cb50e434f0..60fe3b5776e3 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object, break; case QCOMTEE_OBJECT_TYPE_CB: object->ops = ops; - if (!object->ops->dispatch) - return -EINVAL; + if (!object->ops->dispatch) { + ret = -EINVAL; + break; + }
/* If failed, "no-name". */ object->name = kvasprintf_const(GFP_KERNEL, fmt, ap);
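Review bot: replacing `return -EINVAL` with `ret = -EINVAL; break;` means the CB case now falls out of the switch into the trailing context, `object->name = kvasprintf_const(GFP_KERNEL, fmt, ap);`, so the no-dispatch error path allocates a name before the function returns. Worth confirming that whatever checks `ret` after the switch (not visible in this hunk) frees `object->name`, or that the caller releases it on failure; if neither, skipping the kvasprintf_const() call when `ret` is non-zero would keep the error path free of that allocation. Otherwise the change does what the commit message says: the only remaining exit from this case is the one past the `va_end()` outside the switch, as the v2 changelog notes.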
base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
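As an added illustration of the pattern the commit message describes, not code from the patch or from the qcomtee driver: a variadic init routine in the buggy shape, where an early return skips va_end(), beside the fixed shape, where the error is recorded in ret and a single va_end() after the switch runs on every path. The enum, struct and function names (obj_init_buggy, obj_init_fixed, run_demo), the constructed ops tables and the use of vsnprintf() in place of kvasprintf_const() are all hypothetical stand-ins chosen here; -EINVAL from errno.h plays the kernel's error code.

```c
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object types modelled on the shape of the patched function. */
enum obj_type { OBJ_TYPE_CB, OBJ_TYPE_OTHER };

struct obj_ops {
	int (*dispatch)(void);
};

struct obj {
	enum obj_type type;
	const struct obj_ops *ops;
	char name[32];
};

/* Constructed sample ops: one with a dispatch callback, one without. */
static int sample_dispatch(void) { return 0; }
static const struct obj_ops ops_with_dispatch = { .dispatch = sample_dispatch };
static const struct obj_ops ops_without_dispatch = { .dispatch = NULL };

/*
 * Buggy shape (the "before" of the fix): the early return in the CB case
 * leaves ap started but never ended, which C11 7.16.1 makes undefined.
 */
int obj_init_buggy(struct obj *o, enum obj_type type,
		   const struct obj_ops *ops, const char *fmt, ...)
{
	va_list ap;

	o->type = type;
	va_start(ap, fmt);
	switch (type) {
	case OBJ_TYPE_CB:
		o->ops = ops;
		if (!ops || !ops->dispatch)
			return -EINVAL;	/* va_end(ap) skipped: the bug */
		break;
	default:
		o->ops = NULL;
		break;
	}
	vsnprintf(o->name, sizeof(o->name), fmt, ap);
	va_end(ap);
	return 0;
}

/*
 * Fixed shape: record the error and break out of the switch, so the one
 * va_end(ap) after it is reached on success and on error alike. Skipping
 * the name formatting when ret is set is a choice made here, not part of
 * the patch.
 */
int obj_init_fixed(struct obj *o, enum obj_type type,
		   const struct obj_ops *ops, const char *fmt, ...)
{
	va_list ap;
	int ret = 0;

	o->type = type;
	o->name[0] = '\0';
	va_start(ap, fmt);
	switch (type) {
	case OBJ_TYPE_CB:
		o->ops = ops;
		if (!ops || !ops->dispatch)
			ret = -EINVAL;
		break;
	default:
		o->ops = NULL;
		break;
	}
	if (!ret)
		vsnprintf(o->name, sizeof(o->name), fmt, ap);
	va_end(ap);	/* every path ends up here */
	return ret;
}

/*
 * Drive both variants on constructed inputs; returns 0 when every
 * expectation holds, otherwise the number of the failed check. The buggy
 * variant is only exercised on its well-formed path.
 */
int run_demo(void)
{
	struct obj o;

	if (obj_init_fixed(&o, OBJ_TYPE_CB, &ops_with_dispatch, "cb-%d", 7) != 0)
		return 1;
	if (strcmp(o.name, "cb-7") != 0)
		return 2;
	if (obj_init_fixed(&o, OBJ_TYPE_CB, &ops_without_dispatch, "cb-%d", 8) != -EINVAL)
		return 3;
	if (o.name[0] != '\0')
		return 4;
	if (obj_init_buggy(&o, OBJ_TYPE_OTHER, NULL, "plain-%s", "x") != 0)
		return 5;
	if (strcmp(o.name, "plain-x") != 0)
		return 6;
	return 0;
}
```

The defensive habit the fix embodies is the single-exit one: after va_start(), no `return` until the matching va_end(), which is why the v2 changelog prefers `break` over a `goto` label. Static checkers such as Coverity flag the missing va_end() precisely because the early return is easy to miss by eye.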
Hi,
On Tue, May 19, 2026 at 4:05 AM Robertus Diawan Chris robertusdchris@gmail.com wrote:
qcomtee_object_user_init() is a variadic function, and when the function returns because there's no dispatch callback in the QCOMTEE_OBJECT_TYPE_CB case, there's no va_end to clean up the "ap" object initialized by va_start, which can cause undefined behavior. So make sure to use va_end before returning the error code when there's no dispatch callback.
This is reported by Coverity Scan as "Missing varargs init or cleanup".
Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com>
Reviewed-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
---
v1 -> v2:
- Use "break" statement instead of "goto" statement. There's va_end outside of switch-case, so we only need to go out from switch-case instead of using a label (suggested by Amirreza Zarrabi).
- Add "Reviewed-by" tag from Amirreza Zarrabi.
v1: https://lore.kernel.org/all/20260513091031.145826-1-robertusdchris@gmail.com...
I don't have the device, so I am not sure how to test this change. Thank you.
drivers/tee/qcomtee/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Looks good. I'm picking this up.
Cheers, Jens
diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b1cb50e434f0..60fe3b5776e3 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object, break; case QCOMTEE_OBJECT_TYPE_CB: object->ops = ops;
if (!object->ops->dispatch)return -EINVAL;
if (!object->ops->dispatch) {ret = -EINVAL;break;} /* If failed, "no-name". */ object->name = kvasprintf_const(GFP_KERNEL, fmt, ap);base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
op-tee@lists.trustedfirmware.org