Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope.
qcomtee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev allyheev@gmail.com --- Changes in v3: - fixed commit message and description - Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-02...
Changes in v2: - initializing variables to NULL at the declaration - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e... --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result;
--- base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
Best regards,
On Tue, Nov 11, 2025 at 01:26:42PM +0530, Ally Heev wrote:
Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope.
qcomtee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev allyheev@gmail.com
Changes in v3:
- fixed commit message and description
- Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-02...
Changes in v2:
- initializing variables to NULL at the declaration
- Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e...
drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Sumit Garg sumit.garg@oss.qualcomm.com
-Sumit
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) {
- struct qcomtee_object_invoke_ctx *oic __free(kfree);
- struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result;
base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
Best regards,
Ally Heev allyheev@gmail.com
On Wed, Nov 12, 2025 at 8:53 AM Sumit Garg sumit.garg@kernel.org wrote:
On Tue, Nov 11, 2025 at 01:26:42PM +0530, Ally Heev wrote:
Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope.
qcomtee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev allyheev@gmail.com
Changes in v3:
- fixed commit message and description
- Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-02...
Changes in v2:
- initializing variables to NULL at the declaration
- Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e...
drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Sumit Garg sumit.garg@oss.qualcomm.com
I'm picking up this.
Thanks, Jens
-Sumit
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) {
struct qcomtee_object_invoke_ctx *oic __free(kfree);
struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result;
base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
Best regards,
Ally Heev allyheev@gmail.com
op-tee@lists.trustedfirmware.org
-
Ally Heev -
Jens Wiklander -
Sumit Garg