
Commit b83685b

Dan Carpenterjenswi-linaro
authored andcommitted
tee: amdtee: fix memory leak in amdtee_open_session()
On these error paths the "sess" variable isn't freed. It's a refcounted pointer so we need to call kref_put(). I re-arranged the code a bit so the error case is always handled before the success case and the error paths are indented two tabs. Fixes: 757cc3e ("tee: add AMD-TEE driver") Reviewed-by: Rijo Thomas <[email protected]> Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
1 parent 11a48a5 commit b83685b


1 file changed

+24
-24
lines changed


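--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -212,6 +212,19 @@ static int copy_ta_binary(struct tee_context *ctx, void *ptr, void **ta,
 return rc;
 }
 
+static void destroy_session(struct kref *ref)
+{
+struct amdtee_session *sess = container_of(ref, struct amdtee_session,
+refcount);
+
+/* Unload the TA from TEE */
+handle_unload_ta(sess->ta_handle);
+mutex_lock(&session_list_mutex);
+list_del(&sess->list_node);
+mutex_unlock(&session_list_mutex);
+kfree(sess);
+}
+
 int amdtee_open_session(struct tee_context *ctx,
 struct tee_ioctl_open_session_arg *arg,
 struct tee_param *param)
@@ -236,15 +249,13 @@ int amdtee_open_session(struct tee_context *ctx,
 
 /* Load the TA binary into TEE environment */
 handle_load_ta(ta, ta_size, arg);
-if (arg->ret == TEEC_SUCCESS) {
-mutex_lock(&session_list_mutex);
-sess = alloc_session(ctxdata, arg->session);
-mutex_unlock(&session_list_mutex);
-}
-
 if (arg->ret != TEEC_SUCCESS)
 goto out;
 
+mutex_lock(&session_list_mutex);
+sess = alloc_session(ctxdata, arg->session);
+mutex_unlock(&session_list_mutex);
+
 if (!sess) {
 rc = -ENOMEM;
 goto out;
@@ -259,40 +270,29 @@ int amdtee_open_session(struct tee_context *ctx,
 
 if (i >= TEE_NUM_SESSIONS) {
 pr_err("reached maximum session count %d\n", TEE_NUM_SESSIONS);
+kref_put(&sess->refcount, destroy_session);
 rc = -ENOMEM;
 goto out;
 }
 
 /* Open session with loaded TA */
 handle_open_session(arg, &session_info, param);
-
-if (arg->ret == TEEC_SUCCESS) {
-sess->session_info[i] = session_info;
-set_session_id(sess->ta_handle, i, &arg->session);
-} else {
+if (arg->ret != TEEC_SUCCESS) {
 pr_err("open_session failed %d\n", arg->ret);
 spin_lock(&sess->lock);
 clear_bit(i, sess->sess_mask);
 spin_unlock(&sess->lock);
+kref_put(&sess->refcount, destroy_session);
+goto out;
 }
+
+sess->session_info[i] = session_info;
+set_session_id(sess->ta_handle, i, &arg->session);
 out:
 free_pages((u64)ta, get_order(ta_size));
 return rc;
 }
 
-static void destroy_session(struct kref *ref)
-{
-struct amdtee_session *sess = container_of(ref, struct amdtee_session,
-refcount);
-
-/* Unload the TA from TEE */
-handle_unload_ta(sess->ta_handle);
-mutex_lock(&session_list_mutex);
-list_del(&sess->list_node);
-mutex_unlock(&session_list_mutex);
-kfree(sess);
-}
-
 int amdtee_close_session(struct tee_context *ctx, u32 session)
 {
 struct amdtee_context_data *ctxdata = ctx->data;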
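Review bot: The two added `kref_put(&sess->refcount, destroy_session);` calls in amdtee_open_session() drop the reference without holding `session_list_mutex`, while destroy_session() only takes that mutex later, around `list_del()`. alloc_session() is not visible on this page, but it is called under the same mutex; if it can return an already-listed session after taking a reference, a concurrent open could pick up a session whose count has just reached zero and is about to be freed by `kfree(sess)`. Making the final put and the list removal one critical section would close that window, for example `kref_put_mutex(&sess->refcount, destroy_session, &session_list_mutex);` with destroy_session() no longer calling `mutex_lock()` itself and releasing the mutex after `list_del()`. Parts of amdtee_open_session() lie between the hunks, so the locking there should be confirmed before changing this.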
