On Fri, May 02, 2025 at 11:59:21AM +0200, Jens Wiklander wrote:
> Break out the memref handling into a separate helper function.
> No change in behavior.
>
> Signed-off-by: Jens Wiklander <jens.wiklan...@linaro.org>
> ---
> drivers/tee/tee_core.c | 94 ++++++++++++++++++++++++------------------
> 1 file changed, 54 insertions(+), 40 deletions(-)
Reviewed-by: Sumit Garg <sumit.g...@oss.qualcomm.com>
-Sumit
>
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index 685afcaa3ea1..820e394b9054 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -353,6 +353,55 @@ tee_ioctl_shm_register(struct tee_context *ctx,
> return ret;
> }
>
> +static int param_from_user_memref(struct tee_context *ctx,
> + struct tee_param_memref *memref,
> + struct tee_ioctl_param *ip)
> +{
> + struct tee_shm *shm;
> +
> + /*
> + * If a NULL pointer is passed to a TA in the TEE,
> + * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL
> + * indicating a NULL memory reference.
> + */
> + if (ip->c != TEE_MEMREF_NULL) {
> + /*
> + * If we fail to get a pointer to a shared
> + * memory object (and increase the ref count)
> + * from an identifier we return an error. All
> + * pointers that has been added in params have
> + * an increased ref count. It's the callers
> + * responibility to do tee_shm_put() on all
> + * resolved pointers.
> + */
> + shm = tee_shm_get_from_id(ctx, ip->c);
> + if (IS_ERR(shm))
> + return PTR_ERR(shm);
> +
> + /*
> + * Ensure offset + size does not overflow
> + * offset and does not overflow the size of
> + * the referred shared memory object.
> + */
> + if ((ip->a + ip->b) < ip->a ||
> + (ip->a + ip->b) > shm->size) {
> + tee_shm_put(shm);
> + return -EINVAL;
> + }
> + } else if (ctx->cap_memref_null) {
> + /* Pass NULL pointer to OP-TEE */
> + shm = NULL;
> + } else {
> + return -EINVAL;
> + }
> +
> + memref->shm_offs = ip->a;
> + memref->size = ip->b;
> + memref->shm = shm;
> +
> + return 0;
> +}
> +
> static int params_from_user(struct tee_context *ctx, struct tee_param
> *params,
> size_t num_params,
> struct tee_ioctl_param __user *uparams)
> @@ -360,8 +409,8 @@ static int params_from_user(struct tee_context *ctx,
> struct tee_param *params,
> size_t n;
>
> for (n = 0; n < num_params; n++) {
> - struct tee_shm *shm;
> struct tee_ioctl_param ip;
> + int rc;
>
> if (copy_from_user(&ip, uparams + n, sizeof(ip)))
> return -EFAULT;
> @@ -384,45 +433,10 @@ static int params_from_user(struct tee_context *ctx,
> struct tee_param *params,
> case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
> case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
> case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
> - /*
> - * If a NULL pointer is passed to a TA in the TEE,
> - * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL
> - * indicating a NULL memory reference.
> - */
> - if (ip.c != TEE_MEMREF_NULL) {
> - /*
> - * If we fail to get a pointer to a shared
> - * memory object (and increase the ref count)
> - * from an identifier we return an error. All
> - * pointers that has been added in params have
> - * an increased ref count. It's the callers
> - * responibility to do tee_shm_put() on all
> - * resolved pointers.
> - */
> - shm = tee_shm_get_from_id(ctx, ip.c);
> - if (IS_ERR(shm))
> - return PTR_ERR(shm);
> -
> - /*
> - * Ensure offset + size does not overflow
> - * offset and does not overflow the size of
> - * the referred shared memory object.
> - */
> - if ((ip.a + ip.b) < ip.a ||
> - (ip.a + ip.b) > shm->size) {
> - tee_shm_put(shm);
> - return -EINVAL;
> - }
> - } else if (ctx->cap_memref_null) {
> - /* Pass NULL pointer to OP-TEE */
> - shm = NULL;
> - } else {
> - return -EINVAL;
> - }
> -
> - params[n].u.memref.shm_offs = ip.a;
> - params[n].u.memref.size = ip.b;
> - params[n].u.memref.shm = shm;
> + rc = param_from_user_memref(ctx, ¶ms[n].u.memref,
> + &ip);
> + if (rc)
> + return rc;
> break;
> default:
> /* Unknown attribute */
> --
> 2.43.0
>
