drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Uninitialized pointers with `__free` attribute can cause undefined
behavior as the memory assigned randomly to the pointer is freed
automatically when the pointer goes out of scope.
qcomtee doesn't have any bugs related to this as of now, but
it is better to initialize and assign pointers with `__free`
attribute in one statement to ensure proper scope-based cleanup
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
Signed-off-by: Ally Heev <allyheev@gmail.com>
---
Changes in v3:
- fixed commit message and description
- Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-023ffba9ea0f@gmail.com
Changes in v2:
- initializing variables to NULL at the declaration
- Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e1ee8483bc5@gmail.com
---
drivers/tee/qcomtee/call.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644
--- a/drivers/tee/qcomtee/call.c
+++ b/drivers/tee/qcomtee/call.c
@@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev,
static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id,
u32 *version)
{
- struct qcomtee_object_invoke_ctx *oic __free(kfree);
+ struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL;
struct qcomtee_object *client_env, *service;
struct qcomtee_arg u[3] = { 0 };
int result;
---
base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
Best regards,
--
Ally Heev <allyheev@gmail.com>On Tue, Nov 11, 2025 at 01:26:42PM +0530, Ally Heev wrote:
> Uninitialized pointers with `__free` attribute can cause undefined
> behavior as the memory assigned randomly to the pointer is freed
> automatically when the pointer goes out of scope.
>
> qcomtee doesn't have any bugs related to this as of now, but
> it is better to initialize and assign pointers with `__free`
> attribute in one statement to ensure proper scope-based cleanup
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
> Signed-off-by: Ally Heev <allyheev@gmail.com>
> ---
> Changes in v3:
> - fixed commit message and description
> - Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-023ffba9ea0f@gmail.com
>
> Changes in v2:
> - initializing variables to NULL at the declaration
> - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e1ee8483bc5@gmail.com
> ---
> drivers/tee/qcomtee/call.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
-Sumit
>
> diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
> index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644
> --- a/drivers/tee/qcomtee/call.c
> +++ b/drivers/tee/qcomtee/call.c
> @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev,
> static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id,
> u32 *version)
> {
> - struct qcomtee_object_invoke_ctx *oic __free(kfree);
> + struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL;
> struct qcomtee_object *client_env, *service;
> struct qcomtee_arg u[3] = { 0 };
> int result;
>
> ---
> base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
> change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
>
> Best regards,
> --
> Ally Heev <allyheev@gmail.com>
>
On Wed, Nov 12, 2025 at 8:53 AM Sumit Garg <sumit.garg@kernel.org> wrote:
>
> On Tue, Nov 11, 2025 at 01:26:42PM +0530, Ally Heev wrote:
> > Uninitialized pointers with `__free` attribute can cause undefined
> > behavior as the memory assigned randomly to the pointer is freed
> > automatically when the pointer goes out of scope.
> >
> > qcomtee doesn't have any bugs related to this as of now, but
> > it is better to initialize and assign pointers with `__free`
> > attribute in one statement to ensure proper scope-based cleanup
> >
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
> > Signed-off-by: Ally Heev <allyheev@gmail.com>
> > ---
> > Changes in v3:
> > - fixed commit message and description
> > - Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-023ffba9ea0f@gmail.com
> >
> > Changes in v2:
> > - initializing variables to NULL at the declaration
> > - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2e1ee8483bc5@gmail.com
> > ---
> > drivers/tee/qcomtee/call.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
I'm picking up this.
Thanks,
Jens
>
> -Sumit
>
> >
> > diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
> > index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644
> > --- a/drivers/tee/qcomtee/call.c
> > +++ b/drivers/tee/qcomtee/call.c
> > @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev,
> > static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id,
> > u32 *version)
> > {
> > - struct qcomtee_object_invoke_ctx *oic __free(kfree);
> > + struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL;
> > struct qcomtee_object *client_env, *service;
> > struct qcomtee_arg u[3] = { 0 };
> > int result;
> >
> > ---
> > base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
> > change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
> >
> > Best regards,
> > --
> > Ally Heev <allyheev@gmail.com>
> >
© 2016 - 2026 Red Hat, Inc.