From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Thu, 18 Sep 2025 09:50:26 +0000 (+0300)
Subject: tee: qcom: prevent potential off by one read
X-Git-Tag: v6.18-rc3~24^2~5^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b14bb2e7821bdd133afeb5e623fd6c5a2273ecf6;p=thirdparty%2Fkernel%2Flinux.git

tee: qcom: prevent potential off by one read

Re-order these checks to check if "i" is a valid array index before using
it.  This prevents a potential off by one read access.

Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
---

diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
index cc17a48d0ab74..ac134452cc9cf 100644
--- a/drivers/tee/qcomtee/call.c
+++ b/drivers/tee/qcomtee/call.c
@@ -308,7 +308,7 @@ out_failed:
 	}
 
 	/* Release any IO and OO objects not processed. */
-	for (; u[i].type && i < num_params; i++) {
+	for (; i < num_params && u[i].type; i++) {
 		if (u[i].type == QCOMTEE_ARG_TYPE_OO ||
 		    u[i].type == QCOMTEE_ARG_TYPE_IO)
 			qcomtee_object_put(u[i].o);