The `stm32_bsec_optee_ta_open()` function initializes a `struct tee_context *ctx` through a pointer-to-pointer. However, its counterpart `stm32_bsec_optee_ta_close()` expects the context pointer directly - not its address.
Passing `&ctx` (i.e., a `struct tee_context **`) caused incorrect access, leading to stack corruption. This was detected by the refcounter infrastructure. Fix this by passing `ctx` directly to `stm32_bsec_optee_ta_close()`. This bug affected both STM32MP1 and STM32MP13 board implementations. Signed-off-by: Oleksij Rempel <o.rem...@pengutronix.de> --- arch/arm/boards/protonic-stm32mp1/board.c | 4 ++-- arch/arm/boards/protonic-stm32mp13/board.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm/boards/protonic-stm32mp1/board.c b/arch/arm/boards/protonic-stm32mp1/board.c index 86cda1676b48..4c8ad9e53388 100644 --- a/arch/arm/boards/protonic-stm32mp1/board.c +++ b/arch/arm/boards/protonic-stm32mp1/board.c @@ -121,12 +121,12 @@ static int prt_stm32_read_serial(struct device *dev) serial[PRT_STM32_SERIAL_LEN] = 0; - stm32_bsec_optee_ta_close(&ctx); + stm32_bsec_optee_ta_close(ctx); return prt_stm32_set_serial(dev, serial); exit_pta_read: - stm32_bsec_optee_ta_close(&ctx); + stm32_bsec_optee_ta_close(ctx); dev_err(dev, "Failed to read serial: %pe\n", ERR_PTR(ret)); return ret; } diff --git a/arch/arm/boards/protonic-stm32mp13/board.c b/arch/arm/boards/protonic-stm32mp13/board.c index d48a6dbf8e44..4268db2b384c 100644 --- a/arch/arm/boards/protonic-stm32mp13/board.c +++ b/arch/arm/boards/protonic-stm32mp13/board.c @@ -104,12 +104,12 @@ static int prt_stm32_read_serial(struct device *dev) serial[PRT_STM32_SERIAL_LEN] = 0; - stm32_bsec_optee_ta_close(&ctx); + stm32_bsec_optee_ta_close(ctx); return prt_stm32_set_serial(dev, serial); exit_pta_read: - stm32_bsec_optee_ta_close(&ctx); + stm32_bsec_optee_ta_close(ctx); dev_err(dev, "Failed to read serial: %pe\n", ERR_PTR(ret)); return ret; } -- 2.39.5
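Review bot: In the arch/arm/boards/protonic-stm32mp1/board.c hunk, both `stm32_bsec_optee_ta_close(&ctx)` calls built without a diagnostic before this fix, and the commit message says the mistake only surfaced at runtime through the refcounter checks. If the close helper's parameter is declared as `void *`, typing it as `struct tee_context *` would let the compiler reject a `struct tee_context **` argument. It is worth checking the prototype and tightening it in a follow-up so this class of mix-up fails at build time.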
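Review bot: `prt_stm32_read_serial()` in the arch/arm/boards/protonic-stm32mp13/board.c hunk matches the stm32mp1 copy line for line around the two close calls, which is why the same bug needed fixing in two files. Consider moving the read-serial sequence into one shared helper so the context open/close handling lives in a single place. The commit message also carries no Fixes: tag naming the commit that introduced the `&ctx` calls, which would help anyone backporting this.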