xen/arm: optee: fix possible memory leaks

translate_noncontig() allocates domheap page for translated list
before calling to allocate_optee_shm_buf(), which can fail for number
of reason. Anyways, after fail we need to free the allocated page(s).

Another leak is possible if the same translate_noncontig() function
fails to get domain page. In this case it should free allocated
optee_shm_buf prior exit. This will also free allocated domheap page.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>

diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index 6df0d44eb9172b31d637db9c6c94adc02d55737f..131d2f9a8a15f17812dfc33b89d7761d31076f85 100644 (file)
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -781,7 +781,10 @@ static int translate_noncontig(struct optee_domain *ctx,
     optee_shm_buf = allocate_optee_shm_buf(ctx, param->u.tmem.shm_ref,
                                            pg_count, xen_pgs, order);
     if ( IS_ERR(optee_shm_buf) )
+    {
+        free_domheap_pages(xen_pgs, order);
         return PTR_ERR(optee_shm_buf);
+    }
 
     gfn = gaddr_to_gfn(param->u.tmem.buf_ptr &
                        ~(OPTEE_MSG_NONCONTIG_PAGE_SIZE - 1));
@@ -807,7 +810,7 @@ static int translate_noncontig(struct optee_domain *ctx,
         {
             guest_pg = get_domain_ram_page(gfn);
             if ( !guest_pg )
-                return -EINVAL;
+                goto free_shm_buf;
 
             guest_data = __map_domain_page(guest_pg);
             xen_data = __map_domain_page(xen_pgs);
@@ -854,6 +857,7 @@ err_unmap:
     unmap_domain_page(guest_data);
     unmap_domain_page(xen_data);
     put_page(guest_pg);
+free_shm_buf:
     free_optee_shm_buf(ctx, optee_shm_buf->cookie);
 
     return -EINVAL;