optee: smc_abi.c: fix wrong pointer passed to IS_ERR/PTR_ERR()

In optee_smc_do_call_with_arg() there is a code path when the argument
struct for RPC is passed appended to the primary argument struct. When
the address of the RPC struct is retrieved there's an invalid check for
success. It should be 'rpc_arg' pass to IS_ERR/PTR_ERR().

Fixes: fb2586f9a035 ("optee: add OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
[jw: added background to the problem]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
index 385cb0aee61013b53c9dc55b9cb9b44695d7a179..a1c1fa1a9c28a7374337dc571a5a28db575f2317 100644 (file)
--- a/drivers/tee/optee/smc_abi.c
+++ b/drivers/tee/optee/smc_abi.c
@@ -884,8 +884,8 @@ static int optee_smc_do_call_with_arg(struct tee_context *ctx,
 
                rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params);
                rpc_arg = tee_shm_get_va(shm, offs + rpc_arg_offs);
-               if (IS_ERR(arg))
-                       return PTR_ERR(arg);
+               if (IS_ERR(rpc_arg))
+                       return PTR_ERR(rpc_arg);
        }
 
        if  (rpc_arg && tee_shm_is_dynamic(shm)) {