- OP-TEE - lists.trustedfirmware.org

by Jens Wiklander

Hello arm-soc maintainers, Please pull these small fixes for the TEE QTEE driver introduced in v6.18 merge window. Thanks, Jens The following changes since commit dcc7a571a3665a16581b5b18ca6b113f60a9a41a: Documentation: tee: Add Qualcomm TEE driver (2025-09-15 17:34:06 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-qcomtee-fixes-for-v6.18 for you to fetch changes up to 3b63efa21bc6acc1a0fadd1dd0f0e1988a4c0177: tee: QCOMTEE should depend on ARCH_QCOM (2025-10-02 08:31:10 +0200) ---------------------------------------------------------------- TEE QTEE fixes for v6.18 - Adds ARCH_QCOM dependency for the QTEE driver - Fixing return values for copy_from_user() failures - Guarding against potential off by one read ---------------------------------------------------------------- Dan Carpenter (2): tee: qcom: prevent potential off by one read tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails Geert Uytterhoeven (1): tee: QCOMTEE should depend on ARCH_QCOM drivers/tee/qcomtee/Kconfig | 1 + drivers/tee/qcomtee/call.c | 2 +- drivers/tee/qcomtee/core.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-)

3 weeks, 3 days

1
0
0 0

[PATCH] tee: qcom: depend on ARCH_QCOM

by Peter Robinson

Add a dependency on ARCH_QCOM, and compile test, as the driver depnds on QCom specific Trusted Applications (TAs) and it's only, currently at least, supported on QCom hardware. Fixes: d6e290837e50f ("tee: add Qualcomm TEE driver") Signed-off-by: Peter Robinson <pbrobinson(a)gmail.com> --- drivers/tee/qcomtee/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/qcomtee/Kconfig b/drivers/tee/qcomtee/Kconfig index 927686abceb15..9f19dee08db49 100644 --- a/drivers/tee/qcomtee/Kconfig +++ b/drivers/tee/qcomtee/Kconfig @@ -2,6 +2,7 @@ # Qualcomm Trusted Execution Environment Configuration config QCOMTEE tristate "Qualcomm TEE Support" + depends on ARCH_QCOM || COMPILE_TEST depends on !CPU_BIG_ENDIAN select QCOM_SCM select QCOM_TZMEM_MODE_SHMBRIDGE -- 2.51.0

3 weeks, 3 days

2
2
0 0

[PATCH] tee: QCOMTEE should depend on ARCH_QCOM

by Geert Uytterhoeven

The Qualcomm Trusted Execution Environment (QTEE) is only available on Qualcomm SoCs. Hence add a dependency on ARCH_QCOM, to prevent asking the user about this driver when configuring a kernel without Qualcomm platform support. Fixes: d6e290837e50f73f ("tee: add Qualcomm TEE driver") Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> --- drivers/tee/qcomtee/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/qcomtee/Kconfig b/drivers/tee/qcomtee/Kconfig index 927686abceb1536e..9f19dee08db491c3 100644 --- a/drivers/tee/qcomtee/Kconfig +++ b/drivers/tee/qcomtee/Kconfig @@ -2,6 +2,7 @@ # Qualcomm Trusted Execution Environment Configuration config QCOMTEE tristate "Qualcomm TEE Support" + depends on ARCH_QCOM || COMPILE_TEST depends on !CPU_BIG_ENDIAN select QCOM_SCM select QCOM_TZMEM_MODE_SHMBRIDGE -- 2.43.0

3 weeks, 4 days

3
2
0 0

[PATCH] MAINTAINERS: Mark the OP-TEE mailing list moderated

by Geert Uytterhoeven

After sending a patch to op-tee(a)lists.trustedfirmware.org, I got the typical response for a moderated list: Your mail to 'op-tee(a)lists.trustedfirmware.org' with the subject [...] Is being held until the list moderator can review it for approval. The message is being held because: The message is not from a list member Either the message will get posted to the list, or you will receive notification of the moderator's decision. Mark this mailing list moderated in MAINTAINERS. Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> --- MAINTAINERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index fc755a50fb150498..5aa2e501231f2aa6 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19115,14 +19115,14 @@ F: drivers/net/phy/ncn* OP-TEE DRIVER M: Jens Wiklander <jens.wiklander(a)linaro.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-bus-optee-devices F: drivers/tee/optee/ OP-TEE RANDOM NUMBER GENERATOR (RNG) DRIVER M: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: drivers/char/hw_random/optee-rng.c @@ -25116,7 +25116,7 @@ F: include/media/i2c/tw9910.h TEE SUBSYSTEM M: Jens Wiklander <jens.wiklander(a)linaro.org> R: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-class-tee F: Documentation/driver-api/tee.rst -- 2.43.0

3 weeks, 5 days

2
1
0 0

[PATCH next] tee: qcom: prevent potential off by one read

by Dan Carpenter

Re-order these checks to check if "i" is a valid array index before using it. This prevents a potential off by one read access. Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index cc17a48d0ab7..ac134452cc9c 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params, } /* Release any IO and OO objects not processed. */ - for (; u[i].type && i < num_params; i++) { + for (; i < num_params && u[i].type; i++) { if (u[i].type == QCOMTEE_ARG_TYPE_OO || u[i].type == QCOMTEE_ARG_TYPE_IO) qcomtee_object_put(u[i].o); -- 2.51.0

1 month

4
9
0 0

[GIT PULL] TEE fix2 for v6.17

by Jens Wiklander

Hello arm-soc maintainers, Please pull this fix in the TEE subsystem. Thanks, Jens The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585: Linux 6.17-rc1 (2025-08-10 19:41:16 +0300) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-shm-register-fix-for-v6.17 for you to fetch changes up to d5cf5b37064b1699d946e8b7ab4ac7d7d101814c: tee: fix register_shm_helper() (2025-09-22 08:47:00 +0200) ---------------------------------------------------------------- TEE fix2 for v6.17 Fixing incorrect error handling for a call to iov_iter_extract_pages(). ---------------------------------------------------------------- Jens Wiklander (1): tee: fix register_shm_helper() drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+)

1 month

1
0
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

1 month

2
2
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting September 23

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - Pull request for the Secure Data Path patchset [1], accepted by arm-soc [2] - Pull request for the QCOMTEE driver patchset [3] has not been accepted yet. It also has a few error reports or patches pending since it was included in Linux-next Are there any other topics? Cheers, Jens [1] https://lore.kernel.org/op-tee/20250912101752.GA1453408@rayden/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git/commit/?id=8204… [3] https://lore.kernel.org/op-tee/20250915174957.GA2040478@rayden/

1 month

1
0
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

1 month

3
3
0 0

[PATCH] tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails

by Dan Carpenter

If copy_from_user() fails, the correct error code is -EFAULT, not -EINVAL. Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index 783acc59cfa9..b6715ada7700 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -424,7 +424,7 @@ static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) memcpy(msgptr, u[i].b.addr, u[i].b.size); else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) - return -EINVAL; + return -EFAULT; offset += qcomtee_msg_offset_align(u[i].b.size); ib++; -- 2.51.0

1 month, 1 week

3
2
0 0

2025

2024

2023

2022

2021

2020

OP-TEE