- OP-TEE - lists.trustedfirmware.org

by Peter Robinson

Add a dependency on ARCH_QCOM, and compile test, as the driver depnds on QCom specific Trusted Applications (TAs) and it's only, currently at least, supported on QCom hardware. Fixes: d6e290837e50f ("tee: add Qualcomm TEE driver") Signed-off-by: Peter Robinson <pbrobinson(a)gmail.com> --- drivers/tee/qcomtee/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/qcomtee/Kconfig b/drivers/tee/qcomtee/Kconfig index 927686abceb15..9f19dee08db49 100644 --- a/drivers/tee/qcomtee/Kconfig +++ b/drivers/tee/qcomtee/Kconfig @@ -2,6 +2,7 @@ # Qualcomm Trusted Execution Environment Configuration config QCOMTEE tristate "Qualcomm TEE Support" + depends on ARCH_QCOM || COMPILE_TEST depends on !CPU_BIG_ENDIAN select QCOM_SCM select QCOM_TZMEM_MODE_SHMBRIDGE -- 2.51.0

2 months, 1 week

2
2
0 0

[PATCH] tee: QCOMTEE should depend on ARCH_QCOM

by Geert Uytterhoeven

The Qualcomm Trusted Execution Environment (QTEE) is only available on Qualcomm SoCs. Hence add a dependency on ARCH_QCOM, to prevent asking the user about this driver when configuring a kernel without Qualcomm platform support. Fixes: d6e290837e50f73f ("tee: add Qualcomm TEE driver") Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> --- drivers/tee/qcomtee/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/qcomtee/Kconfig b/drivers/tee/qcomtee/Kconfig index 927686abceb1536e..9f19dee08db491c3 100644 --- a/drivers/tee/qcomtee/Kconfig +++ b/drivers/tee/qcomtee/Kconfig @@ -2,6 +2,7 @@ # Qualcomm Trusted Execution Environment Configuration config QCOMTEE tristate "Qualcomm TEE Support" + depends on ARCH_QCOM || COMPILE_TEST depends on !CPU_BIG_ENDIAN select QCOM_SCM select QCOM_TZMEM_MODE_SHMBRIDGE -- 2.43.0

2 months, 1 week

3
2
0 0

[PATCH] MAINTAINERS: Mark the OP-TEE mailing list moderated

by Geert Uytterhoeven

After sending a patch to op-tee(a)lists.trustedfirmware.org, I got the typical response for a moderated list: Your mail to 'op-tee(a)lists.trustedfirmware.org' with the subject [...] Is being held until the list moderator can review it for approval. The message is being held because: The message is not from a list member Either the message will get posted to the list, or you will receive notification of the moderator's decision. Mark this mailing list moderated in MAINTAINERS. Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> --- MAINTAINERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index fc755a50fb150498..5aa2e501231f2aa6 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19115,14 +19115,14 @@ F: drivers/net/phy/ncn* OP-TEE DRIVER M: Jens Wiklander <jens.wiklander(a)linaro.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-bus-optee-devices F: drivers/tee/optee/ OP-TEE RANDOM NUMBER GENERATOR (RNG) DRIVER M: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: drivers/char/hw_random/optee-rng.c @@ -25116,7 +25116,7 @@ F: include/media/i2c/tw9910.h TEE SUBSYSTEM M: Jens Wiklander <jens.wiklander(a)linaro.org> R: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-class-tee F: Documentation/driver-api/tee.rst -- 2.43.0

2 months, 1 week

2
1
0 0

[PATCH next] tee: qcom: prevent potential off by one read

by Dan Carpenter

Re-order these checks to check if "i" is a valid array index before using it. This prevents a potential off by one read access. Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index cc17a48d0ab7..ac134452cc9c 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params, } /* Release any IO and OO objects not processed. */ - for (; u[i].type && i < num_params; i++) { + for (; i < num_params && u[i].type; i++) { if (u[i].type == QCOMTEE_ARG_TYPE_OO || u[i].type == QCOMTEE_ARG_TYPE_IO) qcomtee_object_put(u[i].o); -- 2.51.0

2 months, 2 weeks

4
9
0 0

[GIT PULL] TEE fix2 for v6.17

by Jens Wiklander

Hello arm-soc maintainers, Please pull this fix in the TEE subsystem. Thanks, Jens The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585: Linux 6.17-rc1 (2025-08-10 19:41:16 +0300) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-shm-register-fix-for-v6.17 for you to fetch changes up to d5cf5b37064b1699d946e8b7ab4ac7d7d101814c: tee: fix register_shm_helper() (2025-09-22 08:47:00 +0200) ---------------------------------------------------------------- TEE fix2 for v6.17 Fixing incorrect error handling for a call to iov_iter_extract_pages(). ---------------------------------------------------------------- Jens Wiklander (1): tee: fix register_shm_helper() drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+)

2 months, 2 weeks

1
0
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

2 months, 2 weeks

2
2
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting September 23

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - Pull request for the Secure Data Path patchset [1], accepted by arm-soc [2] - Pull request for the QCOMTEE driver patchset [3] has not been accepted yet. It also has a few error reports or patches pending since it was included in Linux-next Are there any other topics? Cheers, Jens [1] https://lore.kernel.org/op-tee/20250912101752.GA1453408@rayden/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git/commit/?id=8204… [3] https://lore.kernel.org/op-tee/20250915174957.GA2040478@rayden/

2 months, 3 weeks

1
0
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

2 months, 3 weeks

3
3
0 0

[PATCH] tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails

by Dan Carpenter

If copy_from_user() fails, the correct error code is -EFAULT, not -EINVAL. Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index 783acc59cfa9..b6715ada7700 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -424,7 +424,7 @@ static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) memcpy(msgptr, u[i].b.addr, u[i].b.size); else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) - return -EINVAL; + return -EFAULT; offset += qcomtee_msg_offset_align(u[i].b.size); ib++; -- 2.51.0

2 months, 3 weeks

3
2
0 0

[BUG] tee_shm: NULL pointer dereference in unpin_user_pages() on invalid shm pages

by Masami Ichikawa

Hi. While doing my fuzzing work, I found the following kernel crash by NULL pointer dereference in Linux 6.17-rc5. [ 16.143987] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [ 16.144141] Mem abort info: [ 16.144215] ESR = 0x0000000096000004 [ 16.144246] EC = 0x25 ** replaying previous printk message ** [ 16.144246] EC = 0x25: DABT (current EL), IL = 32 bits [ 16.144271] SET = 0, FnV = 0 [ 16.144289] EA = 0, S1PTW = 0 [ 16.144308] FSC = 0x04: level 0 translation fault [ 16.144325] Data abort info: [ 16.144335] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 16.144346] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 16.144358] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 16.144412] user pgtable: 4k pages, 52-bit VAs, pgdp=0000000048b34b00 [ 16.144432] [0000000000000008] pgd=0800000040bb3403, p4d=0000000000000000 [ 16.144876] Internal error: Oops: 0000000096000004 [#1] SMP [ 16.146429] Modules linked in: [ 16.146775] CPU: 0 UID: 0 PID: 148 Comm: xtest Not tainted 6.17.0-rc5 #58 PREEMPT [ 16.146995] Hardware name: linux,dummy-virt (DT) [ 16.147181] pstate: 21402005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 16.147330] pc : unpin_user_pages+0x78/0xd0 [ 16.147763] lr : unpin_user_pages+0xa0/0xd0 [ 16.147842] sp : ffff800084403d20 [ 16.147912] x29: ffff800084403d20 x28: fff00000054aa300 x27: 0000000000000000 [ 16.148089] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 [ 16.148235] x23: fff00000004fb5a8 x22: 0000000000000001 x21: 000000000000000d [ 16.148401] x20: fff0000000b2f9c0 x19: 0000000000000011 x18: 0000000000000001 [ 16.148544] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 16.148659] x14: 0000000000000002 x13: 0000000000000002 x12: 0000000000037d0f [ 16.148786] x11: fff0000001dad708 x10: 000000000000003f x9 : 0000000000000d1b [ 16.148925] x8 : 00000000000007e0 x7 : 0000000000000001 x6 : 000000000000000d [ 16.149039] x5 : ffffffffffffffff x4 : ffffffffffffffff x3 : 000000000000000e [ 16.149167] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffc1ffc0fd68c0 [ 16.149351] Call trace: [ 16.149520] unpin_user_pages+0x78/0xd0 (P) [ 16.149684] tee_shm_put+0x134/0x184 [ 16.149783] tee_shm_fop_release+0x14/0x24 [ 16.149866] __fput+0xcc/0x2dc [ 16.149925] fput_close_sync+0x40/0x108 [ 16.149991] __arm64_sys_close+0x38/0x7c [ 16.150058] invoke_syscall+0x48/0x110 [ 16.150127] el0_svc_common.constprop.0+0x40/0xe8 [ 16.150227] do_el0_svc+0x20/0x2c [ 16.150303] el0_svc+0x34/0xf0 [ 16.150369] el0t_64_sync_handler+0xa0/0xe4 [ 16.150439] el0t_64_sync+0x198/0x19c [ 16.150629] Code: aa0203e3 eb02027f 54000109 f8627a82 (f9400444) [ 16.150940] ---[ end trace 0000000000000000 ]--- [ 16.151230] Kernel panic - not syncing: Oops: Fatal exception [ 16.151466] SMP: stopping secondary CPUs [ 16.151838] Kernel Offset: disabled [ 16.151911] CPU features: 0x000000,0000d180,2bbe33e1,957e7f3f [ 16.152019] Memory Limit: none [ 16.152284] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]--- decode_stacktrace.sh shows the following call sequence. [ 20.554057] unpin_user_pages (./include/linux/page-flags.h:284 mm/gup.c:259 mm/gup.c:420 mm/gup.c:400) (P) [ 20.554204] tee_shm_put (drivers/tee/tee_shm.c:42 drivers/tee/tee_shm.c:57 drivers/tee/tee_shm.c:587) [ 20.554291] tee_shm_fop_release (drivers/tee/tee_shm.c:437) [ 20.554366] __fput (fs/file_table.c:469) [ 20.554429] fput_close_sync (fs/file_table.c:574) [ 20.554496] __arm64_sys_close (fs/open.c:1590 fs/open.c:1572 fs/open.c:1572) [ 20.554565] invoke_syscall (./arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:54) [ 20.554639] el0_svc_common.constprop.0 (./include/linux/thread_info.h:135 arch/arm64/kernel/syscall.c:140) [ 20.554719] do_el0_svc (arch/arm64/kernel/syscall.c:152) [ 20.554782] el0_svc (./arch/arm64/include/asm/irqflags.h:55 ./arch/arm64/include/asm/irqflags.h:76 arch/arm64/kernel/entry-common.c:169 arch/arm64/kernel/entry-common.c:182 arch/arm64/kernel/entry-common.c:880) [ 20.554842] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:899) [ 20.554914] el0t_64_sync (arch/arm64/kernel/entry.S:596) I set up a test environment using qemu_v8.xml in the OP-TEE/manifest repository. ## Test case This test is based on xtest_tee_test_1004 included in xtest in the optee_test repository. For fuzzing, the following data is created using xtest_crypto_test(). It creates parameters like this. op.params[0].tmpref.buffer = crypt_in; // crypt_in = malloc(sizeof(uint8_t) * 0xff); op.params[0].tmpref.size = input_len; // 0xffff op.params[1].tmpref.buffer = crypt_out; // crypt_out = malloc(sizeof(uint8_t) * 0xff); op.params[1].tmpref.size = input_len; // 0xffff When TEEC_InvokeCommand() in libteec was called with above parameters, it printed folloing errorr then, linux kernel was crashed. ERR [152] LT:TEEC_InvokeCommand:730: TEE_IOC_INVOKE failed ## Crash scenario 1. modified version of xtest_crypto_test() creates parameters. 2. xtest_crypto_test() calls TEEC_InvokeCommand() in the libteec. 3. TEEC_InvokeCommand calls ioctl(2). 4. tee_ioctl_invoke() in the tee_core.c is called by ioctl(2). 5. tee_ioctl_invoke() calles params_from_user(). 6. In the params_from_user(), it returned -EINVAL because of following if condition was true. if ((ip.a + ip.b) < ip.a || (ip.a + ip.b) > shm->size) { tee_shm_put(shm); return -EINVAL; } 7. tee_ioctl_invoke() recive an error from params_from_user() so that it run clean up process(in the out label). 8. tee_ioctl_invoke() returns -EINVAL. 9. TEEC_InvokeCommand() prints an error log then calls teec_free_temp_refs() in libteec. 10. teec_free_temp_refs() calls TEEC_ReleaseSharedMemory(). 11. TEEC_ReleaseSharedMemory() calls close(2). 12. tee_shm_put() in the tee_shm.c is called. 13. tee_shm_put() calls tee_shm_release(). 14. tee_shm_release() calls release_registered_pages(). 15. release_registered_pages() calls unpin_user_pages(). 16. Null pointer dereference is happened in unpin_user_pages(). ## Debugging I added following debug logs in the tee_shm_release() } else if (shm->flags & TEE_SHM_DYNAMIC) { int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm); size_t i; if (rc) dev_err(teedev->dev.parent, "unregister shm %p failed: %d", shm, rc); pr_info("%s:%d: shm->num_pages: 0x%lx, shm->size: 0x%lx\n", __func__, __LINE__, shm->num_pages, shm->size); for (i = 0; i < shm->num_pages; i++) { if (!shm->pages[i]) { pr_info("%s:%d: shm->pages[%ld] is NULL", __func__, __LINE__, i); } } release_registered_pages(shm); } It showed the following logs. [ 21.350894] tee_shm_release:57: shm->num_pages: 0x11, shm->size: 0xd690 [ 21.350977] tee_shm_release:60: shm->pages[14] is NULL [ 21.351003] tee_shm_release:60: shm->pages[15] is NULL [ 21.351012] tee_shm_release:60: shm->pages[16] is NULL According to the above logs, shm->num_pages is 17 but the pages array contains NULL pointers so that it causes a NULL pointer dereference bug. I have confirmed that I can prevent NULL pointer dereference by making the following changes. diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 2a7d253d9c55..c5d39a0efbdb 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -34,9 +34,16 @@ static void shm_get_kernel_pages(struct page **pages, size_t page_count) static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { - if (shm->flags & TEE_SHM_USER_MAPPED) - unpin_user_pages(shm->pages, shm->num_pages); - else + if (shm->flags & TEE_SHM_USER_MAPPED) { + size_t num_pages = 0; + size_t i; + for (i = 0; i < shm->num_pages; i++, num_pages++) { + if (!shm->pages[i]) + break; + } + + unpin_user_pages(shm->pages, num_pages); + } else shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); Regards, -- Masami Ichikawa

2 months, 3 weeks

3
5
0 0

2025

2024

2023

2022

2021

2020

OP-TEE