- OP-TEE - lists.trustedfirmware.org

[PATCH v3] tee: optee: prevent use-after-free when the client exits before the supplicant

by Amirreza Zarrabi

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v3: - Introduce processed flag instead of -1 for req->id. - Update optee_supp_release() as reported by Michael Wu. - Use mutex instead of guard. - Link to v2: https://lore.kernel.org/r/20250617-fix-use-after-free-v2-1-1fbfafec5917@oss… Changes in v2: - Replace the static variable with a sentinel value. - Fix the issue with returning the popped request to the supplicant. - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss… --- drivers/tee/optee/supp.c | 122 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 36 deletions(-) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index d0f397c90242..0ec66008df19 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -10,7 +10,11 @@ struct optee_supp_req { struct list_head link; + int id; + bool in_queue; + bool processed; + u32 func; u32 ret; size_t num_params; @@ -19,6 +23,9 @@ struct optee_supp_req { struct completion c; }; +/* It is temporary request used for invalid pending request in supp->idr. */ +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-ENOENT)) + void optee_supp_init(struct optee_supp *supp) { memset(supp, 0, sizeof(*supp)); @@ -46,6 +53,10 @@ void optee_supp_release(struct optee_supp *supp) /* Abort all request retrieved by supplicant */ idr_for_each_entry(&supp->idr, req, id) { idr_remove(&supp->idr, id); + /* Skip if request was already marked invalid */ + if (IS_ERR(req)) + continue; + req->ret = TEEC_ERROR_COMMUNICATION; complete(&req->c); } @@ -102,6 +113,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, mutex_lock(&supp->mutex); list_add_tail(&req->link, &supp->reqs); req->in_queue = true; + req->processed = false; mutex_unlock(&supp->mutex); /* Tell an eventual waiter there's a new request */ @@ -117,21 +129,40 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (wait_for_completion_killable(&req->c)) { mutex_lock(&supp->mutex); if (req->in_queue) { + /* Supplicant has not seen this request yet. */ list_del(&req->link); req->in_queue = false; + + ret = TEEC_ERROR_COMMUNICATION; + } else if (req->processed) { + /* + * Supplicant has processed this request. Ignore the + * kill signal for now and submit the result. + */ + ret = req->ret; + } else { + /* + * Supplicant is in the middle of processing this + * request. Replace req with INVALID_REQ_PTR so that + * the ID remains busy, causing optee_supp_send() to + * fail on the next call to supp_pop_req() with this ID. + */ + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id); + ret = TEEC_ERROR_COMMUNICATION; } + mutex_unlock(&supp->mutex); - req->ret = TEEC_ERROR_COMMUNICATION; + } else { + ret = req->ret; } - ret = req->ret; kfree(req); return ret; } static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, - int num_params, int *id) + int num_params) { struct optee_supp_req *req; @@ -153,8 +184,8 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, return ERR_PTR(-EINVAL); } - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); - if (*id < 0) + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); + if (req->id < 0) return ERR_PTR(-ENOMEM); list_del(&req->link); @@ -214,7 +245,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, struct optee *optee = tee_get_drvdata(teedev); struct optee_supp *supp = &optee->supp; struct optee_supp_req *req = NULL; - int id; size_t num_meta; int rc; @@ -224,15 +254,48 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, while (true) { mutex_lock(&supp->mutex); - req = supp_pop_entry(supp, *num_params - num_meta, &id); - mutex_unlock(&supp->mutex); - if (req) { - if (IS_ERR(req)) - return PTR_ERR(req); - break; + req = supp_pop_entry(supp, *num_params - num_meta); + if (!req) { + mutex_unlock(&supp->mutex); + goto wait_for_request; + } + + if (IS_ERR(req)) { + rc = PTR_ERR(req); + mutex_unlock(&supp->mutex); + + return rc; } + /* + * Process the request while holding the lock, so that + * optee_supp_thrd_req() doesn't pull the request from under us. + */ + + if (num_meta) { + /* + * tee-supplicant support meta parameters -> + * requests can be processed asynchronously. + */ + param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | + TEE_IOCTL_PARAM_ATTR_META; + param->u.value.a = req->id; + param->u.value.b = 0; + param->u.value.c = 0; + } else { + supp->req_id = req->id; + } + + *func = req->func; + *num_params = req->num_params + num_meta; + memcpy(param + num_meta, req->param, + sizeof(struct tee_param) * req->num_params); + + mutex_unlock(&supp->mutex); + return 0; + +wait_for_request: /* * If we didn't get a request we'll block in * wait_for_completion() to avoid needless spinning. @@ -243,29 +306,10 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, */ if (wait_for_completion_interruptible(&supp->reqs_c)) return -ERESTARTSYS; - } - if (num_meta) { - /* - * tee-supplicant support meta parameters -> requsts can be - * processed asynchronously. - */ - param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | - TEE_IOCTL_PARAM_ATTR_META; - param->u.value.a = id; - param->u.value.b = 0; - param->u.value.c = 0; - } else { - mutex_lock(&supp->mutex); - supp->req_id = id; - mutex_unlock(&supp->mutex); + /* Check for the next request in the queue. */ } - *func = req->func; - *num_params = req->num_params + num_meta; - memcpy(param + num_meta, req->param, - sizeof(struct tee_param) * req->num_params); - return 0; } @@ -297,12 +341,18 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, if (!req) return ERR_PTR(-ENOENT); + /* optee_supp_thrd_req() already returned to optee. */ + if (IS_ERR(req)) + goto failed_req; + if ((num_params - nm) != req->num_params) return ERR_PTR(-EINVAL); + *num_meta = nm; +failed_req: idr_remove(&supp->idr, id); supp->req_id = -1; - *num_meta = nm; + return req; } @@ -328,9 +378,8 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, mutex_lock(&supp->mutex); req = supp_pop_req(supp, num_params, param, &num_meta); - mutex_unlock(&supp->mutex); - if (IS_ERR(req)) { + mutex_unlock(&supp->mutex); /* Something is wrong, let supplicant restart. */ return PTR_ERR(req); } @@ -355,9 +404,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, } } req->ret = ret; - + req->processed = true; /* Let the requesting thread continue */ complete(&req->c); + mutex_unlock(&supp->mutex); return 0; } --- base-commit: 3f24e4edcd1b8981c6b448ea2680726dedd87279 change-id: 20250604-fix-use-after-free-8ff1b5d5d774 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

3 months

3
9
1 0

Linaro OP-TEE Contribution, LOC, monthly meeting January 27

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - OP-TEE version 4.9.0 released - Following our discussion at the last LOC regarding exporting OP-TEE version information via sysfs, the latest version of the patch [1] has been accepted. - Any other topics? [1] https://lore.kernel.org/op-tee/20260112154833.78546-1-aristo.chen@canonical… Cheers, Jens

3 months, 2 weeks

1
0
0 0

Rebase linaro-swg/kernel to v6.18

by Jens Wiklander

Hi, I've just rebased the linaro-swg/kernel optee branch on v6.18 from v6.14. By rebasing, we eliminated a few workarounds on the optee branch and gained FF-A version 1.2 support in the kernel. Cheers, Jens

3 months, 3 weeks

1
0
0 0

[PATCH][next] optee: make read-only array attr static const

by Colin Ian King

Don't populate the read-only array attr on the stack at run time, instead make it static const. Signed-off-by: Colin Ian King <coking(a)nvidia.com> --- drivers/tee/optee/rpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index 97fc5b14db0c..1758eb7e6e8b 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -43,7 +43,7 @@ static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx, struct i2c_msg msg = { }; size_t i; int ret = -EOPNOTSUPP; - u8 attr[] = { + static const u8 attr[] = { TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT, -- 2.51.0

3 months, 3 weeks

7
7
0 0

[GIT PULL] TEE sysfs for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these two patches adding a generic TEE revision sysfs attribute and implement support for OP-TEE. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-sysfs-for-6.20 for you to fetch changes up to c19faf5a62315d5e0e65dde49b7b59e30330b9c2: tee: optee: store OS revision for TEE core (2026-01-15 10:35:14 +0100) ---------------------------------------------------------------- TEE sysfs for 6.20 - Add an optional generic sysfs attribute for TEE revision - Implement revision reporting for OP-TEE using both SMC and FF-A ABIs ---------------------------------------------------------------- Aristo Chen (2): tee: add revision sysfs attribute tee: optee: store OS revision for TEE core Documentation/ABI/testing/sysfs-class-tee | 10 ++++++ drivers/tee/optee/core.c | 23 +++++++++++++ drivers/tee/optee/ffa_abi.c | 54 +++++++++++++++++++++++-------- drivers/tee/optee/optee_private.h | 19 +++++++++++ drivers/tee/optee/smc_abi.c | 15 +++++++-- drivers/tee/tee_core.c | 51 ++++++++++++++++++++++++++++- include/linux/tee_core.h | 9 ++++++ 7 files changed, 163 insertions(+), 18 deletions(-)

3 months, 3 weeks

1
0
0 0

[GIT PULL] AMDTEE update for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull this small patch removing unused return variables in a couple of functions in the AMDTEE driver in the TEE subsystem. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/amdtee-update-for-6.20 for you to fetch changes up to a0db08f47c836251fbaccf711e12fe8428235465: tee: amdtee: Remove unused return variables (2026-01-14 10:20:51 +0100) ---------------------------------------------------------------- AMDTEE update for 6.20 Remove unused return variables ---------------------------------------------------------------- Thorsten Blum (1): tee: amdtee: Remove unused return variables drivers/tee/amdtee/call.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

3 months, 3 weeks

1
0
0 0

[GIT PULL] TEE bus callbacks for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these updates adding TEE bus callbacks to let the users of the bus get rid of the struct device_driver callbacks .probe(), .remove() and .shutdown(). The maintainers for the updated drivers using the TEE bus have agreed to take these changes via my tree, with the exception of the maintainer for drivers/firmware/broadcom/tee_bnxt_fw.c, who has remained silent during the review. However, the changes in the drivers are straight forward so it's better to take these patches too rather than excluding them. Further details are in the last patch set: https://lore.kernel.org/op-tee/cover.1765791463.git.u.kleine-koenig@baylibr… Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-bus-callback-for-6.20 for you to fetch changes up to e82d0477fd80707221c3d110f56d05506de2698c: tpm/tpm_ftpm_tee: Fix kdoc after function renames (2026-01-15 10:28:33 +0100) ---------------------------------------------------------------- TEE bus callback for 6.20 - Move from generic device_driver to TEE bus-specific callbacks - Add module_tee_client_driver() and registration helpers to reduce boilerplate - Convert several client drivers (TPM, KEYS, firmware, EFI, hwrng, and RTC) - Update documentation and fix kernel-doc warnings ---------------------------------------------------------------- Uwe Kleine-König (18): tee: Add some helpers to reduce boilerplate for tee client drivers tee: Add probe, remove and shutdown bus callbacks to tee_client_driver tee: Adapt documentation to cover recent additions rtc: optee: Migrate to use tee specific driver registration function rtc: optee: Make use of tee bus methods hwrng: optee - Make use of module_tee_client_driver() hwrng: optee - Make use of tee bus methods efi: stmm: Make use of module_tee_client_driver() efi: stmm: Make use of tee bus methods firmware: arm_scmi: optee: Make use of module_tee_client_driver() firmware: arm_scmi: Make use of tee bus methods firmware: tee_bnxt: Make use of module_tee_client_driver() firmware: tee_bnxt: Make use of tee bus methods KEYS: trusted: Migrate to use tee specific driver registration function KEYS: trusted: Make use of tee bus methods tpm/tpm_ftpm_tee: Make use of tee specific driver registration tpm/tpm_ftpm_tee: Make use of tee bus methods tpm/tpm_ftpm_tee: Fix kdoc after function renames Documentation/driver-api/tee.rst | 18 +----- drivers/char/hw_random/optee-rng.c | 26 ++------- drivers/char/tpm/tpm_ftpm_tee.c | 35 ++++++++---- drivers/firmware/arm_scmi/transports/optee.c | 32 ++++------- drivers/firmware/broadcom/tee_bnxt_fw.c | 30 +++------- drivers/firmware/efi/stmm/tee_stmm_efi.c | 25 ++------- drivers/rtc/rtc-optee.c | 27 +++------ drivers/tee/tee_core.c | 84 ++++++++++++++++++++++++++++ include/linux/tee_drv.h | 12 ++++ security/keys/trusted-keys/trusted_tee.c | 17 +++--- 10 files changed, 166 insertions(+), 140 deletions(-)

3 months, 3 weeks

1
0
0 0

[GIT PULL] OP-TEE update for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these three small updates for OP-TEE driver in the TEE subsystem, and for the OP-TEE mailing list. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/optee-update-for-6.20 for you to fetch changes up to 94ea7063fae835e800768d3b0507f0994ef03878: optee: make read-only array attr static const (2026-01-16 10:35:05 +0100) ---------------------------------------------------------------- OP-TEE update for 6.20 - A micro optimization by making a local array static const - Update OP-TEE mailing list as moderated - Update an outdated comment for cmd_alloc_suppl() ---------------------------------------------------------------- Colin Ian King (1): optee: make read-only array attr static const Geert Uytterhoeven (1): MAINTAINERS: Mark the OP-TEE mailing list moderated Julia Lawall (1): optee: update outdated comment MAINTAINERS | 6 +++--- drivers/tee/optee/rpc.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)

3 months, 3 weeks

1
0
0 0

[GIT PULL] QCOMTEE fixes for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull thes three small fixes for the QCOMTEE driver in the TEE subsystem. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/qcomtee-fixes-for-6.20 for you to fetch changes up to 1c05d9a4cab2abfb93ebce5edaa17752126b6d35: tee: qcomtee: user: Fix confusing cleanup.h syntax (2026-01-05 10:21:09 +0100) ---------------------------------------------------------------- QCOMTEE fixes for 6.20 Small cleanups for the qcomtee driver to align with recommended coding practices for the cleanup.h infrastructure. ---------------------------------------------------------------- Krzysztof Kozlowski (3): tee: qcomtee: call: Fix confusing cleanup.h syntax tee: qcomtee: mem: Fix confusing cleanup.h syntax tee: qcomtee: user: Fix confusing cleanup.h syntax drivers/tee/qcomtee/call.c | 17 ++++++++--------- drivers/tee/qcomtee/mem_obj.c | 4 ++-- drivers/tee/qcomtee/user_obj.c | 8 ++++---- 3 files changed, 14 insertions(+), 15 deletions(-)

3 months, 3 weeks

1
0
0 0

OP-TEE 4.9.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 4.9.0 is now available. The list of changes can be found in the changelog [1]. A big thank you to everyone who participated with contributions and helping out with testing the release [2]. [1] https://github.com/OP-TEE/optee_os/blob/4.9.0/CHANGELOG.md [2] https://github.com/OP-TEE/optee_os/commit/c2b0684fcd89929976a8726e6e3af922b… Regards, Jens

3 months, 3 weeks

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE