Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.17.13 2018-05-07T09:51:03Z 2018-05-07T09:51:03Z Etienne Carriere etienne.carriere@linaro.org 2018-04-29T12:22:29Z urn:sha1:ab9d3db5b320a052452b9cd035599ee3c84bbee9 This change prevents userland from referencing TEE shared memory outside the area initially allocated by its owner. Prior this change an application could not reference or access memory it did not own but it could reference memory not explicitly allocated by owner but still allocated to the owner due to the memory allocation granule. Reported-by: Alexandre Jutras <alexandre.jutras@nxp.com> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2018-05-07T09:50:25Z Jann Horn jannh@google.com 2018-04-04T19:03:21Z urn:sha1:bb765d1c331f62b59049d35607ed2e365802bef9 Bump the file's refcount before moving the reference into the fd table, not afterwards. The old code could drop the file's refcount to zero for a short moment before calling get_file() via get_dma_buf(). This code can only be triggered on ARM systems that use Linaro's OP-TEE. Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2018-03-06T10:03:55Z Jérôme Forissier jerome.forissier@linaro.org 2017-11-24T14:47:18Z urn:sha1:5c5f80307ab27c53b56569245a0b12f4e3b577de When the driver initializes, report the following information about the OP-TEE OS: - major and minor version, - build identifier (if available). Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Matthias Brugger <mbruger@suse.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2018-03-06T10:03:55Z Jérôme Forissier jerome.forissier@linaro.org 2017-11-24T14:47:17Z urn:sha1:6e112de0427874500fb9c373595481653ae4078d In the OPTEE_SMC_CALL_GET_OS_REVISION request, the previously reserved parameter a2 is now documented as being an optional build identifier (such as an SCM revision or commit ID, for instance). A new structure optee_smc_call_get_os_revision_result is introduced to be used when querying the secure OS version, instead of re-using the struct defined for OPTEE_SMC_CALLS_REVISION. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Matthias Brugger <mbruger@suse.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2018-03-06T10:03:55Z Peng Fan peng.fan@nxp.com 2018-01-15T09:27:35Z urn:sha1:7dd003aec2016e90d33f25f90ad4cebb12224a8a The privileged dev id range is [TEE_NUM_DEVICES / 2, TEE_NUM_DEVICES). The non-privileged dev id range is [0, TEE_NUM_DEVICES / 2). So when finding a slot for them, need to use different max value. Signed-off-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2018-01-12T02:05:06Z Olof Johansson olof@lixom.net 2018-01-12T02:05:06Z urn:sha1:ffdc98c4f25b1f4fb96cd9190917b53a760f3fec This pull request updates the previous tee-drv-dynamic-shm-for-v4.16 pull request with five new patches fixing review comments and errors. Apart from three small fixes there's two larger patches that in the end checks that memory to be registered really is normal cached memory. * tag 'tee-drv-dynamic-shm+fixes-for-v4.16' of https://git.linaro.org/people/jens.wiklander/linux-tee: tee: shm: Potential NULL dereference calling tee_shm_register() tee: shm: don't put_page on null shm->pages tee: shm: make function __tee_shm_alloc static tee: optee: check type of registered shared memory tee: add start argument to shm_register callback Signed-off-by: Olof Johansson <olof@lixom.net> 2018-01-09T13:34:00Z Dan Carpenter dan.carpenter@oracle.com 2018-01-06T09:22:30Z urn:sha1:2490cdf6435b1d3cac0dbf710cd752487c67c296 get_user_pages_fast() can return zero in certain error paths. We should handle that or else it means we accidentally return ERR_PTR(0) which is NULL instead of an error pointer. The callers are not expecting that and will crash with a NULL dereference. Fixes: 033ddf12bcf5 ("tee: add register user memory") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2017-12-28T21:20:10Z Colin Ian King colin.king@canonical.com 2017-12-22T17:51:50Z urn:sha1:c94f31b526fe658c25dd2d07c90486a85437f01c In the case that shm->pages fails to allocate, the current exit error path will try to put_page on a null shm->pages and cause a null pointer dereference when accessing shm->pages[n]. Fix this by only performing the put_page and kfree on shm->pages if it is not null. Detected by CoverityScan, CID#1463283 ("Dereference after null check") Fixes: 033ddf12bcf5 ("tee: add register user memory") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2017-12-28T21:19:57Z Colin Ian King colin.king@canonical.com 2017-12-22T17:01:22Z urn:sha1:80ec6f5de60b6934f145b2f7e5369592bcab85f3 The function __tee_shm_alloc is local to the source and does not need to be in global scope, so make it static. Cleans up sparse warning: symbol '__tee_shm_alloc' was not declared. Should it be static? Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2017-12-28T12:21:27Z Jens Wiklander jens.wiklander@linaro.org 2017-12-28T10:14:05Z urn:sha1:cdbcf83d29c1bf2aaa65260e74beaac1bcdc231c Checks the memory type of the pages to be registered as shared memory. Only normal cached memory is allowed. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>