Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.7 2021-05-05T11:00:11+00:00 2021-05-05T11:00:11+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2021-04-14T17:38:27+00:00 urn:sha1:9f015b3765bf593b3ed5d3b588e409dc0ffa9f85 Same Trusted Application (TA) can be loaded in multiple TEE contexts. If it is a single instance TA, the TA should not get unloaded from AMD Secure Processor, while it is still in use in another TEE context. Therefore reference count TA and unload it when the count becomes zero. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-11-09T07:59:00+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-11-04T06:26:10+00:00 urn:sha1:be353be27874f40837327d9a39e3ad2149ab66d3 Synchronize access to shm or shared memory buffer list to prevent race conditions due to concurrent updates to shared shm list by multiple threads. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-11-09T07:58:54+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-11-04T06:26:09+00:00 urn:sha1:ff1f855804cdbbb6db7b9b6df6cab783d1a40d66 The driver maintains a list of shared memory buffers along with their mapped buffer id's in a global linked list. These buffers need to be unmapped after use by the user-space client. The global shared memory list is initialized to zero entries in the function amdtee_open(). This clearing of list entries can be a source for memory leak on secure side if the global linked list previously held some mapped buffer entries allocated from another TEE context. Fix potential memory leak issue by moving global shared memory list to AMD-TEE driver context data structure. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-03-25T13:27:27+00:00 Arnd Bergmann arnd@arndb.de 2020-03-25T12:52:50+00:00 urn:sha1:47039b55f8e2002baa7c00f35a7fd11361a8726c tee: amdtee: out of bounds read in find_session() * tag 'tee-amdtee-fix2-for-5.6' of https://git.linaro.org/people/jens.wiklander/linux-tee: tee: amdtee: out of bounds read in find_session() Link: https://lore.kernel.org/r/20200320063446.GA9892@jade Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2020-03-10T07:12:04+00:00 Dan Carpenter dan.carpenter@oracle.com 2020-02-27T16:19:54+00:00 urn:sha1:36fa3e50085e3858dd506e4431b9abd1bcb1f542 The "index" is a user provided value from 0-USHRT_MAX. If it's over TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we call test_bit(index, sess->sess_mask). Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-02-27T15:22:05+00:00 Dan Carpenter dan.carpenter@oracle.com 2020-02-24T10:51:39+00:00 urn:sha1:b83685bceedbeed33a6adc2d0579a011708d2b18 On these error paths the "sess" variable isn't freed. It's a refcounted pointer so we need to call kref_put(). I re-arranged the code a bit so the error case is always handled before the success case and the error paths are indented two tabs. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-01-22T08:21:11+00:00 Colin Ian King colin.king@canonical.com 2020-01-16T15:48:52+00:00 urn:sha1:48d625e4c4cec813cdd1e439864a8ffc0b5081f1 Currently the memory allocation failure checks on drv_data and amdtee are using IS_ERR rather than checking for a null pointer. Fix these checks to use the conventional null pointer check. Addresses-Coverity: ("Dereference null return") Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2020-01-16T07:18:14+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-01-09T12:53:22+00:00 urn:sha1:279c075dc1d25f888f1a7423ecd1fdcdc54eba6a Remove NULL check for pool variable, since in the current code path it is guaranteed to be non-NULL. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2020-01-16T07:18:13+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-01-09T12:53:21+00:00 urn:sha1:f9568eae924717c37f8f1a42a22eaa1754a96053 Rename err label to err_device_unregister for better readability. Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2020-01-16T07:18:13+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-01-09T12:53:20+00:00 urn:sha1:2929015535fa355f604564ae5e542fd3c9179410 Currently, if tee_device_alloc() fails, then tee_device_unregister() is a no-op. Therefore, skip the function call to tee_device_unregister() by introducing a new goto label 'err_free_pool'. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>