Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2025-04-29T08:57:57+00:00 2025-04-29T08:57:57+00:00 Mario Limonciello mario.limonciello@amd.com 2025-04-21T15:22:23+00:00 urn:sha1:136deca59b1613c22aebfb0c8508dd02363c7142 Various headers have been added over time that are not added alphabetically and a private header is used before one of the linux/ headers. Resort the list. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2025-04-29T08:57:40+00:00 Mario Limonciello mario.limonciello@amd.com 2025-04-21T15:22:22+00:00 urn:sha1:7b0323666b260faef6db1a9fbe9bcce0c9bd750f amd-tee inconsistently uses the word amd-tee in error messages. Add a `pr_fmt()` define and remove the hardcoded use of amd-tee. Also, remove the unnecessary driver init successful message because there will be a message if failed and a user can assume it was successful otherwise. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2024-04-03T07:19:31+00:00 Sumit Garg sumit.garg@linaro.org 2024-03-25T15:11:01+00:00 urn:sha1:0439fcff304acdedfc493dbf900dce86922fd31f Since commit 25559c22cef8 ("tee: add kernel internal client interface"), it has been a common include/linux/tee_drv.h header file which is shared to hold TEE subsystem internal bits along with the APIs exposed to the TEE client drivers. However, this practice is prone to TEE subsystem internal APIs abuse and especially so with the new TEE implementation drivers being added to reuse existing functionality. In order to address this split TEE subsystem internal bits as a separate header file: include/linux/tee_core.h which should be the one used by TEE implementation drivers. With that include/linux/tee_drv.h lists only APIs exposed by TEE subsystem to the TEE client drivers. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2023-10-03T17:13:53+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2023-09-29T07:00:24+00:00 urn:sha1:f4384b3e54ea813868bb81a861bf5b2406e15d8f There is a potential race condition in amdtee_close_session that may cause use-after-free in amdtee_open_session. For instance, if a session has refcount == 1, and one thread tries to free this session via: kref_put(&sess->refcount, destroy_session); the reference count will get decremented, and the next step would be to call destroy_session(). However, if in another thread, amdtee_open_session() is called before destroy_session() has completed execution, alloc_session() may return 'sess' that will be freed up later in destroy_session() leading to use-after-free in amdtee_open_session. To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Cc: stable@vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2023-02-28T17:39:19+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2023-02-28T09:41:20+00:00 urn:sha1:f8502fba45bd30e1a6a354d9d898bc99d1a11e6d There is a potential race condition in amdtee_open_session that may lead to use-after-free. For instance, in amdtee_open_session() after sess->sess_mask is set, and before setting: sess->session_info[i] = session_info; if amdtee_close_session() closes this same session, then 'sess' data structure will be released, causing kernel panic when 'sess' is accessed within amdtee_open_session(). The solution is to set the bit sess->sess_mask as the last step in amdtee_open_session(). Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Cc: stable@vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2021-11-29T08:55:49+00:00 Dan Carpenter dan.carpenter@oracle.com 2021-11-24T14:54:04+00:00 urn:sha1:9d7482771fac8d8e38e763263f2ca0ca12dd22c6 The __get_free_pages() function does not return error pointers it returns NULL so fix this condition to avoid a NULL dereference. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2021-05-05T11:00:11+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2021-04-14T17:38:27+00:00 urn:sha1:9f015b3765bf593b3ed5d3b588e409dc0ffa9f85 Same Trusted Application (TA) can be loaded in multiple TEE contexts. If it is a single instance TA, the TA should not get unloaded from AMD Secure Processor, while it is still in use in another TEE context. Therefore reference count TA and unload it when the count becomes zero. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-11-09T07:59:00+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-11-04T06:26:10+00:00 urn:sha1:be353be27874f40837327d9a39e3ad2149ab66d3 Synchronize access to shm or shared memory buffer list to prevent race conditions due to concurrent updates to shared shm list by multiple threads. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-11-09T07:58:54+00:00 Rijo Thomas Rijo-john.Thomas@amd.com 2020-11-04T06:26:09+00:00 urn:sha1:ff1f855804cdbbb6db7b9b6df6cab783d1a40d66 The driver maintains a list of shared memory buffers along with their mapped buffer id's in a global linked list. These buffers need to be unmapped after use by the user-space client. The global shared memory list is initialized to zero entries in the function amdtee_open(). This clearing of list entries can be a source for memory leak on secure side if the global linked list previously held some mapped buffer entries allocated from another TEE context. Fix potential memory leak issue by moving global shared memory list to AMD-TEE driver context data structure. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2020-03-25T13:27:27+00:00 Arnd Bergmann arnd@arndb.de 2020-03-25T12:52:50+00:00 urn:sha1:47039b55f8e2002baa7c00f35a7fd11361a8726c tee: amdtee: out of bounds read in find_session() * tag 'tee-amdtee-fix2-for-5.6' of https://git.linaro.org/people/jens.wiklander/linux-tee: tee: amdtee: out of bounds read in find_session() Link: https://lore.kernel.org/r/20200320063446.GA9892@jade Signed-off-by: Arnd Bergmann <arnd@arndb.de>