Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.36 2026-06-19T11:44:02+00:00 2026-06-19T11:44:02+00:00 Georgiy Osokin g.osokin@auroraos.dev 2026-04-08T15:52:03+00:00 urn:sha1:c10c9c48b2903f41ed4c532043b0576e86228236 commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream. register_shm_helper() allocates shm before calling iov_iter_npages(). If iov_iter_npages() returns 0, the function jumps to err_ctx_put and leaks shm. This can be triggered by TEE_IOC_SHM_REGISTER with struct tee_ioctl_shm_register_data where length is 0. Jump to err_free_shm instead. Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Cc: stable@vger.kernel.org Cc: lvc-project@linuxtesting.org Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-19T11:43:51+00:00 Robertus Diawan Chris robertusdchris@gmail.com 2026-05-19T02:05:28+00:00 urn:sha1:8db2fabb5ecd9e4917a938d6021fd0a2f4bfbfc5 [ Upstream commit 471c18323dfdfe7844e193b896a9267ae23a1026 ] qcomtee_object_user_init() is a variadic function and when the function return because there's no dispatch callback in QCOMTEE_OBJECT_TYPE_CB case, there's no va_end to cleanup "ap" object initialized by va_start and that can cause undefined behavior. So make sure to use va_end before returning the error code when there's no dispatch callback. This is reported by Coverity Scan as "Missing varargs init or cleanup". Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Robertus Diawan Chris <robertusdchris@gmail.com> Reviewed-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-19T11:43:51+00:00 Amirreza Zarrabi amirreza.zarrabi@oss.qualcomm.com 2026-02-16T22:24:06+00:00 urn:sha1:d5b57bb314d79e99bebb58a53588fa11dd4dbf69 [ Upstream commit 387a926ee166814611acecb960207fe2f3c4fd3e ] Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com> Tested-by: Ox Yeh <ox.yeh@mediatek.com> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-25T10:10:38+00:00 Matthew Wilcox willy@infradead.org 2026-02-20T08:49:59+00:00 urn:sha1:c2f6107728ea36b8ad7deb69c1e556b03103d58f [ Upstream commit 08d9a4580f71120be3c5b221af32dca00a48ceb0 ] Earlier TEE subsystem assumed to refcount all the memory pages to be shared with TEE implementation to be refcounted. However, the slab allocations within the kernel don't allow refcounting kernel pages. It is rather better to trust the kernel clients to not free pages while being shared with TEE implementation. Hence, remove refcounting of kernel pages from register_shm_helper() API. Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Reported-by: Marco Felsch <m.felsch@pengutronix.de> Reported-by: Sven Püschel <s.pueschel@pengutronix.de> Signed-off-by: Matthew Wilcox <willy@infradead.org> Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Tested-by: Sven Püschel <s.pueschel@pengutronix.de> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-11-21T20:27:20+00:00 Arnd Bergmann arnd@arndb.de 2025-11-21T20:27:20+00:00 urn:sha1:fe7cdcd1bacec3a54ec94131292b5c883cec50cf QCOMTEE fixes2 for v6.18 - initialize result before use in in error path - fix uninitialized pointers with free attribute * tag 'qcomtee-fixes2-for-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee: tee: qcomtee: initialize result before use in release worker tee: qcomtee: fix uninitialized pointers with free attribute Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2025-11-17T09:19:29+00:00 Amirreza Zarrabi amirreza.zarrabi@oss.qualcomm.com 2025-11-14T03:38:42+00:00 urn:sha1:e19d7f7e92e061707252eab2b71d2c3be09b2e96 Initialize result to 0 so the error path doesn't read it uninitialized when the invoke fails. Fixes a Smatch warning. Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/op-tee/7c1e0de2-7d42-4c6b-92fe-0e4fe5d650b5@oss.qualcomm.com/ Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2025-11-14T07:42:07+00:00 Ally Heev allyheev@gmail.com 2025-11-11T07:56:42+00:00 urn:sha1:ac5ae0a5ce22640f73677d40730a37f43df442d1 Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope. qcomtee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev <allyheev@gmail.com> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2025-10-17T13:26:52+00:00 Arnd Bergmann arnd@arndb.de 2025-10-17T13:26:23+00:00 urn:sha1:1d4e7d9f6b7e4e45ec8ca03ae1bbc6ae7165b6f0 TEE QTEE fixes for v6.18 - Adds ARCH_QCOM dependency for the QTEE driver - Fixing return values for copy_from_user() failures - Guarding against potential off by one read * tag 'tee-qcomtee-fixes-for-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee: tee: QCOMTEE should depend on ARCH_QCOM tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails tee: qcom: prevent potential off by one read 2025-10-02T06:31:10+00:00 Geert Uytterhoeven geert+renesas@glider.be 2025-09-30T14:44:27+00:00 urn:sha1:3b63efa21bc6acc1a0fadd1dd0f0e1988a4c0177 The Qualcomm Trusted Execution Environment (QTEE) is only available on Qualcomm SoCs. Hence add a dependency on ARCH_QCOM, to prevent asking the user about this driver when configuring a kernel without Qualcomm platform support. Fixes: d6e290837e50f73f ("tee: add Qualcomm TEE driver") Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> 2025-10-02T00:32:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-02T00:32:51+00:00 urn:sha1:38057e323657695ec8f814aff0cdd1c7e00d3e9b Pull SoC driver updates from Arnd Bergmann: "Lots of platform specific updates for Qualcomm SoCs, including a new TEE subsystem driver for the Qualcomm QTEE firmware interface. Added support for the Apple A11 SoC in drivers that are shared with the M1/M2 series, among more updates for those. Smaller platform specific driver updates for Renesas, ASpeed, Broadcom, Nvidia, Mediatek, Amlogic, TI, Allwinner, and Freescale SoCs. Driver updates in the cache controller, memory controller and reset controller subsystems. SCMI firmware updates to add more features and improve robustness. This includes support for having multiple SCMI providers in a single system. TEE subsystem support for protected DMA-bufs, allowing hardware to access memory areas that managed by the kernel but remain inaccessible from the CPU in EL1/EL0" * tag 'soc-drivers-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (139 commits) soc/fsl/qbman: Use for_each_online_cpu() instead of for_each_cpu() soc: fsl: qe: Drop legacy-of-mm-gpiochip.h header from GPIO driver soc: fsl: qe: Change GPIO driver to a proper platform driver tee: fix register_shm_helper() pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" dt-bindings: spmi: Add Apple A11 and T2 compatible serial: qcom-geni: Load UART qup Firmware from linux side spi: geni-qcom: Load spi qup Firmware from linux side i2c: qcom-geni: Load i2c qup Firmware from linux side soc: qcom: geni-se: Add support to load QUP SE Firmware via Linux subsystem soc: qcom: geni-se: Cleanup register defines and update copyright dt-bindings: qcom: se-common: Add QUP Peripheral-specific properties for I2C, SPI, and SERIAL bus Documentation: tee: Add Qualcomm TEE driver tee: qcom: enable TEE_IOC_SHM_ALLOC ioctl tee: qcom: add primordial object tee: add Qualcomm TEE driver tee: increase TEE_MAX_ARG_SIZE to 4096 tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add close_context to TEE driver operation ...