Patch "tee: optee: do not check memref size on return from Secure World" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 07 May 2021 23:36:35 -0400

This is a note to let you know that I've just added the patch titled

    tee: optee: do not check memref size on return from Secure World

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tee-optee-do-not-check-memref-size-on-return-from-se.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7870482acee573d6f6cc80d4d2ced86ede270597
Author: Jerome Forissier <jerome@xxxxxxxxxxxxx>
Date:   Mon Mar 22 11:40:37 2021 +0100

    tee: optee: do not check memref size on return from Secure World
    
    [ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ]
    
    When Secure World returns, it may have changed the size attribute of the
    memory references passed as [in/out] parameters. The GlobalPlatform TEE
    Internal Core API specification does not restrict the values that this
    size can take. In particular, Secure World may increase the value to be
    larger than the size of the input buffer to indicate that it needs more.
    
    Therefore, the size check in optee_from_msg_param() is incorrect and
    needs to be removed. This fixes a number of failed test cases in the
    GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09
    when OP-TEE is compiled without dynamic shared memory support
    (CFG_CORE_DYN_SHM=n).
    
    Reviewed-by: Sumit Garg <sumit.garg@xxxxxxxxxx>
    Suggested-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
    Signed-off-by: Jerome Forissier <jerome@xxxxxxxxxxxxx>
    Signed-off-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
index 2f254f957b0a..1d71fcb13dba 100644
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -87,16 +87,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params,
 				return rc;
 			p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa;
 			p->u.memref.shm = shm;
-
-			/* Check that the memref is covered by the shm object */
-			if (p->u.memref.size) {
-				size_t o = p->u.memref.shm_offs +
-					   p->u.memref.size - 1;
-
-				rc = tee_shm_get_pa(shm, o, NULL);
-				if (rc)
-					return rc;
-			}
 			break;
 		case OPTEE_MSG_ATTR_TYPE_RMEM_INPUT:
 		case OPTEE_MSG_ATTR_TYPE_RMEM_OUTPUT:






