* [PATCH v2] tee: optee: prevent use-after-free when the client exits before the supplicant
@ 2025-06-18 4:26 Amirreza Zarrabi
2025-06-19 14:07 ` Jens Wiklander
0 siblings, 1 reply; 2+ messages in thread
From: Amirreza Zarrabi @ 2025-06-18 4:26 UTC (permalink / raw)
To: Jens Wiklander, Sumit Garg, Arnd Bergmann
Cc: linux-arm-msm, op-tee, linux-kernel, Amirreza Zarrabi
Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.
If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.
Serialise access to the request with supp->mutex:
* Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
looking up and touching the request.
* Let optee_supp_thrd_req() notice that the client has terminated and
signal optee_supp_send() accordingly.
With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.
Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop")
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
---
Changes in v2:
- Replace the static variable with a sentinel value.
- Fix the issue with returning the popped request to the supplicant.
- Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss.qualcomm.com
---
drivers/tee/optee/supp.c | 110 ++++++++++++++++++++++++++++++++---------------
1 file changed, 75 insertions(+), 35 deletions(-)
diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c
index d0f397c90242..fa39f5f226aa 100644
--- a/drivers/tee/optee/supp.c
+++ b/drivers/tee/optee/supp.c
@@ -9,6 +9,7 @@
struct optee_supp_req {
struct list_head link;
+ int id;
bool in_queue;
u32 func;
@@ -19,6 +20,9 @@ struct optee_supp_req {
struct completion c;
};
+/* It is temporary request used for invalid pending request in supp->idr. */
+#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-ENOENT))
+
void optee_supp_init(struct optee_supp *supp)
{
memset(supp, 0, sizeof(*supp));
@@ -102,6 +106,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
mutex_lock(&supp->mutex);
list_add_tail(&req->link, &supp->reqs);
req->in_queue = true;
+ req->id = -1;
mutex_unlock(&supp->mutex);
/* Tell an eventual waiter there's a new request */
@@ -117,21 +122,40 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
if (wait_for_completion_killable(&req->c)) {
mutex_lock(&supp->mutex);
if (req->in_queue) {
+ /* Supplicant has not seen this request yet. */
list_del(&req->link);
req->in_queue = false;
+
+ ret = TEEC_ERROR_COMMUNICATION;
+ } else if (req->id == -1) {
+ /*
+ * Supplicant has processed this request. Ignore the
+ * kill signal for now and submit the result.
+ */
+ ret = req->ret;
+ } else {
+ /*
+ * Supplicant is in the middle of processing this
+ * request. Replace req with INVALID_REQ_PTR so that
+ * the ID remains busy, causing optee_supp_send() to
+ * fail on the next call to supp_pop_req() with this ID.
+ */
+ idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);
+ ret = TEEC_ERROR_COMMUNICATION;
}
+
mutex_unlock(&supp->mutex);
- req->ret = TEEC_ERROR_COMMUNICATION;
+ } else {
+ ret = req->ret;
}
- ret = req->ret;
kfree(req);
return ret;
}
static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
- int num_params, int *id)
+ int num_params)
{
struct optee_supp_req *req;
@@ -153,8 +177,8 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
return ERR_PTR(-EINVAL);
}
- *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
- if (*id < 0)
+ req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
+ if (req->id < 0)
return ERR_PTR(-ENOMEM);
list_del(&req->link);
@@ -214,7 +238,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
struct optee *optee = tee_get_drvdata(teedev);
struct optee_supp *supp = &optee->supp;
struct optee_supp_req *req = NULL;
- int id;
size_t num_meta;
int rc;
@@ -223,16 +246,47 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
return rc;
while (true) {
- mutex_lock(&supp->mutex);
- req = supp_pop_entry(supp, *num_params - num_meta, &id);
- mutex_unlock(&supp->mutex);
+ scoped_guard(mutex, &supp->mutex) {
+ req = supp_pop_entry(supp, *num_params - num_meta);
+ if (!req)
+ goto wait_for_request;
- if (req) {
if (IS_ERR(req))
return PTR_ERR(req);
- break;
+
+ /*
+ * Process the request while holding the lock,
+ * so that optee_supp_thrd_req() doesn't pull the
+ * request out from under us.
+ */
+
+ if (num_meta) {
+ /*
+ * tee-supplicant support meta parameters ->
+ * requests can be processed asynchronously.
+ */
+ param->attr =
+ TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
+ TEE_IOCTL_PARAM_ATTR_META;
+ param->u.value.a = req->id;
+ param->u.value.b = 0;
+ param->u.value.c = 0;
+ } else {
+ supp->req_id = req->id;
+ }
+
+ *func = req->func;
+ *num_params = req->num_params + num_meta;
+ memcpy(param + num_meta, req->param,
+ sizeof(struct tee_param) * req->num_params);
+
+ return 0;
}
+ /* Check for the next request in the queue. */
+ continue;
+
+wait_for_request:
/*
* If we didn't get a request we'll block in
* wait_for_completion() to avoid needless spinning.
@@ -245,27 +299,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
return -ERESTARTSYS;
}
- if (num_meta) {
- /*
- * tee-supplicant support meta parameters -> requsts can be
- * processed asynchronously.
- */
- param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
- TEE_IOCTL_PARAM_ATTR_META;
- param->u.value.a = id;
- param->u.value.b = 0;
- param->u.value.c = 0;
- } else {
- mutex_lock(&supp->mutex);
- supp->req_id = id;
- mutex_unlock(&supp->mutex);
- }
-
- *func = req->func;
- *num_params = req->num_params + num_meta;
- memcpy(param + num_meta, req->param,
- sizeof(struct tee_param) * req->num_params);
-
return 0;
}
@@ -297,12 +330,19 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
if (!req)
return ERR_PTR(-ENOENT);
+ /* optee_supp_thrd_req() already returned to optee. */
+ if (IS_ERR(req))
+ goto failed_req;
+
if ((num_params - nm) != req->num_params)
return ERR_PTR(-EINVAL);
+ req->id = -1;
+ *num_meta = nm;
+failed_req:
idr_remove(&supp->idr, id);
supp->req_id = -1;
- *num_meta = nm;
+
return req;
}
@@ -328,9 +368,8 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
mutex_lock(&supp->mutex);
req = supp_pop_req(supp, num_params, param, &num_meta);
- mutex_unlock(&supp->mutex);
-
if (IS_ERR(req)) {
+ mutex_unlock(&supp->mutex);
/* Something is wrong, let supplicant restart. */
return PTR_ERR(req);
}
@@ -358,6 +397,7 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
/* Let the requesting thread continue */
complete(&req->c);
+ mutex_unlock(&supp->mutex);
return 0;
}
---
base-commit: 3be1a7a31fbda82f3604b6c31e4f390110de1b46
change-id: 20250604-fix-use-after-free-8ff1b5d5d774
Best regards,
--
Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] tee: optee: prevent use-after-free when the client exits before the supplicant
2025-06-18 4:26 [PATCH v2] tee: optee: prevent use-after-free when the client exits before the supplicant Amirreza Zarrabi
@ 2025-06-19 14:07 ` Jens Wiklander
0 siblings, 0 replies; 2+ messages in thread
From: Jens Wiklander @ 2025-06-19 14:07 UTC (permalink / raw)
To: Amirreza Zarrabi
Cc: Sumit Garg, Arnd Bergmann, linux-arm-msm, op-tee, linux-kernel
Hi Amir,
On Wed, Jun 18, 2025 at 6:26 AM Amirreza Zarrabi
<amirreza.zarrabi@oss.qualcomm.com> wrote:
>
> Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
> client wait as killable so it can be interrupted during shutdown or
> after a supplicant crash. This changes the original lifetime expectations:
> the client task can now terminate while the supplicant is still processing
> its request.
>
> If the client exits first it removes the request from its queue and
> kfree()s it, while the request ID remains in supp->idr. A subsequent
> lookup on the supplicant path then dereferences freed memory, leading to
> a use-after-free.
>
> Serialise access to the request with supp->mutex:
>
> * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
> looking up and touching the request.
> * Let optee_supp_thrd_req() notice that the client has terminated and
> signal optee_supp_send() accordingly.
>
> With these changes the request cannot be freed while the supplicant still
> has a reference, eliminating the race.
>
> Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop")
> Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
> ---
> Changes in v2:
> - Replace the static variable with a sentinel value.
> - Fix the issue with returning the popped request to the supplicant.
> - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss.qualcomm.com
> ---
> drivers/tee/optee/supp.c | 110 ++++++++++++++++++++++++++++++++---------------
> 1 file changed, 75 insertions(+), 35 deletions(-)
>
> diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c
> index d0f397c90242..fa39f5f226aa 100644
> --- a/drivers/tee/optee/supp.c
> +++ b/drivers/tee/optee/supp.c
> @@ -9,6 +9,7 @@
>
> struct optee_supp_req {
> struct list_head link;
> + int id;
>
> bool in_queue;
> u32 func;
> @@ -19,6 +20,9 @@ struct optee_supp_req {
> struct completion c;
> };
>
> +/* It is temporary request used for invalid pending request in supp->idr. */
> +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-ENOENT))
> +
> void optee_supp_init(struct optee_supp *supp)
> {
> memset(supp, 0, sizeof(*supp));
> @@ -102,6 +106,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
> mutex_lock(&supp->mutex);
> list_add_tail(&req->link, &supp->reqs);
> req->in_queue = true;
> + req->id = -1;
> mutex_unlock(&supp->mutex);
>
> /* Tell an eventual waiter there's a new request */
> @@ -117,21 +122,40 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
> if (wait_for_completion_killable(&req->c)) {
> mutex_lock(&supp->mutex);
> if (req->in_queue) {
> + /* Supplicant has not seen this request yet. */
> list_del(&req->link);
> req->in_queue = false;
> +
> + ret = TEEC_ERROR_COMMUNICATION;
> + } else if (req->id == -1) {
> + /*
> + * Supplicant has processed this request. Ignore the
> + * kill signal for now and submit the result.
> + */
> + ret = req->ret;
> + } else {
> + /*
> + * Supplicant is in the middle of processing this
> + * request. Replace req with INVALID_REQ_PTR so that
> + * the ID remains busy, causing optee_supp_send() to
> + * fail on the next call to supp_pop_req() with this ID.
> + */
> + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);
> + ret = TEEC_ERROR_COMMUNICATION;
> }
> +
> mutex_unlock(&supp->mutex);
> - req->ret = TEEC_ERROR_COMMUNICATION;
> + } else {
> + ret = req->ret;
> }
>
> - ret = req->ret;
> kfree(req);
>
> return ret;
> }
>
> static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
> - int num_params, int *id)
> + int num_params)
> {
> struct optee_supp_req *req;
>
> @@ -153,8 +177,8 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
> return ERR_PTR(-EINVAL);
> }
>
> - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
> - if (*id < 0)
> + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
I'd prefer only assigning positive values to req->id. Even if
idr_alloc() might never return -1 it's still a bit messy.
Cheers,
Jens
> + if (req->id < 0)
> return ERR_PTR(-ENOMEM);
>
> list_del(&req->link);
> @@ -214,7 +238,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
> struct optee *optee = tee_get_drvdata(teedev);
> struct optee_supp *supp = &optee->supp;
> struct optee_supp_req *req = NULL;
> - int id;
> size_t num_meta;
> int rc;
>
> @@ -223,16 +246,47 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
> return rc;
>
> while (true) {
> - mutex_lock(&supp->mutex);
> - req = supp_pop_entry(supp, *num_params - num_meta, &id);
> - mutex_unlock(&supp->mutex);
> + scoped_guard(mutex, &supp->mutex) {
> + req = supp_pop_entry(supp, *num_params - num_meta);
> + if (!req)
> + goto wait_for_request;
>
> - if (req) {
> if (IS_ERR(req))
> return PTR_ERR(req);
> - break;
> +
> + /*
> + * Process the request while holding the lock,
> + * so that optee_supp_thrd_req() doesn't pull the
> + * request out from under us.
> + */
> +
> + if (num_meta) {
> + /*
> + * tee-supplicant support meta parameters ->
> + * requests can be processed asynchronously.
> + */
> + param->attr =
> + TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
> + TEE_IOCTL_PARAM_ATTR_META;
> + param->u.value.a = req->id;
> + param->u.value.b = 0;
> + param->u.value.c = 0;
> + } else {
> + supp->req_id = req->id;
> + }
> +
> + *func = req->func;
> + *num_params = req->num_params + num_meta;
> + memcpy(param + num_meta, req->param,
> + sizeof(struct tee_param) * req->num_params);
> +
> + return 0;
> }
>
> + /* Check for the next request in the queue. */
> + continue;
> +
> +wait_for_request:
> /*
> * If we didn't get a request we'll block in
> * wait_for_completion() to avoid needless spinning.
> @@ -245,27 +299,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
> return -ERESTARTSYS;
> }
>
> - if (num_meta) {
> - /*
> - * tee-supplicant support meta parameters -> requsts can be
> - * processed asynchronously.
> - */
> - param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
> - TEE_IOCTL_PARAM_ATTR_META;
> - param->u.value.a = id;
> - param->u.value.b = 0;
> - param->u.value.c = 0;
> - } else {
> - mutex_lock(&supp->mutex);
> - supp->req_id = id;
> - mutex_unlock(&supp->mutex);
> - }
> -
> - *func = req->func;
> - *num_params = req->num_params + num_meta;
> - memcpy(param + num_meta, req->param,
> - sizeof(struct tee_param) * req->num_params);
> -
> return 0;
> }
>
> @@ -297,12 +330,19 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
> if (!req)
> return ERR_PTR(-ENOENT);
>
> + /* optee_supp_thrd_req() already returned to optee. */
> + if (IS_ERR(req))
> + goto failed_req;
> +
> if ((num_params - nm) != req->num_params)
> return ERR_PTR(-EINVAL);
>
> + req->id = -1;
> + *num_meta = nm;
> +failed_req:
> idr_remove(&supp->idr, id);
> supp->req_id = -1;
> - *num_meta = nm;
> +
>
> return req;
> }
> @@ -328,9 +368,8 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
>
> mutex_lock(&supp->mutex);
> req = supp_pop_req(supp, num_params, param, &num_meta);
> - mutex_unlock(&supp->mutex);
> -
> if (IS_ERR(req)) {
> + mutex_unlock(&supp->mutex);
> /* Something is wrong, let supplicant restart. */
> return PTR_ERR(req);
> }
> @@ -358,6 +397,7 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
>
> /* Let the requesting thread continue */
> complete(&req->c);
> + mutex_unlock(&supp->mutex);
>
> return 0;
> }
>
> ---
> base-commit: 3be1a7a31fbda82f3604b6c31e4f390110de1b46
> change-id: 20250604-fix-use-after-free-8ff1b5d5d774
>
> Best regards,
> --
> Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-06-19 14:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-18 4:26 [PATCH v2] tee: optee: prevent use-after-free when the client exits before the supplicant Amirreza Zarrabi
2025-06-19 14:07 ` Jens Wiklander
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).