[PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF

Amirreza Zarrabi posted 12 patches 6 months, 3 weeks ago
There is a newer version of this series
[PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
Posted by Amirreza Zarrabi 6 months, 3 weeks ago
For drivers that can transfer data to the TEE without using shared
memory from client, it is necessary to receive the user address
directly, bypassing any processing by the TEE subsystem. Introduce
TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT/OUTPUT/INOUT to represent
userspace buffers.

Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
---
 drivers/tee/tee_core.c   | 33 +++++++++++++++++++++++++++++++++
 include/linux/tee_drv.h  |  6 ++++++
 include/uapi/linux/tee.h | 22 ++++++++++++++++------
 3 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index b9ea5a85278c..74e40ed83fa7 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -387,6 +387,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
 			params[n].u.value.b = ip.b;
 			params[n].u.value.c = ip.c;
 			break;
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
+			params[n].u.ubuf.uaddr = u64_to_user_ptr(ip.a);
+			params[n].u.ubuf.size = ip.b;
+
+			if (!access_ok(params[n].u.ubuf.uaddr,
+				       params[n].u.ubuf.size))
+				return -EFAULT;
+
+			break;
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
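Review bot: The new UBUF case in params_from_user stores `ip.b` (a u64, going by the `(u64)` cast used when the size is written back to `up->b`) into `ubuf.size`, which this patch declares as `size_t`, so on a 32-bit kernel the upper bits would be dropped silently and `access_ok()` would validate the truncated length instead of the one userspace passed; the same assignment appears in the params_from_supp hunk. Rejecting an oversized value before the assignment, e.g. `if (ip.b > SIZE_MAX) return -EINVAL;`, keeps the checked length and the requested length identical. `ip.c` is also ignored for these types; if it is meant to be unused, requiring it to be zero here would keep the field free for later ABI extensions. The function body starts and ends outside the hunk.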
@@ -455,6 +466,11 @@ static int params_to_user(struct tee_ioctl_param __user *uparams,
 			    put_user(p->u.value.c, &up->c))
 				return -EFAULT;
 			break;
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
+			if (put_user((u64)p->u.ubuf.size, &up->b))
+				return -EFAULT;
+			break;
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
 			if (put_user((u64)p->u.memref.size, &up->b))
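Review bot: Nothing in this params_to_user case bounds the size written to `up->b` by the length the caller originally supplied, so userspace gets back whatever the backend driver left in `p->u.ubuf.size`. If drivers are expected never to report more than the caller's buffer length, that contract is worth stating here, for example `/* size as reported by the driver; must not exceed the size passed in by the caller */`. The enclosing switch starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out from this view.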
@@ -655,6 +671,13 @@ static int params_to_supp(struct tee_context *ctx,
 			ip.b = p->u.value.b;
 			ip.c = p->u.value.c;
 			break;
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
+			ip.a = (u64)p->u.ubuf.uaddr;
+			ip.b = p->u.ubuf.size;
+			ip.c = 0;
+			break;
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
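Review bot: `ip.a = (u64)p->u.ubuf.uaddr;` converts a pointer straight to a 64-bit integer, which on a 32-bit build is a cast to an integer of a different size and normally draws a compiler warning. Going through `unsigned long` avoids that, and because the source is a user pointer the conversion should also carry the sparse `__force` marker: `ip.a = (__force unsigned long)p->u.ubuf.uaddr;`. The surrounding switch in params_to_supp begins and ends outside the hunk.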
@@ -757,6 +780,16 @@ static int params_from_supp(struct tee_param *params, size_t num_params,
 			p->u.value.b = ip.b;
 			p->u.value.c = ip.c;
 			break;
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
+		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
+			p->u.ubuf.uaddr = u64_to_user_ptr(ip.a);
+			p->u.ubuf.size = ip.b;
+
+			if (!access_ok(params[n].u.ubuf.uaddr,
+				       params[n].u.ubuf.size))
+				return -EFAULT;
+
+			break;
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
 			/*
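Review bot: The added case writes the buffer through `p->u.ubuf` but validates it through `params[n].u.ubuf`. Presumably `p` is `params + n` (its definition is outside the hunk), so both name the same element, but mixing the two forms makes the reader confirm that before trusting the check. Using one form throughout, `if (!access_ok(p->u.ubuf.uaddr, p->u.ubuf.size))`, would match the neighbouring `p->u.value` lines.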
diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h
index a54c203000ed..78bbf12f02f0 100644
--- a/include/linux/tee_drv.h
+++ b/include/linux/tee_drv.h
@@ -82,6 +82,11 @@ struct tee_param_memref {
 	struct tee_shm *shm;
 };
 
+struct tee_param_ubuf {
+	void * __user uaddr;
+	size_t size;
+};
+
 struct tee_param_value {
 	u64 a;
 	u64 b;
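Review bot: `struct tee_param_ubuf` is added without any comment telling backend drivers how `uaddr` may be used. The core only runs `access_ok()` on it, which is a range check and neither pins nor maps the memory, so a driver has to go through `copy_from_user()`/`copy_to_user()` in the context of the calling task and must expect the contents to change between reads. A kernel-doc block on the struct would put that contract next to the type, with `@uaddr: user address, range-checked only; access with copy_from_user()/copy_to_user()` and `@size: size of the user buffer in bytes`.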
@@ -92,6 +97,7 @@ struct tee_param {
 	u64 attr;
 	union {
 		struct tee_param_memref memref;
+		struct tee_param_ubuf ubuf;
 		struct tee_param_value value;
 	} u;
 };
diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
index d0430bee8292..3e9b1ec5dfde 100644
--- a/include/uapi/linux/tee.h
+++ b/include/uapi/linux/tee.h
@@ -151,6 +151,13 @@ struct tee_ioctl_buf_data {
 #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT	6
 #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT	7	/* input and output */
 
+/*
+ * These defines userspace buffer parameters.
+ */
+#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT	8
+#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT	9
+#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT	10	/* input and output */
+
 /*
  * Mask for the type part of the attribute, leaves room for more types
  */
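Review bot: Adding types 8-10 to the shared uapi header, together with the params_from_user case in this patch, means every TEE driver can now be handed a UBUF parameter, not only the backend this series targets. Whether the existing backends reject attribute types they do not understand cannot be seen from this diff, so that is worth confirming. The comment above the defines could also state the contract, e.g. `/* Userspace buffer parameters: a is a user address, b its size in bytes */`.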
@@ -186,14 +193,17 @@ struct tee_ioctl_buf_data {
 /**
  * struct tee_ioctl_param - parameter
  * @attr: attributes
- * @a: if a memref, offset into the shared memory object, else a value parameter
- * @b: if a memref, size of the buffer, else a value parameter
+ * @a: if a memref, offset into the shared memory object,
+ *     else if a ubuf, address of the user buffer,
+ *     else a value parameter
+ * @b: if a memref or ubuf, size of the buffer, else a value parameter
  * @c: if a memref, shared memory identifier, else a value parameter
  *
- * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref or value is used in
- * the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value and
- * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref. TEE_PARAM_ATTR_TYPE_NONE
- * indicates that none of the members are used.
+ * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref, ubuf, or value is
+ * used in the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value,
+ * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref, and TEE_PARAM_ATTR_TYPE_UBUF_*
+ * indicates ubuf. TEE_PARAM_ATTR_TYPE_NONE indicates that none of the members
+ * are used.
  *
  * Shared memory is allocated with TEE_IOC_SHM_ALLOC which returns an
  * identifier representing the shared memory object. A memref can reference
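Review bot: The updated kernel-doc covers ubuf for `@a` and `@b` but leaves `@c` as "if a memref, shared memory identifier, else a value parameter", which now reads as if `c` carried a value for ubuf parameters. The code in this patch ignores `ip.c` on input and writes `ip.c = 0` towards the supplicant, so the line should say so: `@c: if a memref, shared memory identifier, if a ubuf, unused, else a value parameter`. The comment block continues past the end of the hunk.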

-- 
2.34.1
Re: [PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
Posted by Andrew Davis 6 months, 1 week ago
On 5/27/25 1:56 AM, Amirreza Zarrabi wrote:
> For drivers that can transfer data to the TEE without using shared
> memory from client, it is necessary to receive the user address
> directly, bypassing any processing by the TEE subsystem. Introduce
> TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT/OUTPUT/INOUT to represent
> userspace buffers.
> 

Could you expand on this, what is the issue with normal MEMREF?

Andrew

> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
> Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
> ---
>   drivers/tee/tee_core.c   | 33 +++++++++++++++++++++++++++++++++
>   include/linux/tee_drv.h  |  6 ++++++
>   include/uapi/linux/tee.h | 22 ++++++++++++++++------
>   3 files changed, 55 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index b9ea5a85278c..74e40ed83fa7 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -387,6 +387,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
>   			params[n].u.value.b = ip.b;
>   			params[n].u.value.c = ip.c;
>   			break;
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
> +			params[n].u.ubuf.uaddr = u64_to_user_ptr(ip.a);
> +			params[n].u.ubuf.size = ip.b;
> +
> +			if (!access_ok(params[n].u.ubuf.uaddr,
> +				       params[n].u.ubuf.size))
> +				return -EFAULT;
> +
> +			break;
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
> @@ -455,6 +466,11 @@ static int params_to_user(struct tee_ioctl_param __user *uparams,
>   			    put_user(p->u.value.c, &up->c))
>   				return -EFAULT;
>   			break;
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
> +			if (put_user((u64)p->u.ubuf.size, &up->b))
> +				return -EFAULT;
> +			break;
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>   			if (put_user((u64)p->u.memref.size, &up->b))
> @@ -655,6 +671,13 @@ static int params_to_supp(struct tee_context *ctx,
>   			ip.b = p->u.value.b;
>   			ip.c = p->u.value.c;
>   			break;
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
> +			ip.a = (u64)p->u.ubuf.uaddr;
> +			ip.b = p->u.ubuf.size;
> +			ip.c = 0;
> +			break;
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
> @@ -757,6 +780,16 @@ static int params_from_supp(struct tee_param *params, size_t num_params,
>   			p->u.value.b = ip.b;
>   			p->u.value.c = ip.c;
>   			break;
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
> +		case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
> +			p->u.ubuf.uaddr = u64_to_user_ptr(ip.a);
> +			p->u.ubuf.size = ip.b;
> +
> +			if (!access_ok(params[n].u.ubuf.uaddr,
> +				       params[n].u.ubuf.size))
> +				return -EFAULT;
> +
> +			break;
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>   		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>   			/*
> diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h
> index a54c203000ed..78bbf12f02f0 100644
> --- a/include/linux/tee_drv.h
> +++ b/include/linux/tee_drv.h
> @@ -82,6 +82,11 @@ struct tee_param_memref {
>   	struct tee_shm *shm;
>   };
>   
> +struct tee_param_ubuf {
> +	void * __user uaddr;
> +	size_t size;
> +};
> +
>   struct tee_param_value {
>   	u64 a;
>   	u64 b;
> @@ -92,6 +97,7 @@ struct tee_param {
>   	u64 attr;
>   	union {
>   		struct tee_param_memref memref;
> +		struct tee_param_ubuf ubuf;
>   		struct tee_param_value value;
>   	} u;
>   };
> diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
> index d0430bee8292..3e9b1ec5dfde 100644
> --- a/include/uapi/linux/tee.h
> +++ b/include/uapi/linux/tee.h
> @@ -151,6 +151,13 @@ struct tee_ioctl_buf_data {
>   #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT	6
>   #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT	7	/* input and output */
>   
> +/*
> + * These defines userspace buffer parameters.
> + */
> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT	8
> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT	9
> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT	10	/* input and output */
> +
>   /*
>    * Mask for the type part of the attribute, leaves room for more types
>    */
> @@ -186,14 +193,17 @@ struct tee_ioctl_buf_data {
>   /**
>    * struct tee_ioctl_param - parameter
>    * @attr: attributes
> - * @a: if a memref, offset into the shared memory object, else a value parameter
> - * @b: if a memref, size of the buffer, else a value parameter
> + * @a: if a memref, offset into the shared memory object,
> + *     else if a ubuf, address of the user buffer,
> + *     else a value parameter
> + * @b: if a memref or ubuf, size of the buffer, else a value parameter
>    * @c: if a memref, shared memory identifier, else a value parameter
>    *
> - * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref or value is used in
> - * the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value and
> - * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref. TEE_PARAM_ATTR_TYPE_NONE
> - * indicates that none of the members are used.
> + * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref, ubuf, or value is
> + * used in the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value,
> + * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref, and TEE_PARAM_ATTR_TYPE_UBUF_*
> + * indicates ubuf. TEE_PARAM_ATTR_TYPE_NONE indicates that none of the members
> + * are used.
>    *
>    * Shared memory is allocated with TEE_IOC_SHM_ALLOC which returns an
>    * identifier representing the shared memory object. A memref can reference
>
Re: [PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
Posted by Amirreza Zarrabi 6 months, 1 week ago
Hi Andrew,

On 6/12/2025 8:40 AM, Andrew Davis wrote:
> On 5/27/25 1:56 AM, Amirreza Zarrabi wrote:
>> For drivers that can transfer data to the TEE without using shared
>> memory from client, it is necessary to receive the user address
>> directly, bypassing any processing by the TEE subsystem. Introduce
>> TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT/OUTPUT/INOUT to represent
>> userspace buffers.
>>
> 
> Could you expand on this, what is the issue with normal MEMREF?
> 

QTEE supports two types of data passing: (1) memory objects and (2) buffers.
A memory object can be a normal shared memory (shm) instance. However, a
buffer is an [offset, size] pair referring to the transport memory shared
with QTEE (established at the begining of the invocation).

There is no direct representation of VALUE in the QTEE ABI, so even basic
data types, such as int, must be passed as a buffer [offset, sizeof(int)].
VALUE cannot be used because it only represents a u64 data size. While MEMREF
is an option, it requires additional ioctl calls and memory copies.

For example, if you need to send three integers to QTEE, you would require:
  (1) Three ioctl calls to allocate three shared memory pages.
  (2) Three memcpy operations to copy each integer into its respective shared memory.
  (3) Three memcpy operations to transfer data from shared memory to the
      transport buffer shared with QTEE.

You can optimize this slightly by making a single ioctl call for shared
memory allocation. However, the backend still needs to inspect the shared
memory, parse it, and extract the data and size information.

With UBUF, the user passes the user address and size, and there is only one
copy_from_user in the backend.

Regards,
Amir  

> Andrew
> 
>> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
>> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
>> Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
>> ---
>>   drivers/tee/tee_core.c   | 33 +++++++++++++++++++++++++++++++++
>>   include/linux/tee_drv.h  |  6 ++++++
>>   include/uapi/linux/tee.h | 22 ++++++++++++++++------
>>   3 files changed, 55 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
>> index b9ea5a85278c..74e40ed83fa7 100644
>> --- a/drivers/tee/tee_core.c
>> +++ b/drivers/tee/tee_core.c
>> @@ -387,6 +387,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
>>               params[n].u.value.b = ip.b;
>>               params[n].u.value.c = ip.c;
>>               break;
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
>> +            params[n].u.ubuf.uaddr = u64_to_user_ptr(ip.a);
>> +            params[n].u.ubuf.size = ip.b;
>> +
>> +            if (!access_ok(params[n].u.ubuf.uaddr,
>> +                       params[n].u.ubuf.size))
>> +                return -EFAULT;
>> +
>> +            break;
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>> @@ -455,6 +466,11 @@ static int params_to_user(struct tee_ioctl_param __user *uparams,
>>                   put_user(p->u.value.c, &up->c))
>>                   return -EFAULT;
>>               break;
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
>> +            if (put_user((u64)p->u.ubuf.size, &up->b))
>> +                return -EFAULT;
>> +            break;
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>>               if (put_user((u64)p->u.memref.size, &up->b))
>> @@ -655,6 +671,13 @@ static int params_to_supp(struct tee_context *ctx,
>>               ip.b = p->u.value.b;
>>               ip.c = p->u.value.c;
>>               break;
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
>> +            ip.a = (u64)p->u.ubuf.uaddr;
>> +            ip.b = p->u.ubuf.size;
>> +            ip.c = 0;
>> +            break;
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>> @@ -757,6 +780,16 @@ static int params_from_supp(struct tee_param *params, size_t num_params,
>>               p->u.value.b = ip.b;
>>               p->u.value.c = ip.c;
>>               break;
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
>> +        case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
>> +            p->u.ubuf.uaddr = u64_to_user_ptr(ip.a);
>> +            p->u.ubuf.size = ip.b;
>> +
>> +            if (!access_ok(params[n].u.ubuf.uaddr,
>> +                       params[n].u.ubuf.size))
>> +                return -EFAULT;
>> +
>> +            break;
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
>>           case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
>>               /*
>> diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h
>> index a54c203000ed..78bbf12f02f0 100644
>> --- a/include/linux/tee_drv.h
>> +++ b/include/linux/tee_drv.h
>> @@ -82,6 +82,11 @@ struct tee_param_memref {
>>       struct tee_shm *shm;
>>   };
>>   +struct tee_param_ubuf {
>> +    void * __user uaddr;
>> +    size_t size;
>> +};
>> +
>>   struct tee_param_value {
>>       u64 a;
>>       u64 b;
>> @@ -92,6 +97,7 @@ struct tee_param {
>>       u64 attr;
>>       union {
>>           struct tee_param_memref memref;
>> +        struct tee_param_ubuf ubuf;
>>           struct tee_param_value value;
>>       } u;
>>   };
>> diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
>> index d0430bee8292..3e9b1ec5dfde 100644
>> --- a/include/uapi/linux/tee.h
>> +++ b/include/uapi/linux/tee.h
>> @@ -151,6 +151,13 @@ struct tee_ioctl_buf_data {
>>   #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT    6
>>   #define TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT    7    /* input and output */
>>   +/*
>> + * These defines userspace buffer parameters.
>> + */
>> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT    8
>> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT    9
>> +#define TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT    10    /* input and output */
>> +
>>   /*
>>    * Mask for the type part of the attribute, leaves room for more types
>>    */
>> @@ -186,14 +193,17 @@ struct tee_ioctl_buf_data {
>>   /**
>>    * struct tee_ioctl_param - parameter
>>    * @attr: attributes
>> - * @a: if a memref, offset into the shared memory object, else a value parameter
>> - * @b: if a memref, size of the buffer, else a value parameter
>> + * @a: if a memref, offset into the shared memory object,
>> + *     else if a ubuf, address of the user buffer,
>> + *     else a value parameter
>> + * @b: if a memref or ubuf, size of the buffer, else a value parameter
>>    * @c: if a memref, shared memory identifier, else a value parameter
>>    *
>> - * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref or value is used in
>> - * the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value and
>> - * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref. TEE_PARAM_ATTR_TYPE_NONE
>> - * indicates that none of the members are used.
>> + * @attr & TEE_PARAM_ATTR_TYPE_MASK indicates if memref, ubuf, or value is
>> + * used in the union. TEE_PARAM_ATTR_TYPE_VALUE_* indicates value,
>> + * TEE_PARAM_ATTR_TYPE_MEMREF_* indicates memref, and TEE_PARAM_ATTR_TYPE_UBUF_*
>> + * indicates ubuf. TEE_PARAM_ATTR_TYPE_NONE indicates that none of the members
>> + * are used.
>>    *
>>    * Shared memory is allocated with TEE_IOC_SHM_ALLOC which returns an
>>    * identifier representing the shared memory object. A memref can reference
>>

Re: [PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
Posted by kernel test robot 6 months, 3 weeks ago
Hi Amirreza,

kernel test robot noticed the following build warnings:

[auto build test WARNING on 3be1a7a31fbda82f3604b6c31e4f390110de1b46]

url:    https://github.com/intel-lab-lkp/linux/commits/Amirreza-Zarrabi/tee-allow-a-driver-to-allocate-a-tee_device-without-a-pool/20250527-151020
base:   3be1a7a31fbda82f3604b6c31e4f390110de1b46
patch link:    https://lore.kernel.org/r/20250526-qcom-tee-using-tee-ss-without-mem-obj-v5-3-024e3221b0b9%40oss.qualcomm.com
patch subject: [PATCH v5 03/12] tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
config: arm64-randconfig-r121-20250527 (https://download.01.org/0day-ci/archive/20250528/202505280721.abBn0GaE-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 8.5.0
reproduce: (https://download.01.org/0day-ci/archive/20250528/202505280721.abBn0GaE-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505280721.abBn0GaE-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   drivers/tee/tee_core.c:393:48: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *[noderef] uaddr @@     got void [noderef] __user * @@
   drivers/tee/tee_core.c:393:48: sparse:     expected void *[noderef] uaddr
   drivers/tee/tee_core.c:393:48: sparse:     got void [noderef] __user *
>> drivers/tee/tee_core.c:396:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void const [noderef] __user *addr @@     got void *[noderef] uaddr @@
   drivers/tee/tee_core.c:396:56: sparse:     expected void const [noderef] __user *addr
   drivers/tee/tee_core.c:396:56: sparse:     got void *[noderef] uaddr
   drivers/tee/tee_core.c:785:41: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *[noderef] uaddr @@     got void [noderef] __user * @@
   drivers/tee/tee_core.c:785:41: sparse:     expected void *[noderef] uaddr
   drivers/tee/tee_core.c:785:41: sparse:     got void [noderef] __user *
   drivers/tee/tee_core.c:788:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void const [noderef] __user *addr @@     got void *[noderef] uaddr @@
   drivers/tee/tee_core.c:788:56: sparse:     expected void const [noderef] __user *addr
   drivers/tee/tee_core.c:788:56: sparse:     got void *[noderef] uaddr
   drivers/tee/tee_core.c:396:46: sparse: sparse: dereference of noderef expression
   drivers/tee/tee_core.c:396:46: sparse: sparse: dereference of noderef expression
   drivers/tee/tee_core.c:677:37: sparse: sparse: dereference of noderef expression
   drivers/tee/tee_core.c:788:46: sparse: sparse: dereference of noderef expression
   drivers/tee/tee_core.c:788:46: sparse: sparse: dereference of noderef expression

vim +396 drivers/tee/tee_core.c

   361	
   362	static int params_from_user(struct tee_context *ctx, struct tee_param *params,
   363				    size_t num_params,
   364				    struct tee_ioctl_param __user *uparams)
   365	{
   366		size_t n;
   367	
   368		for (n = 0; n < num_params; n++) {
   369			struct tee_shm *shm;
   370			struct tee_ioctl_param ip;
   371	
   372			if (copy_from_user(&ip, uparams + n, sizeof(ip)))
   373				return -EFAULT;
   374	
   375			/* All unused attribute bits has to be zero */
   376			if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK)
   377				return -EINVAL;
   378	
   379			params[n].attr = ip.attr;
   380			switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
   381			case TEE_IOCTL_PARAM_ATTR_TYPE_NONE:
   382			case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
   383				break;
   384			case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
   385			case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
   386				params[n].u.value.a = ip.a;
   387				params[n].u.value.b = ip.b;
   388				params[n].u.value.c = ip.c;
   389				break;
   390			case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT:
   391			case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT:
   392			case TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INOUT:
   393				params[n].u.ubuf.uaddr = u64_to_user_ptr(ip.a);
   394				params[n].u.ubuf.size = ip.b;
   395	
 > 396				if (!access_ok(params[n].u.ubuf.uaddr,
   397					       params[n].u.ubuf.size))
   398					return -EFAULT;
   399	
   400				break;
   401			case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
   402			case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
   403			case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
   404				/*
   405				 * If a NULL pointer is passed to a TA in the TEE,
   406				 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL
   407				 * indicating a NULL memory reference.
   408				 */
   409				if (ip.c != TEE_MEMREF_NULL) {
   410					/*
   411					 * If we fail to get a pointer to a shared
   412					 * memory object (and increase the ref count)
   413					 * from an identifier we return an error. All
   414					 * pointers that has been added in params have
   415					 * an increased ref count. It's the callers
   416					 * responibility to do tee_shm_put() on all
   417					 * resolved pointers.
   418					 */
   419					shm = tee_shm_get_from_id(ctx, ip.c);
   420					if (IS_ERR(shm))
   421						return PTR_ERR(shm);
   422	
   423					/*
   424					 * Ensure offset + size does not overflow
   425					 * offset and does not overflow the size of
   426					 * the referred shared memory object.
   427					 */
   428					if ((ip.a + ip.b) < ip.a ||
   429					    (ip.a + ip.b) > shm->size) {
   430						tee_shm_put(shm);
   431						return -EINVAL;
   432					}
   433				} else if (ctx->cap_memref_null) {
   434					/* Pass NULL pointer to OP-TEE */
   435					shm = NULL;
   436				} else {
   437					return -EINVAL;
   438				}
   439	
   440				params[n].u.memref.shm_offs = ip.a;
   441				params[n].u.memref.size = ip.b;
   442				params[n].u.memref.shm = shm;
   443				break;
   444			default:
   445				/* Unknown attribute */
   446				return -EINVAL;
   447			}
   448		}
   449		return 0;
   450	}
   451	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki