* [PATCH 0/2] AMD-TEE driver bug fixes
@ 2020-11-04 6:26 Rijo Thomas
2020-11-04 6:26 ` [PATCH 1/2] tee: amdtee: fix memory leak due to reset of global shm list Rijo Thomas
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Rijo Thomas @ 2020-11-04 6:26 UTC (permalink / raw)
To: Jens Wiklander; +Cc: Rijo Thomas, Devaraj Rangasamy, op-tee, linux-kernel
AMD-TEE driver keeps track of shared memory buffers and their
corresponding buffer id's in a global linked list. These buffers are
used to share data between x86 and AMD Secure Processor. This patchset
fixes issues related to maintaining mapped buffers in a shared linked
list.
Rijo Thomas (2):
tee: amdtee: fix memory leak due to reset of global shm list
tee: amdtee: synchronize access to shm list
drivers/tee/amdtee/amdtee_private.h | 8 ++++----
drivers/tee/amdtee/core.c | 26 +++++++++++++++++++-------
2 files changed, 23 insertions(+), 11 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] tee: amdtee: fix memory leak due to reset of global shm list
2020-11-04 6:26 [PATCH 0/2] AMD-TEE driver bug fixes Rijo Thomas
@ 2020-11-04 6:26 ` Rijo Thomas
2020-11-04 6:26 ` [PATCH 2/2] tee: amdtee: synchronize access to " Rijo Thomas
2020-11-09 7:47 ` [PATCH 0/2] AMD-TEE driver bug fixes Jens Wiklander
2 siblings, 0 replies; 4+ messages in thread
From: Rijo Thomas @ 2020-11-04 6:26 UTC (permalink / raw)
To: Jens Wiklander; +Cc: Rijo Thomas, Devaraj Rangasamy, op-tee, linux-kernel
The driver maintains a list of shared memory buffers along with their
mapped buffer id's in a global linked list. These buffers need to be
unmapped after use by the user-space client.
The global shared memory list is initialized to zero entries in the
function amdtee_open(). This clearing of list entries can be a source
for memory leak on secure side if the global linked list previously
held some mapped buffer entries allocated from another TEE context.
Fix potential memory leak issue by moving global shared memory list
to AMD-TEE driver context data structure.
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
---
drivers/tee/amdtee/amdtee_private.h | 7 +++----
drivers/tee/amdtee/core.c | 18 +++++++++++-------
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/drivers/tee/amdtee/amdtee_private.h b/drivers/tee/amdtee/amdtee_private.h
index d7f798c3394b..97df16a17285 100644
--- a/drivers/tee/amdtee/amdtee_private.h
+++ b/drivers/tee/amdtee/amdtee_private.h
@@ -64,9 +64,12 @@ struct amdtee_session {
/**
* struct amdtee_context_data - AMD-TEE driver context data
* @sess_list: Keeps track of sessions opened in current TEE context
+ * @shm_list: Keeps track of buffers allocated and mapped in current TEE
+ * context
*/
struct amdtee_context_data {
struct list_head sess_list;
+ struct list_head shm_list;
};
struct amdtee_driver_data {
@@ -89,10 +92,6 @@ struct amdtee_shm_data {
u32 buf_id;
};
-struct amdtee_shm_context {
- struct list_head shmdata_list;
-};
-
#define LOWER_TWO_BYTE_MASK 0x0000FFFF
/**
diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c
index 27b4cd77d0db..ce61c68ec58c 100644
--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -20,7 +20,6 @@
static struct amdtee_driver_data *drv_data;
static DEFINE_MUTEX(session_list_mutex);
-static struct amdtee_shm_context shmctx;
static void amdtee_get_version(struct tee_device *teedev,
struct tee_ioctl_version_data *vers)
@@ -42,7 +41,7 @@ static int amdtee_open(struct tee_context *ctx)
return -ENOMEM;
INIT_LIST_HEAD(&ctxdata->sess_list);
- INIT_LIST_HEAD(&shmctx.shmdata_list);
+ INIT_LIST_HEAD(&ctxdata->shm_list);
ctx->data = ctxdata;
return 0;
@@ -152,10 +151,11 @@ static struct amdtee_session *find_session(struct amdtee_context_data *ctxdata,
u32 get_buffer_id(struct tee_shm *shm)
{
- u32 buf_id = 0;
+ struct amdtee_context_data *ctxdata = shm->ctx->data;
struct amdtee_shm_data *shmdata;
+ u32 buf_id = 0;
- list_for_each_entry(shmdata, &shmctx.shmdata_list, shm_node)
+ list_for_each_entry(shmdata, &ctxdata->shm_list, shm_node)
if (shmdata->kaddr == shm->kaddr) {
buf_id = shmdata->buf_id;
break;
@@ -333,8 +333,9 @@ int amdtee_close_session(struct tee_context *ctx, u32 session)
int amdtee_map_shmem(struct tee_shm *shm)
{
- struct shmem_desc shmem;
+ struct amdtee_context_data *ctxdata;
struct amdtee_shm_data *shmnode;
+ struct shmem_desc shmem;
int rc, count;
u32 buf_id;
@@ -362,7 +363,8 @@ int amdtee_map_shmem(struct tee_shm *shm)
shmnode->kaddr = shm->kaddr;
shmnode->buf_id = buf_id;
- list_add(&shmnode->shm_node, &shmctx.shmdata_list);
+ ctxdata = shm->ctx->data;
+ list_add(&shmnode->shm_node, &ctxdata->shm_list);
pr_debug("buf_id :[%x] kaddr[%p]\n", shmnode->buf_id, shmnode->kaddr);
@@ -371,6 +373,7 @@ int amdtee_map_shmem(struct tee_shm *shm)
void amdtee_unmap_shmem(struct tee_shm *shm)
{
+ struct amdtee_context_data *ctxdata;
struct amdtee_shm_data *shmnode;
u32 buf_id;
@@ -381,7 +384,8 @@ void amdtee_unmap_shmem(struct tee_shm *shm)
/* Unmap the shared memory from TEE */
handle_unmap_shmem(buf_id);
- list_for_each_entry(shmnode, &shmctx.shmdata_list, shm_node)
+ ctxdata = shm->ctx->data;
+ list_for_each_entry(shmnode, &ctxdata->shm_list, shm_node)
if (buf_id == shmnode->buf_id) {
list_del(&shmnode->shm_node);
kfree(shmnode);
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] tee: amdtee: synchronize access to shm list
2020-11-04 6:26 [PATCH 0/2] AMD-TEE driver bug fixes Rijo Thomas
2020-11-04 6:26 ` [PATCH 1/2] tee: amdtee: fix memory leak due to reset of global shm list Rijo Thomas
@ 2020-11-04 6:26 ` Rijo Thomas
2020-11-09 7:47 ` [PATCH 0/2] AMD-TEE driver bug fixes Jens Wiklander
2 siblings, 0 replies; 4+ messages in thread
From: Rijo Thomas @ 2020-11-04 6:26 UTC (permalink / raw)
To: Jens Wiklander; +Cc: Rijo Thomas, Devaraj Rangasamy, op-tee, linux-kernel
Synchronize access to shm or shared memory buffer list to prevent
race conditions due to concurrent updates to shared shm list by
multiple threads.
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
---
drivers/tee/amdtee/amdtee_private.h | 1 +
drivers/tee/amdtee/core.c | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/drivers/tee/amdtee/amdtee_private.h b/drivers/tee/amdtee/amdtee_private.h
index 97df16a17285..337c8d82f74e 100644
--- a/drivers/tee/amdtee/amdtee_private.h
+++ b/drivers/tee/amdtee/amdtee_private.h
@@ -70,6 +70,7 @@ struct amdtee_session {
struct amdtee_context_data {
struct list_head sess_list;
struct list_head shm_list;
+ struct mutex shm_mutex; /* synchronizes access to @shm_list */
};
struct amdtee_driver_data {
diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c
index ce61c68ec58c..8a6a8f30bb42 100644
--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -42,6 +42,7 @@ static int amdtee_open(struct tee_context *ctx)
INIT_LIST_HEAD(&ctxdata->sess_list);
INIT_LIST_HEAD(&ctxdata->shm_list);
+ mutex_init(&ctxdata->shm_mutex);
ctx->data = ctxdata;
return 0;
@@ -85,6 +86,7 @@ static void amdtee_release(struct tee_context *ctx)
list_del(&sess->list_node);
release_session(sess);
}
+ mutex_destroy(&ctxdata->shm_mutex);
kfree(ctxdata);
ctx->data = NULL;
@@ -155,11 +157,13 @@ u32 get_buffer_id(struct tee_shm *shm)
struct amdtee_shm_data *shmdata;
u32 buf_id = 0;
+ mutex_lock(&ctxdata->shm_mutex);
list_for_each_entry(shmdata, &ctxdata->shm_list, shm_node)
if (shmdata->kaddr == shm->kaddr) {
buf_id = shmdata->buf_id;
break;
}
+ mutex_unlock(&ctxdata->shm_mutex);
return buf_id;
}
@@ -364,7 +368,9 @@ int amdtee_map_shmem(struct tee_shm *shm)
shmnode->kaddr = shm->kaddr;
shmnode->buf_id = buf_id;
ctxdata = shm->ctx->data;
+ mutex_lock(&ctxdata->shm_mutex);
list_add(&shmnode->shm_node, &ctxdata->shm_list);
+ mutex_unlock(&ctxdata->shm_mutex);
pr_debug("buf_id :[%x] kaddr[%p]\n", shmnode->buf_id, shmnode->kaddr);
@@ -385,12 +391,14 @@ void amdtee_unmap_shmem(struct tee_shm *shm)
handle_unmap_shmem(buf_id);
ctxdata = shm->ctx->data;
+ mutex_lock(&ctxdata->shm_mutex);
list_for_each_entry(shmnode, &ctxdata->shm_list, shm_node)
if (buf_id == shmnode->buf_id) {
list_del(&shmnode->shm_node);
kfree(shmnode);
break;
}
+ mutex_unlock(&ctxdata->shm_mutex);
}
int amdtee_invoke_func(struct tee_context *ctx,
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/2] AMD-TEE driver bug fixes
2020-11-04 6:26 [PATCH 0/2] AMD-TEE driver bug fixes Rijo Thomas
2020-11-04 6:26 ` [PATCH 1/2] tee: amdtee: fix memory leak due to reset of global shm list Rijo Thomas
2020-11-04 6:26 ` [PATCH 2/2] tee: amdtee: synchronize access to " Rijo Thomas
@ 2020-11-09 7:47 ` Jens Wiklander
2 siblings, 0 replies; 4+ messages in thread
From: Jens Wiklander @ 2020-11-09 7:47 UTC (permalink / raw)
To: Rijo Thomas; +Cc: Devaraj Rangasamy, op-tee, Linux Kernel Mailing List
Hi Rijo,
On Wed, Nov 4, 2020 at 7:26 AM Rijo Thomas <Rijo-john.Thomas@amd.com> wrote:
>
> AMD-TEE driver keeps track of shared memory buffers and their
> corresponding buffer id's in a global linked list. These buffers are
> used to share data between x86 and AMD Secure Processor. This patchset
> fixes issues related to maintaining mapped buffers in a shared linked
> list.
>
> Rijo Thomas (2):
> tee: amdtee: fix memory leak due to reset of global shm list
> tee: amdtee: synchronize access to shm list
>
> drivers/tee/amdtee/amdtee_private.h | 8 ++++----
> drivers/tee/amdtee/core.c | 26 +++++++++++++++++++-------
> 2 files changed, 23 insertions(+), 11 deletions(-)
This series looks good. I'll pick it up.
Thanks,
Jens
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-11-09 7:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-04 6:26 [PATCH 0/2] AMD-TEE driver bug fixes Rijo Thomas
2020-11-04 6:26 ` [PATCH 1/2] tee: amdtee: fix memory leak due to reset of global shm list Rijo Thomas
2020-11-04 6:26 ` [PATCH 2/2] tee: amdtee: synchronize access to " Rijo Thomas
2020-11-09 7:47 ` [PATCH 0/2] AMD-TEE driver bug fixes Jens Wiklander
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).