[PATCH v8 2/4] tee: generic TEE subsystem

All of lore.kernel.org
 help / color / mirror / Atom feed

From: jens.wiklander@linaro.org (Jens Wiklander)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 2/4] tee: generic TEE subsystem
Date: Fri, 12 Feb 2016 12:30:07 +0100	[thread overview]
Message-ID: <20160212113006.GA30447@ermac> (raw)
In-Reply-To: <20160212045159.GQ17997@ZenIV.linux.org.uk>

On Fri, Feb 12, 2016 at 04:51:59AM +0000, Al Viro wrote:
> On Thu, Feb 11, 2016 at 06:14:35PM +0100, Jens Wiklander wrote:
> 
> > +static int tee_ioctl_shm_alloc(struct tee_context *ctx,
> > +		struct tee_ioctl_shm_alloc_data __user *udata)
> > +{
> > +	long ret;
> > +	struct tee_ioctl_shm_alloc_data data;
> > +	struct tee_shm *shm;
> > +
> > +	if (copy_from_user(&data, udata, sizeof(data)))
> > +		return -EFAULT;
> > +
> > +	/* Currently no input flags are supported */
> > +	if (data.flags)
> > +		return -EINVAL;
> > +
> > +	data.fd = -1;
> > +
> > +	shm = tee_shm_alloc(ctx->teedev, data.size,
> > +			    TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
> > +	if (IS_ERR(shm))
> > +		return PTR_ERR(shm);
> > +
> > +	data.flags = shm->flags;
> > +	data.size = shm->size;
> > +	data.fd = tee_shm_get_fd(shm);
> > +	if (data.fd < 0) {
> > +		ret = data.fd;
> > +		goto err;
> > +	}
> > +
> > +	if (copy_to_user(udata, &data, sizeof(data))) {
> > +		ret = -EFAULT;
> > +		goto err;
> > +	}
> > +	/*
> > +	 * When user space closes the file descriptor the shared memory
> > +	 * should be freed
> > +	 */
> > +	tee_shm_put(shm);
> > +	return 0;
> > +err:
> > +	if (data.fd >= 0)
> > +		tee_shm_put_fd(data.fd);
> 
> This is completely broken.  Don't ever use that pattern.  Once something
> is in descriptor table, that's _it_.  You are already past the point of
> no return and there is no way to clean up.
> 
> In ABIs like that (and struct containing descriptor *is* a bad ABI design)
> solution is
> 	* allocate a descriptor
> 	* do everything that might fail, including copy_to_user()/put_user(),
> etc.
> 	* if failed, release unused descriptor and do fput(), if you already
> have a struct file reference that needs to be released.
> 	* FINALLY, when nothing no failures are possible, fd_install() the
> sucker in place.
> 
> And yes, dma_buf_fd() encourages that kind of braindamage.  It's tolerable
> only in one case - when we are about to return descriptor number directly
> as return value of syscall and really can't fail anymore.  Not the case
> here.

Thanks for the feedback, I'll change to return the descriptor in the
return value instead.

--
Jens

WARNING: multiple messages have this Message-ID (diff)

From: Jens Wiklander <jens.wiklander@linaro.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	valentin.manea@huawei.com, jean-michel.delorme@st.com,
	emmanuel.michel@st.com, javier@javigon.com,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Michal Simek <michal.simek@xilinx.com>,
	Rob Herring <robh+dt@kernel.org>,
	Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH v8 2/4] tee: generic TEE subsystem
Date: Fri, 12 Feb 2016 12:30:07 +0100	[thread overview]
Message-ID: <20160212113006.GA30447@ermac> (raw)
In-Reply-To: <20160212045159.GQ17997@ZenIV.linux.org.uk>

On Fri, Feb 12, 2016 at 04:51:59AM +0000, Al Viro wrote:
> On Thu, Feb 11, 2016 at 06:14:35PM +0100, Jens Wiklander wrote:
> 
> > +static int tee_ioctl_shm_alloc(struct tee_context *ctx,
> > +		struct tee_ioctl_shm_alloc_data __user *udata)
> > +{
> > +	long ret;
> > +	struct tee_ioctl_shm_alloc_data data;
> > +	struct tee_shm *shm;
> > +
> > +	if (copy_from_user(&data, udata, sizeof(data)))
> > +		return -EFAULT;
> > +
> > +	/* Currently no input flags are supported */
> > +	if (data.flags)
> > +		return -EINVAL;
> > +
> > +	data.fd = -1;
> > +
> > +	shm = tee_shm_alloc(ctx->teedev, data.size,
> > +			    TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
> > +	if (IS_ERR(shm))
> > +		return PTR_ERR(shm);
> > +
> > +	data.flags = shm->flags;
> > +	data.size = shm->size;
> > +	data.fd = tee_shm_get_fd(shm);
> > +	if (data.fd < 0) {
> > +		ret = data.fd;
> > +		goto err;
> > +	}
> > +
> > +	if (copy_to_user(udata, &data, sizeof(data))) {
> > +		ret = -EFAULT;
> > +		goto err;
> > +	}
> > +	/*
> > +	 * When user space closes the file descriptor the shared memory
> > +	 * should be freed
> > +	 */
> > +	tee_shm_put(shm);
> > +	return 0;
> > +err:
> > +	if (data.fd >= 0)
> > +		tee_shm_put_fd(data.fd);
> 
> This is completely broken.  Don't ever use that pattern.  Once something
> is in descriptor table, that's _it_.  You are already past the point of
> no return and there is no way to clean up.
> 
> In ABIs like that (and struct containing descriptor *is* a bad ABI design)
> solution is
> 	* allocate a descriptor
> 	* do everything that might fail, including copy_to_user()/put_user(),
> etc.
> 	* if failed, release unused descriptor and do fput(), if you already
> have a struct file reference that needs to be released.
> 	* FINALLY, when nothing no failures are possible, fd_install() the
> sucker in place.
> 
> And yes, dma_buf_fd() encourages that kind of braindamage.  It's tolerable
> only in one case - when we are about to return descriptor number directly
> as return value of syscall and really can't fail anymore.  Not the case
> here.

Thanks for the feedback, I'll change to return the descriptor in the
return value instead.

WARNING: multiple messages have this Message-ID (diff)

From: Jens Wiklander <jens.wiklander@linaro.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	valentin.manea@huawei.com, jean-michel.delorme@st.com,
	emmanuel.michel@st.com, javier@javigon.com,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Michal Simek <michal.simek@xilinx.com>,
	Rob Herring <robh+dt@kernel.org>,
	Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH v8 2/4] tee: generic TEE subsystem
Date: Fri, 12 Feb 2016 12:30:07 +0100	[thread overview]
Message-ID: <20160212113006.GA30447@ermac> (raw)
In-Reply-To: <20160212045159.GQ17997@ZenIV.linux.org.uk>

On Fri, Feb 12, 2016 at 04:51:59AM +0000, Al Viro wrote:
> On Thu, Feb 11, 2016 at 06:14:35PM +0100, Jens Wiklander wrote:
> 
> > +static int tee_ioctl_shm_alloc(struct tee_context *ctx,
> > +		struct tee_ioctl_shm_alloc_data __user *udata)
> > +{
> > +	long ret;
> > +	struct tee_ioctl_shm_alloc_data data;
> > +	struct tee_shm *shm;
> > +
> > +	if (copy_from_user(&data, udata, sizeof(data)))
> > +		return -EFAULT;
> > +
> > +	/* Currently no input flags are supported */
> > +	if (data.flags)
> > +		return -EINVAL;
> > +
> > +	data.fd = -1;
> > +
> > +	shm = tee_shm_alloc(ctx->teedev, data.size,
> > +			    TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
> > +	if (IS_ERR(shm))
> > +		return PTR_ERR(shm);
> > +
> > +	data.flags = shm->flags;
> > +	data.size = shm->size;
> > +	data.fd = tee_shm_get_fd(shm);
> > +	if (data.fd < 0) {
> > +		ret = data.fd;
> > +		goto err;
> > +	}
> > +
> > +	if (copy_to_user(udata, &data, sizeof(data))) {
> > +		ret = -EFAULT;
> > +		goto err;
> > +	}
> > +	/*
> > +	 * When user space closes the file descriptor the shared memory
> > +	 * should be freed
> > +	 */
> > +	tee_shm_put(shm);
> > +	return 0;
> > +err:
> > +	if (data.fd >= 0)
> > +		tee_shm_put_fd(data.fd);
> 
> This is completely broken.  Don't ever use that pattern.  Once something
> is in descriptor table, that's _it_.  You are already past the point of
> no return and there is no way to clean up.
> 
> In ABIs like that (and struct containing descriptor *is* a bad ABI design)
> solution is
> 	* allocate a descriptor
> 	* do everything that might fail, including copy_to_user()/put_user(),
> etc.
> 	* if failed, release unused descriptor and do fput(), if you already
> have a struct file reference that needs to be released.
> 	* FINALLY, when nothing no failures are possible, fd_install() the
> sucker in place.
> 
> And yes, dma_buf_fd() encourages that kind of braindamage.  It's tolerable
> only in one case - when we are about to return descriptor number directly
> as return value of syscall and really can't fail anymore.  Not the case
> here.

Thanks for the feedback, I'll change to return the descriptor in the
return value instead.

--
Jens

next prev parent reply	other threads:[~2016-02-12 11:30 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-11 17:14 [PATCH v8 0/4] generic TEE subsystem Jens Wiklander
2016-02-11 17:14 ` Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 1/4] dt/bindings: add bindings for optee Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 2/4] tee: generic TEE subsystem Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-12  3:15   ` Greg Kroah-Hartman
2016-02-12  3:15     ` Greg Kroah-Hartman
2016-02-12  4:51   ` Al Viro
2016-02-12  4:51     ` Al Viro
2016-02-12  4:51     ` Al Viro
2016-02-12 11:30     ` Jens Wiklander [this message]
2016-02-12 11:30       ` Jens Wiklander
2016-02-12 11:30       ` Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 3/4] tee: add OP-TEE driver Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 4/4] Documentation: tee subsystem and op-tee driver Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 17:14   ` Jens Wiklander
2016-02-11 21:08   ` Randy Dunlap
2016-02-11 21:08     ` Randy Dunlap
2016-02-11 21:08     ` Randy Dunlap
2016-03-02 11:15 ` [PATCH v8 0/4] generic TEE subsystem Andreas Dannenberg
2016-03-02 11:15   ` Andreas Dannenberg
2016-03-02 11:15   ` Andreas Dannenberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160212113006.GA30447@ermac \
    --to=jens.wiklander@linaro.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.