[PATCH] optee: immediately free RPC buffers that are released by OP-TEE

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] optee: immediately free RPC buffers that are released by OP-TEE
@ 2022-05-04  5:49 Jens Wiklander
  2022-05-04 19:59 ` Volodymyr Babchuk
  0 siblings, 1 reply; 3+ messages in thread
From: Jens Wiklander @ 2022-05-04  5:49 UTC (permalink / raw)
  To: xen-devel
  Cc: Jens Wiklander, Volodymyr Babchuk, Stefano Stabellini,
	Julien Grall

This commit fixes a case overlooked in [1].

There are two kinds of shared memory buffers used by OP-TEE:
1. Normal payload buffer
2. Internal command structure buffers

The internal command structure buffers are represented with a shadow
copy internally in Xen since this buffer can contain physical addresses
that may need to be translated between real physical address and guest
physical address without leaking information to the guest.

[1] fixes the problem when releasing the normal payload buffers. The
internal command structure buffers must be released in the same way.
Failure to follow this order opens a window where the guest has freed
the shared memory but Xen is still tracking the buffer.

During this window the guest may happen to recycle this particular
shared memory in some other thread and try to use it. Xen will block
this which will lead to spurious failures to register a new shared
memory block.

Fix this by freeing the internal command structure buffers first before
informing the guest that the buffer can be freed.

[1] 5b13eb1d978e ("optee: immediately free buffers that are released by OP-TEE")

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
---
 xen/arch/arm/tee/optee.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index 8a39fe33b0ef..539a862fd185 100644
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -1149,6 +1149,11 @@ static int handle_rpc_return(struct optee_domain *ctx,
             call->rpc_data_cookie = 0;
         }
         unmap_domain_page(shm_rpc->xen_arg);
+    } else if ( call->rpc_op == OPTEE_SMC_RPC_FUNC_FREE ) {
+        uint64_t cookie = regpair_to_uint64(get_user_reg(regs, 1),
+                                            get_user_reg(regs, 2));
+
+        free_shm_rpc(ctx, cookie);
     }

     return ret;
@@ -1598,13 +1603,6 @@ static void handle_rpc(struct optee_domain *ctx, struct cpu_user_regs *regs)
     case OPTEE_SMC_RPC_FUNC_ALLOC:
         handle_rpc_func_alloc(ctx, regs, call);
         return;
-    case OPTEE_SMC_RPC_FUNC_FREE:
-    {
-        uint64_t cookie = regpair_to_uint64(call->rpc_params[0],
-                                            call->rpc_params[1]);
-        free_shm_rpc(ctx, cookie);
-        break;
-    }
     case OPTEE_SMC_RPC_FUNC_FOREIGN_INTR:
         break;
     case OPTEE_SMC_RPC_FUNC_CMD:
-- 
2.31.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] optee: immediately free RPC buffers that are released by OP-TEE
  2022-05-04  5:49 [PATCH] optee: immediately free RPC buffers that are released by OP-TEE Jens Wiklander
@ 2022-05-04 19:59 ` Volodymyr Babchuk
  2022-05-04 21:40   ` Stefano Stabellini
  0 siblings, 1 reply; 3+ messages in thread
From: Volodymyr Babchuk @ 2022-05-04 19:59 UTC (permalink / raw)
  To: Jens Wiklander
  Cc: xen-devel@lists.xenproject.org, Stefano Stabellini, Julien Grall


Hello Jens,

Jens Wiklander <jens.wiklander@linaro.org> writes:

> This commit fixes a case overlooked in [1].
>
> There are two kinds of shared memory buffers used by OP-TEE:
> 1. Normal payload buffer
> 2. Internal command structure buffers
>
> The internal command structure buffers are represented with a shadow
> copy internally in Xen since this buffer can contain physical addresses
> that may need to be translated between real physical address and guest
> physical address without leaking information to the guest.
>
> [1] fixes the problem when releasing the normal payload buffers. The
> internal command structure buffers must be released in the same way.
> Failure to follow this order opens a window where the guest has freed
> the shared memory but Xen is still tracking the buffer.
>
> During this window the guest may happen to recycle this particular
> shared memory in some other thread and try to use it. Xen will block
> this which will lead to spurious failures to register a new shared
> memory block.
>
> Fix this by freeing the internal command structure buffers first before
> informing the guest that the buffer can be freed.
>
> [1] 5b13eb1d978e ("optee: immediately free buffers that are released by OP-TEE")
>
> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

Thank you for the fix:

Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>


-- 
Volodymyr Babchuk at EPAM

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] optee: immediately free RPC buffers that are released by OP-TEE
  2022-05-04 19:59 ` Volodymyr Babchuk
@ 2022-05-04 21:40   ` Stefano Stabellini
  0 siblings, 0 replies; 3+ messages in thread
From: Stefano Stabellini @ 2022-05-04 21:40 UTC (permalink / raw)
  To: Volodymyr Babchuk
  Cc: Jens Wiklander, xen-devel@lists.xenproject.org,
	Stefano Stabellini, Julien Grall

On Wed, 4 May 2022, Volodymyr Babchuk wrote:
> Hello Jens,
> 
> Jens Wiklander <jens.wiklander@linaro.org> writes:
> 
> > This commit fixes a case overlooked in [1].
> >
> > There are two kinds of shared memory buffers used by OP-TEE:
> > 1. Normal payload buffer
> > 2. Internal command structure buffers
> >
> > The internal command structure buffers are represented with a shadow
> > copy internally in Xen since this buffer can contain physical addresses
> > that may need to be translated between real physical address and guest
> > physical address without leaking information to the guest.
> >
> > [1] fixes the problem when releasing the normal payload buffers. The
> > internal command structure buffers must be released in the same way.
> > Failure to follow this order opens a window where the guest has freed
> > the shared memory but Xen is still tracking the buffer.
> >
> > During this window the guest may happen to recycle this particular
> > shared memory in some other thread and try to use it. Xen will block
> > this which will lead to spurious failures to register a new shared
> > memory block.
> >
> > Fix this by freeing the internal command structure buffers first before
> > informing the guest that the buffer can be freed.
> >
> > [1] 5b13eb1d978e ("optee: immediately free buffers that are released by OP-TEE")
> >
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> 
> Thank you for the fix:
> 
> Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

committed with a small code syle fix


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-05-04 21:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-04  5:49 [PATCH] optee: immediately free RPC buffers that are released by OP-TEE Jens Wiklander
2022-05-04 19:59 ` Volodymyr Babchuk
2022-05-04 21:40   ` Stefano Stabellini

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.