From: Jens Wiklander <jens.wiklander@linaro.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
valentin.manea@huawei.com, jean-michel.delorme@st.com,
emmanuel.michel@st.com, javier@javigon.com,
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
Mark Rutland <mark.rutland@arm.com>,
Michal Simek <michal.simek@xilinx.com>,
Rob Herring <robh+dt@kernel.org>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH v8 2/4] tee: generic TEE subsystem
Date: Fri, 12 Feb 2016 12:30:07 +0100 [thread overview]
Message-ID: <20160212113006.GA30447@ermac> (raw)
In-Reply-To: <20160212045159.GQ17997@ZenIV.linux.org.uk>
On Fri, Feb 12, 2016 at 04:51:59AM +0000, Al Viro wrote:
> On Thu, Feb 11, 2016 at 06:14:35PM +0100, Jens Wiklander wrote:
>
> > +static int tee_ioctl_shm_alloc(struct tee_context *ctx,
> > + struct tee_ioctl_shm_alloc_data __user *udata)
> > +{
> > + long ret;
> > + struct tee_ioctl_shm_alloc_data data;
> > + struct tee_shm *shm;
> > +
> > + if (copy_from_user(&data, udata, sizeof(data)))
> > + return -EFAULT;
> > +
> > + /* Currently no input flags are supported */
> > + if (data.flags)
> > + return -EINVAL;
> > +
> > + data.fd = -1;
> > +
> > + shm = tee_shm_alloc(ctx->teedev, data.size,
> > + TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
> > + if (IS_ERR(shm))
> > + return PTR_ERR(shm);
> > +
> > + data.flags = shm->flags;
> > + data.size = shm->size;
> > + data.fd = tee_shm_get_fd(shm);
> > + if (data.fd < 0) {
> > + ret = data.fd;
> > + goto err;
> > + }
> > +
> > + if (copy_to_user(udata, &data, sizeof(data))) {
> > + ret = -EFAULT;
> > + goto err;
> > + }
> > + /*
> > + * When user space closes the file descriptor the shared memory
> > + * should be freed
> > + */
> > + tee_shm_put(shm);
> > + return 0;
> > +err:
> > + if (data.fd >= 0)
> > + tee_shm_put_fd(data.fd);
>
> This is completely broken. Don't ever use that pattern. Once something
> is in descriptor table, that's _it_. You are already past the point of
> no return and there is no way to clean up.
>
> In ABIs like that (and struct containing descriptor *is* a bad ABI design)
> solution is
> * allocate a descriptor
> * do everything that might fail, including copy_to_user()/put_user(),
> etc.
> * if failed, release unused descriptor and do fput(), if you already
> have a struct file reference that needs to be released.
> * FINALLY, when nothing no failures are possible, fd_install() the
> sucker in place.
>
> And yes, dma_buf_fd() encourages that kind of braindamage. It's tolerable
> only in one case - when we are about to return descriptor number directly
> as return value of syscall and really can't fail anymore. Not the case
> here.
Thanks for the feedback, I'll change to return the descriptor in the
return value instead.
next prev parent reply other threads:[~2016-02-12 11:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-11 17:14 [PATCH v8 0/4] generic TEE subsystem Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 1/4] dt/bindings: add bindings for optee Jens Wiklander
2016-02-11 17:14 ` [PATCH v8 2/4] tee: generic TEE subsystem Jens Wiklander
2016-02-12 3:15 ` Greg Kroah-Hartman
[not found] ` <1455210877-15748-3-git-send-email-jens.wiklander-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-02-12 4:51 ` Al Viro
2016-02-12 11:30 ` Jens Wiklander [this message]
2016-02-11 17:14 ` [PATCH v8 3/4] tee: add OP-TEE driver Jens Wiklander
[not found] ` <1455210877-15748-1-git-send-email-jens.wiklander-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-02-11 17:14 ` [PATCH v8 4/4] Documentation: tee subsystem and op-tee driver Jens Wiklander
[not found] ` <1455210877-15748-5-git-send-email-jens.wiklander-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-02-11 21:08 ` Randy Dunlap
2016-03-02 11:15 ` [PATCH v8 0/4] generic TEE subsystem Andreas Dannenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160212113006.GA30447@ermac \
--to=jens.wiklander@linaro.org \
--cc=arnd@arndb.de \
--cc=devicetree@vger.kernel.org \
--cc=emmanuel.michel@st.com \
--cc=gregkh@linuxfoundation.org \
--cc=javier@javigon.com \
--cc=jean-michel.delorme@st.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=michal.simek@xilinx.com \
--cc=robh+dt@kernel.org \
--cc=valentin.manea@huawei.com \
--cc=viro@ZenIV.linux.org.uk \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).