* [RFT PATCH v2] tee: shm: Remove refcounting of kernel pages
@ 2026-02-20 8:49 Sumit Garg via OP-TEE
2026-02-27 15:15 ` Sven Püschel
0 siblings, 1 reply; 3+ messages in thread
From: Sumit Garg via OP-TEE @ 2026-02-20 8:49 UTC (permalink / raw)
To: op-tee; +Cc: vbabka, akpm, willy, m.felsch, s.pueschel, Sumit Garg
From: Matthew Wilcox <willy@infradead.org>
Earlier TEE subsystem assumed to refcount all the memory pages to be
shared with TEE implementation to be refcounted. However, the slab
allocations within the kernel don't allow refcounting kernel pages.
It is rather better to trust the kernel clients to not free pages while
being shared with TEE implementation. Hence, remove refcounting of kernel
pages from register_shm_helper() API.
Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
Reported-by: Marco Felsch <m.felsch@pengutronix.de>
Reported-by: Sven Püschel <s.pueschel@pengutronix.de>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
---
Changes in v2:
- Attribute Matthew as the author of this patch.
- Fix check for user pages.
drivers/tee/tee_shm.c | 27 ---------------------------
1 file changed, 27 deletions(-)
diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index 4a47de4bb2e5..898707ca21a8 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -23,29 +23,11 @@ struct tee_shm_dma_mem {
struct page *page;
};
-static void shm_put_kernel_pages(struct page **pages, size_t page_count)
-{
- size_t n;
-
- for (n = 0; n < page_count; n++)
- put_page(pages[n]);
-}
-
-static void shm_get_kernel_pages(struct page **pages, size_t page_count)
-{
- size_t n;
-
- for (n = 0; n < page_count; n++)
- get_page(pages[n]);
-}
-
static void release_registered_pages(struct tee_shm *shm)
{
if (shm->pages) {
if (shm->flags & TEE_SHM_USER_MAPPED)
unpin_user_pages(shm->pages, shm->num_pages);
- else
- shm_put_kernel_pages(shm->pages, shm->num_pages);
kfree(shm->pages);
}
@@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
goto err_put_shm_pages;
}
- /*
- * iov_iter_extract_kvec_pages does not get reference on the pages,
- * get a reference on them.
- */
- if (iov_iter_is_kvec(iter))
- shm_get_kernel_pages(shm->pages, num_pages);
-
shm->offset = off;
shm->size = len;
shm->num_pages = num_pages;
@@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
err_put_shm_pages:
if (!iov_iter_is_kvec(iter))
unpin_user_pages(shm->pages, shm->num_pages);
- else
- shm_put_kernel_pages(shm->pages, shm->num_pages);
err_free_shm_pages:
kfree(shm->pages);
err_free_shm:
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [RFT PATCH v2] tee: shm: Remove refcounting of kernel pages
2026-02-20 8:49 [RFT PATCH v2] tee: shm: Remove refcounting of kernel pages Sumit Garg via OP-TEE
@ 2026-02-27 15:15 ` Sven Püschel
2026-03-11 6:47 ` Jens Wiklander
0 siblings, 1 reply; 3+ messages in thread
From: Sven Püschel @ 2026-02-27 15:15 UTC (permalink / raw)
To: Sumit Garg, op-tee; +Cc: vbabka, akpm, willy, m.felsch, Sumit Garg, kernel
On 2/20/26 9:49 AM, Sumit Garg wrote:
> From: Matthew Wilcox <willy@infradead.org>
>
> Earlier TEE subsystem assumed to refcount all the memory pages to be
> shared with TEE implementation to be refcounted. However, the slab
> allocations within the kernel don't allow refcounting kernel pages.
>
> It is rather better to trust the kernel clients to not free pages while
> being shared with TEE implementation. Hence, remove refcounting of kernel
> pages from register_shm_helper() API.
>
> Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
> Reported-by: Marco Felsch <m.felsch@pengutronix.de>
> Reported-by: Sven Püschel <s.pueschel@pengutronix.de>
> Signed-off-by: Matthew Wilcox <willy@infradead.org>
> Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
> Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Tested-by: Sven Püschel <s.pueschel@pengutronix.de>
tested with a30b36143a41 ("Linux 6.19.4") and removed my reported
warning stacktrace.
Sincerely
Sven
> ---
>
> Changes in v2:
> - Attribute Matthew as the author of this patch.
> - Fix check for user pages.
>
> drivers/tee/tee_shm.c | 27 ---------------------------
> 1 file changed, 27 deletions(-)
>
> diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
> index 4a47de4bb2e5..898707ca21a8 100644
> --- a/drivers/tee/tee_shm.c
> +++ b/drivers/tee/tee_shm.c
> @@ -23,29 +23,11 @@ struct tee_shm_dma_mem {
> struct page *page;
> };
>
> -static void shm_put_kernel_pages(struct page **pages, size_t page_count)
> -{
> - size_t n;
> -
> - for (n = 0; n < page_count; n++)
> - put_page(pages[n]);
> -}
> -
> -static void shm_get_kernel_pages(struct page **pages, size_t page_count)
> -{
> - size_t n;
> -
> - for (n = 0; n < page_count; n++)
> - get_page(pages[n]);
> -}
> -
> static void release_registered_pages(struct tee_shm *shm)
> {
> if (shm->pages) {
> if (shm->flags & TEE_SHM_USER_MAPPED)
> unpin_user_pages(shm->pages, shm->num_pages);
> - else
> - shm_put_kernel_pages(shm->pages, shm->num_pages);
>
> kfree(shm->pages);
> }
> @@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
> goto err_put_shm_pages;
> }
>
> - /*
> - * iov_iter_extract_kvec_pages does not get reference on the pages,
> - * get a reference on them.
> - */
> - if (iov_iter_is_kvec(iter))
> - shm_get_kernel_pages(shm->pages, num_pages);
> -
> shm->offset = off;
> shm->size = len;
> shm->num_pages = num_pages;
> @@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
> err_put_shm_pages:
> if (!iov_iter_is_kvec(iter))
> unpin_user_pages(shm->pages, shm->num_pages);
> - else
> - shm_put_kernel_pages(shm->pages, shm->num_pages);
> err_free_shm_pages:
> kfree(shm->pages);
> err_free_shm:
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFT PATCH v2] tee: shm: Remove refcounting of kernel pages
2026-02-27 15:15 ` Sven Püschel
@ 2026-03-11 6:47 ` Jens Wiklander
0 siblings, 0 replies; 3+ messages in thread
From: Jens Wiklander @ 2026-03-11 6:47 UTC (permalink / raw)
To: Sven Püschel
Cc: Sumit Garg, op-tee, vbabka, akpm, willy, m.felsch, Sumit Garg,
kernel
On Fri, Feb 27, 2026 at 4:15 PM Sven Püschel <s.pueschel@pengutronix.de> wrote:
>
> On 2/20/26 9:49 AM, Sumit Garg wrote:
>
> > From: Matthew Wilcox <willy@infradead.org>
> >
> > Earlier TEE subsystem assumed to refcount all the memory pages to be
> > shared with TEE implementation to be refcounted. However, the slab
> > allocations within the kernel don't allow refcounting kernel pages.
> >
> > It is rather better to trust the kernel clients to not free pages while
> > being shared with TEE implementation. Hence, remove refcounting of kernel
> > pages from register_shm_helper() API.
> >
> > Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
> > Reported-by: Marco Felsch <m.felsch@pengutronix.de>
> > Reported-by: Sven Püschel <s.pueschel@pengutronix.de>
> > Signed-off-by: Matthew Wilcox <willy@infradead.org>
> > Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
> > Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
>
> Tested-by: Sven Püschel <s.pueschel@pengutronix.de>
>
> tested with a30b36143a41 ("Linux 6.19.4") and removed my reported
> warning stacktrace.
I'm picking up this.
Thanks,
Jens
>
>
> Sincerely
> Sven
>
> > ---
> >
> > Changes in v2:
> > - Attribute Matthew as the author of this patch.
> > - Fix check for user pages.
> >
> > drivers/tee/tee_shm.c | 27 ---------------------------
> > 1 file changed, 27 deletions(-)
> >
> > diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
> > index 4a47de4bb2e5..898707ca21a8 100644
> > --- a/drivers/tee/tee_shm.c
> > +++ b/drivers/tee/tee_shm.c
> > @@ -23,29 +23,11 @@ struct tee_shm_dma_mem {
> > struct page *page;
> > };
> >
> > -static void shm_put_kernel_pages(struct page **pages, size_t page_count)
> > -{
> > - size_t n;
> > -
> > - for (n = 0; n < page_count; n++)
> > - put_page(pages[n]);
> > -}
> > -
> > -static void shm_get_kernel_pages(struct page **pages, size_t page_count)
> > -{
> > - size_t n;
> > -
> > - for (n = 0; n < page_count; n++)
> > - get_page(pages[n]);
> > -}
> > -
> > static void release_registered_pages(struct tee_shm *shm)
> > {
> > if (shm->pages) {
> > if (shm->flags & TEE_SHM_USER_MAPPED)
> > unpin_user_pages(shm->pages, shm->num_pages);
> > - else
> > - shm_put_kernel_pages(shm->pages, shm->num_pages);
> >
> > kfree(shm->pages);
> > }
> > @@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
> > goto err_put_shm_pages;
> > }
> >
> > - /*
> > - * iov_iter_extract_kvec_pages does not get reference on the pages,
> > - * get a reference on them.
> > - */
> > - if (iov_iter_is_kvec(iter))
> > - shm_get_kernel_pages(shm->pages, num_pages);
> > -
> > shm->offset = off;
> > shm->size = len;
> > shm->num_pages = num_pages;
> > @@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
> > err_put_shm_pages:
> > if (!iov_iter_is_kvec(iter))
> > unpin_user_pages(shm->pages, shm->num_pages);
> > - else
> > - shm_put_kernel_pages(shm->pages, shm->num_pages);
> > err_free_shm_pages:
> > kfree(shm->pages);
> > err_free_shm:
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-11 6:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-20 8:49 [RFT PATCH v2] tee: shm: Remove refcounting of kernel pages Sumit Garg via OP-TEE
2026-02-27 15:15 ` Sven Püschel
2026-03-11 6:47 ` Jens Wiklander
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox