
Merge tag 'amdtee-fixes-for-5.10' of git://git.linaro.org:/people/jens.wiklander/linux-tee into arm/fixes

AMD-TEE driver bug fixes

The AMD-TEE driver keeps track of shared memory buffers and their
corresponding buffer IDs in a global linked list. These buffers are
used to share data between x86 and the AMD Secure Processor. This pull
request fixes issues related to maintaining mapped buffers in a shared
linked list.

* tag 'amdtee-fixes-for-5.10' of git://git.linaro.org:/people/jens.wiklander/linux-tee:
tee: amdtee: synchronize access to shm list
tee: amdtee: fix memory leak due to reset of global shm list

Link: https://lore.kernel.org/r/20201109080809.GA3862873@jade
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

+23 -11
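--- a/drivers/tee/amdtee/amdtee_private.h
+++ b/drivers/tee/amdtee/amdtee_private.h
@@ -64,9 +64,13 @@
 /**
  * struct amdtee_context_data - AMD-TEE driver context data
  * @sess_list: Keeps track of sessions opened in current TEE context
+ * @shm_list: Keeps track of buffers allocated and mapped in current TEE
+ * context
  */
 struct amdtee_context_data {
 	struct list_head sess_list;
+	struct list_head shm_list;
+	struct mutex shm_mutex; /* synchronizes access to @shm_list */
 };
 
 struct amdtee_driver_data {
@@ -91,10 +87,6 @@
 	struct list_head shm_node;
 	void *kaddr;
 	u32 buf_id;
-};
-
-struct amdtee_shm_context {
-	struct list_head shmdata_list;
 };
 
 #define LOWER_TWO_BYTE_MASK 0x0000FFFF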
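Review bot: The kernel-doc block for struct amdtee_context_data gains an `@shm_list` entry but none for the new `shm_mutex` member, which is described only by a trailing `/* ... */` comment that the kernel-doc tooling does not pick up. Adding ` * @shm_mutex: synchronizes access to @shm_list` to the block would document the lock alongside the other two members. It would also be worth saying there that the mutex protects the list itself (add, lookup, remove), since that is all the core.c changes on this page use it for.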
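--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -20,7 +20,6 @@
 
 static struct amdtee_driver_data *drv_data;
 static DEFINE_MUTEX(session_list_mutex);
-static struct amdtee_shm_context shmctx;
 
 static void amdtee_get_version(struct tee_device *teedev,
 			       struct tee_ioctl_version_data *vers)
@@ -41,7 +42,8 @@
 		return -ENOMEM;
 
 	INIT_LIST_HEAD(&ctxdata->sess_list);
-	INIT_LIST_HEAD(&shmctx.shmdata_list);
+	INIT_LIST_HEAD(&ctxdata->shm_list);
+	mutex_init(&ctxdata->shm_mutex);
 
 	ctx->data = ctxdata;
 	return 0;
@@ -86,6 +86,7 @@
 		list_del(&sess->list_node);
 		release_session(sess);
 	}
+	mutex_destroy(&ctxdata->shm_mutex);
 	kfree(ctxdata);
 
 	ctx->data = NULL;
@@ -153,14 +152,17 @@
 
 u32 get_buffer_id(struct tee_shm *shm)
 {
-	u32 buf_id = 0;
+	struct amdtee_context_data *ctxdata = shm->ctx->data;
 	struct amdtee_shm_data *shmdata;
+	u32 buf_id = 0;
 
-	list_for_each_entry(shmdata, &shmctx.shmdata_list, shm_node)
+	mutex_lock(&ctxdata->shm_mutex);
+	list_for_each_entry(shmdata, &ctxdata->shm_list, shm_node)
 		if (shmdata->kaddr == shm->kaddr) {
 			buf_id = shmdata->buf_id;
 			break;
 		}
+	mutex_unlock(&ctxdata->shm_mutex);
 
 	return buf_id;
 }
@@ -337,8 +333,9 @@
 
 int amdtee_map_shmem(struct tee_shm *shm)
 {
-	struct shmem_desc shmem;
+	struct amdtee_context_data *ctxdata;
 	struct amdtee_shm_data *shmnode;
+	struct shmem_desc shmem;
 	int rc, count;
 	u32 buf_id;
 
@@ -367,7 +362,10 @@
 
 	shmnode->kaddr = shm->kaddr;
 	shmnode->buf_id = buf_id;
-	list_add(&shmnode->shm_node, &shmctx.shmdata_list);
+	ctxdata = shm->ctx->data;
+	mutex_lock(&ctxdata->shm_mutex);
+	list_add(&shmnode->shm_node, &ctxdata->shm_list);
+	mutex_unlock(&ctxdata->shm_mutex);
 
 	pr_debug("buf_id :[%x] kaddr[%p]\n", shmnode->buf_id, shmnode->kaddr);
 
@@ -379,6 +371,7 @@
 
 void amdtee_unmap_shmem(struct tee_shm *shm)
 {
+	struct amdtee_context_data *ctxdata;
 	struct amdtee_shm_data *shmnode;
 	u32 buf_id;
 
@@ -390,12 +381,15 @@
 	/* Unmap the shared memory from TEE */
 	handle_unmap_shmem(buf_id);
 
-	list_for_each_entry(shmnode, &shmctx.shmdata_list, shm_node)
+	ctxdata = shm->ctx->data;
+	mutex_lock(&ctxdata->shm_mutex);
+	list_for_each_entry(shmnode, &ctxdata->shm_list, shm_node)
 		if (buf_id == shmnode->buf_id) {
 			list_del(&shmnode->shm_node);
 			kfree(shmnode);
 			break;
 		}
+	mutex_unlock(&ctxdata->shm_mutex);
 }
 
 int amdtee_invoke_func(struct tee_context *ctx,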
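Review bot: In the release path, the new `mutex_destroy(&ctxdata->shm_mutex);` is followed directly by `kfree(ctxdata);` with no look at `ctxdata->shm_list`, so any node still linked at that point would be leaked and left pointing at a freed list head. The TEE core presumably keeps the context alive until every shm has been unmapped, which would make the list empty here, but nothing in the hunk states or checks that. A `WARN_ON(!list_empty(&ctxdata->shm_list));` just before the `mutex_destroy()` call would make the assumption explicit and surface a lifetime bug instead of silently leaking. The enclosing function starts and ends outside the hunk, so a drain or check may already exist in the part not shown.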