
tee: don't assign shm id for private shms

Private shared memory objects must not be referenced from user space. To
guarantee that, don't assign an id to shared memory objects which are
driver private.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

+20 -14
+2 -1
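--- a/drivers/tee/tee_private.h
+++ b/drivers/tee/tee_private.h
@@ -37,7 +37,8 @@
  * @num_users: number of active users of this device
  * @c_no_user: completion used when unregistering the device
  * @mutex: mutex protecting @num_users and @idr
- * @idr: register of shared memory object allocated on this device
+ * @idr: register of user space shared memory objects allocated or
+ * registered on this device
  * @pool: shared memory pool
  */
 struct tee_device {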
+18 -13
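--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -15,9 +15,11 @@
 {
 	struct tee_device *teedev = shm->teedev;
 
-	mutex_lock(&teedev->mutex);
-	idr_remove(&teedev->idr, shm->id);
-	mutex_unlock(&teedev->mutex);
+	if (shm->flags & TEE_SHM_DMA_BUF) {
+		mutex_lock(&teedev->mutex);
+		idr_remove(&teedev->idr, shm->id);
+		mutex_unlock(&teedev->mutex);
+	}
 
 	if (shm->flags & TEE_SHM_POOL) {
 		struct tee_shm_pool_mgr *poolm;
@@ -139,16 +137,17 @@
 		goto err_kfree;
 	}
 
-	mutex_lock(&teedev->mutex);
-	shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
-	mutex_unlock(&teedev->mutex);
-	if (shm->id < 0) {
-		ret = ERR_PTR(shm->id);
-		goto err_pool_free;
-	}
 
 	if (flags & TEE_SHM_DMA_BUF) {
 		DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
+
+		mutex_lock(&teedev->mutex);
+		shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
+		mutex_unlock(&teedev->mutex);
+		if (shm->id < 0) {
+			ret = ERR_PTR(shm->id);
+			goto err_pool_free;
+		}
 
 		exp_info.ops = &tee_shm_dma_buf_ops;
 		exp_info.size = shm->size;
@@ -168,9 +165,11 @@
 
 	return shm;
 err_rem:
-	mutex_lock(&teedev->mutex);
-	idr_remove(&teedev->idr, shm->id);
-	mutex_unlock(&teedev->mutex);
+	if (flags & TEE_SHM_DMA_BUF) {
+		mutex_lock(&teedev->mutex);
+		idr_remove(&teedev->idr, shm->id);
+		mutex_unlock(&teedev->mutex);
+	}
 err_pool_free:
 	poolm->ops->free(poolm, shm);
 err_kfree: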
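Review bot: After the second hunk, shm->id is never written for a private shm, so its value is whatever the allocation left there (the allocation is outside the hunk); if that is 0, a private shm carries a value that is not distinguishable from "unset" by inspection, and any accessor returning shm->id would hand out a number that merely looks like an id. Consider writing `shm->id = -1;` just before the `if (flags & TEE_SHM_DMA_BUF)` block so private objects carry an explicit "not registered" marker that no idr lookup can match. The release path in the first hunk and the err_rem path in the third now rely on the flag rather than the id to decide whether an idr entry exists, which is correct but worth stating; a comment such as `/* Only user-visible (DMA_BUF) shms own an idr entry. */` above the check in tee_shm_release would make that invariant explicit. Both enclosing functions begin outside the hunks shown.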