From: Tyler Hicks
To: Jens Wiklander, Allen Pais, Sumit Garg, Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Vikas Gupta
Cc: Thirupathaiah Annapureddy, Pavel Tatashin, Rafał Miłecki, op-tee@lists.trustedfirmware.org, linux-integrity@vger.kernel.org, bcm-kernel-feedback-list@broadcom.com, linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 4/7] optee: Clear stale cache entries during initialization
Date: Tue, 8 Jun 2021 19:23:23 -0500
Message-Id: <20210609002326.210024-5-tyhicks@linux.microsoft.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210609002326.210024-1-tyhicks@linux.microsoft.com>
References: <20210609002326.210024-1-tyhicks@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

The shm cache could contain invalid addresses if optee_disable_shm_cache()
was not called from the .shutdown hook of the previous kernel before a
kexec. These addresses could be unmapped or they could point to mapped but
unintended locations in memory.

Clear the shared memory cache, while being careful to not translate the
addresses returned from OPTEE_SMC_DISABLE_SHM_CACHE, during driver
initialization. Once all pre-cache shm objects are removed, proceed with
enabling the cache so that we know that we can handle cached shm objects
with confidence later in the .shutdown hook.

Signed-off-by: Tyler Hicks
---
 drivers/tee/optee/call.c          | 11 ++++++++++-
 drivers/tee/optee/core.c          | 13 +++++++++++--
 drivers/tee/optee/optee_private.h |  2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/drivers/tee/optee/call.c b/drivers/tee/optee/call.c
index 6e6eb836e9b6..5dcba6105ed7 100644
--- a/drivers/tee/optee/call.c
+++ b/drivers/tee/optee/call.c
@@ -419,8 +419,10 @@ void optee_enable_shm_cache(struct optee *optee) * optee_disable_shm_cache() - Disables caching of some shared memory allocation * in OP-TEE * @optee: main service struct + * @is_mapped: true if the cached shared memory addresses were mapped by this + * kernel, are safe to dereference, and should be freed */ -void optee_disable_shm_cache(struct optee *optee) +void optee_disable_shm_cache(struct optee *optee, bool is_mapped) { struct optee_call_waiter w; @@ -439,6 +441,13 @@ void optee_disable_shm_cache(struct optee *optee) if (res.result.status == OPTEE_SMC_RETURN_OK) { struct tee_shm *shm; + /* + * Shared memory references that were not mapped by + * this kernel must be ignored to prevent a crash. + */ + if (!is_mapped) + continue; + shm = reg_pair_to_ptr(res.result.shm_upper32, res.result.shm_lower32); tee_shm_free(shm); diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c index 0987074d7ed0..6974e1104bd4 100644 --- a/drivers/tee/optee/core.c +++ b/drivers/tee/optee/core.c @@ -589,7 +589,7 @@ static int optee_remove(struct platform_device *pdev) * reference counters and also avoid wild pointers in secure world * into the old shared memory range. */ - optee_disable_shm_cache(optee); + optee_disable_shm_cache(optee, true); /* * The two devices have to be unregistered before we can free the @@ -619,7 +619,7 @@ static int optee_remove(struct platform_device *pdev) */ static void optee_shutdown(struct platform_device *pdev) { - optee_disable_shm_cache(platform_get_drvdata(pdev)); + optee_disable_shm_cache(platform_get_drvdata(pdev), true); } static int optee_probe(struct platform_device *pdev) 
@@ -716,6 +716,15 @@ static int optee_probe(struct platform_device *pdev) optee->memremaped_shm = memremaped_shm; optee->pool = pool; + /* + * Ensure that there are no pre-existing shm objects before enabling + * the shm cache so that there's no chance of receiving an invalid + * address during shutdown. This could occur, for example, if we're + * kexec booting from an older kernel that did not properly cleanup the + * shm cache. + */ + optee_disable_shm_cache(optee, false); + optee_enable_shm_cache(optee); if (optee->sec_caps & OPTEE_SMC_SEC_CAP_DYNAMIC_SHM) diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h index e25b216a14ef..16d8c82213e7 100644 --- a/drivers/tee/optee/optee_private.h +++ b/drivers/tee/optee/optee_private.h @@ -158,7 +158,7 @@ int optee_invoke_func(struct tee_context *ctx, struct tee_ioctl_invoke_arg *arg, int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session); void optee_enable_shm_cache(struct optee *optee); -void optee_disable_shm_cache(struct optee *optee); +void optee_disable_shm_cache(struct optee *optee, bool is_mapped); int optee_shm_register(struct tee_context *ctx, struct tee_shm *shm, struct page **pages, size_t num_pages, -- 2.25.1
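Review bot: in the first call.c hunk (@@ -419,8 +419,10 @@), making the bool part of the exported optee_disable_shm_cache() signature forces both existing callers in core.c to change only to pass `true`, and the new `optee_disable_shm_cache(optee, false)` call in optee_probe() does not say what `false` means without a trip to the header. Keeping `void optee_disable_shm_cache(struct optee *optee)` as it is and adding a static helper, say `__optee_disable_shm_cache(struct optee *optee, bool is_mapped)`, wrapped by that function and by a second, named entry point for the unmapped case, would leave optee_remove() and optee_shutdown() untouched and make the probe call site self-describing; the @is_mapped kerneldoc then belongs on the helper.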
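Review bot: in the second call.c hunk (@@ -439,6 +441,13 @@), the new comment says a stale reference "must be ignored to prevent a crash" but not why ignoring it is sufficient. The SMC has already handed the entry back, so it is out of secure world's cache either way, and the address names whatever this kernel has since placed in that memory, not a tee_shm this driver owns, so there is nothing to free. Saying that in the comment answers the obvious "where did the leak go" question. Also, if nothing else runs after the if/else in the loop body, `if (is_mapped) { shm = reg_pair_to_ptr(...); tee_shm_free(shm); }` expresses the same thing more directly than an early `continue`.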
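Review bot: in the optee_probe() hunk (@@ -716,6 +716,15 @@), optee_disable_shm_cache() now runs right after `optee->pool = pool;`. The function declares a struct optee_call_waiter (visible in the first call.c hunk), so whatever call-queue state that waiter depends on must already be initialised at this point in probe; a sentence in the comment or commit message confirming that ordering would save the next reader the check. Separately, "pre-existing shm objects" in the comment undersells the situation: after a kexec these are not objects this kernel created but stale addresses in OP-TEE's cache, which is exactly why `false` is passed; "stale cache entries left by a previous kernel" matches the subject line and the new argument.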
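The kexec scenario from the commit message, modelled in user space as an added example that is not part of this patch or the OP-TEE driver. A constructed mock stands in for secure world's cache; sim_disable_shm_cache() is the drain loop with the is_mapped flag, sim_reg_pair_to_ptr() is the translation step that must be skipped for stale entries, and the status values and every sim_* name are assumptions. sim_clean_shutdown() plays the .shutdown path, where every cached entry is this kernel's, and sim_probe_after_kexec() plays the probe path, where the entries were left by a previous kernel and may only be dropped.

```c
/*
 * Added example, not code from this patch or the OP-TEE driver: a user-space
 * model of the drain loop the commit message describes, for a clean .shutdown
 * (entries are this kernel's, so free them) and for a probe after a kexec that
 * skipped .shutdown (entries are stale, so drop them untranslated). The mock
 * secure world, status values and all sim_* names are constructed here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define SIM_RETURN_OK        0u  /* assumed: one cached address in the register pair */
#define SIM_RETURN_ENOTAVAIL 7u  /* assumed: cache empty, drain finished */
#define SIM_CACHE_MAX        8

struct sim_disable_result {
	uint32_t status, shm_upper32, shm_lower32;
};

/* Mock of secure world's cache of normal-world shm addresses; it survives a kexec. */
struct sim_secure_world {
	uint64_t entries[SIM_CACHE_MAX];
	size_t count;
	bool cache_enabled;
};

/* Mock SMC: disable caching and return one cached address, or ENOTAVAIL when empty. */
static void sim_smc_disable_shm_cache(struct sim_secure_world *sw,
				      struct sim_disable_result *res)
{
	sw->cache_enabled = false;
	res->status = sw->count ? SIM_RETURN_OK : SIM_RETURN_ENOTAVAIL;
	if (!sw->count)
		return;
	uint64_t addr = sw->entries[--sw->count];
	res->shm_upper32 = (uint32_t)(addr >> 32);
	res->shm_lower32 = (uint32_t)addr;
}

/* Normal world allocates a buffer and secure world caches its address. */
static void *sim_alloc_and_cache(struct sim_secure_world *sw, size_t size)
{
	void *buf = sw->count < SIM_CACHE_MAX ? calloc(1, size) : NULL;
	if (buf)
		sw->entries[sw->count++] = (uint64_t)(uintptr_t)buf;
	return buf;
}

static void *sim_reg_pair_to_ptr(uint32_t upper, uint32_t lower)
{
	return (void *)(uintptr_t)(((uint64_t)upper << 32) | lower);
}

/* Drain loop with the patch's is_mapped distinction: each OK reply has already
 * removed the entry on the secure side; translate and free only when is_mapped. */
static size_t sim_disable_shm_cache(struct sim_secure_world *sw, bool is_mapped,
				    size_t *freed)
{
	size_t removed = 0;
	*freed = 0;
	for (;;) {
		struct sim_disable_result res;
		sim_smc_disable_shm_cache(sw, &res);
		if (res.status != SIM_RETURN_OK)
			break;		/* ENOTAVAIL: nothing left to drain */
		removed++;
		if (!is_mapped)
			continue;	/* stale address: never dereference it */
		free(sim_reg_pair_to_ptr(res.shm_upper32, res.shm_lower32));
		(*freed)++;
	}
	return removed;
}

/* Clean .shutdown: two buffers cached by this kernel are translated and freed. */
static size_t sim_clean_shutdown(size_t *freed)
{
	struct sim_secure_world sw = { .cache_enabled = true };
	sim_alloc_and_cache(&sw, 4096);
	sim_alloc_and_cache(&sw, 8192);
	return sim_disable_shm_cache(&sw, true, freed);
}

/* Probe after a kexec that skipped .shutdown: the old kernel's buffers are gone
 * but the cache is not. Drain with is_mapped=false, then re-enable the cache. */
static size_t sim_probe_after_kexec(bool *clean_on_enable)
{
	struct sim_secure_world sw = { .cache_enabled = true };
	size_t freed, dropped;
	for (int i = 0; i < 3; i++)
		free(sim_alloc_and_cache(&sw, 4096)); /* kexec: memory gone, entry left */
	dropped = sim_disable_shm_cache(&sw, false, &freed);
	*clean_on_enable = sw.count == 0 && freed == 0;
	sw.cache_enabled = true;
	return dropped;
}
```

Both scenario functions return the number of entries drained; sim_probe_after_kexec() also reports whether the cache was empty with nothing freed at the moment it is re-enabled, which is the invariant the probe hunk's comment is after.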