Date: Mon, 14 Jun 2021 21:15:06 +0200
From: Jens Wiklander
To: Tyler Hicks
Cc: Allen Pais, Sumit Garg, Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Vikas Gupta, Thirupathaiah Annapureddy, Pavel Tatashin, Rafał Miłecki, op-tee@lists.trustedfirmware.org, linux-integrity@vger.kernel.org, bcm-kernel-feedback-list@broadcom.com, linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 4/8] optee: Clear stale cache entries during initialization
Message-ID: <20210614191506.GA1373417@jade>
References: <20210610210913.536081-1-tyhicks@linux.microsoft.com> <20210610210913.536081-5-tyhicks@linux.microsoft.com> <20210614082715.GC1033436@jade> <20210614190646.GW4910@sequoia>
In-Reply-To: <20210614190646.GW4910@sequoia>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 14, 2021 at 02:06:46PM -0500, Tyler Hicks wrote:
> On 2021-06-14 10:27:15, Jens Wiklander wrote:
> > On Thu, Jun 10, 2021 at 04:09:09PM -0500, Tyler Hicks wrote:
> > > The shm cache could contain invalid addresses if
> > > optee_disable_shm_cache() was not called from the .shutdown hook of the
> > > previous kernel before a kexec. These addresses could be unmapped or
> > > they could point to mapped but unintended locations in memory.
> > >
> > > Clear the shared memory cache, while being careful to not translate the
> > > addresses returned from OPTEE_SMC_DISABLE_SHM_CACHE, during driver
> > > initialization. Once all pre-cache shm objects are removed, proceed with
> > > enabling the cache so that we know that we can handle cached shm objects
> > > with confidence later in the .shutdown hook.
> > >
> > > Signed-off-by: Tyler Hicks
> > > ---
> > > drivers/tee/optee/call.c | 11 ++++++++++-
> > > drivers/tee/optee/core.c | 13 +++++++++++--
> > > drivers/tee/optee/optee_private.h | 2 +-
> > > 3 files changed, 22 insertions(+), 4 deletions(-)
> > > > > > diff --git a/drivers/tee/optee/call.c b/drivers/tee/optee/call.c > > > index 6e6eb836e9b6..5dcba6105ed7 100644 > > > --- a/drivers/tee/optee/call.c > > > +++ b/drivers/tee/optee/call.c > > > @@ -419,8 +419,10 @@ void optee_enable_shm_cache(struct optee *optee) > > > * optee_disable_shm_cache() - Disables caching of some shared memory allocation > > > * in OP-TEE > > > * @optee: main service struct > > > + * @is_mapped: true if the cached shared memory addresses were mapped by this > > > + * kernel, are safe to dereference, and should be freed > > > */ > > > -void optee_disable_shm_cache(struct optee *optee) > > > +void optee_disable_shm_cache(struct optee *optee, bool is_mapped) > > > { > > > struct optee_call_waiter w; > > > > > > @@ -439,6 +441,13 @@ void optee_disable_shm_cache(struct optee *optee) > > > if (res.result.status == OPTEE_SMC_RETURN_OK) { > > > struct tee_shm *shm; > > > > > > + /* > > > + * Shared memory references that were not mapped by > > > + * this kernel must be ignored to prevent a crash. > > > + */ > > > + if (!is_mapped) > > > + continue; > > > + > > > shm = reg_pair_to_ptr(res.result.shm_upper32, > > > res.result.shm_lower32); > > > tee_shm_free(shm); > > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c > > > index 0987074d7ed0..6974e1104bd4 100644 > > > --- a/drivers/tee/optee/core.c > > > +++ b/drivers/tee/optee/core.c 
> > > @@ -589,7 +589,7 @@ static int optee_remove(struct platform_device *pdev) > > > * reference counters and also avoid wild pointers in secure world > > > * into the old shared memory range. > > > */ > > > - optee_disable_shm_cache(optee); > > > + optee_disable_shm_cache(optee, true);
> >
> > Naked "true" or "false" parameters are normally not very descriptive.
> > Would it make sense to write this as:
> > 	optee_disable_shm_cache(optee, true /*is_mapped*/);
> > instead (same for the other call sites in this patch)? That way it would
> > be easier to see what it is that is true or false.
>
> Yeah, I understand the issue with the naked bools. What about turning
> 'optee_disable_shm_cache(struct optee *optee, bool is_mapped)' into
> '__optee_disable_shm_cache(struct optee *optee, bool is_mapped)' and
> introducing these two wrappers:
>
> /**
>  * optee_disable_shm_cache() - Disables caching of mapped shared memory
>  *                             allocations in OP-TEE
>  * @optee: main service struct
>  */
> void optee_disable_shm_cache(struct optee *optee)
> {
> 	return __optee_disable_shm_cache(optee, true);
> }
>
> /**
>  * optee_disable_unmapped_shm_cache() - Disables caching of shared memory
>  *                                      allocations in OP-TEE which are not
>  *                                      currently mapped
>  * @optee: main service struct
>  */
> void optee_disable_unmapped_shm_cache(struct optee *optee)
> {
> 	return __optee_disable_shm_cache(optee, false);
> }
>
> Existing callers of optee_disable_shm_cache() remain unchanged and we just add
> one caller of optee_disable_unmapped_shm_cache() with this patch.
>

Sounds good.

Jens
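
Review bot: in the call.c hunk at @@ -419, the new @is_mapped kernel-doc line ties three separate properties to one flag (mapped by this kernel, safe to dereference, should be freed), while the function's summary line still reads "Disables caching of some shared memory allocation" and says nothing about the mode in which the returned references are discarded. Suggest adding a short description stating that with is_mapped false the cache is still drained but the returned addresses are neither translated nor freed, so that someone reading only the prototype and its kernel-doc sees that the two modes differ in who owns the memory afterwards.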
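
Review bot: in the call.c hunk at @@ -439, the comment above "if (!is_mapped) continue;" gives only "to prevent a crash" as the reason, which undersells the problem described in the commit message: after a kexec the cached addresses may be unmapped, or may point to mapped but unintended memory, so freeing them could also corrupt something this kernel never handed to OP-TEE. Suggest carrying that wording into the comment and stating that nothing is freed on this path by design. The placement of the check ahead of reg_pair_to_ptr() is right, since the stale register pair is then never turned into a pointer at all.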