lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3ab115bf-7ac6-452f-b760-0d631b6e75dd@quicinc.com>
Date: Fri, 22 Nov 2024 12:08:41 +1100
From: Amirreza Zarrabi <quic_azarrabi@...cinc.com>
To: Jens Wiklander <jens.wiklander@...aro.org>
CC: Sumit Garg <sumit.garg@...aro.org>, <op-tee@...ts.trustedfirmware.org>,
        <linux-kernel@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>
Subject: Re: [PATCH RFC 3/3] tee: introduce orphan tee_shm and default context


On 11/21/2024 11:08 PM, Jens Wiklander wrote:

Hi Jens,

> Hi Amirreza,
> 
> On Thu, Nov 21, 2024 at 2:37 AM Amirreza Zarrabi
> <quic_azarrabi@...cinc.com> wrote:
>>
>> The default context has a lifespan similar to the tee_device.
>> It is used as a context for shared memory if the context to which the
>> shared memory belongs is released, making the tee_shm an orphan.
>> This allows the driver implementing shm_unregister to safely make
>> subsequent calls, such as to a supplicant if needed.
>>
>> It also enables users to free the shared memory while the driver is
>> blocked on unregister_tee_device safely.
>>
>> Preferably, this should be used for all driver internal uses, using
>> teedev_get_def_context rather than calling teedev_open.
>>
>> Signed-off-by: Amirreza Zarrabi <quic_azarrabi@...cinc.com>
>> ---
>>  drivers/tee/optee/core.c    |  2 +-
>>  drivers/tee/optee/ffa_abi.c |  2 +-
>>  drivers/tee/optee/smc_abi.c |  2 +-
>>  drivers/tee/tee_core.c      | 83 +++++++++++++++++++++++++++++----------------
>>  drivers/tee/tee_private.h   |  3 --
>>  drivers/tee/tee_shm.c       | 18 ++--------
>>  include/linux/tee_core.h    | 15 ++++++++
>>  include/linux/tee_drv.h     |  7 ----
>>  8 files changed, 73 insertions(+), 59 deletions(-)
>>
>> diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
>> index c75fddc83576..78d43d0c8014 100644
>> --- a/drivers/tee/optee/core.c
>> +++ b/drivers/tee/optee/core.c
>> @@ -173,7 +173,7 @@ void optee_remove_common(struct optee *optee)
>>
>>         optee_notif_uninit(optee);
>>         optee_shm_arg_cache_uninit(optee);
>> -       teedev_close_context(optee->ctx);
>> +
>>         /*
>>          * The two devices have to be unregistered before we can free the
>>          * other resources.
>> diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
>> index f3af5666bb11..6ad94f0788ad 100644
>> --- a/drivers/tee/optee/ffa_abi.c
>> +++ b/drivers/tee/optee/ffa_abi.c
>> @@ -949,7 +949,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
>>         optee_shm_arg_cache_init(optee, arg_cache_flags);
>>         mutex_init(&optee->rpmb_dev_mutex);
>>         ffa_dev_set_drvdata(ffa_dev, optee);
>> -       ctx = teedev_open(optee->teedev);
>> +       ctx = teedev_get_def_context(optee->teedev);
>>         if (IS_ERR(ctx)) {
>>                 rc = PTR_ERR(ctx);
>>                 goto err_rhashtable_free;
>> diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
>> index e9456e3e74cc..c77a3e631d04 100644
>> --- a/drivers/tee/optee/smc_abi.c
>> +++ b/drivers/tee/optee/smc_abi.c
>> @@ -1722,7 +1722,7 @@ static int optee_probe(struct platform_device *pdev)
>>         mutex_init(&optee->rpmb_dev_mutex);
>>
>>         platform_set_drvdata(pdev, optee);
>> -       ctx = teedev_open(optee->teedev);
>> +       ctx = teedev_get_def_context(optee->teedev);
>>         if (IS_ERR(ctx)) {
>>                 rc = PTR_ERR(ctx);
>>                 goto err_supp_uninit;
>> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
>> index 93f3b330aec8..805e1336089d 100644
>> --- a/drivers/tee/tee_core.c
>> +++ b/drivers/tee/tee_core.c
>> @@ -57,7 +57,6 @@ struct tee_context *teedev_open(struct tee_device *teedev)
>>                 goto err;
>>         }
>>
>> -       kref_init(&ctx->refcount);
>>         ctx->teedev = teedev;
>>         INIT_LIST_HEAD(&ctx->list_shm);
>>         rc = teedev->desc->ops->open(ctx);
>> @@ -73,36 +72,43 @@ struct tee_context *teedev_open(struct tee_device *teedev)
>>  }
>>  EXPORT_SYMBOL_GPL(teedev_open);
>>
>> -void teedev_ctx_get(struct tee_context *ctx)
>> +struct tee_context *teedev_get_def_context(struct tee_device *teedev)
>>  {
>> -       if (ctx->releasing)
>> -               return;
>> +       int rc;
>> +       struct tee_context *ctx = &teedev->def_ctx;
>>
>> -       kref_get(&ctx->refcount);
>> -}
>> +       ctx->teedev = teedev;
>> +       INIT_LIST_HEAD(&ctx->list_shm);
>> +       rc = teedev->desc->ops->open(ctx);
>> +       if (rc)
>> +               return ERR_PTR(rc);
> 
> I think ctx->teedev and ctx->list_shm must always be initialized or
> &teedev->def_ctx can't be used in teedev_close_context().

True, but &teedev->def_ctx is never used in teedev_close_context().
The closing of the &teedev->def_ctx simply ignored. So once opened,
&teedev->def_ctx will always remain open until the tee_device is alive. 

> We could initialize teedev->def_ctx on the first call to teedev_open()
> on that tee_device. We need a way to tell the
> teedev->desc->ops->open() to the backed driver that it's initializing
> the default context though, or optee_open() can't handle the
> tee-supplicant case properly.
> 

That's a good point. This way, it is guaranteed that there is one def_ctx
per teedev. There should be a way to tell the open() callback that it is
a def_ctx, so it is not registered as a supplicant context.


> Should we allow this function to be called more than once for each teedev?

Yes, moving to teedev_open() will fix the issue.

> Do we need serialization in this function if it's called after the
> driver is probed?
> 

True. I'll make sure there is no race.

>>
>> -static void teedev_ctx_release(struct kref *ref)
>> -{
>> -       struct tee_context *ctx = container_of(ref, struct tee_context,
>> -                                              refcount);
>> -       ctx->releasing = true;
>> -       ctx->teedev->desc->ops->release(ctx);
>> -       kfree(ctx);
>> +       return ctx;
>>  }
>> +EXPORT_SYMBOL_GPL(teedev_get_def_context);
>>
>> -void teedev_ctx_put(struct tee_context *ctx)
>> +void teedev_close_context(struct tee_context *ctx)
>>  {
>> -       if (ctx->releasing)
>> +       struct tee_device *teedev = ctx->teedev;
>> +       struct tee_shm *shm;
>> +
>> +       if (ctx == &teedev->def_ctx)
>>                 return;
>>
>> -       kref_put(&ctx->refcount, teedev_ctx_release);
>> -}
>> +       teedev->desc->ops->release(ctx);
>>
>> -void teedev_close_context(struct tee_context *ctx)
>> -{
>> -       struct tee_device *teedev = ctx->teedev;
>> +       mutex_lock(&teedev->mutex);
>> +       list_for_each_entry(shm, &ctx->list_shm, link) {
>> +               /* Context released. However, shm still holding a teedev reference.
>> +                * Replace shm->ctx with the default context so that tee_shm_get_from_id()
>> +                * fails (i.e. it is not accessible from userspace) but shm still
>> +                * holds a valid context for further clean up, e.g. shm_unregister().
>> +                */
> 
> /*
>  * Please format
>  * multiline comments
>  * like this. Please
>  * keep the lines at
>  * max 80 columns
>  * here and at other
>  * places in the patch-
>  * set.
>  */
> 

Ack.

>> +               shm->ctx = &teedev->def_ctx;
> 
> shm->ctx will always point to a valid context, even if it is the
> default context. It seems that we can always get hold of the correct
> teedev via shm->ctx->teedev. Do we need "tee: revert removal of
> redundant teedev in struct tee_shm"?
> 

It was there in case we wanted to use NULL, but with def_ctx, it is not
necessary. I am withdrawing that commit. :).

> Shouldn't the shm be removed from the ctx->list_shm and be moved to
> teedev->def_ctx.list_shm?
>

Not really. If we put shm in the teedev->def_ctx.list_shm, by the time
we are closing the def_ctx, the list is guaranteed to be empty.

However, I understand it is cleaner and more consistent to do that rather
than making changes to tee_shm_put().

I'll do it.

>> +       }
>> +       mutex_unlock(&teedev->mutex);
>>
>> -       teedev_ctx_put(ctx);
>> +       kfree(ctx);
>>         tee_device_put(teedev);
>>  }
>>  EXPORT_SYMBOL_GPL(teedev_close_context);
>> @@ -946,6 +952,8 @@ struct tee_device *tee_device_alloc(const struct tee_desc *teedesc,
>>
>>         teedev->desc = teedesc;
>>         teedev->pool = pool;
>> +       /* Only open default context when teedev_get_def_context() called. */
>> +       teedev->def_ctx.teedev = NULL;
>>
>>         return teedev;
>>  err_devt:
>> @@ -1027,16 +1035,31 @@ EXPORT_SYMBOL_GPL(tee_device_register);
>>
>>  void tee_device_put(struct tee_device *teedev)
>>  {
>> -       mutex_lock(&teedev->mutex);
>> -       /* Shouldn't put in this state */
>> -       if (!WARN_ON(!teedev->desc)) {
>> -               teedev->num_users--;
>> -               if (!teedev->num_users) {
>> -                       teedev->desc = NULL;
>> -                       complete(&teedev->c_no_users);
>> -               }
>> +       const struct tee_desc *desc;
>> +
>> +       scoped_guard(mutex, &teedev->mutex) {
>> +               desc = teedev->desc;
>> +
>> +               /* Shouldn't put in this state */
>> +               if (WARN_ON(!desc))
>> +                       return;
>> +
>> +               /* If there is still users for teedev */
>> +               if (--teedev->num_users)
> 
> Please do teedev->num_users-- first and then check. It makes the code
> easier to read.

Ack.

> 
>> +                       return;
>> +
>> +               /* tee_device_unregister() has been called and there is no
>> +                * user in userspace or kernel, including orphan shm for teedev.
>> +                * Set teedev->desc to NULL, so that teedev can not be reused.
>> +                */
>> +               teedev->desc = NULL;
>>         }
>> -       mutex_unlock(&teedev->mutex);
>> +
>> +       /* Release the default context */
>> +       desc->ops->release(&teedev->def_ctx);
> 
> This should only be done if teedev->def_ctx has been initialized.
> 

Ack.

> Cheers,
> Jens

Thank you very much for your comments :).
If you're okay with introducing def_ctx, I'll prepare a complete patchset
with all the details. 

Best Regards,
Amir


> 
>> +       teedev->def_ctx.teedev = NULL;
>> +
>> +       complete(&teedev->c_no_users);
>>  }
>>
>>  bool tee_device_get(struct tee_device *teedev)
>> diff --git a/drivers/tee/tee_private.h b/drivers/tee/tee_private.h
>> index 9bc50605227c..6c7bcc308958 100644
>> --- a/drivers/tee/tee_private.h
>> +++ b/drivers/tee/tee_private.h
>> @@ -17,9 +17,6 @@ int tee_shm_get_fd(struct tee_shm *shm);
>>  bool tee_device_get(struct tee_device *teedev);
>>  void tee_device_put(struct tee_device *teedev);
>>
>> -void teedev_ctx_get(struct tee_context *ctx);
>> -void teedev_ctx_put(struct tee_context *ctx);
>> -
>>  struct tee_shm *tee_shm_alloc_user_buf(struct tee_context *ctx, size_t size);
>>  struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx,
>>                                           unsigned long addr, size_t length);
>> diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
>> index c0164c0f4a01..f07274291edf 100644
>> --- a/drivers/tee/tee_shm.c
>> +++ b/drivers/tee/tee_shm.c
>> @@ -59,8 +59,6 @@ static void tee_shm_release(struct tee_shm *shm)
>>                 release_registered_pages(shm);
>>         }
>>
>> -       teedev_ctx_put(shm->ctx);
>> -
>>         kfree(shm);
>>
>>         tee_device_put(teedev);
>> @@ -93,13 +91,6 @@ static struct tee_shm *shm_alloc_helper(struct tee_context *ctx, size_t size,
>>         shm->flags = flags;
>>         shm->teedev = teedev;
>>         shm->id = id;
>> -
>> -       /*
>> -        * We're assigning this as it is needed if the shm is to be
>> -        * registered. If this function returns OK then the caller expected
>> -        * to call teedev_ctx_get() or clear shm->ctx in case it's not
>> -        * needed any longer.
>> -        */
>>         shm->ctx = ctx;
>>
>>         rc = teedev->pool->ops->alloc(teedev->pool, shm, size, align);
>> @@ -112,7 +103,6 @@ static struct tee_shm *shm_alloc_helper(struct tee_context *ctx, size_t size,
>>         list_add_tail(&shm->link, &ctx->list_shm);
>>         mutex_unlock(&teedev->mutex);
>>
>> -       teedev_ctx_get(ctx);
>>         return shm;
>>  err_kfree:
>>         kfree(shm);
>> @@ -295,12 +285,10 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
>>                 goto err_dev_put;
>>         }
>>
>> -       teedev_ctx_get(ctx);
>> -
>>         shm = kzalloc(sizeof(*shm), GFP_KERNEL);
>>         if (!shm) {
>>                 ret = ERR_PTR(-ENOMEM);
>> -               goto err_ctx_put;
>> +               goto err_dev_put;
>>         }
>>
>>         refcount_set(&shm->refcount, 1);
>> @@ -313,7 +301,7 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
>>         num_pages = iov_iter_npages(iter, INT_MAX);
>>         if (!num_pages) {
>>                 ret = ERR_PTR(-ENOMEM);
>> -               goto err_ctx_put;
>> +               goto err_dev_put;
>>         }
>>
>>         shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
>> @@ -361,8 +349,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
>>         kfree(shm->pages);
>>  err_free_shm:
>>         kfree(shm);
>> -err_ctx_put:
>> -       teedev_ctx_put(ctx);
>>  err_dev_put:
>>         tee_device_put(teedev);
>>         return ret;
>> diff --git a/include/linux/tee_core.h b/include/linux/tee_core.h
>> index a38494d6b5f4..13393ddac530 100644
>> --- a/include/linux/tee_core.h
>> +++ b/include/linux/tee_core.h
>> @@ -44,6 +44,7 @@
>>   * @idr:       register of user space shared memory objects allocated or
>>   *             registered on this device
>>   * @pool:      shared memory pool
>> + * @def_ctx:   default context used if there is no context available, e.g. internal driver calls.
>>   */
>>  struct tee_device {
>>         char name[TEE_MAX_DEV_NAME_LEN];
>> @@ -60,6 +61,7 @@ struct tee_device {
>>
>>         struct idr idr;
>>         struct tee_shm_pool *pool;
>> +       struct tee_context def_ctx;
>>  };
>>
>>  /**
>> @@ -309,6 +311,19 @@ static inline bool tee_param_is_memref(struct tee_param *param)
>>   */
>>  struct tee_context *teedev_open(struct tee_device *teedev);
>>
>> +/**
>> + * teedev_get_def_context() - Get default context for a struct tee_device
>> + * @teedev:    Device to open
>> + *
>> + * Unlike a context that returned from teedev_open(), the default context is static
>> + * and available as long as @teedev has a user ''other then this context''. This context
>> + * can be used for driver internal operation and clean up where a context should be
>> + * available, while tee_device_unregister() is waiting for other users to go away.
>> + *
>> + * @return a pointer to struct tee_context on success or an ERR_PTR on failure.
>> + */
>> +struct tee_context *teedev_get_def_context(struct tee_device *teedev);
>> +
>>  /**
>>   * teedev_close_context() - closes a struct tee_context
>>   * @ctx:       The struct tee_context to close
>> diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h
>> index 1b57cddfecc8..9633e14ba484 100644
>> --- a/include/linux/tee_drv.h
>> +++ b/include/linux/tee_drv.h
>> @@ -7,7 +7,6 @@
>>  #define __TEE_DRV_H
>>
>>  #include <linux/device.h>
>> -#include <linux/kref.h>
>>  #include <linux/list.h>
>>  #include <linux/mod_devicetable.h>
>>  #include <linux/tee.h>
>> @@ -25,10 +24,6 @@ struct tee_device;
>>   * @teedev:    pointer to this drivers struct tee_device
>>   * @list_shm:  List of shared memory object owned by this context
>>   * @data:      driver specific context data, managed by the driver
>> - * @refcount:  reference counter for this structure
>> - * @releasing:  flag that indicates if context is being released right now.
>> - *             It is needed to break circular dependency on context during
>> - *              shared memory release.
>>   * @supp_nowait: flag that indicates that requests in this context should not
>>   *              wait for tee-supplicant daemon to be started if not present
>>   *              and just return with an error code. It is needed for requests
>> @@ -41,8 +36,6 @@ struct tee_context {
>>         struct tee_device *teedev;
>>         struct list_head list_shm;
>>         void *data;
>> -       struct kref refcount;
>> -       bool releasing;
>>         bool supp_nowait;
>>         bool cap_memref_null;
>>  };
>>
>> --
>> 2.34.1
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ