optee: Clear stale cache entries during initialization
authorTyler Hicks <tyhicks@linux.microsoft.com>
Mon, 14 Jun 2021 22:33:13 +0000 (17:33 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Aug 2021 11:21:01 +0000 (13:21 +0200)
commit b5c10dd04b7418793517e3286cde5c04759a86de upstream.

The shm cache could contain invalid addresses if
optee_disable_shm_cache() was not called from the .shutdown hook of the
previous kernel before a kexec. These addresses could be unmapped or
they could point to mapped but unintended locations in memory.

Clear the shared memory cache, while being careful to not translate the
addresses returned from OPTEE_SMC_DISABLE_SHM_CACHE, during driver
initialization. Once all pre-cache shm objects are removed, proceed with
enabling the cache so that we know that we can handle cached shm objects
with confidence later in the .shutdown hook.

Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tee/optee/call.c
drivers/tee/optee/core.c
drivers/tee/optee/optee_private.h

index ea79482ebda4670033537fbb190e209374eacf4e..4b5069f88d786b7f9ec012317d2f3fdc0a87c855 100644 (file)
@@ -407,11 +407,13 @@ void optee_enable_shm_cache(struct optee *optee)
 }
 
 /**
- * optee_disable_shm_cache() - Disables caching of some shared memory allocation
- *                           in OP-TEE
+ * __optee_disable_shm_cache() - Disables caching of some shared memory
+ *                               allocation in OP-TEE
  * @optee:     main service struct
+ * @is_mapped: true if the cached shared memory addresses were mapped by this
+ *             kernel, are safe to dereference, and should be freed
  */
-void optee_disable_shm_cache(struct optee *optee)
+static void __optee_disable_shm_cache(struct optee *optee, bool is_mapped)
 {
        struct optee_call_waiter w;
 
@@ -430,6 +432,13 @@ void optee_disable_shm_cache(struct optee *optee)
                if (res.result.status == OPTEE_SMC_RETURN_OK) {
                        struct tee_shm *shm;
 
+                       /*
+                        * Shared memory references that were not mapped by
+                        * this kernel must be ignored to prevent a crash.
+                        */
+                       if (!is_mapped)
+                               continue;
+
                        shm = reg_pair_to_ptr(res.result.shm_upper32,
                                              res.result.shm_lower32);
                        tee_shm_free(shm);
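Review bot: The `!is_mapped` path drops the reference returned by OP-TEE silently, so a stale entry inherited from a previous kernel leaves no trace that would let an operator notice the earlier shutdown had skipped cache cleanup. A debug-level message before the `continue`, e.g. `pr_debug("optee: dropping unmapped shm cache entry\n");`, would make the kexec scenario described in the commit observable without changing behaviour. The loop that this `continue` restarts begins and ends outside the hunk, so whether the iteration is bounded only by OP-TEE returning a non-OK status cannot be confirmed from here.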
@@ -440,6 +449,27 @@ void optee_disable_shm_cache(struct optee *optee)
        optee_cq_wait_final(&optee->call_queue, &w);
 }
 
+/**
+ * optee_disable_shm_cache() - Disables caching of mapped shared memory
+ *                             allocations in OP-TEE
+ * @optee:     main service struct
+ */
+void optee_disable_shm_cache(struct optee *optee)
+{
+       return __optee_disable_shm_cache(optee, true);
+}
+
+/**
+ * optee_disable_unmapped_shm_cache() - Disables caching of shared memory
+ *                                      allocations in OP-TEE which are not
+ *                                      currently mapped
+ * @optee:     main service struct
+ */
+void optee_disable_unmapped_shm_cache(struct optee *optee)
+{
+       return __optee_disable_shm_cache(optee, false);
+}
+
 #define PAGELIST_ENTRIES_PER_PAGE                              \
        ((OPTEE_MSG_NONCONTIG_PAGE_SIZE / sizeof(u64)) - 1)
 
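Review bot: Both new wrappers use `return` with a void expression (`return __optee_disable_shm_cache(optee, true);` and `return __optee_disable_shm_cache(optee, false);`), which ISO C11 6.8.6.4 forbids in a function returning void and which compilers diagnose under -Wpedantic. A plain call, `__optee_disable_shm_cache(optee, true);` and `__optee_disable_shm_cache(optee, false);`, expresses the same thing. The kernel-doc for `optee_disable_unmapped_shm_cache()` could also state that the cached addresses are only released from OP-TEE's cache and are never dereferenced or freed by this kernel, since that is the property the new probe call relies on.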
index ba6cfba589a6970c2e62fe6026022a7331117f69..432dd38921dd988176c6c04a6afcb3aac5b8d1f2 100644 (file)
@@ -628,6 +628,15 @@ static struct optee *optee_probe(struct device_node *np)
        optee->memremaped_shm = memremaped_shm;
        optee->pool = pool;
 
+       /*
+        * Ensure that there are no pre-existing shm objects before enabling
+        * the shm cache so that there's no chance of receiving an invalid
+        * address during shutdown. This could occur, for example, if we're
+        * kexec booting from an older kernel that did not properly cleanup the
+        * shm cache.
+        */
+       optee_disable_unmapped_shm_cache(optee);
+
        optee_enable_shm_cache(optee);
 
        if (optee->sec_caps & OPTEE_SMC_SEC_CAP_DYNAMIC_SHM)
index d9c5037b4e03e9175861ad1c6049699c38f1f547..3eeaad2a28686063379f3fb768be48d0f24b302e 100644 (file)
@@ -152,6 +152,7 @@ int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session);
 
 void optee_enable_shm_cache(struct optee *optee);
 void optee_disable_shm_cache(struct optee *optee);
+void optee_disable_unmapped_shm_cache(struct optee *optee);
 
 int optee_shm_register(struct tee_context *ctx, struct tee_shm *shm,
                       struct page **pages, size_t num_pages,