From: Greg Kroah-Hartman Date: Fri, 18 Feb 2022 13:02:33 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.303~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=505e448c1ba682d1d2906cd8228b620b54b26c0a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: optee-use-driver-internal-tee_context-for-some-rpc.patch
---
diff --git a/queue-5.15/optee-use-driver-internal-tee_context-for-some-rpc.patch b/queue-5.15/optee-use-driver-internal-tee_context-for-some-rpc.patch
new file mode 100644
index 00000000000..b939f262faf
--- /dev/null
+++ b/queue-5.15/optee-use-driver-internal-tee_context-for-some-rpc.patch
@@ -0,0 +1,130 @@
+From aceeafefff736057e8f93f19bbfbef26abd94604 Mon Sep 17 00:00:00 2001
+From: Jens Wiklander
+Date: Thu, 27 Jan 2022 15:29:39 +0100
+Subject: optee: use driver internal tee_context for some rpc
+
+From: Jens Wiklander
+
+commit aceeafefff736057e8f93f19bbfbef26abd94604 upstream.
+
+Adds a driver private tee_context by moving the tee_context in struct
+optee_notif to struct optee. This tee_context was previously used when
+doing internal calls to secure world to deliver notification.
+
+The new driver internal tee_context is now also when allocating driver
+private shared memory. This decouples the shared memory object from its
+original tee_context. This is needed when the life time of such a memory
+allocation outlives the client tee_context.
+
+This patch fixes the problem described below:
+
+The addition of a shutdown hook by commit f25889f93184 ("optee: fix tee out
+of memory failure seen during kexec reboot") introduced a kernel shutdown
+regression that can be triggered after running the OP-TEE xtest suites.
+
+Once the shutdown hook is called it is not possible to communicate any more
+with the supplicant process because the system is not scheduling task any
+longer. Thus if the optee driver shutdown path receives a supplicant RPC
+request from the OP-TEE we will deadlock the kernel's shutdown.
+
+Fixes: f25889f93184 ("optee: fix tee out of memory failure seen during kexec reboot")
+Fixes: 217e0250cccb ("tee: use reference counting for tee_context")
+Reported-by: Lars Persson
+Cc: stable@vger.kernel.org
+Reviewed-by: Sumit Garg
+[JW: backport to 5.15-stable + update commit message]
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/optee/core.c | 8 ++++++++
+ drivers/tee/optee/optee_private.h | 2 ++
+ drivers/tee/optee/rpc.c | 8 +++++---
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/tee/optee/core.c
++++ b/drivers/tee/optee/core.c
+@@ -588,6 +588,7 @@ static int optee_remove(struct platform_
+ /* Unregister OP-TEE specific client devices on TEE bus */
+ optee_unregister_devices();
+ 
++ teedev_close_context(optee->ctx);
+ /*
+ * Ask OP-TEE to free all cached shared memory objects to decrease
+ * reference counters and also avoid wild pointers in secure world
+@@ -633,6 +634,7 @@ static int optee_probe(struct platform_d
+ struct optee *optee = NULL;
+ void *memremaped_shm = NULL;
+ struct tee_device *teedev;
++ struct tee_context *ctx;
+ u32 sec_caps;
+ int rc;
+ 
+@@ -719,6 +721,12 @@ static int optee_probe(struct platform_d
+ optee_supp_init(&optee->supp);
+ optee->memremaped_shm = memremaped_shm;
+ optee->pool = pool;
++ ctx = teedev_open(optee->teedev);
++ if (IS_ERR(ctx)) {
++ rc = rc = PTR_ERR(ctx);
++ goto err;
++ }
++ optee->ctx = ctx;
+ 
+ /*
+ * Ensure that there are no pre-existing shm objects before enabling
+--- a/drivers/tee/optee/optee_private.h
++++ b/drivers/tee/optee/optee_private.h
+@@ -70,6 +70,7 @@ struct optee_supp {
+ * struct optee - main service struct
+ * @supp_teedev: supplicant device
+ * @teedev: client device
++ * @ctx: driver internal TEE context
+ * @invoke_fn: function to issue smc or hvc
+ * @call_queue: queue of threads waiting to call @invoke_fn
+ * @wait_queue: queue of threads from secure world waiting for a
+@@ -87,6 +88,7 @@ struct optee {
+ struct tee_device *supp_teedev;
+ struct tee_device *teedev;
+ optee_invoke_fn *invoke_fn;
++ struct tee_context *ctx;
+ struct optee_call_queue call_queue;
+ struct optee_wait_queue wait_queue;
+ struct optee_supp supp;
+--- a/drivers/tee/optee/rpc.c
++++ b/drivers/tee/optee/rpc.c
+@@ -285,6 +285,7 @@ static struct tee_shm *cmd_alloc_suppl(s
+ }
+ 
+ static void handle_rpc_func_cmd_shm_alloc(struct tee_context *ctx,
++ struct optee *optee,
+ struct optee_msg_arg *arg,
+ struct optee_call_ctx *call_ctx)
+ {
+@@ -314,7 +315,8 @@ static void handle_rpc_func_cmd_shm_allo
+ shm = cmd_alloc_suppl(ctx, sz);
+ break;
+ case OPTEE_RPC_SHM_TYPE_KERNEL:
+- shm = tee_shm_alloc(ctx, sz, TEE_SHM_MAPPED | TEE_SHM_PRIV);
++ shm = tee_shm_alloc(optee->ctx, sz,
++ TEE_SHM_MAPPED | TEE_SHM_PRIV);
+ break;
+ default:
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+@@ -471,7 +473,7 @@ static void handle_rpc_func_cmd(struct t
+ break;
+ case OPTEE_RPC_CMD_SHM_ALLOC:
+ free_pages_list(call_ctx);
+- handle_rpc_func_cmd_shm_alloc(ctx, arg, call_ctx);
++ handle_rpc_func_cmd_shm_alloc(ctx, optee, arg, call_ctx);
+ break;
+ case OPTEE_RPC_CMD_SHM_FREE:
+ handle_rpc_func_cmd_shm_free(ctx, arg);
+@@ -502,7 +504,7 @@ void optee_handle_rpc(struct tee_context
+ 
+ switch (OPTEE_SMC_RETURN_GET_RPC_FUNC(param->a0)) {
+ case OPTEE_SMC_RPC_FUNC_ALLOC:
+- shm = tee_shm_alloc(ctx, param->a1,
++ shm = tee_shm_alloc(optee->ctx, param->a1,
+ TEE_SHM_MAPPED | TEE_SHM_PRIV);
+ if (!IS_ERR(shm) && !tee_shm_get_pa(shm, 0, &pa)) {
+ reg_pair_from_64(¶m->a1, ¶m->a2, pa);
diff --git a/queue-5.15/series b/queue-5.15/series
index b93edb9cb80..07bdfb5debc 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -66,3 +66,4 @@ drm-i915-opregion-check-port-number-bounds-for-swsci-display-power-state.patch
 drm-i915-fix-dbuf-slice-config-lookup.patch
 drm-i915-fix-mbus-join-config-lookup.patch
 vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
+optee-use-driver-internal-tee_context-for-some-rpc.patch
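Review bot: In the optee_probe hunk of core.c, `rc = rc = PTR_ERR(ctx);` assigns rc to itself; the line should read `rc = PTR_ERR(ctx);` — harmless at runtime, but it reads as a typo and trips self-assignment checkers. Once `optee->ctx = ctx;` is set, any later probe failure that jumps to `err` has to release this context with `teedev_close_context(optee->ctx)`, mirroring the new call in optee_remove; the `err` unwind path is outside the hunk, so confirm it does. The kernel-doc line `@ctx: driver internal TEE context` in optee_private.h would be more useful as `@ctx: driver internal TEE context, owner of RPC-allocated kernel shared memory so it outlives client contexts`, which is the property the rpc.c hunks rely on. The last context line, `reg_pair_from_64(¶m->a1, ¶m->a2, pa);`, appears to be an HTML-entity artefact of this rendering (`&param` decoded as `¶m`) rather than a defect in the patch. Both optee_probe and optee_remove start and end outside the hunk.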