[xen staging] optee: immediately free RPC buffers that are released by OP-TEE



commit 5d2d5365ffadf075fd812038ab0841a3e868f906
Author:     Jens Wiklander <jens.wiklander@xxxxxxxxxx>
AuthorDate: Wed May 4 07:49:12 2022 +0200
Commit:     Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>
CommitDate: Wed May 4 14:38:35 2022 -0700

    optee: immediately free RPC buffers that are released by OP-TEE
    
    This commit fixes a case overlooked in [1].
    
    There are two kinds of shared memory buffers used by OP-TEE:
    1. Normal payload buffer
    2. Internal command structure buffers
    
    The internal command structure buffers are represented with a shadow
    copy internally in Xen since this buffer can contain physical addresses
    that may need to be translated between real physical address and guest
    physical address without leaking information to the guest.
    
    [1] fixes the problem when releasing the normal payload buffers. The
    internal command structure buffers must be released in the same way.
    Failure to follow this order opens a window where the guest has freed
    the shared memory but Xen is still tracking the buffer.
    
    During this window the guest may happen to recycle this particular
    shared memory in some other thread and try to use it. Xen will block
    this which will lead to spurious failures to register a new shared
    memory block.
    
    Fix this by freeing the internal command structure buffers first before
    informing the guest that the buffer can be freed.
    
    [1] 5b13eb1d978e ("optee: immediately free buffers that are released by OP-TEE")
    
    Signed-off-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
    Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
    [stefano: minor code style fix]
    Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>
---
 xen/arch/arm/tee/optee.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index f49b3c0226..9cb9f16d43 100644
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -1136,6 +1136,13 @@ static int handle_rpc_return(struct optee_domain *ctx,
         }
         unmap_domain_page(shm_rpc->xen_arg);
     }
+    else if ( call->rpc_op == OPTEE_SMC_RPC_FUNC_FREE )
+    {
+        uint64_t cookie = regpair_to_uint64(get_user_reg(regs, 1),
+                                            get_user_reg(regs, 2));
+
+        free_shm_rpc(ctx, cookie);
+    }
 
     return ret;
 }
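Review bot: the new `else if ( call->rpc_op == OPTEE_SMC_RPC_FUNC_FREE )` branch in handle_rpc_return() carries no comment explaining why the free is handled here rather than alongside the other RPC ops in handle_rpc(), and a reader of optee.c alone will not see the ordering argument that only lives in the commit message. Please add a short comment above the branch, e.g. `/* Free the shadow copy now, before the guest is told the buffer is released, so the guest cannot observe a window where Xen still tracks it. */`. It is also worth confirming in the description that `get_user_reg(regs, 1)` / `get_user_reg(regs, 2)` read the same cookie that the removed handle_rpc() code took from `call->rpc_params[0]` / `call->rpc_params[1]`, since the two code paths now read it from different places.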
@@ -1584,13 +1591,6 @@ static void handle_rpc(struct optee_domain *ctx, struct 
cpu_user_regs *regs)
     case OPTEE_SMC_RPC_FUNC_ALLOC:
         handle_rpc_func_alloc(ctx, regs, call);
         return;
-    case OPTEE_SMC_RPC_FUNC_FREE:
-    {
-        uint64_t cookie = regpair_to_uint64(call->rpc_params[0],
-                                            call->rpc_params[1]);
-        free_shm_rpc(ctx, cookie);
-        break;
-    }
     case OPTEE_SMC_RPC_FUNC_FOREIGN_INTR:
         break;
     case OPTEE_SMC_RPC_FUNC_CMD:
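Review bot: removing `case OPTEE_SMC_RPC_FUNC_FREE:` from the switch in handle_rpc() means a FREE request now reaches whatever default handling the switch has, which is not visible in this hunk; if that default logs an unexpected RPC op or returns an error to the guest, a perfectly valid FREE (already processed in handle_rpc_return()) will now trigger it. Either keep an explicit `case OPTEE_SMC_RPC_FUNC_FREE:` followed by `/* Already handled in handle_rpc_return() */` and `break;`, or state in the commit message that the default path is benign for this op.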
--
generated by git-patchbot for /home/xen/git/xen.git#staging



 

