On Tue, Sep 3, 2024 at 7:50 PM T.J. Mercier tjmercier@google.com wrote:
On Fri, Aug 30, 2024 at 12:04 AM Jens Wiklander jens.wiklander@linaro.org wrote:
From: Etienne Carriere etienne.carriere@linaro.org
Enable userspace to create a tee_shm object that refers to a dmabuf reference.
Userspace registers the dmabuf file descriptor as in a tee_shm object. The registration is completed with a tee_shm file descriptor returned to userspace.
Userspace is free to close the dmabuf file descriptor now since all the resources are now held via the tee_shm object.
Closing the tee_shm file descriptor will release all resources used by the tee_shm object.
This change only support dmabuf references that relates to physically contiguous memory buffers.
New tee_shm flag to identify tee_shm objects built from a registered dmabuf, TEE_SHM_DMA_BUF.
Signed-off-by: Etienne Carriere etienne.carriere@linaro.org Signed-off-by: Olivier Masse olivier.masse@nxp.com Signed-off-by: Jens Wiklander jens.wiklander@linaro.org
drivers/tee/tee_core.c | 38 ++++++++++++++ drivers/tee/tee_shm.c | 104 +++++++++++++++++++++++++++++++++++++-- include/linux/tee_drv.h | 11 +++++ include/uapi/linux/tee.h | 29 +++++++++++ 4 files changed, 179 insertions(+), 3 deletions(-)
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index e59c20d74b36..3dfd5428d58c 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -356,6 +356,42 @@ tee_ioctl_shm_register(struct tee_context *ctx, return ret; }
+static int tee_ioctl_shm_register_fd(struct tee_context *ctx,
struct tee_ioctl_shm_register_fd_data __user *udata)+{
struct tee_ioctl_shm_register_fd_data data;struct tee_shm *shm;long ret;if (copy_from_user(&data, udata, sizeof(data)))return -EFAULT;/* Currently no input flags are supported */if (data.flags)return -EINVAL;shm = tee_shm_register_fd(ctx, data.fd);if (IS_ERR(shm))return -EINVAL;data.id = shm->id;data.flags = shm->flags;data.size = shm->size;if (copy_to_user(udata, &data, sizeof(data)))ret = -EFAULT;elseret = tee_shm_get_fd(shm);/** When user space closes the file descriptor the shared memory* should be freed or if tee_shm_get_fd() failed then it will* be freed immediately.*/tee_shm_put(shm);return ret;+}
static int params_from_user(struct tee_context *ctx, struct tee_param *params, size_t num_params, struct tee_ioctl_param __user *uparams) @@ -830,6 +866,8 @@ static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) return tee_ioctl_shm_alloc(ctx, uarg); case TEE_IOC_SHM_REGISTER: return tee_ioctl_shm_register(ctx, uarg);
case TEE_IOC_SHM_REGISTER_FD:return tee_ioctl_shm_register_fd(ctx, uarg); case TEE_IOC_OPEN_SESSION: return tee_ioctl_open_session(ctx, uarg); case TEE_IOC_INVOKE:diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 731d9028b67f..a1cb3c8b6423 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -4,6 +4,7 @@ */ #include <linux/anon_inodes.h> #include <linux/device.h> +#include <linux/dma-buf.h> #include <linux/idr.h> #include <linux/mm.h> #include <linux/sched.h> @@ -14,6 +15,14 @@ #include <linux/highmem.h> #include "tee_private.h"
+/* extra references appended to shm object for registered shared memory */ +struct tee_shm_dmabuf_ref {
struct tee_shm shm;struct dma_buf *dmabuf;struct dma_buf_attachment *attach;struct sg_table *sgt;+};
static void shm_put_kernel_pages(struct page **pages, size_t page_count) { size_t n; @@ -44,7 +53,16 @@ static void release_registered_pages(struct tee_shm *shm)
static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) {
if (shm->flags & TEE_SHM_POOL) {
if (shm->flags & TEE_SHM_DMA_BUF) {struct tee_shm_dmabuf_ref *ref;ref = container_of(shm, struct tee_shm_dmabuf_ref, shm);dma_buf_unmap_attachment(ref->attach, ref->sgt,DMA_BIDIRECTIONAL);dma_buf_detach(ref->dmabuf, ref->attach);dma_buf_put(ref->dmabuf);} else if (shm->flags & TEE_SHM_POOL) { teedev->pool->ops->free(teedev->pool, shm); } else if (shm->flags & TEE_SHM_DYNAMIC) { int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm);@@ -56,7 +74,8 @@ static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) release_registered_pages(shm); }
teedev_ctx_put(shm->ctx);
if (shm->ctx)teedev_ctx_put(shm->ctx); kfree(shm);@@ -168,7 +187,7 @@ struct tee_shm *tee_shm_alloc_user_buf(struct tee_context *ctx, size_t size)
- tee_client_invoke_func(). The memory allocated is later freed with a
- call to tee_shm_free().
- @returns a pointer to 'struct tee_shm'
*/
- @returns a pointer to 'struct tee_shm' on success, and ERR_PTR on failure
struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size) { @@ -178,6 +197,85 @@ struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size) } EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf);
+struct tee_shm *tee_shm_register_fd(struct tee_context *ctx, int fd) +{
struct tee_shm_dmabuf_ref *ref;int rc;if (!tee_device_get(ctx->teedev))return ERR_PTR(-EINVAL);teedev_ctx_get(ctx);ref = kzalloc(sizeof(*ref), GFP_KERNEL);if (!ref) {rc = -ENOMEM;goto err_put_tee;}refcount_set(&ref->shm.refcount, 1);ref->shm.ctx = ctx;ref->shm.id = -1;ref->dmabuf = dma_buf_get(fd);if (IS_ERR(ref->dmabuf)) {rc = PTR_ERR(ref->dmabuf);goto err_put_dmabuf;}Hi,
Most of the gotos in the errors paths from here on look offset by one to me. Attempting to put a dmabuf after failing to get, detaching after failing to attach, unmapping after failing to map, removing an IDR after failing to allocate one.
You're right, I'll fix them.
Thanks, Jens
ref->attach = dma_buf_attach(ref->dmabuf, &ref->shm.ctx->teedev->dev);if (IS_ERR(ref->attach)) {rc = PTR_ERR(ref->attach);goto err_detach;}ref->sgt = dma_buf_map_attachment(ref->attach, DMA_BIDIRECTIONAL);if (IS_ERR(ref->sgt)) {rc = PTR_ERR(ref->sgt);goto err_unmap_attachement;}if (sg_nents(ref->sgt->sgl) != 1) {rc = PTR_ERR(ref->sgt->sgl);goto err_unmap_attachement;}ref->shm.paddr = page_to_phys(sg_page(ref->sgt->sgl));ref->shm.size = ref->sgt->sgl->length;ref->shm.flags = TEE_SHM_DMA_BUF;mutex_lock(&ref->shm.ctx->teedev->mutex);ref->shm.id = idr_alloc(&ref->shm.ctx->teedev->idr, &ref->shm,1, 0, GFP_KERNEL);mutex_unlock(&ref->shm.ctx->teedev->mutex);if (ref->shm.id < 0) {rc = ref->shm.id;goto err_idr_remove;}return &ref->shm;+err_idr_remove:
mutex_lock(&ctx->teedev->mutex);idr_remove(&ctx->teedev->idr, ref->shm.id);mutex_unlock(&ctx->teedev->mutex);+err_unmap_attachement:
dma_buf_unmap_attachment(ref->attach, ref->sgt, DMA_BIDIRECTIONAL);+err_detach:
dma_buf_detach(ref->dmabuf, ref->attach);+err_put_dmabuf:
dma_buf_put(ref->dmabuf);kfree(ref);+err_put_tee:
teedev_ctx_put(ctx);tee_device_put(ctx->teedev);return ERR_PTR(rc);+} +EXPORT_SYMBOL_GPL(tee_shm_register_fd);
/**
- tee_shm_alloc_priv_buf() - Allocate shared memory for a privately shared
kernel bufferdiff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h index 71632e3c5f18..6a1fee689007 100644 --- a/include/linux/tee_drv.h +++ b/include/linux/tee_drv.h @@ -25,6 +25,7 @@ #define TEE_SHM_USER_MAPPED BIT(1) /* Memory mapped in user space */ #define TEE_SHM_POOL BIT(2) /* Memory allocated from pool */ #define TEE_SHM_PRIV BIT(3) /* Memory private to TEE driver */ +#define TEE_SHM_DMA_BUF BIT(4) /* Memory with dma-buf handle */
struct device; struct tee_device; @@ -275,6 +276,16 @@ void *tee_get_drvdata(struct tee_device *teedev); struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size); struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size);
+/**
- tee_shm_register_fd() - Register shared memory from file descriptor
- @ctx: Context that allocates the shared memory
- @fd: Shared memory file descriptor reference
- @returns a pointer to 'struct tee_shm' on success, and ERR_PTR on failure
- */
+struct tee_shm *tee_shm_register_fd(struct tee_context *ctx, int fd);
struct tee_shm *tee_shm_register_kernel_buf(struct tee_context *ctx, void *addr, size_t length);
diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h index 23e57164693c..77bc8ef24d3c 100644 --- a/include/uapi/linux/tee.h +++ b/include/uapi/linux/tee.h @@ -117,6 +117,35 @@ struct tee_ioctl_shm_alloc_data { #define TEE_IOC_SHM_ALLOC _IOWR(TEE_IOC_MAGIC, TEE_IOC_BASE + 1, \ struct tee_ioctl_shm_alloc_data)
+/**
- struct tee_ioctl_shm_register_fd_data - Shared memory registering argument
- @fd: [in] File descriptor identifying the shared memory
- @size: [out] Size of shared memory to allocate
- @flags: [in] Flags to/from allocation.
- @id: [out] Identifier of the shared memory
- The flags field should currently be zero as input. Updated by the call
- with actual flags as defined by TEE_IOCTL_SHM_* above.
- This structure is used as argument for TEE_IOC_SHM_REGISTER_FD below.
- */
+struct tee_ioctl_shm_register_fd_data {
__s64 fd;__u64 size;__u32 flags;__s32 id;+} __aligned(8);
+/**
- TEE_IOC_SHM_REGISTER_FD - register a shared memory from a file descriptor
- Returns a file descriptor on success or < 0 on failure
- The returned file descriptor refers to the shared memory object in kernel
- land. The shared memory is freed when the descriptor is closed.
- */
+#define TEE_IOC_SHM_REGISTER_FD _IOWR(TEE_IOC_MAGIC, TEE_IOC_BASE + 8, \
struct tee_ioctl_shm_register_fd_data)/**
- struct tee_ioctl_buf_data - Variable sized buffer
- @buf_ptr: [in] A __user pointer to a buffer
-- 2.34.1