    tee: optee: avoid possible double list_del() · 50efaf4b
    Zhizhou Zhang authored
    [ Upstream commit b2d102bd ]
    This bug occurs when:
    - a new request arrives, and one thread (let's call it A) is pending in
      optee_supp_req() with req->busy at its initial value, false.
    - tee-supplicant is killed, then optee_supp_release() is called. This
      function calls list_del(&req->link) and sets supp->ctx to NULL. It
      also wakes up process A.
    - process A continues: it first checks supp->ctx, which is NULL,
      then checks req->busy, which is false, and finally runs list_del(&req->link).
      This triggers a double list_del() and results in a kernel panic.
    To solve this problem, we rename req->busy to req->in_queue and
    associate it with the state of whether req is linked to supp->reqs. So we
    can just check req->in_queue to decide whether to call list_del()
    or not.
    Signed-off-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
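The sequence the commit describes, replayed as an added user-space model (not the driver's code): a stand-in intrusive list, a release path that unlinks pending requests, and a requester that decides on list_del() either from the old busy flag or from the new in_queue flag. The struct and field names mirror the commit message; the list helpers, supp_req_finish and run_scenario are assumptions made for this example.

```c
#include <stdbool.h>
/* Stand-in for the kernel's intrusive list (assumption: not <linux/list.h>). */
struct list_head { struct list_head *prev, *next; };
static void list_init(struct list_head *h) { h->prev = h->next = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
/* The real list_del() poisons the pointers so a second call faults; this one reports it. */
static bool list_del(struct list_head *n)
{
	if (!n->prev || !n->next)
		return false;	/* already unlinked: this is the double list_del() */
	n->prev->next = n->next; n->next->prev = n->prev;
	n->prev = n->next = 0;
	return true;
}
struct optee_supp { void *ctx; struct list_head reqs; };
struct optee_supp_req { struct list_head link; bool in_queue; };
/* Thread A queues its request; in_queue records that link is on supp->reqs. */
static void supp_req_enqueue(struct optee_supp *supp, struct optee_supp_req *req)
{ list_add_tail(&req->link, &supp->reqs); req->in_queue = true; }
/* tee-supplicant killed: unlink every pending request, clear in_queue, drop ctx
 * (the driver then complete()s each waiter, which is where thread A wakes up). */
static void supp_release(struct optee_supp *supp)
{
	struct list_head *p, *next;
	for (p = supp->reqs.next; p != &supp->reqs; p = next) {
		next = p->next;
		list_del(p);
		((struct optee_supp_req *)p)->in_queue = false;	/* link is first member */
	}
	supp->ctx = 0;
}
/* Thread A resumes; returns true if list_del() hit an already-unlinked node.
 * busy is the pre-fix flag, still false because the supplicant never popped A. */
static bool supp_req_finish(struct optee_supp *supp, struct optee_supp_req *req, bool fixed, bool busy)
{
	if (supp->ctx) return false;		/* supplicant alive: normal completion */
	if (fixed ? req->in_queue : !busy) {	/* old code consulted the wrong flag */
		req->in_queue = false;
		return !list_del(&req->link);
	}
	return false;
}
/* Replays the commit's sequence; returns true if a double list_del() happened. */
static bool run_scenario(bool fixed)
{
	int ctx; struct optee_supp supp = { .ctx = &ctx }; list_init(&supp.reqs);
	struct optee_supp_req req = { .in_queue = false };
	supp_req_enqueue(&supp, &req);	/* A pends in optee_supp_req() */
	supp_release(&supp);		/* supplicant dies, A is woken */
	return supp_req_finish(&supp, &req, fixed, false);
}
```

run_scenario(false) reproduces the pre-fix double delete, run_scenario(true) shows that checking only in_queue avoids it.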