Bugfix reference counter on file descriptor.
Before this, all shared memory allocations made from user space were only freed when the session was closed, because the refcount was one too high.
Signed-off-by: Jens Wiklander jens.wiklander@linaro.org
---
drivers/sec-hw/tee.c | 5 +++++
drivers/sec-hw/tee_shm.c | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/sec-hw/tee.c b/drivers/sec-hw/tee.c
index 4f4badb..28d8bc6 100644
--- a/drivers/sec-hw/tee.c
+++ b/drivers/sec-hw/tee.c
@@ -117,6 +117,11 @@ static long tee_ioctl_shm_alloc(struct tee_filp *teefilp,
 ret = -EFAULT;
 goto err;
 }
+ /*
+ * When user space closes the file descriptor the shared memory
+ * should be freed
+ */
+ tee_shm_put(shm);
 return 0;
 err:
 if (data.fd >= 0)
diff --git a/drivers/sec-hw/tee_shm.c b/drivers/sec-hw/tee_shm.c
index 61ca5aa..6050644 100644
--- a/drivers/sec-hw/tee_shm.c
+++ b/drivers/sec-hw/tee_shm.c
@@ -123,6 +123,7 @@ struct tee_shm *tee_shm_alloc(struct tee_device *teedev,
 ret = ERR_CAST(shm->dmabuf);
 goto err;
 }
+ get_dma_buf(shm->dmabuf);
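Review bot: The comment added above `tee_shm_put(shm)` in tee_ioctl_shm_alloc() says when the memory should be freed, but not which reference is dropped here or who owns the buffer afterwards. Assuming tee_shm_put() releases the reference obtained from tee_shm_alloc(), I would reword it to `/* Drop the allocation reference; the fd handed to user space now holds the only one, so shm must not be touched after this. */`. The `err:` path continues outside the hunk, so it should be confirmed that a failure after the fd exists releases the buffer exactly once; an unbalanced put there would presumably free memory the fd still refers to.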
 mutex = &teeshm_list_mutex;
 list_shm = &teeshm_list;
@@ -188,8 +189,6 @@ int tee_shm_fd(struct tee_shm *shm)
 return -EINVAL;
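Review bot: Taking the extra reference unconditionally with `get_dma_buf(shm->dmabuf)` in tee_shm_alloc(), while the tee_shm_fd() hunk removes the per-fd one, creates an ownership contract that is not written down anywhere: tee_shm_fd() now hands an already-held reference to the fd table. If tee_shm_fd() is called twice for one shm, or never called, the count no longer matches the number of owners, which would end in either a buffer that is never released or a free while the object is still in use. A comment at this line such as `/* Extra reference is consumed by the fd created in tee_shm_fd(), which must be called at most once per shm */` would state the rule. Neither function body is fully visible in these hunks, so callers that allocate without exporting an fd should be checked for a matching put.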
 fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
- if (fd >= 0)
- get_dma_buf(shm->dmabuf);
 return fd;
 }
 EXPORT_SYMBOL_GPL(tee_shm_fd);
@@ -391,8 +390,10 @@ struct tee_shm *tee_shm_get_from_fd(int fd)
 if (IS_ERR(dmabuf))
 return ERR_CAST(dmabuf);
- if (!is_shm_dma_buf(dmabuf))
+ if (!is_shm_dma_buf(dmabuf)) {
+ dma_buf_put(dmabuf);
 return ERR_PTR(-EINVAL);
+ }
 return dmabuf->priv;
 }
 EXPORT_SYMBOL_GPL(tee_shm_get_from_fd);
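Review bot: On the success path `return dmabuf->priv;` tee_shm_get_from_fd() still returns with the dma-buf reference held, and nothing at the function tells the caller to release it. The added `dma_buf_put(dmabuf)` on the rejection path indicates that the lookup above the hunk takes a reference, so I would add a kernel-doc line such as `Returns a tee_shm with a reference held; release it with tee_shm_put().` The start of the function lies outside the hunk, so the pairing release call should be confirmed against the rest of the file.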