From patchwork Fri Aug 23 18:48:49 2019
X-Patchwork-Submitter: Volodymyr Babchuk
X-Patchwork-Id: 11112221
From: Volodymyr Babchuk
To: "xen-devel@lists.xenproject.org"
Cc: "tee-dev@lists.linaro.org", Julien Grall, Stefano Stabellini, Volodymyr Babchuk
Subject: [Xen-devel] [PATCH 3/5] xen/arm: optee: limit number of shared buffers
Date: Fri, 23 Aug 2019 18:48:49 +0000
Message-ID: <20190823184826.14525-4-volodymyr_babchuk@epam.com>
References: <20190823184826.14525-1-volodymyr_babchuk@epam.com>
In-Reply-To: <20190823184826.14525-1-volodymyr_babchuk@epam.com>

We want to limit the number of shared buffers that a guest can register in OP-TEE. Every such buffer consumes XEN resources and we don't want a guest to exhaust XEN. So we choose an arbitrary limit for shared buffers.

Signed-off-by: Volodymyr Babchuk
--- xen/arch/arm/tee/optee.c | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c index a84ffa3089..3ce6e7fa55 100644 
--- a/xen/arch/arm/tee/optee.c +++ b/xen/arch/arm/tee/optee.c @@ -83,6 +83,14 @@ */ #define MAX_SHM_BUFFER_PG 512 +/* + * Limits the number of shared buffers that guest can have at once. + * This is to prevent case, when guests tricks XEN into exhausting + * own memory by allocating zillions of one-byte buffers. Value is + * chosen arbitrary. + */ +#define MAX_SHM_BUFFER_COUNT 16 + #define OPTEE_KNOWN_NSEC_CAPS OPTEE_SMC_NSEC_CAP_UNIPROCESSOR #define OPTEE_KNOWN_SEC_CAPS (OPTEE_SMC_SEC_CAP_HAVE_RESERVED_SHM | \ OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM | \ @@ -144,6 +152,7 @@ struct optee_domain { struct list_head optee_shm_buf_list; atomic_t call_count; atomic_t optee_shm_buf_pages; + atomic_t optee_shm_buf_count; spinlock_t lock; }; @@ -231,6 +240,7 @@ static int optee_domain_init(struct domain *d) INIT_LIST_HEAD(&ctx->optee_shm_buf_list); atomic_set(&ctx->call_count, 0); atomic_set(&ctx->optee_shm_buf_pages, 0); + atomic_set(&ctx->optee_shm_buf_count, 0); spin_lock_init(&ctx->lock); d->arch.tee = ctx; @@ -479,23 +489,26 @@ static struct optee_shm_buf *allocate_optee_shm_buf(struct optee_domain *ctx, struct optee_shm_buf *optee_shm_buf, *optee_shm_buf_tmp; int old, new; int err_code; + int count; + + count = atomic_add_unless(&ctx->optee_shm_buf_count, 1, + MAX_SHM_BUFFER_COUNT); + if ( count == MAX_SHM_BUFFER_COUNT ) + return ERR_PTR(-ENOMEM); do { old = atomic_read(&ctx->optee_shm_buf_pages); new = old + pages_cnt; if ( new >= MAX_TOTAL_SMH_BUF_PG ) - return ERR_PTR(-ENOMEM); + { + err_code = -ENOMEM; + goto err_dec_cnt; + } } while ( unlikely(old != atomic_cmpxchg(&ctx->optee_shm_buf_pages, old, new)) ); - /* - * TODO: Guest can try to register many small buffers, thus, forcing - * XEN to allocate context for every buffer. Probably we need to - * limit not only total number of pages pinned but also number - * of buffer objects. - */ optee_shm_buf = xzalloc_bytes(sizeof(struct optee_shm_buf) + pages_cnt * sizeof(struct page *)); if ( !optee_shm_buf ) 
@@ -531,6 +544,8 @@ static struct optee_shm_buf *allocate_optee_shm_buf(struct optee_domain *ctx, err: xfree(optee_shm_buf); atomic_sub(pages_cnt, &ctx->optee_shm_buf_pages); +err_dec_cnt: + atomic_dec(&ctx->optee_shm_buf_count); return ERR_PTR(err_code); } @@ -573,6 +588,7 @@ static void free_optee_shm_buf(struct optee_domain *ctx, uint64_t cookie) free_pg_list(optee_shm_buf); atomic_sub(optee_shm_buf->page_cnt, &ctx->optee_shm_buf_pages); + atomic_dec(&ctx->optee_shm_buf_count); xfree(optee_shm_buf); }
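
Review bot: The comment above MAX_SHM_BUFFER_COUNT in the first hunk (@@ -83,6 +83,14 @@) does not say that the limit is per guest. The counter it guards is added to struct optee_domain, so 16 is a per-domain cap, and the comment should state that. While there, "when guests tricks XEN" should read "where a guest tricks XEN" and "chosen arbitrary" should read "chosen arbitrarily".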
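
Review bot: The check "if ( count == MAX_SHM_BUFFER_COUNT )" at the top of allocate_optee_shm_buf() (@@ -479,23 +489,26 @@) is only correct if atomic_add_unless() returns the previous counter value and not a success flag. Please add a one-line comment saying so, since the code does not make that obvious and a helper with boolean return semantics would silently turn the check into a no-op for any limit other than 1. Separately, the count limit and the page limit now both fail with -ENOMEM, so the two cases cannot be told apart when debugging a guest; a debug-level message on the count-limit path would help.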
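
Review bot: In the error path (@@ -531,6 +544,8 @@) the existing "err:" label now falls through into the new "err_dec_cnt:" label, which is what keeps the buffer count balanced for failures after the page accounting. That dependency is easy to break in a later edit, so a short comment at "err:" noting the intentional fall-through would be worth adding. The early return on the count limit correctly skips the decrement, because the counter was not incremented in that case.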