    tee: optee: avoid possible double list_del() · b2d102bd
    Zhizhou Zhang authored
    This bug occurs when:
    
    - a new request arrives, one thread (let's call it A) is pending in
      optee_supp_req() with req->busy at its initial value false.
    
    - tee-supplicant is killed, then optee_supp_release() is called. This
      function calls list_del(&req->link) and sets supp->ctx to NULL. It
      also wakes up process A.
    
    - process A continues: it first checks supp->ctx, which is NULL,
      then checks req->busy, which is false, and finally runs list_del(&req->link).
      This triggers a double list_del() and results in a kernel panic.
    
    To solve this problem, we rename req->busy to req->in_queue and
    associate it with the state of whether req is linked into supp->reqs. So we
    only need to check req->in_queue to decide whether to call list_del()
    or not.
    Signed-off-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
supp.c 9.07 KB
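The race described in the commit message, modelled in userland as an added example (this is not code from the OP-TEE driver or from the commit; `struct supp`, `struct supp_req`, `supp_release()` and `supp_req_wakeup()` are hypothetical stand-ins for the driver's structures and functions). A tiny kernel-style intrusive list is included so it runs stand-alone. The point shown is the fix's invariant: `in_queue` is true exactly while the request is linked into the queue, and both paths that may unlink it (supplicant release and the woken requester) check and clear that single flag, so `list_del()` runs once no matter which path gets there first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal userland model of a kernel-style intrusive doubly-linked list
 * (added illustration, not the kernel's list.h). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Like the kernel, poison the pointers after unlinking: a second list_del()
 * on the same node would dereference NULL, mirroring the reported panic. */
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = NULL; n->prev = NULL;
}

/* Hypothetical request and supplicant state, following the commit's description:
 * in_queue is true exactly while req->link is linked into supp->reqs. */
struct supp_req { struct list_head link; bool in_queue; };  /* link must stay first */
struct supp { struct list_head reqs; void *ctx; };

static void supp_req_queue(struct supp *s, struct supp_req *r) {
    list_add_tail(&r->link, &s->reqs);
    r->in_queue = true;
}

/* Path 1: tee-supplicant is killed and the supplicant is released. Every queued
 * request is unlinked, its in_queue flag cleared, and ctx set to NULL.
 * Returns the number of list_del() calls made. */
static int supp_release(struct supp *s) {
    int unlinked = 0;
    while (s->reqs.next != &s->reqs) {
        struct supp_req *r = (struct supp_req *)s->reqs.next;  /* link is first member */
        list_del(&r->link);
        r->in_queue = false;
        unlinked++;
    }
    s->ctx = NULL;
    return unlinked;
}

/* Path 2: the waiting requester (process A) wakes up. With the fix it consults
 * only in_queue, so it never unlinks a request that release already removed.
 * Returns true if it performed list_del(). */
static bool supp_req_wakeup(struct supp_req *r) {
    if (r->in_queue) {
        list_del(&r->link);
        r->in_queue = false;
        return true;
    }
    return false;
}

/* Scenario from the commit: queue a request, kill the supplicant (release runs
 * first), then wake A. Returns the total list_del() calls across both paths;
 * 1 means the double delete is avoided. */
int scenario_release_then_wakeup(void) {
    struct supp s;
    struct supp_req r;
    list_init(&s.reqs);
    s.ctx = &s;                       /* any non-NULL value stands in for a live ctx */
    supp_req_queue(&s, &r);
    int dels = supp_release(&s);      /* unlinks r, clears in_queue, ctx = NULL */
    if (supp_req_wakeup(&r)) dels++;  /* sees in_queue == false, does nothing */
    return dels;
}

/* Opposite ordering: A runs first and unlinks, then release finds an empty queue. */
int scenario_wakeup_then_release(void) {
    struct supp s;
    struct supp_req r;
    list_init(&s.reqs);
    s.ctx = &s;
    supp_req_queue(&s, &r);
    int dels = supp_req_wakeup(&r) ? 1 : 0;
    dels += supp_release(&s);
    return dels;
}

int main(void) {
    printf("release then wakeup: %d list_del() call(s)\n", scenario_release_then_wakeup());
    printf("wakeup then release: %d list_del() call(s)\n", scenario_wakeup_then_release());
    return 0;
}
```

Both orderings end with exactly one `list_del()` because the flag is cleared in the same step that unlinks the node; in the pre-fix code the requester's decision depended on `busy`, which release never touched, so the sequence in the first scenario unlinked twice.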