1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2017, 2019-2021 Linaro Limited 4 */ 5 #include <linux/anon_inodes.h> 6 #include <linux/device.h> 7 #include <linux/dma-buf.h> 8 #include <linux/dma-mapping.h> 9 #include <linux/highmem.h> 10 #include <linux/idr.h> 11 #include <linux/io.h> 12 #include <linux/mm.h> 13 #include <linux/sched.h> 14 #include <linux/slab.h> 15 #include <linux/tee_core.h> 16 #include <linux/uaccess.h> 17 #include <linux/uio.h> 18 #include "tee_private.h" 19 20 struct tee_shm_dma_mem { 21 struct tee_shm shm; 22 dma_addr_t dma_addr; 23 struct page *page; 24 }; 25 26 static void release_registered_pages(struct tee_shm *shm) 27 { 28 if (shm->pages) { 29 if (shm->flags & TEE_SHM_USER_MAPPED) 30 unpin_user_pages(shm->pages, shm->num_pages); 31 32 kfree(shm->pages); 33 } 34 } 35 36 static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) 37 { 38 void *p = shm; 39 40 if (shm->flags & TEE_SHM_DMA_MEM) { 41 #if IS_ENABLED(CONFIG_TEE_DMABUF_HEAPS) 42 struct tee_shm_dma_mem *dma_mem; 43 44 dma_mem = container_of(shm, struct tee_shm_dma_mem, shm); 45 p = dma_mem; 46 dma_free_pages(&teedev->dev, shm->size, dma_mem->page, 47 dma_mem->dma_addr, DMA_BIDIRECTIONAL); 48 #endif 49 } else if (shm->flags & TEE_SHM_DMA_BUF) { 50 struct tee_shm_dmabuf_ref *ref; 51 52 ref = container_of(shm, struct tee_shm_dmabuf_ref, shm); 53 p = ref; 54 dma_buf_put(ref->dmabuf); 55 } else if (shm->flags & TEE_SHM_POOL) { 56 teedev->pool->ops->free(teedev->pool, shm); 57 } else if (shm->flags & TEE_SHM_DYNAMIC) { 58 int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm); 59 60 if (rc) 61 dev_err(teedev->dev.parent, 62 "unregister shm %p failed: %d", shm, rc); 63 64 release_registered_pages(shm); 65 } 66 67 teedev_ctx_put(shm->ctx); 68 69 kfree(p); 70 71 tee_device_put(teedev); 72 } 73 74 static struct tee_shm *shm_alloc_helper(struct tee_context *ctx, size_t size, 75 size_t align, u32 flags, int id) 76 { 77 struct tee_device *teedev = ctx->teedev; 78 struct tee_shm *shm; 79 void *ret; 80 int rc; 81 82 if (!tee_device_get(teedev)) 83 return ERR_PTR(-EINVAL); 84 85 if (!teedev->pool) { 86 /* teedev has been detached from driver */ 87 ret = ERR_PTR(-EINVAL); 88 goto err_dev_put; 89 } 90 91 shm = kzalloc_obj(*shm); 92 if (!shm) { 93 ret = ERR_PTR(-ENOMEM); 94 goto err_dev_put; 95 } 96 97 refcount_set(&shm->refcount, 1); 98 shm->flags = flags; 99 shm->id = id; 100 101 /* 102 * We're assigning this as it is needed if the shm is to be 103 * registered. If this function returns OK then the caller expected 104 * to call teedev_ctx_get() or clear shm->ctx in case it's not 105 * needed any longer. 106 */ 107 shm->ctx = ctx; 108 109 rc = teedev->pool->ops->alloc(teedev->pool, shm, size, align); 110 if (rc) { 111 ret = ERR_PTR(rc); 112 goto err_kfree; 113 } 114 115 teedev_ctx_get(ctx); 116 return shm; 117 err_kfree: 118 kfree(shm); 119 err_dev_put: 120 tee_device_put(teedev); 121 return ret; 122 } 123 124 /** 125 * tee_shm_alloc_user_buf() - Allocate shared memory for user space 126 * @ctx: Context that allocates the shared memory 127 * @size: Requested size of shared memory 128 * 129 * Memory allocated as user space shared memory is automatically freed when 130 * the TEE file pointer is closed. The primary usage of this function is 131 * when the TEE driver doesn't support registering ordinary user space 132 * memory. 133 * 134 * @returns a pointer to 'struct tee_shm' 135 */ 136 struct tee_shm *tee_shm_alloc_user_buf(struct tee_context *ctx, size_t size) 137 { 138 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL; 139 struct tee_device *teedev = ctx->teedev; 140 struct tee_shm *shm; 141 void *ret; 142 int id; 143 144 mutex_lock(&teedev->mutex); 145 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL); 146 mutex_unlock(&teedev->mutex); 147 if (id < 0) 148 return ERR_PTR(id); 149 150 shm = shm_alloc_helper(ctx, size, PAGE_SIZE, flags, id); 151 if (IS_ERR(shm)) { 152 mutex_lock(&teedev->mutex); 153 idr_remove(&teedev->idr, id); 154 mutex_unlock(&teedev->mutex); 155 return shm; 156 } 157 158 mutex_lock(&teedev->mutex); 159 ret = idr_replace(&teedev->idr, shm, id); 160 mutex_unlock(&teedev->mutex); 161 if (IS_ERR(ret)) { 162 tee_shm_free(shm); 163 return ret; 164 } 165 166 return shm; 167 } 168 169 /** 170 * tee_shm_alloc_kernel_buf() - Allocate shared memory for kernel buffer 171 * @ctx: Context that allocates the shared memory 172 * @size: Requested size of shared memory 173 * 174 * The returned memory registered in secure world and is suitable to be 175 * passed as a memory buffer in parameter argument to 176 * tee_client_invoke_func(). The memory allocated is later freed with a 177 * call to tee_shm_free(). 178 * 179 * @returns a pointer to 'struct tee_shm' on success, and ERR_PTR on failure 180 */ 181 struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size) 182 { 183 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL; 184 185 return shm_alloc_helper(ctx, size, PAGE_SIZE, flags, -1); 186 } 187 EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf); 188 189 struct tee_shm *tee_shm_register_fd(struct tee_context *ctx, int fd) 190 { 191 struct tee_shm_dmabuf_ref *ref; 192 int rc; 193 194 if (!tee_device_get(ctx->teedev)) 195 return ERR_PTR(-EINVAL); 196 197 teedev_ctx_get(ctx); 198 199 ref = kzalloc_obj(*ref); 200 if (!ref) { 201 rc = -ENOMEM; 202 goto err_put_tee; 203 } 204 205 refcount_set(&ref->shm.refcount, 1); 206 ref->shm.ctx = ctx; 207 ref->shm.id = -1; 208 ref->shm.flags = TEE_SHM_DMA_BUF; 209 210 ref->dmabuf = dma_buf_get(fd); 211 if (IS_ERR(ref->dmabuf)) { 212 rc = PTR_ERR(ref->dmabuf); 213 goto err_kfree_ref; 214 } 215 216 rc = tee_heap_update_from_dma_buf(ctx->teedev, ref->dmabuf, 217 &ref->offset, &ref->shm, 218 &ref->parent_shm); 219 if (rc) 220 goto err_put_dmabuf; 221 222 mutex_lock(&ref->shm.ctx->teedev->mutex); 223 ref->shm.id = idr_alloc(&ref->shm.ctx->teedev->idr, &ref->shm, 224 1, 0, GFP_KERNEL); 225 mutex_unlock(&ref->shm.ctx->teedev->mutex); 226 if (ref->shm.id < 0) { 227 rc = ref->shm.id; 228 goto err_put_dmabuf; 229 } 230 231 return &ref->shm; 232 233 err_put_dmabuf: 234 dma_buf_put(ref->dmabuf); 235 err_kfree_ref: 236 kfree(ref); 237 err_put_tee: 238 teedev_ctx_put(ctx); 239 tee_device_put(ctx->teedev); 240 241 return ERR_PTR(rc); 242 } 243 EXPORT_SYMBOL_GPL(tee_shm_register_fd); 244 245 /** 246 * tee_shm_alloc_priv_buf() - Allocate shared memory for a privately shared 247 * kernel buffer 248 * @ctx: Context that allocates the shared memory 249 * @size: Requested size of shared memory 250 * 251 * This function returns similar shared memory as 252 * tee_shm_alloc_kernel_buf(), but with the difference that the memory 253 * might not be registered in secure world in case the driver supports 254 * passing memory not registered in advance. 255 * 256 * This function should normally only be used internally in the TEE 257 * drivers. 258 * 259 * @returns a pointer to 'struct tee_shm' 260 */ 261 struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size) 262 { 263 u32 flags = TEE_SHM_PRIV | TEE_SHM_POOL; 264 265 return shm_alloc_helper(ctx, size, sizeof(long) * 2, flags, -1); 266 } 267 EXPORT_SYMBOL_GPL(tee_shm_alloc_priv_buf); 268 269 #if IS_ENABLED(CONFIG_TEE_DMABUF_HEAPS) 270 /** 271 * tee_shm_alloc_dma_mem() - Allocate DMA memory as shared memory object 272 * @ctx: Context that allocates the shared memory 273 * @page_count: Number of pages 274 * 275 * The allocated memory is expected to be lent (made inaccessible to the 276 * kernel) to the TEE while it's used and returned (accessible to the 277 * kernel again) before it's freed. 278 * 279 * This function should normally only be used internally in the TEE 280 * drivers. 281 * 282 * @returns a pointer to 'struct tee_shm' 283 */ 284 struct tee_shm *tee_shm_alloc_dma_mem(struct tee_context *ctx, 285 size_t page_count) 286 { 287 struct tee_device *teedev = ctx->teedev; 288 struct tee_shm_dma_mem *dma_mem; 289 dma_addr_t dma_addr; 290 struct page *page; 291 292 if (!tee_device_get(teedev)) 293 return ERR_PTR(-EINVAL); 294 295 page = dma_alloc_pages(&teedev->dev, page_count * PAGE_SIZE, 296 &dma_addr, DMA_BIDIRECTIONAL, GFP_KERNEL); 297 if (!page) 298 goto err_put_teedev; 299 300 dma_mem = kzalloc_obj(*dma_mem); 301 if (!dma_mem) 302 goto err_free_pages; 303 304 refcount_set(&dma_mem->shm.refcount, 1); 305 dma_mem->shm.ctx = ctx; 306 dma_mem->shm.paddr = page_to_phys(page); 307 dma_mem->dma_addr = dma_addr; 308 dma_mem->page = page; 309 dma_mem->shm.size = page_count * PAGE_SIZE; 310 dma_mem->shm.flags = TEE_SHM_DMA_MEM; 311 312 teedev_ctx_get(ctx); 313 314 return &dma_mem->shm; 315 316 err_free_pages: 317 dma_free_pages(&teedev->dev, page_count * PAGE_SIZE, page, dma_addr, 318 DMA_BIDIRECTIONAL); 319 err_put_teedev: 320 tee_device_put(teedev); 321 322 return ERR_PTR(-ENOMEM); 323 } 324 EXPORT_SYMBOL_GPL(tee_shm_alloc_dma_mem); 325 #else 326 struct tee_shm *tee_shm_alloc_dma_mem(struct tee_context *ctx, 327 size_t page_count) 328 { 329 return ERR_PTR(-EINVAL); 330 } 331 EXPORT_SYMBOL_GPL(tee_shm_alloc_dma_mem); 332 #endif 333 334 int tee_dyn_shm_alloc_helper(struct tee_shm *shm, size_t size, size_t align, 335 int (*shm_register)(struct tee_context *ctx, 336 struct tee_shm *shm, 337 struct page **pages, 338 size_t num_pages, 339 unsigned long start)) 340 { 341 size_t nr_pages = roundup(size, PAGE_SIZE) / PAGE_SIZE; 342 struct page **pages; 343 unsigned int i; 344 int rc = 0; 345 346 /* 347 * Ignore alignment since this is already going to be page aligned 348 * and there's no need for any larger alignment. 349 */ 350 shm->kaddr = alloc_pages_exact(nr_pages * PAGE_SIZE, 351 GFP_KERNEL | __GFP_ZERO); 352 if (!shm->kaddr) 353 return -ENOMEM; 354 355 shm->paddr = virt_to_phys(shm->kaddr); 356 shm->size = nr_pages * PAGE_SIZE; 357 358 pages = kzalloc_objs(*pages, nr_pages); 359 if (!pages) { 360 rc = -ENOMEM; 361 goto err_pages; 362 } 363 364 for (i = 0; i < nr_pages; i++) 365 pages[i] = virt_to_page((u8 *)shm->kaddr + i * PAGE_SIZE); 366 367 shm->pages = pages; 368 shm->num_pages = nr_pages; 369 370 if (shm_register) { 371 rc = shm_register(shm->ctx, shm, pages, nr_pages, 372 (unsigned long)shm->kaddr); 373 if (rc) 374 goto err_kfree; 375 } 376 377 return 0; 378 err_kfree: 379 kfree(pages); 380 err_pages: 381 free_pages_exact(shm->kaddr, shm->size); 382 shm->kaddr = NULL; 383 return rc; 384 } 385 EXPORT_SYMBOL_GPL(tee_dyn_shm_alloc_helper); 386 387 void tee_dyn_shm_free_helper(struct tee_shm *shm, 388 int (*shm_unregister)(struct tee_context *ctx, 389 struct tee_shm *shm)) 390 { 391 if (shm_unregister) 392 shm_unregister(shm->ctx, shm); 393 free_pages_exact(shm->kaddr, shm->size); 394 shm->kaddr = NULL; 395 kfree(shm->pages); 396 shm->pages = NULL; 397 } 398 EXPORT_SYMBOL_GPL(tee_dyn_shm_free_helper); 399 400 static struct tee_shm * 401 register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, 402 int id) 403 { 404 struct tee_device *teedev = ctx->teedev; 405 struct tee_shm *shm; 406 unsigned long start, addr; 407 size_t num_pages, off; 408 ssize_t len; 409 void *ret; 410 int rc; 411 412 if (!tee_device_get(teedev)) 413 return ERR_PTR(-EINVAL); 414 415 if (!teedev->desc->ops->shm_register || 416 !teedev->desc->ops->shm_unregister) { 417 ret = ERR_PTR(-ENOTSUPP); 418 goto err_dev_put; 419 } 420 421 teedev_ctx_get(ctx); 422 423 shm = kzalloc_obj(*shm); 424 if (!shm) { 425 ret = ERR_PTR(-ENOMEM); 426 goto err_ctx_put; 427 } 428 429 refcount_set(&shm->refcount, 1); 430 shm->flags = flags; 431 shm->ctx = ctx; 432 shm->id = id; 433 addr = untagged_addr((unsigned long)iter_iov_addr(iter)); 434 start = rounddown(addr, PAGE_SIZE); 435 num_pages = iov_iter_npages(iter, INT_MAX); 436 if (!num_pages) { 437 ret = ERR_PTR(-ENOMEM); 438 goto err_ctx_put; 439 } 440 441 shm->pages = kzalloc_objs(*shm->pages, num_pages); 442 if (!shm->pages) { 443 ret = ERR_PTR(-ENOMEM); 444 goto err_free_shm; 445 } 446 447 len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, 448 &off); 449 if (unlikely(len <= 0)) { 450 ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); 451 goto err_free_shm_pages; 452 } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { 453 /* 454 * If we only got a few pages, update to release the 455 * correct amount below. 456 */ 457 shm->num_pages = len / PAGE_SIZE; 458 ret = ERR_PTR(-ENOMEM); 459 goto err_put_shm_pages; 460 } 461 462 shm->offset = off; 463 shm->size = len; 464 shm->num_pages = num_pages; 465 466 rc = teedev->desc->ops->shm_register(ctx, shm, shm->pages, 467 shm->num_pages, start); 468 if (rc) { 469 ret = ERR_PTR(rc); 470 goto err_put_shm_pages; 471 } 472 473 return shm; 474 err_put_shm_pages: 475 if (!iov_iter_is_kvec(iter)) 476 unpin_user_pages(shm->pages, shm->num_pages); 477 err_free_shm_pages: 478 kfree(shm->pages); 479 err_free_shm: 480 kfree(shm); 481 err_ctx_put: 482 teedev_ctx_put(ctx); 483 err_dev_put: 484 tee_device_put(teedev); 485 return ret; 486 } 487 488 /** 489 * tee_shm_register_user_buf() - Register a userspace shared memory buffer 490 * @ctx: Context that registers the shared memory 491 * @addr: The userspace address of the shared buffer 492 * @length: Length of the shared buffer 493 * 494 * @returns a pointer to 'struct tee_shm' 495 */ 496 struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx, 497 unsigned long addr, size_t length) 498 { 499 u32 flags = TEE_SHM_USER_MAPPED | TEE_SHM_DYNAMIC; 500 struct tee_device *teedev = ctx->teedev; 501 struct tee_shm *shm; 502 struct iov_iter iter; 503 void *ret; 504 int id; 505 506 if (!access_ok((void __user *)addr, length)) 507 return ERR_PTR(-EFAULT); 508 509 mutex_lock(&teedev->mutex); 510 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL); 511 mutex_unlock(&teedev->mutex); 512 if (id < 0) 513 return ERR_PTR(id); 514 515 iov_iter_ubuf(&iter, ITER_DEST, (void __user *)addr, length); 516 shm = register_shm_helper(ctx, &iter, flags, id); 517 if (IS_ERR(shm)) { 518 mutex_lock(&teedev->mutex); 519 idr_remove(&teedev->idr, id); 520 mutex_unlock(&teedev->mutex); 521 return shm; 522 } 523 524 mutex_lock(&teedev->mutex); 525 ret = idr_replace(&teedev->idr, shm, id); 526 mutex_unlock(&teedev->mutex); 527 if (IS_ERR(ret)) { 528 tee_shm_free(shm); 529 return ret; 530 } 531 532 return shm; 533 } 534 535 /** 536 * tee_shm_register_kernel_buf() - Register kernel memory to be shared with 537 * secure world 538 * @ctx: Context that registers the shared memory 539 * @addr: The buffer 540 * @length: Length of the buffer 541 * 542 * @returns a pointer to 'struct tee_shm' 543 */ 544 545 struct tee_shm *tee_shm_register_kernel_buf(struct tee_context *ctx, 546 void *addr, size_t length) 547 { 548 u32 flags = TEE_SHM_DYNAMIC; 549 struct kvec kvec; 550 struct iov_iter iter; 551 552 kvec.iov_base = addr; 553 kvec.iov_len = length; 554 iov_iter_kvec(&iter, ITER_DEST, &kvec, 1, length); 555 556 return register_shm_helper(ctx, &iter, flags, -1); 557 } 558 EXPORT_SYMBOL_GPL(tee_shm_register_kernel_buf); 559 560 static int tee_shm_fop_release(struct inode *inode, struct file *filp) 561 { 562 tee_shm_put(filp->private_data); 563 return 0; 564 } 565 566 static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma) 567 { 568 struct tee_shm *shm = filp->private_data; 569 size_t size = vma->vm_end - vma->vm_start; 570 571 /* Refuse sharing shared memory provided by application */ 572 if (shm->flags & TEE_SHM_USER_MAPPED) 573 return -EINVAL; 574 /* Refuse sharing registered DMA_bufs with the application */ 575 if (shm->flags & TEE_SHM_DMA_BUF) 576 return -EINVAL; 577 578 /* check for overflowing the buffer's size */ 579 if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT) 580 return -EINVAL; 581 582 return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, 583 size, vma->vm_page_prot); 584 } 585 586 static const struct file_operations tee_shm_fops = { 587 .owner = THIS_MODULE, 588 .release = tee_shm_fop_release, 589 .mmap = tee_shm_fop_mmap, 590 }; 591 592 /** 593 * tee_shm_get_fd() - Increase reference count and return file descriptor 594 * @shm: Shared memory handle 595 * @returns user space file descriptor to shared memory 596 */ 597 int tee_shm_get_fd(struct tee_shm *shm) 598 { 599 int fd; 600 601 if (shm->id < 0) 602 return -EINVAL; 603 604 /* matched by tee_shm_put() in tee_shm_op_release() */ 605 refcount_inc(&shm->refcount); 606 fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR); 607 if (fd < 0) 608 tee_shm_put(shm); 609 return fd; 610 } 611 612 /** 613 * tee_shm_free() - Free shared memory 614 * @shm: Handle to shared memory to free 615 */ 616 void tee_shm_free(struct tee_shm *shm) 617 { 618 tee_shm_put(shm); 619 } 620 EXPORT_SYMBOL_GPL(tee_shm_free); 621 622 /** 623 * tee_shm_get_va() - Get virtual address of a shared memory plus an offset 624 * @shm: Shared memory handle 625 * @offs: Offset from start of this shared memory 626 * @returns virtual address of the shared memory + offs if offs is within 627 * the bounds of this shared memory, else an ERR_PTR 628 */ 629 void *tee_shm_get_va(struct tee_shm *shm, size_t offs) 630 { 631 if (!shm->kaddr) 632 return ERR_PTR(-EINVAL); 633 if (offs >= shm->size) 634 return ERR_PTR(-EINVAL); 635 return (char *)shm->kaddr + offs; 636 } 637 EXPORT_SYMBOL_GPL(tee_shm_get_va); 638 639 /** 640 * tee_shm_get_pa() - Get physical address of a shared memory plus an offset 641 * @shm: Shared memory handle 642 * @offs: Offset from start of this shared memory 643 * @pa: Physical address to return 644 * @returns 0 if offs is within the bounds of this shared memory, else an 645 * error code. 646 */ 647 int tee_shm_get_pa(struct tee_shm *shm, size_t offs, phys_addr_t *pa) 648 { 649 if (offs >= shm->size) 650 return -EINVAL; 651 if (pa) 652 *pa = shm->paddr + offs; 653 return 0; 654 } 655 EXPORT_SYMBOL_GPL(tee_shm_get_pa); 656 657 /** 658 * tee_shm_get_from_id() - Find shared memory object and increase reference 659 * count 660 * @ctx: Context owning the shared memory 661 * @id: Id of shared memory object 662 * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure 663 */ 664 struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id) 665 { 666 struct tee_device *teedev; 667 struct tee_shm *shm; 668 669 if (!ctx) 670 return ERR_PTR(-EINVAL); 671 672 teedev = ctx->teedev; 673 mutex_lock(&teedev->mutex); 674 shm = idr_find(&teedev->idr, id); 675 /* 676 * If the tee_shm was found in the IDR it must have a refcount 677 * larger than 0 due to the guarantee in tee_shm_put() below. So 678 * it's safe to use refcount_inc(). 679 */ 680 if (!shm || shm->ctx != ctx) 681 shm = ERR_PTR(-EINVAL); 682 else 683 refcount_inc(&shm->refcount); 684 mutex_unlock(&teedev->mutex); 685 return shm; 686 } 687 EXPORT_SYMBOL_GPL(tee_shm_get_from_id); 688 689 /** 690 * tee_shm_put() - Decrease reference count on a shared memory handle 691 * @shm: Shared memory handle 692 */ 693 void tee_shm_put(struct tee_shm *shm) 694 { 695 struct tee_device *teedev; 696 bool do_release = false; 697 698 if (!shm || !shm->ctx || !shm->ctx->teedev) 699 return; 700 701 teedev = shm->ctx->teedev; 702 mutex_lock(&teedev->mutex); 703 if (refcount_dec_and_test(&shm->refcount)) { 704 /* 705 * refcount has reached 0, we must now remove it from the 706 * IDR before releasing the mutex. This will guarantee that 707 * the refcount_inc() in tee_shm_get_from_id() never starts 708 * from 0. 709 */ 710 if (shm->id >= 0) 711 idr_remove(&teedev->idr, shm->id); 712 do_release = true; 713 } 714 mutex_unlock(&teedev->mutex); 715 716 if (do_release) 717 tee_shm_release(teedev, shm); 718 } 719 EXPORT_SYMBOL_GPL(tee_shm_put); 720