1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015, Linaro Limited 4 */ 5 #include <linux/device.h> 6 #include <linux/slab.h> 7 #include <linux/uaccess.h> 8 #include "optee_private.h" 9 10 struct optee_supp_req { 11 struct list_head link; 12 13 bool in_queue; 14 u32 func; 15 u32 ret; 16 size_t num_params; 17 struct tee_param *param; 18 19 struct completion c; 20 }; 21 optee_supp_init(struct optee_supp * supp)22 void optee_supp_init(struct optee_supp *supp) 23 { 24 memset(supp, 0, sizeof(*supp)); 25 mutex_init(&supp->mutex); 26 init_completion(&supp->reqs_c); 27 idr_init(&supp->idr); 28 INIT_LIST_HEAD(&supp->reqs); 29 supp->req_id = -1; 30 } 31 optee_supp_uninit(struct optee_supp * supp)32 void optee_supp_uninit(struct optee_supp *supp) 33 { 34 mutex_destroy(&supp->mutex); 35 idr_destroy(&supp->idr); 36 } 37 optee_supp_release(struct optee_supp * supp)38 void optee_supp_release(struct optee_supp *supp) 39 { 40 int id; 41 struct optee_supp_req *req; 42 struct optee_supp_req *req_tmp; 43 44 mutex_lock(&supp->mutex); 45 46 /* Abort all request retrieved by supplicant */ 47 idr_for_each_entry(&supp->idr, req, id) { 48 idr_remove(&supp->idr, id); 49 req->ret = TEEC_ERROR_COMMUNICATION; 50 complete(&req->c); 51 } 52 53 /* Abort all queued requests */ 54 list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) { 55 list_del(&req->link); 56 req->in_queue = false; 57 req->ret = TEEC_ERROR_COMMUNICATION; 58 complete(&req->c); 59 } 60 61 supp->ctx = NULL; 62 supp->req_id = -1; 63 64 mutex_unlock(&supp->mutex); 65 } 66 67 /** 68 * optee_supp_thrd_req() - request service from supplicant 69 * @ctx: context doing the request 70 * @func: function requested 71 * @num_params: number of elements in @param array 72 * @param: parameters for function 73 * 74 * Returns result of operation to be passed to secure world 75 */ optee_supp_thrd_req(struct tee_context * ctx,u32 func,size_t num_params,struct tee_param * param)76 u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, 77 struct tee_param *param) 78 79 { 80 struct optee *optee = tee_get_drvdata(ctx->teedev); 81 struct optee_supp *supp = &optee->supp; 82 struct optee_supp_req *req; 83 u32 ret; 84 85 /* 86 * Return in case there is no supplicant available and 87 * non-blocking request. 88 */ 89 if (!supp->ctx && ctx->supp_nowait) 90 return TEEC_ERROR_COMMUNICATION; 91 92 req = kzalloc(sizeof(*req), GFP_KERNEL); 93 if (!req) 94 return TEEC_ERROR_OUT_OF_MEMORY; 95 96 init_completion(&req->c); 97 req->func = func; 98 req->num_params = num_params; 99 req->param = param; 100 101 /* Insert the request in the request list */ 102 mutex_lock(&supp->mutex); 103 list_add_tail(&req->link, &supp->reqs); 104 req->in_queue = true; 105 mutex_unlock(&supp->mutex); 106 107 /* Tell an eventual waiter there's a new request */ 108 complete(&supp->reqs_c); 109 110 /* 111 * Wait for supplicant to process and return result, once we've 112 * returned from wait_for_completion(&req->c) successfully we have 113 * exclusive access again. Allow the wait to be killable such that 114 * the wait doesn't turn into an indefinite state if the supplicant 115 * gets hung for some reason. 116 */ 117 if (wait_for_completion_killable(&req->c)) { 118 mutex_lock(&supp->mutex); 119 if (req->in_queue) { 120 list_del(&req->link); 121 req->in_queue = false; 122 } 123 mutex_unlock(&supp->mutex); 124 req->ret = TEEC_ERROR_COMMUNICATION; 125 } 126 127 ret = req->ret; 128 kfree(req); 129 130 return ret; 131 } 132 supp_pop_entry(struct optee_supp * supp,int num_params,int * id)133 static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, 134 int num_params, int *id) 135 { 136 struct optee_supp_req *req; 137 138 if (supp->req_id != -1) { 139 /* 140 * Supplicant should not mix synchronous and asnynchronous 141 * requests. 142 */ 143 return ERR_PTR(-EINVAL); 144 } 145 146 if (list_empty(&supp->reqs)) 147 return NULL; 148 149 req = list_first_entry(&supp->reqs, struct optee_supp_req, link); 150 151 if (num_params < req->num_params) { 152 /* Not enough room for parameters */ 153 return ERR_PTR(-EINVAL); 154 } 155 156 *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); 157 if (*id < 0) 158 return ERR_PTR(-ENOMEM); 159 160 list_del(&req->link); 161 req->in_queue = false; 162 163 return req; 164 } 165 supp_check_recv_params(size_t num_params,struct tee_param * params,size_t * num_meta)166 static int supp_check_recv_params(size_t num_params, struct tee_param *params, 167 size_t *num_meta) 168 { 169 size_t n; 170 171 if (!num_params) 172 return -EINVAL; 173 174 /* 175 * If there's memrefs we need to decrease those as they where 176 * increased earlier and we'll even refuse to accept any below. 177 */ 178 for (n = 0; n < num_params; n++) 179 if (tee_param_is_memref(params + n) && params[n].u.memref.shm) 180 tee_shm_put(params[n].u.memref.shm); 181 182 /* 183 * We only expect parameters as TEE_IOCTL_PARAM_ATTR_TYPE_NONE with 184 * or without the TEE_IOCTL_PARAM_ATTR_META bit set. 185 */ 186 for (n = 0; n < num_params; n++) 187 if (params[n].attr && 188 params[n].attr != TEE_IOCTL_PARAM_ATTR_META) 189 return -EINVAL; 190 191 /* At most we'll need one meta parameter so no need to check for more */ 192 if (params->attr == TEE_IOCTL_PARAM_ATTR_META) 193 *num_meta = 1; 194 else 195 *num_meta = 0; 196 197 return 0; 198 } 199 200 /** 201 * optee_supp_recv() - receive request for supplicant 202 * @ctx: context receiving the request 203 * @func: requested function in supplicant 204 * @num_params: number of elements allocated in @param, updated with number 205 * used elements 206 * @param: space for parameters for @func 207 * 208 * Returns 0 on success or <0 on failure 209 */ optee_supp_recv(struct tee_context * ctx,u32 * func,u32 * num_params,struct tee_param * param)210 int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, 211 struct tee_param *param) 212 { 213 struct tee_device *teedev = ctx->teedev; 214 struct optee *optee = tee_get_drvdata(teedev); 215 struct optee_supp *supp = &optee->supp; 216 struct optee_supp_req *req = NULL; 217 int id; 218 size_t num_meta; 219 int rc; 220 221 rc = supp_check_recv_params(*num_params, param, &num_meta); 222 if (rc) 223 return rc; 224 225 while (true) { 226 mutex_lock(&supp->mutex); 227 req = supp_pop_entry(supp, *num_params - num_meta, &id); 228 mutex_unlock(&supp->mutex); 229 230 if (req) { 231 if (IS_ERR(req)) 232 return PTR_ERR(req); 233 break; 234 } 235 236 /* 237 * If we didn't get a request we'll block in 238 * wait_for_completion() to avoid needless spinning. 239 * 240 * This is where supplicant will be hanging most of 241 * the time, let's make this interruptable so we 242 * can easily restart supplicant if needed. 243 */ 244 if (wait_for_completion_interruptible(&supp->reqs_c)) 245 return -ERESTARTSYS; 246 } 247 248 if (num_meta) { 249 /* 250 * tee-supplicant support meta parameters -> requsts can be 251 * processed asynchronously. 252 */ 253 param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | 254 TEE_IOCTL_PARAM_ATTR_META; 255 param->u.value.a = id; 256 param->u.value.b = 0; 257 param->u.value.c = 0; 258 } else { 259 mutex_lock(&supp->mutex); 260 supp->req_id = id; 261 mutex_unlock(&supp->mutex); 262 } 263 264 *func = req->func; 265 *num_params = req->num_params + num_meta; 266 memcpy(param + num_meta, req->param, 267 sizeof(struct tee_param) * req->num_params); 268 269 return 0; 270 } 271 supp_pop_req(struct optee_supp * supp,size_t num_params,struct tee_param * param,size_t * num_meta)272 static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, 273 size_t num_params, 274 struct tee_param *param, 275 size_t *num_meta) 276 { 277 struct optee_supp_req *req; 278 int id; 279 size_t nm; 280 const u32 attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | 281 TEE_IOCTL_PARAM_ATTR_META; 282 283 if (!num_params) 284 return ERR_PTR(-EINVAL); 285 286 if (supp->req_id == -1) { 287 if (param->attr != attr) 288 return ERR_PTR(-EINVAL); 289 id = param->u.value.a; 290 nm = 1; 291 } else { 292 id = supp->req_id; 293 nm = 0; 294 } 295 296 req = idr_find(&supp->idr, id); 297 if (!req) 298 return ERR_PTR(-ENOENT); 299 300 if ((num_params - nm) != req->num_params) 301 return ERR_PTR(-EINVAL); 302 303 idr_remove(&supp->idr, id); 304 supp->req_id = -1; 305 *num_meta = nm; 306 307 return req; 308 } 309 310 /** 311 * optee_supp_send() - send result of request from supplicant 312 * @ctx: context sending result 313 * @ret: return value of request 314 * @num_params: number of parameters returned 315 * @param: returned parameters 316 * 317 * Returns 0 on success or <0 on failure. 318 */ optee_supp_send(struct tee_context * ctx,u32 ret,u32 num_params,struct tee_param * param)319 int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, 320 struct tee_param *param) 321 { 322 struct tee_device *teedev = ctx->teedev; 323 struct optee *optee = tee_get_drvdata(teedev); 324 struct optee_supp *supp = &optee->supp; 325 struct optee_supp_req *req; 326 size_t n; 327 size_t num_meta; 328 329 mutex_lock(&supp->mutex); 330 req = supp_pop_req(supp, num_params, param, &num_meta); 331 mutex_unlock(&supp->mutex); 332 333 if (IS_ERR(req)) { 334 /* Something is wrong, let supplicant restart. */ 335 return PTR_ERR(req); 336 } 337 338 /* Update out and in/out parameters */ 339 for (n = 0; n < req->num_params; n++) { 340 struct tee_param *p = req->param + n; 341 342 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 343 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 344 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 345 p->u.value.a = param[n + num_meta].u.value.a; 346 p->u.value.b = param[n + num_meta].u.value.b; 347 p->u.value.c = param[n + num_meta].u.value.c; 348 break; 349 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 350 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 351 p->u.memref.size = param[n + num_meta].u.memref.size; 352 break; 353 default: 354 break; 355 } 356 } 357 req->ret = ret; 358 359 /* Let the requesting thread continue */ 360 complete(&req->c); 361 362 return 0; 363 } 364