1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015, Linaro Limited
4 */
5 #include <linux/device.h>
6 #include <linux/slab.h>
7 #include <linux/uaccess.h>
8 #include "optee_private.h"
9
10 struct optee_supp_req {
11 struct list_head link;
12
13 bool in_queue;
14 u32 func;
15 u32 ret;
16 size_t num_params;
17 struct tee_param *param;
18
19 struct completion c;
20 };
21
optee_supp_init(struct optee_supp * supp)22 void optee_supp_init(struct optee_supp *supp)
23 {
24 memset(supp, 0, sizeof(*supp));
25 mutex_init(&supp->mutex);
26 init_completion(&supp->reqs_c);
27 idr_init(&supp->idr);
28 INIT_LIST_HEAD(&supp->reqs);
29 supp->req_id = -1;
30 }
31
optee_supp_uninit(struct optee_supp * supp)32 void optee_supp_uninit(struct optee_supp *supp)
33 {
34 mutex_destroy(&supp->mutex);
35 idr_destroy(&supp->idr);
36 }
37
optee_supp_release(struct optee_supp * supp)38 void optee_supp_release(struct optee_supp *supp)
39 {
40 int id;
41 struct optee_supp_req *req;
42 struct optee_supp_req *req_tmp;
43
44 mutex_lock(&supp->mutex);
45
46 /* Abort all request retrieved by supplicant */
47 idr_for_each_entry(&supp->idr, req, id) {
48 idr_remove(&supp->idr, id);
49 req->ret = TEEC_ERROR_COMMUNICATION;
50 complete(&req->c);
51 }
52
53 /* Abort all queued requests */
54 list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
55 list_del(&req->link);
56 req->in_queue = false;
57 req->ret = TEEC_ERROR_COMMUNICATION;
58 complete(&req->c);
59 }
60
61 supp->ctx = NULL;
62 supp->req_id = -1;
63
64 mutex_unlock(&supp->mutex);
65 }
66
67 /**
68 * optee_supp_thrd_req() - request service from supplicant
69 * @ctx: context doing the request
70 * @func: function requested
71 * @num_params: number of elements in @param array
72 * @param: parameters for function
73 *
74 * Returns result of operation to be passed to secure world
75 */
optee_supp_thrd_req(struct tee_context * ctx,u32 func,size_t num_params,struct tee_param * param)76 u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
77 struct tee_param *param)
78
79 {
80 struct optee *optee = tee_get_drvdata(ctx->teedev);
81 struct optee_supp *supp = &optee->supp;
82 struct optee_supp_req *req;
83 u32 ret;
84
85 /*
86 * Return in case there is no supplicant available and
87 * non-blocking request.
88 */
89 if (!supp->ctx && ctx->supp_nowait)
90 return TEEC_ERROR_COMMUNICATION;
91
92 req = kzalloc(sizeof(*req), GFP_KERNEL);
93 if (!req)
94 return TEEC_ERROR_OUT_OF_MEMORY;
95
96 init_completion(&req->c);
97 req->func = func;
98 req->num_params = num_params;
99 req->param = param;
100
101 /* Insert the request in the request list */
102 mutex_lock(&supp->mutex);
103 list_add_tail(&req->link, &supp->reqs);
104 req->in_queue = true;
105 mutex_unlock(&supp->mutex);
106
107 /* Tell an eventual waiter there's a new request */
108 complete(&supp->reqs_c);
109
110 /*
111 * Wait for supplicant to process and return result, once we've
112 * returned from wait_for_completion(&req->c) successfully we have
113 * exclusive access again. Allow the wait to be killable such that
114 * the wait doesn't turn into an indefinite state if the supplicant
115 * gets hung for some reason.
116 */
117 if (wait_for_completion_killable(&req->c)) {
118 mutex_lock(&supp->mutex);
119 if (req->in_queue) {
120 list_del(&req->link);
121 req->in_queue = false;
122 }
123 mutex_unlock(&supp->mutex);
124 req->ret = TEEC_ERROR_COMMUNICATION;
125 }
126
127 ret = req->ret;
128 kfree(req);
129
130 return ret;
131 }
132
supp_pop_entry(struct optee_supp * supp,int num_params,int * id)133 static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
134 int num_params, int *id)
135 {
136 struct optee_supp_req *req;
137
138 if (supp->req_id != -1) {
139 /*
140 * Supplicant should not mix synchronous and asnynchronous
141 * requests.
142 */
143 return ERR_PTR(-EINVAL);
144 }
145
146 if (list_empty(&supp->reqs))
147 return NULL;
148
149 req = list_first_entry(&supp->reqs, struct optee_supp_req, link);
150
151 if (num_params < req->num_params) {
152 /* Not enough room for parameters */
153 return ERR_PTR(-EINVAL);
154 }
155
156 *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
157 if (*id < 0)
158 return ERR_PTR(-ENOMEM);
159
160 list_del(&req->link);
161 req->in_queue = false;
162
163 return req;
164 }
165
supp_check_recv_params(size_t num_params,struct tee_param * params,size_t * num_meta)166 static int supp_check_recv_params(size_t num_params, struct tee_param *params,
167 size_t *num_meta)
168 {
169 size_t n;
170
171 if (!num_params)
172 return -EINVAL;
173
174 /*
175 * If there's memrefs we need to decrease those as they where
176 * increased earlier and we'll even refuse to accept any below.
177 */
178 for (n = 0; n < num_params; n++)
179 if (tee_param_is_memref(params + n) && params[n].u.memref.shm)
180 tee_shm_put(params[n].u.memref.shm);
181
182 /*
183 * We only expect parameters as TEE_IOCTL_PARAM_ATTR_TYPE_NONE with
184 * or without the TEE_IOCTL_PARAM_ATTR_META bit set.
185 */
186 for (n = 0; n < num_params; n++)
187 if (params[n].attr &&
188 params[n].attr != TEE_IOCTL_PARAM_ATTR_META)
189 return -EINVAL;
190
191 /* At most we'll need one meta parameter so no need to check for more */
192 if (params->attr == TEE_IOCTL_PARAM_ATTR_META)
193 *num_meta = 1;
194 else
195 *num_meta = 0;
196
197 return 0;
198 }
199
200 /**
201 * optee_supp_recv() - receive request for supplicant
202 * @ctx: context receiving the request
203 * @func: requested function in supplicant
204 * @num_params: number of elements allocated in @param, updated with number
205 * used elements
206 * @param: space for parameters for @func
207 *
208 * Returns 0 on success or <0 on failure
209 */
optee_supp_recv(struct tee_context * ctx,u32 * func,u32 * num_params,struct tee_param * param)210 int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
211 struct tee_param *param)
212 {
213 struct tee_device *teedev = ctx->teedev;
214 struct optee *optee = tee_get_drvdata(teedev);
215 struct optee_supp *supp = &optee->supp;
216 struct optee_supp_req *req = NULL;
217 int id;
218 size_t num_meta;
219 int rc;
220
221 rc = supp_check_recv_params(*num_params, param, &num_meta);
222 if (rc)
223 return rc;
224
225 while (true) {
226 mutex_lock(&supp->mutex);
227 req = supp_pop_entry(supp, *num_params - num_meta, &id);
228 mutex_unlock(&supp->mutex);
229
230 if (req) {
231 if (IS_ERR(req))
232 return PTR_ERR(req);
233 break;
234 }
235
236 /*
237 * If we didn't get a request we'll block in
238 * wait_for_completion() to avoid needless spinning.
239 *
240 * This is where supplicant will be hanging most of
241 * the time, let's make this interruptable so we
242 * can easily restart supplicant if needed.
243 */
244 if (wait_for_completion_interruptible(&supp->reqs_c))
245 return -ERESTARTSYS;
246 }
247
248 if (num_meta) {
249 /*
250 * tee-supplicant support meta parameters -> requsts can be
251 * processed asynchronously.
252 */
253 param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
254 TEE_IOCTL_PARAM_ATTR_META;
255 param->u.value.a = id;
256 param->u.value.b = 0;
257 param->u.value.c = 0;
258 } else {
259 mutex_lock(&supp->mutex);
260 supp->req_id = id;
261 mutex_unlock(&supp->mutex);
262 }
263
264 *func = req->func;
265 *num_params = req->num_params + num_meta;
266 memcpy(param + num_meta, req->param,
267 sizeof(struct tee_param) * req->num_params);
268
269 return 0;
270 }
271
supp_pop_req(struct optee_supp * supp,size_t num_params,struct tee_param * param,size_t * num_meta)272 static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
273 size_t num_params,
274 struct tee_param *param,
275 size_t *num_meta)
276 {
277 struct optee_supp_req *req;
278 int id;
279 size_t nm;
280 const u32 attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
281 TEE_IOCTL_PARAM_ATTR_META;
282
283 if (!num_params)
284 return ERR_PTR(-EINVAL);
285
286 if (supp->req_id == -1) {
287 if (param->attr != attr)
288 return ERR_PTR(-EINVAL);
289 id = param->u.value.a;
290 nm = 1;
291 } else {
292 id = supp->req_id;
293 nm = 0;
294 }
295
296 req = idr_find(&supp->idr, id);
297 if (!req)
298 return ERR_PTR(-ENOENT);
299
300 if ((num_params - nm) != req->num_params)
301 return ERR_PTR(-EINVAL);
302
303 idr_remove(&supp->idr, id);
304 supp->req_id = -1;
305 *num_meta = nm;
306
307 return req;
308 }
309
310 /**
311 * optee_supp_send() - send result of request from supplicant
312 * @ctx: context sending result
313 * @ret: return value of request
314 * @num_params: number of parameters returned
315 * @param: returned parameters
316 *
317 * Returns 0 on success or <0 on failure.
318 */
optee_supp_send(struct tee_context * ctx,u32 ret,u32 num_params,struct tee_param * param)319 int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
320 struct tee_param *param)
321 {
322 struct tee_device *teedev = ctx->teedev;
323 struct optee *optee = tee_get_drvdata(teedev);
324 struct optee_supp *supp = &optee->supp;
325 struct optee_supp_req *req;
326 size_t n;
327 size_t num_meta;
328
329 mutex_lock(&supp->mutex);
330 req = supp_pop_req(supp, num_params, param, &num_meta);
331 mutex_unlock(&supp->mutex);
332
333 if (IS_ERR(req)) {
334 /* Something is wrong, let supplicant restart. */
335 return PTR_ERR(req);
336 }
337
338 /* Update out and in/out parameters */
339 for (n = 0; n < req->num_params; n++) {
340 struct tee_param *p = req->param + n;
341
342 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
343 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
344 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
345 p->u.value.a = param[n + num_meta].u.value.a;
346 p->u.value.b = param[n + num_meta].u.value.b;
347 p->u.value.c = param[n + num_meta].u.value.c;
348 break;
349 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
350 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
351 p->u.memref.size = param[n + num_meta].u.memref.size;
352 break;
353 default:
354 break;
355 }
356 }
357 req->ret = ret;
358
359 /* Let the requesting thread continue */
360 complete(&req->c);
361
362 return 0;
363 }
364