]>
Commit | Line | Data |
---|---|---|
967c9cca JW |
1 | /* |
2 | * Copyright (c) 2015-2016, Linaro Limited | |
3 | * | |
4 | * This software is licensed under the terms of the GNU General Public | |
5 | * License version 2, as published by the Free Software Foundation, and | |
6 | * may be copied, distributed, and modified under those terms. | |
7 | * | |
8 | * This program is distributed in the hope that it will be useful, | |
9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
11 | * GNU General Public License for more details. | |
12 | * | |
13 | */ | |
14 | ||
15 | #define pr_fmt(fmt) "%s: " fmt, __func__ | |
16 | ||
17 | #include <linux/cdev.h> | |
18 | #include <linux/device.h> | |
19 | #include <linux/fs.h> | |
20 | #include <linux/idr.h> | |
21 | #include <linux/module.h> | |
22 | #include <linux/slab.h> | |
23 | #include <linux/tee_drv.h> | |
24 | #include <linux/uaccess.h> | |
25 | #include "tee_private.h" | |
26 | ||
27 | #define TEE_NUM_DEVICES 32 | |
28 | ||
29 | #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) | |
30 | ||
31 | /* | |
32 | * Unprivileged devices in the lower half range and privileged devices in | |
33 | * the upper half range. | |
34 | */ | |
35 | static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); | |
36 | static DEFINE_SPINLOCK(driver_lock); | |
37 | ||
38 | static struct class *tee_class; | |
39 | static dev_t tee_devt; | |
40 | ||
41 | static int tee_open(struct inode *inode, struct file *filp) | |
42 | { | |
43 | int rc; | |
44 | struct tee_device *teedev; | |
45 | struct tee_context *ctx; | |
46 | ||
47 | teedev = container_of(inode->i_cdev, struct tee_device, cdev); | |
48 | if (!tee_device_get(teedev)) | |
49 | return -EINVAL; | |
50 | ||
51 | ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); | |
52 | if (!ctx) { | |
53 | rc = -ENOMEM; | |
54 | goto err; | |
55 | } | |
56 | ||
57 | ctx->teedev = teedev; | |
58 | INIT_LIST_HEAD(&ctx->list_shm); | |
59 | filp->private_data = ctx; | |
60 | rc = teedev->desc->ops->open(ctx); | |
61 | if (rc) | |
62 | goto err; | |
63 | ||
64 | return 0; | |
65 | err: | |
66 | kfree(ctx); | |
67 | tee_device_put(teedev); | |
68 | return rc; | |
69 | } | |
70 | ||
71 | static int tee_release(struct inode *inode, struct file *filp) | |
72 | { | |
73 | struct tee_context *ctx = filp->private_data; | |
74 | struct tee_device *teedev = ctx->teedev; | |
75 | struct tee_shm *shm; | |
76 | ||
77 | ctx->teedev->desc->ops->release(ctx); | |
78 | mutex_lock(&ctx->teedev->mutex); | |
79 | list_for_each_entry(shm, &ctx->list_shm, link) | |
80 | shm->ctx = NULL; | |
81 | mutex_unlock(&ctx->teedev->mutex); | |
82 | kfree(ctx); | |
83 | tee_device_put(teedev); | |
84 | return 0; | |
85 | } | |
86 | ||
87 | static int tee_ioctl_version(struct tee_context *ctx, | |
88 | struct tee_ioctl_version_data __user *uvers) | |
89 | { | |
90 | struct tee_ioctl_version_data vers; | |
91 | ||
92 | ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); | |
059cf566 JW |
93 | |
94 | if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) | |
95 | vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; | |
96 | ||
967c9cca JW |
97 | if (copy_to_user(uvers, &vers, sizeof(vers))) |
98 | return -EFAULT; | |
059cf566 | 99 | |
967c9cca JW |
100 | return 0; |
101 | } | |
102 | ||
103 | static int tee_ioctl_shm_alloc(struct tee_context *ctx, | |
104 | struct tee_ioctl_shm_alloc_data __user *udata) | |
105 | { | |
106 | long ret; | |
107 | struct tee_ioctl_shm_alloc_data data; | |
108 | struct tee_shm *shm; | |
109 | ||
110 | if (copy_from_user(&data, udata, sizeof(data))) | |
111 | return -EFAULT; | |
112 | ||
113 | /* Currently no input flags are supported */ | |
114 | if (data.flags) | |
115 | return -EINVAL; | |
116 | ||
117 | data.id = -1; | |
118 | ||
119 | shm = tee_shm_alloc(ctx, data.size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF); | |
120 | if (IS_ERR(shm)) | |
121 | return PTR_ERR(shm); | |
122 | ||
123 | data.id = shm->id; | |
124 | data.flags = shm->flags; | |
125 | data.size = shm->size; | |
126 | ||
127 | if (copy_to_user(udata, &data, sizeof(data))) | |
128 | ret = -EFAULT; | |
129 | else | |
130 | ret = tee_shm_get_fd(shm); | |
131 | ||
132 | /* | |
133 | * When user space closes the file descriptor the shared memory | |
134 | * should be freed or if tee_shm_get_fd() failed then it will | |
135 | * be freed immediately. | |
136 | */ | |
137 | tee_shm_put(shm); | |
138 | return ret; | |
139 | } | |
140 | ||
141 | static int params_from_user(struct tee_context *ctx, struct tee_param *params, | |
142 | size_t num_params, | |
143 | struct tee_ioctl_param __user *uparams) | |
144 | { | |
145 | size_t n; | |
146 | ||
147 | for (n = 0; n < num_params; n++) { | |
148 | struct tee_shm *shm; | |
149 | struct tee_ioctl_param ip; | |
150 | ||
151 | if (copy_from_user(&ip, uparams + n, sizeof(ip))) | |
152 | return -EFAULT; | |
153 | ||
154 | /* All unused attribute bits has to be zero */ | |
155 | if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK) | |
156 | return -EINVAL; | |
157 | ||
158 | params[n].attr = ip.attr; | |
159 | switch (ip.attr) { | |
160 | case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: | |
161 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: | |
162 | break; | |
163 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: | |
164 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: | |
165 | params[n].u.value.a = ip.a; | |
166 | params[n].u.value.b = ip.b; | |
167 | params[n].u.value.c = ip.c; | |
168 | break; | |
169 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: | |
170 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: | |
171 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: | |
172 | /* | |
173 | * If we fail to get a pointer to a shared memory | |
174 | * object (and increase the ref count) from an | |
175 | * identifier we return an error. All pointers that | |
176 | * has been added in params have an increased ref | |
177 | * count. It's the callers responibility to do | |
178 | * tee_shm_put() on all resolved pointers. | |
179 | */ | |
180 | shm = tee_shm_get_from_id(ctx, ip.c); | |
181 | if (IS_ERR(shm)) | |
182 | return PTR_ERR(shm); | |
183 | ||
0135a915 EC |
184 | /* |
185 | * Ensure offset + size does not overflow offset | |
186 | * and does not overflow the size of the referred | |
187 | * shared memory object. | |
188 | */ | |
189 | if ((ip.a + ip.b) < ip.a || | |
190 | (ip.a + ip.b) > shm->size) { | |
191 | tee_shm_put(shm); | |
192 | return -EINVAL; | |
193 | } | |
194 | ||
967c9cca JW |
195 | params[n].u.memref.shm_offs = ip.a; |
196 | params[n].u.memref.size = ip.b; | |
197 | params[n].u.memref.shm = shm; | |
198 | break; | |
199 | default: | |
200 | /* Unknown attribute */ | |
201 | return -EINVAL; | |
202 | } | |
203 | } | |
204 | return 0; | |
205 | } | |
206 | ||
207 | static int params_to_user(struct tee_ioctl_param __user *uparams, | |
208 | size_t num_params, struct tee_param *params) | |
209 | { | |
210 | size_t n; | |
211 | ||
212 | for (n = 0; n < num_params; n++) { | |
213 | struct tee_ioctl_param __user *up = uparams + n; | |
214 | struct tee_param *p = params + n; | |
215 | ||
216 | switch (p->attr) { | |
217 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: | |
218 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: | |
219 | if (put_user(p->u.value.a, &up->a) || | |
220 | put_user(p->u.value.b, &up->b) || | |
221 | put_user(p->u.value.c, &up->c)) | |
222 | return -EFAULT; | |
223 | break; | |
224 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: | |
225 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: | |
226 | if (put_user((u64)p->u.memref.size, &up->b)) | |
227 | return -EFAULT; | |
228 | default: | |
229 | break; | |
230 | } | |
231 | } | |
232 | return 0; | |
233 | } | |
234 | ||
235 | static bool param_is_memref(struct tee_param *param) | |
236 | { | |
237 | switch (param->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { | |
238 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: | |
239 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: | |
240 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: | |
241 | return true; | |
242 | default: | |
243 | return false; | |
244 | } | |
245 | } | |
246 | ||
247 | static int tee_ioctl_open_session(struct tee_context *ctx, | |
248 | struct tee_ioctl_buf_data __user *ubuf) | |
249 | { | |
250 | int rc; | |
251 | size_t n; | |
252 | struct tee_ioctl_buf_data buf; | |
253 | struct tee_ioctl_open_session_arg __user *uarg; | |
254 | struct tee_ioctl_open_session_arg arg; | |
255 | struct tee_ioctl_param __user *uparams = NULL; | |
256 | struct tee_param *params = NULL; | |
257 | bool have_session = false; | |
258 | ||
259 | if (!ctx->teedev->desc->ops->open_session) | |
260 | return -EINVAL; | |
261 | ||
262 | if (copy_from_user(&buf, ubuf, sizeof(buf))) | |
263 | return -EFAULT; | |
264 | ||
265 | if (buf.buf_len > TEE_MAX_ARG_SIZE || | |
266 | buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) | |
267 | return -EINVAL; | |
268 | ||
269 | uarg = u64_to_user_ptr(buf.buf_ptr); | |
270 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
271 | return -EFAULT; | |
272 | ||
273 | if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) | |
274 | return -EINVAL; | |
275 | ||
276 | if (arg.num_params) { | |
277 | params = kcalloc(arg.num_params, sizeof(struct tee_param), | |
278 | GFP_KERNEL); | |
279 | if (!params) | |
280 | return -ENOMEM; | |
281 | uparams = uarg->params; | |
282 | rc = params_from_user(ctx, params, arg.num_params, uparams); | |
283 | if (rc) | |
284 | goto out; | |
285 | } | |
286 | ||
287 | rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); | |
288 | if (rc) | |
289 | goto out; | |
290 | have_session = true; | |
291 | ||
292 | if (put_user(arg.session, &uarg->session) || | |
293 | put_user(arg.ret, &uarg->ret) || | |
294 | put_user(arg.ret_origin, &uarg->ret_origin)) { | |
295 | rc = -EFAULT; | |
296 | goto out; | |
297 | } | |
298 | rc = params_to_user(uparams, arg.num_params, params); | |
299 | out: | |
300 | /* | |
301 | * If we've succeeded to open the session but failed to communicate | |
302 | * it back to user space, close the session again to avoid leakage. | |
303 | */ | |
304 | if (rc && have_session && ctx->teedev->desc->ops->close_session) | |
305 | ctx->teedev->desc->ops->close_session(ctx, arg.session); | |
306 | ||
307 | if (params) { | |
308 | /* Decrease ref count for all valid shared memory pointers */ | |
309 | for (n = 0; n < arg.num_params; n++) | |
310 | if (param_is_memref(params + n) && | |
311 | params[n].u.memref.shm) | |
312 | tee_shm_put(params[n].u.memref.shm); | |
313 | kfree(params); | |
314 | } | |
315 | ||
316 | return rc; | |
317 | } | |
318 | ||
319 | static int tee_ioctl_invoke(struct tee_context *ctx, | |
320 | struct tee_ioctl_buf_data __user *ubuf) | |
321 | { | |
322 | int rc; | |
323 | size_t n; | |
324 | struct tee_ioctl_buf_data buf; | |
325 | struct tee_ioctl_invoke_arg __user *uarg; | |
326 | struct tee_ioctl_invoke_arg arg; | |
327 | struct tee_ioctl_param __user *uparams = NULL; | |
328 | struct tee_param *params = NULL; | |
329 | ||
330 | if (!ctx->teedev->desc->ops->invoke_func) | |
331 | return -EINVAL; | |
332 | ||
333 | if (copy_from_user(&buf, ubuf, sizeof(buf))) | |
334 | return -EFAULT; | |
335 | ||
336 | if (buf.buf_len > TEE_MAX_ARG_SIZE || | |
337 | buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) | |
338 | return -EINVAL; | |
339 | ||
340 | uarg = u64_to_user_ptr(buf.buf_ptr); | |
341 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
342 | return -EFAULT; | |
343 | ||
344 | if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) | |
345 | return -EINVAL; | |
346 | ||
347 | if (arg.num_params) { | |
348 | params = kcalloc(arg.num_params, sizeof(struct tee_param), | |
349 | GFP_KERNEL); | |
350 | if (!params) | |
351 | return -ENOMEM; | |
352 | uparams = uarg->params; | |
353 | rc = params_from_user(ctx, params, arg.num_params, uparams); | |
354 | if (rc) | |
355 | goto out; | |
356 | } | |
357 | ||
358 | rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); | |
359 | if (rc) | |
360 | goto out; | |
361 | ||
362 | if (put_user(arg.ret, &uarg->ret) || | |
363 | put_user(arg.ret_origin, &uarg->ret_origin)) { | |
364 | rc = -EFAULT; | |
365 | goto out; | |
366 | } | |
367 | rc = params_to_user(uparams, arg.num_params, params); | |
368 | out: | |
369 | if (params) { | |
370 | /* Decrease ref count for all valid shared memory pointers */ | |
371 | for (n = 0; n < arg.num_params; n++) | |
372 | if (param_is_memref(params + n) && | |
373 | params[n].u.memref.shm) | |
374 | tee_shm_put(params[n].u.memref.shm); | |
375 | kfree(params); | |
376 | } | |
377 | return rc; | |
378 | } | |
379 | ||
380 | static int tee_ioctl_cancel(struct tee_context *ctx, | |
381 | struct tee_ioctl_cancel_arg __user *uarg) | |
382 | { | |
383 | struct tee_ioctl_cancel_arg arg; | |
384 | ||
385 | if (!ctx->teedev->desc->ops->cancel_req) | |
386 | return -EINVAL; | |
387 | ||
388 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
389 | return -EFAULT; | |
390 | ||
391 | return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, | |
392 | arg.session); | |
393 | } | |
394 | ||
395 | static int | |
396 | tee_ioctl_close_session(struct tee_context *ctx, | |
397 | struct tee_ioctl_close_session_arg __user *uarg) | |
398 | { | |
399 | struct tee_ioctl_close_session_arg arg; | |
400 | ||
401 | if (!ctx->teedev->desc->ops->close_session) | |
402 | return -EINVAL; | |
403 | ||
404 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
405 | return -EFAULT; | |
406 | ||
407 | return ctx->teedev->desc->ops->close_session(ctx, arg.session); | |
408 | } | |
409 | ||
410 | static int params_to_supp(struct tee_context *ctx, | |
411 | struct tee_ioctl_param __user *uparams, | |
412 | size_t num_params, struct tee_param *params) | |
413 | { | |
414 | size_t n; | |
415 | ||
416 | for (n = 0; n < num_params; n++) { | |
417 | struct tee_ioctl_param ip; | |
418 | struct tee_param *p = params + n; | |
419 | ||
420 | ip.attr = p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK; | |
421 | switch (p->attr) { | |
422 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: | |
423 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: | |
424 | ip.a = p->u.value.a; | |
425 | ip.b = p->u.value.b; | |
426 | ip.c = p->u.value.c; | |
427 | break; | |
428 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: | |
429 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: | |
430 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: | |
431 | ip.b = p->u.memref.size; | |
432 | if (!p->u.memref.shm) { | |
433 | ip.a = 0; | |
434 | ip.c = (u64)-1; /* invalid shm id */ | |
435 | break; | |
436 | } | |
437 | ip.a = p->u.memref.shm_offs; | |
438 | ip.c = p->u.memref.shm->id; | |
439 | break; | |
440 | default: | |
441 | ip.a = 0; | |
442 | ip.b = 0; | |
443 | ip.c = 0; | |
444 | break; | |
445 | } | |
446 | ||
447 | if (copy_to_user(uparams + n, &ip, sizeof(ip))) | |
448 | return -EFAULT; | |
449 | } | |
450 | ||
451 | return 0; | |
452 | } | |
453 | ||
454 | static int tee_ioctl_supp_recv(struct tee_context *ctx, | |
455 | struct tee_ioctl_buf_data __user *ubuf) | |
456 | { | |
457 | int rc; | |
458 | struct tee_ioctl_buf_data buf; | |
459 | struct tee_iocl_supp_recv_arg __user *uarg; | |
460 | struct tee_param *params; | |
461 | u32 num_params; | |
462 | u32 func; | |
463 | ||
464 | if (!ctx->teedev->desc->ops->supp_recv) | |
465 | return -EINVAL; | |
466 | ||
467 | if (copy_from_user(&buf, ubuf, sizeof(buf))) | |
468 | return -EFAULT; | |
469 | ||
470 | if (buf.buf_len > TEE_MAX_ARG_SIZE || | |
471 | buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) | |
472 | return -EINVAL; | |
473 | ||
474 | uarg = u64_to_user_ptr(buf.buf_ptr); | |
475 | if (get_user(num_params, &uarg->num_params)) | |
476 | return -EFAULT; | |
477 | ||
478 | if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) | |
479 | return -EINVAL; | |
480 | ||
481 | params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); | |
482 | if (!params) | |
483 | return -ENOMEM; | |
484 | ||
485 | rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); | |
486 | if (rc) | |
487 | goto out; | |
488 | ||
489 | if (put_user(func, &uarg->func) || | |
490 | put_user(num_params, &uarg->num_params)) { | |
491 | rc = -EFAULT; | |
492 | goto out; | |
493 | } | |
494 | ||
495 | rc = params_to_supp(ctx, uarg->params, num_params, params); | |
496 | out: | |
497 | kfree(params); | |
498 | return rc; | |
499 | } | |
500 | ||
501 | static int params_from_supp(struct tee_param *params, size_t num_params, | |
502 | struct tee_ioctl_param __user *uparams) | |
503 | { | |
504 | size_t n; | |
505 | ||
506 | for (n = 0; n < num_params; n++) { | |
507 | struct tee_param *p = params + n; | |
508 | struct tee_ioctl_param ip; | |
509 | ||
510 | if (copy_from_user(&ip, uparams + n, sizeof(ip))) | |
511 | return -EFAULT; | |
512 | ||
513 | /* All unused attribute bits has to be zero */ | |
514 | if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK) | |
515 | return -EINVAL; | |
516 | ||
517 | p->attr = ip.attr; | |
518 | switch (ip.attr) { | |
519 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: | |
520 | case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: | |
521 | /* Only out and in/out values can be updated */ | |
522 | p->u.value.a = ip.a; | |
523 | p->u.value.b = ip.b; | |
524 | p->u.value.c = ip.c; | |
525 | break; | |
526 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: | |
527 | case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: | |
528 | /* | |
529 | * Only the size of the memref can be updated. | |
530 | * Since we don't have access to the original | |
531 | * parameters here, only store the supplied size. | |
532 | * The driver will copy the updated size into the | |
533 | * original parameters. | |
534 | */ | |
535 | p->u.memref.shm = NULL; | |
536 | p->u.memref.shm_offs = 0; | |
537 | p->u.memref.size = ip.b; | |
538 | break; | |
539 | default: | |
540 | memset(&p->u, 0, sizeof(p->u)); | |
541 | break; | |
542 | } | |
543 | } | |
544 | return 0; | |
545 | } | |
546 | ||
547 | static int tee_ioctl_supp_send(struct tee_context *ctx, | |
548 | struct tee_ioctl_buf_data __user *ubuf) | |
549 | { | |
550 | long rc; | |
551 | struct tee_ioctl_buf_data buf; | |
552 | struct tee_iocl_supp_send_arg __user *uarg; | |
553 | struct tee_param *params; | |
554 | u32 num_params; | |
555 | u32 ret; | |
556 | ||
557 | /* Not valid for this driver */ | |
558 | if (!ctx->teedev->desc->ops->supp_send) | |
559 | return -EINVAL; | |
560 | ||
561 | if (copy_from_user(&buf, ubuf, sizeof(buf))) | |
562 | return -EFAULT; | |
563 | ||
564 | if (buf.buf_len > TEE_MAX_ARG_SIZE || | |
565 | buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) | |
566 | return -EINVAL; | |
567 | ||
568 | uarg = u64_to_user_ptr(buf.buf_ptr); | |
569 | if (get_user(ret, &uarg->ret) || | |
570 | get_user(num_params, &uarg->num_params)) | |
571 | return -EFAULT; | |
572 | ||
573 | if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) | |
574 | return -EINVAL; | |
575 | ||
576 | params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); | |
577 | if (!params) | |
578 | return -ENOMEM; | |
579 | ||
580 | rc = params_from_supp(params, num_params, uarg->params); | |
581 | if (rc) | |
582 | goto out; | |
583 | ||
584 | rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); | |
585 | out: | |
586 | kfree(params); | |
587 | return rc; | |
588 | } | |
589 | ||
590 | static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |
591 | { | |
592 | struct tee_context *ctx = filp->private_data; | |
593 | void __user *uarg = (void __user *)arg; | |
594 | ||
595 | switch (cmd) { | |
596 | case TEE_IOC_VERSION: | |
597 | return tee_ioctl_version(ctx, uarg); | |
598 | case TEE_IOC_SHM_ALLOC: | |
599 | return tee_ioctl_shm_alloc(ctx, uarg); | |
600 | case TEE_IOC_OPEN_SESSION: | |
601 | return tee_ioctl_open_session(ctx, uarg); | |
602 | case TEE_IOC_INVOKE: | |
603 | return tee_ioctl_invoke(ctx, uarg); | |
604 | case TEE_IOC_CANCEL: | |
605 | return tee_ioctl_cancel(ctx, uarg); | |
606 | case TEE_IOC_CLOSE_SESSION: | |
607 | return tee_ioctl_close_session(ctx, uarg); | |
608 | case TEE_IOC_SUPPL_RECV: | |
609 | return tee_ioctl_supp_recv(ctx, uarg); | |
610 | case TEE_IOC_SUPPL_SEND: | |
611 | return tee_ioctl_supp_send(ctx, uarg); | |
612 | default: | |
613 | return -EINVAL; | |
614 | } | |
615 | } | |
616 | ||
617 | static const struct file_operations tee_fops = { | |
618 | .owner = THIS_MODULE, | |
619 | .open = tee_open, | |
620 | .release = tee_release, | |
621 | .unlocked_ioctl = tee_ioctl, | |
622 | .compat_ioctl = tee_ioctl, | |
623 | }; | |
624 | ||
625 | static void tee_release_device(struct device *dev) | |
626 | { | |
627 | struct tee_device *teedev = container_of(dev, struct tee_device, dev); | |
628 | ||
629 | spin_lock(&driver_lock); | |
630 | clear_bit(teedev->id, dev_mask); | |
631 | spin_unlock(&driver_lock); | |
632 | mutex_destroy(&teedev->mutex); | |
633 | idr_destroy(&teedev->idr); | |
634 | kfree(teedev); | |
635 | } | |
636 | ||
637 | /** | |
638 | * tee_device_alloc() - Allocate a new struct tee_device instance | |
639 | * @teedesc: Descriptor for this driver | |
640 | * @dev: Parent device for this device | |
641 | * @pool: Shared memory pool, NULL if not used | |
642 | * @driver_data: Private driver data for this device | |
643 | * | |
644 | * Allocates a new struct tee_device instance. The device is | |
645 | * removed by tee_device_unregister(). | |
646 | * | |
647 | * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure | |
648 | */ | |
649 | struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, | |
650 | struct device *dev, | |
651 | struct tee_shm_pool *pool, | |
652 | void *driver_data) | |
653 | { | |
654 | struct tee_device *teedev; | |
655 | void *ret; | |
656 | int rc; | |
657 | int offs = 0; | |
658 | ||
659 | if (!teedesc || !teedesc->name || !teedesc->ops || | |
660 | !teedesc->ops->get_version || !teedesc->ops->open || | |
661 | !teedesc->ops->release || !pool) | |
662 | return ERR_PTR(-EINVAL); | |
663 | ||
664 | teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); | |
665 | if (!teedev) { | |
666 | ret = ERR_PTR(-ENOMEM); | |
667 | goto err; | |
668 | } | |
669 | ||
670 | if (teedesc->flags & TEE_DESC_PRIVILEGED) | |
671 | offs = TEE_NUM_DEVICES / 2; | |
672 | ||
673 | spin_lock(&driver_lock); | |
674 | teedev->id = find_next_zero_bit(dev_mask, TEE_NUM_DEVICES, offs); | |
675 | if (teedev->id < TEE_NUM_DEVICES) | |
676 | set_bit(teedev->id, dev_mask); | |
677 | spin_unlock(&driver_lock); | |
678 | ||
679 | if (teedev->id >= TEE_NUM_DEVICES) { | |
680 | ret = ERR_PTR(-ENOMEM); | |
681 | goto err; | |
682 | } | |
683 | ||
684 | snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", | |
685 | teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", | |
686 | teedev->id - offs); | |
687 | ||
688 | teedev->dev.class = tee_class; | |
689 | teedev->dev.release = tee_release_device; | |
690 | teedev->dev.parent = dev; | |
691 | ||
692 | teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); | |
693 | ||
694 | rc = dev_set_name(&teedev->dev, "%s", teedev->name); | |
695 | if (rc) { | |
696 | ret = ERR_PTR(rc); | |
697 | goto err_devt; | |
698 | } | |
699 | ||
700 | cdev_init(&teedev->cdev, &tee_fops); | |
701 | teedev->cdev.owner = teedesc->owner; | |
702 | teedev->cdev.kobj.parent = &teedev->dev.kobj; | |
703 | ||
704 | dev_set_drvdata(&teedev->dev, driver_data); | |
705 | device_initialize(&teedev->dev); | |
706 | ||
707 | /* 1 as tee_device_unregister() does one final tee_device_put() */ | |
708 | teedev->num_users = 1; | |
709 | init_completion(&teedev->c_no_users); | |
710 | mutex_init(&teedev->mutex); | |
711 | idr_init(&teedev->idr); | |
712 | ||
713 | teedev->desc = teedesc; | |
714 | teedev->pool = pool; | |
715 | ||
716 | return teedev; | |
717 | err_devt: | |
718 | unregister_chrdev_region(teedev->dev.devt, 1); | |
719 | err: | |
720 | pr_err("could not register %s driver\n", | |
721 | teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); | |
722 | if (teedev && teedev->id < TEE_NUM_DEVICES) { | |
723 | spin_lock(&driver_lock); | |
724 | clear_bit(teedev->id, dev_mask); | |
725 | spin_unlock(&driver_lock); | |
726 | } | |
727 | kfree(teedev); | |
728 | return ret; | |
729 | } | |
730 | EXPORT_SYMBOL_GPL(tee_device_alloc); | |
731 | ||
732 | static ssize_t implementation_id_show(struct device *dev, | |
733 | struct device_attribute *attr, char *buf) | |
734 | { | |
735 | struct tee_device *teedev = container_of(dev, struct tee_device, dev); | |
736 | struct tee_ioctl_version_data vers; | |
737 | ||
738 | teedev->desc->ops->get_version(teedev, &vers); | |
739 | return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); | |
740 | } | |
741 | static DEVICE_ATTR_RO(implementation_id); | |
742 | ||
743 | static struct attribute *tee_dev_attrs[] = { | |
744 | &dev_attr_implementation_id.attr, | |
745 | NULL | |
746 | }; | |
747 | ||
748 | static const struct attribute_group tee_dev_group = { | |
749 | .attrs = tee_dev_attrs, | |
750 | }; | |
751 | ||
752 | /** | |
753 | * tee_device_register() - Registers a TEE device | |
754 | * @teedev: Device to register | |
755 | * | |
756 | * tee_device_unregister() need to be called to remove the @teedev if | |
757 | * this function fails. | |
758 | * | |
759 | * @returns < 0 on failure | |
760 | */ | |
761 | int tee_device_register(struct tee_device *teedev) | |
762 | { | |
763 | int rc; | |
764 | ||
765 | if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { | |
766 | dev_err(&teedev->dev, "attempt to register twice\n"); | |
767 | return -EINVAL; | |
768 | } | |
769 | ||
770 | rc = cdev_add(&teedev->cdev, teedev->dev.devt, 1); | |
771 | if (rc) { | |
772 | dev_err(&teedev->dev, | |
773 | "unable to cdev_add() %s, major %d, minor %d, err=%d\n", | |
774 | teedev->name, MAJOR(teedev->dev.devt), | |
775 | MINOR(teedev->dev.devt), rc); | |
776 | return rc; | |
777 | } | |
778 | ||
779 | rc = device_add(&teedev->dev); | |
780 | if (rc) { | |
781 | dev_err(&teedev->dev, | |
782 | "unable to device_add() %s, major %d, minor %d, err=%d\n", | |
783 | teedev->name, MAJOR(teedev->dev.devt), | |
784 | MINOR(teedev->dev.devt), rc); | |
785 | goto err_device_add; | |
786 | } | |
787 | ||
788 | rc = sysfs_create_group(&teedev->dev.kobj, &tee_dev_group); | |
789 | if (rc) { | |
790 | dev_err(&teedev->dev, | |
791 | "failed to create sysfs attributes, err=%d\n", rc); | |
792 | goto err_sysfs_create_group; | |
793 | } | |
794 | ||
795 | teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; | |
796 | return 0; | |
797 | ||
798 | err_sysfs_create_group: | |
799 | device_del(&teedev->dev); | |
800 | err_device_add: | |
801 | cdev_del(&teedev->cdev); | |
802 | return rc; | |
803 | } | |
804 | EXPORT_SYMBOL_GPL(tee_device_register); | |
805 | ||
806 | void tee_device_put(struct tee_device *teedev) | |
807 | { | |
808 | mutex_lock(&teedev->mutex); | |
809 | /* Shouldn't put in this state */ | |
810 | if (!WARN_ON(!teedev->desc)) { | |
811 | teedev->num_users--; | |
812 | if (!teedev->num_users) { | |
813 | teedev->desc = NULL; | |
814 | complete(&teedev->c_no_users); | |
815 | } | |
816 | } | |
817 | mutex_unlock(&teedev->mutex); | |
818 | } | |
819 | ||
820 | bool tee_device_get(struct tee_device *teedev) | |
821 | { | |
822 | mutex_lock(&teedev->mutex); | |
823 | if (!teedev->desc) { | |
824 | mutex_unlock(&teedev->mutex); | |
825 | return false; | |
826 | } | |
827 | teedev->num_users++; | |
828 | mutex_unlock(&teedev->mutex); | |
829 | return true; | |
830 | } | |
831 | ||
832 | /** | |
833 | * tee_device_unregister() - Removes a TEE device | |
834 | * @teedev: Device to unregister | |
835 | * | |
836 | * This function should be called to remove the @teedev even if | |
837 | * tee_device_register() hasn't been called yet. Does nothing if | |
838 | * @teedev is NULL. | |
839 | */ | |
840 | void tee_device_unregister(struct tee_device *teedev) | |
841 | { | |
842 | if (!teedev) | |
843 | return; | |
844 | ||
845 | if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { | |
846 | sysfs_remove_group(&teedev->dev.kobj, &tee_dev_group); | |
847 | cdev_del(&teedev->cdev); | |
848 | device_del(&teedev->dev); | |
849 | } | |
850 | ||
851 | tee_device_put(teedev); | |
852 | wait_for_completion(&teedev->c_no_users); | |
853 | ||
854 | /* | |
855 | * No need to take a mutex any longer now since teedev->desc was | |
856 | * set to NULL before teedev->c_no_users was completed. | |
857 | */ | |
858 | ||
859 | teedev->pool = NULL; | |
860 | ||
861 | put_device(&teedev->dev); | |
862 | } | |
863 | EXPORT_SYMBOL_GPL(tee_device_unregister); | |
864 | ||
865 | /** | |
866 | * tee_get_drvdata() - Return driver_data pointer | |
867 | * @teedev: Device containing the driver_data pointer | |
868 | * @returns the driver_data pointer supplied to tee_register(). | |
869 | */ | |
870 | void *tee_get_drvdata(struct tee_device *teedev) | |
871 | { | |
872 | return dev_get_drvdata(&teedev->dev); | |
873 | } | |
874 | EXPORT_SYMBOL_GPL(tee_get_drvdata); | |
875 | ||
876 | static int __init tee_init(void) | |
877 | { | |
878 | int rc; | |
879 | ||
880 | tee_class = class_create(THIS_MODULE, "tee"); | |
881 | if (IS_ERR(tee_class)) { | |
882 | pr_err("couldn't create class\n"); | |
883 | return PTR_ERR(tee_class); | |
884 | } | |
885 | ||
886 | rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); | |
887 | if (rc) { | |
888 | pr_err("failed to allocate char dev region\n"); | |
889 | class_destroy(tee_class); | |
890 | tee_class = NULL; | |
891 | } | |
892 | ||
893 | return rc; | |
894 | } | |
895 | ||
896 | static void __exit tee_exit(void) | |
897 | { | |
898 | class_destroy(tee_class); | |
899 | tee_class = NULL; | |
900 | unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); | |
901 | } | |
902 | ||
903 | subsys_initcall(tee_init); | |
904 | module_exit(tee_exit); | |
905 | ||
906 | MODULE_AUTHOR("Linaro"); | |
907 | MODULE_DESCRIPTION("TEE Driver"); | |
908 | MODULE_VERSION("1.0"); | |
909 | MODULE_LICENSE("GPL v2"); |