1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015, Linaro Limited
4 */
5 #include <linux/device.h>
6 #include <linux/slab.h>
7 #include <linux/uaccess.h>
8 #include "optee_private.h"
9
10 struct optee_supp_req {
11 struct list_head link;
12
13 bool in_queue;
14 u32 func;
15 u32 ret;
16 size_t num_params;
17 struct tee_param *param;
18
19 struct completion c;
20 };
21
optee_supp_init(struct optee_supp * supp)22 void optee_supp_init(struct optee_supp *supp)
23 {
24 memset(supp, 0, sizeof(*supp));
25 mutex_init(&supp->mutex);
26 init_completion(&supp->reqs_c);
27 idr_init(&supp->idr);
28 INIT_LIST_HEAD(&supp->reqs);
29 supp->req_id = -1;
30 }
31
optee_supp_uninit(struct optee_supp * supp)32 void optee_supp_uninit(struct optee_supp *supp)
33 {
34 mutex_destroy(&supp->mutex);
35 idr_destroy(&supp->idr);
36 }
37
optee_supp_release(struct optee_supp * supp)38 void optee_supp_release(struct optee_supp *supp)
39 {
40 int id;
41 struct optee_supp_req *req;
42 struct optee_supp_req *req_tmp;
43
44 mutex_lock(&supp->mutex);
45
46 /* Abort all request retrieved by supplicant */
47 idr_for_each_entry(&supp->idr, req, id) {
48 idr_remove(&supp->idr, id);
49 req->ret = TEEC_ERROR_COMMUNICATION;
50 complete(&req->c);
51 }
52
53 /* Abort all queued requests */
54 list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
55 list_del(&req->link);
56 req->in_queue = false;
57 req->ret = TEEC_ERROR_COMMUNICATION;
58 complete(&req->c);
59 }
60
61 supp->ctx = NULL;
62 supp->req_id = -1;
63
64 mutex_unlock(&supp->mutex);
65 }
66
67 /**
68 * optee_supp_thrd_req() - request service from supplicant
69 * @ctx: context doing the request
70 * @func: function requested
71 * @num_params: number of elements in @param array
72 * @param: parameters for function
73 *
74 * Returns result of operation to be passed to secure world
75 */
optee_supp_thrd_req(struct tee_context * ctx,u32 func,size_t num_params,struct tee_param * param)76 u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
77 struct tee_param *param)
78
79 {
80 struct optee *optee = tee_get_drvdata(ctx->teedev);
81 struct optee_supp *supp = &optee->supp;
82 struct optee_supp_req *req;
83 bool interruptable;
84 u32 ret;
85 unsigned long timeleft;
86 int id;
87 struct optee_supp_req *get_req;
88
89 /*
90 * Return in case there is no supplicant available and
91 * non-blocking request.
92 */
93 if (!supp->ctx && ctx->supp_nowait)
94 return TEEC_ERROR_COMMUNICATION;
95
96 req = kzalloc(sizeof(*req), GFP_KERNEL);
97 if (!req)
98 return TEEC_ERROR_OUT_OF_MEMORY;
99
100 init_completion(&req->c);
101 req->func = func;
102 req->num_params = num_params;
103 req->param = param;
104
105 /* Insert the request in the request list */
106 mutex_lock(&supp->mutex);
107 list_add_tail(&req->link, &supp->reqs);
108 req->in_queue = true;
109 mutex_unlock(&supp->mutex);
110
111 /* Tell an eventual waiter there's a new request */
112 complete(&supp->reqs_c);
113
114 /*
115 * Wait for supplicant to process and return result, once we've
116 * returned from wait_for_completion(&req->c) successfully we have
117 * exclusive access again.
118 */
119 while (wait_for_completion_interruptible(&req->c)) {
120 pr_err("Warning, Interrupting an RPC to supplicant!\n");
121 timeleft = wait_for_completion_timeout(&req->c, msecs_to_jiffies(2000));
122 if (timeleft) {
123 /* get completion, it means tee-supplicant is alive. */
124 break;
125 } else {
126 /* timeout, it means tee-supplicant is dead, interrupting an RPC. */
127 interruptable = true;
128 }
129
130 mutex_lock(&supp->mutex);
131 if (interruptable) {
132 /*
133 * There's no supplicant available and since the
134 * supp->mutex currently is held none can
135 * become available until the mutex released
136 * again.
137 *
138 * Interrupting an RPC to supplicant is only
139 * allowed as a way of slightly improving the user
140 * experience in case the supplicant hasn't been
141 * started yet. During normal operation the supplicant
142 * will serve all requests in a timely manner and
143 * interrupting then wouldn't make sense.
144 */
145 if (req->in_queue) {
146 list_del(&req->link);
147 req->in_queue = false;
148 }
149
150 idr_for_each_entry(&supp->idr, get_req, id) {
151 if (get_req == req) {
152 idr_remove(&supp->idr, id);
153 supp->req_id = -1;
154 break;
155 }
156 }
157 }
158 mutex_unlock(&supp->mutex);
159
160 if (interruptable) {
161 req->ret = TEEC_ERROR_COMMUNICATION;
162 break;
163 }
164 }
165
166 ret = req->ret;
167 kfree(req);
168
169 return ret;
170 }
171
supp_pop_entry(struct optee_supp * supp,int num_params,int * id)172 static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
173 int num_params, int *id)
174 {
175 struct optee_supp_req *req;
176
177 if (supp->req_id != -1) {
178 /*
179 * Supplicant should not mix synchronous and asnynchronous
180 * requests.
181 */
182 return ERR_PTR(-EINVAL);
183 }
184
185 if (list_empty(&supp->reqs))
186 return NULL;
187
188 req = list_first_entry(&supp->reqs, struct optee_supp_req, link);
189
190 if (num_params < req->num_params) {
191 /* Not enough room for parameters */
192 return ERR_PTR(-EINVAL);
193 }
194
195 *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
196 if (*id < 0)
197 return ERR_PTR(-ENOMEM);
198
199 list_del(&req->link);
200 req->in_queue = false;
201
202 return req;
203 }
204
supp_check_recv_params(size_t num_params,struct tee_param * params,size_t * num_meta)205 static int supp_check_recv_params(size_t num_params, struct tee_param *params,
206 size_t *num_meta)
207 {
208 size_t n;
209
210 if (!num_params)
211 return -EINVAL;
212
213 /*
214 * If there's memrefs we need to decrease those as they where
215 * increased earlier and we'll even refuse to accept any below.
216 */
217 for (n = 0; n < num_params; n++)
218 if (tee_param_is_memref(params + n) && params[n].u.memref.shm)
219 tee_shm_put(params[n].u.memref.shm);
220
221 /*
222 * We only expect parameters as TEE_IOCTL_PARAM_ATTR_TYPE_NONE with
223 * or without the TEE_IOCTL_PARAM_ATTR_META bit set.
224 */
225 for (n = 0; n < num_params; n++)
226 if (params[n].attr &&
227 params[n].attr != TEE_IOCTL_PARAM_ATTR_META)
228 return -EINVAL;
229
230 /* At most we'll need one meta parameter so no need to check for more */
231 if (params->attr == TEE_IOCTL_PARAM_ATTR_META)
232 *num_meta = 1;
233 else
234 *num_meta = 0;
235
236 return 0;
237 }
238
239 /**
240 * optee_supp_recv() - receive request for supplicant
241 * @ctx: context receiving the request
242 * @func: requested function in supplicant
243 * @num_params: number of elements allocated in @param, updated with number
244 * used elements
245 * @param: space for parameters for @func
246 *
247 * Returns 0 on success or <0 on failure
248 */
optee_supp_recv(struct tee_context * ctx,u32 * func,u32 * num_params,struct tee_param * param)249 int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
250 struct tee_param *param)
251 {
252 struct tee_device *teedev = ctx->teedev;
253 struct optee *optee = tee_get_drvdata(teedev);
254 struct optee_supp *supp = &optee->supp;
255 struct optee_supp_req *req = NULL;
256 int id;
257 size_t num_meta;
258 int rc;
259
260 rc = supp_check_recv_params(*num_params, param, &num_meta);
261 if (rc)
262 return rc;
263
264 while (true) {
265 mutex_lock(&supp->mutex);
266 req = supp_pop_entry(supp, *num_params - num_meta, &id);
267 mutex_unlock(&supp->mutex);
268
269 if (req) {
270 if (IS_ERR(req))
271 return PTR_ERR(req);
272 break;
273 }
274
275 /*
276 * If we didn't get a request we'll block in
277 * wait_for_completion() to avoid needless spinning.
278 *
279 * This is where supplicant will be hanging most of
280 * the time, let's make this interruptable so we
281 * can easily restart supplicant if needed.
282 */
283 if (wait_for_completion_interruptible(&supp->reqs_c))
284 return -ERESTARTSYS;
285 }
286
287 if (num_meta) {
288 /*
289 * tee-supplicant support meta parameters -> requsts can be
290 * processed asynchronously.
291 */
292 param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
293 TEE_IOCTL_PARAM_ATTR_META;
294 param->u.value.a = id;
295 param->u.value.b = 0;
296 param->u.value.c = 0;
297 } else {
298 mutex_lock(&supp->mutex);
299 supp->req_id = id;
300 mutex_unlock(&supp->mutex);
301 }
302
303 *func = req->func;
304 *num_params = req->num_params + num_meta;
305 memcpy(param + num_meta, req->param,
306 sizeof(struct tee_param) * req->num_params);
307
308 return 0;
309 }
310
supp_pop_req(struct optee_supp * supp,size_t num_params,struct tee_param * param,size_t * num_meta)311 static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
312 size_t num_params,
313 struct tee_param *param,
314 size_t *num_meta)
315 {
316 struct optee_supp_req *req;
317 int id;
318 size_t nm;
319 const u32 attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
320 TEE_IOCTL_PARAM_ATTR_META;
321
322 if (!num_params)
323 return ERR_PTR(-EINVAL);
324
325 if (supp->req_id == -1) {
326 if (param->attr != attr)
327 return ERR_PTR(-EINVAL);
328 id = param->u.value.a;
329 nm = 1;
330 } else {
331 id = supp->req_id;
332 nm = 0;
333 }
334
335 req = idr_find(&supp->idr, id);
336 if (!req)
337 return ERR_PTR(-ENOENT);
338
339 if ((num_params - nm) != req->num_params)
340 return ERR_PTR(-EINVAL);
341
342 idr_remove(&supp->idr, id);
343 supp->req_id = -1;
344 *num_meta = nm;
345
346 return req;
347 }
348
349 /**
350 * optee_supp_send() - send result of request from supplicant
351 * @ctx: context sending result
352 * @ret: return value of request
353 * @num_params: number of parameters returned
354 * @param: returned parameters
355 *
356 * Returns 0 on success or <0 on failure.
357 */
optee_supp_send(struct tee_context * ctx,u32 ret,u32 num_params,struct tee_param * param)358 int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
359 struct tee_param *param)
360 {
361 struct tee_device *teedev = ctx->teedev;
362 struct optee *optee = tee_get_drvdata(teedev);
363 struct optee_supp *supp = &optee->supp;
364 struct optee_supp_req *req;
365 size_t n;
366 size_t num_meta;
367
368 mutex_lock(&supp->mutex);
369 req = supp_pop_req(supp, num_params, param, &num_meta);
370 mutex_unlock(&supp->mutex);
371
372 if (IS_ERR(req)) {
373 /* Something is wrong, let supplicant restart. */
374 return PTR_ERR(req);
375 }
376
377 /* Update out and in/out parameters */
378 for (n = 0; n < req->num_params; n++) {
379 struct tee_param *p = req->param + n;
380
381 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
382 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
383 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
384 p->u.value.a = param[n + num_meta].u.value.a;
385 p->u.value.b = param[n + num_meta].u.value.b;
386 p->u.value.c = param[n + num_meta].u.value.c;
387 break;
388 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
389 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
390 p->u.memref.size = param[n + num_meta].u.memref.size;
391 break;
392 default:
393 break;
394 }
395 }
396 req->ret = ret;
397
398 /* Let the requesting thread continue */
399 complete(&req->c);
400
401 return 0;
402 }
403