search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
[drm/drm-misc.git] / drivers / tee / tee_shm.c
blobdaf6e5cfd59ae2a5f98d56113d4c3e23ca175256
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015-2017, 2019-2021 Linaro Limited
4 */
5 #include <linux/anon_inodes.h>
6 #include <linux/device.h>
7 #include <linux/idr.h>
8 #include <linux/io.h>
9 #include <linux/mm.h>
10 #include <linux/sched.h>
11 #include <linux/slab.h>
12 #include <linux/tee_core.h>
13 #include <linux/uaccess.h>
14 #include <linux/uio.h>
15 #include <linux/highmem.h>
16 #include "tee_private.h"
17
18 static void shm_put_kernel_pages(struct page **pages, size_t page_count)
19 {
20 size_t n;
21
22 for (n = 0; n < page_count; n++)
23 put_page(pages[n]);
24 }
25
26 static void shm_get_kernel_pages(struct page **pages, size_t page_count)
27 {
28 size_t n;
29
30 for (n = 0; n < page_count; n++)
31 get_page(pages[n]);
32 }
33
34 static void release_registered_pages(struct tee_shm *shm)
35 {
36 if (shm->pages) {
37 if (shm->flags & TEE_SHM_USER_MAPPED)
38 unpin_user_pages(shm->pages, shm->num_pages);
39 else
40 shm_put_kernel_pages(shm->pages, shm->num_pages);
41
42 kfree(shm->pages);
43 }
44 }
45
46 static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm)
47 {
48 if (shm->flags & TEE_SHM_POOL) {
49 teedev->pool->ops->free(teedev->pool, shm);
50 } else if (shm->flags & TEE_SHM_DYNAMIC) {
51 int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm);
52
53 if (rc)
54 dev_err(teedev->dev.parent,
55 "unregister shm %p failed: %d", shm, rc);
56
57 release_registered_pages(shm);
58 }
59
60 teedev_ctx_put(shm->ctx);
61
62 kfree(shm);
63
64 tee_device_put(teedev);
65 }
66
67 static struct tee_shm *shm_alloc_helper(struct tee_context *ctx, size_t size,
68 size_t align, u32 flags, int id)
69 {
70 struct tee_device *teedev = ctx->teedev;
71 struct tee_shm *shm;
72 void *ret;
73 int rc;
74
75 if (!tee_device_get(teedev))
76 return ERR_PTR(-EINVAL);
77
78 if (!teedev->pool) {
79 /* teedev has been detached from driver */
80 ret = ERR_PTR(-EINVAL);
81 goto err_dev_put;
82 }
83
84 shm = kzalloc(sizeof(*shm), GFP_KERNEL);
85 if (!shm) {
86 ret = ERR_PTR(-ENOMEM);
87 goto err_dev_put;
88 }
89
90 refcount_set(&shm->refcount, 1);
91 shm->flags = flags;
92 shm->id = id;
93
94 /*
95 * We're assigning this as it is needed if the shm is to be
96 * registered. If this function returns OK then the caller expected
97 * to call teedev_ctx_get() or clear shm->ctx in case it's not
98 * needed any longer.
99 */
100 shm->ctx = ctx;
101
102 rc = teedev->pool->ops->alloc(teedev->pool, shm, size, align);
103 if (rc) {
104 ret = ERR_PTR(rc);
105 goto err_kfree;
106 }
107
108 teedev_ctx_get(ctx);
109 return shm;
110 err_kfree:
111 kfree(shm);
112 err_dev_put:
113 tee_device_put(teedev);
114 return ret;
115 }
116
117 /**
118 * tee_shm_alloc_user_buf() - Allocate shared memory for user space
119 * @ctx: Context that allocates the shared memory
120 * @size: Requested size of shared memory
121 *
122 * Memory allocated as user space shared memory is automatically freed when
123 * the TEE file pointer is closed. The primary usage of this function is
124 * when the TEE driver doesn't support registering ordinary user space
125 * memory.
126 *
127 * @returns a pointer to 'struct tee_shm'
128 */
129 struct tee_shm *tee_shm_alloc_user_buf(struct tee_context *ctx, size_t size)
130 {
131 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL;
132 struct tee_device *teedev = ctx->teedev;
133 struct tee_shm *shm;
134 void *ret;
135 int id;
136
137 mutex_lock(&teedev->mutex);
138 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL);
139 mutex_unlock(&teedev->mutex);
140 if (id < 0)
141 return ERR_PTR(id);
142
143 shm = shm_alloc_helper(ctx, size, PAGE_SIZE, flags, id);
144 if (IS_ERR(shm)) {
145 mutex_lock(&teedev->mutex);
146 idr_remove(&teedev->idr, id);
147 mutex_unlock(&teedev->mutex);
148 return shm;
149 }
150
151 mutex_lock(&teedev->mutex);
152 ret = idr_replace(&teedev->idr, shm, id);
153 mutex_unlock(&teedev->mutex);
154 if (IS_ERR(ret)) {
155 tee_shm_free(shm);
156 return ret;
157 }
158
159 return shm;
160 }
161
162 /**
163 * tee_shm_alloc_kernel_buf() - Allocate shared memory for kernel buffer
164 * @ctx: Context that allocates the shared memory
165 * @size: Requested size of shared memory
166 *
167 * The returned memory registered in secure world and is suitable to be
168 * passed as a memory buffer in parameter argument to
169 * tee_client_invoke_func(). The memory allocated is later freed with a
170 * call to tee_shm_free().
171 *
172 * @returns a pointer to 'struct tee_shm'
173 */
174 struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size)
175 {
176 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL;
177
178 return shm_alloc_helper(ctx, size, PAGE_SIZE, flags, -1);
179 }
180 EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf);
181
182 /**
183 * tee_shm_alloc_priv_buf() - Allocate shared memory for a privately shared
184 * kernel buffer
185 * @ctx: Context that allocates the shared memory
186 * @size: Requested size of shared memory
187 *
188 * This function returns similar shared memory as
189 * tee_shm_alloc_kernel_buf(), but with the difference that the memory
190 * might not be registered in secure world in case the driver supports
191 * passing memory not registered in advance.
192 *
193 * This function should normally only be used internally in the TEE
194 * drivers.
195 *
196 * @returns a pointer to 'struct tee_shm'
197 */
198 struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size)
199 {
200 u32 flags = TEE_SHM_PRIV | TEE_SHM_POOL;
201
202 return shm_alloc_helper(ctx, size, sizeof(long) * 2, flags, -1);
203 }
204 EXPORT_SYMBOL_GPL(tee_shm_alloc_priv_buf);
205
206 int tee_dyn_shm_alloc_helper(struct tee_shm *shm, size_t size, size_t align,
207 int (*shm_register)(struct tee_context *ctx,
208 struct tee_shm *shm,
209 struct page **pages,
210 size_t num_pages,
211 unsigned long start))
212 {
213 size_t nr_pages = roundup(size, PAGE_SIZE) / PAGE_SIZE;
214 struct page **pages;
215 unsigned int i;
216 int rc = 0;
217
218 /*
219 * Ignore alignment since this is already going to be page aligned
220 * and there's no need for any larger alignment.
221 */
222 shm->kaddr = alloc_pages_exact(nr_pages * PAGE_SIZE,
223 GFP_KERNEL | __GFP_ZERO);
224 if (!shm->kaddr)
225 return -ENOMEM;
226
227 shm->paddr = virt_to_phys(shm->kaddr);
228 shm->size = nr_pages * PAGE_SIZE;
229
230 pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
231 if (!pages) {
232 rc = -ENOMEM;
233 goto err;
234 }
235
236 for (i = 0; i < nr_pages; i++)
237 pages[i] = virt_to_page((u8 *)shm->kaddr + i * PAGE_SIZE);
238
239 shm->pages = pages;
240 shm->num_pages = nr_pages;
241
242 if (shm_register) {
243 rc = shm_register(shm->ctx, shm, pages, nr_pages,
244 (unsigned long)shm->kaddr);
245 if (rc)
246 goto err;
247 }
248
249 return 0;
250 err:
251 free_pages_exact(shm->kaddr, shm->size);
252 shm->kaddr = NULL;
253 return rc;
254 }
255 EXPORT_SYMBOL_GPL(tee_dyn_shm_alloc_helper);
256
257 void tee_dyn_shm_free_helper(struct tee_shm *shm,
258 int (*shm_unregister)(struct tee_context *ctx,
259 struct tee_shm *shm))
260 {
261 if (shm_unregister)
262 shm_unregister(shm->ctx, shm);
263 free_pages_exact(shm->kaddr, shm->size);
264 shm->kaddr = NULL;
265 kfree(shm->pages);
266 shm->pages = NULL;
267 }
268 EXPORT_SYMBOL_GPL(tee_dyn_shm_free_helper);
269
270 static struct tee_shm *
271 register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
272 int id)
273 {
274 struct tee_device *teedev = ctx->teedev;
275 struct tee_shm *shm;
276 unsigned long start, addr;
277 size_t num_pages, off;
278 ssize_t len;
279 void *ret;
280 int rc;
281
282 if (!tee_device_get(teedev))
283 return ERR_PTR(-EINVAL);
284
285 if (!teedev->desc->ops->shm_register ||
286 !teedev->desc->ops->shm_unregister) {
287 ret = ERR_PTR(-ENOTSUPP);
288 goto err_dev_put;
289 }
290
291 teedev_ctx_get(ctx);
292
293 shm = kzalloc(sizeof(*shm), GFP_KERNEL);
294 if (!shm) {
295 ret = ERR_PTR(-ENOMEM);
296 goto err_ctx_put;
297 }
298
299 refcount_set(&shm->refcount, 1);
300 shm->flags = flags;
301 shm->ctx = ctx;
302 shm->id = id;
303 addr = untagged_addr((unsigned long)iter_iov_addr(iter));
304 start = rounddown(addr, PAGE_SIZE);
305 num_pages = iov_iter_npages(iter, INT_MAX);
306 if (!num_pages) {
307 ret = ERR_PTR(-ENOMEM);
308 goto err_ctx_put;
309 }
310
311 shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
312 if (!shm->pages) {
313 ret = ERR_PTR(-ENOMEM);
314 goto err_free_shm;
315 }
316
317 len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0,
318 &off);
319 if (unlikely(len <= 0)) {
320 ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);
321 goto err_free_shm_pages;
322 }
323
324 /*
325 * iov_iter_extract_kvec_pages does not get reference on the pages,
326 * get a reference on them.
327 */
328 if (iov_iter_is_kvec(iter))
329 shm_get_kernel_pages(shm->pages, num_pages);
330
331 shm->offset = off;
332 shm->size = len;
333 shm->num_pages = num_pages;
334
335 rc = teedev->desc->ops->shm_register(ctx, shm, shm->pages,
336 shm->num_pages, start);
337 if (rc) {
338 ret = ERR_PTR(rc);
339 goto err_put_shm_pages;
340 }
341
342 return shm;
343 err_put_shm_pages:
344 if (!iov_iter_is_kvec(iter))
345 unpin_user_pages(shm->pages, shm->num_pages);
346 else
347 shm_put_kernel_pages(shm->pages, shm->num_pages);
348 err_free_shm_pages:
349 kfree(shm->pages);
350 err_free_shm:
351 kfree(shm);
352 err_ctx_put:
353 teedev_ctx_put(ctx);
354 err_dev_put:
355 tee_device_put(teedev);
356 return ret;
357 }
358
359 /**
360 * tee_shm_register_user_buf() - Register a userspace shared memory buffer
361 * @ctx: Context that registers the shared memory
362 * @addr: The userspace address of the shared buffer
363 * @length: Length of the shared buffer
364 *
365 * @returns a pointer to 'struct tee_shm'
366 */
367 struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx,
368 unsigned long addr, size_t length)
369 {
370 u32 flags = TEE_SHM_USER_MAPPED | TEE_SHM_DYNAMIC;
371 struct tee_device *teedev = ctx->teedev;
372 struct tee_shm *shm;
373 struct iov_iter iter;
374 void *ret;
375 int id;
376
377 if (!access_ok((void __user *)addr, length))
378 return ERR_PTR(-EFAULT);
379
380 mutex_lock(&teedev->mutex);
381 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL);
382 mutex_unlock(&teedev->mutex);
383 if (id < 0)
384 return ERR_PTR(id);
385
386 iov_iter_ubuf(&iter, ITER_DEST, (void __user *)addr, length);
387 shm = register_shm_helper(ctx, &iter, flags, id);
388 if (IS_ERR(shm)) {
389 mutex_lock(&teedev->mutex);
390 idr_remove(&teedev->idr, id);
391 mutex_unlock(&teedev->mutex);
392 return shm;
393 }
394
395 mutex_lock(&teedev->mutex);
396 ret = idr_replace(&teedev->idr, shm, id);
397 mutex_unlock(&teedev->mutex);
398 if (IS_ERR(ret)) {
399 tee_shm_free(shm);
400 return ret;
401 }
402
403 return shm;
404 }
405
406 /**
407 * tee_shm_register_kernel_buf() - Register kernel memory to be shared with
408 * secure world
409 * @ctx: Context that registers the shared memory
410 * @addr: The buffer
411 * @length: Length of the buffer
412 *
413 * @returns a pointer to 'struct tee_shm'
414 */
415
416 struct tee_shm *tee_shm_register_kernel_buf(struct tee_context *ctx,
417 void *addr, size_t length)
418 {
419 u32 flags = TEE_SHM_DYNAMIC;
420 struct kvec kvec;
421 struct iov_iter iter;
422
423 kvec.iov_base = addr;
424 kvec.iov_len = length;
425 iov_iter_kvec(&iter, ITER_DEST, &kvec, 1, length);
426
427 return register_shm_helper(ctx, &iter, flags, -1);
428 }
429 EXPORT_SYMBOL_GPL(tee_shm_register_kernel_buf);
430
431 static int tee_shm_fop_release(struct inode *inode, struct file *filp)
432 {
433 tee_shm_put(filp->private_data);
434 return 0;
435 }
436
437 static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma)
438 {
439 struct tee_shm *shm = filp->private_data;
440 size_t size = vma->vm_end - vma->vm_start;
441
442 /* Refuse sharing shared memory provided by application */
443 if (shm->flags & TEE_SHM_USER_MAPPED)
444 return -EINVAL;
445
446 /* check for overflowing the buffer's size */
447 if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT)
448 return -EINVAL;
449
450 return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT,
451 size, vma->vm_page_prot);
452 }
453
454 static const struct file_operations tee_shm_fops = {
455 .owner = THIS_MODULE,
456 .release = tee_shm_fop_release,
457 .mmap = tee_shm_fop_mmap,
458 };
459
460 /**
461 * tee_shm_get_fd() - Increase reference count and return file descriptor
462 * @shm: Shared memory handle
463 * @returns user space file descriptor to shared memory
464 */
465 int tee_shm_get_fd(struct tee_shm *shm)
466 {
467 int fd;
468
469 if (shm->id < 0)
470 return -EINVAL;
471
472 /* matched by tee_shm_put() in tee_shm_op_release() */
473 refcount_inc(&shm->refcount);
474 fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR);
475 if (fd < 0)
476 tee_shm_put(shm);
477 return fd;
478 }
479
480 /**
481 * tee_shm_free() - Free shared memory
482 * @shm: Handle to shared memory to free
483 */
484 void tee_shm_free(struct tee_shm *shm)
485 {
486 tee_shm_put(shm);
487 }
488 EXPORT_SYMBOL_GPL(tee_shm_free);
489
490 /**
491 * tee_shm_get_va() - Get virtual address of a shared memory plus an offset
492 * @shm: Shared memory handle
493 * @offs: Offset from start of this shared memory
494 * @returns virtual address of the shared memory + offs if offs is within
495 * the bounds of this shared memory, else an ERR_PTR
496 */
497 void *tee_shm_get_va(struct tee_shm *shm, size_t offs)
498 {
499 if (!shm->kaddr)
500 return ERR_PTR(-EINVAL);
501 if (offs >= shm->size)
502 return ERR_PTR(-EINVAL);
503 return (char *)shm->kaddr + offs;
504 }
505 EXPORT_SYMBOL_GPL(tee_shm_get_va);
506
507 /**
508 * tee_shm_get_pa() - Get physical address of a shared memory plus an offset
509 * @shm: Shared memory handle
510 * @offs: Offset from start of this shared memory
511 * @pa: Physical address to return
512 * @returns 0 if offs is within the bounds of this shared memory, else an
513 * error code.
514 */
515 int tee_shm_get_pa(struct tee_shm *shm, size_t offs, phys_addr_t *pa)
516 {
517 if (offs >= shm->size)
518 return -EINVAL;
519 if (pa)
520 *pa = shm->paddr + offs;
521 return 0;
522 }
523 EXPORT_SYMBOL_GPL(tee_shm_get_pa);
524
525 /**
526 * tee_shm_get_from_id() - Find shared memory object and increase reference
527 * count
528 * @ctx: Context owning the shared memory
529 * @id: Id of shared memory object
530 * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure
531 */
532 struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id)
533 {
534 struct tee_device *teedev;
535 struct tee_shm *shm;
536
537 if (!ctx)
538 return ERR_PTR(-EINVAL);
539
540 teedev = ctx->teedev;
541 mutex_lock(&teedev->mutex);
542 shm = idr_find(&teedev->idr, id);
543 /*
544 * If the tee_shm was found in the IDR it must have a refcount
545 * larger than 0 due to the guarantee in tee_shm_put() below. So
546 * it's safe to use refcount_inc().
547 */
548 if (!shm || shm->ctx != ctx)
549 shm = ERR_PTR(-EINVAL);
550 else
551 refcount_inc(&shm->refcount);
552 mutex_unlock(&teedev->mutex);
553 return shm;
554 }
555 EXPORT_SYMBOL_GPL(tee_shm_get_from_id);
556
557 /**
558 * tee_shm_put() - Decrease reference count on a shared memory handle
559 * @shm: Shared memory handle
560 */
561 void tee_shm_put(struct tee_shm *shm)
562 {
563 struct tee_device *teedev = shm->ctx->teedev;
564 bool do_release = false;
565
566 mutex_lock(&teedev->mutex);
567 if (refcount_dec_and_test(&shm->refcount)) {
568 /*
569 * refcount has reached 0, we must now remove it from the
570 * IDR before releasing the mutex. This will guarantee that
571 * the refcount_inc() in tee_shm_get_from_id() never starts
572 * from 0.
573 */
574 if (shm->id >= 0)
575 idr_remove(&teedev->idr, shm->id);
576 do_release = true;
577 }
578 mutex_unlock(&teedev->mutex);
579
580 if (do_release)
581 tee_shm_release(teedev, shm);
582 }
583 EXPORT_SYMBOL_GPL(tee_shm_put);
Kernel DRM miscellaneous fixes and cross-tree changes