/* Copyright (c) 2010, Code Aurora Forum. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
 * only version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
18 #include <linux/slab.h>
19 #include <linux/io.h>
20 #include <linux/module.h>
21 #include <linux/mutex.h>
22 #include <linux/errno.h>
23 #include <linux/err.h>
25 #include <asm/cacheflush.h>
27 #include "scm.h"
/* Cache line size for msm8x60 */
#define CACHELINESIZE		32

/*
 * Status codes handed back in r0 by the secure world.
 *
 * Negative values are failures; scm_remap_error() turns them into Linux
 * errnos. SCM_INTERRUPTED is the one positive code used here: the SMC
 * loops in this file re-issue the call for as long as it is returned.
 */
#define SCM_ENOMEM		(-5)
#define SCM_EOPNOTSUPP		(-4)
#define SCM_EINVAL_ADDR		(-3)
#define SCM_EINVAL_ARG		(-2)
#define SCM_ERROR		(-1)
#define SCM_INTERRUPTED		1
/*
 * Serialises entry into the secure world: scm_call() holds it around
 * __scm_call() and scm_get_version() holds it around its SMC.
 */
static DEFINE_MUTEX(scm_lock);
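/**
 * struct scm_command - one SCM command buffer
 * @len: total available memory for command and response
 * @buf_offset: start of command buffer
 * @resp_hdr_offset: start of response buffer
 * @id: command to be executed
 * @buf: buffer returned from scm_get_command_buffer()
 *
 * An SCM command is laid out in memory as follows:
 *
 *	------------------- <--- struct scm_command
 *	| command header  |
 *	------------------- <--- scm_get_command_buffer()
 *	| command buffer  |
 *	------------------- <--- struct scm_response and
 *	| response header |      scm_command_to_response()
 *	------------------- <--- scm_get_response_buffer()
 *	| response buffer |
 *	-------------------
 *
 * There can be arbitrary padding between the headers and buffers so
 * you should always use the appropriate scm_get_*_buffer() routines
 * to access the buffers in a safe manner.
 *
 * The physical address of this structure is what __scm_call() passes to
 * the secure world, so the header fields and both buffers are shared
 * across that boundary for the duration of a call.
 */
struct scm_command {
	u32 len;
	u32 buf_offset;
	u32 resp_hdr_offset;
	u32 id;
	/* C99 flexible array member; sizeof() and offsetof() are unchanged */
	u32 buf[];
};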
/**
 * struct scm_response - one SCM response buffer
 * @len: total available memory for response
 * @buf_offset: start of response data relative to start of scm_response
 * @is_complete: indicates if the command has finished processing
 *
 * This file never stores to these fields: the header starts out zeroed
 * (alloc_scm_command() uses kzalloc()) and scm_call() only reads
 * @buf_offset and @is_complete after the SMC has been issued. The values
 * are therefore whatever the secure world wrote and are used as-is.
 */
struct scm_response {
	u32 len;
	u32 buf_offset;
	u32 is_complete;
};
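/**
 * alloc_scm_command() - Allocate an SCM command
 * @cmd_size: size of the command buffer
 * @resp_size: size of the response buffer
 *
 * Allocate an SCM command, including enough room for the command
 * and response headers as well as the command and response buffers.
 *
 * The total length is stored in a u32 header field and scm_call() copies
 * @cmd_size bytes into the returned buffer, so a size pair whose sum would
 * wrap must be refused here: a wrapped length would yield an allocation
 * smaller than the copy that follows.
 *
 * Returns a valid &scm_command on success or %NULL if the sizes are too
 * large or the allocation fails.
 */
static struct scm_command *alloc_scm_command(size_t cmd_size, size_t resp_size)
{
	struct scm_command *cmd;
	const size_t hdr_size = sizeof(*cmd) + sizeof(struct scm_response);
	/*
	 * Upper bound for the total length: it has to fit the u32 len field
	 * and must not wrap when PAGE_ALIGN() rounds it up.
	 */
	const size_t max_len = (size_t)((u32)~0U & PAGE_MASK);
	size_t len;

	/* Checked one term at a time so the comparison itself cannot wrap. */
	if (cmd_size > max_len - hdr_size ||
	    resp_size > max_len - hdr_size - cmd_size)
		return NULL;

	len = hdr_size + cmd_size + resp_size;

	cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);
	if (!cmd)
		return NULL;

	cmd->len = len;
	cmd->buf_offset = offsetof(struct scm_command, buf);
	/* The response header starts right after the command payload. */
	cmd->resp_hdr_offset = cmd->buf_offset + cmd_size;

	return cmd;
}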
/**
 * free_scm_command() - Free an SCM command
 * @cmd: command to free
 *
 * Hands @cmd, as obtained from alloc_scm_command(), back to kfree().
 * The memory is not cleared first, so command and response payloads stay
 * in the freed allocation until it is reused.
 */
static inline void free_scm_command(struct scm_command *cmd)
{
	kfree(cmd);
}
/**
 * scm_command_to_response() - Get a pointer to a scm_response
 * @cmd: command
 *
 * The response header lives @cmd->resp_hdr_offset bytes past the start
 * of the command header.
 *
 * Returns a pointer to a response for a command.
 */
static inline struct scm_response *scm_command_to_response(
		const struct scm_command *cmd)
{
	void *base = (void *)cmd;

	return base + cmd->resp_hdr_offset;
}
/**
 * scm_get_command_buffer() - Get a pointer to a command buffer
 * @cmd: command
 *
 * Returns a pointer to the command buffer of a command, i.e. the payload
 * area that starts at the @buf member.
 */
static inline void *scm_get_command_buffer(const struct scm_command *cmd)
{
	void *payload = (void *)cmd->buf;

	return payload;
}
/**
 * scm_get_response_buffer() - Get a pointer to a response buffer
 * @rsp: response
 *
 * The offset is taken from @rsp->buf_offset without any range check.
 * Nothing in this file writes that field, so the result is only as
 * trustworthy as the secure-world code that filled in the header.
 *
 * Returns a pointer to a response buffer of a response.
 */
static inline void *scm_get_response_buffer(const struct scm_response *rsp)
{
	void *base = (void *)rsp;

	return base + rsp->buf_offset;
}
/*
 * Translate an SCM status code into a Linux errno.
 *
 * SCM_ERROR becomes -EIO, both SCM_EINVAL_* codes become -EINVAL,
 * SCM_EOPNOTSUPP becomes -EOPNOTSUPP and SCM_ENOMEM becomes -ENOMEM.
 * Any value not listed also yields -EINVAL.
 */
static int scm_remap_error(int err)
{
	int linux_err;

	switch (err) {
	case SCM_ENOMEM:
		linux_err = -ENOMEM;
		break;
	case SCM_EOPNOTSUPP:
		linux_err = -EOPNOTSUPP;
		break;
	case SCM_ERROR:
		linux_err = -EIO;
		break;
	case SCM_EINVAL_ADDR:
	case SCM_EINVAL_ARG:
	default:
		linux_err = -EINVAL;
		break;
	}

	return linux_err;
}
/*
 * Issue the SMC that hands a command to the secure world.
 *
 * @cmd_addr: value placed in r2; __scm_call() passes the physical address
 *            of the struct scm_command here.
 *
 * r0 is loaded with 1 and r1 with the address of the on-stack context_id
 * before the instruction. The call is repeated for as long as r0 comes
 * back as SCM_INTERRUPTED. Returns the final r0 value unchanged; the
 * caller treats negative values as SCM error codes.
 */
static u32 smc(u32 cmd_addr)
{
	int context_id;
	/* Pin the operands to the registers the SMC interface reads. */
	register u32 r0 asm("r0") = 1;
	register u32 r1 asm("r1") = (u32)&context_id;
	register u32 r2 asm("r2") = cmd_addr;
	do {
		/*
		 * NOTE(review): the __asmeq() lines presumably make the
		 * assembler verify that each operand really landed in the
		 * named register - confirm against the macro definition.
		 * r3 is declared clobbered; there is no "memory" clobber.
		 */
		asm volatile(
			__asmeq("%0", "r0")
			__asmeq("%1", "r0")
			__asmeq("%2", "r1")
			__asmeq("%3", "r2")
			"smc #0 @ switch to secure world\n"
			: "=r" (r0)
			: "r" (r0), "r" (r1), "r" (r2)
			: "r3");
	} while (r0 == SCM_INTERRUPTED);

	return r0;
}
/*
 * Pass one prepared command to the secure world.
 *
 * The command's physical address is given to smc(). A negative status is
 * converted with scm_remap_error(); zero and positive values are returned
 * as they are. Locking is left to the caller (scm_call() takes scm_lock).
 */
static int __scm_call(const struct scm_command *cmd)
{
	u32 cmd_addr = virt_to_phys(cmd);
	int status;

	/*
	 * Flush the entire cache here so callers don't have to remember
	 * to flush the cache when passing physical addresses to the secure
	 * side in the buffer.
	 */
	flush_cache_all();

	status = smc(cmd_addr);

	return status < 0 ? scm_remap_error(status) : status;
}
/**
 * scm_call() - Send an SCM command
 * @svc_id: service identifier
 * @cmd_id: command identifier
 * @cmd_buf: command buffer
 * @cmd_len: length of the command buffer
 * @resp_buf: response buffer
 * @resp_len: length of the response buffer
 *
 * Sends a command to the SCM and waits for the command to finish processing.
 *
 * Points a caller or reviewer should keep in mind:
 *  - @cmd_id is OR-ed into the id unmasked, so a value of 1 << 10 or more
 *    overlaps the bits that carry @svc_id.
 *  - The completion flag and the response offset are read from memory the
 *    secure world wrote and are not validated here.
 *  - The completion poll runs after scm_lock has been dropped and has no
 *    timeout.
 *
 * Returns -ENOMEM if the command cannot be allocated, otherwise the result
 * of __scm_call(); @resp_buf is filled only when that result is 0.
 */
int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
		void *resp_buf, size_t resp_len)
{
	struct scm_command *cmd = alloc_scm_command(cmd_len, resp_len);
	struct scm_response *rsp;
	int ret;

	if (!cmd)
		return -ENOMEM;

	cmd->id = (svc_id << 10) | cmd_id;
	if (cmd_buf)
		memcpy(scm_get_command_buffer(cmd), cmd_buf, cmd_len);

	mutex_lock(&scm_lock);
	ret = __scm_call(cmd);
	mutex_unlock(&scm_lock);

	if (!ret) {
		rsp = scm_command_to_response(cmd);
		do {
			/* Recomputed each pass: buf_offset is read from the response. */
			u32 end = (u32)scm_get_response_buffer(rsp) + resp_len;
			u32 line;

			/*
			 * Invalidate every data cache line covering the
			 * response header and buffer (CP15 c7, c6, 1) so
			 * the next read comes from memory.
			 */
			for (line = (u32)rsp & ~(CACHELINESIZE - 1);
			     line < end; line += CACHELINESIZE)
				asm ("mcr p15, 0, %0, c7, c6, 1" : : "r" (line)
				     : "memory");
		} while (!rsp->is_complete);

		if (resp_buf)
			memcpy(resp_buf, scm_get_response_buffer(rsp),
			       resp_len);
	}

	free_scm_command(cmd);
	return ret;
}
EXPORT_SYMBOL(scm_call);
/*
 * scm_get_version() - query the secure world for its version
 *
 * The first call issues an SMC with r0 = 0x1 << 8 and r1 = address of the
 * on-stack context_id, repeating while r0 comes back as SCM_INTERRUPTED,
 * and stores the returned r1 in a function-local static. Later calls
 * return that stored value without entering the secure world.
 *
 * The cached value is tested before scm_lock is taken, so that check is
 * not covered by the mutex. A result equal to (u32)-1 is indistinguishable
 * from "not cached yet" and makes every call repeat the SMC.
 *
 * Returns the value the secure world left in r1.
 */
u32 scm_get_version(void)
{
	int context_id;
	/* (u32)-1 marks "not queried yet". */
	static u32 version = -1;
	register u32 r0 asm("r0");
	register u32 r1 asm("r1");

	if (version != -1)
		return version;

	mutex_lock(&scm_lock);

	r0 = 0x1 << 8;
	r1 = (u32)&context_id;
	do {
		/* r0 and r1 are both inputs and outputs; r2 and r3 are clobbered. */
		asm volatile(
			__asmeq("%0", "r0")
			__asmeq("%1", "r1")
			__asmeq("%2", "r0")
			__asmeq("%3", "r1")
			"smc #0 @ switch to secure world\n"
			: "=r" (r0), "=r" (r1)
			: "r" (r0), "r" (r1)
			: "r2", "r3");
	} while (r0 == SCM_INTERRUPTED);

	version = r1;
	mutex_unlock(&scm_lock);

	return version;
}
EXPORT_SYMBOL(scm_get_version);