1 /*
2 * Copyright (c) 2015-2016, Linaro Limited
3 *
4 * This software is licensed under the terms of the GNU General Public
5 * License version 2, as published by the Free Software Foundation, and
6 * may be copied, distributed, and modified under those terms.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 */
14
15 #define pr_fmt(fmt) "%s: " fmt, __func__
16
17 #include <linux/cdev.h>
18 #include <linux/device.h>
19 #include <linux/fs.h>
20 #include <linux/idr.h>
21 #include <linux/module.h>
22 #include <linux/slab.h>
23 #include <linux/tee_drv.h>
24 #include <linux/uaccess.h>
25 #include "tee_private.h"
26
27 #define TEE_NUM_DEVICES 32
28
29 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
30
31 /*
32 * Unprivileged devices in the lower half range and privileged devices in
33 * the upper half range.
34 */
35 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES);
36 static DEFINE_SPINLOCK(driver_lock);
37
38 static struct class *tee_class;
39 static dev_t tee_devt;
40
tee_open(struct inode * inode,struct file * filp)41 static int tee_open(struct inode *inode, struct file *filp)
42 {
43 int rc;
44 struct tee_device *teedev;
45 struct tee_context *ctx;
46
47 teedev = container_of(inode->i_cdev, struct tee_device, cdev);
48 if (!tee_device_get(teedev))
49 return -EINVAL;
50
51 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
52 if (!ctx) {
53 rc = -ENOMEM;
54 goto err;
55 }
56
57 ctx->teedev = teedev;
58 INIT_LIST_HEAD(&ctx->list_shm);
59 filp->private_data = ctx;
60 rc = teedev->desc->ops->open(ctx);
61 if (rc)
62 goto err;
63
64 return 0;
65 err:
66 kfree(ctx);
67 tee_device_put(teedev);
68 return rc;
69 }
70
tee_release(struct inode * inode,struct file * filp)71 static int tee_release(struct inode *inode, struct file *filp)
72 {
73 struct tee_context *ctx = filp->private_data;
74 struct tee_device *teedev = ctx->teedev;
75 struct tee_shm *shm;
76
77 ctx->teedev->desc->ops->release(ctx);
78 mutex_lock(&ctx->teedev->mutex);
79 list_for_each_entry(shm, &ctx->list_shm, link)
80 shm->ctx = NULL;
81 mutex_unlock(&ctx->teedev->mutex);
82 kfree(ctx);
83 tee_device_put(teedev);
84 return 0;
85 }
86
tee_ioctl_version(struct tee_context * ctx,struct tee_ioctl_version_data __user * uvers)87 static int tee_ioctl_version(struct tee_context *ctx,
88 struct tee_ioctl_version_data __user *uvers)
89 {
90 struct tee_ioctl_version_data vers;
91
92 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers);
93
94 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED)
95 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED;
96
97 if (copy_to_user(uvers, &vers, sizeof(vers)))
98 return -EFAULT;
99
100 return 0;
101 }
102
tee_ioctl_shm_alloc(struct tee_context * ctx,struct tee_ioctl_shm_alloc_data __user * udata)103 static int tee_ioctl_shm_alloc(struct tee_context *ctx,
104 struct tee_ioctl_shm_alloc_data __user *udata)
105 {
106 long ret;
107 struct tee_ioctl_shm_alloc_data data;
108 struct tee_shm *shm;
109
110 if (copy_from_user(&data, udata, sizeof(data)))
111 return -EFAULT;
112
113 /* Currently no input flags are supported */
114 if (data.flags)
115 return -EINVAL;
116
117 data.id = -1;
118
119 shm = tee_shm_alloc(ctx, data.size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
120 if (IS_ERR(shm))
121 return PTR_ERR(shm);
122
123 data.id = shm->id;
124 data.flags = shm->flags;
125 data.size = shm->size;
126
127 if (copy_to_user(udata, &data, sizeof(data)))
128 ret = -EFAULT;
129 else
130 ret = tee_shm_get_fd(shm);
131
132 /*
133 * When user space closes the file descriptor the shared memory
134 * should be freed or if tee_shm_get_fd() failed then it will
135 * be freed immediately.
136 */
137 tee_shm_put(shm);
138 return ret;
139 }
140
params_from_user(struct tee_context * ctx,struct tee_param * params,size_t num_params,struct tee_ioctl_param __user * uparams)141 static int params_from_user(struct tee_context *ctx, struct tee_param *params,
142 size_t num_params,
143 struct tee_ioctl_param __user *uparams)
144 {
145 size_t n;
146
147 for (n = 0; n < num_params; n++) {
148 struct tee_shm *shm;
149 struct tee_ioctl_param ip;
150
151 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
152 return -EFAULT;
153
154 /* All unused attribute bits has to be zero */
155 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK)
156 return -EINVAL;
157
158 params[n].attr = ip.attr;
159 switch (ip.attr) {
160 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE:
161 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
162 break;
163 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
164 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
165 params[n].u.value.a = ip.a;
166 params[n].u.value.b = ip.b;
167 params[n].u.value.c = ip.c;
168 break;
169 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
170 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
171 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
172 /*
173 * If we fail to get a pointer to a shared memory
174 * object (and increase the ref count) from an
175 * identifier we return an error. All pointers that
176 * has been added in params have an increased ref
177 * count. It's the callers responibility to do
178 * tee_shm_put() on all resolved pointers.
179 */
180 shm = tee_shm_get_from_id(ctx, ip.c);
181 if (IS_ERR(shm))
182 return PTR_ERR(shm);
183
184 /*
185 * Ensure offset + size does not overflow offset
186 * and does not overflow the size of the referred
187 * shared memory object.
188 */
189 if ((ip.a + ip.b) < ip.a ||
190 (ip.a + ip.b) > shm->size) {
191 tee_shm_put(shm);
192 return -EINVAL;
193 }
194
195 params[n].u.memref.shm_offs = ip.a;
196 params[n].u.memref.size = ip.b;
197 params[n].u.memref.shm = shm;
198 break;
199 default:
200 /* Unknown attribute */
201 return -EINVAL;
202 }
203 }
204 return 0;
205 }
206
params_to_user(struct tee_ioctl_param __user * uparams,size_t num_params,struct tee_param * params)207 static int params_to_user(struct tee_ioctl_param __user *uparams,
208 size_t num_params, struct tee_param *params)
209 {
210 size_t n;
211
212 for (n = 0; n < num_params; n++) {
213 struct tee_ioctl_param __user *up = uparams + n;
214 struct tee_param *p = params + n;
215
216 switch (p->attr) {
217 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
218 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
219 if (put_user(p->u.value.a, &up->a) ||
220 put_user(p->u.value.b, &up->b) ||
221 put_user(p->u.value.c, &up->c))
222 return -EFAULT;
223 break;
224 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
225 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
226 if (put_user((u64)p->u.memref.size, &up->b))
227 return -EFAULT;
228 default:
229 break;
230 }
231 }
232 return 0;
233 }
234
param_is_memref(struct tee_param * param)235 static bool param_is_memref(struct tee_param *param)
236 {
237 switch (param->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
238 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
239 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
240 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
241 return true;
242 default:
243 return false;
244 }
245 }
246
tee_ioctl_open_session(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)247 static int tee_ioctl_open_session(struct tee_context *ctx,
248 struct tee_ioctl_buf_data __user *ubuf)
249 {
250 int rc;
251 size_t n;
252 struct tee_ioctl_buf_data buf;
253 struct tee_ioctl_open_session_arg __user *uarg;
254 struct tee_ioctl_open_session_arg arg;
255 struct tee_ioctl_param __user *uparams = NULL;
256 struct tee_param *params = NULL;
257 bool have_session = false;
258
259 if (!ctx->teedev->desc->ops->open_session)
260 return -EINVAL;
261
262 if (copy_from_user(&buf, ubuf, sizeof(buf)))
263 return -EFAULT;
264
265 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
266 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg))
267 return -EINVAL;
268
269 uarg = u64_to_user_ptr(buf.buf_ptr);
270 if (copy_from_user(&arg, uarg, sizeof(arg)))
271 return -EFAULT;
272
273 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
274 return -EINVAL;
275
276 if (arg.num_params) {
277 params = kcalloc(arg.num_params, sizeof(struct tee_param),
278 GFP_KERNEL);
279 if (!params)
280 return -ENOMEM;
281 uparams = uarg->params;
282 rc = params_from_user(ctx, params, arg.num_params, uparams);
283 if (rc)
284 goto out;
285 }
286
287 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
288 if (rc)
289 goto out;
290 have_session = true;
291
292 if (put_user(arg.session, &uarg->session) ||
293 put_user(arg.ret, &uarg->ret) ||
294 put_user(arg.ret_origin, &uarg->ret_origin)) {
295 rc = -EFAULT;
296 goto out;
297 }
298 rc = params_to_user(uparams, arg.num_params, params);
299 out:
300 /*
301 * If we've succeeded to open the session but failed to communicate
302 * it back to user space, close the session again to avoid leakage.
303 */
304 if (rc && have_session && ctx->teedev->desc->ops->close_session)
305 ctx->teedev->desc->ops->close_session(ctx, arg.session);
306
307 if (params) {
308 /* Decrease ref count for all valid shared memory pointers */
309 for (n = 0; n < arg.num_params; n++)
310 if (param_is_memref(params + n) &&
311 params[n].u.memref.shm)
312 tee_shm_put(params[n].u.memref.shm);
313 kfree(params);
314 }
315
316 return rc;
317 }
318
tee_ioctl_invoke(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)319 static int tee_ioctl_invoke(struct tee_context *ctx,
320 struct tee_ioctl_buf_data __user *ubuf)
321 {
322 int rc;
323 size_t n;
324 struct tee_ioctl_buf_data buf;
325 struct tee_ioctl_invoke_arg __user *uarg;
326 struct tee_ioctl_invoke_arg arg;
327 struct tee_ioctl_param __user *uparams = NULL;
328 struct tee_param *params = NULL;
329
330 if (!ctx->teedev->desc->ops->invoke_func)
331 return -EINVAL;
332
333 if (copy_from_user(&buf, ubuf, sizeof(buf)))
334 return -EFAULT;
335
336 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
337 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg))
338 return -EINVAL;
339
340 uarg = u64_to_user_ptr(buf.buf_ptr);
341 if (copy_from_user(&arg, uarg, sizeof(arg)))
342 return -EFAULT;
343
344 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
345 return -EINVAL;
346
347 if (arg.num_params) {
348 params = kcalloc(arg.num_params, sizeof(struct tee_param),
349 GFP_KERNEL);
350 if (!params)
351 return -ENOMEM;
352 uparams = uarg->params;
353 rc = params_from_user(ctx, params, arg.num_params, uparams);
354 if (rc)
355 goto out;
356 }
357
358 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params);
359 if (rc)
360 goto out;
361
362 if (put_user(arg.ret, &uarg->ret) ||
363 put_user(arg.ret_origin, &uarg->ret_origin)) {
364 rc = -EFAULT;
365 goto out;
366 }
367 rc = params_to_user(uparams, arg.num_params, params);
368 out:
369 if (params) {
370 /* Decrease ref count for all valid shared memory pointers */
371 for (n = 0; n < arg.num_params; n++)
372 if (param_is_memref(params + n) &&
373 params[n].u.memref.shm)
374 tee_shm_put(params[n].u.memref.shm);
375 kfree(params);
376 }
377 return rc;
378 }
379
tee_ioctl_cancel(struct tee_context * ctx,struct tee_ioctl_cancel_arg __user * uarg)380 static int tee_ioctl_cancel(struct tee_context *ctx,
381 struct tee_ioctl_cancel_arg __user *uarg)
382 {
383 struct tee_ioctl_cancel_arg arg;
384
385 if (!ctx->teedev->desc->ops->cancel_req)
386 return -EINVAL;
387
388 if (copy_from_user(&arg, uarg, sizeof(arg)))
389 return -EFAULT;
390
391 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id,
392 arg.session);
393 }
394
395 static int
tee_ioctl_close_session(struct tee_context * ctx,struct tee_ioctl_close_session_arg __user * uarg)396 tee_ioctl_close_session(struct tee_context *ctx,
397 struct tee_ioctl_close_session_arg __user *uarg)
398 {
399 struct tee_ioctl_close_session_arg arg;
400
401 if (!ctx->teedev->desc->ops->close_session)
402 return -EINVAL;
403
404 if (copy_from_user(&arg, uarg, sizeof(arg)))
405 return -EFAULT;
406
407 return ctx->teedev->desc->ops->close_session(ctx, arg.session);
408 }
409
params_to_supp(struct tee_context * ctx,struct tee_ioctl_param __user * uparams,size_t num_params,struct tee_param * params)410 static int params_to_supp(struct tee_context *ctx,
411 struct tee_ioctl_param __user *uparams,
412 size_t num_params, struct tee_param *params)
413 {
414 size_t n;
415
416 for (n = 0; n < num_params; n++) {
417 struct tee_ioctl_param ip;
418 struct tee_param *p = params + n;
419
420 ip.attr = p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK;
421 switch (p->attr) {
422 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
423 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
424 ip.a = p->u.value.a;
425 ip.b = p->u.value.b;
426 ip.c = p->u.value.c;
427 break;
428 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
429 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
430 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
431 ip.b = p->u.memref.size;
432 if (!p->u.memref.shm) {
433 ip.a = 0;
434 ip.c = (u64)-1; /* invalid shm id */
435 break;
436 }
437 ip.a = p->u.memref.shm_offs;
438 ip.c = p->u.memref.shm->id;
439 break;
440 default:
441 ip.a = 0;
442 ip.b = 0;
443 ip.c = 0;
444 break;
445 }
446
447 if (copy_to_user(uparams + n, &ip, sizeof(ip)))
448 return -EFAULT;
449 }
450
451 return 0;
452 }
453
tee_ioctl_supp_recv(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)454 static int tee_ioctl_supp_recv(struct tee_context *ctx,
455 struct tee_ioctl_buf_data __user *ubuf)
456 {
457 int rc;
458 struct tee_ioctl_buf_data buf;
459 struct tee_iocl_supp_recv_arg __user *uarg;
460 struct tee_param *params;
461 u32 num_params;
462 u32 func;
463
464 if (!ctx->teedev->desc->ops->supp_recv)
465 return -EINVAL;
466
467 if (copy_from_user(&buf, ubuf, sizeof(buf)))
468 return -EFAULT;
469
470 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
471 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg))
472 return -EINVAL;
473
474 uarg = u64_to_user_ptr(buf.buf_ptr);
475 if (get_user(num_params, &uarg->num_params))
476 return -EFAULT;
477
478 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
479 return -EINVAL;
480
481 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
482 if (!params)
483 return -ENOMEM;
484
485 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params);
486 if (rc)
487 goto out;
488
489 if (put_user(func, &uarg->func) ||
490 put_user(num_params, &uarg->num_params)) {
491 rc = -EFAULT;
492 goto out;
493 }
494
495 rc = params_to_supp(ctx, uarg->params, num_params, params);
496 out:
497 kfree(params);
498 return rc;
499 }
500
params_from_supp(struct tee_param * params,size_t num_params,struct tee_ioctl_param __user * uparams)501 static int params_from_supp(struct tee_param *params, size_t num_params,
502 struct tee_ioctl_param __user *uparams)
503 {
504 size_t n;
505
506 for (n = 0; n < num_params; n++) {
507 struct tee_param *p = params + n;
508 struct tee_ioctl_param ip;
509
510 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
511 return -EFAULT;
512
513 /* All unused attribute bits has to be zero */
514 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK)
515 return -EINVAL;
516
517 p->attr = ip.attr;
518 switch (ip.attr) {
519 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
520 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
521 /* Only out and in/out values can be updated */
522 p->u.value.a = ip.a;
523 p->u.value.b = ip.b;
524 p->u.value.c = ip.c;
525 break;
526 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
527 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
528 /*
529 * Only the size of the memref can be updated.
530 * Since we don't have access to the original
531 * parameters here, only store the supplied size.
532 * The driver will copy the updated size into the
533 * original parameters.
534 */
535 p->u.memref.shm = NULL;
536 p->u.memref.shm_offs = 0;
537 p->u.memref.size = ip.b;
538 break;
539 default:
540 memset(&p->u, 0, sizeof(p->u));
541 break;
542 }
543 }
544 return 0;
545 }
546
tee_ioctl_supp_send(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)547 static int tee_ioctl_supp_send(struct tee_context *ctx,
548 struct tee_ioctl_buf_data __user *ubuf)
549 {
550 long rc;
551 struct tee_ioctl_buf_data buf;
552 struct tee_iocl_supp_send_arg __user *uarg;
553 struct tee_param *params;
554 u32 num_params;
555 u32 ret;
556
557 /* Not valid for this driver */
558 if (!ctx->teedev->desc->ops->supp_send)
559 return -EINVAL;
560
561 if (copy_from_user(&buf, ubuf, sizeof(buf)))
562 return -EFAULT;
563
564 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
565 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg))
566 return -EINVAL;
567
568 uarg = u64_to_user_ptr(buf.buf_ptr);
569 if (get_user(ret, &uarg->ret) ||
570 get_user(num_params, &uarg->num_params))
571 return -EFAULT;
572
573 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
574 return -EINVAL;
575
576 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
577 if (!params)
578 return -ENOMEM;
579
580 rc = params_from_supp(params, num_params, uarg->params);
581 if (rc)
582 goto out;
583
584 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params);
585 out:
586 kfree(params);
587 return rc;
588 }
589
tee_ioctl(struct file * filp,unsigned int cmd,unsigned long arg)590 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
591 {
592 struct tee_context *ctx = filp->private_data;
593 void __user *uarg = (void __user *)arg;
594
595 switch (cmd) {
596 case TEE_IOC_VERSION:
597 return tee_ioctl_version(ctx, uarg);
598 case TEE_IOC_SHM_ALLOC:
599 return tee_ioctl_shm_alloc(ctx, uarg);
600 case TEE_IOC_OPEN_SESSION:
601 return tee_ioctl_open_session(ctx, uarg);
602 case TEE_IOC_INVOKE:
603 return tee_ioctl_invoke(ctx, uarg);
604 case TEE_IOC_CANCEL:
605 return tee_ioctl_cancel(ctx, uarg);
606 case TEE_IOC_CLOSE_SESSION:
607 return tee_ioctl_close_session(ctx, uarg);
608 case TEE_IOC_SUPPL_RECV:
609 return tee_ioctl_supp_recv(ctx, uarg);
610 case TEE_IOC_SUPPL_SEND:
611 return tee_ioctl_supp_send(ctx, uarg);
612 default:
613 return -EINVAL;
614 }
615 }
616
617 static const struct file_operations tee_fops = {
618 .owner = THIS_MODULE,
619 .open = tee_open,
620 .release = tee_release,
621 .unlocked_ioctl = tee_ioctl,
622 .compat_ioctl = tee_ioctl,
623 };
624
tee_release_device(struct device * dev)625 static void tee_release_device(struct device *dev)
626 {
627 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
628
629 spin_lock(&driver_lock);
630 clear_bit(teedev->id, dev_mask);
631 spin_unlock(&driver_lock);
632 mutex_destroy(&teedev->mutex);
633 idr_destroy(&teedev->idr);
634 kfree(teedev);
635 }
636
637 /**
638 * tee_device_alloc() - Allocate a new struct tee_device instance
639 * @teedesc: Descriptor for this driver
640 * @dev: Parent device for this device
641 * @pool: Shared memory pool, NULL if not used
642 * @driver_data: Private driver data for this device
643 *
644 * Allocates a new struct tee_device instance. The device is
645 * removed by tee_device_unregister().
646 *
647 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure
648 */
tee_device_alloc(const struct tee_desc * teedesc,struct device * dev,struct tee_shm_pool * pool,void * driver_data)649 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc,
650 struct device *dev,
651 struct tee_shm_pool *pool,
652 void *driver_data)
653 {
654 struct tee_device *teedev;
655 void *ret;
656 int rc;
657 int offs = 0;
658
659 if (!teedesc || !teedesc->name || !teedesc->ops ||
660 !teedesc->ops->get_version || !teedesc->ops->open ||
661 !teedesc->ops->release || !pool)
662 return ERR_PTR(-EINVAL);
663
664 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL);
665 if (!teedev) {
666 ret = ERR_PTR(-ENOMEM);
667 goto err;
668 }
669
670 if (teedesc->flags & TEE_DESC_PRIVILEGED)
671 offs = TEE_NUM_DEVICES / 2;
672
673 spin_lock(&driver_lock);
674 teedev->id = find_next_zero_bit(dev_mask, TEE_NUM_DEVICES, offs);
675 if (teedev->id < TEE_NUM_DEVICES)
676 set_bit(teedev->id, dev_mask);
677 spin_unlock(&driver_lock);
678
679 if (teedev->id >= TEE_NUM_DEVICES) {
680 ret = ERR_PTR(-ENOMEM);
681 goto err;
682 }
683
684 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d",
685 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "",
686 teedev->id - offs);
687
688 teedev->dev.class = tee_class;
689 teedev->dev.release = tee_release_device;
690 teedev->dev.parent = dev;
691
692 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id);
693
694 rc = dev_set_name(&teedev->dev, "%s", teedev->name);
695 if (rc) {
696 ret = ERR_PTR(rc);
697 goto err_devt;
698 }
699
700 cdev_init(&teedev->cdev, &tee_fops);
701 teedev->cdev.owner = teedesc->owner;
702 teedev->cdev.kobj.parent = &teedev->dev.kobj;
703
704 dev_set_drvdata(&teedev->dev, driver_data);
705 device_initialize(&teedev->dev);
706
707 /* 1 as tee_device_unregister() does one final tee_device_put() */
708 teedev->num_users = 1;
709 init_completion(&teedev->c_no_users);
710 mutex_init(&teedev->mutex);
711 idr_init(&teedev->idr);
712
713 teedev->desc = teedesc;
714 teedev->pool = pool;
715
716 return teedev;
717 err_devt:
718 unregister_chrdev_region(teedev->dev.devt, 1);
719 err:
720 pr_err("could not register %s driver\n",
721 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client");
722 if (teedev && teedev->id < TEE_NUM_DEVICES) {
723 spin_lock(&driver_lock);
724 clear_bit(teedev->id, dev_mask);
725 spin_unlock(&driver_lock);
726 }
727 kfree(teedev);
728 return ret;
729 }
730 EXPORT_SYMBOL_GPL(tee_device_alloc);
731
implementation_id_show(struct device * dev,struct device_attribute * attr,char * buf)732 static ssize_t implementation_id_show(struct device *dev,
733 struct device_attribute *attr, char *buf)
734 {
735 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
736 struct tee_ioctl_version_data vers;
737
738 teedev->desc->ops->get_version(teedev, &vers);
739 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id);
740 }
741 static DEVICE_ATTR_RO(implementation_id);
742
743 static struct attribute *tee_dev_attrs[] = {
744 &dev_attr_implementation_id.attr,
745 NULL
746 };
747
748 static const struct attribute_group tee_dev_group = {
749 .attrs = tee_dev_attrs,
750 };
751
752 /**
753 * tee_device_register() - Registers a TEE device
754 * @teedev: Device to register
755 *
756 * tee_device_unregister() need to be called to remove the @teedev if
757 * this function fails.
758 *
759 * @returns < 0 on failure
760 */
tee_device_register(struct tee_device * teedev)761 int tee_device_register(struct tee_device *teedev)
762 {
763 int rc;
764
765 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
766 dev_err(&teedev->dev, "attempt to register twice\n");
767 return -EINVAL;
768 }
769
770 rc = cdev_add(&teedev->cdev, teedev->dev.devt, 1);
771 if (rc) {
772 dev_err(&teedev->dev,
773 "unable to cdev_add() %s, major %d, minor %d, err=%d\n",
774 teedev->name, MAJOR(teedev->dev.devt),
775 MINOR(teedev->dev.devt), rc);
776 return rc;
777 }
778
779 rc = device_add(&teedev->dev);
780 if (rc) {
781 dev_err(&teedev->dev,
782 "unable to device_add() %s, major %d, minor %d, err=%d\n",
783 teedev->name, MAJOR(teedev->dev.devt),
784 MINOR(teedev->dev.devt), rc);
785 goto err_device_add;
786 }
787
788 rc = sysfs_create_group(&teedev->dev.kobj, &tee_dev_group);
789 if (rc) {
790 dev_err(&teedev->dev,
791 "failed to create sysfs attributes, err=%d\n", rc);
792 goto err_sysfs_create_group;
793 }
794
795 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED;
796 return 0;
797
798 err_sysfs_create_group:
799 device_del(&teedev->dev);
800 err_device_add:
801 cdev_del(&teedev->cdev);
802 return rc;
803 }
804 EXPORT_SYMBOL_GPL(tee_device_register);
805
tee_device_put(struct tee_device * teedev)806 void tee_device_put(struct tee_device *teedev)
807 {
808 mutex_lock(&teedev->mutex);
809 /* Shouldn't put in this state */
810 if (!WARN_ON(!teedev->desc)) {
811 teedev->num_users--;
812 if (!teedev->num_users) {
813 teedev->desc = NULL;
814 complete(&teedev->c_no_users);
815 }
816 }
817 mutex_unlock(&teedev->mutex);
818 }
819
tee_device_get(struct tee_device * teedev)820 bool tee_device_get(struct tee_device *teedev)
821 {
822 mutex_lock(&teedev->mutex);
823 if (!teedev->desc) {
824 mutex_unlock(&teedev->mutex);
825 return false;
826 }
827 teedev->num_users++;
828 mutex_unlock(&teedev->mutex);
829 return true;
830 }
831
832 /**
833 * tee_device_unregister() - Removes a TEE device
834 * @teedev: Device to unregister
835 *
836 * This function should be called to remove the @teedev even if
837 * tee_device_register() hasn't been called yet. Does nothing if
838 * @teedev is NULL.
839 */
tee_device_unregister(struct tee_device * teedev)840 void tee_device_unregister(struct tee_device *teedev)
841 {
842 if (!teedev)
843 return;
844
845 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
846 sysfs_remove_group(&teedev->dev.kobj, &tee_dev_group);
847 cdev_del(&teedev->cdev);
848 device_del(&teedev->dev);
849 }
850
851 tee_device_put(teedev);
852 wait_for_completion(&teedev->c_no_users);
853
854 /*
855 * No need to take a mutex any longer now since teedev->desc was
856 * set to NULL before teedev->c_no_users was completed.
857 */
858
859 teedev->pool = NULL;
860
861 put_device(&teedev->dev);
862 }
863 EXPORT_SYMBOL_GPL(tee_device_unregister);
864
865 /**
866 * tee_get_drvdata() - Return driver_data pointer
867 * @teedev: Device containing the driver_data pointer
868 * @returns the driver_data pointer supplied to tee_register().
869 */
tee_get_drvdata(struct tee_device * teedev)870 void *tee_get_drvdata(struct tee_device *teedev)
871 {
872 return dev_get_drvdata(&teedev->dev);
873 }
874 EXPORT_SYMBOL_GPL(tee_get_drvdata);
875
tee_init(void)876 static int __init tee_init(void)
877 {
878 int rc;
879
880 tee_class = class_create(THIS_MODULE, "tee");
881 if (IS_ERR(tee_class)) {
882 pr_err("couldn't create class\n");
883 return PTR_ERR(tee_class);
884 }
885
886 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee");
887 if (rc) {
888 pr_err("failed to allocate char dev region\n");
889 class_destroy(tee_class);
890 tee_class = NULL;
891 }
892
893 return rc;
894 }
895
tee_exit(void)896 static void __exit tee_exit(void)
897 {
898 class_destroy(tee_class);
899 tee_class = NULL;
900 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
901 }
902
903 subsys_initcall(tee_init);
904 module_exit(tee_exit);
905
906 MODULE_AUTHOR("Linaro");
907 MODULE_DESCRIPTION("TEE Driver");
908 MODULE_VERSION("1.0");
909 MODULE_LICENSE("GPL v2");
910