1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2015-2017, 2019-2021 Linaro Limited
5 #include <linux/anon_inodes.h>
6 #include <linux/device.h>
9 #include <linux/sched.h>
10 #include <linux/slab.h>
11 #include <linux/tee_drv.h>
12 #include <linux/uaccess.h>
13 #include <linux/uio.h>
14 #include <linux/highmem.h>
15 #include "tee_private.h"
17 static void shm_put_kernel_pages(struct page **pages, size_t page_count)
21 for (n = 0; n < page_count; n++)
25 static void shm_get_kernel_pages(struct page **pages, size_t page_count)
29 for (n = 0; n < page_count; n++)
33 static void release_registered_pages(struct tee_shm *shm)
36 if (shm->flags & TEE_SHM_USER_MAPPED)
37 unpin_user_pages(shm->pages, shm->num_pages);
39 shm_put_kernel_pages(shm->pages, shm->num_pages);
45 static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm)
47 if (shm->flags & TEE_SHM_POOL) {
48 teedev->pool->ops->free(teedev->pool, shm);
49 } else if (shm->flags & TEE_SHM_DYNAMIC) {
50 int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm);
53 dev_err(teedev->dev.parent,
54 "unregister shm %p failed: %d", shm, rc);
56 release_registered_pages(shm);
59 teedev_ctx_put(shm->ctx);
63 tee_device_put(teedev);
66 static struct tee_shm *shm_alloc_helper(struct tee_context *ctx, size_t size,
67 size_t align, u32 flags, int id)
69 struct tee_device *teedev = ctx->teedev;
74 if (!tee_device_get(teedev))
75 return ERR_PTR(-EINVAL);
78 /* teedev has been detached from driver */
79 ret = ERR_PTR(-EINVAL);
83 shm = kzalloc(sizeof(*shm), GFP_KERNEL);
85 ret = ERR_PTR(-ENOMEM);
89 refcount_set(&shm->refcount, 1);
94 * We're assigning this as it is needed if the shm is to be
95 * registered. If this function returns OK then the caller expected
96 * to call teedev_ctx_get() or clear shm->ctx in case it's not
101 rc = teedev->pool->ops->alloc(teedev->pool, shm, size, align);
112 tee_device_put(teedev);
117 * tee_shm_alloc_user_buf() - Allocate shared memory for user space
118 * @ctx: Context that allocates the shared memory
119 * @size: Requested size of shared memory
121 * Memory allocated as user space shared memory is automatically freed when
122 * the TEE file pointer is closed. The primary usage of this function is
123 * when the TEE driver doesn't support registering ordinary user space
126 * @returns a pointer to 'struct tee_shm'
128 struct tee_shm *tee_shm_alloc_user_buf(struct tee_context *ctx, size_t size)
130 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL;
131 struct tee_device *teedev = ctx->teedev;
136 mutex_lock(&teedev->mutex);
137 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL);
138 mutex_unlock(&teedev->mutex);
142 shm = shm_alloc_helper(ctx, size, PAGE_SIZE, flags, id);
144 mutex_lock(&teedev->mutex);
145 idr_remove(&teedev->idr, id);
146 mutex_unlock(&teedev->mutex);
150 mutex_lock(&teedev->mutex);
151 ret = idr_replace(&teedev->idr, shm, id);
152 mutex_unlock(&teedev->mutex);
162 * tee_shm_alloc_kernel_buf() - Allocate shared memory for kernel buffer
163 * @ctx: Context that allocates the shared memory
164 * @size: Requested size of shared memory
166 * The returned memory registered in secure world and is suitable to be
167 * passed as a memory buffer in parameter argument to
168 * tee_client_invoke_func(). The memory allocated is later freed with a
169 * call to tee_shm_free().
171 * @returns a pointer to 'struct tee_shm'
173 struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size)
175 u32 flags = TEE_SHM_DYNAMIC | TEE_SHM_POOL;
177 return shm_alloc_helper(ctx, size, PAGE_SIZE, flags, -1);
179 EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf);
182 * tee_shm_alloc_priv_buf() - Allocate shared memory for a privately shared
184 * @ctx: Context that allocates the shared memory
185 * @size: Requested size of shared memory
187 * This function returns similar shared memory as
188 * tee_shm_alloc_kernel_buf(), but with the difference that the memory
189 * might not be registered in secure world in case the driver supports
190 * passing memory not registered in advance.
192 * This function should normally only be used internally in the TEE
195 * @returns a pointer to 'struct tee_shm'
197 struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size)
199 u32 flags = TEE_SHM_PRIV | TEE_SHM_POOL;
201 return shm_alloc_helper(ctx, size, sizeof(long) * 2, flags, -1);
203 EXPORT_SYMBOL_GPL(tee_shm_alloc_priv_buf);
205 static struct tee_shm *
206 register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
209 struct tee_device *teedev = ctx->teedev;
211 unsigned long start, addr;
212 size_t num_pages, off;
217 if (!tee_device_get(teedev))
218 return ERR_PTR(-EINVAL);
220 if (!teedev->desc->ops->shm_register ||
221 !teedev->desc->ops->shm_unregister) {
222 ret = ERR_PTR(-ENOTSUPP);
228 shm = kzalloc(sizeof(*shm), GFP_KERNEL);
230 ret = ERR_PTR(-ENOMEM);
234 refcount_set(&shm->refcount, 1);
238 addr = untagged_addr((unsigned long)iter_iov_addr(iter));
239 start = rounddown(addr, PAGE_SIZE);
240 num_pages = iov_iter_npages(iter, INT_MAX);
242 ret = ERR_PTR(-ENOMEM);
246 shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
248 ret = ERR_PTR(-ENOMEM);
252 len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0,
254 if (unlikely(len <= 0)) {
255 ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);
256 goto err_free_shm_pages;
260 * iov_iter_extract_kvec_pages does not get reference on the pages,
261 * get a reference on them.
263 if (iov_iter_is_kvec(iter))
264 shm_get_kernel_pages(shm->pages, num_pages);
268 shm->num_pages = num_pages;
270 rc = teedev->desc->ops->shm_register(ctx, shm, shm->pages,
271 shm->num_pages, start);
274 goto err_put_shm_pages;
279 if (!iov_iter_is_kvec(iter))
280 unpin_user_pages(shm->pages, shm->num_pages);
282 shm_put_kernel_pages(shm->pages, shm->num_pages);
290 tee_device_put(teedev);
295 * tee_shm_register_user_buf() - Register a userspace shared memory buffer
296 * @ctx: Context that registers the shared memory
297 * @addr: The userspace address of the shared buffer
298 * @length: Length of the shared buffer
300 * @returns a pointer to 'struct tee_shm'
302 struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx,
303 unsigned long addr, size_t length)
305 u32 flags = TEE_SHM_USER_MAPPED | TEE_SHM_DYNAMIC;
306 struct tee_device *teedev = ctx->teedev;
308 struct iov_iter iter;
312 if (!access_ok((void __user *)addr, length))
313 return ERR_PTR(-EFAULT);
315 mutex_lock(&teedev->mutex);
316 id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL);
317 mutex_unlock(&teedev->mutex);
321 iov_iter_ubuf(&iter, ITER_DEST, (void __user *)addr, length);
322 shm = register_shm_helper(ctx, &iter, flags, id);
324 mutex_lock(&teedev->mutex);
325 idr_remove(&teedev->idr, id);
326 mutex_unlock(&teedev->mutex);
330 mutex_lock(&teedev->mutex);
331 ret = idr_replace(&teedev->idr, shm, id);
332 mutex_unlock(&teedev->mutex);
342 * tee_shm_register_kernel_buf() - Register kernel memory to be shared with
344 * @ctx: Context that registers the shared memory
346 * @length: Length of the buffer
348 * @returns a pointer to 'struct tee_shm'
351 struct tee_shm *tee_shm_register_kernel_buf(struct tee_context *ctx,
352 void *addr, size_t length)
354 u32 flags = TEE_SHM_DYNAMIC;
356 struct iov_iter iter;
358 kvec.iov_base = addr;
359 kvec.iov_len = length;
360 iov_iter_kvec(&iter, ITER_DEST, &kvec, 1, length);
362 return register_shm_helper(ctx, &iter, flags, -1);
364 EXPORT_SYMBOL_GPL(tee_shm_register_kernel_buf);
366 static int tee_shm_fop_release(struct inode *inode, struct file *filp)
368 tee_shm_put(filp->private_data);
372 static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma)
374 struct tee_shm *shm = filp->private_data;
375 size_t size = vma->vm_end - vma->vm_start;
377 /* Refuse sharing shared memory provided by application */
378 if (shm->flags & TEE_SHM_USER_MAPPED)
381 /* check for overflowing the buffer's size */
382 if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT)
385 return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT,
386 size, vma->vm_page_prot);
389 static const struct file_operations tee_shm_fops = {
390 .owner = THIS_MODULE,
391 .release = tee_shm_fop_release,
392 .mmap = tee_shm_fop_mmap,
396 * tee_shm_get_fd() - Increase reference count and return file descriptor
397 * @shm: Shared memory handle
398 * @returns user space file descriptor to shared memory
400 int tee_shm_get_fd(struct tee_shm *shm)
407 /* matched by tee_shm_put() in tee_shm_op_release() */
408 refcount_inc(&shm->refcount);
409 fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR);
416 * tee_shm_free() - Free shared memory
417 * @shm: Handle to shared memory to free
419 void tee_shm_free(struct tee_shm *shm)
423 EXPORT_SYMBOL_GPL(tee_shm_free);
426 * tee_shm_get_va() - Get virtual address of a shared memory plus an offset
427 * @shm: Shared memory handle
428 * @offs: Offset from start of this shared memory
429 * @returns virtual address of the shared memory + offs if offs is within
430 * the bounds of this shared memory, else an ERR_PTR
432 void *tee_shm_get_va(struct tee_shm *shm, size_t offs)
435 return ERR_PTR(-EINVAL);
436 if (offs >= shm->size)
437 return ERR_PTR(-EINVAL);
438 return (char *)shm->kaddr + offs;
440 EXPORT_SYMBOL_GPL(tee_shm_get_va);
443 * tee_shm_get_pa() - Get physical address of a shared memory plus an offset
444 * @shm: Shared memory handle
445 * @offs: Offset from start of this shared memory
446 * @pa: Physical address to return
447 * @returns 0 if offs is within the bounds of this shared memory, else an
450 int tee_shm_get_pa(struct tee_shm *shm, size_t offs, phys_addr_t *pa)
452 if (offs >= shm->size)
455 *pa = shm->paddr + offs;
458 EXPORT_SYMBOL_GPL(tee_shm_get_pa);
461 * tee_shm_get_from_id() - Find shared memory object and increase reference
463 * @ctx: Context owning the shared memory
464 * @id: Id of shared memory object
465 * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure
467 struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id)
469 struct tee_device *teedev;
473 return ERR_PTR(-EINVAL);
475 teedev = ctx->teedev;
476 mutex_lock(&teedev->mutex);
477 shm = idr_find(&teedev->idr, id);
479 * If the tee_shm was found in the IDR it must have a refcount
480 * larger than 0 due to the guarantee in tee_shm_put() below. So
481 * it's safe to use refcount_inc().
483 if (!shm || shm->ctx != ctx)
484 shm = ERR_PTR(-EINVAL);
486 refcount_inc(&shm->refcount);
487 mutex_unlock(&teedev->mutex);
490 EXPORT_SYMBOL_GPL(tee_shm_get_from_id);
493 * tee_shm_put() - Decrease reference count on a shared memory handle
494 * @shm: Shared memory handle
496 void tee_shm_put(struct tee_shm *shm)
498 struct tee_device *teedev = shm->ctx->teedev;
499 bool do_release = false;
501 mutex_lock(&teedev->mutex);
502 if (refcount_dec_and_test(&shm->refcount)) {
504 * refcount has reached 0, we must now remove it from the
505 * IDR before releasing the mutex. This will guarantee that
506 * the refcount_inc() in tee_shm_get_from_id() never starts
510 idr_remove(&teedev->idr, shm->id);
513 mutex_unlock(&teedev->mutex);
516 tee_shm_release(teedev, shm);
518 EXPORT_SYMBOL_GPL(tee_shm_put);