
Commit 392fcd22 authored by Divisha Bisht's avatar Divisha Bisht

msm-4.19: qseecom: Fix possible race condition



Fix possible race condition in data->type value in case of multithreaded
listener or app IOCTLs.

For example, the following could cause an inconsistent data->type value while
racing the IOCTLs below:

Thread1 with QSEECOM_IOCTL_REGISTER_LISTENER_REQ
Thread2 with QSEECOM_IOCTL_UNREGISTER_LISTENER_REQ.

Change-Id: I0f90cc9ec815803f62d407d8581cba781de5c332
Signed-off-by: default avatarDivisha Bisht <quic_divibish@quicinc.com>
parent 09012c0a
+75 −30
@@ -3,7 +3,7 @@
 * QTI Secure Execution Environment Communicator (QSEECOM) driver
 *
 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
 * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
 * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */

#define pr_fmt(fmt) "QSEECOM: %s: " fmt, __func__
@@ -7613,14 +7613,15 @@ static long qseecom_ioctl(struct file *file,

	switch (cmd) {
	case QSEECOM_IOCTL_REGISTER_LISTENER_REQ: {
		mutex_lock(&listener_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("reg lstnr req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&listener_access_lock);
			ret = -EINVAL;
			break;
		}
		pr_debug("ioctl register_listener_req()\n");
		mutex_lock(&listener_access_lock);
		atomic_inc(&data->ioctl_count);
		data->type = QSEECOM_LISTENER_SERVICE;
		ret = qseecom_register_listener(data, argp);
@@ -7632,15 +7633,16 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_UNREGISTER_LISTENER_REQ: {
		mutex_lock(&listener_access_lock);
		if ((data->listener.id == 0) ||
			(data->type != QSEECOM_LISTENER_SERVICE)) {
			pr_err("unreg lstnr req: invalid handle (%d) lid(%d)\n",
						data->type, data->listener.id);
			mutex_unlock(&listener_access_lock);
			ret = -EINVAL;
			break;
		}
		pr_debug("ioctl unregister_listener_req()\n");
		mutex_lock(&listener_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_unregister_listener(data);
		atomic_dec(&data->ioctl_count);
@@ -7651,15 +7653,16 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_SEND_CMD_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("send cmd req: invalid handle (%d) app_id(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if (qseecom.support_bus_scaling) {
			/* register bus bw in case the client doesn't do it */
			if (!data->mode) {
@@ -7713,15 +7716,16 @@ static long qseecom_ioctl(struct file *file,
	}
	case QSEECOM_IOCTL_SEND_MODFD_CMD_REQ:
	case QSEECOM_IOCTL_SEND_MODFD_CMD_64_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("send mdfd cmd: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if (qseecom.support_bus_scaling) {
			if (!data->mode) {
				mutex_lock(&qsee_bw_mutex);
@@ -7777,13 +7781,16 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_RECEIVE_REQ: {
		mutex_lock(&listener_access_lock);
		if ((data->listener.id == 0) ||
			(data->type != QSEECOM_LISTENER_SERVICE)) {
			pr_err("receive req: invalid handle (%d), lid(%d)\n",
						data->type, data->listener.id);
			mutex_unlock(&listener_access_lock);
			ret = -EINVAL;
			break;
		}
		mutex_unlock(&listener_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_receive_req(data);
		atomic_dec(&data->ioctl_count);
@@ -7793,14 +7800,15 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_SEND_RESP_REQ: {
		mutex_lock(&listener_access_lock);
		if ((data->listener.id == 0) ||
			(data->type != QSEECOM_LISTENER_SERVICE)) {
			pr_err("send resp req: invalid handle (%d), lid(%d)\n",
						data->type, data->listener.id);
			mutex_unlock(&listener_access_lock);
			ret = -EINVAL;
			break;
		}
		mutex_lock(&listener_access_lock);
		atomic_inc(&data->ioctl_count);
		if (!qseecom.qsee_reentrancy_support)
			ret = qseecom_send_resp();
@@ -7814,16 +7822,17 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_SET_MEM_PARAM_REQ: {
		mutex_lock(&app_access_lock);
		if ((data->type != QSEECOM_CLIENT_APP) &&
			(data->type != QSEECOM_GENERIC) &&
			(data->type != QSEECOM_SECURE_SERVICE)) {
			pr_err("set mem param req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_set_client_mem_param(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -7834,16 +7843,17 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_LOAD_APP_REQ: {
		mutex_lock(&app_access_lock);
		if ((data->type != QSEECOM_GENERIC) &&
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("load app req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->type = QSEECOM_CLIENT_APP;
		pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%pK\n", data);
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_load_app(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -7854,15 +7864,16 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_UNLOAD_APP_REQ: {
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("unload app req:invalid handle(%d) app_id(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		pr_debug("UNLOAD_APP: qseecom_addr = 0x%pK\n", data);
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_unload_app(data, false);
		atomic_dec(&data->ioctl_count);
@@ -7881,10 +7892,12 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_PERF_ENABLE_REQ:{
		mutex_lock(&app_access_lock);
		if ((data->type != QSEECOM_GENERIC) &&
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("perf enable req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
@@ -7892,6 +7905,7 @@ static long qseecom_ioctl(struct file *file,
			(data->client.app_id == 0)) {
			pr_err("perf enable req:invalid handle(%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
@@ -7906,13 +7920,16 @@ static long qseecom_ioctl(struct file *file,
				pr_err("Fail to vote for clocks %d\n", ret);
		}
		atomic_dec(&data->ioctl_count);
		mutex_unlock(&app_access_lock);
		break;
	}
	case QSEECOM_IOCTL_PERF_DISABLE_REQ:{
		mutex_lock(&app_access_lock);
		if ((data->type != QSEECOM_SECURE_SERVICE) &&
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("perf disable req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
@@ -7920,6 +7937,7 @@ static long qseecom_ioctl(struct file *file,
			(data->client.app_id == 0)) {
			pr_err("perf disable: invalid handle (%d)app_id(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
@@ -7933,6 +7951,7 @@ static long qseecom_ioctl(struct file *file,
			mutex_unlock(&qsee_bw_mutex);
		}
		atomic_dec(&data->ioctl_count);
		mutex_unlock(&app_access_lock);
		break;
	}

@@ -7942,28 +7961,32 @@ static long qseecom_ioctl(struct file *file,
			pr_debug("crypto clock is not handled by HLOS\n");
			break;
		}
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("set bus scale: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		atomic_inc(&data->ioctl_count);
		ret = qseecom_scale_bus_bandwidth(data, argp);
		atomic_dec(&data->ioctl_count);
		mutex_unlock(&app_access_lock);
		break;
	}
	case QSEECOM_IOCTL_LOAD_EXTERNAL_ELF_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("load ext elf req: invalid client handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->type = QSEECOM_UNAVAILABLE_CLIENT_APP;
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_load_external_elf(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -7973,14 +7996,15 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_UNLOAD_EXTERNAL_ELF_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_UNAVAILABLE_CLIENT_APP) {
			pr_err("unload ext elf req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_unload_external_elf(data);
		atomic_dec(&data->ioctl_count);
@@ -7990,15 +8014,16 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_APP_LOADED_QUERY_REQ: {
		mutex_lock(&app_access_lock);
		if ((data->type != QSEECOM_GENERIC) &&
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("app loaded query req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->type = QSEECOM_CLIENT_APP;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%pK\n", data);
		ret = qseecom_query_app_loaded(data, argp);
@@ -8007,9 +8032,11 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_SEND_CMD_SERVICE_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("send cmd svc req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
@@ -8017,9 +8044,9 @@ static long qseecom_ioctl(struct file *file,
		if (qseecom.qsee_version < QSEE_VERSION_03) {
			pr_err("SEND_CMD_SERVICE_REQ: Invalid qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_send_service_cmd(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -8029,19 +8056,21 @@ static long qseecom_ioctl(struct file *file,
	case QSEECOM_IOCTL_CREATE_KEY_REQ: {
		if (!(qseecom.support_pfe || qseecom.support_fde))
			pr_err("Features requiring key init not supported\n");
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("create key req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_05) {
			pr_err("Create Key feature unsupported: qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_create_key(data, argp);
		if (ret)
@@ -8054,19 +8083,21 @@ static long qseecom_ioctl(struct file *file,
	case QSEECOM_IOCTL_WIPE_KEY_REQ: {
		if (!(qseecom.support_pfe || qseecom.support_fde))
			pr_err("Features requiring key init not supported\n");
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("wipe key req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_05) {
			pr_err("Wipe Key feature unsupported in qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_wipe_key(data, argp);
		if (ret)
@@ -8078,19 +8109,21 @@ static long qseecom_ioctl(struct file *file,
	case QSEECOM_IOCTL_UPDATE_KEY_USER_INFO_REQ: {
		if (!(qseecom.support_pfe || qseecom.support_fde))
			pr_err("Features requiring key init not supported\n");
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("update key req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_05) {
			pr_err("Update Key feature unsupported in qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_update_key_user_info(data, argp);
		if (ret)
@@ -8100,14 +8133,15 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_SAVE_PARTITION_HASH_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("save part hash req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_save_partition_hash(argp);
		atomic_dec(&data->ioctl_count);
@@ -8115,14 +8149,15 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_IS_ES_ACTIVATED_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("ES activated req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_is_es_activated(argp);
		atomic_dec(&data->ioctl_count);
@@ -8130,14 +8165,15 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ: {
		mutex_lock(&app_access_lock);
		if (data->type != QSEECOM_GENERIC) {
			pr_err("MDTP cipher DIP req: invalid handle (%d)\n",
								data->type);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		data->released = true;
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_mdtp_cipher_dip(argp);
		atomic_dec(&data->ioctl_count);
@@ -8146,14 +8182,15 @@ static long qseecom_ioctl(struct file *file,
	}
	case QSEECOM_IOCTL_SEND_MODFD_RESP:
	case QSEECOM_IOCTL_SEND_MODFD_RESP_64: {
		mutex_lock(&listener_access_lock);
		if ((data->listener.id == 0) ||
			(data->type != QSEECOM_LISTENER_SERVICE)) {
			pr_err("receive req: invalid handle (%d), lid(%d)\n",
						data->type, data->listener.id);
			mutex_unlock(&listener_access_lock);
			ret = -EINVAL;
			break;
		}
		mutex_lock(&listener_access_lock);
		atomic_inc(&data->ioctl_count);
		if (cmd == QSEECOM_IOCTL_SEND_MODFD_RESP)
			ret = qseecom_send_modfd_resp(data, argp);
@@ -8168,20 +8205,22 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_QTEEC_IOCTL_OPEN_SESSION_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("Open session: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_40) {
			pr_err("GP feature unsupported: qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_qteec_open_session(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -8193,20 +8232,22 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_QTEEC_IOCTL_CLOSE_SESSION_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("Close session: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_40) {
			pr_err("GP feature unsupported: qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_qteec_close_session(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -8217,20 +8258,22 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_QTEEC_IOCTL_INVOKE_MODFD_CMD_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("Invoke cmd: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_40) {
			pr_err("GP feature unsupported: qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_qteec_invoke_modfd_cmd(data, argp);
		atomic_dec(&data->ioctl_count);
@@ -8242,20 +8285,22 @@ static long qseecom_ioctl(struct file *file,
		break;
	}
	case QSEECOM_QTEEC_IOCTL_REQUEST_CANCELLATION_REQ: {
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		if ((data->client.app_id == 0) ||
			(data->type != QSEECOM_CLIENT_APP)) {
			pr_err("Cancel req: invalid handle (%d) appid(%d)\n",
					data->type, data->client.app_id);
			mutex_unlock(&app_access_lock);
			ret = -EINVAL;
			break;
		}
		if (qseecom.qsee_version < QSEE_VERSION_40) {
			pr_err("GP feature unsupported: qsee ver %u\n",
				qseecom.qsee_version);
			mutex_unlock(&app_access_lock);
			return -EINVAL;
		}
		/* Only one client allowed here at a time */
		mutex_lock(&app_access_lock);
		atomic_inc(&data->ioctl_count);
		ret = qseecom_qteec_request_cancellation(data, argp);
		atomic_dec(&data->ioctl_count);
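Review bot: In the QSEECOM_IOCTL_RECEIVE_REQ hunk, listener_access_lock is dropped at the newly added mutex_unlock() before atomic_inc() and qseecom_receive_req() run, so the data->type / listener.id check just above is only a snapshot and an UNREGISTER_LISTENER_REQ on another thread can still change the handle between the check and the call — the very window this commit closes in every other listener case. If that is deliberate, presumably because qseecom_receive_req() blocks waiting for a request (the pre-change code held no lock here at all), the reason should sit next to the unlock, e.g. `/* listener_access_lock cannot be held across qseecom_receive_req(); the handle check above is only a snapshot */`; otherwise the unlock belongs after atomic_dec(), as in SEND_RESP_REQ and SEND_MODFD_RESP. Separately, the same lock-validate-unlock-on-error preamble is now repeated in every case, and the mutex_unlock() before each `return -EINVAL` is easy to miss on the next edit; a small static helper that takes the lock and the set of permitted types would keep that on one path. The enclosing qseecom_ioctl() starts and ends outside the hunk.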