user_obj.c 19 KB

  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  4. */
  5. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  6. #include <linux/slab.h>
  7. #include <linux/uaccess.h>
  8. #include "qcomtee.h"
  9. /**
  10. * DOC: User Objects aka Supplicants
  11. *
  12. * Any userspace process with access to the TEE device file can behave as a
  13. * supplicant by creating a user object. Any TEE parameter of type OBJREF with
  14. * %QCOMTEE_OBJREF_FLAG_USER flag set is considered a user object.
  15. *
  16. * A supplicant uses qcomtee_user_object_select() (i.e. TEE_IOC_SUPPL_RECV) to
  17. * receive a QTEE user object request and qcomtee_user_object_submit()
  18. * (i.e. TEE_IOC_SUPPL_SEND) to submit a response. QTEE expects to receive the
  19. * response, including OB and OO in a specific order in the message; parameters
  20. * submitted with qcomtee_user_object_submit() should maintain this order.
  21. */
  /**
   * struct qcomtee_user_object - Object whose implementation lives in userspace.
   * @object: embedded &struct qcomtee_object for this user object.
   * @ctx: TEE context the user object was defined for.
   * @object_id: ID of the object inside @ctx.
   * @notify: when true, userspace is told about the release.
   *
   * Every object managed by userspace is represented by one of these. With
   * @notify set, a notification message is sent back to userspace when the
   * object is released.
   */
  struct qcomtee_user_object {
      struct qcomtee_object object;
      struct tee_context *ctx;
      u64 object_id;
      bool notify;
  };
  /* Map an embedded &struct qcomtee_object back to its qcomtee_user_object. */
  #define to_qcomtee_user_object(o) \
      container_of((o), struct qcomtee_user_object, object)

  /*
   * Forward declaration: the table is filled in further down, but
   * is_qcomtee_user_object() compares against its address.
   */
  static struct qcomtee_object_operations qcomtee_user_object_ops;
  /*
   * Report whether @object is a user object: it must be non-NULL, of
   * callback (CB) type, and bound to the user-object operations table.
   * Returns non-zero for a user object and 0 otherwise.
   */
  int is_qcomtee_user_object(struct qcomtee_object *object)
  {
      if (object == NULL_QCOMTEE_OBJECT)
          return 0;

      if (typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_CB)
          return 0;

      /* Only the ops pointer tells a user object from other CB objects. */
      return object->ops == &qcomtee_user_object_ops;
  }
  /*
   * Update the 'notify on release' flag of a user object.
   * Objects that are not user objects are left untouched.
   */
  void qcomtee_user_object_set_notify(struct qcomtee_object *object, bool notify)
  {
      if (!is_qcomtee_user_object(object))
          return;

      to_qcomtee_user_object(object)->notify = notify;
  }
  55. /* Supplicant Requests: */
  /**
   * enum qcomtee_req_state - Life-cycle state of a supplicant request.
   * @QCOMTEE_REQ_QUEUED: waiting for a supplicant to pick it up.
   * @QCOMTEE_REQ_PROCESSING: handed to a supplicant, response still pending.
   * @QCOMTEE_REQ_PROCESSED: a response has been submitted for the request.
   *
   * Values start at 1, so 0 is not a named state.
   */
  enum qcomtee_req_state {
      QCOMTEE_REQ_QUEUED = 1,
      QCOMTEE_REQ_PROCESSING,
      QCOMTEE_REQ_PROCESSED,
  };
  /* A request sent to a supplicant on behalf of QTEE. */
  struct qcomtee_ureq {
      /* Where the request is in its life cycle. */
      enum qcomtee_req_state state;

      /* The request as seen by the supplicant: */
      int req_id;               /* ID assigned by ureq_enqueue(). */
      u64 object_id;            /* User object the request targets. */
      u32 op;                   /* Operation requested on the object. */
      struct qcomtee_arg *args; /* Arguments; set by whoever queues the request. */
      int errno;                /* Result reported back for the request. */

      struct list_head node;    /* Link in qcomtee_context_data.reqs_list. */
      struct completion c;      /* Completed once the request is PROCESSED. */
  };
  /*
   * Stand-in for a PROCESSING request in qcomtee_context.reqs_idr.
   *
   * When the thread that called qcomtee_object_invoke() dies while the
   * supplicant is still working on its request, the request's slot in
   * qcomtee_context.reqs_idr is overwritten with empty_ureq. As a result:
   *   (1) the req_id stays allocated and cannot be handed out again, and
   *   (2) the supplicant's later submit fails, so it performs the
   *       necessary rollback.
   */
  static struct qcomtee_ureq empty_ureq = {
      .state = QCOMTEE_REQ_PROCESSING,
  };
  /*
   * Queue @ureq on the context and give it a request ID.
   *
   * Takes reqs_lock itself. Returns 0 on success, -ENODEV once the context
   * has been marked released, or the negative value from idr_alloc().
   */
  static int ureq_enqueue(struct qcomtee_context_data *ctxdata,
                          struct qcomtee_ureq *ureq)
  {
      int id;

      guard(mutex)(&ctxdata->reqs_lock);

      /* The supplicant is going away; accept nothing new. */
      if (ctxdata->released)
          return -ENODEV;

      id = idr_alloc(&ctxdata->reqs_idr, ureq, 0, 0, GFP_KERNEL);
      if (id < 0)
          return id;

      /* The ID is what the supplicant later uses to refer to the request. */
      ureq->req_id = id;
      ureq->state = QCOMTEE_REQ_QUEUED;
      list_add_tail(&ureq->node, &ctxdata->reqs_list);

      return 0;
  }
  /**
   * ureq_dequeue() - Remove a user request from a context.
   * @ctxdata: context data of the context that owns the request.
   * @req_id: ID of the request to remove.
   *
   * The ID is released in every case, including when it only held the
   * empty_ureq placeholder. Neither the request state nor the operation is
   * examined here; callers that care must check them.
   *
   * Context: The caller should hold &qcomtee_context_data->reqs_lock.
   * Return: The request registered under @req_id, or NULL if there is none
   * or the ID only held the placeholder.
   */
  static struct qcomtee_ureq *ureq_dequeue(struct qcomtee_context_data *ctxdata,
                                           int req_id)
  {
      struct qcomtee_ureq *found = idr_remove(&ctxdata->reqs_idr, req_id);

      /* The placeholder is never on reqs_list, so there is nothing to unlink. */
      if (!found || found == &empty_ureq)
          return NULL;

      list_del(&found->node);

      return found;
  }
  /**
   * ureq_select() - Pick the next queued request of a context.
   * @ctxdata: context data of the context to take a request from.
   * @ubuf_size: size of the buffer available for UBUF parameters.
   * @num_params: number of entries in the TEE parameter array.
   *
   * The first QUEUED request on the list is chosen. It is only returned if
   * @num_params can hold all of its arguments and @ubuf_size can hold all of
   * its input buffers, each placed on an 8-byte boundary. The request is not
   * modified; the caller changes its state.
   *
   * Context: The caller should hold &qcomtee_context_data->reqs_lock.
   * Return: The request on success; NULL if nothing is queued; ERR_PTR(-EINVAL)
   * if the caller's parameter array or buffer is too small.
   */
  static struct qcomtee_ureq *ureq_select(struct qcomtee_context_data *ctxdata,
                                          size_t ubuf_size, int num_params)
  {
      struct qcomtee_ureq *pos, *picked = NULL;
      struct qcomtee_arg *args;
      int idx;

      /* Find a queued request. */
      list_for_each_entry(pos, &ctxdata->reqs_list, node) {
          if (pos->state != QCOMTEE_REQ_QUEUED)
              continue;

          picked = pos;
          break;
      }

      if (!picked)
          return NULL;

      args = picked->args;

      /* (1) Are there enough TEE parameters? */
      if (qcomtee_args_len(args) > num_params)
          return ERR_PTR(-EINVAL);

      /*
       * (2) Is there enough space for the input buffers? size_sub()
       * saturates at SIZE_MAX on underflow, which is what the test below
       * detects. This walk mirrors the layout arithmetic later done in
       * qcomtee_cb_params_from_args().
       */
      qcomtee_arg_for_each_input_buffer(idx, args) {
          ubuf_size = size_sub(ubuf_size, args[idx].b.size);
          if (ubuf_size == SIZE_MAX)
              return ERR_PTR(-EINVAL);

          ubuf_size = round_down(ubuf_size, 8);
      }

      return picked;
  }
  /*
   * Tear down all outstanding requests of a context; called when the user
   * closes the device.
   *
   * Requests with a waiter are completed with -ENODEV. RELEASE requests have
   * no waiter and are freed here.
   */
  void qcomtee_requests_destroy(struct qcomtee_context_data *ctxdata)
  {
      struct qcomtee_ureq *cur, *next;

      guard(mutex)(&ctxdata->reqs_lock);

      /* From now on ureq_enqueue() refuses new requests from QTEE. */
      ctxdata->released = true;

      /* Entries on reqs_list are QUEUED or PROCESSING, never empty_ureq. */
      list_for_each_entry_safe(cur, next, &ctxdata->reqs_list, node) {
          ureq_dequeue(ctxdata, cur->req_id);

          if (cur->op == QCOMTEE_MSG_OBJECT_OP_RELEASE) {
              kfree(cur);
              continue;
          }

          /* Hand the failure to whoever waits on the request. */
          cur->state = QCOMTEE_REQ_PROCESSED;
          cur->errno = -ENODEV;
          complete(&cur->c);
      }
  }
  187. /* User Object API. */
  /*
   * User object dispatcher: queue a request for the supplicant and wait for
   * its response.
   *
   * On success (return 0) the request is stored in @oic->data and is freed
   * later by qcomtee_user_object_notify(). On every other path the request is
   * freed on return through __free(kfree).
   *
   * Returns 0 or the error reported for the request, -ENOMEM if the request
   * cannot be allocated, or -ENODEV if it cannot be queued or the wait is cut
   * short before a response was submitted.
   */
  static int qcomtee_user_object_dispatch(struct qcomtee_object_invoke_ctx *oic,
                                          struct qcomtee_object *object, u32 op,
                                          struct qcomtee_arg *args)
  {
      struct qcomtee_user_object *uo = to_qcomtee_user_object(object);
      struct qcomtee_context_data *ctxdata = uo->ctx->data;
      enum qcomtee_req_state prev_state;
      int ret;

      struct qcomtee_ureq *ureq __free(kfree) = kzalloc(sizeof(*ureq),
                                                        GFP_KERNEL);
      if (!ureq)
          return -ENOMEM;

      init_completion(&ureq->c);
      ureq->object_id = uo->object_id;
      ureq->op = op;
      ureq->args = args;

      /* Queue the request. */
      if (ureq_enqueue(ctxdata, ureq))
          return -ENODEV;

      /* Wake up the supplicant so it can process the request. */
      complete(&ctxdata->req_c);

      /*
       * Wait for the supplicant. The wait is KILLABLE because the
       * supplicant and the invoking thread may belong to the same process,
       * the supplicant may crash, or shutdown may take the supplicant down
       * first; in any of these cases an unkillable wait would never end.
       *
       * TASK_FREEZABLE lets the device suspend safely while a long-running
       * request is being processed.
       */
      if (!wait_for_completion_state(&ureq->c,
                                     TASK_KILLABLE | TASK_FREEZABLE)) {
          ret = ureq->errno;
          if (!ret)
              oic->data = no_free_ptr(ureq);

          return ret;
      }

      /* The wait was interrupted: detach the request under the lock. */
      scoped_guard(mutex, &ctxdata->reqs_lock) {
          prev_state = ureq->state;

          switch (prev_state) {
          case QCOMTEE_REQ_PROCESSING:
              /* Replace with empty_ureq to keep req_id reserved. */
              list_del(&ureq->node);
              idr_replace(&ctxdata->reqs_idr, &empty_ureq, ureq->req_id);
              break;
          case QCOMTEE_REQ_QUEUED:
              /* The supplicant has never seen this request: just drop it. */
              ureq_dequeue(ctxdata, ureq->req_id);
              break;
          default:
              break;
          }
      }

      if (prev_state != QCOMTEE_REQ_PROCESSED)
          return -ENODEV;

      /* The supplicant already did the work; do not discard it. */
      ret = ureq->errno;
      if (!ret)
          oic->data = no_free_ptr(ureq);

      return ret;
  }
  /*
   * Called after the dispatcher's response has been submitted.
   *
   * Drops the references held on the output objects of the request and frees
   * the request that qcomtee_user_object_dispatch() left in @oic->data.
   */
  static void qcomtee_user_object_notify(struct qcomtee_object_invoke_ctx *oic,
                                         struct qcomtee_object *unused_object,
                                         int err)
  {
      struct qcomtee_ureq *ureq = oic->data;
      struct qcomtee_arg *args = ureq->args;
      int idx;

      qcomtee_arg_for_each_output_object(idx, args) {
          struct qcomtee_object *obj = args[idx].o;

          /*
           * A non-zero err means a transport problem: QTEE never got the
           * response, so the callback object created for QTEE has to be
           * released as well ...
           */
          if (err && typeof_qcomtee_object(obj) == QCOMTEE_OBJECT_TYPE_CB)
              qcomtee_object_put(obj);

          /* ... in addition to the copy kept for the driver. */
          qcomtee_object_put(obj);
      }

      kfree(ureq);
  }
  /*
   * Release a user object.
   *
   * If the object asks for it (notify), a RELEASE request is queued for the
   * supplicant. Nobody waits for that request, so its completion is not
   * initialised here. The context reference taken in
   * qcomtee_user_param_to_object() is dropped and the object is freed in
   * every case.
   */
  static void qcomtee_user_object_release(struct qcomtee_object *object)
  {
      /* RELEASE does not require any argument. */
      static struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } };
      struct qcomtee_user_object *uo = to_qcomtee_user_object(object);
      struct qcomtee_context_data *ctxdata = uo->ctx->data;
      struct qcomtee_ureq *ureq = NULL;

      /* The notification is best effort: skip it on allocation failure. */
      if (uo->notify)
          ureq = kzalloc_obj(*ureq);

      if (ureq) {
          ureq->object_id = uo->object_id;
          ureq->op = QCOMTEE_MSG_OBJECT_OP_RELEASE;
          ureq->args = args;

          /* Ignore the notification if it cannot be queued. */
          if (ureq_enqueue(ctxdata, ureq))
              kfree(ureq);
          else
              complete(&ctxdata->req_c);
      }

      teedev_ctx_put(uo->ctx);
      kfree(uo);
  }
  /*
   * Operations of a user object. The address of this table also identifies
   * user objects; see is_qcomtee_user_object().
   */
  static struct qcomtee_object_operations qcomtee_user_object_ops = {
      .release = qcomtee_user_object_release,
      .notify = qcomtee_user_object_notify,
      .dispatch = qcomtee_user_object_dispatch,
  };
  /**
   * qcomtee_user_param_to_object() - OBJREF parameter to &struct qcomtee_object.
   * @object: where the new object is returned.
   * @param: TEE parameter; an OBJREF carrying %QCOMTEE_OBJREF_FLAG_USER.
   * @ctx: context in which the conversion should happen.
   *
   * A new user object is allocated for the ID found in @param. The ID comes
   * from userspace and is stored as given. On success the object holds a
   * reference on @ctx until qcomtee_user_object_release() runs.
   *
   * Return: On success, returns 0; on failure, returns < 0.
   */
  int qcomtee_user_param_to_object(struct qcomtee_object **object,
                                   struct tee_param *param,
                                   struct tee_context *ctx)
  {
      int ret;

      struct qcomtee_user_object *uo __free(kfree) = kzalloc_obj(*uo);
      if (!uo)
          return -ENOMEM;

      uo->ctx = ctx;
      uo->object_id = param->u.objref.id;
      /* By default, always notify userspace upon release. */
      uo->notify = true;

      ret = qcomtee_object_user_init(&uo->object, QCOMTEE_OBJECT_TYPE_CB,
                                     &qcomtee_user_object_ops, "uo-%llu",
                                     param->u.objref.id);
      if (ret)
          return ret; /* uo is freed through __free(kfree). */

      /* Matching teedev_ctx_put() is in qcomtee_user_object_release(). */
      teedev_ctx_get(ctx);

      /* Ownership moves to the caller; disarm the automatic kfree(). */
      *object = &no_free_ptr(uo)->object;

      return 0;
  }
  /*
   * Reverse of qcomtee_user_param_to_object(): describe @object to userspace
   * as an OBJREF parameter.
   *
   * Returns 0 on success, or -EINVAL if the object belongs to a context other
   * than @ctx, so that an object ID is never handed to a context it was not
   * defined in.
   *
   * NOTE(review): @object is converted with to_qcomtee_user_object() without
   * an is_qcomtee_user_object() test here; presumably the caller has done
   * that check. Confirm against the callers.
   */
  int qcomtee_user_param_from_object(struct tee_param *param,
                                     struct qcomtee_object *object,
                                     struct tee_context *ctx)
  {
      struct qcomtee_user_object *uo = to_qcomtee_user_object(object);

      /* Ensure the object is in the same context as the caller. */
      if (uo->ctx != ctx)
          return -EINVAL;

      param->u.objref.flags = QCOMTEE_OBJREF_FLAG_USER;
      param->u.objref.id = uo->object_id;

      /* User objects are valid in userspace; do not keep a copy. */
      qcomtee_object_put(object);

      return 0;
  }
  /**
   * qcomtee_cb_params_from_args() - Convert QTEE arguments to TEE parameters.
   * @params: TEE parameters.
   * @u: QTEE arguments.
   * @num_params: number of elements in the parameter array.
   * @ubuf_addr: user buffer for arguments of type %QCOMTEE_ARG_TYPE_IB.
   * @ubuf_size: size of the user buffer.
   * @ctx: context in which the conversion should happen.
   *
   * @params must have enough entries for @u, and every entry must be of
   * %TEE_IOCTL_PARAM_ATTR_TYPE_NONE on entry. @num_params is not consulted
   * here; both it and @ubuf_size are validated beforehand in ureq_select().
   *
   * Input buffers are copied into the user buffer from its end towards its
   * start, each at an 8-byte aligned offset.
   *
   * Return: On success, returns the number of input parameters;
   * on failure, returns < 0.
   */
  static int qcomtee_cb_params_from_args(struct tee_param *params,
                                         struct qcomtee_arg *u, int num_params,
                                         void __user *ubuf_addr, size_t ubuf_size,
                                         struct tee_context *ctx)
  {
      int i, undo;

      qcomtee_arg_for_each(i, u) {
          struct tee_param *p = &params[i];
          struct qcomtee_arg *arg = &u[i];

          switch (arg->type) {
          case QCOMTEE_ARG_TYPE_IB:
              p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT;
              /* Underflow already checked in ureq_select(). */
              ubuf_size = round_down(ubuf_size - arg->b.size, 8);
              p->u.ubuf.uaddr = (void __user *)(ubuf_addr + ubuf_size);
              p->u.ubuf.size = arg->b.size;
              if (copy_to_user(p->u.ubuf.uaddr, arg->b.addr, arg->b.size))
                  goto out_failed;
              break;
          case QCOMTEE_ARG_TYPE_OB:
              p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT;
              /* Tell the user the maximum size QTEE expects. */
              p->u.ubuf.size = arg->b.size;
              break;
          case QCOMTEE_ARG_TYPE_IO:
              p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_INPUT;
              if (qcomtee_objref_from_arg(p, arg, ctx))
                  goto out_failed;
              break;
          case QCOMTEE_ARG_TYPE_OO:
              p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_OUTPUT;
              break;
          default: /* Never get here! */
              goto out_failed;
          }
      }

      return i;

  out_failed:
      /*
       * Undo qcomtee_objref_from_arg().
       * NOTE(review): the walk starts at the failing index, whose attr is
       * already OBJREF_INPUT when qcomtee_objref_from_arg() itself failed;
       * confirm qcomtee_context_del_qtee_object() tolerates that entry.
       */
      for (undo = i; undo >= 0; undo--) {
          if (params[undo].attr == TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_INPUT)
              qcomtee_context_del_qtee_object(&params[undo], ctx);
      }

      /* Release any IO objects not processed, from the failing index on. */
      while (u[i].type) {
          if (u[i].type == QCOMTEE_ARG_TYPE_IO)
              qcomtee_object_put(u[i].o);
          i++;
      }

      return -EINVAL;
  }
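  /**
   * qcomtee_cb_params_to_args() - Convert TEE parameters to QTEE arguments.
   * @u: QTEE arguments.
   * @params: TEE parameters.
   * @num_params: number of elements in the parameter array.
   * @ctx: context in which the conversion should happen.
   *
   * @params is what the supplicant submitted as its response. Every entry is
   * checked against the argument type QTEE expects at the same position, and
   * an output buffer may not be larger than the size QTEE asked for.
   *
   * Return: On success, returns 0; on failure, returns < 0.
   */
  static int qcomtee_cb_params_to_args(struct qcomtee_arg *u,
                                       struct tee_param *params, int num_params,
                                       struct tee_context *ctx)
  {
      int i;

      /*
       * @num_params arrives with the response and is independent of the
       * count that ureq_select() checked when the request was handed out.
       * The loop below reads params[i] for every argument in @u, so a
       * shorter array must be rejected before any entry is touched.
       * NOTE(review): confirm whether the ioctl layer already guarantees
       * this; nothing in this file does.
       */
      if (num_params < qcomtee_args_len(u))
          return -EINVAL;

      qcomtee_arg_for_each(i, u) {
          switch (u[i].type) {
          case QCOMTEE_ARG_TYPE_IB:
              if (params[i].attr !=
                  TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_INPUT)
                  goto out_failed;
              break;
          case QCOMTEE_ARG_TYPE_OB:
              if (params[i].attr !=
                  TEE_IOCTL_PARAM_ATTR_TYPE_UBUF_OUTPUT)
                  goto out_failed;
              /*
               * The client cannot send more data than requested; this
               * bound keeps the copy inside the buffer at u[i].b.addr.
               */
              if (params[i].u.ubuf.size > u[i].b.size)
                  goto out_failed;
              if (copy_from_user(u[i].b.addr, params[i].u.ubuf.uaddr,
                                 params[i].u.ubuf.size))
                  goto out_failed;
              /* Report the size actually provided. */
              u[i].b.size = params[i].u.ubuf.size;
              break;
          case QCOMTEE_ARG_TYPE_IO:
              if (params[i].attr !=
                  TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_INPUT)
                  goto out_failed;
              break;
          case QCOMTEE_ARG_TYPE_OO:
              if (params[i].attr !=
                  TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_OUTPUT)
                  goto out_failed;
              if (qcomtee_objref_to_arg(&u[i], &params[i], ctx))
                  goto out_failed;
              break;
          default: /* Never get here! */
              goto out_failed;
          }
      }

      return 0;

  out_failed:
      /* Undo qcomtee_objref_to_arg() for the entries already converted. */
      for (i--; i >= 0; i--) {
          if (u[i].type != QCOMTEE_ARG_TYPE_OO)
              continue;

          /* The response is discarded, so no release notification is due. */
          qcomtee_user_object_set_notify(u[i].o, false);
          if (typeof_qcomtee_object(u[i].o) == QCOMTEE_OBJECT_TYPE_CB)
              qcomtee_object_put(u[i].o);
          qcomtee_object_put(u[i].o);
      }

      return -EINVAL;
  }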
  /**
   * qcomtee_user_object_select() - Select a request for a user object.
   * @ctx: context to look for a user object.
   * @params: parameters for @op.
   * @num_params: number of elements in the parameter array.
   * @uaddr: user buffer for output UBUF parameters.
   * @size: size of user buffer @uaddr.
   * @data: information for the selected request.
   *
   * Blocks (interruptibly) until a request is queued. @params is filled along
   * with @data for the selected request. A request that cannot be converted
   * is failed back to QTEE and the next one is tried.
   *
   * Return: On success, returns 0; on failure, returns < 0.
   */
  int qcomtee_user_object_select(struct tee_context *ctx,
                                 struct tee_param *params, int num_params,
                                 void __user *uaddr, size_t size,
                                 struct qcomtee_user_object_request_data *data)
  {
      struct qcomtee_context_data *ctxdata = ctx->data;
      struct qcomtee_ureq *ureq;
      int np;

      /*
       * reqs_lock is held not only for ureq_select() and the switch to
       * PROCESSING, but for as long as ureq is accessed. This keeps
       * qcomtee_user_object_dispatch() from freeing ureq while it is still
       * in use here, should the client die.
       */
      for (;;) {
          scoped_guard(mutex, &ctxdata->reqs_lock) {
              ureq = ureq_select(ctxdata, size, num_params);
              if (IS_ERR(ureq))
                  return PTR_ERR(ureq);
              if (!ureq)
                  goto wait_for_request;

              /* Processing the request 'QUEUED -> PROCESSING'. */
              ureq->state = QCOMTEE_REQ_PROCESSING;

              /* Describe the request to the supplicant. */
              data->id = ureq->req_id;
              data->object_id = ureq->object_id;
              data->op = ureq->op;

              np = qcomtee_cb_params_from_args(params, ureq->args,
                                               num_params, uaddr,
                                               size, ctx);
              if (np >= 0)
                  goto done_request;

              /* Something is wrong with the request: */
              ureq_dequeue(ctxdata, data->id);

              /* Send the error to QTEE. */
              ureq->state = QCOMTEE_REQ_PROCESSED;
              ureq->errno = np;
              complete(&ureq->c);
          }

          continue;

  wait_for_request:
          /* Wait for a new QUEUED request. */
          if (wait_for_completion_interruptible(&ctxdata->req_c))
              return -ERESTARTSYS;
      }

  done_request:
      /*
       * No one is waiting for the response to a RELEASE, so it is removed
       * and freed right away.
       * NOTE(review): the request stays in reqs_idr, in PROCESSING state,
       * until this second locked section; anything that dequeues by ID in
       * between must not treat it as a request with a waiter.
       */
      if (data->op == QCOMTEE_MSG_OBJECT_OP_RELEASE) {
          scoped_guard(mutex, &ctxdata->reqs_lock)
              ureq_dequeue(ctxdata, data->id);
          kfree(ureq);
      }

      data->np = np;

      return 0;
  }
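  /**
   * qcomtee_user_object_submit() - Submit a response for a user object.
   * @ctx: context to look for a user object.
   * @params: returned parameters.
   * @num_params: number of elements in the parameter array.
   * @req_id: request ID for the response.
   * @errno: result of user object invocation.
   *
   * @req_id comes from userspace. A response is accepted only for a request
   * that a supplicant has picked up (PROCESSING) and that has a waiter, i.e.
   * is not a RELEASE notification.
   *
   * Return: On success, returns 0; on failure, returns < 0.
   */
  int qcomtee_user_object_submit(struct tee_context *ctx,
                                 struct tee_param *params, int num_params,
                                 int req_id, int errno)
  {
      struct qcomtee_context_data *ctxdata = ctx->data;
      struct qcomtee_ureq *ureq;

      /*
       * reqs_lock is held for the entire ureq access so that
       * qcomtee_user_object_dispatch() cannot free it underneath us.
       */
      guard(mutex)(&ctxdata->reqs_lock);

      /*
       * Look before removing. ureq_dequeue() returns whatever is registered
       * under the ID, including a request still QUEUED or a RELEASE
       * notification. RELEASE requests never get init_completion() (see
       * qcomtee_user_object_release()), so complete() below must not be
       * reached for them, and a QUEUED request has not been handed to any
       * supplicant yet. Missing entries and the empty_ureq placeholder fall
       * through to ureq_dequeue(), which releases the ID and fails the
       * submit as before.
       */
      ureq = idr_find(&ctxdata->reqs_idr, req_id);
      if (ureq && ureq != &empty_ureq &&
          (ureq->state != QCOMTEE_REQ_PROCESSING ||
           ureq->op == QCOMTEE_MSG_OBJECT_OP_RELEASE))
          return -EINVAL;

      ureq = ureq_dequeue(ctxdata, req_id);
      if (!ureq)
          return -EINVAL;

      ureq->state = QCOMTEE_REQ_PROCESSED;

      if (!errno)
          ureq->errno = qcomtee_cb_params_to_args(ureq->args, params,
                                                  num_params, ctx);
      else
          ureq->errno = errno;

      /* Return errno if qcomtee_cb_params_to_args() failed; otherwise 0. */
      if (!errno && ureq->errno)
          errno = ureq->errno;
      else
          errno = 0;

      /* Send the result to QTEE; ureq must not be touched after this. */
      complete(&ureq->c);

      return errno;
  }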