msm-5.10: qseecom: Fix possible race condition

Fix possible race condition in data->type value in case of multithreaded
listener or app IOCTLs.

For example, the following could leave data->type inconsistent when these
IOCTLs race:

Thread1 with QSEECOM_IOCTL_REGISTER_LISTENER_REQ
Thread2 with QSEECOM_IOCTL_UNREGISTER_LISTENER_REQ.

Change-Id: I13cf63e92e0b914179b6ad4e29969fa8567fcdb4
Signed-off-by: Vishakha Malik <quic_vmallik@quicinc.com>
Vishakha Malik 2024-09-04 16:03:39 +05:30
parent aee2927ae5
commit 07b1f6dce2


@ -3,7 +3,7 @@
* QTI Secure Execution Environment Communicator (QSEECOM) driver
*
* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
* Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
* Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#define pr_fmt(fmt) "QSEECOM: %s: " fmt, __func__
@ -7651,14 +7651,15 @@ long qseecom_ioctl(struct file *file,
switch (cmd) {
case QSEECOM_IOCTL_REGISTER_LISTENER_REQ: {
mutex_lock(&listener_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("reg lstnr req: invalid handle (%d)\n",
data->type);
mutex_unlock(&listener_access_lock);
ret = -EINVAL;
break;
}
pr_debug("ioctl register_listener_req()\n");
mutex_lock(&listener_access_lock);
atomic_inc(&data->ioctl_count);
data->type = QSEECOM_LISTENER_SERVICE;
ret = qseecom_register_listener(data, argp);
@ -7670,15 +7671,16 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_UNREGISTER_LISTENER_REQ: {
mutex_lock(&listener_access_lock);
if ((data->listener.id == 0) ||
(data->type != QSEECOM_LISTENER_SERVICE)) {
pr_err("unreg lstnr req: invalid handle (%d) lid(%d)\n",
data->type, data->listener.id);
mutex_unlock(&listener_access_lock);
ret = -EINVAL;
break;
}
pr_debug("ioctl unregister_listener_req()\n");
mutex_lock(&listener_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_unregister_listener(data);
atomic_dec(&data->ioctl_count);
@ -7689,15 +7691,16 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_SEND_CMD_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("send cmd req: invalid handle (%d) app_id(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if (qseecom.support_bus_scaling) {
/* register bus bw in case the client doesn't do it */
if (!data->mode) {
@ -7751,15 +7754,16 @@ long qseecom_ioctl(struct file *file,
}
case QSEECOM_IOCTL_SEND_MODFD_CMD_REQ:
case QSEECOM_IOCTL_SEND_MODFD_CMD_64_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("send mdfd cmd: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if (qseecom.support_bus_scaling) {
if (!data->mode) {
mutex_lock(&qsee_bw_mutex);
@ -7815,13 +7819,16 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_RECEIVE_REQ: {
mutex_lock(&listener_access_lock);
if ((data->listener.id == 0) ||
(data->type != QSEECOM_LISTENER_SERVICE)) {
pr_err("receive req: invalid handle (%d), lid(%d)\n",
data->type, data->listener.id);
mutex_unlock(&listener_access_lock);
ret = -EINVAL;
break;
}
mutex_unlock(&listener_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_receive_req(data);
atomic_dec(&data->ioctl_count);
@ -7831,14 +7838,15 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_SEND_RESP_REQ: {
mutex_lock(&listener_access_lock);
if ((data->listener.id == 0) ||
(data->type != QSEECOM_LISTENER_SERVICE)) {
pr_err("send resp req: invalid handle (%d), lid(%d)\n",
data->type, data->listener.id);
mutex_unlock(&listener_access_lock);
ret = -EINVAL;
break;
}
mutex_lock(&listener_access_lock);
atomic_inc(&data->ioctl_count);
if (!qseecom.qsee_reentrancy_support)
ret = qseecom_send_resp();
@ -7852,16 +7860,17 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_SET_MEM_PARAM_REQ: {
mutex_lock(&app_access_lock);
if ((data->type != QSEECOM_CLIENT_APP) &&
(data->type != QSEECOM_GENERIC) &&
(data->type != QSEECOM_SECURE_SERVICE)) {
pr_err("set mem param req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_set_client_mem_param(data, argp);
atomic_dec(&data->ioctl_count);
@ -7872,16 +7881,17 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_LOAD_APP_REQ: {
mutex_lock(&app_access_lock);
if ((data->type != QSEECOM_GENERIC) &&
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("load app req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->type = QSEECOM_CLIENT_APP;
pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%pK\n", data);
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_load_app(data, argp);
atomic_dec(&data->ioctl_count);
@ -7892,15 +7902,16 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_UNLOAD_APP_REQ: {
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("unload app req:invalid handle(%d) app_id(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
pr_debug("UNLOAD_APP: qseecom_addr = 0x%pK\n", data);
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_unload_app(data, false);
atomic_dec(&data->ioctl_count);
@ -7919,10 +7930,12 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_PERF_ENABLE_REQ:{
mutex_lock(&app_access_lock);
if ((data->type != QSEECOM_GENERIC) &&
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("perf enable req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
@ -7930,6 +7943,7 @@ long qseecom_ioctl(struct file *file,
(data->client.app_id == 0)) {
pr_err("perf enable req:invalid handle(%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
@ -7944,13 +7958,16 @@ long qseecom_ioctl(struct file *file,
pr_err("Fail to vote for clocks %d\n", ret);
}
atomic_dec(&data->ioctl_count);
mutex_unlock(&app_access_lock);
break;
}
case QSEECOM_IOCTL_PERF_DISABLE_REQ:{
mutex_lock(&app_access_lock);
if ((data->type != QSEECOM_SECURE_SERVICE) &&
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("perf disable req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
@ -7958,6 +7975,7 @@ long qseecom_ioctl(struct file *file,
(data->client.app_id == 0)) {
pr_err("perf disable: invalid handle (%d)app_id(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
@ -7971,6 +7989,7 @@ long qseecom_ioctl(struct file *file,
mutex_unlock(&qsee_bw_mutex);
}
atomic_dec(&data->ioctl_count);
mutex_unlock(&app_access_lock);
break;
}
@ -7980,28 +7999,32 @@ long qseecom_ioctl(struct file *file,
pr_debug("crypto clock is not handled by HLOS\n");
break;
}
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("set bus scale: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
atomic_inc(&data->ioctl_count);
ret = qseecom_scale_bus_bandwidth(data, argp);
atomic_dec(&data->ioctl_count);
mutex_unlock(&app_access_lock);
break;
}
case QSEECOM_IOCTL_LOAD_EXTERNAL_ELF_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("load ext elf req: invalid client handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->type = QSEECOM_UNAVAILABLE_CLIENT_APP;
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_load_external_elf(data, argp);
atomic_dec(&data->ioctl_count);
@ -8011,14 +8034,15 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_UNLOAD_EXTERNAL_ELF_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_UNAVAILABLE_CLIENT_APP) {
pr_err("unload ext elf req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_unload_external_elf(data);
atomic_dec(&data->ioctl_count);
@ -8028,15 +8052,16 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_APP_LOADED_QUERY_REQ: {
mutex_lock(&app_access_lock);
if ((data->type != QSEECOM_GENERIC) &&
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("app loaded query req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->type = QSEECOM_CLIENT_APP;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%pK\n", data);
ret = qseecom_query_app_loaded(data, argp);
@ -8045,9 +8070,11 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_SEND_CMD_SERVICE_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("send cmd svc req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
@ -8055,9 +8082,9 @@ long qseecom_ioctl(struct file *file,
if (qseecom.qsee_version < QSEE_VERSION_03) {
pr_err("SEND_CMD_SERVICE_REQ: Invalid qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_send_service_cmd(data, argp);
atomic_dec(&data->ioctl_count);
@ -8067,19 +8094,21 @@ long qseecom_ioctl(struct file *file,
case QSEECOM_IOCTL_CREATE_KEY_REQ: {
if (!(qseecom.support_pfe || qseecom.support_fde))
pr_err("Features requiring key init not supported\n");
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("create key req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_05) {
pr_err("Create Key feature unsupported: qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_create_key(data, argp);
if (ret)
@ -8092,19 +8121,21 @@ long qseecom_ioctl(struct file *file,
case QSEECOM_IOCTL_WIPE_KEY_REQ: {
if (!(qseecom.support_pfe || qseecom.support_fde))
pr_err("Features requiring key init not supported\n");
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("wipe key req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_05) {
pr_err("Wipe Key feature unsupported in qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_wipe_key(data, argp);
if (ret)
@ -8116,19 +8147,21 @@ long qseecom_ioctl(struct file *file,
case QSEECOM_IOCTL_UPDATE_KEY_USER_INFO_REQ: {
if (!(qseecom.support_pfe || qseecom.support_fde))
pr_err("Features requiring key init not supported\n");
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("update key req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_05) {
pr_err("Update Key feature unsupported in qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_update_key_user_info(data, argp);
if (ret)
@ -8138,14 +8171,15 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_SAVE_PARTITION_HASH_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("save part hash req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_save_partition_hash(argp);
atomic_dec(&data->ioctl_count);
@ -8153,14 +8187,15 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_IS_ES_ACTIVATED_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("ES activated req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_is_es_activated(argp);
atomic_dec(&data->ioctl_count);
@ -8168,14 +8203,15 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ: {
mutex_lock(&app_access_lock);
if (data->type != QSEECOM_GENERIC) {
pr_err("MDTP cipher DIP req: invalid handle (%d)\n",
data->type);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
data->released = true;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_mdtp_cipher_dip(argp);
atomic_dec(&data->ioctl_count);
@ -8184,14 +8220,15 @@ long qseecom_ioctl(struct file *file,
}
case QSEECOM_IOCTL_SEND_MODFD_RESP:
case QSEECOM_IOCTL_SEND_MODFD_RESP_64: {
mutex_lock(&listener_access_lock);
if ((data->listener.id == 0) ||
(data->type != QSEECOM_LISTENER_SERVICE)) {
pr_err("receive req: invalid handle (%d), lid(%d)\n",
data->type, data->listener.id);
mutex_unlock(&listener_access_lock);
ret = -EINVAL;
break;
}
mutex_lock(&listener_access_lock);
atomic_inc(&data->ioctl_count);
if (cmd == QSEECOM_IOCTL_SEND_MODFD_RESP)
ret = qseecom_send_modfd_resp(data, argp);
@ -8206,20 +8243,22 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_QTEEC_IOCTL_OPEN_SESSION_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("Open session: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_40) {
pr_err("GP feature unsupported: qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_qteec_open_session(data, argp);
atomic_dec(&data->ioctl_count);
@ -8231,20 +8270,22 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_QTEEC_IOCTL_CLOSE_SESSION_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("Close session: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_40) {
pr_err("GP feature unsupported: qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_qteec_close_session(data, argp);
atomic_dec(&data->ioctl_count);
@ -8255,20 +8296,22 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_QTEEC_IOCTL_INVOKE_MODFD_CMD_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("Invoke cmd: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_40) {
pr_err("GP feature unsupported: qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_qteec_invoke_modfd_cmd(data, argp);
atomic_dec(&data->ioctl_count);
@ -8280,20 +8323,22 @@ long qseecom_ioctl(struct file *file,
break;
}
case QSEECOM_QTEEC_IOCTL_REQUEST_CANCELLATION_REQ: {
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
if ((data->client.app_id == 0) ||
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("Cancel req: invalid handle (%d) appid(%d)\n",
data->type, data->client.app_id);
mutex_unlock(&app_access_lock);
ret = -EINVAL;
break;
}
if (qseecom.qsee_version < QSEE_VERSION_40) {
pr_err("GP feature unsupported: qsee ver %u\n",
qseecom.qsee_version);
mutex_unlock(&app_access_lock);
return -EINVAL;
}
/* Only one client allowed here at a time */
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_qteec_request_cancellation(data, argp);
atomic_dec(&data->ioctl_count);
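Review bot: data->type is still guarded by two different mutexes, so the race is only closed between IOCTLs that happen to share a lock: the listener cases (REGISTER/UNREGISTER_LISTENER_REQ, RECEIVE_REQ, SEND_RESP_REQ, SEND_MODFD_RESP) check and write the field under listener_access_lock, while LOAD_APP_REQ, LOAD_EXTERNAL_ELF_REQ and APP_LOADED_QUERY_REQ write it under app_access_lock. Two threads issuing REGISTER_LISTENER_REQ and LOAD_APP_REQ on the same fd can both observe QSEECOM_GENERIC (both checks accept it) and both overwrite data->type, which looks like the same inconsistency the commit message describes. RECEIVE_REQ also releases listener_access_lock immediately after its check, before qseecom_receive_req runs, so that window is narrowed rather than closed unless the helper re-validates the handle (not visible here). A single lock for the handle state (for example a per-handle mutex inside data, or taking both mutexes in a fixed order in the cases that modify data->type) would make the check-then-write atomic across all cases; qseecom_ioctl begins and ends outside these hunks.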