Merge changes from topic "trusty-cyclic" into android14-gs-pixel-5.15

* changes:
  ANDROID: trusty-ipc: correct data_source flag of struct iov_iter in filp_send_ioctl()
  ANDROID: trusty: fix use-after-free
  ANDROID: trusty: remove cyclic dependency

3 files changed, 41 insertions, 41 deletions

diff --git a/drivers/trusty/trusty-ipc-trace.h b/drivers/trusty/trusty-ipc-trace.h
index 9f193e2..60d6338 100644
--- a/drivers/trusty/trusty-ipc-trace.h
+++ b/drivers/trusty/trusty-ipc-trace.h
@@ -176,8 +176,9 @@ TRACE_EVENT(trusty_ipc_read,
 TRACE_EVENT(trusty_ipc_read_end,
 	TP_PROTO(struct tipc_chan *chan,
 		int len_or_err,
-		struct tipc_msg_buf *rxbuf),
-	TP_ARGS(chan, len_or_err, rxbuf),
+		trusty_shared_mem_id_t buf_id,
+		size_t shm_cnt),
+	TP_ARGS(chan, len_or_err, buf_id, shm_cnt),
 	TP_STRUCT__entry(
 		__field(int, len_or_err)
 		__field(u32, chan)
@@ -189,8 +190,8 @@ TRACE_EVENT(trusty_ipc_read_end,
 		__entry->len_or_err = len_or_err;
 		__entry->chan = chan ? chan->local : ~0U;
 		memcpy(__entry->srv_name, chan ? chan->srv_name : "", MAX_SRV_NAME_LEN);
-		__entry->buf_id = rxbuf ? rxbuf->buf_id : ~0ULL;
-		__entry->shm_cnt = rxbuf ? rxbuf->shm_cnt : 0;
+		__entry->buf_id = buf_id;
+		__entry->shm_cnt = shm_cnt;
 	),
 	TP_printk("len_or_err=%d chan=%u srv_name=%s buf_id=0x%llx shm_cnt=%zu",
 		__entry->len_or_err, __entry->chan, __entry->srv_name,
diff --git a/drivers/trusty/trusty-ipc.c b/drivers/trusty/trusty-ipc.c
index af0deda..3a54663 100644
--- a/drivers/trusty/trusty-ipc.c
+++ b/drivers/trusty/trusty-ipc.c
@@ -185,6 +185,22 @@ static struct virtio_device *default_vdev;
 static DEFINE_IDR(tipc_devices);
 static DEFINE_MUTEX(tipc_devices_lock);
 
+static u64 (*dma_buf_get_ffa_tag)(struct dma_buf *dma_buf) = NULL;
+static int (*dma_buf_get_shared_mem_id)(struct dma_buf *dma_buf,
+	trusty_shared_mem_id_t *id) = NULL;
+
+static inline u64 trusty_dma_buf_get_ffa_tag(struct dma_buf *dma_buf)
+{
+	return dma_buf_get_ffa_tag ? dma_buf_get_ffa_tag(dma_buf) : 0;
+}
+
+static int trusty_dma_buf_get_shared_mem_id(struct dma_buf *dma_buf,
+					    trusty_shared_mem_id_t *id)
+{
+	return  dma_buf_get_shared_mem_id ?
+		dma_buf_get_shared_mem_id(dma_buf, id) : -ENODATA;
+}
+
 static int _match_any(int id, void *p, void *data)
 {
 	return id;
@@ -1360,7 +1376,7 @@ static long filp_send_ioctl(struct file *filp,
 		goto load_shm_args_failed;
 	}
 
-	ret = import_iovec(READ, u64_to_user_ptr(req.iov), req.iov_cnt,
+	ret = import_iovec(WRITE, u64_to_user_ptr(req.iov), req.iov_cnt,
 			   ARRAY_SIZE(fast_iovs), &iov, &iter);
 	if (ret < 0) {
 		dev_dbg(dev, "Failed to import iovec\n");
@@ -1505,6 +1521,8 @@ static ssize_t tipc_read_iter(struct kiocb *iocb, struct iov_iter *iter)
 {
 	ssize_t ret;
 	size_t len;
+	trusty_shared_mem_id_t buf_id = ~0ULL;
+	size_t shm_cnt = 0;
 	struct tipc_msg_buf *mb = NULL;
 	struct file *filp = iocb->ki_filp;
 	struct tipc_dn_chan *dn = filp->private_data;
@@ -1539,6 +1557,8 @@ static ssize_t tipc_read_iter(struct kiocb *iocb, struct iov_iter *iter)
 
 	mb = list_first_entry(&dn->rx_msg_queue, struct tipc_msg_buf, node);
 
+	buf_id = mb->buf_id;
+	shm_cnt = mb->shm_cnt;
 	len = mb_avail_data(mb);
 	if (len > iov_iter_count(iter)) {
 		ret = -EMSGSIZE;
@@ -1555,7 +1575,7 @@ static ssize_t tipc_read_iter(struct kiocb *iocb, struct iov_iter *iter)
 	tipc_chan_put_rxbuf(dn->chan, mb);
 
 out:
-	trace_trusty_ipc_read_end(dn->chan, ret, mb);
+	trace_trusty_ipc_read_end(dn->chan, ret, buf_id, shm_cnt);
 	mutex_unlock(&dn->lock);
 	return ret;
 }
@@ -2282,6 +2302,16 @@ static void __exit tipc_exit(void)
 	unregister_chrdev_region(MKDEV(tipc_major, 0), MAX_DEVICES);
 }
 
+void trusty_register_func_for_dma_buf(
+	u64 (*get_ffa_tag)(struct dma_buf *dma_buf),
+	int (*get_shared_mem_id)(struct dma_buf *dma_buf,
+		trusty_shared_mem_id_t *id))
+{
+	dma_buf_get_ffa_tag = get_ffa_tag;
+	dma_buf_get_shared_mem_id = get_shared_mem_id;
+}
+EXPORT_SYMBOL_GPL(trusty_register_func_for_dma_buf);
+
 /* We need to init this early */
 subsys_initcall(tipc_init);
 module_exit(tipc_exit);
diff --git a/include/linux/trusty/trusty.h b/include/linux/trusty/trusty.h
index 751e5c7..41680f9 100644
--- a/include/linux/trusty/trusty.h
+++ b/include/linux/trusty/trusty.h
@@ -83,41 +83,10 @@ int trusty_reclaim_memory(struct device *dev, trusty_shared_mem_id_t id,
 			  struct scatterlist *sglist, unsigned int nents);
 
 struct dma_buf;
-#ifdef CONFIG_TRUSTY_DMA_BUF_FFA_TAG
-u64 trusty_dma_buf_get_ffa_tag(struct dma_buf *dma_buf);
-#else
-static inline u64 trusty_dma_buf_get_ffa_tag(struct dma_buf *dma_buf)
-{
-	return 0;
-}
-#endif
-
-/* Invalid handle value is defined by FF-A spec */
-#ifdef CONFIG_TRUSTY_DMA_BUF_SHARED_MEM_ID
-/**
- * trusty_dma_buf_get_shared_mem_id() - Get memory ID corresponding to a dma_buf
- * @dma_buf: DMA buffer
- * @id:      Pointer to output trusty_shared_mem_id_t
- *
- * Sets @id to trusty_shared_mem_id_t corresponding to the given @dma_buf.
- * @dma_buf "owns" the ID, i.e. is responsible for allocating/releasing it.
- * @dma_buf with an allocated @id must be in secure memory and should only be
- * sent to Trusty using TRUSTY_SEND_SECURE.
- *
- * Return:
- * * 0        - success
- * * -ENODATA - @dma_buf does not own a trusty_shared_mem_id_t
- * * ...      - @dma_buf should not be lent or shared
- */
-int trusty_dma_buf_get_shared_mem_id(struct dma_buf *dma_buf,
-				     trusty_shared_mem_id_t *id);
-#else
-static inline int trusty_dma_buf_get_shared_mem_id(struct dma_buf *dma_buf,
-						   trusty_shared_mem_id_t *id)
-{
-	return -ENODATA;
-}
-#endif
+void trusty_register_func_for_dma_buf(
+	u64 (*get_ffa_tag)(struct dma_buf *dma_buf),
+	int (*get_shared_mem_id)(struct dma_buf *dma_buf,
+		trusty_shared_mem_id_t *id));
 
 struct trusty_nop {
 	struct list_head node;