// SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
/*
 *
 * (C) COPYRIGHT 2019-2021 ARM Limited. All rights reserved.
 *
 * This program is free software and is provided to you under the terms of the
 * GNU General Public License version 2 as published by the Free Software
 * Foundation, and any use by you of this program is subject to the terms
 * of such GNU license.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, you can access it online at
 * http://www.gnu.org/licenses/gpl-2.0.html.
 *
 */

#include <linux/version.h>
#include <linux/of.h>
#include <linux/of_reserved_mem.h>
#include <linux/platform_device.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/mm.h>
#include <linux/io.h>
#include <linux/protected_memory_allocator.h>

/* Size of a bitfield element in bytes */
#define BITFIELD_ELEM_SIZE sizeof(u64)

/* We can track whether or not 64 pages are currently allocated in a u64 */
#define PAGES_PER_BITFIELD_ELEM (BITFIELD_ELEM_SIZE * BITS_PER_BYTE)

/* Order 6 (ie, 64) corresponds to the number of pages held in a bitfield */
#define ORDER_OF_PAGES_PER_BITFIELD_ELEM 6

/**
 * struct simple_pma_device - Simple implementation of a protected memory
 *                            allocator device
 * @pma_dev: Protected memory allocator device pointer
 * @dev: Device pointer
 * @allocated_pages_bitfield_arr: Status of all the physical memory pages within the
 *                                protected memory region, one bit per page
 * @rmem_base: Base address of the reserved memory region
 * @rmem_size: Size of the reserved memory region, in pages
 * @num_free_pages: Number of free pages in the memory region
 * @rmem_lock: Lock to serialize the allocation and freeing of
 *             physical pages from the protected memory region
 */
struct simple_pma_device {
	struct protected_memory_allocator_device pma_dev;
	struct device *dev;
	u64 *allocated_pages_bitfield_arr;
	phys_addr_t rmem_base;
	size_t rmem_size;
	size_t num_free_pages;
	spinlock_t rmem_lock;
};

/**
 * ALLOC_PAGES_BITFIELD_ARR_SIZE() - Number of elements in array
 *                                   'allocated_pages_bitfield_arr'
 * If the number of pages required does not divide exactly by
 * PAGES_PER_BITFIELD_ELEM, adds an extra element for the remainder.
 * @num_pages: number of pages
 */
#define ALLOC_PAGES_BITFIELD_ARR_SIZE(num_pages) \
	((PAGES_PER_BITFIELD_ELEM * (0 != (num_pages % PAGES_PER_BITFIELD_ELEM)) + \
	num_pages) / PAGES_PER_BITFIELD_ELEM)

/**
 * small_granularity_alloc() - Allocate 1-32 power-of-two pages.
 * @epma_dev: protected memory allocator device structure.
 * @alloc_bitfield_idx: index of the relevant bitfield.
 * @start_bit: starting bit index within that bitfield element.
 * @order: bitshift for number of pages. Order of 0 to 5 equals 1 to 32 pages.
 * @pma: protected_memory_allocation struct.
 *
 * Allocate a power-of-two number of pages, 1 << order, where
 * 0 <= order <= ORDER_OF_PAGES_PER_BITFIELD_ELEM - 1, ie up to 32 pages. The
 * routine fills-in a pma structure and sets the appropriate bits in the
 * allocated-pages bitfield array but assumes the caller has already determined
 * that these bits are clear.
 *
 * This routine always works within only a single allocated-pages bitfield element.
 * It can be thought of as the 'small-granularity' allocator.
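 *
 * Worked example (illustrative only, derived from the code below): a request
 * with order = 3 (8 pages) and start_bit = 16 sets bits 16-23 of bitfield
 * element @alloc_bitfield_idx and fills @pma with the physical address of the
 * page that bit 16 maps to.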
 */
static void small_granularity_alloc(struct simple_pma_device *const epma_dev,
				    size_t alloc_bitfield_idx, size_t start_bit,
				    size_t order,
				    struct protected_memory_allocation *pma)
{
	size_t i;
	size_t page_idx;
	u64 *bitfield;
	size_t alloc_pages_bitfield_size;

	if (WARN_ON(!epma_dev) || WARN_ON(!pma))
		return;

	WARN(epma_dev->rmem_size == 0, "%s: rmem_size is 0", __func__);
	alloc_pages_bitfield_size = ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size);

	WARN(alloc_bitfield_idx >= alloc_pages_bitfield_size,
	     "%s: idx>bf_size: %zu %zu", __func__,
	     alloc_bitfield_idx, alloc_pages_bitfield_size);

	WARN((start_bit + (1 << order)) > PAGES_PER_BITFIELD_ELEM,
	     "%s: start=%zu order=%zu ppbe=%zu",
	     __func__, start_bit, order, PAGES_PER_BITFIELD_ELEM);

	bitfield = &epma_dev->allocated_pages_bitfield_arr[alloc_bitfield_idx];

	for (i = 0; i < (1 << order); i++) {
		/* Check the pages represented by this bit are actually free */
		WARN(*bitfield & (1ULL << (start_bit + i)),
		     "in %s: page not free: %zu %zu %.16llx %zu\n",
		     __func__, i, order, *bitfield, alloc_pages_bitfield_size);

		/* Mark the pages as now allocated */
		*bitfield |= (1ULL << (start_bit + i));
	}

	/* Compute the page index */
	page_idx = (alloc_bitfield_idx * PAGES_PER_BITFIELD_ELEM) + start_bit;

	/* Fill-in the allocation struct for the caller */
	pma->pa = epma_dev->rmem_base + (page_idx << PAGE_SHIFT);
	pma->order = order;
}

/**
 * large_granularity_alloc() - Allocate pages at multiples of 64 pages.
 * @epma_dev: protected memory allocator device structure.
 * @start_alloc_bitfield_idx: index of the starting bitfield.
 * @order: bitshift for number of pages. Order of 6+ equals 64+ pages.
 * @pma: protected_memory_allocation struct.
 *
 * Allocate a power-of-two number of pages, 1 << order, where
 * order >= ORDER_OF_PAGES_PER_BITFIELD_ELEM, ie 64 pages or more. The routine
 * fills-in a pma structure and sets the appropriate bits in the allocated-pages
 * bitfield array but assumes the caller has already determined that these bits
 * are clear.
 *
 * Unlike small_granularity_alloc, this routine can work with multiple 64-page
 * groups, ie multiple elements from the allocated-pages bitfield array.
 * However, it always works with complete sets of these 64-page groups. It can
 * therefore be thought of as the 'large-granularity' allocator.
 */
static void large_granularity_alloc(struct simple_pma_device *const epma_dev,
				    size_t start_alloc_bitfield_idx,
				    size_t order,
				    struct protected_memory_allocation *pma)
{
	size_t i;
	size_t num_pages_to_alloc = (size_t)1 << order;
	size_t num_bitfield_elements_needed =
		num_pages_to_alloc / PAGES_PER_BITFIELD_ELEM;
	size_t start_page_idx = start_alloc_bitfield_idx * PAGES_PER_BITFIELD_ELEM;

	if (WARN_ON(!epma_dev) || WARN_ON(!pma))
		return;

	/*
	 * Are there enough bitfield array elements (groups of 64 pages)
	 * between the start element and the end of the bitfield array
	 * to fulfill the request?
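	 *
	 * Illustrative example: order = 7 requests 128 pages, i.e.
	 * num_bitfield_elements_needed = 2, so two complete bitfield elements
	 * starting at start_alloc_bitfield_idx are claimed below.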
	 */
	WARN((start_alloc_bitfield_idx + order) >=
	     ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size),
	     "%s: start=%zu order=%zu ms=%zu", __func__,
	     start_alloc_bitfield_idx, order, epma_dev->rmem_size);

	for (i = 0; i < num_bitfield_elements_needed; i++) {
		u64 *bitfield =
			&epma_dev->allocated_pages_bitfield_arr[start_alloc_bitfield_idx + i];

		/* We expect all pages that relate to this bitfield element to be free */
		WARN((*bitfield != 0),
		     "in %s: pages not free: i=%zu o=%zu bf=%.16llx\n",
		     __func__, i, order, *bitfield);

		/* Mark all the pages for this element as not free */
		*bitfield = ~0ULL;
	}

	/* Fill-in the allocation struct for the caller */
	pma->pa = epma_dev->rmem_base + (start_page_idx << PAGE_SHIFT);
	pma->order = order;
}

static struct protected_memory_allocation *simple_pma_alloc_page(
	struct protected_memory_allocator_device *pma_dev, unsigned int order)
{
	struct simple_pma_device *const epma_dev =
		container_of(pma_dev, struct simple_pma_device, pma_dev);
	struct protected_memory_allocation *pma;
	size_t num_pages_to_alloc;

	u64 *bitfields = epma_dev->allocated_pages_bitfield_arr;
	size_t i;
	size_t bit;
	size_t count;

	dev_dbg(epma_dev->dev, "%s(pma_dev=%px, order=%u)\n",
		__func__, (void *)pma_dev, order);

	/* This is an example function that follows an extremely simple logic
	 * and is very likely to fail to allocate memory if put under stress.
	 *
	 * The simple_pma_device maintains an array of u64s, with one bit used
	 * to track the status of each page.
	 *
	 * In order to create a memory allocation, the allocator looks for an
	 * adjacent group of cleared bits. This does leave the algorithm open
	 * to fragmentation issues, but is deemed sufficient for now.
	 * If successful, the allocator shall mark all the pages as allocated
	 * and increment the offset accordingly.
	 *
	 * Allocations of 64 pages or more (order 6) can be allocated only with
	 * 64-page alignment, in order to keep the algorithm as simple as
	 * possible. ie, starting from bit 0 of any 64-bit page-allocation
	 * bitfield. For this, the large-granularity allocator is utilised.
	 *
	 * Allocations of lower order can only be allocated entirely within the
	 * same group of 64 pages, with the small-granularity allocator (ie
	 * always from the same 64-bit page-allocation bitfield) - again, to
	 * keep things as simple as possible, but flexible to meet
	 * current needs.
	 */

	num_pages_to_alloc = (size_t)1 << order;

	pma = devm_kzalloc(epma_dev->dev, sizeof(*pma), GFP_KERNEL);
	if (!pma) {
		dev_err(epma_dev->dev, "Failed to alloc pma struct");
		return NULL;
	}

	spin_lock(&epma_dev->rmem_lock);

	if (epma_dev->num_free_pages < num_pages_to_alloc) {
		dev_err(epma_dev->dev, "not enough free pages\n");
		devm_kfree(epma_dev->dev, pma);
		spin_unlock(&epma_dev->rmem_lock);
		return NULL;
	}

	/*
	 * For order 0-5 (ie, 1 to 32 pages) we always allocate within the same
	 * set of 64 pages. Currently, most allocations will be very small
	 * (1 page), so the more likely path here is
	 * order < ORDER_OF_PAGES_PER_BITFIELD_ELEM.
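	 *
	 * The small-granularity path below scans each 64-bit element bit by
	 * bit, counting runs of clear bits; as soon as a run of 1 << order
	 * clear bits is found it is handed to small_granularity_alloc().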
	 */
	if (likely(order < ORDER_OF_PAGES_PER_BITFIELD_ELEM)) {
		size_t alloc_pages_bitmap_size =
			ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size);

		for (i = 0; i < alloc_pages_bitmap_size; i++) {
			count = 0;

			for (bit = 0; bit < PAGES_PER_BITFIELD_ELEM; bit++) {
				if (0 == (bitfields[i] & (1ULL << bit))) {
					if ((count + 1) >= num_pages_to_alloc) {
						/*
						 * We've found enough free,
						 * consecutive pages with which
						 * to make an allocation.
						 */
						small_granularity_alloc(
							epma_dev, i,
							bit - count, order,
							pma);

						epma_dev->num_free_pages -=
							num_pages_to_alloc;

						spin_unlock(&epma_dev->rmem_lock);
						return pma;
					}

					/* So far so good, but we need more clear bits yet */
					count++;
				} else {
					/*
					 * We found an allocated page, so nothing
					 * we've seen so far can be used.
					 * Keep looking.
					 */
					count = 0;
				}
			}
		}
	} else {
		/*
		 * For allocations of order ORDER_OF_PAGES_PER_BITFIELD_ELEM and
		 * above (>= 64 pages), we know we'll only get allocations for
		 * whole groups of 64 pages, which hugely simplifies the task.
		 */
		size_t alloc_pages_bitmap_size =
			ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size);

		/* How many 64-bit bitfield elements will be needed for the allocation? */
		size_t num_bitfield_elements_needed =
			num_pages_to_alloc / PAGES_PER_BITFIELD_ELEM;

		count = 0;

		for (i = 0; i < alloc_pages_bitmap_size; i++) {
			/* Are all the pages free for the i'th u64 bitfield element? */
			if (bitfields[i] == 0) {
				count += PAGES_PER_BITFIELD_ELEM;
				if (count >= (1 << order)) {
					size_t start_idx =
						(i + 1) - num_bitfield_elements_needed;

					large_granularity_alloc(epma_dev,
								start_idx,
								order, pma);

					epma_dev->num_free_pages -= 1 << order;
					spin_unlock(&epma_dev->rmem_lock);
					return pma;
				}
			} else {
				count = 0;
			}
		}
	}

	spin_unlock(&epma_dev->rmem_lock);
	devm_kfree(epma_dev->dev, pma);

	dev_err(epma_dev->dev,
		"not enough contiguous pages (need %zu), total free pages left %zu\n",
		num_pages_to_alloc, epma_dev->num_free_pages);
	return NULL;
}

static phys_addr_t simple_pma_get_phys_addr(
	struct protected_memory_allocator_device *pma_dev,
	struct protected_memory_allocation *pma)
{
	struct simple_pma_device *const epma_dev =
		container_of(pma_dev, struct simple_pma_device, pma_dev);

	dev_dbg(epma_dev->dev, "%s(pma_dev=%px, pma=%px, pa=%llx)\n",
		__func__, (void *)pma_dev, (void *)pma,
		(unsigned long long)pma->pa);

	return pma->pa;
}

static void simple_pma_free_page(
	struct protected_memory_allocator_device *pma_dev,
	struct protected_memory_allocation *pma)
{
	struct simple_pma_device *const epma_dev =
		container_of(pma_dev, struct simple_pma_device, pma_dev);
	size_t num_pages_in_allocation;
	size_t offset;
	size_t i;
	size_t bitfield_idx;
	size_t bitfield_start_bit;
	size_t page_num;
	u64 *bitfield;
	size_t alloc_pages_bitmap_size;
	size_t num_bitfield_elems_used_by_alloc;

	WARN_ON(pma == NULL);

	dev_dbg(epma_dev->dev, "%s(pma_dev=%px, pma=%px, pa=%llx)\n",
		__func__, (void *)pma_dev, (void *)pma,
		(unsigned long long)pma->pa);

	WARN_ON(pma->pa < epma_dev->rmem_base);

	/* This is an example function that follows an extremely simple logic
	 * and is vulnerable to abuse.
	 */

	offset = (pma->pa - epma_dev->rmem_base);
	num_pages_in_allocation = (size_t)1 << pma->order;

	/* The number of bitfield elements used by the allocation */
	num_bitfield_elems_used_by_alloc =
		num_pages_in_allocation / PAGES_PER_BITFIELD_ELEM;

	/* The page number of the first page of the allocation, relative to rmem_base */
	page_num = offset >> PAGE_SHIFT;

	/* Which u64 bitfield refers to this page?
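	 * (page_num / PAGES_PER_BITFIELD_ELEM selects the element;
	 * page_num % PAGES_PER_BITFIELD_ELEM selects the bit within it.)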
	 */
	bitfield_idx = page_num / PAGES_PER_BITFIELD_ELEM;

	alloc_pages_bitmap_size = ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size);

	/* Is the allocation within expected bounds? */
	WARN_ON((bitfield_idx + num_bitfield_elems_used_by_alloc) >=
		alloc_pages_bitmap_size);

	spin_lock(&epma_dev->rmem_lock);

	if (pma->order < ORDER_OF_PAGES_PER_BITFIELD_ELEM) {
		bitfield = &epma_dev->allocated_pages_bitfield_arr[bitfield_idx];

		/* Which bit within that u64 bitfield is the lsb covering this allocation? */
		bitfield_start_bit = page_num % PAGES_PER_BITFIELD_ELEM;

		/* Clear the bits for the pages we're now freeing */
		*bitfield &= ~(((1ULL << num_pages_in_allocation) - 1) << bitfield_start_bit);
	} else {
		WARN(page_num % PAGES_PER_BITFIELD_ELEM,
		     "%s: Expecting allocs of order >= %d to be %zu-page aligned\n",
		     __func__, ORDER_OF_PAGES_PER_BITFIELD_ELEM,
		     PAGES_PER_BITFIELD_ELEM);

		for (i = 0; i < num_bitfield_elems_used_by_alloc; i++) {
			bitfield = &epma_dev->allocated_pages_bitfield_arr[bitfield_idx + i];

			/* We expect all bits to be set (all pages allocated) */
			WARN((*bitfield != ~0ULL),
			     "%s: alloc being freed is not fully allocated: of=%zu np=%zu bf=%.16llx\n",
			     __func__, offset, num_pages_in_allocation, *bitfield);

			/*
			 * Now clear all the bits in the bitfield element to mark
			 * all the pages it refers to as free.
			 */
			*bitfield = 0ULL;
		}
	}

	epma_dev->num_free_pages += num_pages_in_allocation;
	spin_unlock(&epma_dev->rmem_lock);
	devm_kfree(epma_dev->dev, pma);
}

static int protected_memory_allocator_probe(struct platform_device *pdev)
{
	struct simple_pma_device *epma_dev;
	struct device_node *np;
	phys_addr_t rmem_base;
	size_t rmem_size;
	size_t alloc_bitmap_pages_arr_size;
#if (KERNEL_VERSION(4, 15, 0) <= LINUX_VERSION_CODE)
	struct reserved_mem *rmem;
#endif

	np = pdev->dev.of_node;

	if (!np) {
		dev_err(&pdev->dev, "device node pointer not set\n");
		return -ENODEV;
	}

	np = of_parse_phandle(np, "memory-region", 0);
	if (!np) {
		dev_err(&pdev->dev, "memory-region node not set\n");
		return -ENODEV;
	}

#if (KERNEL_VERSION(4, 15, 0) <= LINUX_VERSION_CODE)
	rmem = of_reserved_mem_lookup(np);
	if (rmem) {
		rmem_base = rmem->base;
		rmem_size = rmem->size >> PAGE_SHIFT;
	} else
#endif
	{
		of_node_put(np);
		dev_err(&pdev->dev, "could not read reserved memory-region\n");
		return -ENODEV;
	}

	of_node_put(np);
	epma_dev = devm_kzalloc(&pdev->dev, sizeof(*epma_dev), GFP_KERNEL);
	if (!epma_dev)
		return -ENOMEM;

	epma_dev->pma_dev.ops.pma_alloc_page = simple_pma_alloc_page;
	epma_dev->pma_dev.ops.pma_get_phys_addr = simple_pma_get_phys_addr;
	epma_dev->pma_dev.ops.pma_free_page = simple_pma_free_page;
	epma_dev->pma_dev.owner = THIS_MODULE;
	epma_dev->dev = &pdev->dev;
	epma_dev->rmem_base = rmem_base;
	epma_dev->rmem_size = rmem_size;
	epma_dev->num_free_pages = rmem_size;
	spin_lock_init(&epma_dev->rmem_lock);

	alloc_bitmap_pages_arr_size = ALLOC_PAGES_BITFIELD_ARR_SIZE(epma_dev->rmem_size);

	epma_dev->allocated_pages_bitfield_arr = devm_kzalloc(&pdev->dev,
		alloc_bitmap_pages_arr_size * BITFIELD_ELEM_SIZE, GFP_KERNEL);

	if (!epma_dev->allocated_pages_bitfield_arr) {
		dev_err(&pdev->dev, "failed to allocate resources\n");
		devm_kfree(&pdev->dev, epma_dev);
		return -ENOMEM;
	}

	if (epma_dev->rmem_size % PAGES_PER_BITFIELD_ELEM) {
		size_t extra_pages =
			alloc_bitmap_pages_arr_size * PAGES_PER_BITFIELD_ELEM -
			epma_dev->rmem_size;
		size_t last_bitfield_index = alloc_bitmap_pages_arr_size - 1;

		/* Mark the extra pages (that lie outside the reserved range) as
		 * always in use.
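		 *
		 * Illustrative example: with rmem_size = 100 pages the bitfield
		 * array has two elements and extra_pages = 28, so bits 36-63 of
		 * the last element are pre-set here and never handed out.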
		 */
		epma_dev->allocated_pages_bitfield_arr[last_bitfield_index] =
			((1ULL << extra_pages) - 1) <<
			(PAGES_PER_BITFIELD_ELEM - extra_pages);
	}

	platform_set_drvdata(pdev, &epma_dev->pma_dev);
	dev_info(&pdev->dev,
		 "Protected memory allocator probed successfully\n");
	dev_info(&pdev->dev, "Protected memory region: base=%llx num pages=%zu\n",
		 (unsigned long long)rmem_base, rmem_size);

	return 0;
}

static int protected_memory_allocator_remove(struct platform_device *pdev)
{
	struct protected_memory_allocator_device *pma_dev =
		platform_get_drvdata(pdev);
	struct simple_pma_device *epma_dev;
	struct device *dev;

	if (!pma_dev)
		return -EINVAL;

	epma_dev = container_of(pma_dev, struct simple_pma_device, pma_dev);
	dev = epma_dev->dev;

	if (epma_dev->num_free_pages < epma_dev->rmem_size) {
		dev_warn(&pdev->dev, "Leaking %zu pages of protected memory\n",
			 epma_dev->rmem_size - epma_dev->num_free_pages);
	}

	platform_set_drvdata(pdev, NULL);
	devm_kfree(dev, epma_dev->allocated_pages_bitfield_arr);
	devm_kfree(dev, epma_dev);

	dev_info(&pdev->dev,
		 "Protected memory allocator removed successfully\n");

	return 0;
}

static const struct of_device_id protected_memory_allocator_dt_ids[] = {
	{ .compatible = "arm,protected-memory-allocator" },
	{ /* sentinel */ }
};
MODULE_DEVICE_TABLE(of, protected_memory_allocator_dt_ids);

static struct platform_driver protected_memory_allocator_driver = {
	.probe = protected_memory_allocator_probe,
	.remove = protected_memory_allocator_remove,
	.driver = {
		.name = "simple_protected_memory_allocator",
		.of_match_table = of_match_ptr(protected_memory_allocator_dt_ids),
	}
};

module_platform_driver(protected_memory_allocator_driver);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("ARM Ltd.");
MODULE_VERSION("1.0");
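
/*
 * Usage sketch (illustrative only, not part of this driver): a client that has
 * obtained the struct protected_memory_allocator_device registered above (for
 * example via platform_get_drvdata() on this platform device) would invoke the
 * ops assigned in probe roughly as follows; order 0 requests a single page and
 * the variable names are hypothetical.
 *
 *	struct protected_memory_allocation *pma;
 *	phys_addr_t pa;
 *
 *	pma = pma_dev->ops.pma_alloc_page(pma_dev, 0);
 *	if (pma) {
 *		pa = pma_dev->ops.pma_get_phys_addr(pma_dev, pma);
 *		pma_dev->ops.pma_free_page(pma_dev, pma);
 *	}
 */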