mmc: core: Add mmc CMD+ACMD passthrough ioctl

Allows appropriately-privileged applications to send CMD (normal) and ACMD (application-specific; preceded with CMD55) commands to cards/devices on the mmc bus. This is primarily useful for enabling the security functionality built in to every SD card. It can also be used as a generic passthrough (e.g. to enable virtual machines to control mmc bus devices directly). However, this use case has not been tested rigorously. Generic passthrough testing was only conducted for a few non-security opcodes to prove the feasibility of the passthrough. Since any opcode can be sent using this passthrough, it is very possible to render the card/device unusable. Applications that use this ioctl must have CAP_SYS_RAWIO. Security commands tested on TI PCIxx12 (SDHCI), Sigma Designs SMP8652 SoC, TI OMAP3621/OMAP3630 SoC, Samsung S5PC110 SoC, Qualcomm MSM7200A SoC. Signed-off-by: John Calixto <john.calixto@modsystems.com> Reviewed-by: Andrei Warkentin <andreiw@motorola.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Chris Ball <cjb@laptop.org>
author: John Calixto <john.calixto@modsystems.com> 2011-04-26 18:56:29 -0400
committer: Chris Ball <cjb@laptop.org> 2011-05-24 21:02:54 -0400
commit: cb87ea28ed9e75a41eb456bfcb547b4e6f10e750 (patch)
tree: e3fe4a653bd96815c650dd9f5db11edc6b39b0db /drivers/mmc
parent: 641c3187b9d53cfd4c23b0ce2ab18a13d5e775e5 (diff)
2 files changed, 203 insertions, 1 deletions
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index e7efd6faeaf9..407836d55712 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -31,7 +31,11 @@
 #include <linux/mutex.h>
 #include <linux/scatterlist.h>
 #include <linux/string_helpers.h>
+#include <linux/delay.h>
+#include <linux/capability.h>
+#include <linux/compat.h>
+#include <linux/mmc/ioctl.h>
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
 #include <linux/mmc/mmc.h>
@@ -218,11 +222,208 @@ mmc_blk_getgeo(struct block_device *bdev, struct hd_geometry *geo)
        return 0;
 }
+struct mmc_blk_ioc_data {
+        struct mmc_ioc_cmd ic;
+        unsigned char *buf;
+        u64 buf_bytes;
+};
+static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user(
+        struct mmc_ioc_cmd __user *user)
+{
+        struct mmc_blk_ioc_data *idata;
+        int err;
+        idata = kzalloc(sizeof(*idata), GFP_KERNEL);
+        if (!idata) {
+                err = -ENOMEM;
+                goto copy_err;
+        }
+        if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
+                err = -EFAULT;
+                goto copy_err;
+        }
+        idata->buf_bytes = (u64) idata->ic.blksz * idata->ic.blocks;
+        if (idata->buf_bytes > MMC_IOC_MAX_BYTES) {
+                err = -EOVERFLOW;
+                goto copy_err;
+        }
+        idata->buf = kzalloc(idata->buf_bytes, GFP_KERNEL);
+        if (!idata->buf) {
+                err = -ENOMEM;
+                goto copy_err;
+        }
+        if (copy_from_user(idata->buf, (void __user *)(unsigned long)
+                                        idata->ic.data_ptr, idata->buf_bytes)) {
+                err = -EFAULT;
+                goto copy_err;
+        }
+        return idata;
+copy_err:
+        kfree(idata->buf);
+        kfree(idata);
+        return ERR_PTR(err);
+}
+static int mmc_blk_ioctl_cmd(struct block_device *bdev,
+        struct mmc_ioc_cmd __user *ic_ptr)
+{
+        struct mmc_blk_ioc_data *idata;
+        struct mmc_blk_data *md;
+        struct mmc_card *card;
+        struct mmc_command cmd = {0};
+        struct mmc_data data = {0};
+        struct mmc_request mrq = {0};
+        struct scatterlist sg;
+        int err;
+        /*
+         * The caller must have CAP_SYS_RAWIO, and must be calling this on the
+         * whole block device, not on a partition.  This prevents overspray
+         * between sibling partitions.
+         */
+        if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains))
+                return -EPERM;
+        idata = mmc_blk_ioctl_copy_from_user(ic_ptr);
+        if (IS_ERR(idata))
+                return PTR_ERR(idata);
+        cmd.opcode = idata->ic.opcode;
+        cmd.arg = idata->ic.arg;
+        cmd.flags = idata->ic.flags;
+        data.sg = &sg;
+        data.sg_len = 1;
+        data.blksz = idata->ic.blksz;
+        data.blocks = idata->ic.blocks;
+        sg_init_one(data.sg, idata->buf, idata->buf_bytes);
+        if (idata->ic.write_flag)
+                data.flags = MMC_DATA_WRITE;
+        else
+                data.flags = MMC_DATA_READ;
+        mrq.cmd = &cmd;
+        mrq.data = &data;
+        md = mmc_blk_get(bdev->bd_disk);
+        if (!md) {
+                err = -EINVAL;
+                goto cmd_done;
+        }
+        card = md->queue.card;
+        if (IS_ERR(card)) {
+                err = PTR_ERR(card);
+                goto cmd_done;
+        }
+        mmc_claim_host(card->host);
+        if (idata->ic.is_acmd) {
+                err = mmc_app_cmd(card->host, card);
+                if (err)
+                        goto cmd_rel_host;
+        }
+        /* data.flags must already be set before doing this. */
+        mmc_set_data_timeout(&data, card);
+        /* Allow overriding the timeout_ns for empirical tuning. */
+        if (idata->ic.data_timeout_ns)
+                data.timeout_ns = idata->ic.data_timeout_ns;
+        if ((cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
+                /*
+                 * Pretend this is a data transfer and rely on the host driver
+                 * to compute timeout.  When all host drivers support
+                 * cmd.cmd_timeout for R1B, this can be changed to:
+                 *
+                 *     mrq.data = NULL;
+                 *     cmd.cmd_timeout = idata->ic.cmd_timeout_ms;
+                 */
+                data.timeout_ns = idata->ic.cmd_timeout_ms * 1000000;
+        }
+        mmc_wait_for_req(card->host, &mrq);
+        if (cmd.error) {
+                dev_err(mmc_dev(card->host), "%s: cmd error %d\n",
+                                                __func__, cmd.error);
+                err = cmd.error;
+                goto cmd_rel_host;
+        }
+        if (data.error) {
+                dev_err(mmc_dev(card->host), "%s: data error %d\n",
+                                                __func__, data.error);
+                err = data.error;
+                goto cmd_rel_host;
+        }
+        /*
+         * According to the SD specs, some commands require a delay after
+         * issuing the command.
+         */
+        if (idata->ic.postsleep_min_us)
+                usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
+        if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) {
+                err = -EFAULT;
+                goto cmd_rel_host;
+        }
+        if (!idata->ic.write_flag) {
+                if (copy_to_user((void __user *)(unsigned long) idata->ic.data_ptr,
+                                                idata->buf, idata->buf_bytes)) {
+                        err = -EFAULT;
+                        goto cmd_rel_host;
+                }
+        }
+cmd_rel_host:
+        mmc_release_host(card->host);
+cmd_done:
+        mmc_blk_put(md);
+        kfree(idata->buf);
+        kfree(idata);
+        return err;
+}
+static int mmc_blk_ioctl(struct block_device *bdev, fmode_t mode,
+        unsigned int cmd, unsigned long arg)
+{
+        int ret = -EINVAL;
+        if (cmd == MMC_IOC_CMD)
+                ret = mmc_blk_ioctl_cmd(bdev, (struct mmc_ioc_cmd __user *)arg);
+        return ret;
+}
+#ifdef CONFIG_COMPAT
+static int mmc_blk_compat_ioctl(struct block_device *bdev, fmode_t mode,
+        unsigned int cmd, unsigned long arg)
+{
+        return mmc_blk_ioctl(bdev, mode, cmd, (unsigned long) compat_ptr(arg));
+}
+#endif
 static const struct block_device_operations mmc_bdops = {
        .open                   = mmc_blk_open,
        .release                = mmc_blk_release,
        .getgeo                 = mmc_blk_getgeo,
        .owner                  = THIS_MODULE,
+        .ioctl                  = mmc_blk_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl           = mmc_blk_compat_ioctl,
+#endif
 };
 struct mmc_blk_request {
diff --git a/drivers/mmc/core/sd_ops.c b/drivers/mmc/core/sd_ops.c
index a206aea5360d..021fed153804 100644
--- a/drivers/mmc/core/sd_ops.c
+++ b/drivers/mmc/core/sd_ops.c
@@ -21,7 +21,7 @@
 #include "core.h"
 #include "sd_ops.h"
-static int mmc_app_cmd(struct mmc_host *host, struct mmc_card *card)
+int mmc_app_cmd(struct mmc_host *host, struct mmc_card *card)
 {
        int err;
        struct mmc_command cmd = {0};
@@ -49,6 +49,7 @@ static int mmc_app_cmd(struct mmc_host *host, struct mmc_card *card)
        return 0;
 }
+EXPORT_SYMBOL_GPL(mmc_app_cmd);
 /**
 *      mmc_wait_for_app_cmd - start an application command and wait for
author	John Calixto <john.calixto@modsystems.com>	2011-04-26 18:56:29 -0400
committer	Chris Ball <cjb@laptop.org>	2011-05-24 21:02:54 -0400
commit	cb87ea28ed9e75a41eb456bfcb547b4e6f10e750 (patch)
tree	e3fe4a653bd96815c650dd9f5db11edc6b39b0db /drivers/mmc
parent	641c3187b9d53cfd4c23b0ce2ab18a13d5e775e5 (diff)

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c index e7efd6faeaf9..407836d55712 100644 --- a/drivers/mmc/card/block.c +++ b/drivers/mmc/card/block.c
@@ -31,7 +31,11 @@
31	#include <linux/mutex.h>	31	#include <linux/mutex.h>
32	#include <linux/scatterlist.h>	32	#include <linux/scatterlist.h>
33	#include <linux/string_helpers.h>	33	#include <linux/string_helpers.h>
		34	#include <linux/delay.h>
		35	#include <linux/capability.h>
		36	#include <linux/compat.h>
34		37
		38	#include <linux/mmc/ioctl.h>
35	#include <linux/mmc/card.h>	39	#include <linux/mmc/card.h>
36	#include <linux/mmc/host.h>	40	#include <linux/mmc/host.h>
37	#include <linux/mmc/mmc.h>	41	#include <linux/mmc/mmc.h>
@@ -218,11 +222,208 @@ mmc_blk_getgeo(struct block_device bdev, struct hd_geometry geo)
218	return 0;	222	return 0;
219	}	223	}
220		224
		225	struct mmc_blk_ioc_data {
		226	struct mmc_ioc_cmd ic;
		227	unsigned char *buf;
		228	u64 buf_bytes;
		229	};
		230
		231	static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user(
		232	struct mmc_ioc_cmd __user *user)
		233	{
		234	struct mmc_blk_ioc_data *idata;
		235	int err;
		236
		237	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
		238	if (!idata) {
		239	err = -ENOMEM;
		240	goto copy_err;
		241	}
		242
		243	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
		244	err = -EFAULT;
		245	goto copy_err;
		246	}
		247
		248	idata->buf_bytes = (u64) idata->ic.blksz * idata->ic.blocks;
		249	if (idata->buf_bytes > MMC_IOC_MAX_BYTES) {
		250	err = -EOVERFLOW;
		251	goto copy_err;
		252	}
		253
		254	idata->buf = kzalloc(idata->buf_bytes, GFP_KERNEL);
		255	if (!idata->buf) {
		256	err = -ENOMEM;
		257	goto copy_err;
		258	}
		259
		260	if (copy_from_user(idata->buf, (void __user *)(unsigned long)
		261	idata->ic.data_ptr, idata->buf_bytes)) {
		262	err = -EFAULT;
		263	goto copy_err;
		264	}
		265
		266	return idata;
		267
		268	copy_err:
		269	kfree(idata->buf);
		270	kfree(idata);
		271	return ERR_PTR(err);
		272
		273	}
		274
		275	static int mmc_blk_ioctl_cmd(struct block_device *bdev,
		276	struct mmc_ioc_cmd __user *ic_ptr)
		277	{
		278	struct mmc_blk_ioc_data *idata;
		279	struct mmc_blk_data *md;
		280	struct mmc_card *card;
		281	struct mmc_command cmd = {0};
		282	struct mmc_data data = {0};
		283	struct mmc_request mrq = {0};
		284	struct scatterlist sg;
		285	int err;
		286
		287	/*
		288	* The caller must have CAP_SYS_RAWIO, and must be calling this on the
		289	* whole block device, not on a partition. This prevents overspray
		290	* between sibling partitions.
		291	*/
		292	if ((!capable(CAP_SYS_RAWIO)) \|\| (bdev != bdev->bd_contains))
		293	return -EPERM;
		294
		295	idata = mmc_blk_ioctl_copy_from_user(ic_ptr);
		296	if (IS_ERR(idata))
		297	return PTR_ERR(idata);
		298
		299	cmd.opcode = idata->ic.opcode;
		300	cmd.arg = idata->ic.arg;
		301	cmd.flags = idata->ic.flags;
		302
		303	data.sg = &sg;
		304	data.sg_len = 1;
		305	data.blksz = idata->ic.blksz;
		306	data.blocks = idata->ic.blocks;
		307
		308	sg_init_one(data.sg, idata->buf, idata->buf_bytes);
		309
		310	if (idata->ic.write_flag)
		311	data.flags = MMC_DATA_WRITE;
		312	else
		313	data.flags = MMC_DATA_READ;
		314
		315	mrq.cmd = &cmd;
		316	mrq.data = &data;
		317
		318	md = mmc_blk_get(bdev->bd_disk);
		319	if (!md) {
		320	err = -EINVAL;
		321	goto cmd_done;
		322	}
		323
		324	card = md->queue.card;
		325	if (IS_ERR(card)) {
		326	err = PTR_ERR(card);
		327	goto cmd_done;
		328	}
		329
		330	mmc_claim_host(card->host);
		331
		332	if (idata->ic.is_acmd) {
		333	err = mmc_app_cmd(card->host, card);
		334	if (err)
		335	goto cmd_rel_host;
		336	}
		337
		338	/* data.flags must already be set before doing this. */
		339	mmc_set_data_timeout(&data, card);
		340	/* Allow overriding the timeout_ns for empirical tuning. */
		341	if (idata->ic.data_timeout_ns)
		342	data.timeout_ns = idata->ic.data_timeout_ns;
		343
		344	if ((cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
		345	/*
		346	* Pretend this is a data transfer and rely on the host driver
		347	* to compute timeout. When all host drivers support
		348	* cmd.cmd_timeout for R1B, this can be changed to:
		349	*
		350	* mrq.data = NULL;
		351	* cmd.cmd_timeout = idata->ic.cmd_timeout_ms;
		352	*/
		353	data.timeout_ns = idata->ic.cmd_timeout_ms * 1000000;
		354	}
		355
		356	mmc_wait_for_req(card->host, &mrq);
		357
		358	if (cmd.error) {
		359	dev_err(mmc_dev(card->host), "%s: cmd error %d\n",
		360	__func__, cmd.error);
		361	err = cmd.error;
		362	goto cmd_rel_host;
		363	}
		364	if (data.error) {
		365	dev_err(mmc_dev(card->host), "%s: data error %d\n",
		366	__func__, data.error);
		367	err = data.error;
		368	goto cmd_rel_host;
		369	}
		370
		371	/*
		372	* According to the SD specs, some commands require a delay after
		373	* issuing the command.
		374	*/
		375	if (idata->ic.postsleep_min_us)
		376	usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
		377
		378	if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) {
		379	err = -EFAULT;
		380	goto cmd_rel_host;
		381	}
		382
		383	if (!idata->ic.write_flag) {
		384	if (copy_to_user((void __user *)(unsigned long) idata->ic.data_ptr,
		385	idata->buf, idata->buf_bytes)) {
		386	err = -EFAULT;
		387	goto cmd_rel_host;
		388	}
		389	}
		390
		391	cmd_rel_host:
		392	mmc_release_host(card->host);
		393
		394	cmd_done:
		395	mmc_blk_put(md);
		396	kfree(idata->buf);
		397	kfree(idata);
		398	return err;
		399	}
		400
		401	static int mmc_blk_ioctl(struct block_device *bdev, fmode_t mode,
		402	unsigned int cmd, unsigned long arg)
		403	{
		404	int ret = -EINVAL;
		405	if (cmd == MMC_IOC_CMD)
		406	ret = mmc_blk_ioctl_cmd(bdev, (struct mmc_ioc_cmd __user *)arg);
		407	return ret;
		408	}
		409
		410	#ifdef CONFIG_COMPAT
		411	static int mmc_blk_compat_ioctl(struct block_device *bdev, fmode_t mode,
		412	unsigned int cmd, unsigned long arg)
		413	{
		414	return mmc_blk_ioctl(bdev, mode, cmd, (unsigned long) compat_ptr(arg));
		415	}
		416	#endif
		417
221	static const struct block_device_operations mmc_bdops = {	418	static const struct block_device_operations mmc_bdops = {
222	.open = mmc_blk_open,	419	.open = mmc_blk_open,
223	.release = mmc_blk_release,	420	.release = mmc_blk_release,
224	.getgeo = mmc_blk_getgeo,	421	.getgeo = mmc_blk_getgeo,
225	.owner = THIS_MODULE,	422	.owner = THIS_MODULE,
		423	.ioctl = mmc_blk_ioctl,
		424	#ifdef CONFIG_COMPAT
		425	.compat_ioctl = mmc_blk_compat_ioctl,
		426	#endif
226	};	427	};
227		428
228	struct mmc_blk_request {	429	struct mmc_blk_request {


diff --git a/drivers/mmc/core/sd_ops.c b/drivers/mmc/core/sd_ops.c index a206aea5360d..021fed153804 100644 --- a/drivers/mmc/core/sd_ops.c +++ b/drivers/mmc/core/sd_ops.c
@@ -21,7 +21,7 @@
21	#include "core.h"	21	#include "core.h"
22	#include "sd_ops.h"	22	#include "sd_ops.h"
23		23
24	static int mmc_app_cmd(struct mmc_host host, struct mmc_card card)	24	int mmc_app_cmd(struct mmc_host host, struct mmc_card card)
25	{	25	{
26	int err;	26	int err;
27	struct mmc_command cmd = {0};	27	struct mmc_command cmd = {0};
@@ -49,6 +49,7 @@ static int mmc_app_cmd(struct mmc_host host, struct mmc_card card)
49		49
50	return 0;	50	return 0;
51	}	51	}
		52	EXPORT_SYMBOL_GPL(mmc_app_cmd);
52		53
53	/**	54	/**
54	* mmc_wait_for_app_cmd - start an application command and wait for	55	* mmc_wait_for_app_cmd - start an application command and wait for