nvsciipc: enable endpoint security

- allow ioctl access if UID looked up is one of process UID or SGIDs. - removed legacy codes - set UID of set DB ioctl using sysfs JIRA: NVIPC-2817 Change-Id: Ic910b5bdbb362e9cda0cc3af4bcd9c1642725a25 Signed-off-by: Suneel Kumar Pemmineti <spemmineti@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3225830 Tested-by: Joshua Cha <joshuac@nvidia.com> Reviewed-by: Simon Je <sje@nvidia.com> GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
2025-12-22 17:25:35 +03:00 · 2024-09-17 15:10:52 +00:00
parent 1fabab5472
commit 04ccb5c0c3
3 changed files with 126 additions and 123 deletions
--- a/drivers/misc/nvsciipc/nvsciipc.c
+++ b/drivers/misc/nvsciipc/nvsciipc.c
@@ -45,8 +45,10 @@
 DEFINE_MUTEX(nvsciipc_mutex);
 static struct platform_device *nvsciipc_pdev;
-static struct nvsciipc *ctx;
+static struct nvsciipc *s_ctx;
 static int32_t s_guestid = -1;
 /* UID of SET_DB ioctl client (default root UID) */
 static uint32_t s_nvsciipc_uid;
 long nvsciipc_dev_ioctl(struct file *filp, unsigned int cmd,
 	unsigned long arg);
@@ -78,7 +80,7 @@ NvSciError NvSciIpcEndpointValidateAuthTokenLinuxCurrent(
 	int i, ret, devlen;
 	char node[NVSCIIPC_MAX_EP_NAME+16];
-	if ((ctx == NULL) || (ctx->set_db_f != true)) {
+	if ((s_ctx == NULL) || (s_ctx->set_db_f != true)) {
 		ERR("not initialized\n");
 		return NvSciError_NotInitialized;
 	}
@@ -105,24 +107,24 @@ NvSciError NvSciIpcEndpointValidateAuthTokenLinuxCurrent(
 		filp->f_path.dentry->d_name.name, devlen);
 #endif
-	for (i = 0; i < ctx->num_eps; i++) {
+	for (i = 0; i < s_ctx->num_eps; i++) {
 		ret = snprintf(node, sizeof(node), "%s%d",
-			ctx->db[i]->dev_name, ctx->db[i]->id);
+			s_ctx->db[i]->dev_name, s_ctx->db[i]->id);
 		if ((ret < 0) || (ret != devlen))
 			continue;
 #if DEBUG_VALIDATE_TOKEN
-		INFO("node:%s, vuid:0x%llx\n", node, ctx->db[i]->vuid);
+		INFO("node:%s, vuid:0x%llx\n", node, s_ctx->db[i]->vuid);
 #endif
 		/* compare node name itself only (w/o directory) */
 		if (!strncmp(filp->f_path.dentry->d_name.name, node, ret)) {
-			*localUserVuid = ctx->db[i]->vuid;
+			*localUserVuid = s_ctx->db[i]->vuid;
 			break;
 		}
 	}
-	if (i == ctx->num_eps) {
+	if (i == s_ctx->num_eps) {
 		fdput(f);
 		ERR("wrong auth token passed\n");
 		return NvSciError_BadParameter;
@@ -147,20 +149,20 @@ NvSciError NvSciIpcEndpointMapVuid(NvSciIpcEndpointVuid localUserVuid,
 		return NvSciError_BadParameter;
 	}
-	if ((ctx == NULL) || (ctx->set_db_f != true)) {
+	if ((s_ctx == NULL) || (s_ctx->set_db_f != true)) {
 		ERR("not initialized\n");
 		return NvSciError_NotInitialized;
 	}
-	for (i = 0; i < ctx->num_eps; i++) {
+	for (i = 0; i < s_ctx->num_eps; i++) {
-		if (ctx->db[i]->vuid == localUserVuid) {
+		if (s_ctx->db[i]->vuid == localUserVuid) {
-			backend = ctx->db[i]->backend;
+			backend = s_ctx->db[i]->backend;
-			entry = ctx->db[i];
+			entry = s_ctx->db[i];
 			break;
 		}
 	}
-	if (i == ctx->num_eps) {
+	if (i == s_ctx->num_eps) {
 		ERR("wrong localUserVuid passed\n");
 		return NvSciError_BadParameter;
 	}
@@ -356,48 +358,19 @@ static int nvsciipc_ioctl_get_db_by_name(struct nvsciipc *ctx, unsigned int cmd,
 	for (i = 0; i < ctx->num_eps; i++) {
 		if (!strncmp(get_db.ep_name, ctx->db[i]->ep_name,
 			NVSCIIPC_MAX_EP_NAME)) {
-			get_db.entry = *ctx->db[i];
+// FIXME: consider android
-			get_db.idx = i;
+#if !defined(CONFIG_ANDROID) && !defined(CONFIG_TEGRA_SYSTEM_TYPE_ACK)
-			break;
+			/* Authenticate the client process with valid UID */
-		}
+			if ((ctx->db[i]->uid != 0xFFFFFFFF) &&
-	}
+			(current_cred()->uid.val != 0) &&
-
+			(current_cred()->uid.val != ctx->db[i]->uid)) {
-	if (i == ctx->num_eps) {
+				ERR("%s[Client_UID = %d] : "
-		INFO("%s: no entry (%s)\n", __func__, get_db.ep_name);
+					"Unauthorized access to endpoint\n",
-		return -ENOENT;
+					__func__, current_cred()->uid.val);
 	} else if (copy_to_user((void __user *)arg, &get_db,
 				_IOC_SIZE(cmd))) {
 		ERR("%s : copy_to_user failed\n", __func__);
 		return -EFAULT;
 	}
 	return 0;
 }
 // TODO: remove this after migration
 static int nvsciipc_ioctl_get_db_by_name_legacy(struct nvsciipc *ctx,
 	unsigned int cmd, unsigned long arg)
 {
 	struct nvsciipc_get_db_by_name_legacy get_db;
 	int i;
 	if ((ctx->num_eps == 0) || (ctx->set_db_f != true)) {
 		ERR("%s[%d] need to set endpoint database first\n", __func__,
 			get_current()->pid);
 				return -EPERM;
 			}
-
+#endif /* !CONFIG_ANDROID && !CONFIG_TEGRA_SYSTEM_TYPE_ACK */
-	if (copy_from_user(&get_db, (void __user *)arg, _IOC_SIZE(cmd))) {
+			get_db.entry = *ctx->db[i];
 		ERR("%s : copy_from_user failed\n", __func__);
 		return -EFAULT;
 	}
 	/* read operation */
 	for (i = 0; i < ctx->num_eps; i++) {
 		if (!strncmp(get_db.ep_name, ctx->db[i]->ep_name,
 			NVSCIIPC_MAX_EP_NAME)) {
 			//get_db.entry = *ctx->db[i];
 			memcpy(&get_db.entry, ctx->db[i], sizeof(get_db.entry));
 			get_db.idx = i;
 			break;
 		}
@@ -435,6 +408,17 @@ static int nvsciipc_ioctl_get_db_by_vuid(struct nvsciipc *ctx, unsigned int cmd,
 	/* read operation */
 	for (i = 0; i < ctx->num_eps; i++) {
 		if (get_db.vuid == ctx->db[i]->vuid) {
 // FIXME: consider android
 #if !defined(CONFIG_ANDROID) && !defined(CONFIG_TEGRA_SYSTEM_TYPE_ACK)
 			/* Authenticate the client process with valid UID */
 			if ((ctx->db[i]->uid != 0xFFFFFFFF) &&
 			(current_cred()->uid.val != 0) &&
 			(current_cred()->uid.val != ctx->db[i]->uid)) {
 				ERR("%s[Client_UID = %d] : Unauthorized access to endpoint\n",
 					__func__, current_cred()->uid.val);
 				return -EPERM;
 			}
 #endif /* !CONFIG_ANDROID && !CONFIG_TEGRA_SYSTEM_TYPE_ACK */
 			get_db.entry = *ctx->db[i];
 			get_db.idx = i;
 			break;
@@ -503,14 +487,15 @@ static int nvsciipc_ioctl_set_db(struct nvsciipc *ctx, unsigned int cmd,
 #if defined(CONFIG_ANDROID) || defined(CONFIG_TEGRA_SYSTEM_TYPE_ACK)
 	if ((current_cred()->uid.val != SYSTEM_GID) &&
-	(current_cred()->uid.val != 0)) {
+	(current_cred()->uid.val != 0) &&
 	(current_cred()->uid.val != s_nvsciipc_uid)) {
 		ERR("no permission to set db\n");
 		return -EPERM;
 	}
 #else
 	/* check root or nvsciipc user */
 	if ((current_cred()->uid.val != 0) &&
-	(current_cred()->uid.val != 2000)) {
+	(current_cred()->uid.val != s_nvsciipc_uid)) {
 		ERR("no permission to set db\n");
 		return -EPERM;
 	}
@@ -655,8 +640,6 @@ exit:
 	return ret;
 }
 // TODO: remove macro after change delivery btw branches
 #define NVSCIIPC_IOCTL_GET_DB_BY_NAME_LEGACY 0xc140c303
 long nvsciipc_dev_ioctl(struct file *filp, unsigned int cmd,
 		unsigned long arg)
 {
@@ -687,10 +670,6 @@ long nvsciipc_dev_ioctl(struct file *filp, unsigned int cmd,
 	case NVSCIIPC_IOCTL_GET_DB_BY_NAME:
 		ret = nvsciipc_ioctl_get_db_by_name(ctx, cmd, arg);
 		break;
 // TODO: remove legacy cmd after migration
 	case NVSCIIPC_IOCTL_GET_DB_BY_NAME_LEGACY:
 		ret = nvsciipc_ioctl_get_db_by_name_legacy(ctx, cmd, arg);
 		break;
 	case NVSCIIPC_IOCTL_GET_DB_BY_VUID:
 		ret = nvsciipc_ioctl_get_db_by_vuid(ctx, cmd, arg);
 		break;
@@ -760,6 +739,54 @@ static ssize_t nvsciipc_dbg_read(struct file *filp, char __user *buf,
 	return 0;
 }
 static ssize_t nvsciipc_uid_show(struct device *dev,
 	struct device_attribute *attr, char *buf)
 {
 	return sprintf(buf, "%d\n", s_nvsciipc_uid);
 }
 static ssize_t nvsciipc_uid_store(struct device *dev,
 	struct device_attribute *attr, const char *buf, size_t count)
 {
 	static int init_done;
 	uint32_t val;
 	int ret;
 	if (init_done) {
 		ERR("UID is already set as %d\n", s_nvsciipc_uid);
 		return -EPERM;
 	}
 	ret = kstrtou32(buf, 0, &val);
 	if (ret) {
 		ERR("Failed to store nvsciipc UID\n");
 		return ret;
 	}
 	s_nvsciipc_uid = val;
 	init_done = 1;
 	INFO("nvsciipc_uid is set as %d\n", s_nvsciipc_uid);
 	return count;
 }
 // /sys/devices/platform/nvsciipc/nvsciipc_uid
 static DEVICE_ATTR(nvsciipc_uid, 0660, nvsciipc_uid_show, nvsciipc_uid_store);
 static struct attribute *nvsciipc_uid_attrs[] = {
 	&dev_attr_nvsciipc_uid.attr,
 	NULL,
 };
 static struct attribute_group nvsciipc_uid_group = {
 	.attrs = nvsciipc_uid_attrs,
 };
 static const struct attribute_group *nvsciipc_uid_groups[] = {
 	&nvsciipc_uid_group,
 	NULL,
 };
 static const struct file_operations nvsciipc_fops = {
 	.owner		= THIS_MODULE,
 	.open		= nvsciipc_dev_open,
@@ -781,60 +808,67 @@ static int nvsciipc_probe(struct platform_device *pdev)
 		goto error;
 	}
-	ctx = devm_kzalloc(&pdev->dev, sizeof(struct nvsciipc),	GFP_KERNEL);
+	s_ctx = devm_kzalloc(&pdev->dev, sizeof(struct nvsciipc),	GFP_KERNEL);
-	if (ctx == NULL) {
+	if (s_ctx == NULL) {
 		ERR("devm_kzalloc failed for nvsciipc\n");
 		ret = -ENOMEM;
 		goto error;
 	}
-	ctx->set_db_f = false;
+	s_ctx->set_db_f = false;
-	ctx->dev = &(pdev->dev);
+	s_ctx->dev = &(pdev->dev);
-	platform_set_drvdata(pdev, ctx);
+	platform_set_drvdata(pdev, s_ctx);
 #if defined(NV_CLASS_CREATE_HAS_NO_OWNER_ARG) /* Linux v6.4 */
-	ctx->nvsciipc_class = class_create(MODULE_NAME);
+	s_ctx->nvsciipc_class = class_create(MODULE_NAME);
 #else
-	ctx->nvsciipc_class = class_create(THIS_MODULE, MODULE_NAME);
+	s_ctx->nvsciipc_class = class_create(THIS_MODULE, MODULE_NAME);
 #endif
-	if (IS_ERR(ctx->nvsciipc_class)) {
+	if (IS_ERR(s_ctx->nvsciipc_class)) {
 		ERR("failed to create class: %ld\n",
-			PTR_ERR(ctx->nvsciipc_class));
+			PTR_ERR(s_ctx->nvsciipc_class));
-		ret = PTR_ERR(ctx->nvsciipc_class);
+		ret = PTR_ERR(s_ctx->nvsciipc_class);
 		goto error;
 	}
-	ret = alloc_chrdev_region(&(ctx->dev_t), 0, 1, MODULE_NAME);
+	ret = sysfs_create_group(&pdev->dev.kobj, &nvsciipc_uid_group);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "%s: Failed to reate sysfs group, %d\n",
 			__func__, ret);
 		goto error;
 	}
 	ret = alloc_chrdev_region(&(s_ctx->dev_t), 0, 1, MODULE_NAME);
 	if (ret != 0) {
 		ERR("alloc_chrdev_region() failed\n");
 		goto error;
 	}
-	ctx->dev_t = MKDEV(MAJOR(ctx->dev_t), 0);
+	s_ctx->dev_t = MKDEV(MAJOR(s_ctx->dev_t), 0);
-	cdev_init(&ctx->cdev, &nvsciipc_fops);
+	cdev_init(&s_ctx->cdev, &nvsciipc_fops);
-	ctx->cdev.owner = THIS_MODULE;
+	s_ctx->cdev.owner = THIS_MODULE;
-	ret = cdev_add(&(ctx->cdev), ctx->dev_t, 1);
+	ret = cdev_add(&(s_ctx->cdev), s_ctx->dev_t, 1);
 	if (ret != 0) {
 		ERR("cdev_add() failed\n");
 		goto error;
 	}
-	if (snprintf(ctx->device_name, (MAX_NAME_SIZE - 1), "%s", MODULE_NAME) < 0) {
+	if (snprintf(s_ctx->device_name, (MAX_NAME_SIZE - 1), "%s", MODULE_NAME) < 0) {
 		pr_err("snprintf() failed\n");
 		ret = -ENOMEM;
 		goto error;
 	}
-	ctx->device = device_create(ctx->nvsciipc_class, NULL,
+	s_ctx->device = device_create(s_ctx->nvsciipc_class, NULL,
-			ctx->dev_t, ctx,
+			s_ctx->dev_t, s_ctx,
-			ctx->device_name, 0);
+			s_ctx->device_name, 0);
-	if (IS_ERR(ctx->device)) {
+	if (IS_ERR(s_ctx->device)) {
-		ret = PTR_ERR(ctx->device);
+		ret = PTR_ERR(s_ctx->device);
 		ERR("device_create() failed\n");
 		goto error;
 	}
-	dev_set_drvdata(ctx->device, ctx);
+	dev_set_drvdata(s_ctx->device, s_ctx);
 	if (is_tegra_hypervisor_mode()) {
 		ret = hyp_read_gid(&s_guestid);
@@ -850,7 +884,7 @@ static int nvsciipc_probe(struct platform_device *pdev)
 	return ret;
 error:
-	nvsciipc_cleanup(ctx);
+	nvsciipc_cleanup(s_ctx);
 	return ret;
 }
@@ -860,6 +894,8 @@ static void nvsciipc_cleanup(struct nvsciipc *ctx)
 	if (ctx == NULL)
 		return;
 	sysfs_remove_group(&ctx->dev->kobj, &nvsciipc_uid_group);
 	nvsciipc_free_db(ctx);
 	if (ctx->nvsciipc_class && ctx->dev_t)
@@ -947,6 +983,7 @@ static struct platform_driver nvsciipc_driver = {
 	.shutdown = nvsciipc_shutdown,
 	.driver = {
 		.name = MODULE_NAME,
 		.groups = nvsciipc_uid_groups,
 	},
 #ifdef CONFIG_PM
 	.suspend = nvsciipc_suspend,
@@ -978,6 +1015,8 @@ static int __init nvsciipc_module_init(void)
 static void __exit nvsciipc_module_deinit(void)
 {
 	sysfs_remove_group(&s_ctx->dev->kobj, &nvsciipc_uid_group);
 	// calls nvsciipc_remove internally
 	platform_device_unregister(nvsciipc_pdev);
--- a/drivers/virt/tegra/ivc-cdev.c
+++ b/drivers/virt/tegra/ivc-cdev.c
@@ -1,7 +1,5 @@
-/* SPDX-License-Identifier: GPL-2.0-only */
+// SPDX-License-Identifier: GPL-2.0-only
-/*
+// SPDX-FileCopyrightText: Copyright (c) 2022-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 * SPDX-FileCopyrightText: Copyright (c) 2022-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 */
 #include <nvidia/conftest.h>
--- a/include/uapi/linux/nvsciipc_ioctl.h
+++ b/include/uapi/linux/nvsciipc_ioctl.h
@@ -33,29 +33,6 @@ struct nvsciipc_config_entry {
 	uint32_t uid;
 };
 /* TODO: remove it after migration */
 struct nvsciipc_config_entry_legacy {
 	/* endpoint name */
 	char ep_name[NVSCIIPC_MAX_EP_NAME];
 	/* node name for shm/sem */
 	char dev_name[NVSCIIPC_MAX_EP_NAME];
 	uint32_t backend;       /* backend type */
 	uint32_t nframes;       /* frame count */
 	uint32_t frame_size;    /* frame size */
 	/* ep id    for inter-Proc/Thread
 	 * queue id for inter-VM
 	 * dev id   for inter-Chip
 	 */
 	uint32_t id;
 	uint64_t vuid;  /* VM-wide unique id */
 	char rdma_dev_name[NVSCIIPC_MAX_RDMA_NAME];
 	char remote_ip[NVSCIIPC_MAX_IP_NAME];
 	uint32_t remote_port;
 	uint32_t local_port;
 	uint32_t peer_vmid;
 	uint32_t noti_type;
 };
 struct nvsciipc_db {
 	int num_eps;
 	struct nvsciipc_config_entry **entry;
@@ -77,13 +54,6 @@ struct nvsciipc_get_db_by_name {
 	uint32_t idx;
 };
 /* TODO: remove it after migration */
 struct nvsciipc_get_db_by_name_legacy {
 	char ep_name[NVSCIIPC_MAX_EP_NAME];
 	struct nvsciipc_config_entry_legacy entry;
 	uint32_t idx;
 };
 struct nvsciipc_get_db_by_vuid {
 	uint64_t vuid;
 	struct nvsciipc_config_entry entry;
@@ -95,7 +65,6 @@ struct nvsciipc_get_db_by_idx {
 	uint32_t idx;
 };
 /* for userspace level test, debugging purpose only */
 struct nvsciipc_validate_auth_token {
 	uint32_t auth_token;
 	uint64_t local_vuid;
@@ -107,7 +76,6 @@ struct nvsciipc_topoid {
 	uint32_t vmid;
 };
 /* for userspace level test, debugging purpose only */
 struct nvsciipc_map_vuid {
 	uint64_t vuid;
 	struct nvsciipc_topoid peer_topoid;
@@ -132,11 +100,9 @@ struct nvsciipc_map_vuid {
 #define NVSCIIPC_IOCTL_GET_DB_SIZE \
 	_IOR(NVSCIIPC_IOCTL_MAGIC, 5, uint32_t)
 /* debugging purpose only */
 #define NVSCIIPC_IOCTL_VALIDATE_AUTH_TOKEN \
 	_IOWR(NVSCIIPC_IOCTL_MAGIC, 6, struct nvsciipc_validate_auth_token)
 /* debugging purpose only */
 #define NVSCIIPC_IOCTL_MAP_VUID \
 	_IOWR(NVSCIIPC_IOCTL_MAGIC, 7, struct nvsciipc_map_vuid)