// SPDX-License-Identifier: GPL-2.0
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/file.h>
#include <linux/io_uring/cmd.h>
#include <linux/io_uring/net.h>
#include <linux/security.h>
#include <linux/nospec.h>
#include <net/sock.h>

#include <uapi/linux/io_uring.h>
#include <asm/ioctls.h>

#include "io_uring.h"
#include "alloc_cache.h"
#include "rsrc.h"
#include "uring_cmd.h"

static struct io_uring_cmd_data *io_uring_async_get(struct io_kiocb *req)
{
	struct io_ring_ctx *ctx = req->ctx;
	struct io_uring_cmd_data *cache;

	cache = io_alloc_cache_get(&ctx->uring_cache);
	if (cache) {
		cache->op_data = NULL;
		req->flags |= REQ_F_ASYNC_DATA;
		req->async_data = cache;
		return cache;
	}
	if (!io_alloc_async_data(req)) {
		cache = req->async_data;
		cache->op_data = NULL;
		return cache;
	}
	return NULL;
}

static void io_req_uring_cleanup(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_uring_cmd_data *cache = req->async_data;

	if (cache->op_data) {
		kfree(cache->op_data);
		cache->op_data = NULL;
	}

	if (issue_flags & IO_URING_F_UNLOCKED)
		return;
	if (io_alloc_cache_put(&req->ctx->uring_cache, cache)) {
		ioucmd->sqe = NULL;
		req->async_data = NULL;
		req->flags &= ~REQ_F_ASYNC_DATA;
	}
}

bool io_uring_try_cancel_uring_cmd(struct io_ring_ctx *ctx,
				   struct io_uring_task *tctx, bool cancel_all)
{
	struct hlist_node *tmp;
	struct io_kiocb *req;
	bool ret = false;

	lockdep_assert_held(&ctx->uring_lock);

	hlist_for_each_entry_safe(req, tmp, &ctx->cancelable_uring_cmd,
			hash_node) {
		struct io_uring_cmd *cmd = io_kiocb_to_cmd(req,
				struct io_uring_cmd);
		struct file *file = req->file;

		if (!cancel_all && req->tctx != tctx)
			continue;

		if (cmd->flags & IORING_URING_CMD_CANCELABLE) {
			/* ->sqe isn't available if no async data */
			if (!req_has_async_data(req))
				cmd->sqe = NULL;
			file->f_op->uring_cmd(cmd, IO_URING_F_CANCEL |
						   IO_URING_F_COMPLETE_DEFER);
			ret = true;
		}
	}
	io_submit_flush_completions(ctx);
	return ret;
}

static void io_uring_cmd_del_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE))
		return;

	cmd->flags &= ~IORING_URING_CMD_CANCELABLE;
	io_ring_submit_lock(ctx, issue_flags);
	hlist_del(&req->hash_node);
	io_ring_submit_unlock(ctx, issue_flags);
}

/*
 * Mark this command as cancelable, then io_uring_try_cancel_uring_cmd()
 * will try to cancel this issued command by sending ->uring_cmd() with
 * issue_flags of IO_URING_F_CANCEL.
 *
 * The command is guaranteed to not be done when calling ->uring_cmd()
 * with IO_URING_F_CANCEL, but it is the driver's responsibility to deal
 * with the race between io_uring cancellation and normal completion.
 */
void io_uring_cmd_mark_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE)) {
		cmd->flags |= IORING_URING_CMD_CANCELABLE;
		io_ring_submit_lock(ctx, issue_flags);
		hlist_add_head(&req->hash_node, &ctx->cancelable_uring_cmd);
		io_ring_submit_unlock(ctx, issue_flags);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_mark_cancelable);

static void io_uring_cmd_work(struct io_kiocb *req, struct io_tw_state *ts)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	unsigned int flags = IO_URING_F_COMPLETE_DEFER;

	if (current->flags & (PF_EXITING | PF_KTHREAD))
		flags |= IO_URING_F_TASK_DEAD;

	/* task_work executor checks the deferred list completion */
	ioucmd->task_work_cb(ioucmd, flags);
}

void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
			void (*task_work_cb)(struct io_uring_cmd *, unsigned),
			unsigned flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	ioucmd->task_work_cb = task_work_cb;
	req->io_task_work.func = io_uring_cmd_work;
	__io_req_task_work_add(req, flags);
}
EXPORT_SYMBOL_GPL(__io_uring_cmd_do_in_task);

static inline void io_req_set_cqe32_extra(struct io_kiocb *req,
					  u64 extra1, u64 extra2)
{
	req->big_cqe.extra1 = extra1;
	req->big_cqe.extra2 = extra2;
}

/*
 * Called by consumers of io_uring_cmd, if they originally returned
 * -EIOCBQUEUED upon receiving the command.
 */
void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
		       unsigned issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_uring_cmd_del_cancelable(ioucmd, issue_flags);

	if (ret < 0)
		req_set_fail(req);

	io_req_set_res(req, ret, 0);
	if (req->ctx->flags & IORING_SETUP_CQE32)
		io_req_set_cqe32_extra(req, res2, 0);
	io_req_uring_cleanup(req, issue_flags);
	if (req->ctx->flags & IORING_SETUP_IOPOLL) {
		/* order with io_iopoll_req_issued() checking ->iopoll_completed */
		smp_store_release(&req->iopoll_completed, 1);
	} else if (issue_flags & IO_URING_F_COMPLETE_DEFER) {
		if (WARN_ON_ONCE(issue_flags & IO_URING_F_UNLOCKED))
			return;
		io_req_complete_defer(req);
	} else {
		req->io_task_work.func = io_req_task_complete;
		io_req_task_work_add(req);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_done);

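/*
 * Illustrative sketch, not part of this file: the pattern a driver's
 * ->uring_cmd() handler typically follows when it completes commands
 * asynchronously. The my_drv_* name is hypothetical; only the
 * io_uring_cmd_*() helpers above (plus io_uring_cmd_complete_in_task()
 * from <linux/io_uring/cmd.h>) are real kernel APIs.
 */
static int my_drv_uring_cmd(struct io_uring_cmd *ioucmd, unsigned int issue_flags)
{
	if (issue_flags & IO_URING_F_CANCEL) {
		/*
		 * io_uring asked us to cancel; a real driver must also
		 * synchronize against a normal completion racing with this.
		 */
		io_uring_cmd_done(ioucmd, -ECANCELED, 0, issue_flags);
		return 0;
	}

	/* opt in to cancellation while the command is in flight */
	io_uring_cmd_mark_cancelable(ioucmd, issue_flags);

	/*
	 * Queue the command to hardware here. When it completes later,
	 * e.g. from IRQ context, punt the final completion to task context
	 * with io_uring_cmd_complete_in_task() and call io_uring_cmd_done()
	 * from that callback.
	 */
	return -EIOCBQUEUED;
}
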
static int io_uring_cmd_prep_setup(struct io_kiocb *req,
				   const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_uring_cmd_data *cache;

	cache = io_uring_async_get(req);
	if (unlikely(!cache))
		return -ENOMEM;

	if (!(req->flags & REQ_F_FORCE_ASYNC)) {
		/* defer memcpy until we need it */
		ioucmd->sqe = sqe;
		return 0;
	}

	memcpy(req->async_data, sqe, uring_sqe_size(req->ctx));
	ioucmd->sqe = req->async_data;
	return 0;
}

int io_uring_cmd_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);

	if (sqe->__pad1)
		return -EINVAL;

	ioucmd->flags = READ_ONCE(sqe->uring_cmd_flags);
	if (ioucmd->flags & ~IORING_URING_CMD_MASK)
		return -EINVAL;

	if (ioucmd->flags & IORING_URING_CMD_FIXED) {
		struct io_ring_ctx *ctx = req->ctx;
		struct io_rsrc_node *node;
		u16 index = READ_ONCE(sqe->buf_index);

		node = io_rsrc_node_lookup(&ctx->buf_table, index);
		if (unlikely(!node))
			return -EFAULT;
		/*
		 * Pin the node upfront, prior to io_uring_cmd_import_fixed()
		 * being called. This prevents destruction of the mapped buffer
		 * we'll need at actual import time.
		 */
		io_req_assign_buf_node(req, node);
	}
	ioucmd->cmd_op = READ_ONCE(sqe->cmd_op);

	return io_uring_cmd_prep_setup(req, sqe);
}

int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_ring_ctx *ctx = req->ctx;
	struct file *file = req->file;
	int ret;

	if (!file->f_op->uring_cmd)
		return -EOPNOTSUPP;

	ret = security_uring_cmd(ioucmd);
	if (ret)
		return ret;

	if (ctx->flags & IORING_SETUP_SQE128)
		issue_flags |= IO_URING_F_SQE128;
	if (ctx->flags & IORING_SETUP_CQE32)
		issue_flags |= IO_URING_F_CQE32;
	if (ctx->compat)
		issue_flags |= IO_URING_F_COMPAT;
	if (ctx->flags & IORING_SETUP_IOPOLL) {
		if (!file->f_op->uring_cmd_iopoll)
			return -EOPNOTSUPP;
		issue_flags |= IO_URING_F_IOPOLL;
		req->iopoll_completed = 0;
	}

	ret = file->f_op->uring_cmd(ioucmd, issue_flags);
	if (ret == -EAGAIN) {
		struct io_uring_cmd_data *cache = req->async_data;

		if (ioucmd->sqe != (void *) cache)
			memcpy(cache, ioucmd->sqe, uring_sqe_size(req->ctx));
		return -EAGAIN;
	} else if (ret == -EIOCBQUEUED) {
		return -EIOCBQUEUED;
	}

	if (ret < 0)
		req_set_fail(req);
	io_req_uring_cleanup(req, issue_flags);
	io_req_set_res(req, ret, 0);
	return IOU_OK;
}

int io_uring_cmd_import_fixed(u64 ubuf, unsigned long len, int rw,
			      struct iov_iter *iter, void *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);
	struct io_rsrc_node *node = req->buf_node;

	/* Must have had rsrc_node assigned at prep time */
	if (node)
		return io_import_fixed(rw, iter, node->buf, ubuf, len);

	return -EFAULT;
}
EXPORT_SYMBOL_GPL(io_uring_cmd_import_fixed);

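/*
 * Illustrative sketch, not part of this file: a driver that accepted
 * IORING_URING_CMD_FIXED at prep time builds an iov_iter over the
 * registered buffer at issue time. my_drv_map_fixed_buf(), ubuf and len
 * are hypothetical; the address and length normally come from the
 * driver-specific command payload in the SQE.
 */
static int my_drv_map_fixed_buf(struct io_uring_cmd *ioucmd, u64 ubuf,
				unsigned long len, struct iov_iter *iter)
{
	/* rw follows the usual READ/WRITE data direction convention */
	return io_uring_cmd_import_fixed(ubuf, len, WRITE, iter, ioucmd);
}
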
void io_uring_cmd_issue_blocking(struct io_uring_cmd *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_req_queue_iowq(req);
}

static inline int io_uring_cmd_getsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optlen, optname, level, err;
	void __user *optval;

	level = READ_ONCE(cmd->sqe->level);
	if (level != SOL_SOCKET)
		return -EOPNOTSUPP;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);

	err = do_sock_getsockopt(sock, compat, level, optname,
				 USER_SOCKPTR(optval),
				 KERNEL_SOCKPTR(&optlen));
	if (err)
		return err;

	/* On success, return optlen */
	return optlen;
}

static inline int io_uring_cmd_setsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optname, optlen, level;
	void __user *optval;
	sockptr_t optval_s;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);
	level = READ_ONCE(cmd->sqe->level);
	optval_s = USER_SOCKPTR(optval);

	return do_sock_setsockopt(sock, compat, level, optname, optval_s,
				  optlen);
}

#if defined(CONFIG_NET)
int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	struct socket *sock = cmd->file->private_data;
	struct sock *sk = sock->sk;
	struct proto *prot = READ_ONCE(sk->sk_prot);
	int ret, arg = 0;

	if (!prot || !prot->ioctl)
		return -EOPNOTSUPP;

	switch (cmd->sqe->cmd_op) {
	case SOCKET_URING_OP_SIOCINQ:
		ret = prot->ioctl(sk, SIOCINQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_SIOCOUTQ:
		ret = prot->ioctl(sk, SIOCOUTQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_GETSOCKOPT:
		return io_uring_cmd_getsockopt(sock, cmd, issue_flags);
	case SOCKET_URING_OP_SETSOCKOPT:
		return io_uring_cmd_setsockopt(sock, cmd, issue_flags);
	default:
		return -EOPNOTSUPP;
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_sock);
#endif

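/*
 * Userspace view (illustrative sketch, not part of this file): issuing
 * SOCKET_URING_OP_SIOCINQ through IORING_OP_URING_CMD. The sqe fields
 * below are the uapi names this file reads; ring setup, user_data and
 * error handling are omitted, and liburing also provides a prep helper
 * for socket commands if preferred.
 *
 *	sqe->opcode = IORING_OP_URING_CMD;
 *	sqe->fd = sockfd;
 *	sqe->cmd_op = SOCKET_URING_OP_SIOCINQ;
 *
 * After submitting and reaping the CQE, the number of bytes queued for
 * reading is returned in cqe->res on success.
 */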