// SPDX-License-Identifier: GPL-2.0
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/file.h>
#include <linux/io_uring/cmd.h>
#include <linux/io_uring/net.h>
#include <linux/security.h>
#include <linux/nospec.h>
#include <net/sock.h>

#include <uapi/linux/io_uring.h>
#include <asm/ioctls.h>

#include "io_uring.h"
#include "alloc_cache.h"
#include "rsrc.h"
#include "uring_cmd.h"

static void io_req_uring_cleanup(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_uring_cmd_data *cache = req->async_data;

	if (cache->op_data) {
		kfree(cache->op_data);
		cache->op_data = NULL;
	}

	if (issue_flags & IO_URING_F_UNLOCKED)
		return;
	if (io_alloc_cache_put(&req->ctx->uring_cache, cache)) {
		ioucmd->sqe = NULL;
		req->async_data = NULL;
		req->flags &= ~REQ_F_ASYNC_DATA;
	}
}

bool io_uring_try_cancel_uring_cmd(struct io_ring_ctx *ctx,
				   struct io_uring_task *tctx, bool cancel_all)
{
	struct hlist_node *tmp;
	struct io_kiocb *req;
	bool ret = false;

	lockdep_assert_held(&ctx->uring_lock);

	hlist_for_each_entry_safe(req, tmp, &ctx->cancelable_uring_cmd,
			hash_node) {
		struct io_uring_cmd *cmd = io_kiocb_to_cmd(req,
				struct io_uring_cmd);
		struct file *file = req->file;

		if (!cancel_all && req->tctx != tctx)
			continue;

		if (cmd->flags & IORING_URING_CMD_CANCELABLE) {
			/* ->sqe isn't available if no async data */
			if (!req_has_async_data(req))
				cmd->sqe = NULL;
			file->f_op->uring_cmd(cmd, IO_URING_F_CANCEL |
						   IO_URING_F_COMPLETE_DEFER);
			ret = true;
		}
	}
	io_submit_flush_completions(ctx);
	return ret;
}

static void io_uring_cmd_del_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE))
		return;

	cmd->flags &= ~IORING_URING_CMD_CANCELABLE;
	io_ring_submit_lock(ctx, issue_flags);
	hlist_del(&req->hash_node);
	io_ring_submit_unlock(ctx, issue_flags);
}

/*
 * Mark this command as cancelable, then io_uring_try_cancel_uring_cmd()
 * will try to cancel this issued command by calling ->uring_cmd() with
 * issue_flags of IO_URING_F_CANCEL.
 *
 * The command is guaranteed to not be done when calling ->uring_cmd()
 * with IO_URING_F_CANCEL, but it is the driver's responsibility to deal
 * with the race between io_uring cancellation and normal completion.
 */
void io_uring_cmd_mark_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE)) {
		cmd->flags |= IORING_URING_CMD_CANCELABLE;
		io_ring_submit_lock(ctx, issue_flags);
		hlist_add_head(&req->hash_node, &ctx->cancelable_uring_cmd);
		io_ring_submit_unlock(ctx, issue_flags);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_mark_cancelable);
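
/*
 * Illustrative sketch (not part of this file): a driver's ->uring_cmd()
 * handler might mark a long-running command as cancelable, then later
 * handle the IO_URING_F_CANCEL pass issued by
 * io_uring_try_cancel_uring_cmd(). The foo_* names and struct foo_cmd are
 * hypothetical; only io_uring_cmd_mark_cancelable(), IO_URING_F_CANCEL and
 * the -EIOCBQUEUED convention come from this file.
 *
 *	static int foo_uring_cmd(struct io_uring_cmd *cmd,
 *				 unsigned int issue_flags)
 *	{
 *		struct foo_cmd *fc = foo_cmd_from_ioucmd(cmd);
 *
 *		if (issue_flags & IO_URING_F_CANCEL) {
 *			// cancellation pass: the driver must itself handle
 *			// the race against normal completion
 *			foo_abort(fc);
 *			return 0;
 *		}
 *
 *		io_uring_cmd_mark_cancelable(cmd, issue_flags);
 *		foo_submit(fc);
 *		return -EIOCBQUEUED;	// completion is reported later
 *	}
 */
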
static void io_uring_cmd_work(struct io_kiocb *req, struct io_tw_state *ts)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	unsigned int flags = IO_URING_F_COMPLETE_DEFER;

	if (io_should_terminate_tw())
		flags |= IO_URING_F_TASK_DEAD;

	/* task_work executor checks the deferred list completion */
	ioucmd->task_work_cb(ioucmd, flags);
}

void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
			void (*task_work_cb)(struct io_uring_cmd *, unsigned),
			unsigned flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	ioucmd->task_work_cb = task_work_cb;
	req->io_task_work.func = io_uring_cmd_work;
	__io_req_task_work_add(req, flags);
}
EXPORT_SYMBOL_GPL(__io_uring_cmd_do_in_task);

static inline void io_req_set_cqe32_extra(struct io_kiocb *req,
					  u64 extra1, u64 extra2)
{
	req->big_cqe.extra1 = extra1;
	req->big_cqe.extra2 = extra2;
}

/*
 * Called by consumers of io_uring_cmd, if they originally returned
 * -EIOCBQUEUED upon receiving the command.
 */
void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
		       unsigned issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_uring_cmd_del_cancelable(ioucmd, issue_flags);

	if (ret < 0)
		req_set_fail(req);

	io_req_set_res(req, ret, 0);
	if (req->ctx->flags & IORING_SETUP_CQE32)
		io_req_set_cqe32_extra(req, res2, 0);
	io_req_uring_cleanup(req, issue_flags);
	if (req->ctx->flags & IORING_SETUP_IOPOLL) {
		/* order with io_iopoll_req_issued() checking ->iopoll_completed */
		smp_store_release(&req->iopoll_completed, 1);
	} else if (issue_flags & IO_URING_F_COMPLETE_DEFER) {
		if (WARN_ON_ONCE(issue_flags & IO_URING_F_UNLOCKED))
			return;
		io_req_complete_defer(req);
	} else {
		req->io_task_work.func = io_req_task_complete;
		io_req_task_work_add(req);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_done);
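
/*
 * Illustrative sketch (not part of this file): a driver that returned
 * -EIOCBQUEUED typically completes the command from its own (often IRQ)
 * context by bouncing to task_work through __io_uring_cmd_do_in_task() and
 * then calling io_uring_cmd_done() from the callback. The foo_* names are
 * hypothetical; the issue_flags passed to the callback are the ones built by
 * io_uring_cmd_work() above.
 *
 *	static void foo_uring_cmd_complete(struct io_uring_cmd *cmd,
 *					   unsigned int issue_flags)
 *	{
 *		// result and res2 would come from the hypothetical driver
 *		io_uring_cmd_done(cmd, foo_result(cmd), 0, issue_flags);
 *	}
 *
 *	static void foo_irq_complete(struct foo_cmd *fc)
 *	{
 *		__io_uring_cmd_do_in_task(fc->ioucmd, foo_uring_cmd_complete, 0);
 *	}
 */
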
static void io_uring_cmd_init_once(void *obj)
{
	struct io_uring_cmd_data *data = obj;

	data->op_data = NULL;
}

static int io_uring_cmd_prep_setup(struct io_kiocb *req,
				   const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_uring_cmd_data *cache;

	cache = io_uring_alloc_async_data(&req->ctx->uring_cache, req,
					  io_uring_cmd_init_once);
	if (!cache)
		return -ENOMEM;

	if (!(req->flags & REQ_F_FORCE_ASYNC)) {
		/* defer memcpy until we need it */
		ioucmd->sqe = sqe;
		return 0;
	}

	memcpy(req->async_data, sqe, uring_sqe_size(req->ctx));
	ioucmd->sqe = req->async_data;
	return 0;
}

int io_uring_cmd_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);

	if (sqe->__pad1)
		return -EINVAL;

	ioucmd->flags = READ_ONCE(sqe->uring_cmd_flags);
	if (ioucmd->flags & ~IORING_URING_CMD_MASK)
		return -EINVAL;

	if (ioucmd->flags & IORING_URING_CMD_FIXED) {
		struct io_ring_ctx *ctx = req->ctx;
		struct io_rsrc_node *node;
		u16 index = READ_ONCE(sqe->buf_index);

		node = io_rsrc_node_lookup(&ctx->buf_table, index);
		if (unlikely(!node))
			return -EFAULT;
		/*
		 * Pin the node upfront, prior to io_uring_cmd_import_fixed()
		 * being called. This prevents destruction of the mapped buffer
		 * we'll need at actual import time.
		 */
		io_req_assign_buf_node(req, node);
	}
	ioucmd->cmd_op = READ_ONCE(sqe->cmd_op);

	return io_uring_cmd_prep_setup(req, sqe);
}

int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_ring_ctx *ctx = req->ctx;
	struct file *file = req->file;
	int ret;

	if (!file->f_op->uring_cmd)
		return -EOPNOTSUPP;

	ret = security_uring_cmd(ioucmd);
	if (ret)
		return ret;

	if (ctx->flags & IORING_SETUP_SQE128)
		issue_flags |= IO_URING_F_SQE128;
	if (ctx->flags & IORING_SETUP_CQE32)
		issue_flags |= IO_URING_F_CQE32;
	if (ctx->compat)
		issue_flags |= IO_URING_F_COMPAT;
	if (ctx->flags & IORING_SETUP_IOPOLL) {
		if (!file->f_op->uring_cmd_iopoll)
			return -EOPNOTSUPP;
		issue_flags |= IO_URING_F_IOPOLL;
		req->iopoll_completed = 0;
	}

	ret = file->f_op->uring_cmd(ioucmd, issue_flags);
	if (ret == -EAGAIN) {
		struct io_uring_cmd_data *cache = req->async_data;

		if (ioucmd->sqe != (void *) cache)
			memcpy(cache, ioucmd->sqe, uring_sqe_size(req->ctx));
		return -EAGAIN;
	} else if (ret == -EIOCBQUEUED) {
		return -EIOCBQUEUED;
	}

	if (ret < 0)
		req_set_fail(req);
	io_req_uring_cleanup(req, issue_flags);
	io_req_set_res(req, ret, 0);
	return IOU_OK;
}

int io_uring_cmd_import_fixed(u64 ubuf, unsigned long len, int rw,
			      struct iov_iter *iter, void *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);
	struct io_rsrc_node *node = req->buf_node;

	/* Must have had rsrc_node assigned at prep time */
	if (node)
		return io_import_fixed(rw, iter, node->buf, ubuf, len);

	return -EFAULT;
}
EXPORT_SYMBOL_GPL(io_uring_cmd_import_fixed);

void io_uring_cmd_issue_blocking(struct io_uring_cmd *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_req_queue_iowq(req);
}
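
/*
 * Illustrative sketch (not part of this file): a driver handling a command
 * issued with IORING_URING_CMD_FIXED would build an iov_iter over the
 * registered buffer via io_uring_cmd_import_fixed(). The ubuf_addr/ubuf_len
 * values and the foo_do_read() helper are hypothetical; the buf_node this
 * relies on was pinned at prep time in io_uring_cmd_prep() above.
 *
 *	struct iov_iter iter;
 *	int ret;
 *
 *	ret = io_uring_cmd_import_fixed(ubuf_addr, ubuf_len, ITER_DEST,
 *					&iter, cmd);
 *	if (ret)
 *		return ret;
 *	// hand &iter to the driver's data path, e.g. foo_do_read(&iter)
 */
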
static inline int io_uring_cmd_getsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optlen, optname, level, err;
	void __user *optval;

	level = READ_ONCE(cmd->sqe->level);
	if (level != SOL_SOCKET)
		return -EOPNOTSUPP;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);

	err = do_sock_getsockopt(sock, compat, level, optname,
				 USER_SOCKPTR(optval),
				 KERNEL_SOCKPTR(&optlen));
	if (err)
		return err;

	/* On success, return optlen */
	return optlen;
}

static inline int io_uring_cmd_setsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optname, optlen, level;
	void __user *optval;
	sockptr_t optval_s;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);
	level = READ_ONCE(cmd->sqe->level);
	optval_s = USER_SOCKPTR(optval);

	return do_sock_setsockopt(sock, compat, level, optname, optval_s,
				  optlen);
}

#if defined(CONFIG_NET)
int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	struct socket *sock = cmd->file->private_data;
	struct sock *sk = sock->sk;
	struct proto *prot = READ_ONCE(sk->sk_prot);
	int ret, arg = 0;

	if (!prot || !prot->ioctl)
		return -EOPNOTSUPP;

	switch (cmd->sqe->cmd_op) {
	case SOCKET_URING_OP_SIOCINQ:
		ret = prot->ioctl(sk, SIOCINQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_SIOCOUTQ:
		ret = prot->ioctl(sk, SIOCOUTQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_GETSOCKOPT:
		return io_uring_cmd_getsockopt(sock, cmd, issue_flags);
	case SOCKET_URING_OP_SETSOCKOPT:
		return io_uring_cmd_setsockopt(sock, cmd, issue_flags);
	default:
		return -EOPNOTSUPP;
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_sock);
#endif
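
/*
 * Illustrative userspace sketch (not part of this file): SOCKET_URING_OP
 * commands are submitted as IORING_OP_URING_CMD SQEs against a socket fd,
 * with cmd_op selecting the operation; io_uring_cmd_sock() above returns the
 * result in cqe->res. This assumes a liburing-style setup with 'ring' already
 * initialized and 'sockfd' open; both names are placeholders.
 *
 *	struct io_uring_sqe *sqe = io_uring_get_sqe(&ring);
 *
 *	memset(sqe, 0, sizeof(*sqe));
 *	sqe->opcode = IORING_OP_URING_CMD;
 *	sqe->fd = sockfd;
 *	sqe->cmd_op = SOCKET_URING_OP_SIOCINQ;
 *	io_uring_submit(&ring);
 *	// wait for the CQE; cqe->res holds the SIOCINQ value or -errno
 */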