// SPDX-License-Identifier: GPL-2.0
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/file.h>
#include <linux/io_uring/cmd.h>
#include <linux/io_uring/net.h>
#include <linux/security.h>
#include <linux/nospec.h>
#include <net/sock.h>

#include <uapi/linux/io_uring.h>
#include <asm/ioctls.h>

#include "io_uring.h"
#include "alloc_cache.h"
#include "rsrc.h"
#include "uring_cmd.h"

static void io_req_uring_cleanup(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct uring_cache *cache = req->async_data;

	if (issue_flags & IO_URING_F_UNLOCKED)
		return;
	if (io_alloc_cache_put(&req->ctx->uring_cache, cache)) {
		ioucmd->sqe = NULL;
		req->async_data = NULL;
		req->flags &= ~REQ_F_ASYNC_DATA;
	}
}

bool io_uring_try_cancel_uring_cmd(struct io_ring_ctx *ctx,
				   struct io_uring_task *tctx, bool cancel_all)
{
	struct hlist_node *tmp;
	struct io_kiocb *req;
	bool ret = false;

	lockdep_assert_held(&ctx->uring_lock);

	hlist_for_each_entry_safe(req, tmp, &ctx->cancelable_uring_cmd,
				  hash_node) {
		struct io_uring_cmd *cmd = io_kiocb_to_cmd(req,
				struct io_uring_cmd);
		struct file *file = req->file;

		if (!cancel_all && req->tctx != tctx)
			continue;

		if (cmd->flags & IORING_URING_CMD_CANCELABLE) {
			/* ->sqe isn't available if no async data */
			if (!req_has_async_data(req))
				cmd->sqe = NULL;
			file->f_op->uring_cmd(cmd, IO_URING_F_CANCEL |
						   IO_URING_F_COMPLETE_DEFER);
			ret = true;
		}
	}
	io_submit_flush_completions(ctx);
	return ret;
}

static void io_uring_cmd_del_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE))
		return;

	cmd->flags &= ~IORING_URING_CMD_CANCELABLE;
	io_ring_submit_lock(ctx, issue_flags);
	hlist_del(&req->hash_node);
	io_ring_submit_unlock(ctx, issue_flags);
}

/*
 * Mark this command as cancelable, then io_uring_try_cancel_uring_cmd()
 * will try to cancel this issued command by sending ->uring_cmd() with
 * issue_flags of IO_URING_F_CANCEL.
 *
 * The command is guaranteed to not be done when calling ->uring_cmd()
 * with IO_URING_F_CANCEL, but it is the driver's responsibility to deal
 * with the race between io_uring cancelation and normal completion.
 */
void io_uring_cmd_mark_cancelable(struct io_uring_cmd *cmd,
		unsigned int issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(cmd);
	struct io_ring_ctx *ctx = req->ctx;

	if (!(cmd->flags & IORING_URING_CMD_CANCELABLE)) {
		cmd->flags |= IORING_URING_CMD_CANCELABLE;
		io_ring_submit_lock(ctx, issue_flags);
		hlist_add_head(&req->hash_node, &ctx->cancelable_uring_cmd);
		io_ring_submit_unlock(ctx, issue_flags);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_mark_cancelable);
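
/*
 * Illustrative sketch (compiled out): how a driver's ->uring_cmd() handler
 * might use io_uring_cmd_mark_cancelable() and react to IO_URING_F_CANCEL.
 * The foo_* device, queue and abort helpers are made-up names for this
 * example only; they are not part of this file or of any real driver.
 */
#if 0
struct foo_device;
static void foo_try_abort(struct foo_device *fdev, struct io_uring_cmd *cmd);
static void foo_queue(struct foo_device *fdev, struct io_uring_cmd *cmd);

static int foo_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	struct foo_device *fdev = cmd->file->private_data;

	if (issue_flags & IO_URING_F_CANCEL) {
		/*
		 * Best-effort abort; the request still completes through the
		 * normal path, i.e. a later io_uring_cmd_done() call.
		 */
		foo_try_abort(fdev, cmd);
		return 0;
	}

	/* make this request findable by io_uring_try_cancel_uring_cmd() */
	io_uring_cmd_mark_cancelable(cmd, issue_flags);
	foo_queue(fdev, cmd);
	return -EIOCBQUEUED;
}
#endif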

static void io_uring_cmd_work(struct io_kiocb *req, struct io_tw_state *ts)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	unsigned int flags = IO_URING_F_COMPLETE_DEFER;

	if (io_should_terminate_tw())
		flags |= IO_URING_F_TASK_DEAD;

	/* task_work executor checks the deferred list completion */
	ioucmd->task_work_cb(ioucmd, flags);
}

void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
			void (*task_work_cb)(struct io_uring_cmd *, unsigned),
			unsigned flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	ioucmd->task_work_cb = task_work_cb;
	req->io_task_work.func = io_uring_cmd_work;
	__io_req_task_work_add(req, flags);
}
EXPORT_SYMBOL_GPL(__io_uring_cmd_do_in_task);

static inline void io_req_set_cqe32_extra(struct io_kiocb *req,
					  u64 extra1, u64 extra2)
{
	req->big_cqe.extra1 = extra1;
	req->big_cqe.extra2 = extra2;
}

/*
 * Called by consumers of io_uring_cmd, if they originally returned
 * -EIOCBQUEUED upon receiving the command.
 */
void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
		       unsigned issue_flags)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_uring_cmd_del_cancelable(ioucmd, issue_flags);

	if (ret < 0)
		req_set_fail(req);

	io_req_set_res(req, ret, 0);
	if (req->ctx->flags & IORING_SETUP_CQE32)
		io_req_set_cqe32_extra(req, res2, 0);
	io_req_uring_cleanup(req, issue_flags);
	if (req->ctx->flags & IORING_SETUP_IOPOLL) {
		/* order with io_iopoll_req_issued() checking ->iopoll_completed */
		smp_store_release(&req->iopoll_completed, 1);
	} else if (issue_flags & IO_URING_F_COMPLETE_DEFER) {
		if (WARN_ON_ONCE(issue_flags & IO_URING_F_UNLOCKED))
			return;
		io_req_complete_defer(req);
	} else {
		req->io_task_work.func = io_req_task_complete;
		io_req_task_work_add(req);
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_done);
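
/*
 * Illustrative sketch (compiled out): the common asynchronous completion
 * pattern. The driver returns -EIOCBQUEUED from ->uring_cmd(); when the
 * hardware completes in irq context, it bounces to task_work via
 * io_uring_cmd_complete_in_task(), and the callback posts the CQE with
 * io_uring_cmd_done(). The foo_* names and the pdu layout are assumptions
 * made up for this example.
 */
#if 0
struct foo_cmd_pdu {
	int status;
	u64 result;
};

static void foo_uring_cmd_tw(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	struct foo_cmd_pdu *pdu = io_uring_cmd_to_pdu(cmd, struct foo_cmd_pdu);

	/* runs in the submitting task's context; post the CQE from here */
	io_uring_cmd_done(cmd, pdu->status, pdu->result, issue_flags);
}

/* called from the driver's irq completion path */
static void foo_complete_from_irq(struct io_uring_cmd *cmd, int status, u64 result)
{
	struct foo_cmd_pdu *pdu = io_uring_cmd_to_pdu(cmd, struct foo_cmd_pdu);

	pdu->status = status;
	pdu->result = result;
	io_uring_cmd_complete_in_task(cmd, foo_uring_cmd_tw);
}
#endif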

static int io_uring_cmd_prep_setup(struct io_kiocb *req,
				   const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct uring_cache *cache;

	cache = io_uring_alloc_async_data(&req->ctx->uring_cache, req, NULL);
	if (!cache)
		return -ENOMEM;

	if (!(req->flags & REQ_F_FORCE_ASYNC)) {
		/* defer memcpy until we need it */
		ioucmd->sqe = sqe;
		return 0;
	}

	memcpy(req->async_data, sqe, uring_sqe_size(req->ctx));
	ioucmd->sqe = req->async_data;
	return 0;
}

int io_uring_cmd_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);

	if (sqe->__pad1)
		return -EINVAL;

	ioucmd->flags = READ_ONCE(sqe->uring_cmd_flags);
	if (ioucmd->flags & ~IORING_URING_CMD_MASK)
		return -EINVAL;

	if (ioucmd->flags & IORING_URING_CMD_FIXED) {
		struct io_ring_ctx *ctx = req->ctx;
		struct io_rsrc_node *node;
		u16 index = READ_ONCE(sqe->buf_index);

		node = io_rsrc_node_lookup(&ctx->buf_table, index);
		if (unlikely(!node))
			return -EFAULT;
		/*
		 * Pin the node upfront, prior to io_uring_cmd_import_fixed()
		 * being called. This prevents destruction of the mapped buffer
		 * we'll need at actual import time.
		 */
		io_req_assign_buf_node(req, node);
	}
	ioucmd->cmd_op = READ_ONCE(sqe->cmd_op);

	return io_uring_cmd_prep_setup(req, sqe);
}

int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
	struct io_ring_ctx *ctx = req->ctx;
	struct file *file = req->file;
	int ret;

	if (!file->f_op->uring_cmd)
		return -EOPNOTSUPP;

	ret = security_uring_cmd(ioucmd);
	if (ret)
		return ret;

	if (ctx->flags & IORING_SETUP_SQE128)
		issue_flags |= IO_URING_F_SQE128;
	if (ctx->flags & IORING_SETUP_CQE32)
		issue_flags |= IO_URING_F_CQE32;
	if (ctx->compat)
		issue_flags |= IO_URING_F_COMPAT;
	if (ctx->flags & IORING_SETUP_IOPOLL) {
		if (!file->f_op->uring_cmd_iopoll)
			return -EOPNOTSUPP;
		issue_flags |= IO_URING_F_IOPOLL;
		req->iopoll_completed = 0;
	}

	ret = file->f_op->uring_cmd(ioucmd, issue_flags);
	if (ret == -EAGAIN) {
		struct uring_cache *cache = req->async_data;

		if (ioucmd->sqe != (void *) cache)
			memcpy(cache, ioucmd->sqe, uring_sqe_size(req->ctx));
		return -EAGAIN;
	} else if (ret == -EIOCBQUEUED) {
		return -EIOCBQUEUED;
	}

	if (ret < 0)
		req_set_fail(req);
	io_req_uring_cleanup(req, issue_flags);
	io_req_set_res(req, ret, 0);
	return IOU_OK;
}

int io_uring_cmd_import_fixed(u64 ubuf, unsigned long len, int rw,
			      struct iov_iter *iter, void *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);
	struct io_rsrc_node *node = req->buf_node;

	/* Must have had rsrc_node assigned at prep time */
	if (node)
		return io_import_fixed(rw, iter, node->buf, ubuf, len);

	return -EFAULT;
}
EXPORT_SYMBOL_GPL(io_uring_cmd_import_fixed);

void io_uring_cmd_issue_blocking(struct io_uring_cmd *ioucmd)
{
	struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);

	io_req_queue_iowq(req);
}
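
/*
 * Illustrative sketch (compiled out): importing a registered (fixed) buffer
 * from a driver's ->uring_cmd() handler. Assumes the SQE was submitted with
 * IORING_URING_CMD_FIXED so that prep pinned the rsrc node; struct foo_cmd
 * and foo_do_read() are made-up names for the example only.
 */
#if 0
struct foo_cmd {
	u64 addr;
	u32 len;
};

static int foo_do_read(struct io_uring_cmd *cmd, struct iov_iter *iter);

static int foo_uring_cmd_read(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	const struct foo_cmd *fc = io_uring_sqe_cmd(cmd->sqe);
	struct iov_iter iter;
	int ret;

	if (!(cmd->flags & IORING_URING_CMD_FIXED))
		return -EINVAL;

	/* builds a bvec iter over the registered buffer chosen at prep time */
	ret = io_uring_cmd_import_fixed(fc->addr, fc->len, ITER_DEST, &iter, cmd);
	if (ret)
		return ret;

	/* hand the iov_iter to the driver's DMA/copy machinery */
	return foo_do_read(cmd, &iter);
}
#endif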

#if defined(CONFIG_NET)
static inline int io_uring_cmd_getsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optlen, optname, level, err;
	void __user *optval;

	level = READ_ONCE(cmd->sqe->level);
	if (level != SOL_SOCKET)
		return -EOPNOTSUPP;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);

	err = do_sock_getsockopt(sock, compat, level, optname,
				 USER_SOCKPTR(optval),
				 KERNEL_SOCKPTR(&optlen));
	if (err)
		return err;

	/* On success, return optlen */
	return optlen;
}

static inline int io_uring_cmd_setsockopt(struct socket *sock,
					  struct io_uring_cmd *cmd,
					  unsigned int issue_flags)
{
	bool compat = !!(issue_flags & IO_URING_F_COMPAT);
	int optname, optlen, level;
	void __user *optval;
	sockptr_t optval_s;

	optval = u64_to_user_ptr(READ_ONCE(cmd->sqe->optval));
	optname = READ_ONCE(cmd->sqe->optname);
	optlen = READ_ONCE(cmd->sqe->optlen);
	level = READ_ONCE(cmd->sqe->level);
	optval_s = USER_SOCKPTR(optval);

	return do_sock_setsockopt(sock, compat, level, optname, optval_s,
				  optlen);
}

int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags)
{
	struct socket *sock = cmd->file->private_data;
	struct sock *sk = sock->sk;
	struct proto *prot = READ_ONCE(sk->sk_prot);
	int ret, arg = 0;

	if (!prot || !prot->ioctl)
		return -EOPNOTSUPP;

	switch (cmd->sqe->cmd_op) {
	case SOCKET_URING_OP_SIOCINQ:
		ret = prot->ioctl(sk, SIOCINQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_SIOCOUTQ:
		ret = prot->ioctl(sk, SIOCOUTQ, &arg);
		if (ret)
			return ret;
		return arg;
	case SOCKET_URING_OP_GETSOCKOPT:
		return io_uring_cmd_getsockopt(sock, cmd, issue_flags);
	case SOCKET_URING_OP_SETSOCKOPT:
		return io_uring_cmd_setsockopt(sock, cmd, issue_flags);
	default:
		return -EOPNOTSUPP;
	}
}
EXPORT_SYMBOL_GPL(io_uring_cmd_sock);
#endif
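
/*
 * Illustrative sketch (compiled out, userspace): reaching io_uring_cmd_sock()
 * through IORING_OP_URING_CMD with liburing to query SIOCINQ on a socket.
 * Raw SQE setup is shown; socket_pending_bytes() is a made-up helper name and
 * error handling is minimal.
 */
#if 0
#include <liburing.h>

static int socket_pending_bytes(struct io_uring *ring, int sockfd)
{
	struct io_uring_sqe *sqe = io_uring_get_sqe(ring);
	struct io_uring_cqe *cqe;
	int ret;

	io_uring_prep_rw(IORING_OP_URING_CMD, sqe, sockfd, NULL, 0, 0);
	sqe->cmd_op = SOCKET_URING_OP_SIOCINQ;

	io_uring_submit(ring);
	ret = io_uring_wait_cqe(ring, &cqe);
	if (ret)
		return ret;

	ret = cqe->res;		/* >= 0: bytes queued for reading, < 0: -errno */
	io_uring_cqe_seen(ring, cqe);
	return ret;
}
#endif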