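// SPDX-License-Identifier: GPL-2.0
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/file.h>
#include <linux/slab.h>
#include <linux/nospec.h>
#include <linux/io_uring.h>

#include <uapi/linux/io_uring.h>

#include "io_uring.h"
#include "rsrc.h"
#include "filetable.h"
#include "msg_ring.h"


/* All valid masks for MSG_RING */
#define IORING_MSG_RING_MASK		(IORING_MSG_RING_CQE_SKIP | \
					IORING_MSG_RING_FLAGS_PASS)

/*
 * Per-request state for IORING_OP_MSG_RING. Every field except src_file and
 * tw is filled from the SQE in io_msg_ring_prep().
 */
struct io_msg {
	struct file			*file;
	/* reference taken by io_msg_grab_file(); see io_msg_ring_cleanup() */
	struct file			*src_file;
	/* task_work node used when the CQE must be posted by the target task */
	struct callback_head		tw;
	u64 user_data;			/* sqe->off */
	u32 len;			/* sqe->len */
	u32 cmd;			/* sqe->addr: IORING_MSG_DATA or IORING_MSG_SEND_FD */
	u32 src_fd;			/* sqe->addr3: index into the sender's file table */
	union {
		/* both views alias sqe->file_index; which one applies depends on cmd */
		u32 dst_fd;
		u32 cqe_flags;
	};
	u32 flags;			/* sqe->msg_ring_flags, checked against IORING_MSG_RING_MASK */
};

/* Release the target ring's uring_lock taken by io_double_lock_ctx(). */
static void io_double_unlock_ctx(struct io_ring_ctx *octx)
{
	mutex_unlock(&octx->uring_lock);
}

/*
 * Take the target ring's uring_lock.
 *
 * Returns 0 with the lock held, or -EAGAIN if the caller is not running
 * with IO_URING_F_UNLOCKED and the trylock failed.
 */
static int io_double_lock_ctx(struct io_ring_ctx *octx,
			      unsigned int issue_flags)
{
	/*
	 * To ensure proper ordering between the two ctxs, we can only
	 * attempt a trylock on the target. If that fails and we already have
	 * the source ctx lock, punt to io-wq.
	 */
	if (!(issue_flags & IO_URING_F_UNLOCKED)) {
		if (!mutex_trylock(&octx->uring_lock))
			return -EAGAIN;
		return 0;
	}
	mutex_lock(&octx->uring_lock);
	return 0;
}

/*
 * Drop the file reference still held in msg->src_file. io_msg_send_fd()
 * sets REQ_F_NEED_CLEANUP when it stores that reference, and
 * io_msg_install_complete() clears both once the file has been installed
 * in the target, so a NULL src_file here is unexpected and only warned on.
 */
void io_msg_ring_cleanup(struct io_kiocb *req)
{
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);

	if (WARN_ON_ONCE(!msg->src_file))
		return;

	fput(msg->src_file);
	msg->src_file = NULL;
}

/*
 * True when the target ring has task_complete set and the current task is
 * not its submitter_task, i.e. the work has to be handed to that task.
 */
static inline bool io_msg_need_remote(struct io_ring_ctx *target_ctx)
{
	if (!target_ctx->task_complete)
		return false;
	return current != target_ctx->submitter_task;
}

/*
 * Queue @func as task_work on the target ring's submitter task.
 *
 * Returns IOU_ISSUE_SKIP_COMPLETE once the work is queued (the callback
 * completes the request), or -EOWNERDEAD if the target has no submitter
 * task or the task_work could not be added.
 */
static int io_msg_exec_remote(struct io_kiocb *req, task_work_func_t func)
{
	struct io_ring_ctx *ctx = req->file->private_data;
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	struct task_struct *task = READ_ONCE(ctx->submitter_task);

	if (unlikely(!task))
		return -EOWNERDEAD;

	init_task_work(&msg->tw, func);
	/*
	 * Queue on the snapshot that was NULL-checked above. Re-reading
	 * ctx->submitter_task here would be a second fetch of a field that
	 * the READ_ONCE() treats as concurrently updatable, and the value
	 * passed to task_work_add() would no longer be the one validated.
	 */
	if (task_work_add(task, &msg->tw, TWA_SIGNAL))
		return -EOWNERDEAD;

	return IOU_ISSUE_SKIP_COMPLETE;
}

/*
 * task_work callback for IORING_MSG_DATA: post the CQE to the target ring
 * and complete the sending request with the outcome. Fails the request
 * with -EOWNERDEAD if the task running the callback is exiting, and with
 * -EOVERFLOW if the CQE could not be posted.
 */
static void io_msg_tw_complete(struct callback_head *head)
{
	struct io_msg *msg = container_of(head, struct io_msg, tw);
	struct io_kiocb *req = cmd_to_io_kiocb(msg);
	struct io_ring_ctx *target_ctx = req->file->private_data;
	int ret = 0;

	if (current->flags & PF_EXITING) {
		ret = -EOWNERDEAD;
	} else {
		u32 flags = 0;

		/* sender-chosen CQE flags are forwarded only on explicit opt-in */
		if (msg->flags & IORING_MSG_RING_FLAGS_PASS)
			flags = msg->cqe_flags;

		/*
		 * If the target ring is using IOPOLL mode, then we need to be
		 * holding the uring_lock for posting completions. Other ring
		 * types rely on the regular completion locking, which is
		 * handled while posting.
		 */
		if (target_ctx->flags & IORING_SETUP_IOPOLL)
			mutex_lock(&target_ctx->uring_lock);
		if (!io_post_aux_cqe(target_ctx, msg->user_data, msg->len, flags))
			ret = -EOVERFLOW;
		if (target_ctx->flags & IORING_SETUP_IOPOLL)
			mutex_unlock(&target_ctx->uring_lock);
	}

	if (ret < 0)
		req_set_fail(req);
	io_req_queue_tw_complete(req, ret);
}

/*
 * IORING_MSG_DATA: post a CQE carrying (user_data, len) to the target ring.
 *
 * Returns 0 on success, -EINVAL for field combinations that are not valid
 * for this command, -EBADFD if the target ring is still disabled, -EAGAIN
 * if the target lock could not be taken, -EOVERFLOW if the CQE could not be
 * posted, or the result of io_msg_exec_remote() when the post has to be
 * done by the target's submitter task.
 */
static int io_msg_ring_data(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_ring_ctx *target_ctx = req->file->private_data;
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	u32 flags = 0;
	int ret;

	/* only FLAGS_PASS is accepted here; src_fd has no meaning for data */
	if (msg->src_fd || msg->flags & ~IORING_MSG_RING_FLAGS_PASS)
		return -EINVAL;
	/* dst_fd aliases cqe_flags, so it must be zero unless flags are passed */
	if (!(msg->flags & IORING_MSG_RING_FLAGS_PASS) && msg->dst_fd)
		return -EINVAL;
	/* checked before io_msg_exec_remote(), which needs submitter_task */
	if (target_ctx->flags & IORING_SETUP_R_DISABLED)
		return -EBADFD;

	if (io_msg_need_remote(target_ctx))
		return io_msg_exec_remote(req, io_msg_tw_complete);

	if (msg->flags & IORING_MSG_RING_FLAGS_PASS)
		flags = msg->cqe_flags;

	ret = -EOVERFLOW;
	if (target_ctx->flags & IORING_SETUP_IOPOLL) {
		/* IOPOLL targets need uring_lock held while posting the CQE */
		if (unlikely(io_double_lock_ctx(target_ctx, issue_flags)))
			return -EAGAIN;
		if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, flags))
			ret = 0;
		io_double_unlock_ctx(target_ctx);
	} else {
		if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, flags))
			ret = 0;
	}
	return ret;
}

/*
 * Look up msg->src_fd in the sending ring's file table and take a
 * reference on the file found there. The lookup and get_file() both happen
 * between io_ring_submit_lock() and io_ring_submit_unlock().
 *
 * Returns the referenced file, or NULL if the index is out of range or the
 * slot is empty.
 */
static struct file *io_msg_grab_file(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	struct io_ring_ctx *ctx = req->ctx;
	struct file *file = NULL;
	/*
	 * NOTE(review): src_fd is a u32 from the SQE stored in a signed int.
	 * The range check below rejects values above INT_MAX only if
	 * ctx->nr_user_files is unsigned, which makes the comparison
	 * unsigned; confirm against the io_ring_ctx definition.
	 */
	int idx = msg->src_fd;

	io_ring_submit_lock(ctx, issue_flags);
	if (likely(idx < ctx->nr_user_files)) {
		/* clamp the index so it cannot be used out of bounds speculatively */
		idx = array_index_nospec(idx, ctx->nr_user_files);
		file = io_file_from_index(&ctx->file_table, idx);
		if (file)
			get_file(file);
	}
	io_ring_submit_unlock(ctx, issue_flags);
	return file;
}

/*
 * Install msg->src_file into the target ring at msg->dst_fd and, unless
 * IORING_MSG_RING_CQE_SKIP is set, notify the target with a CQE.
 *
 * Returns the result of __io_fixed_fd_install() on success, its negative
 * error on failure, -EAGAIN if the target lock could not be taken, or
 * -EOVERFLOW if the file was installed but the CQE could not be posted.
 */
static int io_msg_install_complete(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_ring_ctx *target_ctx = req->file->private_data;
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	struct file *src_file = msg->src_file;
	int ret;

	if (unlikely(io_double_lock_ctx(target_ctx, issue_flags)))
		return -EAGAIN;

	ret = __io_fixed_fd_install(target_ctx, src_file, msg->dst_fd);
	if (ret < 0)
		goto out_unlock;

	/*
	 * The install succeeded, so forget the pointer and clear
	 * REQ_F_NEED_CLEANUP: io_msg_ring_cleanup() must not fput() this
	 * file afterwards.
	 */
	msg->src_file = NULL;
	req->flags &= ~REQ_F_NEED_CLEANUP;

	if (msg->flags & IORING_MSG_RING_CQE_SKIP)
		goto out_unlock;
	/*
	 * If this fails, the target still received the file descriptor but
	 * wasn't notified of the fact. This means that if this request
	 * completes with -EOVERFLOW, then the sender must ensure that a
	 * later IORING_OP_MSG_RING delivers the message.
	 */
	if (!io_post_aux_cqe(target_ctx, msg->user_data, ret, 0))
		ret = -EOVERFLOW;
out_unlock:
	io_double_unlock_ctx(target_ctx);
	return ret;
}

/*
 * task_work callback for IORING_MSG_SEND_FD: perform the install, then
 * complete the sending request. The install is skipped and the request
 * failed with -EOWNERDEAD if the task running the callback is exiting.
 */
static void io_msg_tw_fd_complete(struct callback_head *head)
{
	struct io_msg *msg = container_of(head, struct io_msg, tw);
	struct io_kiocb *req = cmd_to_io_kiocb(msg);
	int ret = -EOWNERDEAD;

	if (!(current->flags & PF_EXITING))
		ret = io_msg_install_complete(req, IO_URING_F_UNLOCKED);
	if (ret < 0)
		req_set_fail(req);
	io_req_queue_tw_complete(req, ret);
}

/*
 * IORING_MSG_SEND_FD: pass a file from the sender's file table to the
 * target ring.
 *
 * Returns -EINVAL if len is non-zero or the target is the sending ring,
 * -EBADFD if the target ring is still disabled, -EBADF if src_fd does not
 * name a file, otherwise the result of the remote or local install path.
 */
static int io_msg_send_fd(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_ring_ctx *target_ctx = req->file->private_data;
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	struct io_ring_ctx *ctx = req->ctx;
	struct file *src_file = msg->src_file;

	if (msg->len)
		return -EINVAL;
	if (target_ctx == ctx)
		return -EINVAL;
	if (target_ctx->flags & IORING_SETUP_R_DISABLED)
		return -EBADFD;
	/*
	 * src_file is already set when the request is issued again after an
	 * earlier -EAGAIN; grab the file (and a reference) only once.
	 */
	if (!src_file) {
		src_file = io_msg_grab_file(req, issue_flags);
		if (!src_file)
			return -EBADF;
		msg->src_file = src_file;
		/* from here on the reference is dropped by io_msg_ring_cleanup() */
		req->flags |= REQ_F_NEED_CLEANUP;
	}

	if (io_msg_need_remote(target_ctx))
		return io_msg_exec_remote(req, io_msg_tw_fd_complete);
	return io_msg_install_complete(req, issue_flags);
}

/*
 * Copy the MSG_RING parameters out of the SQE into the request.
 *
 * Each SQE field is fetched exactly once with READ_ONCE(), so every later
 * check operates on the stored copy rather than on the SQE itself.
 * Returns -EINVAL if buf_index or personality is set, or if msg_ring_flags
 * has bits outside IORING_MSG_RING_MASK; 0 otherwise.
 */
int io_msg_ring_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);

	if (unlikely(sqe->buf_index || sqe->personality))
		return -EINVAL;

	msg->src_file = NULL;
	msg->user_data = READ_ONCE(sqe->off);
	msg->len = READ_ONCE(sqe->len);
	msg->cmd = READ_ONCE(sqe->addr);
	msg->src_fd = READ_ONCE(sqe->addr3);
	msg->dst_fd = READ_ONCE(sqe->file_index);
	msg->flags = READ_ONCE(sqe->msg_ring_flags);
	if (msg->flags & ~IORING_MSG_RING_MASK)
		return -EINVAL;

	return 0;
}

/*
 * Issue handler for IORING_OP_MSG_RING.
 *
 * Returns -EAGAIN or IOU_ISSUE_SKIP_COMPLETE unchanged when a handler
 * produced them; in every other case the result is stored on the request
 * (marking it failed when negative) and IOU_OK is returned.
 */
int io_msg_ring(struct io_kiocb *req, unsigned int issue_flags)
{
	struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg);
	int ret;

	/*
	 * The handlers below treat req->file->private_data as a
	 * struct io_ring_ctx, so the file must be verified to be an io_uring
	 * file before any of them runs.
	 */
	ret = -EBADFD;
	if (!io_is_uring_fops(req->file))
		goto done;

	switch (msg->cmd) {
	case IORING_MSG_DATA:
		ret = io_msg_ring_data(req, issue_flags);
		break;
	case IORING_MSG_SEND_FD:
		ret = io_msg_send_fd(req, issue_flags);
		break;
	default:
		ret = -EINVAL;
		break;
	}

done:
	if (ret < 0) {
		/* neither value is a final result, so the request is not failed */
		if (ret == -EAGAIN || ret == IOU_ISSUE_SKIP_COMPLETE)
			return ret;
		req_set_fail(req);
	}
	io_req_set_res(req, ret, 0);
	return IOU_OK;
}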