1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
4 #include <linux/fs.h>
5 #include <linux/file.h>
6 #include <linux/mm.h>
7 #include <linux/slab.h>
8 #include <linux/nospec.h>
9 #include <linux/hugetlb.h>
10 #include <linux/compat.h>
11 #include <linux/io_uring.h>
12 
13 #include <uapi/linux/io_uring.h>
14 
15 #include "io_uring.h"
16 #include "alloc_cache.h"
17 #include "openclose.h"
18 #include "rsrc.h"
19 #include "memmap.h"
20 #include "register.h"
21 
22 struct io_rsrc_update {
23 	struct file			*file;
24 	u64				arg;
25 	u32				nr_args;
26 	u32				offset;
27 };
28 
29 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc);
30 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
31 				  struct io_mapped_ubuf **pimu,
32 				  struct page **last_hpage);
33 
34 /* only define max */
35 #define IORING_MAX_FIXED_FILES	(1U << 20)
36 #define IORING_MAX_REG_BUFFERS	(1U << 14)
37 
38 static const struct io_mapped_ubuf dummy_ubuf = {
39 	/* set invalid range, so io_import_fixed() fails meeting it */
40 	.ubuf = -1UL,
41 	.len = UINT_MAX,
42 };
43 
__io_account_mem(struct user_struct * user,unsigned long nr_pages)44 int __io_account_mem(struct user_struct *user, unsigned long nr_pages)
45 {
46 	unsigned long page_limit, cur_pages, new_pages;
47 
48 	if (!nr_pages)
49 		return 0;
50 
51 	/* Don't allow more pages than we can safely lock */
52 	page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
53 
54 	cur_pages = atomic_long_read(&user->locked_vm);
55 	do {
56 		new_pages = cur_pages + nr_pages;
57 		if (new_pages > page_limit)
58 			return -ENOMEM;
59 	} while (!atomic_long_try_cmpxchg(&user->locked_vm,
60 					  &cur_pages, new_pages));
61 	return 0;
62 }
63 
io_unaccount_mem(struct io_ring_ctx * ctx,unsigned long nr_pages)64 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
65 {
66 	if (ctx->user)
67 		__io_unaccount_mem(ctx->user, nr_pages);
68 
69 	if (ctx->mm_account)
70 		atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
71 }
72 
io_account_mem(struct io_ring_ctx * ctx,unsigned long nr_pages)73 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
74 {
75 	int ret;
76 
77 	if (ctx->user) {
78 		ret = __io_account_mem(ctx->user, nr_pages);
79 		if (ret)
80 			return ret;
81 	}
82 
83 	if (ctx->mm_account)
84 		atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
85 
86 	return 0;
87 }
88 
io_buffer_validate(struct iovec * iov)89 static int io_buffer_validate(struct iovec *iov)
90 {
91 	unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
92 
93 	/*
94 	 * Don't impose further limits on the size and buffer
95 	 * constraints here, we'll -EINVAL later when IO is
96 	 * submitted if they are wrong.
97 	 */
98 	if (!iov->iov_base)
99 		return iov->iov_len ? -EFAULT : 0;
100 	if (!iov->iov_len)
101 		return -EFAULT;
102 
103 	/* arbitrary limit, but we need something */
104 	if (iov->iov_len > SZ_1G)
105 		return -EFAULT;
106 
107 	if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
108 		return -EOVERFLOW;
109 
110 	return 0;
111 }
112 
io_buffer_unmap(struct io_ring_ctx * ctx,struct io_mapped_ubuf ** slot)113 static void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)
114 {
115 	struct io_mapped_ubuf *imu = *slot;
116 	unsigned int i;
117 
118 	*slot = NULL;
119 	if (imu != &dummy_ubuf) {
120 		if (!refcount_dec_and_test(&imu->refs))
121 			return;
122 		for (i = 0; i < imu->nr_bvecs; i++)
123 			unpin_user_page(imu->bvec[i].bv_page);
124 		if (imu->acct_pages)
125 			io_unaccount_mem(ctx, imu->acct_pages);
126 		kvfree(imu);
127 	}
128 }
129 
io_rsrc_put_work(struct io_rsrc_node * node)130 static void io_rsrc_put_work(struct io_rsrc_node *node)
131 {
132 	struct io_rsrc_put *prsrc = &node->item;
133 
134 	if (prsrc->tag)
135 		io_post_aux_cqe(node->ctx, prsrc->tag, 0, 0);
136 
137 	switch (node->type) {
138 	case IORING_RSRC_FILE:
139 		fput(prsrc->file);
140 		break;
141 	case IORING_RSRC_BUFFER:
142 		io_rsrc_buf_put(node->ctx, prsrc);
143 		break;
144 	default:
145 		WARN_ON_ONCE(1);
146 		break;
147 	}
148 }
149 
io_rsrc_node_destroy(struct io_ring_ctx * ctx,struct io_rsrc_node * node)150 void io_rsrc_node_destroy(struct io_ring_ctx *ctx, struct io_rsrc_node *node)
151 {
152 	if (!io_alloc_cache_put(&ctx->rsrc_node_cache, node))
153 		kfree(node);
154 }
155 
io_rsrc_node_ref_zero(struct io_rsrc_node * node)156 void io_rsrc_node_ref_zero(struct io_rsrc_node *node)
157 	__must_hold(&node->ctx->uring_lock)
158 {
159 	struct io_ring_ctx *ctx = node->ctx;
160 
161 	while (!list_empty(&ctx->rsrc_ref_list)) {
162 		node = list_first_entry(&ctx->rsrc_ref_list,
163 					    struct io_rsrc_node, node);
164 		/* recycle ref nodes in order */
165 		if (node->refs)
166 			break;
167 		list_del(&node->node);
168 
169 		if (likely(!node->empty))
170 			io_rsrc_put_work(node);
171 		io_rsrc_node_destroy(ctx, node);
172 	}
173 	if (list_empty(&ctx->rsrc_ref_list) && unlikely(ctx->rsrc_quiesce))
174 		wake_up_all(&ctx->rsrc_quiesce_wq);
175 }
176 
io_rsrc_node_alloc(struct io_ring_ctx * ctx)177 struct io_rsrc_node *io_rsrc_node_alloc(struct io_ring_ctx *ctx)
178 {
179 	struct io_rsrc_node *ref_node;
180 
181 	ref_node = io_alloc_cache_get(&ctx->rsrc_node_cache);
182 	if (!ref_node) {
183 		ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
184 		if (!ref_node)
185 			return NULL;
186 	}
187 
188 	ref_node->ctx = ctx;
189 	ref_node->empty = 0;
190 	ref_node->refs = 1;
191 	return ref_node;
192 }
193 
io_rsrc_ref_quiesce(struct io_rsrc_data * data,struct io_ring_ctx * ctx)194 __cold static int io_rsrc_ref_quiesce(struct io_rsrc_data *data,
195 				      struct io_ring_ctx *ctx)
196 {
197 	struct io_rsrc_node *backup;
198 	DEFINE_WAIT(we);
199 	int ret;
200 
201 	/* As We may drop ->uring_lock, other task may have started quiesce */
202 	if (data->quiesce)
203 		return -ENXIO;
204 
205 	backup = io_rsrc_node_alloc(ctx);
206 	if (!backup)
207 		return -ENOMEM;
208 	ctx->rsrc_node->empty = true;
209 	ctx->rsrc_node->type = -1;
210 	list_add_tail(&ctx->rsrc_node->node, &ctx->rsrc_ref_list);
211 	io_put_rsrc_node(ctx, ctx->rsrc_node);
212 	ctx->rsrc_node = backup;
213 
214 	if (list_empty(&ctx->rsrc_ref_list))
215 		return 0;
216 
217 	if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) {
218 		atomic_set(&ctx->cq_wait_nr, 1);
219 		smp_mb();
220 	}
221 
222 	ctx->rsrc_quiesce++;
223 	data->quiesce = true;
224 	do {
225 		prepare_to_wait(&ctx->rsrc_quiesce_wq, &we, TASK_INTERRUPTIBLE);
226 		mutex_unlock(&ctx->uring_lock);
227 
228 		ret = io_run_task_work_sig(ctx);
229 		if (ret < 0) {
230 			finish_wait(&ctx->rsrc_quiesce_wq, &we);
231 			mutex_lock(&ctx->uring_lock);
232 			if (list_empty(&ctx->rsrc_ref_list))
233 				ret = 0;
234 			break;
235 		}
236 
237 		schedule();
238 		mutex_lock(&ctx->uring_lock);
239 		ret = 0;
240 	} while (!list_empty(&ctx->rsrc_ref_list));
241 
242 	finish_wait(&ctx->rsrc_quiesce_wq, &we);
243 	data->quiesce = false;
244 	ctx->rsrc_quiesce--;
245 
246 	if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) {
247 		atomic_set(&ctx->cq_wait_nr, 0);
248 		smp_mb();
249 	}
250 	return ret;
251 }
252 
io_free_page_table(void ** table,size_t size)253 static void io_free_page_table(void **table, size_t size)
254 {
255 	unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
256 
257 	for (i = 0; i < nr_tables; i++)
258 		kfree(table[i]);
259 	kfree(table);
260 }
261 
io_rsrc_data_free(struct io_rsrc_data * data)262 static void io_rsrc_data_free(struct io_rsrc_data *data)
263 {
264 	size_t size = data->nr * sizeof(data->tags[0][0]);
265 
266 	if (data->tags)
267 		io_free_page_table((void **)data->tags, size);
268 	kfree(data);
269 }
270 
io_alloc_page_table(size_t size)271 static __cold void **io_alloc_page_table(size_t size)
272 {
273 	unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
274 	size_t init_size = size;
275 	void **table;
276 
277 	table = kcalloc(nr_tables, sizeof(*table), GFP_KERNEL_ACCOUNT);
278 	if (!table)
279 		return NULL;
280 
281 	for (i = 0; i < nr_tables; i++) {
282 		unsigned int this_size = min_t(size_t, size, PAGE_SIZE);
283 
284 		table[i] = kzalloc(this_size, GFP_KERNEL_ACCOUNT);
285 		if (!table[i]) {
286 			io_free_page_table(table, init_size);
287 			return NULL;
288 		}
289 		size -= this_size;
290 	}
291 	return table;
292 }
293 
io_rsrc_data_alloc(struct io_ring_ctx * ctx,int type,u64 __user * utags,unsigned nr,struct io_rsrc_data ** pdata)294 __cold static int io_rsrc_data_alloc(struct io_ring_ctx *ctx, int type,
295 				     u64 __user *utags,
296 				     unsigned nr, struct io_rsrc_data **pdata)
297 {
298 	struct io_rsrc_data *data;
299 	int ret = 0;
300 	unsigned i;
301 
302 	data = kzalloc(sizeof(*data), GFP_KERNEL);
303 	if (!data)
304 		return -ENOMEM;
305 	data->tags = (u64 **)io_alloc_page_table(nr * sizeof(data->tags[0][0]));
306 	if (!data->tags) {
307 		kfree(data);
308 		return -ENOMEM;
309 	}
310 
311 	data->nr = nr;
312 	data->ctx = ctx;
313 	data->rsrc_type = type;
314 	if (utags) {
315 		ret = -EFAULT;
316 		for (i = 0; i < nr; i++) {
317 			u64 *tag_slot = io_get_tag_slot(data, i);
318 
319 			if (copy_from_user(tag_slot, &utags[i],
320 					   sizeof(*tag_slot)))
321 				goto fail;
322 		}
323 	}
324 	*pdata = data;
325 	return 0;
326 fail:
327 	io_rsrc_data_free(data);
328 	return ret;
329 }
330 
__io_sqe_files_update(struct io_ring_ctx * ctx,struct io_uring_rsrc_update2 * up,unsigned nr_args)331 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
332 				 struct io_uring_rsrc_update2 *up,
333 				 unsigned nr_args)
334 {
335 	u64 __user *tags = u64_to_user_ptr(up->tags);
336 	__s32 __user *fds = u64_to_user_ptr(up->data);
337 	struct io_rsrc_data *data = ctx->file_data;
338 	struct io_fixed_file *file_slot;
339 	int fd, i, err = 0;
340 	unsigned int done;
341 
342 	if (!ctx->file_data)
343 		return -ENXIO;
344 	if (up->offset + nr_args > ctx->nr_user_files)
345 		return -EINVAL;
346 
347 	for (done = 0; done < nr_args; done++) {
348 		u64 tag = 0;
349 
350 		if ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||
351 		    copy_from_user(&fd, &fds[done], sizeof(fd))) {
352 			err = -EFAULT;
353 			break;
354 		}
355 		if ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) {
356 			err = -EINVAL;
357 			break;
358 		}
359 		if (fd == IORING_REGISTER_FILES_SKIP)
360 			continue;
361 
362 		i = array_index_nospec(up->offset + done, ctx->nr_user_files);
363 		file_slot = io_fixed_file_slot(&ctx->file_table, i);
364 
365 		if (file_slot->file_ptr) {
366 			err = io_queue_rsrc_removal(data, i,
367 						    io_slot_file(file_slot));
368 			if (err)
369 				break;
370 			file_slot->file_ptr = 0;
371 			io_file_bitmap_clear(&ctx->file_table, i);
372 		}
373 		if (fd != -1) {
374 			struct file *file = fget(fd);
375 
376 			if (!file) {
377 				err = -EBADF;
378 				break;
379 			}
380 			/*
381 			 * Don't allow io_uring instances to be registered.
382 			 */
383 			if (io_is_uring_fops(file)) {
384 				fput(file);
385 				err = -EBADF;
386 				break;
387 			}
388 			*io_get_tag_slot(data, i) = tag;
389 			io_fixed_file_set(file_slot, file);
390 			io_file_bitmap_set(&ctx->file_table, i);
391 		}
392 	}
393 	return done ? done : err;
394 }
395 
__io_sqe_buffers_update(struct io_ring_ctx * ctx,struct io_uring_rsrc_update2 * up,unsigned int nr_args)396 static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
397 				   struct io_uring_rsrc_update2 *up,
398 				   unsigned int nr_args)
399 {
400 	u64 __user *tags = u64_to_user_ptr(up->tags);
401 	struct iovec fast_iov, *iov;
402 	struct page *last_hpage = NULL;
403 	struct iovec __user *uvec;
404 	u64 user_data = up->data;
405 	__u32 done;
406 	int i, err;
407 
408 	if (!ctx->buf_data)
409 		return -ENXIO;
410 	if (up->offset + nr_args > ctx->nr_user_bufs)
411 		return -EINVAL;
412 
413 	for (done = 0; done < nr_args; done++) {
414 		struct io_mapped_ubuf *imu;
415 		u64 tag = 0;
416 
417 		uvec = u64_to_user_ptr(user_data);
418 		iov = iovec_from_user(uvec, 1, 1, &fast_iov, ctx->compat);
419 		if (IS_ERR(iov)) {
420 			err = PTR_ERR(iov);
421 			break;
422 		}
423 		if (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {
424 			err = -EFAULT;
425 			break;
426 		}
427 		err = io_buffer_validate(iov);
428 		if (err)
429 			break;
430 		if (!iov->iov_base && tag) {
431 			err = -EINVAL;
432 			break;
433 		}
434 		err = io_sqe_buffer_register(ctx, iov, &imu, &last_hpage);
435 		if (err)
436 			break;
437 
438 		i = array_index_nospec(up->offset + done, ctx->nr_user_bufs);
439 		if (ctx->user_bufs[i] != &dummy_ubuf) {
440 			err = io_queue_rsrc_removal(ctx->buf_data, i,
441 						    ctx->user_bufs[i]);
442 			if (unlikely(err)) {
443 				io_buffer_unmap(ctx, &imu);
444 				break;
445 			}
446 			ctx->user_bufs[i] = (struct io_mapped_ubuf *)&dummy_ubuf;
447 		}
448 
449 		ctx->user_bufs[i] = imu;
450 		*io_get_tag_slot(ctx->buf_data, i) = tag;
451 		if (ctx->compat)
452 			user_data += sizeof(struct compat_iovec);
453 		else
454 			user_data += sizeof(struct iovec);
455 	}
456 	return done ? done : err;
457 }
458 
__io_register_rsrc_update(struct io_ring_ctx * ctx,unsigned type,struct io_uring_rsrc_update2 * up,unsigned nr_args)459 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
460 				     struct io_uring_rsrc_update2 *up,
461 				     unsigned nr_args)
462 {
463 	__u32 tmp;
464 
465 	lockdep_assert_held(&ctx->uring_lock);
466 
467 	if (check_add_overflow(up->offset, nr_args, &tmp))
468 		return -EOVERFLOW;
469 
470 	switch (type) {
471 	case IORING_RSRC_FILE:
472 		return __io_sqe_files_update(ctx, up, nr_args);
473 	case IORING_RSRC_BUFFER:
474 		return __io_sqe_buffers_update(ctx, up, nr_args);
475 	}
476 	return -EINVAL;
477 }
478 
io_register_files_update(struct io_ring_ctx * ctx,void __user * arg,unsigned nr_args)479 int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,
480 			     unsigned nr_args)
481 {
482 	struct io_uring_rsrc_update2 up;
483 
484 	if (!nr_args)
485 		return -EINVAL;
486 	memset(&up, 0, sizeof(up));
487 	if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))
488 		return -EFAULT;
489 	if (up.resv || up.resv2)
490 		return -EINVAL;
491 	return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);
492 }
493 
io_register_rsrc_update(struct io_ring_ctx * ctx,void __user * arg,unsigned size,unsigned type)494 int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
495 			    unsigned size, unsigned type)
496 {
497 	struct io_uring_rsrc_update2 up;
498 
499 	if (size != sizeof(up))
500 		return -EINVAL;
501 	if (copy_from_user(&up, arg, sizeof(up)))
502 		return -EFAULT;
503 	if (!up.nr || up.resv || up.resv2)
504 		return -EINVAL;
505 	return __io_register_rsrc_update(ctx, type, &up, up.nr);
506 }
507 
io_register_rsrc(struct io_ring_ctx * ctx,void __user * arg,unsigned int size,unsigned int type)508 __cold int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
509 			    unsigned int size, unsigned int type)
510 {
511 	struct io_uring_rsrc_register rr;
512 
513 	/* keep it extendible */
514 	if (size != sizeof(rr))
515 		return -EINVAL;
516 
517 	memset(&rr, 0, sizeof(rr));
518 	if (copy_from_user(&rr, arg, size))
519 		return -EFAULT;
520 	if (!rr.nr || rr.resv2)
521 		return -EINVAL;
522 	if (rr.flags & ~IORING_RSRC_REGISTER_SPARSE)
523 		return -EINVAL;
524 
525 	switch (type) {
526 	case IORING_RSRC_FILE:
527 		if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
528 			break;
529 		return io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),
530 					     rr.nr, u64_to_user_ptr(rr.tags));
531 	case IORING_RSRC_BUFFER:
532 		if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
533 			break;
534 		return io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),
535 					       rr.nr, u64_to_user_ptr(rr.tags));
536 	}
537 	return -EINVAL;
538 }
539 
io_files_update_prep(struct io_kiocb * req,const struct io_uring_sqe * sqe)540 int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
541 {
542 	struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
543 
544 	if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
545 		return -EINVAL;
546 	if (sqe->rw_flags || sqe->splice_fd_in)
547 		return -EINVAL;
548 
549 	up->offset = READ_ONCE(sqe->off);
550 	up->nr_args = READ_ONCE(sqe->len);
551 	if (!up->nr_args)
552 		return -EINVAL;
553 	up->arg = READ_ONCE(sqe->addr);
554 	return 0;
555 }
556 
io_files_update_with_index_alloc(struct io_kiocb * req,unsigned int issue_flags)557 static int io_files_update_with_index_alloc(struct io_kiocb *req,
558 					    unsigned int issue_flags)
559 {
560 	struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
561 	__s32 __user *fds = u64_to_user_ptr(up->arg);
562 	unsigned int done;
563 	struct file *file;
564 	int ret, fd;
565 
566 	if (!req->ctx->file_data)
567 		return -ENXIO;
568 
569 	for (done = 0; done < up->nr_args; done++) {
570 		if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
571 			ret = -EFAULT;
572 			break;
573 		}
574 
575 		file = fget(fd);
576 		if (!file) {
577 			ret = -EBADF;
578 			break;
579 		}
580 		ret = io_fixed_fd_install(req, issue_flags, file,
581 					  IORING_FILE_INDEX_ALLOC);
582 		if (ret < 0)
583 			break;
584 		if (copy_to_user(&fds[done], &ret, sizeof(ret))) {
585 			__io_close_fixed(req->ctx, issue_flags, ret);
586 			ret = -EFAULT;
587 			break;
588 		}
589 	}
590 
591 	if (done)
592 		return done;
593 	return ret;
594 }
595 
io_files_update(struct io_kiocb * req,unsigned int issue_flags)596 int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
597 {
598 	struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
599 	struct io_ring_ctx *ctx = req->ctx;
600 	struct io_uring_rsrc_update2 up2;
601 	int ret;
602 
603 	up2.offset = up->offset;
604 	up2.data = up->arg;
605 	up2.nr = 0;
606 	up2.tags = 0;
607 	up2.resv = 0;
608 	up2.resv2 = 0;
609 
610 	if (up->offset == IORING_FILE_INDEX_ALLOC) {
611 		ret = io_files_update_with_index_alloc(req, issue_flags);
612 	} else {
613 		io_ring_submit_lock(ctx, issue_flags);
614 		ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
615 						&up2, up->nr_args);
616 		io_ring_submit_unlock(ctx, issue_flags);
617 	}
618 
619 	if (ret < 0)
620 		req_set_fail(req);
621 	io_req_set_res(req, ret, 0);
622 	return IOU_OK;
623 }
624 
io_queue_rsrc_removal(struct io_rsrc_data * data,unsigned idx,void * rsrc)625 int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx, void *rsrc)
626 {
627 	struct io_ring_ctx *ctx = data->ctx;
628 	struct io_rsrc_node *node = ctx->rsrc_node;
629 	u64 *tag_slot = io_get_tag_slot(data, idx);
630 
631 	ctx->rsrc_node = io_rsrc_node_alloc(ctx);
632 	if (unlikely(!ctx->rsrc_node)) {
633 		ctx->rsrc_node = node;
634 		return -ENOMEM;
635 	}
636 
637 	node->item.rsrc = rsrc;
638 	node->type = data->rsrc_type;
639 	node->item.tag = *tag_slot;
640 	*tag_slot = 0;
641 	list_add_tail(&node->node, &ctx->rsrc_ref_list);
642 	io_put_rsrc_node(ctx, node);
643 	return 0;
644 }
645 
__io_sqe_files_unregister(struct io_ring_ctx * ctx)646 void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
647 {
648 	int i;
649 
650 	for (i = 0; i < ctx->nr_user_files; i++) {
651 		struct file *file = io_file_from_index(&ctx->file_table, i);
652 
653 		if (!file)
654 			continue;
655 		io_file_bitmap_clear(&ctx->file_table, i);
656 		fput(file);
657 	}
658 
659 	io_free_file_tables(&ctx->file_table);
660 	io_file_table_set_alloc_range(ctx, 0, 0);
661 	io_rsrc_data_free(ctx->file_data);
662 	ctx->file_data = NULL;
663 	ctx->nr_user_files = 0;
664 }
665 
io_sqe_files_unregister(struct io_ring_ctx * ctx)666 int io_sqe_files_unregister(struct io_ring_ctx *ctx)
667 {
668 	unsigned nr = ctx->nr_user_files;
669 	int ret;
670 
671 	if (!ctx->file_data)
672 		return -ENXIO;
673 
674 	/*
675 	 * Quiesce may unlock ->uring_lock, and while it's not held
676 	 * prevent new requests using the table.
677 	 */
678 	ctx->nr_user_files = 0;
679 	ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
680 	ctx->nr_user_files = nr;
681 	if (!ret)
682 		__io_sqe_files_unregister(ctx);
683 	return ret;
684 }
685 
io_sqe_files_register(struct io_ring_ctx * ctx,void __user * arg,unsigned nr_args,u64 __user * tags)686 int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
687 			  unsigned nr_args, u64 __user *tags)
688 {
689 	__s32 __user *fds = (__s32 __user *) arg;
690 	struct file *file;
691 	int fd, ret;
692 	unsigned i;
693 
694 	if (ctx->file_data)
695 		return -EBUSY;
696 	if (!nr_args)
697 		return -EINVAL;
698 	if (nr_args > IORING_MAX_FIXED_FILES)
699 		return -EMFILE;
700 	if (nr_args > rlimit(RLIMIT_NOFILE))
701 		return -EMFILE;
702 	ret = io_rsrc_data_alloc(ctx, IORING_RSRC_FILE, tags, nr_args,
703 				 &ctx->file_data);
704 	if (ret)
705 		return ret;
706 
707 	if (!io_alloc_file_tables(&ctx->file_table, nr_args)) {
708 		io_rsrc_data_free(ctx->file_data);
709 		ctx->file_data = NULL;
710 		return -ENOMEM;
711 	}
712 
713 	for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
714 		struct io_fixed_file *file_slot;
715 
716 		if (fds && copy_from_user(&fd, &fds[i], sizeof(fd))) {
717 			ret = -EFAULT;
718 			goto fail;
719 		}
720 		/* allow sparse sets */
721 		if (!fds || fd == -1) {
722 			ret = -EINVAL;
723 			if (unlikely(*io_get_tag_slot(ctx->file_data, i)))
724 				goto fail;
725 			continue;
726 		}
727 
728 		file = fget(fd);
729 		ret = -EBADF;
730 		if (unlikely(!file))
731 			goto fail;
732 
733 		/*
734 		 * Don't allow io_uring instances to be registered.
735 		 */
736 		if (io_is_uring_fops(file)) {
737 			fput(file);
738 			goto fail;
739 		}
740 		file_slot = io_fixed_file_slot(&ctx->file_table, i);
741 		io_fixed_file_set(file_slot, file);
742 		io_file_bitmap_set(&ctx->file_table, i);
743 	}
744 
745 	/* default it to the whole table */
746 	io_file_table_set_alloc_range(ctx, 0, ctx->nr_user_files);
747 	return 0;
748 fail:
749 	__io_sqe_files_unregister(ctx);
750 	return ret;
751 }
752 
io_rsrc_buf_put(struct io_ring_ctx * ctx,struct io_rsrc_put * prsrc)753 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
754 {
755 	io_buffer_unmap(ctx, &prsrc->buf);
756 	prsrc->buf = NULL;
757 }
758 
__io_sqe_buffers_unregister(struct io_ring_ctx * ctx)759 void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
760 {
761 	unsigned int i;
762 
763 	for (i = 0; i < ctx->nr_user_bufs; i++)
764 		io_buffer_unmap(ctx, &ctx->user_bufs[i]);
765 	kfree(ctx->user_bufs);
766 	io_rsrc_data_free(ctx->buf_data);
767 	ctx->user_bufs = NULL;
768 	ctx->buf_data = NULL;
769 	ctx->nr_user_bufs = 0;
770 }
771 
io_sqe_buffers_unregister(struct io_ring_ctx * ctx)772 int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
773 {
774 	unsigned nr = ctx->nr_user_bufs;
775 	int ret;
776 
777 	if (!ctx->buf_data)
778 		return -ENXIO;
779 
780 	/*
781 	 * Quiesce may unlock ->uring_lock, and while it's not held
782 	 * prevent new requests using the table.
783 	 */
784 	ctx->nr_user_bufs = 0;
785 	ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
786 	ctx->nr_user_bufs = nr;
787 	if (!ret)
788 		__io_sqe_buffers_unregister(ctx);
789 	return ret;
790 }
791 
792 /*
793  * Not super efficient, but this is just a registration time. And we do cache
794  * the last compound head, so generally we'll only do a full search if we don't
795  * match that one.
796  *
797  * We check if the given compound head page has already been accounted, to
798  * avoid double accounting it. This allows us to account the full size of the
799  * page, not just the constituent pages of a huge page.
800  */
headpage_already_acct(struct io_ring_ctx * ctx,struct page ** pages,int nr_pages,struct page * hpage)801 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
802 				  int nr_pages, struct page *hpage)
803 {
804 	int i, j;
805 
806 	/* check current page array */
807 	for (i = 0; i < nr_pages; i++) {
808 		if (!PageCompound(pages[i]))
809 			continue;
810 		if (compound_head(pages[i]) == hpage)
811 			return true;
812 	}
813 
814 	/* check previously registered pages */
815 	for (i = 0; i < ctx->nr_user_bufs; i++) {
816 		struct io_mapped_ubuf *imu = ctx->user_bufs[i];
817 
818 		for (j = 0; j < imu->nr_bvecs; j++) {
819 			if (!PageCompound(imu->bvec[j].bv_page))
820 				continue;
821 			if (compound_head(imu->bvec[j].bv_page) == hpage)
822 				return true;
823 		}
824 	}
825 
826 	return false;
827 }
828 
io_buffer_account_pin(struct io_ring_ctx * ctx,struct page ** pages,int nr_pages,struct io_mapped_ubuf * imu,struct page ** last_hpage)829 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
830 				 int nr_pages, struct io_mapped_ubuf *imu,
831 				 struct page **last_hpage)
832 {
833 	int i, ret;
834 
835 	imu->acct_pages = 0;
836 	for (i = 0; i < nr_pages; i++) {
837 		if (!PageCompound(pages[i])) {
838 			imu->acct_pages++;
839 		} else {
840 			struct page *hpage;
841 
842 			hpage = compound_head(pages[i]);
843 			if (hpage == *last_hpage)
844 				continue;
845 			*last_hpage = hpage;
846 			if (headpage_already_acct(ctx, pages, i, hpage))
847 				continue;
848 			imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
849 		}
850 	}
851 
852 	if (!imu->acct_pages)
853 		return 0;
854 
855 	ret = io_account_mem(ctx, imu->acct_pages);
856 	if (ret)
857 		imu->acct_pages = 0;
858 	return ret;
859 }
860 
io_do_coalesce_buffer(struct page *** pages,int * nr_pages,struct io_imu_folio_data * data,int nr_folios)861 static bool io_do_coalesce_buffer(struct page ***pages, int *nr_pages,
862 				struct io_imu_folio_data *data, int nr_folios)
863 {
864 	struct page **page_array = *pages, **new_array = NULL;
865 	int nr_pages_left = *nr_pages, i, j;
866 
867 	/* Store head pages only*/
868 	new_array = kvmalloc_array(nr_folios, sizeof(struct page *),
869 					GFP_KERNEL);
870 	if (!new_array)
871 		return false;
872 
873 	new_array[0] = compound_head(page_array[0]);
874 	/*
875 	 * The pages are bound to the folio, it doesn't
876 	 * actually unpin them but drops all but one reference,
877 	 * which is usually put down by io_buffer_unmap().
878 	 * Note, needs a better helper.
879 	 */
880 	if (data->nr_pages_head > 1)
881 		unpin_user_pages(&page_array[1], data->nr_pages_head - 1);
882 
883 	j = data->nr_pages_head;
884 	nr_pages_left -= data->nr_pages_head;
885 	for (i = 1; i < nr_folios; i++) {
886 		unsigned int nr_unpin;
887 
888 		new_array[i] = page_array[j];
889 		nr_unpin = min_t(unsigned int, nr_pages_left - 1,
890 					data->nr_pages_mid - 1);
891 		if (nr_unpin)
892 			unpin_user_pages(&page_array[j+1], nr_unpin);
893 		j += data->nr_pages_mid;
894 		nr_pages_left -= data->nr_pages_mid;
895 	}
896 	kvfree(page_array);
897 	*pages = new_array;
898 	*nr_pages = nr_folios;
899 	return true;
900 }
901 
io_try_coalesce_buffer(struct page *** pages,int * nr_pages,struct io_imu_folio_data * data)902 static bool io_try_coalesce_buffer(struct page ***pages, int *nr_pages,
903 					 struct io_imu_folio_data *data)
904 {
905 	struct page **page_array = *pages;
906 	struct folio *folio = page_folio(page_array[0]);
907 	unsigned int count = 1, nr_folios = 1;
908 	int i;
909 
910 	if (*nr_pages <= 1)
911 		return false;
912 
913 	data->nr_pages_mid = folio_nr_pages(folio);
914 	if (data->nr_pages_mid == 1)
915 		return false;
916 
917 	data->folio_shift = folio_shift(folio);
918 	/*
919 	 * Check if pages are contiguous inside a folio, and all folios have
920 	 * the same page count except for the head and tail.
921 	 */
922 	for (i = 1; i < *nr_pages; i++) {
923 		if (page_folio(page_array[i]) == folio &&
924 			page_array[i] == page_array[i-1] + 1) {
925 			count++;
926 			continue;
927 		}
928 
929 		if (nr_folios == 1) {
930 			if (folio_page_idx(folio, page_array[i-1]) !=
931 				data->nr_pages_mid - 1)
932 				return false;
933 
934 			data->nr_pages_head = count;
935 		} else if (count != data->nr_pages_mid) {
936 			return false;
937 		}
938 
939 		folio = page_folio(page_array[i]);
940 		if (folio_size(folio) != (1UL << data->folio_shift) ||
941 			folio_page_idx(folio, page_array[i]) != 0)
942 			return false;
943 
944 		count = 1;
945 		nr_folios++;
946 	}
947 	if (nr_folios == 1)
948 		data->nr_pages_head = count;
949 
950 	return io_do_coalesce_buffer(pages, nr_pages, data, nr_folios);
951 }
952 
io_sqe_buffer_register(struct io_ring_ctx * ctx,struct iovec * iov,struct io_mapped_ubuf ** pimu,struct page ** last_hpage)953 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
954 				  struct io_mapped_ubuf **pimu,
955 				  struct page **last_hpage)
956 {
957 	struct io_mapped_ubuf *imu = NULL;
958 	struct page **pages = NULL;
959 	unsigned long off;
960 	size_t size;
961 	int ret, nr_pages, i;
962 	struct io_imu_folio_data data;
963 	bool coalesced;
964 
965 	*pimu = (struct io_mapped_ubuf *)&dummy_ubuf;
966 	if (!iov->iov_base)
967 		return 0;
968 
969 	ret = -ENOMEM;
970 	pages = io_pin_pages((unsigned long) iov->iov_base, iov->iov_len,
971 				&nr_pages);
972 	if (IS_ERR(pages)) {
973 		ret = PTR_ERR(pages);
974 		pages = NULL;
975 		goto done;
976 	}
977 
978 	/* If it's huge page(s), try to coalesce them into fewer bvec entries */
979 	coalesced = io_try_coalesce_buffer(&pages, &nr_pages, &data);
980 
981 	imu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);
982 	if (!imu)
983 		goto done;
984 
985 	ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
986 	if (ret) {
987 		unpin_user_pages(pages, nr_pages);
988 		goto done;
989 	}
990 
991 	size = iov->iov_len;
992 	/* store original address for later verification */
993 	imu->ubuf = (unsigned long) iov->iov_base;
994 	imu->len = iov->iov_len;
995 	imu->nr_bvecs = nr_pages;
996 	imu->folio_shift = PAGE_SHIFT;
997 	if (coalesced)
998 		imu->folio_shift = data.folio_shift;
999 	refcount_set(&imu->refs, 1);
1000 	off = (unsigned long) iov->iov_base & ((1UL << imu->folio_shift) - 1);
1001 	*pimu = imu;
1002 	ret = 0;
1003 
1004 	for (i = 0; i < nr_pages; i++) {
1005 		size_t vec_len;
1006 
1007 		vec_len = min_t(size_t, size, (1UL << imu->folio_shift) - off);
1008 		bvec_set_page(&imu->bvec[i], pages[i], vec_len, off);
1009 		off = 0;
1010 		size -= vec_len;
1011 	}
1012 done:
1013 	if (ret)
1014 		kvfree(imu);
1015 	kvfree(pages);
1016 	return ret;
1017 }
1018 
io_buffers_map_alloc(struct io_ring_ctx * ctx,unsigned int nr_args)1019 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
1020 {
1021 	ctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);
1022 	return ctx->user_bufs ? 0 : -ENOMEM;
1023 }
1024 
io_sqe_buffers_register(struct io_ring_ctx * ctx,void __user * arg,unsigned int nr_args,u64 __user * tags)1025 int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
1026 			    unsigned int nr_args, u64 __user *tags)
1027 {
1028 	struct page *last_hpage = NULL;
1029 	struct io_rsrc_data *data;
1030 	struct iovec fast_iov, *iov = &fast_iov;
1031 	const struct iovec __user *uvec;
1032 	int i, ret;
1033 
1034 	BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
1035 
1036 	if (ctx->user_bufs)
1037 		return -EBUSY;
1038 	if (!nr_args || nr_args > IORING_MAX_REG_BUFFERS)
1039 		return -EINVAL;
1040 	ret = io_rsrc_data_alloc(ctx, IORING_RSRC_BUFFER, tags, nr_args, &data);
1041 	if (ret)
1042 		return ret;
1043 	ret = io_buffers_map_alloc(ctx, nr_args);
1044 	if (ret) {
1045 		io_rsrc_data_free(data);
1046 		return ret;
1047 	}
1048 
1049 	if (!arg)
1050 		memset(iov, 0, sizeof(*iov));
1051 
1052 	for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {
1053 		if (arg) {
1054 			uvec = (struct iovec __user *) arg;
1055 			iov = iovec_from_user(uvec, 1, 1, &fast_iov, ctx->compat);
1056 			if (IS_ERR(iov)) {
1057 				ret = PTR_ERR(iov);
1058 				break;
1059 			}
1060 			ret = io_buffer_validate(iov);
1061 			if (ret)
1062 				break;
1063 			if (ctx->compat)
1064 				arg += sizeof(struct compat_iovec);
1065 			else
1066 				arg += sizeof(struct iovec);
1067 		}
1068 
1069 		if (!iov->iov_base && *io_get_tag_slot(data, i)) {
1070 			ret = -EINVAL;
1071 			break;
1072 		}
1073 
1074 		ret = io_sqe_buffer_register(ctx, iov, &ctx->user_bufs[i],
1075 					     &last_hpage);
1076 		if (ret)
1077 			break;
1078 	}
1079 
1080 	WARN_ON_ONCE(ctx->buf_data);
1081 
1082 	ctx->buf_data = data;
1083 	if (ret)
1084 		__io_sqe_buffers_unregister(ctx);
1085 	return ret;
1086 }
1087 
io_import_fixed(int ddir,struct iov_iter * iter,struct io_mapped_ubuf * imu,u64 buf_addr,size_t len)1088 int io_import_fixed(int ddir, struct iov_iter *iter,
1089 			   struct io_mapped_ubuf *imu,
1090 			   u64 buf_addr, size_t len)
1091 {
1092 	u64 buf_end;
1093 	size_t offset;
1094 
1095 	if (WARN_ON_ONCE(!imu))
1096 		return -EFAULT;
1097 	if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
1098 		return -EFAULT;
1099 	/* not inside the mapped region */
1100 	if (unlikely(buf_addr < imu->ubuf || buf_end > (imu->ubuf + imu->len)))
1101 		return -EFAULT;
1102 
1103 	/*
1104 	 * Might not be a start of buffer, set size appropriately
1105 	 * and advance us to the beginning.
1106 	 */
1107 	offset = buf_addr - imu->ubuf;
1108 	iov_iter_bvec(iter, ddir, imu->bvec, imu->nr_bvecs, offset + len);
1109 
1110 	if (offset) {
1111 		/*
1112 		 * Don't use iov_iter_advance() here, as it's really slow for
1113 		 * using the latter parts of a big fixed buffer - it iterates
1114 		 * over each segment manually. We can cheat a bit here, because
1115 		 * we know that:
1116 		 *
1117 		 * 1) it's a BVEC iter, we set it up
1118 		 * 2) all bvecs are the same in size, except potentially the
1119 		 *    first and last bvec
1120 		 *
1121 		 * So just find our index, and adjust the iterator afterwards.
1122 		 * If the offset is within the first bvec (or the whole first
1123 		 * bvec, just use iov_iter_advance(). This makes it easier
1124 		 * since we can just skip the first segment, which may not
1125 		 * be folio_size aligned.
1126 		 */
1127 		const struct bio_vec *bvec = imu->bvec;
1128 
1129 		if (offset < bvec->bv_len) {
1130 			iter->bvec = bvec;
1131 			iter->count -= offset;
1132 			iter->iov_offset = offset;
1133 		} else {
1134 			unsigned long seg_skip;
1135 
1136 			/* skip first vec */
1137 			offset -= bvec->bv_len;
1138 			seg_skip = 1 + (offset >> imu->folio_shift);
1139 
1140 			iter->bvec = bvec + seg_skip;
1141 			iter->nr_segs -= seg_skip;
1142 			iter->count -= bvec->bv_len + offset;
1143 			iter->iov_offset = offset & ((1UL << imu->folio_shift) - 1);
1144 		}
1145 	}
1146 
1147 	return 0;
1148 }
1149 
io_clone_buffers(struct io_ring_ctx * ctx,struct io_ring_ctx * src_ctx)1150 static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
1151 {
1152 	struct io_mapped_ubuf **user_bufs;
1153 	struct io_rsrc_data *data;
1154 	int i, ret, nbufs;
1155 
1156 	/*
1157 	 * Drop our own lock here. We'll setup the data we need and reference
1158 	 * the source buffers, then re-grab, check, and assign at the end.
1159 	 */
1160 	mutex_unlock(&ctx->uring_lock);
1161 
1162 	mutex_lock(&src_ctx->uring_lock);
1163 	ret = -ENXIO;
1164 	nbufs = src_ctx->nr_user_bufs;
1165 	if (!nbufs)
1166 		goto out_unlock;
1167 	ret = io_rsrc_data_alloc(ctx, IORING_RSRC_BUFFER, NULL, nbufs, &data);
1168 	if (ret)
1169 		goto out_unlock;
1170 
1171 	ret = -ENOMEM;
1172 	user_bufs = kcalloc(nbufs, sizeof(*ctx->user_bufs), GFP_KERNEL);
1173 	if (!user_bufs)
1174 		goto out_free_data;
1175 
1176 	for (i = 0; i < nbufs; i++) {
1177 		struct io_mapped_ubuf *src = src_ctx->user_bufs[i];
1178 
1179 		if (src != &dummy_ubuf)
1180 			refcount_inc(&src->refs);
1181 		user_bufs[i] = src;
1182 	}
1183 
1184 	/* Have a ref on the bufs now, drop src lock and re-grab our own lock */
1185 	mutex_unlock(&src_ctx->uring_lock);
1186 	mutex_lock(&ctx->uring_lock);
1187 	if (!ctx->user_bufs) {
1188 		ctx->user_bufs = user_bufs;
1189 		ctx->buf_data = data;
1190 		ctx->nr_user_bufs = nbufs;
1191 		return 0;
1192 	}
1193 
1194 	/* someone raced setting up buffers, dump ours */
1195 	for (i = 0; i < nbufs; i++)
1196 		io_buffer_unmap(ctx, &user_bufs[i]);
1197 	io_rsrc_data_free(data);
1198 	kfree(user_bufs);
1199 	return -EBUSY;
1200 out_free_data:
1201 	io_rsrc_data_free(data);
1202 out_unlock:
1203 	mutex_unlock(&src_ctx->uring_lock);
1204 	mutex_lock(&ctx->uring_lock);
1205 	return ret;
1206 }
1207 
1208 /*
1209  * Copy the registered buffers from the source ring whose file descriptor
1210  * is given in the src_fd to the current ring. This is identical to registering
1211  * the buffers with ctx, except faster as mappings already exist.
1212  *
1213  * Since the memory is already accounted once, don't account it again.
1214  */
io_register_clone_buffers(struct io_ring_ctx * ctx,void __user * arg)1215 int io_register_clone_buffers(struct io_ring_ctx *ctx, void __user *arg)
1216 {
1217 	struct io_uring_clone_buffers buf;
1218 	bool registered_src;
1219 	struct file *file;
1220 	int ret;
1221 
1222 	if (ctx->user_bufs || ctx->nr_user_bufs)
1223 		return -EBUSY;
1224 	if (copy_from_user(&buf, arg, sizeof(buf)))
1225 		return -EFAULT;
1226 	if (buf.flags & ~IORING_REGISTER_SRC_REGISTERED)
1227 		return -EINVAL;
1228 	if (memchr_inv(buf.pad, 0, sizeof(buf.pad)))
1229 		return -EINVAL;
1230 
1231 	registered_src = (buf.flags & IORING_REGISTER_SRC_REGISTERED) != 0;
1232 	file = io_uring_register_get_file(buf.src_fd, registered_src);
1233 	if (IS_ERR(file))
1234 		return PTR_ERR(file);
1235 	ret = io_clone_buffers(ctx, file->private_data);
1236 	if (!registered_src)
1237 		fput(file);
1238 	return ret;
1239 }
1240