xref: /openbmc/linux/fs/fcntl.c (revision 4d3d0869)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  linux/fs/fcntl.c
4  *
5  *  Copyright (C) 1991, 1992  Linus Torvalds
6  */
7 
8 #include <linux/syscalls.h>
9 #include <linux/init.h>
10 #include <linux/mm.h>
11 #include <linux/sched/task.h>
12 #include <linux/fs.h>
13 #include <linux/filelock.h>
14 #include <linux/file.h>
15 #include <linux/fdtable.h>
16 #include <linux/capability.h>
17 #include <linux/dnotify.h>
18 #include <linux/slab.h>
19 #include <linux/module.h>
20 #include <linux/pipe_fs_i.h>
21 #include <linux/security.h>
22 #include <linux/ptrace.h>
23 #include <linux/signal.h>
24 #include <linux/rcupdate.h>
25 #include <linux/pid_namespace.h>
26 #include <linux/user_namespace.h>
27 #include <linux/memfd.h>
28 #include <linux/compat.h>
29 #include <linux/mount.h>
30 
31 #include <linux/poll.h>
32 #include <asm/siginfo.h>
33 #include <linux/uaccess.h>
34 
35 #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
36 
setfl(int fd,struct file * filp,unsigned int arg)37 static int setfl(int fd, struct file * filp, unsigned int arg)
38 {
39 	struct inode * inode = file_inode(filp);
40 	int error = 0;
41 
42 	/*
43 	 * O_APPEND cannot be cleared if the file is marked as append-only
44 	 * and the file is open for write.
45 	 */
46 	if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode))
47 		return -EPERM;
48 
49 	/* O_NOATIME can only be set by the owner or superuser */
50 	if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
51 		if (!inode_owner_or_capable(file_mnt_idmap(filp), inode))
52 			return -EPERM;
53 
54 	/* required for strict SunOS emulation */
55 	if (O_NONBLOCK != O_NDELAY)
56 	       if (arg & O_NDELAY)
57 		   arg |= O_NONBLOCK;
58 
59 	/* Pipe packetized mode is controlled by O_DIRECT flag */
60 	if (!S_ISFIFO(inode->i_mode) &&
61 	    (arg & O_DIRECT) &&
62 	    !(filp->f_mode & FMODE_CAN_ODIRECT))
63 		return -EINVAL;
64 
65 	if (filp->f_op->check_flags)
66 		error = filp->f_op->check_flags(arg);
67 	if (error)
68 		return error;
69 
70 	/*
71 	 * ->fasync() is responsible for setting the FASYNC bit.
72 	 */
73 	if (((arg ^ filp->f_flags) & FASYNC) && filp->f_op->fasync) {
74 		error = filp->f_op->fasync(fd, filp, (arg & FASYNC) != 0);
75 		if (error < 0)
76 			goto out;
77 		if (error > 0)
78 			error = 0;
79 	}
80 	spin_lock(&filp->f_lock);
81 	filp->f_flags = (arg & SETFL_MASK) | (filp->f_flags & ~SETFL_MASK);
82 	filp->f_iocb_flags = iocb_flags(filp);
83 	spin_unlock(&filp->f_lock);
84 
85  out:
86 	return error;
87 }
88 
__f_setown(struct file * filp,struct pid * pid,enum pid_type type,int force)89 void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
90 		int force)
91 {
92 	write_lock_irq(&filp->f_owner.lock);
93 	if (force || !filp->f_owner.pid) {
94 		put_pid(filp->f_owner.pid);
95 		filp->f_owner.pid = get_pid(pid);
96 		filp->f_owner.pid_type = type;
97 
98 		if (pid) {
99 			const struct cred *cred = current_cred();
100 			security_file_set_fowner(filp);
101 			filp->f_owner.uid = cred->uid;
102 			filp->f_owner.euid = cred->euid;
103 		}
104 	}
105 	write_unlock_irq(&filp->f_owner.lock);
106 }
107 EXPORT_SYMBOL(__f_setown);
108 
f_setown(struct file * filp,int who,int force)109 int f_setown(struct file *filp, int who, int force)
110 {
111 	enum pid_type type;
112 	struct pid *pid = NULL;
113 	int ret = 0;
114 
115 	type = PIDTYPE_TGID;
116 	if (who < 0) {
117 		/* avoid overflow below */
118 		if (who == INT_MIN)
119 			return -EINVAL;
120 
121 		type = PIDTYPE_PGID;
122 		who = -who;
123 	}
124 
125 	rcu_read_lock();
126 	if (who) {
127 		pid = find_vpid(who);
128 		if (!pid)
129 			ret = -ESRCH;
130 	}
131 
132 	if (!ret)
133 		__f_setown(filp, pid, type, force);
134 	rcu_read_unlock();
135 
136 	return ret;
137 }
138 EXPORT_SYMBOL(f_setown);
139 
f_delown(struct file * filp)140 void f_delown(struct file *filp)
141 {
142 	__f_setown(filp, NULL, PIDTYPE_TGID, 1);
143 }
144 
f_getown(struct file * filp)145 pid_t f_getown(struct file *filp)
146 {
147 	pid_t pid = 0;
148 
149 	read_lock_irq(&filp->f_owner.lock);
150 	rcu_read_lock();
151 	if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type)) {
152 		pid = pid_vnr(filp->f_owner.pid);
153 		if (filp->f_owner.pid_type == PIDTYPE_PGID)
154 			pid = -pid;
155 	}
156 	rcu_read_unlock();
157 	read_unlock_irq(&filp->f_owner.lock);
158 	return pid;
159 }
160 
f_setown_ex(struct file * filp,unsigned long arg)161 static int f_setown_ex(struct file *filp, unsigned long arg)
162 {
163 	struct f_owner_ex __user *owner_p = (void __user *)arg;
164 	struct f_owner_ex owner;
165 	struct pid *pid;
166 	int type;
167 	int ret;
168 
169 	ret = copy_from_user(&owner, owner_p, sizeof(owner));
170 	if (ret)
171 		return -EFAULT;
172 
173 	switch (owner.type) {
174 	case F_OWNER_TID:
175 		type = PIDTYPE_PID;
176 		break;
177 
178 	case F_OWNER_PID:
179 		type = PIDTYPE_TGID;
180 		break;
181 
182 	case F_OWNER_PGRP:
183 		type = PIDTYPE_PGID;
184 		break;
185 
186 	default:
187 		return -EINVAL;
188 	}
189 
190 	rcu_read_lock();
191 	pid = find_vpid(owner.pid);
192 	if (owner.pid && !pid)
193 		ret = -ESRCH;
194 	else
195 		 __f_setown(filp, pid, type, 1);
196 	rcu_read_unlock();
197 
198 	return ret;
199 }
200 
f_getown_ex(struct file * filp,unsigned long arg)201 static int f_getown_ex(struct file *filp, unsigned long arg)
202 {
203 	struct f_owner_ex __user *owner_p = (void __user *)arg;
204 	struct f_owner_ex owner = {};
205 	int ret = 0;
206 
207 	read_lock_irq(&filp->f_owner.lock);
208 	rcu_read_lock();
209 	if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type))
210 		owner.pid = pid_vnr(filp->f_owner.pid);
211 	rcu_read_unlock();
212 	switch (filp->f_owner.pid_type) {
213 	case PIDTYPE_PID:
214 		owner.type = F_OWNER_TID;
215 		break;
216 
217 	case PIDTYPE_TGID:
218 		owner.type = F_OWNER_PID;
219 		break;
220 
221 	case PIDTYPE_PGID:
222 		owner.type = F_OWNER_PGRP;
223 		break;
224 
225 	default:
226 		WARN_ON(1);
227 		ret = -EINVAL;
228 		break;
229 	}
230 	read_unlock_irq(&filp->f_owner.lock);
231 
232 	if (!ret) {
233 		ret = copy_to_user(owner_p, &owner, sizeof(owner));
234 		if (ret)
235 			ret = -EFAULT;
236 	}
237 	return ret;
238 }
239 
240 #ifdef CONFIG_CHECKPOINT_RESTORE
f_getowner_uids(struct file * filp,unsigned long arg)241 static int f_getowner_uids(struct file *filp, unsigned long arg)
242 {
243 	struct user_namespace *user_ns = current_user_ns();
244 	uid_t __user *dst = (void __user *)arg;
245 	uid_t src[2];
246 	int err;
247 
248 	read_lock_irq(&filp->f_owner.lock);
249 	src[0] = from_kuid(user_ns, filp->f_owner.uid);
250 	src[1] = from_kuid(user_ns, filp->f_owner.euid);
251 	read_unlock_irq(&filp->f_owner.lock);
252 
253 	err  = put_user(src[0], &dst[0]);
254 	err |= put_user(src[1], &dst[1]);
255 
256 	return err;
257 }
258 #else
f_getowner_uids(struct file * filp,unsigned long arg)259 static int f_getowner_uids(struct file *filp, unsigned long arg)
260 {
261 	return -EINVAL;
262 }
263 #endif
264 
rw_hint_valid(u64 hint)265 static bool rw_hint_valid(u64 hint)
266 {
267 	switch (hint) {
268 	case RWH_WRITE_LIFE_NOT_SET:
269 	case RWH_WRITE_LIFE_NONE:
270 	case RWH_WRITE_LIFE_SHORT:
271 	case RWH_WRITE_LIFE_MEDIUM:
272 	case RWH_WRITE_LIFE_LONG:
273 	case RWH_WRITE_LIFE_EXTREME:
274 		return true;
275 	default:
276 		return false;
277 	}
278 }
279 
fcntl_rw_hint(struct file * file,unsigned int cmd,unsigned long arg)280 static long fcntl_rw_hint(struct file *file, unsigned int cmd,
281 			  unsigned long arg)
282 {
283 	struct inode *inode = file_inode(file);
284 	u64 __user *argp = (u64 __user *)arg;
285 	u64 hint;
286 
287 	switch (cmd) {
288 	case F_GET_RW_HINT:
289 		hint = inode->i_write_hint;
290 		if (copy_to_user(argp, &hint, sizeof(*argp)))
291 			return -EFAULT;
292 		return 0;
293 	case F_SET_RW_HINT:
294 		if (copy_from_user(&hint, argp, sizeof(hint)))
295 			return -EFAULT;
296 		if (!rw_hint_valid(hint))
297 			return -EINVAL;
298 
299 		inode_lock(inode);
300 		inode->i_write_hint = hint;
301 		inode_unlock(inode);
302 		return 0;
303 	default:
304 		return -EINVAL;
305 	}
306 }
307 
do_fcntl(int fd,unsigned int cmd,unsigned long arg,struct file * filp)308 static long do_fcntl(int fd, unsigned int cmd, unsigned long arg,
309 		struct file *filp)
310 {
311 	void __user *argp = (void __user *)arg;
312 	int argi = (int)arg;
313 	struct flock flock;
314 	long err = -EINVAL;
315 
316 	switch (cmd) {
317 	case F_DUPFD:
318 		err = f_dupfd(argi, filp, 0);
319 		break;
320 	case F_DUPFD_CLOEXEC:
321 		err = f_dupfd(argi, filp, O_CLOEXEC);
322 		break;
323 	case F_GETFD:
324 		err = get_close_on_exec(fd) ? FD_CLOEXEC : 0;
325 		break;
326 	case F_SETFD:
327 		err = 0;
328 		set_close_on_exec(fd, argi & FD_CLOEXEC);
329 		break;
330 	case F_GETFL:
331 		err = filp->f_flags;
332 		break;
333 	case F_SETFL:
334 		err = setfl(fd, filp, argi);
335 		break;
336 #if BITS_PER_LONG != 32
337 	/* 32-bit arches must use fcntl64() */
338 	case F_OFD_GETLK:
339 #endif
340 	case F_GETLK:
341 		if (copy_from_user(&flock, argp, sizeof(flock)))
342 			return -EFAULT;
343 		err = fcntl_getlk(filp, cmd, &flock);
344 		if (!err && copy_to_user(argp, &flock, sizeof(flock)))
345 			return -EFAULT;
346 		break;
347 #if BITS_PER_LONG != 32
348 	/* 32-bit arches must use fcntl64() */
349 	case F_OFD_SETLK:
350 	case F_OFD_SETLKW:
351 		fallthrough;
352 #endif
353 	case F_SETLK:
354 	case F_SETLKW:
355 		if (copy_from_user(&flock, argp, sizeof(flock)))
356 			return -EFAULT;
357 		err = fcntl_setlk(fd, filp, cmd, &flock);
358 		break;
359 	case F_GETOWN:
360 		/*
361 		 * XXX If f_owner is a process group, the
362 		 * negative return value will get converted
363 		 * into an error.  Oops.  If we keep the
364 		 * current syscall conventions, the only way
365 		 * to fix this will be in libc.
366 		 */
367 		err = f_getown(filp);
368 		force_successful_syscall_return();
369 		break;
370 	case F_SETOWN:
371 		err = f_setown(filp, argi, 1);
372 		break;
373 	case F_GETOWN_EX:
374 		err = f_getown_ex(filp, arg);
375 		break;
376 	case F_SETOWN_EX:
377 		err = f_setown_ex(filp, arg);
378 		break;
379 	case F_GETOWNER_UIDS:
380 		err = f_getowner_uids(filp, arg);
381 		break;
382 	case F_GETSIG:
383 		err = filp->f_owner.signum;
384 		break;
385 	case F_SETSIG:
386 		/* arg == 0 restores default behaviour. */
387 		if (!valid_signal(argi)) {
388 			break;
389 		}
390 		err = 0;
391 		filp->f_owner.signum = argi;
392 		break;
393 	case F_GETLEASE:
394 		err = fcntl_getlease(filp);
395 		break;
396 	case F_SETLEASE:
397 		err = fcntl_setlease(fd, filp, argi);
398 		break;
399 	case F_NOTIFY:
400 		err = fcntl_dirnotify(fd, filp, argi);
401 		break;
402 	case F_SETPIPE_SZ:
403 	case F_GETPIPE_SZ:
404 		err = pipe_fcntl(filp, cmd, argi);
405 		break;
406 	case F_ADD_SEALS:
407 	case F_GET_SEALS:
408 		err = memfd_fcntl(filp, cmd, argi);
409 		break;
410 	case F_GET_RW_HINT:
411 	case F_SET_RW_HINT:
412 		err = fcntl_rw_hint(filp, cmd, arg);
413 		break;
414 	default:
415 		break;
416 	}
417 	return err;
418 }
419 
check_fcntl_cmd(unsigned cmd)420 static int check_fcntl_cmd(unsigned cmd)
421 {
422 	switch (cmd) {
423 	case F_DUPFD:
424 	case F_DUPFD_CLOEXEC:
425 	case F_GETFD:
426 	case F_SETFD:
427 	case F_GETFL:
428 		return 1;
429 	}
430 	return 0;
431 }
432 
SYSCALL_DEFINE3(fcntl,unsigned int,fd,unsigned int,cmd,unsigned long,arg)433 SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
434 {
435 	struct fd f = fdget_raw(fd);
436 	long err = -EBADF;
437 
438 	if (!f.file)
439 		goto out;
440 
441 	if (unlikely(f.file->f_mode & FMODE_PATH)) {
442 		if (!check_fcntl_cmd(cmd))
443 			goto out1;
444 	}
445 
446 	err = security_file_fcntl(f.file, cmd, arg);
447 	if (!err)
448 		err = do_fcntl(fd, cmd, arg, f.file);
449 
450 out1:
451  	fdput(f);
452 out:
453 	return err;
454 }
455 
456 #if BITS_PER_LONG == 32
SYSCALL_DEFINE3(fcntl64,unsigned int,fd,unsigned int,cmd,unsigned long,arg)457 SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
458 		unsigned long, arg)
459 {
460 	void __user *argp = (void __user *)arg;
461 	struct fd f = fdget_raw(fd);
462 	struct flock64 flock;
463 	long err = -EBADF;
464 
465 	if (!f.file)
466 		goto out;
467 
468 	if (unlikely(f.file->f_mode & FMODE_PATH)) {
469 		if (!check_fcntl_cmd(cmd))
470 			goto out1;
471 	}
472 
473 	err = security_file_fcntl(f.file, cmd, arg);
474 	if (err)
475 		goto out1;
476 
477 	switch (cmd) {
478 	case F_GETLK64:
479 	case F_OFD_GETLK:
480 		err = -EFAULT;
481 		if (copy_from_user(&flock, argp, sizeof(flock)))
482 			break;
483 		err = fcntl_getlk64(f.file, cmd, &flock);
484 		if (!err && copy_to_user(argp, &flock, sizeof(flock)))
485 			err = -EFAULT;
486 		break;
487 	case F_SETLK64:
488 	case F_SETLKW64:
489 	case F_OFD_SETLK:
490 	case F_OFD_SETLKW:
491 		err = -EFAULT;
492 		if (copy_from_user(&flock, argp, sizeof(flock)))
493 			break;
494 		err = fcntl_setlk64(fd, f.file, cmd, &flock);
495 		break;
496 	default:
497 		err = do_fcntl(fd, cmd, arg, f.file);
498 		break;
499 	}
500 out1:
501 	fdput(f);
502 out:
503 	return err;
504 }
505 #endif
506 
507 #ifdef CONFIG_COMPAT
508 /* careful - don't use anywhere else */
509 #define copy_flock_fields(dst, src)		\
510 	(dst)->l_type = (src)->l_type;		\
511 	(dst)->l_whence = (src)->l_whence;	\
512 	(dst)->l_start = (src)->l_start;	\
513 	(dst)->l_len = (src)->l_len;		\
514 	(dst)->l_pid = (src)->l_pid;
515 
get_compat_flock(struct flock * kfl,const struct compat_flock __user * ufl)516 static int get_compat_flock(struct flock *kfl, const struct compat_flock __user *ufl)
517 {
518 	struct compat_flock fl;
519 
520 	if (copy_from_user(&fl, ufl, sizeof(struct compat_flock)))
521 		return -EFAULT;
522 	copy_flock_fields(kfl, &fl);
523 	return 0;
524 }
525 
get_compat_flock64(struct flock * kfl,const struct compat_flock64 __user * ufl)526 static int get_compat_flock64(struct flock *kfl, const struct compat_flock64 __user *ufl)
527 {
528 	struct compat_flock64 fl;
529 
530 	if (copy_from_user(&fl, ufl, sizeof(struct compat_flock64)))
531 		return -EFAULT;
532 	copy_flock_fields(kfl, &fl);
533 	return 0;
534 }
535 
put_compat_flock(const struct flock * kfl,struct compat_flock __user * ufl)536 static int put_compat_flock(const struct flock *kfl, struct compat_flock __user *ufl)
537 {
538 	struct compat_flock fl;
539 
540 	memset(&fl, 0, sizeof(struct compat_flock));
541 	copy_flock_fields(&fl, kfl);
542 	if (copy_to_user(ufl, &fl, sizeof(struct compat_flock)))
543 		return -EFAULT;
544 	return 0;
545 }
546 
put_compat_flock64(const struct flock * kfl,struct compat_flock64 __user * ufl)547 static int put_compat_flock64(const struct flock *kfl, struct compat_flock64 __user *ufl)
548 {
549 	struct compat_flock64 fl;
550 
551 	BUILD_BUG_ON(sizeof(kfl->l_start) > sizeof(ufl->l_start));
552 	BUILD_BUG_ON(sizeof(kfl->l_len) > sizeof(ufl->l_len));
553 
554 	memset(&fl, 0, sizeof(struct compat_flock64));
555 	copy_flock_fields(&fl, kfl);
556 	if (copy_to_user(ufl, &fl, sizeof(struct compat_flock64)))
557 		return -EFAULT;
558 	return 0;
559 }
560 #undef copy_flock_fields
561 
562 static unsigned int
convert_fcntl_cmd(unsigned int cmd)563 convert_fcntl_cmd(unsigned int cmd)
564 {
565 	switch (cmd) {
566 	case F_GETLK64:
567 		return F_GETLK;
568 	case F_SETLK64:
569 		return F_SETLK;
570 	case F_SETLKW64:
571 		return F_SETLKW;
572 	}
573 
574 	return cmd;
575 }
576 
577 /*
578  * GETLK was successful and we need to return the data, but it needs to fit in
579  * the compat structure.
580  * l_start shouldn't be too big, unless the original start + end is greater than
581  * COMPAT_OFF_T_MAX, in which case the app was asking for trouble, so we return
582  * -EOVERFLOW in that case.  l_len could be too big, in which case we just
583  * truncate it, and only allow the app to see that part of the conflicting lock
584  * that might make sense to it anyway
585  */
fixup_compat_flock(struct flock * flock)586 static int fixup_compat_flock(struct flock *flock)
587 {
588 	if (flock->l_start > COMPAT_OFF_T_MAX)
589 		return -EOVERFLOW;
590 	if (flock->l_len > COMPAT_OFF_T_MAX)
591 		flock->l_len = COMPAT_OFF_T_MAX;
592 	return 0;
593 }
594 
do_compat_fcntl64(unsigned int fd,unsigned int cmd,compat_ulong_t arg)595 static long do_compat_fcntl64(unsigned int fd, unsigned int cmd,
596 			     compat_ulong_t arg)
597 {
598 	struct fd f = fdget_raw(fd);
599 	struct flock flock;
600 	long err = -EBADF;
601 
602 	if (!f.file)
603 		return err;
604 
605 	if (unlikely(f.file->f_mode & FMODE_PATH)) {
606 		if (!check_fcntl_cmd(cmd))
607 			goto out_put;
608 	}
609 
610 	err = security_file_fcntl(f.file, cmd, arg);
611 	if (err)
612 		goto out_put;
613 
614 	switch (cmd) {
615 	case F_GETLK:
616 		err = get_compat_flock(&flock, compat_ptr(arg));
617 		if (err)
618 			break;
619 		err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
620 		if (err)
621 			break;
622 		err = fixup_compat_flock(&flock);
623 		if (!err)
624 			err = put_compat_flock(&flock, compat_ptr(arg));
625 		break;
626 	case F_GETLK64:
627 	case F_OFD_GETLK:
628 		err = get_compat_flock64(&flock, compat_ptr(arg));
629 		if (err)
630 			break;
631 		err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
632 		if (!err)
633 			err = put_compat_flock64(&flock, compat_ptr(arg));
634 		break;
635 	case F_SETLK:
636 	case F_SETLKW:
637 		err = get_compat_flock(&flock, compat_ptr(arg));
638 		if (err)
639 			break;
640 		err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
641 		break;
642 	case F_SETLK64:
643 	case F_SETLKW64:
644 	case F_OFD_SETLK:
645 	case F_OFD_SETLKW:
646 		err = get_compat_flock64(&flock, compat_ptr(arg));
647 		if (err)
648 			break;
649 		err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
650 		break;
651 	default:
652 		err = do_fcntl(fd, cmd, arg, f.file);
653 		break;
654 	}
655 out_put:
656 	fdput(f);
657 	return err;
658 }
659 
COMPAT_SYSCALL_DEFINE3(fcntl64,unsigned int,fd,unsigned int,cmd,compat_ulong_t,arg)660 COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
661 		       compat_ulong_t, arg)
662 {
663 	return do_compat_fcntl64(fd, cmd, arg);
664 }
665 
COMPAT_SYSCALL_DEFINE3(fcntl,unsigned int,fd,unsigned int,cmd,compat_ulong_t,arg)666 COMPAT_SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd,
667 		       compat_ulong_t, arg)
668 {
669 	switch (cmd) {
670 	case F_GETLK64:
671 	case F_SETLK64:
672 	case F_SETLKW64:
673 	case F_OFD_GETLK:
674 	case F_OFD_SETLK:
675 	case F_OFD_SETLKW:
676 		return -EINVAL;
677 	}
678 	return do_compat_fcntl64(fd, cmd, arg);
679 }
680 #endif
681 
682 /* Table to convert sigio signal codes into poll band bitmaps */
683 
684 static const __poll_t band_table[NSIGPOLL] = {
685 	EPOLLIN | EPOLLRDNORM,			/* POLL_IN */
686 	EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND,	/* POLL_OUT */
687 	EPOLLIN | EPOLLRDNORM | EPOLLMSG,		/* POLL_MSG */
688 	EPOLLERR,				/* POLL_ERR */
689 	EPOLLPRI | EPOLLRDBAND,			/* POLL_PRI */
690 	EPOLLHUP | EPOLLERR			/* POLL_HUP */
691 };
692 
sigio_perm(struct task_struct * p,struct fown_struct * fown,int sig)693 static inline int sigio_perm(struct task_struct *p,
694                              struct fown_struct *fown, int sig)
695 {
696 	const struct cred *cred;
697 	int ret;
698 
699 	rcu_read_lock();
700 	cred = __task_cred(p);
701 	ret = ((uid_eq(fown->euid, GLOBAL_ROOT_UID) ||
702 		uid_eq(fown->euid, cred->suid) || uid_eq(fown->euid, cred->uid) ||
703 		uid_eq(fown->uid,  cred->suid) || uid_eq(fown->uid,  cred->uid)) &&
704 	       !security_file_send_sigiotask(p, fown, sig));
705 	rcu_read_unlock();
706 	return ret;
707 }
708 
send_sigio_to_task(struct task_struct * p,struct fown_struct * fown,int fd,int reason,enum pid_type type)709 static void send_sigio_to_task(struct task_struct *p,
710 			       struct fown_struct *fown,
711 			       int fd, int reason, enum pid_type type)
712 {
713 	/*
714 	 * F_SETSIG can change ->signum lockless in parallel, make
715 	 * sure we read it once and use the same value throughout.
716 	 */
717 	int signum = READ_ONCE(fown->signum);
718 
719 	if (!sigio_perm(p, fown, signum))
720 		return;
721 
722 	switch (signum) {
723 		default: {
724 			kernel_siginfo_t si;
725 
726 			/* Queue a rt signal with the appropriate fd as its
727 			   value.  We use SI_SIGIO as the source, not
728 			   SI_KERNEL, since kernel signals always get
729 			   delivered even if we can't queue.  Failure to
730 			   queue in this case _should_ be reported; we fall
731 			   back to SIGIO in that case. --sct */
732 			clear_siginfo(&si);
733 			si.si_signo = signum;
734 			si.si_errno = 0;
735 		        si.si_code  = reason;
736 			/*
737 			 * Posix definies POLL_IN and friends to be signal
738 			 * specific si_codes for SIG_POLL.  Linux extended
739 			 * these si_codes to other signals in a way that is
740 			 * ambiguous if other signals also have signal
741 			 * specific si_codes.  In that case use SI_SIGIO instead
742 			 * to remove the ambiguity.
743 			 */
744 			if ((signum != SIGPOLL) && sig_specific_sicodes(signum))
745 				si.si_code = SI_SIGIO;
746 
747 			/* Make sure we are called with one of the POLL_*
748 			   reasons, otherwise we could leak kernel stack into
749 			   userspace.  */
750 			BUG_ON((reason < POLL_IN) || ((reason - POLL_IN) >= NSIGPOLL));
751 			if (reason - POLL_IN >= NSIGPOLL)
752 				si.si_band  = ~0L;
753 			else
754 				si.si_band = mangle_poll(band_table[reason - POLL_IN]);
755 			si.si_fd    = fd;
756 			if (!do_send_sig_info(signum, &si, p, type))
757 				break;
758 		}
759 			fallthrough;	/* fall back on the old plain SIGIO signal */
760 		case 0:
761 			do_send_sig_info(SIGIO, SEND_SIG_PRIV, p, type);
762 	}
763 }
764 
send_sigio(struct fown_struct * fown,int fd,int band)765 void send_sigio(struct fown_struct *fown, int fd, int band)
766 {
767 	struct task_struct *p;
768 	enum pid_type type;
769 	unsigned long flags;
770 	struct pid *pid;
771 
772 	read_lock_irqsave(&fown->lock, flags);
773 
774 	type = fown->pid_type;
775 	pid = fown->pid;
776 	if (!pid)
777 		goto out_unlock_fown;
778 
779 	if (type <= PIDTYPE_TGID) {
780 		rcu_read_lock();
781 		p = pid_task(pid, PIDTYPE_PID);
782 		if (p)
783 			send_sigio_to_task(p, fown, fd, band, type);
784 		rcu_read_unlock();
785 	} else {
786 		read_lock(&tasklist_lock);
787 		do_each_pid_task(pid, type, p) {
788 			send_sigio_to_task(p, fown, fd, band, type);
789 		} while_each_pid_task(pid, type, p);
790 		read_unlock(&tasklist_lock);
791 	}
792  out_unlock_fown:
793 	read_unlock_irqrestore(&fown->lock, flags);
794 }
795 
send_sigurg_to_task(struct task_struct * p,struct fown_struct * fown,enum pid_type type)796 static void send_sigurg_to_task(struct task_struct *p,
797 				struct fown_struct *fown, enum pid_type type)
798 {
799 	if (sigio_perm(p, fown, SIGURG))
800 		do_send_sig_info(SIGURG, SEND_SIG_PRIV, p, type);
801 }
802 
send_sigurg(struct fown_struct * fown)803 int send_sigurg(struct fown_struct *fown)
804 {
805 	struct task_struct *p;
806 	enum pid_type type;
807 	struct pid *pid;
808 	unsigned long flags;
809 	int ret = 0;
810 
811 	read_lock_irqsave(&fown->lock, flags);
812 
813 	type = fown->pid_type;
814 	pid = fown->pid;
815 	if (!pid)
816 		goto out_unlock_fown;
817 
818 	ret = 1;
819 
820 	if (type <= PIDTYPE_TGID) {
821 		rcu_read_lock();
822 		p = pid_task(pid, PIDTYPE_PID);
823 		if (p)
824 			send_sigurg_to_task(p, fown, type);
825 		rcu_read_unlock();
826 	} else {
827 		read_lock(&tasklist_lock);
828 		do_each_pid_task(pid, type, p) {
829 			send_sigurg_to_task(p, fown, type);
830 		} while_each_pid_task(pid, type, p);
831 		read_unlock(&tasklist_lock);
832 	}
833  out_unlock_fown:
834 	read_unlock_irqrestore(&fown->lock, flags);
835 	return ret;
836 }
837 
838 static DEFINE_SPINLOCK(fasync_lock);
839 static struct kmem_cache *fasync_cache __read_mostly;
840 
fasync_free_rcu(struct rcu_head * head)841 static void fasync_free_rcu(struct rcu_head *head)
842 {
843 	kmem_cache_free(fasync_cache,
844 			container_of(head, struct fasync_struct, fa_rcu));
845 }
846 
847 /*
848  * Remove a fasync entry. If successfully removed, return
849  * positive and clear the FASYNC flag. If no entry exists,
850  * do nothing and return 0.
851  *
852  * NOTE! It is very important that the FASYNC flag always
853  * match the state "is the filp on a fasync list".
854  *
855  */
fasync_remove_entry(struct file * filp,struct fasync_struct ** fapp)856 int fasync_remove_entry(struct file *filp, struct fasync_struct **fapp)
857 {
858 	struct fasync_struct *fa, **fp;
859 	int result = 0;
860 
861 	spin_lock(&filp->f_lock);
862 	spin_lock(&fasync_lock);
863 	for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
864 		if (fa->fa_file != filp)
865 			continue;
866 
867 		write_lock_irq(&fa->fa_lock);
868 		fa->fa_file = NULL;
869 		write_unlock_irq(&fa->fa_lock);
870 
871 		*fp = fa->fa_next;
872 		call_rcu(&fa->fa_rcu, fasync_free_rcu);
873 		filp->f_flags &= ~FASYNC;
874 		result = 1;
875 		break;
876 	}
877 	spin_unlock(&fasync_lock);
878 	spin_unlock(&filp->f_lock);
879 	return result;
880 }
881 
fasync_alloc(void)882 struct fasync_struct *fasync_alloc(void)
883 {
884 	return kmem_cache_alloc(fasync_cache, GFP_KERNEL);
885 }
886 
887 /*
888  * NOTE! This can be used only for unused fasync entries:
889  * entries that actually got inserted on the fasync list
890  * need to be released by rcu - see fasync_remove_entry.
891  */
fasync_free(struct fasync_struct * new)892 void fasync_free(struct fasync_struct *new)
893 {
894 	kmem_cache_free(fasync_cache, new);
895 }
896 
897 /*
898  * Insert a new entry into the fasync list.  Return the pointer to the
899  * old one if we didn't use the new one.
900  *
901  * NOTE! It is very important that the FASYNC flag always
902  * match the state "is the filp on a fasync list".
903  */
fasync_insert_entry(int fd,struct file * filp,struct fasync_struct ** fapp,struct fasync_struct * new)904 struct fasync_struct *fasync_insert_entry(int fd, struct file *filp, struct fasync_struct **fapp, struct fasync_struct *new)
905 {
906         struct fasync_struct *fa, **fp;
907 
908 	spin_lock(&filp->f_lock);
909 	spin_lock(&fasync_lock);
910 	for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
911 		if (fa->fa_file != filp)
912 			continue;
913 
914 		write_lock_irq(&fa->fa_lock);
915 		fa->fa_fd = fd;
916 		write_unlock_irq(&fa->fa_lock);
917 		goto out;
918 	}
919 
920 	rwlock_init(&new->fa_lock);
921 	new->magic = FASYNC_MAGIC;
922 	new->fa_file = filp;
923 	new->fa_fd = fd;
924 	new->fa_next = *fapp;
925 	rcu_assign_pointer(*fapp, new);
926 	filp->f_flags |= FASYNC;
927 
928 out:
929 	spin_unlock(&fasync_lock);
930 	spin_unlock(&filp->f_lock);
931 	return fa;
932 }
933 
934 /*
935  * Add a fasync entry. Return negative on error, positive if
936  * added, and zero if did nothing but change an existing one.
937  */
fasync_add_entry(int fd,struct file * filp,struct fasync_struct ** fapp)938 static int fasync_add_entry(int fd, struct file *filp, struct fasync_struct **fapp)
939 {
940 	struct fasync_struct *new;
941 
942 	new = fasync_alloc();
943 	if (!new)
944 		return -ENOMEM;
945 
946 	/*
947 	 * fasync_insert_entry() returns the old (update) entry if
948 	 * it existed.
949 	 *
950 	 * So free the (unused) new entry and return 0 to let the
951 	 * caller know that we didn't add any new fasync entries.
952 	 */
953 	if (fasync_insert_entry(fd, filp, fapp, new)) {
954 		fasync_free(new);
955 		return 0;
956 	}
957 
958 	return 1;
959 }
960 
961 /*
962  * fasync_helper() is used by almost all character device drivers
963  * to set up the fasync queue, and for regular files by the file
964  * lease code. It returns negative on error, 0 if it did no changes
965  * and positive if it added/deleted the entry.
966  */
fasync_helper(int fd,struct file * filp,int on,struct fasync_struct ** fapp)967 int fasync_helper(int fd, struct file * filp, int on, struct fasync_struct **fapp)
968 {
969 	if (!on)
970 		return fasync_remove_entry(filp, fapp);
971 	return fasync_add_entry(fd, filp, fapp);
972 }
973 
974 EXPORT_SYMBOL(fasync_helper);
975 
976 /*
977  * rcu_read_lock() is held
978  */
kill_fasync_rcu(struct fasync_struct * fa,int sig,int band)979 static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band)
980 {
981 	while (fa) {
982 		struct fown_struct *fown;
983 		unsigned long flags;
984 
985 		if (fa->magic != FASYNC_MAGIC) {
986 			printk(KERN_ERR "kill_fasync: bad magic number in "
987 			       "fasync_struct!\n");
988 			return;
989 		}
990 		read_lock_irqsave(&fa->fa_lock, flags);
991 		if (fa->fa_file) {
992 			fown = &fa->fa_file->f_owner;
993 			/* Don't send SIGURG to processes which have not set a
994 			   queued signum: SIGURG has its own default signalling
995 			   mechanism. */
996 			if (!(sig == SIGURG && fown->signum == 0))
997 				send_sigio(fown, fa->fa_fd, band);
998 		}
999 		read_unlock_irqrestore(&fa->fa_lock, flags);
1000 		fa = rcu_dereference(fa->fa_next);
1001 	}
1002 }
1003 
kill_fasync(struct fasync_struct ** fp,int sig,int band)1004 void kill_fasync(struct fasync_struct **fp, int sig, int band)
1005 {
1006 	/* First a quick test without locking: usually
1007 	 * the list is empty.
1008 	 */
1009 	if (*fp) {
1010 		rcu_read_lock();
1011 		kill_fasync_rcu(rcu_dereference(*fp), sig, band);
1012 		rcu_read_unlock();
1013 	}
1014 }
1015 EXPORT_SYMBOL(kill_fasync);
1016 
fcntl_init(void)1017 static int __init fcntl_init(void)
1018 {
1019 	/*
1020 	 * Please add new bits here to ensure allocation uniqueness.
1021 	 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
1022 	 * is defined as O_NONBLOCK on some platforms and not on others.
1023 	 */
1024 	BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=
1025 		HWEIGHT32(
1026 			(VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
1027 			__FMODE_EXEC | __FMODE_NONOTIFY));
1028 
1029 	fasync_cache = kmem_cache_create("fasync_cache",
1030 					 sizeof(struct fasync_struct), 0,
1031 					 SLAB_PANIC | SLAB_ACCOUNT, NULL);
1032 	return 0;
1033 }
1034 
1035 module_init(fcntl_init)
1036