1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * linux/fs/fcntl.c
4 *
5 * Copyright (C) 1991, 1992 Linus Torvalds
6 */
7
8 #include <linux/syscalls.h>
9 #include <linux/init.h>
10 #include <linux/mm.h>
11 #include <linux/sched/task.h>
12 #include <linux/fs.h>
13 #include <linux/filelock.h>
14 #include <linux/file.h>
15 #include <linux/fdtable.h>
16 #include <linux/capability.h>
17 #include <linux/dnotify.h>
18 #include <linux/slab.h>
19 #include <linux/module.h>
20 #include <linux/pipe_fs_i.h>
21 #include <linux/security.h>
22 #include <linux/ptrace.h>
23 #include <linux/signal.h>
24 #include <linux/rcupdate.h>
25 #include <linux/pid_namespace.h>
26 #include <linux/user_namespace.h>
27 #include <linux/memfd.h>
28 #include <linux/compat.h>
29 #include <linux/mount.h>
30
31 #include <linux/poll.h>
32 #include <asm/siginfo.h>
33 #include <linux/uaccess.h>
34
35 #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
36
setfl(int fd,struct file * filp,unsigned int arg)37 static int setfl(int fd, struct file * filp, unsigned int arg)
38 {
39 struct inode * inode = file_inode(filp);
40 int error = 0;
41
42 /*
43 * O_APPEND cannot be cleared if the file is marked as append-only
44 * and the file is open for write.
45 */
46 if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode))
47 return -EPERM;
48
49 /* O_NOATIME can only be set by the owner or superuser */
50 if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
51 if (!inode_owner_or_capable(file_mnt_idmap(filp), inode))
52 return -EPERM;
53
54 /* required for strict SunOS emulation */
55 if (O_NONBLOCK != O_NDELAY)
56 if (arg & O_NDELAY)
57 arg |= O_NONBLOCK;
58
59 /* Pipe packetized mode is controlled by O_DIRECT flag */
60 if (!S_ISFIFO(inode->i_mode) &&
61 (arg & O_DIRECT) &&
62 !(filp->f_mode & FMODE_CAN_ODIRECT))
63 return -EINVAL;
64
65 if (filp->f_op->check_flags)
66 error = filp->f_op->check_flags(arg);
67 if (error)
68 return error;
69
70 /*
71 * ->fasync() is responsible for setting the FASYNC bit.
72 */
73 if (((arg ^ filp->f_flags) & FASYNC) && filp->f_op->fasync) {
74 error = filp->f_op->fasync(fd, filp, (arg & FASYNC) != 0);
75 if (error < 0)
76 goto out;
77 if (error > 0)
78 error = 0;
79 }
80 spin_lock(&filp->f_lock);
81 filp->f_flags = (arg & SETFL_MASK) | (filp->f_flags & ~SETFL_MASK);
82 filp->f_iocb_flags = iocb_flags(filp);
83 spin_unlock(&filp->f_lock);
84
85 out:
86 return error;
87 }
88
f_modown(struct file * filp,struct pid * pid,enum pid_type type,int force)89 static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
90 int force)
91 {
92 write_lock_irq(&filp->f_owner.lock);
93 if (force || !filp->f_owner.pid) {
94 put_pid(filp->f_owner.pid);
95 filp->f_owner.pid = get_pid(pid);
96 filp->f_owner.pid_type = type;
97
98 if (pid) {
99 const struct cred *cred = current_cred();
100 filp->f_owner.uid = cred->uid;
101 filp->f_owner.euid = cred->euid;
102 }
103 }
104 write_unlock_irq(&filp->f_owner.lock);
105 }
106
__f_setown(struct file * filp,struct pid * pid,enum pid_type type,int force)107 void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
108 int force)
109 {
110 security_file_set_fowner(filp);
111 f_modown(filp, pid, type, force);
112 }
113 EXPORT_SYMBOL(__f_setown);
114
f_setown(struct file * filp,int who,int force)115 int f_setown(struct file *filp, int who, int force)
116 {
117 enum pid_type type;
118 struct pid *pid = NULL;
119 int ret = 0;
120
121 type = PIDTYPE_TGID;
122 if (who < 0) {
123 /* avoid overflow below */
124 if (who == INT_MIN)
125 return -EINVAL;
126
127 type = PIDTYPE_PGID;
128 who = -who;
129 }
130
131 rcu_read_lock();
132 if (who) {
133 pid = find_vpid(who);
134 if (!pid)
135 ret = -ESRCH;
136 }
137
138 if (!ret)
139 __f_setown(filp, pid, type, force);
140 rcu_read_unlock();
141
142 return ret;
143 }
144 EXPORT_SYMBOL(f_setown);
145
f_delown(struct file * filp)146 void f_delown(struct file *filp)
147 {
148 f_modown(filp, NULL, PIDTYPE_TGID, 1);
149 }
150
f_getown(struct file * filp)151 pid_t f_getown(struct file *filp)
152 {
153 pid_t pid = 0;
154
155 read_lock_irq(&filp->f_owner.lock);
156 rcu_read_lock();
157 if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type)) {
158 pid = pid_vnr(filp->f_owner.pid);
159 if (filp->f_owner.pid_type == PIDTYPE_PGID)
160 pid = -pid;
161 }
162 rcu_read_unlock();
163 read_unlock_irq(&filp->f_owner.lock);
164 return pid;
165 }
166
f_setown_ex(struct file * filp,unsigned long arg)167 static int f_setown_ex(struct file *filp, unsigned long arg)
168 {
169 struct f_owner_ex __user *owner_p = (void __user *)arg;
170 struct f_owner_ex owner;
171 struct pid *pid;
172 int type;
173 int ret;
174
175 ret = copy_from_user(&owner, owner_p, sizeof(owner));
176 if (ret)
177 return -EFAULT;
178
179 switch (owner.type) {
180 case F_OWNER_TID:
181 type = PIDTYPE_PID;
182 break;
183
184 case F_OWNER_PID:
185 type = PIDTYPE_TGID;
186 break;
187
188 case F_OWNER_PGRP:
189 type = PIDTYPE_PGID;
190 break;
191
192 default:
193 return -EINVAL;
194 }
195
196 rcu_read_lock();
197 pid = find_vpid(owner.pid);
198 if (owner.pid && !pid)
199 ret = -ESRCH;
200 else
201 __f_setown(filp, pid, type, 1);
202 rcu_read_unlock();
203
204 return ret;
205 }
206
f_getown_ex(struct file * filp,unsigned long arg)207 static int f_getown_ex(struct file *filp, unsigned long arg)
208 {
209 struct f_owner_ex __user *owner_p = (void __user *)arg;
210 struct f_owner_ex owner = {};
211 int ret = 0;
212
213 read_lock_irq(&filp->f_owner.lock);
214 rcu_read_lock();
215 if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type))
216 owner.pid = pid_vnr(filp->f_owner.pid);
217 rcu_read_unlock();
218 switch (filp->f_owner.pid_type) {
219 case PIDTYPE_PID:
220 owner.type = F_OWNER_TID;
221 break;
222
223 case PIDTYPE_TGID:
224 owner.type = F_OWNER_PID;
225 break;
226
227 case PIDTYPE_PGID:
228 owner.type = F_OWNER_PGRP;
229 break;
230
231 default:
232 WARN_ON(1);
233 ret = -EINVAL;
234 break;
235 }
236 read_unlock_irq(&filp->f_owner.lock);
237
238 if (!ret) {
239 ret = copy_to_user(owner_p, &owner, sizeof(owner));
240 if (ret)
241 ret = -EFAULT;
242 }
243 return ret;
244 }
245
246 #ifdef CONFIG_CHECKPOINT_RESTORE
f_getowner_uids(struct file * filp,unsigned long arg)247 static int f_getowner_uids(struct file *filp, unsigned long arg)
248 {
249 struct user_namespace *user_ns = current_user_ns();
250 uid_t __user *dst = (void __user *)arg;
251 uid_t src[2];
252 int err;
253
254 read_lock_irq(&filp->f_owner.lock);
255 src[0] = from_kuid(user_ns, filp->f_owner.uid);
256 src[1] = from_kuid(user_ns, filp->f_owner.euid);
257 read_unlock_irq(&filp->f_owner.lock);
258
259 err = put_user(src[0], &dst[0]);
260 err |= put_user(src[1], &dst[1]);
261
262 return err;
263 }
264 #else
f_getowner_uids(struct file * filp,unsigned long arg)265 static int f_getowner_uids(struct file *filp, unsigned long arg)
266 {
267 return -EINVAL;
268 }
269 #endif
270
rw_hint_valid(u64 hint)271 static bool rw_hint_valid(u64 hint)
272 {
273 switch (hint) {
274 case RWH_WRITE_LIFE_NOT_SET:
275 case RWH_WRITE_LIFE_NONE:
276 case RWH_WRITE_LIFE_SHORT:
277 case RWH_WRITE_LIFE_MEDIUM:
278 case RWH_WRITE_LIFE_LONG:
279 case RWH_WRITE_LIFE_EXTREME:
280 return true;
281 default:
282 return false;
283 }
284 }
285
fcntl_rw_hint(struct file * file,unsigned int cmd,unsigned long arg)286 static long fcntl_rw_hint(struct file *file, unsigned int cmd,
287 unsigned long arg)
288 {
289 struct inode *inode = file_inode(file);
290 u64 __user *argp = (u64 __user *)arg;
291 u64 hint;
292
293 switch (cmd) {
294 case F_GET_RW_HINT:
295 hint = inode->i_write_hint;
296 if (copy_to_user(argp, &hint, sizeof(*argp)))
297 return -EFAULT;
298 return 0;
299 case F_SET_RW_HINT:
300 if (copy_from_user(&hint, argp, sizeof(hint)))
301 return -EFAULT;
302 if (!rw_hint_valid(hint))
303 return -EINVAL;
304
305 inode_lock(inode);
306 inode->i_write_hint = hint;
307 inode_unlock(inode);
308 return 0;
309 default:
310 return -EINVAL;
311 }
312 }
313
do_fcntl(int fd,unsigned int cmd,unsigned long arg,struct file * filp)314 static long do_fcntl(int fd, unsigned int cmd, unsigned long arg,
315 struct file *filp)
316 {
317 void __user *argp = (void __user *)arg;
318 int argi = (int)arg;
319 struct flock flock;
320 long err = -EINVAL;
321
322 switch (cmd) {
323 case F_DUPFD:
324 err = f_dupfd(argi, filp, 0);
325 break;
326 case F_DUPFD_CLOEXEC:
327 err = f_dupfd(argi, filp, O_CLOEXEC);
328 break;
329 case F_GETFD:
330 err = get_close_on_exec(fd) ? FD_CLOEXEC : 0;
331 break;
332 case F_SETFD:
333 err = 0;
334 set_close_on_exec(fd, argi & FD_CLOEXEC);
335 break;
336 case F_GETFL:
337 err = filp->f_flags;
338 break;
339 case F_SETFL:
340 err = setfl(fd, filp, argi);
341 break;
342 #if BITS_PER_LONG != 32
343 /* 32-bit arches must use fcntl64() */
344 case F_OFD_GETLK:
345 #endif
346 case F_GETLK:
347 if (copy_from_user(&flock, argp, sizeof(flock)))
348 return -EFAULT;
349 err = fcntl_getlk(filp, cmd, &flock);
350 if (!err && copy_to_user(argp, &flock, sizeof(flock)))
351 return -EFAULT;
352 break;
353 #if BITS_PER_LONG != 32
354 /* 32-bit arches must use fcntl64() */
355 case F_OFD_SETLK:
356 case F_OFD_SETLKW:
357 fallthrough;
358 #endif
359 case F_SETLK:
360 case F_SETLKW:
361 if (copy_from_user(&flock, argp, sizeof(flock)))
362 return -EFAULT;
363 err = fcntl_setlk(fd, filp, cmd, &flock);
364 break;
365 case F_GETOWN:
366 /*
367 * XXX If f_owner is a process group, the
368 * negative return value will get converted
369 * into an error. Oops. If we keep the
370 * current syscall conventions, the only way
371 * to fix this will be in libc.
372 */
373 err = f_getown(filp);
374 force_successful_syscall_return();
375 break;
376 case F_SETOWN:
377 err = f_setown(filp, argi, 1);
378 break;
379 case F_GETOWN_EX:
380 err = f_getown_ex(filp, arg);
381 break;
382 case F_SETOWN_EX:
383 err = f_setown_ex(filp, arg);
384 break;
385 case F_GETOWNER_UIDS:
386 err = f_getowner_uids(filp, arg);
387 break;
388 case F_GETSIG:
389 err = filp->f_owner.signum;
390 break;
391 case F_SETSIG:
392 /* arg == 0 restores default behaviour. */
393 if (!valid_signal(argi)) {
394 break;
395 }
396 err = 0;
397 filp->f_owner.signum = argi;
398 break;
399 case F_GETLEASE:
400 err = fcntl_getlease(filp);
401 break;
402 case F_SETLEASE:
403 err = fcntl_setlease(fd, filp, argi);
404 break;
405 case F_NOTIFY:
406 err = fcntl_dirnotify(fd, filp, argi);
407 break;
408 case F_SETPIPE_SZ:
409 case F_GETPIPE_SZ:
410 err = pipe_fcntl(filp, cmd, argi);
411 break;
412 case F_ADD_SEALS:
413 case F_GET_SEALS:
414 err = memfd_fcntl(filp, cmd, argi);
415 break;
416 case F_GET_RW_HINT:
417 case F_SET_RW_HINT:
418 err = fcntl_rw_hint(filp, cmd, arg);
419 break;
420 default:
421 break;
422 }
423 return err;
424 }
425
check_fcntl_cmd(unsigned cmd)426 static int check_fcntl_cmd(unsigned cmd)
427 {
428 switch (cmd) {
429 case F_DUPFD:
430 case F_DUPFD_CLOEXEC:
431 case F_GETFD:
432 case F_SETFD:
433 case F_GETFL:
434 return 1;
435 }
436 return 0;
437 }
438
SYSCALL_DEFINE3(fcntl,unsigned int,fd,unsigned int,cmd,unsigned long,arg)439 SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
440 {
441 struct fd f = fdget_raw(fd);
442 long err = -EBADF;
443
444 if (!f.file)
445 goto out;
446
447 if (unlikely(f.file->f_mode & FMODE_PATH)) {
448 if (!check_fcntl_cmd(cmd))
449 goto out1;
450 }
451
452 err = security_file_fcntl(f.file, cmd, arg);
453 if (!err)
454 err = do_fcntl(fd, cmd, arg, f.file);
455
456 out1:
457 fdput(f);
458 out:
459 return err;
460 }
461
462 #if BITS_PER_LONG == 32
SYSCALL_DEFINE3(fcntl64,unsigned int,fd,unsigned int,cmd,unsigned long,arg)463 SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
464 unsigned long, arg)
465 {
466 void __user *argp = (void __user *)arg;
467 struct fd f = fdget_raw(fd);
468 struct flock64 flock;
469 long err = -EBADF;
470
471 if (!f.file)
472 goto out;
473
474 if (unlikely(f.file->f_mode & FMODE_PATH)) {
475 if (!check_fcntl_cmd(cmd))
476 goto out1;
477 }
478
479 err = security_file_fcntl(f.file, cmd, arg);
480 if (err)
481 goto out1;
482
483 switch (cmd) {
484 case F_GETLK64:
485 case F_OFD_GETLK:
486 err = -EFAULT;
487 if (copy_from_user(&flock, argp, sizeof(flock)))
488 break;
489 err = fcntl_getlk64(f.file, cmd, &flock);
490 if (!err && copy_to_user(argp, &flock, sizeof(flock)))
491 err = -EFAULT;
492 break;
493 case F_SETLK64:
494 case F_SETLKW64:
495 case F_OFD_SETLK:
496 case F_OFD_SETLKW:
497 err = -EFAULT;
498 if (copy_from_user(&flock, argp, sizeof(flock)))
499 break;
500 err = fcntl_setlk64(fd, f.file, cmd, &flock);
501 break;
502 default:
503 err = do_fcntl(fd, cmd, arg, f.file);
504 break;
505 }
506 out1:
507 fdput(f);
508 out:
509 return err;
510 }
511 #endif
512
513 #ifdef CONFIG_COMPAT
514 /* careful - don't use anywhere else */
515 #define copy_flock_fields(dst, src) \
516 (dst)->l_type = (src)->l_type; \
517 (dst)->l_whence = (src)->l_whence; \
518 (dst)->l_start = (src)->l_start; \
519 (dst)->l_len = (src)->l_len; \
520 (dst)->l_pid = (src)->l_pid;
521
get_compat_flock(struct flock * kfl,const struct compat_flock __user * ufl)522 static int get_compat_flock(struct flock *kfl, const struct compat_flock __user *ufl)
523 {
524 struct compat_flock fl;
525
526 if (copy_from_user(&fl, ufl, sizeof(struct compat_flock)))
527 return -EFAULT;
528 copy_flock_fields(kfl, &fl);
529 return 0;
530 }
531
get_compat_flock64(struct flock * kfl,const struct compat_flock64 __user * ufl)532 static int get_compat_flock64(struct flock *kfl, const struct compat_flock64 __user *ufl)
533 {
534 struct compat_flock64 fl;
535
536 if (copy_from_user(&fl, ufl, sizeof(struct compat_flock64)))
537 return -EFAULT;
538 copy_flock_fields(kfl, &fl);
539 return 0;
540 }
541
put_compat_flock(const struct flock * kfl,struct compat_flock __user * ufl)542 static int put_compat_flock(const struct flock *kfl, struct compat_flock __user *ufl)
543 {
544 struct compat_flock fl;
545
546 memset(&fl, 0, sizeof(struct compat_flock));
547 copy_flock_fields(&fl, kfl);
548 if (copy_to_user(ufl, &fl, sizeof(struct compat_flock)))
549 return -EFAULT;
550 return 0;
551 }
552
put_compat_flock64(const struct flock * kfl,struct compat_flock64 __user * ufl)553 static int put_compat_flock64(const struct flock *kfl, struct compat_flock64 __user *ufl)
554 {
555 struct compat_flock64 fl;
556
557 BUILD_BUG_ON(sizeof(kfl->l_start) > sizeof(ufl->l_start));
558 BUILD_BUG_ON(sizeof(kfl->l_len) > sizeof(ufl->l_len));
559
560 memset(&fl, 0, sizeof(struct compat_flock64));
561 copy_flock_fields(&fl, kfl);
562 if (copy_to_user(ufl, &fl, sizeof(struct compat_flock64)))
563 return -EFAULT;
564 return 0;
565 }
566 #undef copy_flock_fields
567
568 static unsigned int
convert_fcntl_cmd(unsigned int cmd)569 convert_fcntl_cmd(unsigned int cmd)
570 {
571 switch (cmd) {
572 case F_GETLK64:
573 return F_GETLK;
574 case F_SETLK64:
575 return F_SETLK;
576 case F_SETLKW64:
577 return F_SETLKW;
578 }
579
580 return cmd;
581 }
582
583 /*
584 * GETLK was successful and we need to return the data, but it needs to fit in
585 * the compat structure.
586 * l_start shouldn't be too big, unless the original start + end is greater than
587 * COMPAT_OFF_T_MAX, in which case the app was asking for trouble, so we return
588 * -EOVERFLOW in that case. l_len could be too big, in which case we just
589 * truncate it, and only allow the app to see that part of the conflicting lock
590 * that might make sense to it anyway
591 */
fixup_compat_flock(struct flock * flock)592 static int fixup_compat_flock(struct flock *flock)
593 {
594 if (flock->l_start > COMPAT_OFF_T_MAX)
595 return -EOVERFLOW;
596 if (flock->l_len > COMPAT_OFF_T_MAX)
597 flock->l_len = COMPAT_OFF_T_MAX;
598 return 0;
599 }
600
do_compat_fcntl64(unsigned int fd,unsigned int cmd,compat_ulong_t arg)601 static long do_compat_fcntl64(unsigned int fd, unsigned int cmd,
602 compat_ulong_t arg)
603 {
604 struct fd f = fdget_raw(fd);
605 struct flock flock;
606 long err = -EBADF;
607
608 if (!f.file)
609 return err;
610
611 if (unlikely(f.file->f_mode & FMODE_PATH)) {
612 if (!check_fcntl_cmd(cmd))
613 goto out_put;
614 }
615
616 err = security_file_fcntl(f.file, cmd, arg);
617 if (err)
618 goto out_put;
619
620 switch (cmd) {
621 case F_GETLK:
622 err = get_compat_flock(&flock, compat_ptr(arg));
623 if (err)
624 break;
625 err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
626 if (err)
627 break;
628 err = fixup_compat_flock(&flock);
629 if (!err)
630 err = put_compat_flock(&flock, compat_ptr(arg));
631 break;
632 case F_GETLK64:
633 case F_OFD_GETLK:
634 err = get_compat_flock64(&flock, compat_ptr(arg));
635 if (err)
636 break;
637 err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
638 if (!err)
639 err = put_compat_flock64(&flock, compat_ptr(arg));
640 break;
641 case F_SETLK:
642 case F_SETLKW:
643 err = get_compat_flock(&flock, compat_ptr(arg));
644 if (err)
645 break;
646 err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
647 break;
648 case F_SETLK64:
649 case F_SETLKW64:
650 case F_OFD_SETLK:
651 case F_OFD_SETLKW:
652 err = get_compat_flock64(&flock, compat_ptr(arg));
653 if (err)
654 break;
655 err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
656 break;
657 default:
658 err = do_fcntl(fd, cmd, arg, f.file);
659 break;
660 }
661 out_put:
662 fdput(f);
663 return err;
664 }
665
COMPAT_SYSCALL_DEFINE3(fcntl64,unsigned int,fd,unsigned int,cmd,compat_ulong_t,arg)666 COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
667 compat_ulong_t, arg)
668 {
669 return do_compat_fcntl64(fd, cmd, arg);
670 }
671
COMPAT_SYSCALL_DEFINE3(fcntl,unsigned int,fd,unsigned int,cmd,compat_ulong_t,arg)672 COMPAT_SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd,
673 compat_ulong_t, arg)
674 {
675 switch (cmd) {
676 case F_GETLK64:
677 case F_SETLK64:
678 case F_SETLKW64:
679 case F_OFD_GETLK:
680 case F_OFD_SETLK:
681 case F_OFD_SETLKW:
682 return -EINVAL;
683 }
684 return do_compat_fcntl64(fd, cmd, arg);
685 }
686 #endif
687
688 /* Table to convert sigio signal codes into poll band bitmaps */
689
690 static const __poll_t band_table[NSIGPOLL] = {
691 EPOLLIN | EPOLLRDNORM, /* POLL_IN */
692 EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND, /* POLL_OUT */
693 EPOLLIN | EPOLLRDNORM | EPOLLMSG, /* POLL_MSG */
694 EPOLLERR, /* POLL_ERR */
695 EPOLLPRI | EPOLLRDBAND, /* POLL_PRI */
696 EPOLLHUP | EPOLLERR /* POLL_HUP */
697 };
698
sigio_perm(struct task_struct * p,struct fown_struct * fown,int sig)699 static inline int sigio_perm(struct task_struct *p,
700 struct fown_struct *fown, int sig)
701 {
702 const struct cred *cred;
703 int ret;
704
705 rcu_read_lock();
706 cred = __task_cred(p);
707 ret = ((uid_eq(fown->euid, GLOBAL_ROOT_UID) ||
708 uid_eq(fown->euid, cred->suid) || uid_eq(fown->euid, cred->uid) ||
709 uid_eq(fown->uid, cred->suid) || uid_eq(fown->uid, cred->uid)) &&
710 !security_file_send_sigiotask(p, fown, sig));
711 rcu_read_unlock();
712 return ret;
713 }
714
send_sigio_to_task(struct task_struct * p,struct fown_struct * fown,int fd,int reason,enum pid_type type)715 static void send_sigio_to_task(struct task_struct *p,
716 struct fown_struct *fown,
717 int fd, int reason, enum pid_type type)
718 {
719 /*
720 * F_SETSIG can change ->signum lockless in parallel, make
721 * sure we read it once and use the same value throughout.
722 */
723 int signum = READ_ONCE(fown->signum);
724
725 if (!sigio_perm(p, fown, signum))
726 return;
727
728 switch (signum) {
729 default: {
730 kernel_siginfo_t si;
731
732 /* Queue a rt signal with the appropriate fd as its
733 value. We use SI_SIGIO as the source, not
734 SI_KERNEL, since kernel signals always get
735 delivered even if we can't queue. Failure to
736 queue in this case _should_ be reported; we fall
737 back to SIGIO in that case. --sct */
738 clear_siginfo(&si);
739 si.si_signo = signum;
740 si.si_errno = 0;
741 si.si_code = reason;
742 /*
743 * Posix definies POLL_IN and friends to be signal
744 * specific si_codes for SIG_POLL. Linux extended
745 * these si_codes to other signals in a way that is
746 * ambiguous if other signals also have signal
747 * specific si_codes. In that case use SI_SIGIO instead
748 * to remove the ambiguity.
749 */
750 if ((signum != SIGPOLL) && sig_specific_sicodes(signum))
751 si.si_code = SI_SIGIO;
752
753 /* Make sure we are called with one of the POLL_*
754 reasons, otherwise we could leak kernel stack into
755 userspace. */
756 BUG_ON((reason < POLL_IN) || ((reason - POLL_IN) >= NSIGPOLL));
757 if (reason - POLL_IN >= NSIGPOLL)
758 si.si_band = ~0L;
759 else
760 si.si_band = mangle_poll(band_table[reason - POLL_IN]);
761 si.si_fd = fd;
762 if (!do_send_sig_info(signum, &si, p, type))
763 break;
764 }
765 fallthrough; /* fall back on the old plain SIGIO signal */
766 case 0:
767 do_send_sig_info(SIGIO, SEND_SIG_PRIV, p, type);
768 }
769 }
770
send_sigio(struct fown_struct * fown,int fd,int band)771 void send_sigio(struct fown_struct *fown, int fd, int band)
772 {
773 struct task_struct *p;
774 enum pid_type type;
775 unsigned long flags;
776 struct pid *pid;
777
778 read_lock_irqsave(&fown->lock, flags);
779
780 type = fown->pid_type;
781 pid = fown->pid;
782 if (!pid)
783 goto out_unlock_fown;
784
785 if (type <= PIDTYPE_TGID) {
786 rcu_read_lock();
787 p = pid_task(pid, PIDTYPE_PID);
788 if (p)
789 send_sigio_to_task(p, fown, fd, band, type);
790 rcu_read_unlock();
791 } else {
792 read_lock(&tasklist_lock);
793 do_each_pid_task(pid, type, p) {
794 send_sigio_to_task(p, fown, fd, band, type);
795 } while_each_pid_task(pid, type, p);
796 read_unlock(&tasklist_lock);
797 }
798 out_unlock_fown:
799 read_unlock_irqrestore(&fown->lock, flags);
800 }
801
send_sigurg_to_task(struct task_struct * p,struct fown_struct * fown,enum pid_type type)802 static void send_sigurg_to_task(struct task_struct *p,
803 struct fown_struct *fown, enum pid_type type)
804 {
805 if (sigio_perm(p, fown, SIGURG))
806 do_send_sig_info(SIGURG, SEND_SIG_PRIV, p, type);
807 }
808
send_sigurg(struct fown_struct * fown)809 int send_sigurg(struct fown_struct *fown)
810 {
811 struct task_struct *p;
812 enum pid_type type;
813 struct pid *pid;
814 unsigned long flags;
815 int ret = 0;
816
817 read_lock_irqsave(&fown->lock, flags);
818
819 type = fown->pid_type;
820 pid = fown->pid;
821 if (!pid)
822 goto out_unlock_fown;
823
824 ret = 1;
825
826 if (type <= PIDTYPE_TGID) {
827 rcu_read_lock();
828 p = pid_task(pid, PIDTYPE_PID);
829 if (p)
830 send_sigurg_to_task(p, fown, type);
831 rcu_read_unlock();
832 } else {
833 read_lock(&tasklist_lock);
834 do_each_pid_task(pid, type, p) {
835 send_sigurg_to_task(p, fown, type);
836 } while_each_pid_task(pid, type, p);
837 read_unlock(&tasklist_lock);
838 }
839 out_unlock_fown:
840 read_unlock_irqrestore(&fown->lock, flags);
841 return ret;
842 }
843
844 static DEFINE_SPINLOCK(fasync_lock);
845 static struct kmem_cache *fasync_cache __read_mostly;
846
fasync_free_rcu(struct rcu_head * head)847 static void fasync_free_rcu(struct rcu_head *head)
848 {
849 kmem_cache_free(fasync_cache,
850 container_of(head, struct fasync_struct, fa_rcu));
851 }
852
853 /*
854 * Remove a fasync entry. If successfully removed, return
855 * positive and clear the FASYNC flag. If no entry exists,
856 * do nothing and return 0.
857 *
858 * NOTE! It is very important that the FASYNC flag always
859 * match the state "is the filp on a fasync list".
860 *
861 */
fasync_remove_entry(struct file * filp,struct fasync_struct ** fapp)862 int fasync_remove_entry(struct file *filp, struct fasync_struct **fapp)
863 {
864 struct fasync_struct *fa, **fp;
865 int result = 0;
866
867 spin_lock(&filp->f_lock);
868 spin_lock(&fasync_lock);
869 for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
870 if (fa->fa_file != filp)
871 continue;
872
873 write_lock_irq(&fa->fa_lock);
874 fa->fa_file = NULL;
875 write_unlock_irq(&fa->fa_lock);
876
877 *fp = fa->fa_next;
878 call_rcu(&fa->fa_rcu, fasync_free_rcu);
879 filp->f_flags &= ~FASYNC;
880 result = 1;
881 break;
882 }
883 spin_unlock(&fasync_lock);
884 spin_unlock(&filp->f_lock);
885 return result;
886 }
887
fasync_alloc(void)888 struct fasync_struct *fasync_alloc(void)
889 {
890 return kmem_cache_alloc(fasync_cache, GFP_KERNEL);
891 }
892
893 /*
894 * NOTE! This can be used only for unused fasync entries:
895 * entries that actually got inserted on the fasync list
896 * need to be released by rcu - see fasync_remove_entry.
897 */
fasync_free(struct fasync_struct * new)898 void fasync_free(struct fasync_struct *new)
899 {
900 kmem_cache_free(fasync_cache, new);
901 }
902
903 /*
904 * Insert a new entry into the fasync list. Return the pointer to the
905 * old one if we didn't use the new one.
906 *
907 * NOTE! It is very important that the FASYNC flag always
908 * match the state "is the filp on a fasync list".
909 */
fasync_insert_entry(int fd,struct file * filp,struct fasync_struct ** fapp,struct fasync_struct * new)910 struct fasync_struct *fasync_insert_entry(int fd, struct file *filp, struct fasync_struct **fapp, struct fasync_struct *new)
911 {
912 struct fasync_struct *fa, **fp;
913
914 spin_lock(&filp->f_lock);
915 spin_lock(&fasync_lock);
916 for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
917 if (fa->fa_file != filp)
918 continue;
919
920 write_lock_irq(&fa->fa_lock);
921 fa->fa_fd = fd;
922 write_unlock_irq(&fa->fa_lock);
923 goto out;
924 }
925
926 rwlock_init(&new->fa_lock);
927 new->magic = FASYNC_MAGIC;
928 new->fa_file = filp;
929 new->fa_fd = fd;
930 new->fa_next = *fapp;
931 rcu_assign_pointer(*fapp, new);
932 filp->f_flags |= FASYNC;
933
934 out:
935 spin_unlock(&fasync_lock);
936 spin_unlock(&filp->f_lock);
937 return fa;
938 }
939
940 /*
941 * Add a fasync entry. Return negative on error, positive if
942 * added, and zero if did nothing but change an existing one.
943 */
fasync_add_entry(int fd,struct file * filp,struct fasync_struct ** fapp)944 static int fasync_add_entry(int fd, struct file *filp, struct fasync_struct **fapp)
945 {
946 struct fasync_struct *new;
947
948 new = fasync_alloc();
949 if (!new)
950 return -ENOMEM;
951
952 /*
953 * fasync_insert_entry() returns the old (update) entry if
954 * it existed.
955 *
956 * So free the (unused) new entry and return 0 to let the
957 * caller know that we didn't add any new fasync entries.
958 */
959 if (fasync_insert_entry(fd, filp, fapp, new)) {
960 fasync_free(new);
961 return 0;
962 }
963
964 return 1;
965 }
966
967 /*
968 * fasync_helper() is used by almost all character device drivers
969 * to set up the fasync queue, and for regular files by the file
970 * lease code. It returns negative on error, 0 if it did no changes
971 * and positive if it added/deleted the entry.
972 */
fasync_helper(int fd,struct file * filp,int on,struct fasync_struct ** fapp)973 int fasync_helper(int fd, struct file * filp, int on, struct fasync_struct **fapp)
974 {
975 if (!on)
976 return fasync_remove_entry(filp, fapp);
977 return fasync_add_entry(fd, filp, fapp);
978 }
979
980 EXPORT_SYMBOL(fasync_helper);
981
982 /*
983 * rcu_read_lock() is held
984 */
kill_fasync_rcu(struct fasync_struct * fa,int sig,int band)985 static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band)
986 {
987 while (fa) {
988 struct fown_struct *fown;
989 unsigned long flags;
990
991 if (fa->magic != FASYNC_MAGIC) {
992 printk(KERN_ERR "kill_fasync: bad magic number in "
993 "fasync_struct!\n");
994 return;
995 }
996 read_lock_irqsave(&fa->fa_lock, flags);
997 if (fa->fa_file) {
998 fown = &fa->fa_file->f_owner;
999 /* Don't send SIGURG to processes which have not set a
1000 queued signum: SIGURG has its own default signalling
1001 mechanism. */
1002 if (!(sig == SIGURG && fown->signum == 0))
1003 send_sigio(fown, fa->fa_fd, band);
1004 }
1005 read_unlock_irqrestore(&fa->fa_lock, flags);
1006 fa = rcu_dereference(fa->fa_next);
1007 }
1008 }
1009
kill_fasync(struct fasync_struct ** fp,int sig,int band)1010 void kill_fasync(struct fasync_struct **fp, int sig, int band)
1011 {
1012 /* First a quick test without locking: usually
1013 * the list is empty.
1014 */
1015 if (*fp) {
1016 rcu_read_lock();
1017 kill_fasync_rcu(rcu_dereference(*fp), sig, band);
1018 rcu_read_unlock();
1019 }
1020 }
1021 EXPORT_SYMBOL(kill_fasync);
1022
fcntl_init(void)1023 static int __init fcntl_init(void)
1024 {
1025 /*
1026 * Please add new bits here to ensure allocation uniqueness.
1027 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
1028 * is defined as O_NONBLOCK on some platforms and not on others.
1029 */
1030 BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=
1031 HWEIGHT32(
1032 (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
1033 __FMODE_EXEC | __FMODE_NONOTIFY));
1034
1035 fasync_cache = kmem_cache_create("fasync_cache",
1036 sizeof(struct fasync_struct), 0,
1037 SLAB_PANIC | SLAB_ACCOUNT, NULL);
1038 return 0;
1039 }
1040
1041 module_init(fcntl_init)
1042