1 /*
2  * Copyright (c) 2016, Mellanox Technologies inc.  All rights reserved.
3  *
4  * This software is available to you under a choice of one of two
5  * licenses.  You may choose to be licensed under the terms of the GNU
6  * General Public License (GPL) Version 2, available from the file
7  * COPYING in the main directory of this source tree, or the
8  * OpenIB.org BSD license below:
9  *
10  *     Redistribution and use in source and binary forms, with or
11  *     without modification, are permitted provided that the following
12  *     conditions are met:
13  *
14  *      - Redistributions of source code must retain the above
15  *        copyright notice, this list of conditions and the following
16  *        disclaimer.
17  *
18  *      - Redistributions in binary form must reproduce the above
19  *        copyright notice, this list of conditions and the following
20  *        disclaimer in the documentation and/or other materials
21  *        provided with the distribution.
22  *
23  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
27  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
29  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30  * SOFTWARE.
31  */
32 
33 #include <linux/file.h>
34 #include <linux/anon_inodes.h>
35 #include <linux/sched/mm.h>
36 #include <rdma/ib_verbs.h>
37 #include <rdma/uverbs_types.h>
38 #include <linux/rcupdate.h>
39 #include <rdma/uverbs_ioctl.h>
40 #include <rdma/rdma_user_ioctl.h>
41 #include "uverbs.h"
42 #include "core_priv.h"
43 #include "rdma_core.h"
44 
45 void uverbs_uobject_get(struct ib_uobject *uobject)
46 {
47 	kref_get(&uobject->ref);
48 }
49 
50 static void uverbs_uobject_free(struct kref *ref)
51 {
52 	struct ib_uobject *uobj =
53 		container_of(ref, struct ib_uobject, ref);
54 
55 	if (uobj->uapi_object->type_class->needs_kfree_rcu)
56 		kfree_rcu(uobj, rcu);
57 	else
58 		kfree(uobj);
59 }
60 
61 void uverbs_uobject_put(struct ib_uobject *uobject)
62 {
63 	kref_put(&uobject->ref, uverbs_uobject_free);
64 }
65 
66 static int uverbs_try_lock_object(struct ib_uobject *uobj,
67 				  enum rdma_lookup_mode mode)
68 {
69 	/*
70 	 * When a shared access is required, we use a positive counter. Each
71 	 * shared access request checks that the value != -1 and increment it.
72 	 * Exclusive access is required for operations like write or destroy.
73 	 * In exclusive access mode, we check that the counter is zero (nobody
74 	 * claimed this object) and we set it to -1. Releasing a shared access
75 	 * lock is done simply by decreasing the counter. As for exclusive
76 	 * access locks, since only a single one of them is is allowed
77 	 * concurrently, setting the counter to zero is enough for releasing
78 	 * this lock.
79 	 */
80 	switch (mode) {
81 	case UVERBS_LOOKUP_READ:
82 		return atomic_fetch_add_unless(&uobj->usecnt, 1, -1) == -1 ?
83 			-EBUSY : 0;
84 	case UVERBS_LOOKUP_WRITE:
85 		/* lock is exclusive */
86 		return atomic_cmpxchg(&uobj->usecnt, 0, -1) == 0 ? 0 : -EBUSY;
87 	case UVERBS_LOOKUP_DESTROY:
88 		return 0;
89 	}
90 	return 0;
91 }
92 
93 static void assert_uverbs_usecnt(struct ib_uobject *uobj,
94 				 enum rdma_lookup_mode mode)
95 {
96 #ifdef CONFIG_LOCKDEP
97 	switch (mode) {
98 	case UVERBS_LOOKUP_READ:
99 		WARN_ON(atomic_read(&uobj->usecnt) <= 0);
100 		break;
101 	case UVERBS_LOOKUP_WRITE:
102 		WARN_ON(atomic_read(&uobj->usecnt) != -1);
103 		break;
104 	case UVERBS_LOOKUP_DESTROY:
105 		break;
106 	}
107 #endif
108 }
109 
110 /*
111  * This must be called with the hw_destroy_rwsem locked for read or write,
112  * also the uobject itself must be locked for write.
113  *
114  * Upon return the HW object is guaranteed to be destroyed.
115  *
116  * For RDMA_REMOVE_ABORT, the hw_destroy_rwsem is not required to be held,
117  * however the type's allocat_commit function cannot have been called and the
118  * uobject cannot be on the uobjects_lists
119  *
120  * For RDMA_REMOVE_DESTROY the caller shold be holding a kref (eg via
121  * rdma_lookup_get_uobject) and the object is left in a state where the caller
122  * needs to call rdma_lookup_put_uobject.
123  *
124  * For all other destroy modes this function internally unlocks the uobject
125  * and consumes the kref on the uobj.
126  */
127 static int uverbs_destroy_uobject(struct ib_uobject *uobj,
128 				  enum rdma_remove_reason reason,
129 				  struct uverbs_attr_bundle *attrs)
130 {
131 	struct ib_uverbs_file *ufile = attrs->ufile;
132 	unsigned long flags;
133 	int ret;
134 
135 	lockdep_assert_held(&ufile->hw_destroy_rwsem);
136 	assert_uverbs_usecnt(uobj, UVERBS_LOOKUP_WRITE);
137 
138 	if (uobj->object) {
139 		ret = uobj->uapi_object->type_class->destroy_hw(uobj, reason,
140 								attrs);
141 		if (ret) {
142 			if (ib_is_destroy_retryable(ret, reason, uobj))
143 				return ret;
144 
145 			/* Nothing to be done, dangle the memory and move on */
146 			WARN(true,
147 			     "ib_uverbs: failed to remove uobject id %d, driver err=%d",
148 			     uobj->id, ret);
149 		}
150 
151 		uobj->object = NULL;
152 	}
153 
154 	if (reason == RDMA_REMOVE_ABORT) {
155 		WARN_ON(!list_empty(&uobj->list));
156 		WARN_ON(!uobj->context);
157 		uobj->uapi_object->type_class->alloc_abort(uobj);
158 	}
159 
160 	uobj->context = NULL;
161 
162 	/*
163 	 * For DESTROY the usecnt is held write locked, the caller is expected
164 	 * to put it unlock and put the object when done with it. Only DESTROY
165 	 * can remove the IDR handle.
166 	 */
167 	if (reason != RDMA_REMOVE_DESTROY)
168 		atomic_set(&uobj->usecnt, 0);
169 	else
170 		uobj->uapi_object->type_class->remove_handle(uobj);
171 
172 	if (!list_empty(&uobj->list)) {
173 		spin_lock_irqsave(&ufile->uobjects_lock, flags);
174 		list_del_init(&uobj->list);
175 		spin_unlock_irqrestore(&ufile->uobjects_lock, flags);
176 
177 		/*
178 		 * Pairs with the get in rdma_alloc_commit_uobject(), could
179 		 * destroy uobj.
180 		 */
181 		uverbs_uobject_put(uobj);
182 	}
183 
184 	/*
185 	 * When aborting the stack kref remains owned by the core code, and is
186 	 * not transferred into the type. Pairs with the get in alloc_uobj
187 	 */
188 	if (reason == RDMA_REMOVE_ABORT)
189 		uverbs_uobject_put(uobj);
190 
191 	return 0;
192 }
193 
194 /*
195  * This calls uverbs_destroy_uobject() using the RDMA_REMOVE_DESTROY
196  * sequence. It should only be used from command callbacks. On success the
197  * caller must pair this with rdma_lookup_put_uobject(LOOKUP_WRITE). This
198  * version requires the caller to have already obtained an
199  * LOOKUP_DESTROY uobject kref.
200  */
201 int uobj_destroy(struct ib_uobject *uobj, struct uverbs_attr_bundle *attrs)
202 {
203 	struct ib_uverbs_file *ufile = attrs->ufile;
204 	int ret;
205 
206 	down_read(&ufile->hw_destroy_rwsem);
207 
208 	ret = uverbs_try_lock_object(uobj, UVERBS_LOOKUP_WRITE);
209 	if (ret)
210 		goto out_unlock;
211 
212 	ret = uverbs_destroy_uobject(uobj, RDMA_REMOVE_DESTROY, attrs);
213 	if (ret) {
214 		atomic_set(&uobj->usecnt, 0);
215 		goto out_unlock;
216 	}
217 
218 out_unlock:
219 	up_read(&ufile->hw_destroy_rwsem);
220 	return ret;
221 }
222 
223 /*
224  * uobj_get_destroy destroys the HW object and returns a handle to the uobj
225  * with a NULL object pointer. The caller must pair this with
226  * uverbs_put_destroy.
227  */
228 struct ib_uobject *__uobj_get_destroy(const struct uverbs_api_object *obj,
229 				      u32 id, struct uverbs_attr_bundle *attrs)
230 {
231 	struct ib_uobject *uobj;
232 	int ret;
233 
234 	uobj = rdma_lookup_get_uobject(obj, attrs->ufile, id,
235 				       UVERBS_LOOKUP_DESTROY, attrs);
236 	if (IS_ERR(uobj))
237 		return uobj;
238 
239 	ret = uobj_destroy(uobj, attrs);
240 	if (ret) {
241 		rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_DESTROY);
242 		return ERR_PTR(ret);
243 	}
244 
245 	return uobj;
246 }
247 
248 /*
249  * Does both uobj_get_destroy() and uobj_put_destroy().  Returns 0 on success
250  * (negative errno on failure). For use by callers that do not need the uobj.
251  */
252 int __uobj_perform_destroy(const struct uverbs_api_object *obj, u32 id,
253 			   struct uverbs_attr_bundle *attrs)
254 {
255 	struct ib_uobject *uobj;
256 
257 	uobj = __uobj_get_destroy(obj, id, attrs);
258 	if (IS_ERR(uobj))
259 		return PTR_ERR(uobj);
260 
261 	rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE);
262 	return 0;
263 }
264 
265 /* alloc_uobj must be undone by uverbs_destroy_uobject() */
266 static struct ib_uobject *alloc_uobj(struct ib_uverbs_file *ufile,
267 				     const struct uverbs_api_object *obj)
268 {
269 	struct ib_uobject *uobj;
270 	struct ib_ucontext *ucontext;
271 
272 	ucontext = ib_uverbs_get_ucontext_file(ufile);
273 	if (IS_ERR(ucontext))
274 		return ERR_CAST(ucontext);
275 
276 	uobj = kzalloc(obj->type_attrs->obj_size, GFP_KERNEL);
277 	if (!uobj)
278 		return ERR_PTR(-ENOMEM);
279 	/*
280 	 * user_handle should be filled by the handler,
281 	 * The object is added to the list in the commit stage.
282 	 */
283 	uobj->ufile = ufile;
284 	uobj->context = ucontext;
285 	INIT_LIST_HEAD(&uobj->list);
286 	uobj->uapi_object = obj;
287 	/*
288 	 * Allocated objects start out as write locked to deny any other
289 	 * syscalls from accessing them until they are committed. See
290 	 * rdma_alloc_commit_uobject
291 	 */
292 	atomic_set(&uobj->usecnt, -1);
293 	kref_init(&uobj->ref);
294 
295 	return uobj;
296 }
297 
298 static int idr_add_uobj(struct ib_uobject *uobj)
299 {
300        /*
301         * We start with allocating an idr pointing to NULL. This represents an
302         * object which isn't initialized yet. We'll replace it later on with
303         * the real object once we commit.
304         */
305 	return xa_alloc(&uobj->ufile->idr, &uobj->id, NULL, xa_limit_32b,
306 			GFP_KERNEL);
307 }
308 
309 /* Returns the ib_uobject or an error. The caller should check for IS_ERR. */
310 static struct ib_uobject *
311 lookup_get_idr_uobject(const struct uverbs_api_object *obj,
312 		       struct ib_uverbs_file *ufile, s64 id,
313 		       enum rdma_lookup_mode mode)
314 {
315 	struct ib_uobject *uobj;
316 
317 	if (id < 0 || id > ULONG_MAX)
318 		return ERR_PTR(-EINVAL);
319 
320 	rcu_read_lock();
321 	/*
322 	 * The idr_find is guaranteed to return a pointer to something that
323 	 * isn't freed yet, or NULL, as the free after idr_remove goes through
324 	 * kfree_rcu(). However the object may still have been released and
325 	 * kfree() could be called at any time.
326 	 */
327 	uobj = xa_load(&ufile->idr, id);
328 	if (!uobj || !kref_get_unless_zero(&uobj->ref))
329 		uobj = ERR_PTR(-ENOENT);
330 	rcu_read_unlock();
331 	return uobj;
332 }
333 
334 static struct ib_uobject *
335 lookup_get_fd_uobject(const struct uverbs_api_object *obj,
336 		      struct ib_uverbs_file *ufile, s64 id,
337 		      enum rdma_lookup_mode mode)
338 {
339 	const struct uverbs_obj_fd_type *fd_type;
340 	struct file *f;
341 	struct ib_uobject *uobject;
342 	int fdno = id;
343 
344 	if (fdno != id)
345 		return ERR_PTR(-EINVAL);
346 
347 	if (mode != UVERBS_LOOKUP_READ)
348 		return ERR_PTR(-EOPNOTSUPP);
349 
350 	if (!obj->type_attrs)
351 		return ERR_PTR(-EIO);
352 	fd_type =
353 		container_of(obj->type_attrs, struct uverbs_obj_fd_type, type);
354 
355 	f = fget(fdno);
356 	if (!f)
357 		return ERR_PTR(-EBADF);
358 
359 	uobject = f->private_data;
360 	/*
361 	 * fget(id) ensures we are not currently running uverbs_close_fd,
362 	 * and the caller is expected to ensure that uverbs_close_fd is never
363 	 * done while a call top lookup is possible.
364 	 */
365 	if (f->f_op != fd_type->fops) {
366 		fput(f);
367 		return ERR_PTR(-EBADF);
368 	}
369 
370 	uverbs_uobject_get(uobject);
371 	return uobject;
372 }
373 
374 struct ib_uobject *rdma_lookup_get_uobject(const struct uverbs_api_object *obj,
375 					   struct ib_uverbs_file *ufile, s64 id,
376 					   enum rdma_lookup_mode mode,
377 					   struct uverbs_attr_bundle *attrs)
378 {
379 	struct ib_uobject *uobj;
380 	int ret;
381 
382 	if (obj == ERR_PTR(-ENOMSG)) {
383 		/* must be UVERBS_IDR_ANY_OBJECT, see uapi_get_object() */
384 		uobj = lookup_get_idr_uobject(NULL, ufile, id, mode);
385 		if (IS_ERR(uobj))
386 			return uobj;
387 	} else {
388 		if (IS_ERR(obj))
389 			return ERR_PTR(-EINVAL);
390 
391 		uobj = obj->type_class->lookup_get(obj, ufile, id, mode);
392 		if (IS_ERR(uobj))
393 			return uobj;
394 
395 		if (uobj->uapi_object != obj) {
396 			ret = -EINVAL;
397 			goto free;
398 		}
399 	}
400 
401 	/*
402 	 * If we have been disassociated block every command except for
403 	 * DESTROY based commands.
404 	 */
405 	if (mode != UVERBS_LOOKUP_DESTROY &&
406 	    !srcu_dereference(ufile->device->ib_dev,
407 			      &ufile->device->disassociate_srcu)) {
408 		ret = -EIO;
409 		goto free;
410 	}
411 
412 	ret = uverbs_try_lock_object(uobj, mode);
413 	if (ret)
414 		goto free;
415 	if (attrs)
416 		attrs->context = uobj->context;
417 
418 	return uobj;
419 free:
420 	uobj->uapi_object->type_class->lookup_put(uobj, mode);
421 	uverbs_uobject_put(uobj);
422 	return ERR_PTR(ret);
423 }
424 
425 static struct ib_uobject *
426 alloc_begin_idr_uobject(const struct uverbs_api_object *obj,
427 			struct ib_uverbs_file *ufile)
428 {
429 	int ret;
430 	struct ib_uobject *uobj;
431 
432 	uobj = alloc_uobj(ufile, obj);
433 	if (IS_ERR(uobj))
434 		return uobj;
435 
436 	ret = idr_add_uobj(uobj);
437 	if (ret)
438 		goto uobj_put;
439 
440 	ret = ib_rdmacg_try_charge(&uobj->cg_obj, uobj->context->device,
441 				   RDMACG_RESOURCE_HCA_OBJECT);
442 	if (ret)
443 		goto remove;
444 
445 	return uobj;
446 
447 remove:
448 	xa_erase(&ufile->idr, uobj->id);
449 uobj_put:
450 	uverbs_uobject_put(uobj);
451 	return ERR_PTR(ret);
452 }
453 
454 static struct ib_uobject *
455 alloc_begin_fd_uobject(const struct uverbs_api_object *obj,
456 		       struct ib_uverbs_file *ufile)
457 {
458 	int new_fd;
459 	struct ib_uobject *uobj;
460 
461 	new_fd = get_unused_fd_flags(O_CLOEXEC);
462 	if (new_fd < 0)
463 		return ERR_PTR(new_fd);
464 
465 	uobj = alloc_uobj(ufile, obj);
466 	if (IS_ERR(uobj)) {
467 		put_unused_fd(new_fd);
468 		return uobj;
469 	}
470 
471 	uobj->id = new_fd;
472 	uobj->ufile = ufile;
473 
474 	return uobj;
475 }
476 
477 struct ib_uobject *rdma_alloc_begin_uobject(const struct uverbs_api_object *obj,
478 					    struct ib_uverbs_file *ufile,
479 					    struct uverbs_attr_bundle *attrs)
480 {
481 	struct ib_uobject *ret;
482 
483 	if (IS_ERR(obj))
484 		return ERR_PTR(-EINVAL);
485 
486 	/*
487 	 * The hw_destroy_rwsem is held across the entire object creation and
488 	 * released during rdma_alloc_commit_uobject or
489 	 * rdma_alloc_abort_uobject
490 	 */
491 	if (!down_read_trylock(&ufile->hw_destroy_rwsem))
492 		return ERR_PTR(-EIO);
493 
494 	ret = obj->type_class->alloc_begin(obj, ufile);
495 	if (IS_ERR(ret)) {
496 		up_read(&ufile->hw_destroy_rwsem);
497 		return ret;
498 	}
499 	if (attrs)
500 		attrs->context = ret->context;
501 	return ret;
502 }
503 
504 static void alloc_abort_idr_uobject(struct ib_uobject *uobj)
505 {
506 	ib_rdmacg_uncharge(&uobj->cg_obj, uobj->context->device,
507 			   RDMACG_RESOURCE_HCA_OBJECT);
508 
509 	xa_erase(&uobj->ufile->idr, uobj->id);
510 }
511 
512 static int __must_check destroy_hw_idr_uobject(struct ib_uobject *uobj,
513 					       enum rdma_remove_reason why,
514 					       struct uverbs_attr_bundle *attrs)
515 {
516 	const struct uverbs_obj_idr_type *idr_type =
517 		container_of(uobj->uapi_object->type_attrs,
518 			     struct uverbs_obj_idr_type, type);
519 	int ret = idr_type->destroy_object(uobj, why, attrs);
520 
521 	/*
522 	 * We can only fail gracefully if the user requested to destroy the
523 	 * object or when a retry may be called upon an error.
524 	 * In the rest of the cases, just remove whatever you can.
525 	 */
526 	if (ib_is_destroy_retryable(ret, why, uobj))
527 		return ret;
528 
529 	if (why == RDMA_REMOVE_ABORT)
530 		return 0;
531 
532 	ib_rdmacg_uncharge(&uobj->cg_obj, uobj->context->device,
533 			   RDMACG_RESOURCE_HCA_OBJECT);
534 
535 	return 0;
536 }
537 
538 static void remove_handle_idr_uobject(struct ib_uobject *uobj)
539 {
540 	xa_erase(&uobj->ufile->idr, uobj->id);
541 	/* Matches the kref in alloc_commit_idr_uobject */
542 	uverbs_uobject_put(uobj);
543 }
544 
545 static void alloc_abort_fd_uobject(struct ib_uobject *uobj)
546 {
547 	put_unused_fd(uobj->id);
548 }
549 
550 static int __must_check destroy_hw_fd_uobject(struct ib_uobject *uobj,
551 					      enum rdma_remove_reason why,
552 					      struct uverbs_attr_bundle *attrs)
553 {
554 	const struct uverbs_obj_fd_type *fd_type = container_of(
555 		uobj->uapi_object->type_attrs, struct uverbs_obj_fd_type, type);
556 	int ret = fd_type->context_closed(uobj, why);
557 
558 	if (ib_is_destroy_retryable(ret, why, uobj))
559 		return ret;
560 
561 	return 0;
562 }
563 
564 static void remove_handle_fd_uobject(struct ib_uobject *uobj)
565 {
566 }
567 
568 static int alloc_commit_idr_uobject(struct ib_uobject *uobj)
569 {
570 	struct ib_uverbs_file *ufile = uobj->ufile;
571 	void *old;
572 
573 	/*
574 	 * We already allocated this IDR with a NULL object, so
575 	 * this shouldn't fail.
576 	 *
577 	 * NOTE: Storing the uobj transfers our kref on uobj to the XArray.
578 	 * It will be put by remove_commit_idr_uobject()
579 	 */
580 	old = xa_store(&ufile->idr, uobj->id, uobj, GFP_KERNEL);
581 	WARN_ON(old != NULL);
582 
583 	return 0;
584 }
585 
586 static int alloc_commit_fd_uobject(struct ib_uobject *uobj)
587 {
588 	const struct uverbs_obj_fd_type *fd_type = container_of(
589 		uobj->uapi_object->type_attrs, struct uverbs_obj_fd_type, type);
590 	int fd = uobj->id;
591 	struct file *filp;
592 
593 	/*
594 	 * The kref for uobj is moved into filp->private data and put in
595 	 * uverbs_close_fd(). Once alloc_commit() succeeds uverbs_close_fd()
596 	 * must be guaranteed to be called from the provided fops release
597 	 * callback.
598 	 */
599 	filp = anon_inode_getfile(fd_type->name,
600 				  fd_type->fops,
601 				  uobj,
602 				  fd_type->flags);
603 	if (IS_ERR(filp))
604 		return PTR_ERR(filp);
605 
606 	uobj->object = filp;
607 
608 	/* Matching put will be done in uverbs_close_fd() */
609 	kref_get(&uobj->ufile->ref);
610 
611 	/* This shouldn't be used anymore. Use the file object instead */
612 	uobj->id = 0;
613 
614 	/*
615 	 * NOTE: Once we install the file we loose ownership of our kref on
616 	 * uobj. It will be put by uverbs_close_fd()
617 	 */
618 	fd_install(fd, filp);
619 
620 	return 0;
621 }
622 
623 /*
624  * In all cases rdma_alloc_commit_uobject() consumes the kref to uobj and the
625  * caller can no longer assume uobj is valid. If this function fails it
626  * destroys the uboject, including the attached HW object.
627  */
628 int __must_check rdma_alloc_commit_uobject(struct ib_uobject *uobj,
629 					   struct uverbs_attr_bundle *attrs)
630 {
631 	struct ib_uverbs_file *ufile = attrs->ufile;
632 	int ret;
633 
634 	/* alloc_commit consumes the uobj kref */
635 	ret = uobj->uapi_object->type_class->alloc_commit(uobj);
636 	if (ret) {
637 		uverbs_destroy_uobject(uobj, RDMA_REMOVE_ABORT, attrs);
638 		up_read(&ufile->hw_destroy_rwsem);
639 		return ret;
640 	}
641 
642 	/* kref is held so long as the uobj is on the uobj list. */
643 	uverbs_uobject_get(uobj);
644 	spin_lock_irq(&ufile->uobjects_lock);
645 	list_add(&uobj->list, &ufile->uobjects);
646 	spin_unlock_irq(&ufile->uobjects_lock);
647 
648 	/* matches atomic_set(-1) in alloc_uobj */
649 	atomic_set(&uobj->usecnt, 0);
650 
651 	/* Matches the down_read in rdma_alloc_begin_uobject */
652 	up_read(&ufile->hw_destroy_rwsem);
653 
654 	return 0;
655 }
656 
657 /*
658  * This consumes the kref for uobj. It is up to the caller to unwind the HW
659  * object and anything else connected to uobj before calling this.
660  */
661 void rdma_alloc_abort_uobject(struct ib_uobject *uobj,
662 			      struct uverbs_attr_bundle *attrs)
663 {
664 	struct ib_uverbs_file *ufile = uobj->ufile;
665 
666 	uobj->object = NULL;
667 	uverbs_destroy_uobject(uobj, RDMA_REMOVE_ABORT, attrs);
668 
669 	/* Matches the down_read in rdma_alloc_begin_uobject */
670 	up_read(&ufile->hw_destroy_rwsem);
671 }
672 
673 static void lookup_put_idr_uobject(struct ib_uobject *uobj,
674 				   enum rdma_lookup_mode mode)
675 {
676 }
677 
678 static void lookup_put_fd_uobject(struct ib_uobject *uobj,
679 				  enum rdma_lookup_mode mode)
680 {
681 	struct file *filp = uobj->object;
682 
683 	WARN_ON(mode != UVERBS_LOOKUP_READ);
684 	/* This indirectly calls uverbs_close_fd and free the object */
685 	fput(filp);
686 }
687 
688 void rdma_lookup_put_uobject(struct ib_uobject *uobj,
689 			     enum rdma_lookup_mode mode)
690 {
691 	assert_uverbs_usecnt(uobj, mode);
692 	uobj->uapi_object->type_class->lookup_put(uobj, mode);
693 	/*
694 	 * In order to unlock an object, either decrease its usecnt for
695 	 * read access or zero it in case of exclusive access. See
696 	 * uverbs_try_lock_object for locking schema information.
697 	 */
698 	switch (mode) {
699 	case UVERBS_LOOKUP_READ:
700 		atomic_dec(&uobj->usecnt);
701 		break;
702 	case UVERBS_LOOKUP_WRITE:
703 		atomic_set(&uobj->usecnt, 0);
704 		break;
705 	case UVERBS_LOOKUP_DESTROY:
706 		break;
707 	}
708 
709 	/* Pairs with the kref obtained by type->lookup_get */
710 	uverbs_uobject_put(uobj);
711 }
712 
713 void setup_ufile_idr_uobject(struct ib_uverbs_file *ufile)
714 {
715 	xa_init_flags(&ufile->idr, XA_FLAGS_ALLOC);
716 }
717 
718 void release_ufile_idr_uobject(struct ib_uverbs_file *ufile)
719 {
720 	struct ib_uobject *entry;
721 	unsigned long id;
722 
723 	/*
724 	 * At this point uverbs_cleanup_ufile() is guaranteed to have run, and
725 	 * there are no HW objects left, however the xarray is still populated
726 	 * with anything that has not been cleaned up by userspace. Since the
727 	 * kref on ufile is 0, nothing is allowed to call lookup_get.
728 	 *
729 	 * This is an optimized equivalent to remove_handle_idr_uobject
730 	 */
731 	xa_for_each(&ufile->idr, id, entry) {
732 		WARN_ON(entry->object);
733 		uverbs_uobject_put(entry);
734 	}
735 
736 	xa_destroy(&ufile->idr);
737 }
738 
739 const struct uverbs_obj_type_class uverbs_idr_class = {
740 	.alloc_begin = alloc_begin_idr_uobject,
741 	.lookup_get = lookup_get_idr_uobject,
742 	.alloc_commit = alloc_commit_idr_uobject,
743 	.alloc_abort = alloc_abort_idr_uobject,
744 	.lookup_put = lookup_put_idr_uobject,
745 	.destroy_hw = destroy_hw_idr_uobject,
746 	.remove_handle = remove_handle_idr_uobject,
747 	/*
748 	 * When we destroy an object, we first just lock it for WRITE and
749 	 * actually DESTROY it in the finalize stage. So, the problematic
750 	 * scenario is when we just started the finalize stage of the
751 	 * destruction (nothing was executed yet). Now, the other thread
752 	 * fetched the object for READ access, but it didn't lock it yet.
753 	 * The DESTROY thread continues and starts destroying the object.
754 	 * When the other thread continue - without the RCU, it would
755 	 * access freed memory. However, the rcu_read_lock delays the free
756 	 * until the rcu_read_lock of the READ operation quits. Since the
757 	 * exclusive lock of the object is still taken by the DESTROY flow, the
758 	 * READ operation will get -EBUSY and it'll just bail out.
759 	 */
760 	.needs_kfree_rcu = true,
761 };
762 EXPORT_SYMBOL(uverbs_idr_class);
763 
764 void uverbs_close_fd(struct file *f)
765 {
766 	struct ib_uobject *uobj = f->private_data;
767 	struct ib_uverbs_file *ufile = uobj->ufile;
768 	struct uverbs_attr_bundle attrs = {
769 		.context = uobj->context,
770 		.ufile = ufile,
771 	};
772 
773 	if (down_read_trylock(&ufile->hw_destroy_rwsem)) {
774 		/*
775 		 * lookup_get_fd_uobject holds the kref on the struct file any
776 		 * time a FD uobj is locked, which prevents this release
777 		 * method from being invoked. Meaning we can always get the
778 		 * write lock here, or we have a kernel bug.
779 		 */
780 		WARN_ON(uverbs_try_lock_object(uobj, UVERBS_LOOKUP_WRITE));
781 		uverbs_destroy_uobject(uobj, RDMA_REMOVE_CLOSE, &attrs);
782 		up_read(&ufile->hw_destroy_rwsem);
783 	}
784 
785 	/* Matches the get in alloc_begin_fd_uobject */
786 	kref_put(&ufile->ref, ib_uverbs_release_file);
787 
788 	/* Pairs with filp->private_data in alloc_begin_fd_uobject */
789 	uverbs_uobject_put(uobj);
790 }
791 EXPORT_SYMBOL(uverbs_close_fd);
792 
793 /*
794  * Drop the ucontext off the ufile and completely disconnect it from the
795  * ib_device
796  */
797 static void ufile_destroy_ucontext(struct ib_uverbs_file *ufile,
798 				   enum rdma_remove_reason reason)
799 {
800 	struct ib_ucontext *ucontext = ufile->ucontext;
801 	struct ib_device *ib_dev = ucontext->device;
802 
803 	/*
804 	 * If we are closing the FD then the user mmap VMAs must have
805 	 * already been destroyed as they hold on to the filep, otherwise
806 	 * they need to be zap'd.
807 	 */
808 	if (reason == RDMA_REMOVE_DRIVER_REMOVE) {
809 		uverbs_user_mmap_disassociate(ufile);
810 		if (ib_dev->ops.disassociate_ucontext)
811 			ib_dev->ops.disassociate_ucontext(ucontext);
812 	}
813 
814 	ib_rdmacg_uncharge(&ucontext->cg_obj, ib_dev,
815 			   RDMACG_RESOURCE_HCA_HANDLE);
816 
817 	rdma_restrack_del(&ucontext->res);
818 
819 	ib_dev->ops.dealloc_ucontext(ucontext);
820 	WARN_ON(!xa_empty(&ucontext->mmap_xa));
821 	kfree(ucontext);
822 
823 	ufile->ucontext = NULL;
824 }
825 
826 static int __uverbs_cleanup_ufile(struct ib_uverbs_file *ufile,
827 				  enum rdma_remove_reason reason)
828 {
829 	struct ib_uobject *obj, *next_obj;
830 	int ret = -EINVAL;
831 	struct uverbs_attr_bundle attrs = { .ufile = ufile };
832 
833 	/*
834 	 * This shouldn't run while executing other commands on this
835 	 * context. Thus, the only thing we should take care of is
836 	 * releasing a FD while traversing this list. The FD could be
837 	 * closed and released from the _release fop of this FD.
838 	 * In order to mitigate this, we add a lock.
839 	 * We take and release the lock per traversal in order to let
840 	 * other threads (which might still use the FDs) chance to run.
841 	 */
842 	list_for_each_entry_safe(obj, next_obj, &ufile->uobjects, list) {
843 		attrs.context = obj->context;
844 		/*
845 		 * if we hit this WARN_ON, that means we are
846 		 * racing with a lookup_get.
847 		 */
848 		WARN_ON(uverbs_try_lock_object(obj, UVERBS_LOOKUP_WRITE));
849 		if (!uverbs_destroy_uobject(obj, reason, &attrs))
850 			ret = 0;
851 		else
852 			atomic_set(&obj->usecnt, 0);
853 	}
854 	return ret;
855 }
856 
857 /*
858  * Destroy the uncontext and every uobject associated with it. If called with
859  * reason != RDMA_REMOVE_CLOSE this will not return until the destruction has
860  * been completed and ufile->ucontext is NULL.
861  *
862  * This is internally locked and can be called in parallel from multiple
863  * contexts.
864  */
865 void uverbs_destroy_ufile_hw(struct ib_uverbs_file *ufile,
866 			     enum rdma_remove_reason reason)
867 {
868 	if (reason == RDMA_REMOVE_CLOSE) {
869 		/*
870 		 * During destruction we might trigger something that
871 		 * synchronously calls release on any file descriptor. For
872 		 * this reason all paths that come from file_operations
873 		 * release must use try_lock. They can progress knowing that
874 		 * there is an ongoing uverbs_destroy_ufile_hw that will clean
875 		 * up the driver resources.
876 		 */
877 		if (!mutex_trylock(&ufile->ucontext_lock))
878 			return;
879 
880 	} else {
881 		mutex_lock(&ufile->ucontext_lock);
882 	}
883 
884 	down_write(&ufile->hw_destroy_rwsem);
885 
886 	/*
887 	 * If a ucontext was never created then we can't have any uobjects to
888 	 * cleanup, nothing to do.
889 	 */
890 	if (!ufile->ucontext)
891 		goto done;
892 
893 	ufile->ucontext->closing = true;
894 	ufile->ucontext->cleanup_retryable = true;
895 	while (!list_empty(&ufile->uobjects))
896 		if (__uverbs_cleanup_ufile(ufile, reason)) {
897 			/*
898 			 * No entry was cleaned-up successfully during this
899 			 * iteration
900 			 */
901 			break;
902 		}
903 
904 	ufile->ucontext->cleanup_retryable = false;
905 	if (!list_empty(&ufile->uobjects))
906 		__uverbs_cleanup_ufile(ufile, reason);
907 
908 	ufile_destroy_ucontext(ufile, reason);
909 
910 done:
911 	up_write(&ufile->hw_destroy_rwsem);
912 	mutex_unlock(&ufile->ucontext_lock);
913 }
914 
915 const struct uverbs_obj_type_class uverbs_fd_class = {
916 	.alloc_begin = alloc_begin_fd_uobject,
917 	.lookup_get = lookup_get_fd_uobject,
918 	.alloc_commit = alloc_commit_fd_uobject,
919 	.alloc_abort = alloc_abort_fd_uobject,
920 	.lookup_put = lookup_put_fd_uobject,
921 	.destroy_hw = destroy_hw_fd_uobject,
922 	.remove_handle = remove_handle_fd_uobject,
923 	.needs_kfree_rcu = false,
924 };
925 EXPORT_SYMBOL(uverbs_fd_class);
926 
927 struct ib_uobject *
928 uverbs_get_uobject_from_file(u16 object_id, enum uverbs_obj_access access,
929 			     s64 id, struct uverbs_attr_bundle *attrs)
930 {
931 	const struct uverbs_api_object *obj =
932 		uapi_get_object(attrs->ufile->device->uapi, object_id);
933 
934 	switch (access) {
935 	case UVERBS_ACCESS_READ:
936 		return rdma_lookup_get_uobject(obj, attrs->ufile, id,
937 					       UVERBS_LOOKUP_READ, attrs);
938 	case UVERBS_ACCESS_DESTROY:
939 		/* Actual destruction is done inside uverbs_handle_method */
940 		return rdma_lookup_get_uobject(obj, attrs->ufile, id,
941 					       UVERBS_LOOKUP_DESTROY, attrs);
942 	case UVERBS_ACCESS_WRITE:
943 		return rdma_lookup_get_uobject(obj, attrs->ufile, id,
944 					       UVERBS_LOOKUP_WRITE, attrs);
945 	case UVERBS_ACCESS_NEW:
946 		return rdma_alloc_begin_uobject(obj, attrs->ufile, attrs);
947 	default:
948 		WARN_ON(true);
949 		return ERR_PTR(-EOPNOTSUPP);
950 	}
951 }
952 
953 int uverbs_finalize_object(struct ib_uobject *uobj,
954 			   enum uverbs_obj_access access, bool commit,
955 			   struct uverbs_attr_bundle *attrs)
956 {
957 	int ret = 0;
958 
959 	/*
960 	 * refcounts should be handled at the object level and not at the
961 	 * uobject level. Refcounts of the objects themselves are done in
962 	 * handlers.
963 	 */
964 
965 	switch (access) {
966 	case UVERBS_ACCESS_READ:
967 		rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_READ);
968 		break;
969 	case UVERBS_ACCESS_WRITE:
970 		rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE);
971 		break;
972 	case UVERBS_ACCESS_DESTROY:
973 		if (uobj)
974 			rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_DESTROY);
975 		break;
976 	case UVERBS_ACCESS_NEW:
977 		if (commit)
978 			ret = rdma_alloc_commit_uobject(uobj, attrs);
979 		else
980 			rdma_alloc_abort_uobject(uobj, attrs);
981 		break;
982 	default:
983 		WARN_ON(true);
984 		ret = -EOPNOTSUPP;
985 	}
986 
987 	return ret;
988 }
989