xref: /openbmc/linux/fs/ext4/ioctl.c (revision 1a59d1b8)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * linux/fs/ext4/ioctl.c
4  *
5  * Copyright (C) 1993, 1994, 1995
6  * Remy Card (card@masi.ibp.fr)
7  * Laboratoire MASI - Institut Blaise Pascal
8  * Universite Pierre et Marie Curie (Paris VI)
9  */
10 
11 #include <linux/fs.h>
12 #include <linux/capability.h>
13 #include <linux/time.h>
14 #include <linux/compat.h>
15 #include <linux/mount.h>
16 #include <linux/file.h>
17 #include <linux/quotaops.h>
18 #include <linux/random.h>
19 #include <linux/uuid.h>
20 #include <linux/uaccess.h>
21 #include <linux/delay.h>
22 #include <linux/iversion.h>
23 #include "ext4_jbd2.h"
24 #include "ext4.h"
25 #include <linux/fsmap.h>
26 #include "fsmap.h"
27 #include <trace/events/ext4.h>
28 
29 /**
30  * Swap memory between @a and @b for @len bytes.
31  *
32  * @a:          pointer to first memory area
33  * @b:          pointer to second memory area
34  * @len:        number of bytes to swap
35  *
36  */
37 static void memswap(void *a, void *b, size_t len)
38 {
39 	unsigned char *ap, *bp;
40 
41 	ap = (unsigned char *)a;
42 	bp = (unsigned char *)b;
43 	while (len-- > 0) {
44 		swap(*ap, *bp);
45 		ap++;
46 		bp++;
47 	}
48 }
49 
50 /**
51  * Swap i_data and associated attributes between @inode1 and @inode2.
52  * This function is used for the primary swap between inode1 and inode2
53  * and also to revert this primary swap in case of errors.
54  *
55  * Therefore you have to make sure, that calling this method twice
56  * will revert all changes.
57  *
58  * @inode1:     pointer to first inode
59  * @inode2:     pointer to second inode
60  */
61 static void swap_inode_data(struct inode *inode1, struct inode *inode2)
62 {
63 	loff_t isize;
64 	struct ext4_inode_info *ei1;
65 	struct ext4_inode_info *ei2;
66 	unsigned long tmp;
67 
68 	ei1 = EXT4_I(inode1);
69 	ei2 = EXT4_I(inode2);
70 
71 	swap(inode1->i_version, inode2->i_version);
72 	swap(inode1->i_atime, inode2->i_atime);
73 	swap(inode1->i_mtime, inode2->i_mtime);
74 
75 	memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data));
76 	tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP;
77 	ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) |
78 		(ei1->i_flags & ~EXT4_FL_SHOULD_SWAP);
79 	ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP);
80 	swap(ei1->i_disksize, ei2->i_disksize);
81 	ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS);
82 	ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS);
83 
84 	isize = i_size_read(inode1);
85 	i_size_write(inode1, i_size_read(inode2));
86 	i_size_write(inode2, isize);
87 }
88 
89 static void reset_inode_seed(struct inode *inode)
90 {
91 	struct ext4_inode_info *ei = EXT4_I(inode);
92 	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
93 	__le32 inum = cpu_to_le32(inode->i_ino);
94 	__le32 gen = cpu_to_le32(inode->i_generation);
95 	__u32 csum;
96 
97 	if (!ext4_has_metadata_csum(inode->i_sb))
98 		return;
99 
100 	csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)&inum, sizeof(inum));
101 	ei->i_csum_seed = ext4_chksum(sbi, csum, (__u8 *)&gen, sizeof(gen));
102 }
103 
104 /**
105  * Swap the information from the given @inode and the inode
106  * EXT4_BOOT_LOADER_INO. It will basically swap i_data and all other
107  * important fields of the inodes.
108  *
109  * @sb:         the super block of the filesystem
110  * @inode:      the inode to swap with EXT4_BOOT_LOADER_INO
111  *
112  */
113 static long swap_inode_boot_loader(struct super_block *sb,
114 				struct inode *inode)
115 {
116 	handle_t *handle;
117 	int err;
118 	struct inode *inode_bl;
119 	struct ext4_inode_info *ei_bl;
120 	qsize_t size, size_bl, diff;
121 	blkcnt_t blocks;
122 	unsigned short bytes;
123 
124 	inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
125 	if (IS_ERR(inode_bl))
126 		return PTR_ERR(inode_bl);
127 	ei_bl = EXT4_I(inode_bl);
128 
129 	/* Protect orig inodes against a truncate and make sure,
130 	 * that only 1 swap_inode_boot_loader is running. */
131 	lock_two_nondirectories(inode, inode_bl);
132 
133 	if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) ||
134 	    IS_SWAPFILE(inode) || IS_ENCRYPTED(inode) ||
135 	    (EXT4_I(inode)->i_flags & EXT4_JOURNAL_DATA_FL) ||
136 	    ext4_has_inline_data(inode)) {
137 		err = -EINVAL;
138 		goto journal_err_out;
139 	}
140 
141 	if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
142 	    !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) {
143 		err = -EPERM;
144 		goto journal_err_out;
145 	}
146 
147 	down_write(&EXT4_I(inode)->i_mmap_sem);
148 	err = filemap_write_and_wait(inode->i_mapping);
149 	if (err)
150 		goto err_out;
151 
152 	err = filemap_write_and_wait(inode_bl->i_mapping);
153 	if (err)
154 		goto err_out;
155 
156 	/* Wait for all existing dio workers */
157 	inode_dio_wait(inode);
158 	inode_dio_wait(inode_bl);
159 
160 	truncate_inode_pages(&inode->i_data, 0);
161 	truncate_inode_pages(&inode_bl->i_data, 0);
162 
163 	handle = ext4_journal_start(inode_bl, EXT4_HT_MOVE_EXTENTS, 2);
164 	if (IS_ERR(handle)) {
165 		err = -EINVAL;
166 		goto err_out;
167 	}
168 
169 	/* Protect extent tree against block allocations via delalloc */
170 	ext4_double_down_write_data_sem(inode, inode_bl);
171 
172 	if (inode_bl->i_nlink == 0) {
173 		/* this inode has never been used as a BOOT_LOADER */
174 		set_nlink(inode_bl, 1);
175 		i_uid_write(inode_bl, 0);
176 		i_gid_write(inode_bl, 0);
177 		inode_bl->i_flags = 0;
178 		ei_bl->i_flags = 0;
179 		inode_set_iversion(inode_bl, 1);
180 		i_size_write(inode_bl, 0);
181 		inode_bl->i_mode = S_IFREG;
182 		if (ext4_has_feature_extents(sb)) {
183 			ext4_set_inode_flag(inode_bl, EXT4_INODE_EXTENTS);
184 			ext4_ext_tree_init(handle, inode_bl);
185 		} else
186 			memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data));
187 	}
188 
189 	err = dquot_initialize(inode);
190 	if (err)
191 		goto err_out1;
192 
193 	size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes;
194 	size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes;
195 	diff = size - size_bl;
196 	swap_inode_data(inode, inode_bl);
197 
198 	inode->i_ctime = inode_bl->i_ctime = current_time(inode);
199 
200 	inode->i_generation = prandom_u32();
201 	inode_bl->i_generation = prandom_u32();
202 	reset_inode_seed(inode);
203 	reset_inode_seed(inode_bl);
204 
205 	ext4_discard_preallocations(inode);
206 
207 	err = ext4_mark_inode_dirty(handle, inode);
208 	if (err < 0) {
209 		/* No need to update quota information. */
210 		ext4_warning(inode->i_sb,
211 			"couldn't mark inode #%lu dirty (err %d)",
212 			inode->i_ino, err);
213 		/* Revert all changes: */
214 		swap_inode_data(inode, inode_bl);
215 		ext4_mark_inode_dirty(handle, inode);
216 		goto err_out1;
217 	}
218 
219 	blocks = inode_bl->i_blocks;
220 	bytes = inode_bl->i_bytes;
221 	inode_bl->i_blocks = inode->i_blocks;
222 	inode_bl->i_bytes = inode->i_bytes;
223 	err = ext4_mark_inode_dirty(handle, inode_bl);
224 	if (err < 0) {
225 		/* No need to update quota information. */
226 		ext4_warning(inode_bl->i_sb,
227 			"couldn't mark inode #%lu dirty (err %d)",
228 			inode_bl->i_ino, err);
229 		goto revert;
230 	}
231 
232 	/* Bootloader inode should not be counted into quota information. */
233 	if (diff > 0)
234 		dquot_free_space(inode, diff);
235 	else
236 		err = dquot_alloc_space(inode, -1 * diff);
237 
238 	if (err < 0) {
239 revert:
240 		/* Revert all changes: */
241 		inode_bl->i_blocks = blocks;
242 		inode_bl->i_bytes = bytes;
243 		swap_inode_data(inode, inode_bl);
244 		ext4_mark_inode_dirty(handle, inode);
245 		ext4_mark_inode_dirty(handle, inode_bl);
246 	}
247 
248 err_out1:
249 	ext4_journal_stop(handle);
250 	ext4_double_up_write_data_sem(inode, inode_bl);
251 
252 err_out:
253 	up_write(&EXT4_I(inode)->i_mmap_sem);
254 journal_err_out:
255 	unlock_two_nondirectories(inode, inode_bl);
256 	iput(inode_bl);
257 	return err;
258 }
259 
260 #ifdef CONFIG_FS_ENCRYPTION
261 static int uuid_is_zero(__u8 u[16])
262 {
263 	int	i;
264 
265 	for (i = 0; i < 16; i++)
266 		if (u[i])
267 			return 0;
268 	return 1;
269 }
270 #endif
271 
272 static int ext4_ioctl_setflags(struct inode *inode,
273 			       unsigned int flags)
274 {
275 	struct ext4_inode_info *ei = EXT4_I(inode);
276 	handle_t *handle = NULL;
277 	int err = -EPERM, migrate = 0;
278 	struct ext4_iloc iloc;
279 	unsigned int oldflags, mask, i;
280 	unsigned int jflag;
281 	struct super_block *sb = inode->i_sb;
282 
283 	/* Is it quota file? Do not allow user to mess with it */
284 	if (ext4_is_quota_file(inode))
285 		goto flags_out;
286 
287 	oldflags = ei->i_flags;
288 
289 	/* The JOURNAL_DATA flag is modifiable only by root */
290 	jflag = flags & EXT4_JOURNAL_DATA_FL;
291 
292 	/*
293 	 * The IMMUTABLE and APPEND_ONLY flags can only be changed by
294 	 * the relevant capability.
295 	 *
296 	 * This test looks nicer. Thanks to Pauline Middelink
297 	 */
298 	if ((flags ^ oldflags) & (EXT4_APPEND_FL | EXT4_IMMUTABLE_FL)) {
299 		if (!capable(CAP_LINUX_IMMUTABLE))
300 			goto flags_out;
301 	}
302 
303 	/*
304 	 * The JOURNAL_DATA flag can only be changed by
305 	 * the relevant capability.
306 	 */
307 	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
308 		if (!capable(CAP_SYS_RESOURCE))
309 			goto flags_out;
310 	}
311 	if ((flags ^ oldflags) & EXT4_EXTENTS_FL)
312 		migrate = 1;
313 
314 	if (flags & EXT4_EOFBLOCKS_FL) {
315 		/* we don't support adding EOFBLOCKS flag */
316 		if (!(oldflags & EXT4_EOFBLOCKS_FL)) {
317 			err = -EOPNOTSUPP;
318 			goto flags_out;
319 		}
320 	} else if (oldflags & EXT4_EOFBLOCKS_FL) {
321 		err = ext4_truncate(inode);
322 		if (err)
323 			goto flags_out;
324 	}
325 
326 	if ((flags ^ oldflags) & EXT4_CASEFOLD_FL) {
327 		if (!ext4_has_feature_casefold(sb)) {
328 			err = -EOPNOTSUPP;
329 			goto flags_out;
330 		}
331 
332 		if (!S_ISDIR(inode->i_mode)) {
333 			err = -ENOTDIR;
334 			goto flags_out;
335 		}
336 
337 		if (!ext4_empty_dir(inode)) {
338 			err = -ENOTEMPTY;
339 			goto flags_out;
340 		}
341 	}
342 
343 	handle = ext4_journal_start(inode, EXT4_HT_INODE, 1);
344 	if (IS_ERR(handle)) {
345 		err = PTR_ERR(handle);
346 		goto flags_out;
347 	}
348 	if (IS_SYNC(inode))
349 		ext4_handle_sync(handle);
350 	err = ext4_reserve_inode_write(handle, inode, &iloc);
351 	if (err)
352 		goto flags_err;
353 
354 	for (i = 0, mask = 1; i < 32; i++, mask <<= 1) {
355 		if (!(mask & EXT4_FL_USER_MODIFIABLE))
356 			continue;
357 		/* These flags get special treatment later */
358 		if (mask == EXT4_JOURNAL_DATA_FL || mask == EXT4_EXTENTS_FL)
359 			continue;
360 		if (mask & flags)
361 			ext4_set_inode_flag(inode, i);
362 		else
363 			ext4_clear_inode_flag(inode, i);
364 	}
365 
366 	ext4_set_inode_flags(inode);
367 	inode->i_ctime = current_time(inode);
368 
369 	err = ext4_mark_iloc_dirty(handle, inode, &iloc);
370 flags_err:
371 	ext4_journal_stop(handle);
372 	if (err)
373 		goto flags_out;
374 
375 	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
376 		/*
377 		 * Changes to the journaling mode can cause unsafe changes to
378 		 * S_DAX if we are using the DAX mount option.
379 		 */
380 		if (test_opt(inode->i_sb, DAX)) {
381 			err = -EBUSY;
382 			goto flags_out;
383 		}
384 
385 		err = ext4_change_inode_journal_flag(inode, jflag);
386 		if (err)
387 			goto flags_out;
388 	}
389 	if (migrate) {
390 		if (flags & EXT4_EXTENTS_FL)
391 			err = ext4_ext_migrate(inode);
392 		else
393 			err = ext4_ind_migrate(inode);
394 	}
395 
396 flags_out:
397 	return err;
398 }
399 
400 #ifdef CONFIG_QUOTA
401 static int ext4_ioctl_setproject(struct file *filp, __u32 projid)
402 {
403 	struct inode *inode = file_inode(filp);
404 	struct super_block *sb = inode->i_sb;
405 	struct ext4_inode_info *ei = EXT4_I(inode);
406 	int err, rc;
407 	handle_t *handle;
408 	kprojid_t kprojid;
409 	struct ext4_iloc iloc;
410 	struct ext4_inode *raw_inode;
411 	struct dquot *transfer_to[MAXQUOTAS] = { };
412 
413 	if (!ext4_has_feature_project(sb)) {
414 		if (projid != EXT4_DEF_PROJID)
415 			return -EOPNOTSUPP;
416 		else
417 			return 0;
418 	}
419 
420 	if (EXT4_INODE_SIZE(sb) <= EXT4_GOOD_OLD_INODE_SIZE)
421 		return -EOPNOTSUPP;
422 
423 	kprojid = make_kprojid(&init_user_ns, (projid_t)projid);
424 
425 	if (projid_eq(kprojid, EXT4_I(inode)->i_projid))
426 		return 0;
427 
428 	err = -EPERM;
429 	/* Is it quota file? Do not allow user to mess with it */
430 	if (ext4_is_quota_file(inode))
431 		return err;
432 
433 	err = ext4_get_inode_loc(inode, &iloc);
434 	if (err)
435 		return err;
436 
437 	raw_inode = ext4_raw_inode(&iloc);
438 	if (!EXT4_FITS_IN_INODE(raw_inode, ei, i_projid)) {
439 		err = ext4_expand_extra_isize(inode,
440 					      EXT4_SB(sb)->s_want_extra_isize,
441 					      &iloc);
442 		if (err)
443 			return err;
444 	} else {
445 		brelse(iloc.bh);
446 	}
447 
448 	err = dquot_initialize(inode);
449 	if (err)
450 		return err;
451 
452 	handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
453 		EXT4_QUOTA_INIT_BLOCKS(sb) +
454 		EXT4_QUOTA_DEL_BLOCKS(sb) + 3);
455 	if (IS_ERR(handle))
456 		return PTR_ERR(handle);
457 
458 	err = ext4_reserve_inode_write(handle, inode, &iloc);
459 	if (err)
460 		goto out_stop;
461 
462 	transfer_to[PRJQUOTA] = dqget(sb, make_kqid_projid(kprojid));
463 	if (!IS_ERR(transfer_to[PRJQUOTA])) {
464 
465 		/* __dquot_transfer() calls back ext4_get_inode_usage() which
466 		 * counts xattr inode references.
467 		 */
468 		down_read(&EXT4_I(inode)->xattr_sem);
469 		err = __dquot_transfer(inode, transfer_to);
470 		up_read(&EXT4_I(inode)->xattr_sem);
471 		dqput(transfer_to[PRJQUOTA]);
472 		if (err)
473 			goto out_dirty;
474 	}
475 
476 	EXT4_I(inode)->i_projid = kprojid;
477 	inode->i_ctime = current_time(inode);
478 out_dirty:
479 	rc = ext4_mark_iloc_dirty(handle, inode, &iloc);
480 	if (!err)
481 		err = rc;
482 out_stop:
483 	ext4_journal_stop(handle);
484 	return err;
485 }
486 #else
487 static int ext4_ioctl_setproject(struct file *filp, __u32 projid)
488 {
489 	if (projid != EXT4_DEF_PROJID)
490 		return -EOPNOTSUPP;
491 	return 0;
492 }
493 #endif
494 
495 /* Transfer internal flags to xflags */
496 static inline __u32 ext4_iflags_to_xflags(unsigned long iflags)
497 {
498 	__u32 xflags = 0;
499 
500 	if (iflags & EXT4_SYNC_FL)
501 		xflags |= FS_XFLAG_SYNC;
502 	if (iflags & EXT4_IMMUTABLE_FL)
503 		xflags |= FS_XFLAG_IMMUTABLE;
504 	if (iflags & EXT4_APPEND_FL)
505 		xflags |= FS_XFLAG_APPEND;
506 	if (iflags & EXT4_NODUMP_FL)
507 		xflags |= FS_XFLAG_NODUMP;
508 	if (iflags & EXT4_NOATIME_FL)
509 		xflags |= FS_XFLAG_NOATIME;
510 	if (iflags & EXT4_PROJINHERIT_FL)
511 		xflags |= FS_XFLAG_PROJINHERIT;
512 	return xflags;
513 }
514 
515 #define EXT4_SUPPORTED_FS_XFLAGS (FS_XFLAG_SYNC | FS_XFLAG_IMMUTABLE | \
516 				  FS_XFLAG_APPEND | FS_XFLAG_NODUMP | \
517 				  FS_XFLAG_NOATIME | FS_XFLAG_PROJINHERIT)
518 
519 /* Transfer xflags flags to internal */
520 static inline unsigned long ext4_xflags_to_iflags(__u32 xflags)
521 {
522 	unsigned long iflags = 0;
523 
524 	if (xflags & FS_XFLAG_SYNC)
525 		iflags |= EXT4_SYNC_FL;
526 	if (xflags & FS_XFLAG_IMMUTABLE)
527 		iflags |= EXT4_IMMUTABLE_FL;
528 	if (xflags & FS_XFLAG_APPEND)
529 		iflags |= EXT4_APPEND_FL;
530 	if (xflags & FS_XFLAG_NODUMP)
531 		iflags |= EXT4_NODUMP_FL;
532 	if (xflags & FS_XFLAG_NOATIME)
533 		iflags |= EXT4_NOATIME_FL;
534 	if (xflags & FS_XFLAG_PROJINHERIT)
535 		iflags |= EXT4_PROJINHERIT_FL;
536 
537 	return iflags;
538 }
539 
540 static int ext4_shutdown(struct super_block *sb, unsigned long arg)
541 {
542 	struct ext4_sb_info *sbi = EXT4_SB(sb);
543 	__u32 flags;
544 
545 	if (!capable(CAP_SYS_ADMIN))
546 		return -EPERM;
547 
548 	if (get_user(flags, (__u32 __user *)arg))
549 		return -EFAULT;
550 
551 	if (flags > EXT4_GOING_FLAGS_NOLOGFLUSH)
552 		return -EINVAL;
553 
554 	if (ext4_forced_shutdown(sbi))
555 		return 0;
556 
557 	ext4_msg(sb, KERN_ALERT, "shut down requested (%d)", flags);
558 	trace_ext4_shutdown(sb, flags);
559 
560 	switch (flags) {
561 	case EXT4_GOING_FLAGS_DEFAULT:
562 		freeze_bdev(sb->s_bdev);
563 		set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
564 		thaw_bdev(sb->s_bdev, sb);
565 		break;
566 	case EXT4_GOING_FLAGS_LOGFLUSH:
567 		set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
568 		if (sbi->s_journal && !is_journal_aborted(sbi->s_journal)) {
569 			(void) ext4_force_commit(sb);
570 			jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN);
571 		}
572 		break;
573 	case EXT4_GOING_FLAGS_NOLOGFLUSH:
574 		set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
575 		if (sbi->s_journal && !is_journal_aborted(sbi->s_journal))
576 			jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN);
577 		break;
578 	default:
579 		return -EINVAL;
580 	}
581 	clear_opt(sb, DISCARD);
582 	return 0;
583 }
584 
585 struct getfsmap_info {
586 	struct super_block	*gi_sb;
587 	struct fsmap_head __user *gi_data;
588 	unsigned int		gi_idx;
589 	__u32			gi_last_flags;
590 };
591 
592 static int ext4_getfsmap_format(struct ext4_fsmap *xfm, void *priv)
593 {
594 	struct getfsmap_info *info = priv;
595 	struct fsmap fm;
596 
597 	trace_ext4_getfsmap_mapping(info->gi_sb, xfm);
598 
599 	info->gi_last_flags = xfm->fmr_flags;
600 	ext4_fsmap_from_internal(info->gi_sb, &fm, xfm);
601 	if (copy_to_user(&info->gi_data->fmh_recs[info->gi_idx++], &fm,
602 			sizeof(struct fsmap)))
603 		return -EFAULT;
604 
605 	return 0;
606 }
607 
608 static int ext4_ioc_getfsmap(struct super_block *sb,
609 			     struct fsmap_head __user *arg)
610 {
611 	struct getfsmap_info info = { NULL };
612 	struct ext4_fsmap_head xhead = {0};
613 	struct fsmap_head head;
614 	bool aborted = false;
615 	int error;
616 
617 	if (copy_from_user(&head, arg, sizeof(struct fsmap_head)))
618 		return -EFAULT;
619 	if (memchr_inv(head.fmh_reserved, 0, sizeof(head.fmh_reserved)) ||
620 	    memchr_inv(head.fmh_keys[0].fmr_reserved, 0,
621 		       sizeof(head.fmh_keys[0].fmr_reserved)) ||
622 	    memchr_inv(head.fmh_keys[1].fmr_reserved, 0,
623 		       sizeof(head.fmh_keys[1].fmr_reserved)))
624 		return -EINVAL;
625 	/*
626 	 * ext4 doesn't report file extents at all, so the only valid
627 	 * file offsets are the magic ones (all zeroes or all ones).
628 	 */
629 	if (head.fmh_keys[0].fmr_offset ||
630 	    (head.fmh_keys[1].fmr_offset != 0 &&
631 	     head.fmh_keys[1].fmr_offset != -1ULL))
632 		return -EINVAL;
633 
634 	xhead.fmh_iflags = head.fmh_iflags;
635 	xhead.fmh_count = head.fmh_count;
636 	ext4_fsmap_to_internal(sb, &xhead.fmh_keys[0], &head.fmh_keys[0]);
637 	ext4_fsmap_to_internal(sb, &xhead.fmh_keys[1], &head.fmh_keys[1]);
638 
639 	trace_ext4_getfsmap_low_key(sb, &xhead.fmh_keys[0]);
640 	trace_ext4_getfsmap_high_key(sb, &xhead.fmh_keys[1]);
641 
642 	info.gi_sb = sb;
643 	info.gi_data = arg;
644 	error = ext4_getfsmap(sb, &xhead, ext4_getfsmap_format, &info);
645 	if (error == EXT4_QUERY_RANGE_ABORT) {
646 		error = 0;
647 		aborted = true;
648 	} else if (error)
649 		return error;
650 
651 	/* If we didn't abort, set the "last" flag in the last fmx */
652 	if (!aborted && info.gi_idx) {
653 		info.gi_last_flags |= FMR_OF_LAST;
654 		if (copy_to_user(&info.gi_data->fmh_recs[info.gi_idx - 1].fmr_flags,
655 				 &info.gi_last_flags,
656 				 sizeof(info.gi_last_flags)))
657 			return -EFAULT;
658 	}
659 
660 	/* copy back header */
661 	head.fmh_entries = xhead.fmh_entries;
662 	head.fmh_oflags = xhead.fmh_oflags;
663 	if (copy_to_user(arg, &head, sizeof(struct fsmap_head)))
664 		return -EFAULT;
665 
666 	return 0;
667 }
668 
669 static long ext4_ioctl_group_add(struct file *file,
670 				 struct ext4_new_group_data *input)
671 {
672 	struct super_block *sb = file_inode(file)->i_sb;
673 	int err, err2=0;
674 
675 	err = ext4_resize_begin(sb);
676 	if (err)
677 		return err;
678 
679 	if (ext4_has_feature_bigalloc(sb)) {
680 		ext4_msg(sb, KERN_ERR,
681 			 "Online resizing not supported with bigalloc");
682 		err = -EOPNOTSUPP;
683 		goto group_add_out;
684 	}
685 
686 	err = mnt_want_write_file(file);
687 	if (err)
688 		goto group_add_out;
689 
690 	err = ext4_group_add(sb, input);
691 	if (EXT4_SB(sb)->s_journal) {
692 		jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
693 		err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal);
694 		jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
695 	}
696 	if (err == 0)
697 		err = err2;
698 	mnt_drop_write_file(file);
699 	if (!err && ext4_has_group_desc_csum(sb) &&
700 	    test_opt(sb, INIT_INODE_TABLE))
701 		err = ext4_register_li_request(sb, input->group);
702 group_add_out:
703 	ext4_resize_end(sb);
704 	return err;
705 }
706 
707 static int ext4_ioctl_check_project(struct inode *inode, struct fsxattr *fa)
708 {
709 	/*
710 	 * Project Quota ID state is only allowed to change from within the init
711 	 * namespace. Enforce that restriction only if we are trying to change
712 	 * the quota ID state. Everything else is allowed in user namespaces.
713 	 */
714 	if (current_user_ns() == &init_user_ns)
715 		return 0;
716 
717 	if (__kprojid_val(EXT4_I(inode)->i_projid) != fa->fsx_projid)
718 		return -EINVAL;
719 
720 	if (ext4_test_inode_flag(inode, EXT4_INODE_PROJINHERIT)) {
721 		if (!(fa->fsx_xflags & FS_XFLAG_PROJINHERIT))
722 			return -EINVAL;
723 	} else {
724 		if (fa->fsx_xflags & FS_XFLAG_PROJINHERIT)
725 			return -EINVAL;
726 	}
727 
728 	return 0;
729 }
730 
731 long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
732 {
733 	struct inode *inode = file_inode(filp);
734 	struct super_block *sb = inode->i_sb;
735 	struct ext4_inode_info *ei = EXT4_I(inode);
736 	unsigned int flags;
737 
738 	ext4_debug("cmd = %u, arg = %lu\n", cmd, arg);
739 
740 	switch (cmd) {
741 	case FS_IOC_GETFSMAP:
742 		return ext4_ioc_getfsmap(sb, (void __user *)arg);
743 	case EXT4_IOC_GETFLAGS:
744 		flags = ei->i_flags & EXT4_FL_USER_VISIBLE;
745 		return put_user(flags, (int __user *) arg);
746 	case EXT4_IOC_SETFLAGS: {
747 		int err;
748 
749 		if (!inode_owner_or_capable(inode))
750 			return -EACCES;
751 
752 		if (get_user(flags, (int __user *) arg))
753 			return -EFAULT;
754 
755 		if (flags & ~EXT4_FL_USER_VISIBLE)
756 			return -EOPNOTSUPP;
757 		/*
758 		 * chattr(1) grabs flags via GETFLAGS, modifies the result and
759 		 * passes that to SETFLAGS. So we cannot easily make SETFLAGS
760 		 * more restrictive than just silently masking off visible but
761 		 * not settable flags as we always did.
762 		 */
763 		flags &= EXT4_FL_USER_MODIFIABLE;
764 		if (ext4_mask_flags(inode->i_mode, flags) != flags)
765 			return -EOPNOTSUPP;
766 
767 		err = mnt_want_write_file(filp);
768 		if (err)
769 			return err;
770 
771 		inode_lock(inode);
772 		err = ext4_ioctl_setflags(inode, flags);
773 		inode_unlock(inode);
774 		mnt_drop_write_file(filp);
775 		return err;
776 	}
777 	case EXT4_IOC_GETVERSION:
778 	case EXT4_IOC_GETVERSION_OLD:
779 		return put_user(inode->i_generation, (int __user *) arg);
780 	case EXT4_IOC_SETVERSION:
781 	case EXT4_IOC_SETVERSION_OLD: {
782 		handle_t *handle;
783 		struct ext4_iloc iloc;
784 		__u32 generation;
785 		int err;
786 
787 		if (!inode_owner_or_capable(inode))
788 			return -EPERM;
789 
790 		if (ext4_has_metadata_csum(inode->i_sb)) {
791 			ext4_warning(sb, "Setting inode version is not "
792 				     "supported with metadata_csum enabled.");
793 			return -ENOTTY;
794 		}
795 
796 		err = mnt_want_write_file(filp);
797 		if (err)
798 			return err;
799 		if (get_user(generation, (int __user *) arg)) {
800 			err = -EFAULT;
801 			goto setversion_out;
802 		}
803 
804 		inode_lock(inode);
805 		handle = ext4_journal_start(inode, EXT4_HT_INODE, 1);
806 		if (IS_ERR(handle)) {
807 			err = PTR_ERR(handle);
808 			goto unlock_out;
809 		}
810 		err = ext4_reserve_inode_write(handle, inode, &iloc);
811 		if (err == 0) {
812 			inode->i_ctime = current_time(inode);
813 			inode->i_generation = generation;
814 			err = ext4_mark_iloc_dirty(handle, inode, &iloc);
815 		}
816 		ext4_journal_stop(handle);
817 
818 unlock_out:
819 		inode_unlock(inode);
820 setversion_out:
821 		mnt_drop_write_file(filp);
822 		return err;
823 	}
824 	case EXT4_IOC_GROUP_EXTEND: {
825 		ext4_fsblk_t n_blocks_count;
826 		int err, err2=0;
827 
828 		err = ext4_resize_begin(sb);
829 		if (err)
830 			return err;
831 
832 		if (get_user(n_blocks_count, (__u32 __user *)arg)) {
833 			err = -EFAULT;
834 			goto group_extend_out;
835 		}
836 
837 		if (ext4_has_feature_bigalloc(sb)) {
838 			ext4_msg(sb, KERN_ERR,
839 				 "Online resizing not supported with bigalloc");
840 			err = -EOPNOTSUPP;
841 			goto group_extend_out;
842 		}
843 
844 		err = mnt_want_write_file(filp);
845 		if (err)
846 			goto group_extend_out;
847 
848 		err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
849 		if (EXT4_SB(sb)->s_journal) {
850 			jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
851 			err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal);
852 			jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
853 		}
854 		if (err == 0)
855 			err = err2;
856 		mnt_drop_write_file(filp);
857 group_extend_out:
858 		ext4_resize_end(sb);
859 		return err;
860 	}
861 
862 	case EXT4_IOC_MOVE_EXT: {
863 		struct move_extent me;
864 		struct fd donor;
865 		int err;
866 
867 		if (!(filp->f_mode & FMODE_READ) ||
868 		    !(filp->f_mode & FMODE_WRITE))
869 			return -EBADF;
870 
871 		if (copy_from_user(&me,
872 			(struct move_extent __user *)arg, sizeof(me)))
873 			return -EFAULT;
874 		me.moved_len = 0;
875 
876 		donor = fdget(me.donor_fd);
877 		if (!donor.file)
878 			return -EBADF;
879 
880 		if (!(donor.file->f_mode & FMODE_WRITE)) {
881 			err = -EBADF;
882 			goto mext_out;
883 		}
884 
885 		if (ext4_has_feature_bigalloc(sb)) {
886 			ext4_msg(sb, KERN_ERR,
887 				 "Online defrag not supported with bigalloc");
888 			err = -EOPNOTSUPP;
889 			goto mext_out;
890 		} else if (IS_DAX(inode)) {
891 			ext4_msg(sb, KERN_ERR,
892 				 "Online defrag not supported with DAX");
893 			err = -EOPNOTSUPP;
894 			goto mext_out;
895 		}
896 
897 		err = mnt_want_write_file(filp);
898 		if (err)
899 			goto mext_out;
900 
901 		err = ext4_move_extents(filp, donor.file, me.orig_start,
902 					me.donor_start, me.len, &me.moved_len);
903 		mnt_drop_write_file(filp);
904 
905 		if (copy_to_user((struct move_extent __user *)arg,
906 				 &me, sizeof(me)))
907 			err = -EFAULT;
908 mext_out:
909 		fdput(donor);
910 		return err;
911 	}
912 
913 	case EXT4_IOC_GROUP_ADD: {
914 		struct ext4_new_group_data input;
915 
916 		if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
917 				sizeof(input)))
918 			return -EFAULT;
919 
920 		return ext4_ioctl_group_add(filp, &input);
921 	}
922 
923 	case EXT4_IOC_MIGRATE:
924 	{
925 		int err;
926 		if (!inode_owner_or_capable(inode))
927 			return -EACCES;
928 
929 		err = mnt_want_write_file(filp);
930 		if (err)
931 			return err;
932 		/*
933 		 * inode_mutex prevent write and truncate on the file.
934 		 * Read still goes through. We take i_data_sem in
935 		 * ext4_ext_swap_inode_data before we switch the
936 		 * inode format to prevent read.
937 		 */
938 		inode_lock((inode));
939 		err = ext4_ext_migrate(inode);
940 		inode_unlock((inode));
941 		mnt_drop_write_file(filp);
942 		return err;
943 	}
944 
945 	case EXT4_IOC_ALLOC_DA_BLKS:
946 	{
947 		int err;
948 		if (!inode_owner_or_capable(inode))
949 			return -EACCES;
950 
951 		err = mnt_want_write_file(filp);
952 		if (err)
953 			return err;
954 		err = ext4_alloc_da_blocks(inode);
955 		mnt_drop_write_file(filp);
956 		return err;
957 	}
958 
959 	case EXT4_IOC_SWAP_BOOT:
960 	{
961 		int err;
962 		if (!(filp->f_mode & FMODE_WRITE))
963 			return -EBADF;
964 		err = mnt_want_write_file(filp);
965 		if (err)
966 			return err;
967 		err = swap_inode_boot_loader(sb, inode);
968 		mnt_drop_write_file(filp);
969 		return err;
970 	}
971 
972 	case EXT4_IOC_RESIZE_FS: {
973 		ext4_fsblk_t n_blocks_count;
974 		int err = 0, err2 = 0;
975 		ext4_group_t o_group = EXT4_SB(sb)->s_groups_count;
976 
977 		if (copy_from_user(&n_blocks_count, (__u64 __user *)arg,
978 				   sizeof(__u64))) {
979 			return -EFAULT;
980 		}
981 
982 		err = ext4_resize_begin(sb);
983 		if (err)
984 			return err;
985 
986 		err = mnt_want_write_file(filp);
987 		if (err)
988 			goto resizefs_out;
989 
990 		err = ext4_resize_fs(sb, n_blocks_count);
991 		if (EXT4_SB(sb)->s_journal) {
992 			jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
993 			err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal);
994 			jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
995 		}
996 		if (err == 0)
997 			err = err2;
998 		mnt_drop_write_file(filp);
999 		if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
1000 		    ext4_has_group_desc_csum(sb) &&
1001 		    test_opt(sb, INIT_INODE_TABLE))
1002 			err = ext4_register_li_request(sb, o_group);
1003 
1004 resizefs_out:
1005 		ext4_resize_end(sb);
1006 		return err;
1007 	}
1008 
1009 	case FITRIM:
1010 	{
1011 		struct request_queue *q = bdev_get_queue(sb->s_bdev);
1012 		struct fstrim_range range;
1013 		int ret = 0;
1014 
1015 		if (!capable(CAP_SYS_ADMIN))
1016 			return -EPERM;
1017 
1018 		if (!blk_queue_discard(q))
1019 			return -EOPNOTSUPP;
1020 
1021 		/*
1022 		 * We haven't replayed the journal, so we cannot use our
1023 		 * block-bitmap-guided storage zapping commands.
1024 		 */
1025 		if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
1026 			return -EROFS;
1027 
1028 		if (copy_from_user(&range, (struct fstrim_range __user *)arg,
1029 		    sizeof(range)))
1030 			return -EFAULT;
1031 
1032 		range.minlen = max((unsigned int)range.minlen,
1033 				   q->limits.discard_granularity);
1034 		ret = ext4_trim_fs(sb, &range);
1035 		if (ret < 0)
1036 			return ret;
1037 
1038 		if (copy_to_user((struct fstrim_range __user *)arg, &range,
1039 		    sizeof(range)))
1040 			return -EFAULT;
1041 
1042 		return 0;
1043 	}
1044 	case EXT4_IOC_PRECACHE_EXTENTS:
1045 		return ext4_ext_precache(inode);
1046 
1047 	case EXT4_IOC_SET_ENCRYPTION_POLICY:
1048 		if (!ext4_has_feature_encrypt(sb))
1049 			return -EOPNOTSUPP;
1050 		return fscrypt_ioctl_set_policy(filp, (const void __user *)arg);
1051 
1052 	case EXT4_IOC_GET_ENCRYPTION_PWSALT: {
1053 #ifdef CONFIG_FS_ENCRYPTION
1054 		int err, err2;
1055 		struct ext4_sb_info *sbi = EXT4_SB(sb);
1056 		handle_t *handle;
1057 
1058 		if (!ext4_has_feature_encrypt(sb))
1059 			return -EOPNOTSUPP;
1060 		if (uuid_is_zero(sbi->s_es->s_encrypt_pw_salt)) {
1061 			err = mnt_want_write_file(filp);
1062 			if (err)
1063 				return err;
1064 			handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
1065 			if (IS_ERR(handle)) {
1066 				err = PTR_ERR(handle);
1067 				goto pwsalt_err_exit;
1068 			}
1069 			err = ext4_journal_get_write_access(handle, sbi->s_sbh);
1070 			if (err)
1071 				goto pwsalt_err_journal;
1072 			generate_random_uuid(sbi->s_es->s_encrypt_pw_salt);
1073 			err = ext4_handle_dirty_metadata(handle, NULL,
1074 							 sbi->s_sbh);
1075 		pwsalt_err_journal:
1076 			err2 = ext4_journal_stop(handle);
1077 			if (err2 && !err)
1078 				err = err2;
1079 		pwsalt_err_exit:
1080 			mnt_drop_write_file(filp);
1081 			if (err)
1082 				return err;
1083 		}
1084 		if (copy_to_user((void __user *) arg,
1085 				 sbi->s_es->s_encrypt_pw_salt, 16))
1086 			return -EFAULT;
1087 		return 0;
1088 #else
1089 		return -EOPNOTSUPP;
1090 #endif
1091 	}
1092 	case EXT4_IOC_GET_ENCRYPTION_POLICY:
1093 		return fscrypt_ioctl_get_policy(filp, (void __user *)arg);
1094 
1095 	case EXT4_IOC_FSGETXATTR:
1096 	{
1097 		struct fsxattr fa;
1098 
1099 		memset(&fa, 0, sizeof(struct fsxattr));
1100 		fa.fsx_xflags = ext4_iflags_to_xflags(ei->i_flags & EXT4_FL_USER_VISIBLE);
1101 
1102 		if (ext4_has_feature_project(inode->i_sb)) {
1103 			fa.fsx_projid = (__u32)from_kprojid(&init_user_ns,
1104 				EXT4_I(inode)->i_projid);
1105 		}
1106 
1107 		if (copy_to_user((struct fsxattr __user *)arg,
1108 				 &fa, sizeof(fa)))
1109 			return -EFAULT;
1110 		return 0;
1111 	}
1112 	case EXT4_IOC_FSSETXATTR:
1113 	{
1114 		struct fsxattr fa;
1115 		int err;
1116 
1117 		if (copy_from_user(&fa, (struct fsxattr __user *)arg,
1118 				   sizeof(fa)))
1119 			return -EFAULT;
1120 
1121 		/* Make sure caller has proper permission */
1122 		if (!inode_owner_or_capable(inode))
1123 			return -EACCES;
1124 
1125 		if (fa.fsx_xflags & ~EXT4_SUPPORTED_FS_XFLAGS)
1126 			return -EOPNOTSUPP;
1127 
1128 		flags = ext4_xflags_to_iflags(fa.fsx_xflags);
1129 		if (ext4_mask_flags(inode->i_mode, flags) != flags)
1130 			return -EOPNOTSUPP;
1131 
1132 		err = mnt_want_write_file(filp);
1133 		if (err)
1134 			return err;
1135 
1136 		inode_lock(inode);
1137 		err = ext4_ioctl_check_project(inode, &fa);
1138 		if (err)
1139 			goto out;
1140 		flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) |
1141 			 (flags & EXT4_FL_XFLAG_VISIBLE);
1142 		err = ext4_ioctl_setflags(inode, flags);
1143 		if (err)
1144 			goto out;
1145 		err = ext4_ioctl_setproject(filp, fa.fsx_projid);
1146 out:
1147 		inode_unlock(inode);
1148 		mnt_drop_write_file(filp);
1149 		return err;
1150 	}
1151 	case EXT4_IOC_SHUTDOWN:
1152 		return ext4_shutdown(sb, arg);
1153 	default:
1154 		return -ENOTTY;
1155 	}
1156 }
1157 
1158 #ifdef CONFIG_COMPAT
1159 long ext4_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1160 {
1161 	/* These are just misnamed, they actually get/put from/to user an int */
1162 	switch (cmd) {
1163 	case EXT4_IOC32_GETFLAGS:
1164 		cmd = EXT4_IOC_GETFLAGS;
1165 		break;
1166 	case EXT4_IOC32_SETFLAGS:
1167 		cmd = EXT4_IOC_SETFLAGS;
1168 		break;
1169 	case EXT4_IOC32_GETVERSION:
1170 		cmd = EXT4_IOC_GETVERSION;
1171 		break;
1172 	case EXT4_IOC32_SETVERSION:
1173 		cmd = EXT4_IOC_SETVERSION;
1174 		break;
1175 	case EXT4_IOC32_GROUP_EXTEND:
1176 		cmd = EXT4_IOC_GROUP_EXTEND;
1177 		break;
1178 	case EXT4_IOC32_GETVERSION_OLD:
1179 		cmd = EXT4_IOC_GETVERSION_OLD;
1180 		break;
1181 	case EXT4_IOC32_SETVERSION_OLD:
1182 		cmd = EXT4_IOC_SETVERSION_OLD;
1183 		break;
1184 	case EXT4_IOC32_GETRSVSZ:
1185 		cmd = EXT4_IOC_GETRSVSZ;
1186 		break;
1187 	case EXT4_IOC32_SETRSVSZ:
1188 		cmd = EXT4_IOC_SETRSVSZ;
1189 		break;
1190 	case EXT4_IOC32_GROUP_ADD: {
1191 		struct compat_ext4_new_group_input __user *uinput;
1192 		struct ext4_new_group_data input;
1193 		int err;
1194 
1195 		uinput = compat_ptr(arg);
1196 		err = get_user(input.group, &uinput->group);
1197 		err |= get_user(input.block_bitmap, &uinput->block_bitmap);
1198 		err |= get_user(input.inode_bitmap, &uinput->inode_bitmap);
1199 		err |= get_user(input.inode_table, &uinput->inode_table);
1200 		err |= get_user(input.blocks_count, &uinput->blocks_count);
1201 		err |= get_user(input.reserved_blocks,
1202 				&uinput->reserved_blocks);
1203 		if (err)
1204 			return -EFAULT;
1205 		return ext4_ioctl_group_add(file, &input);
1206 	}
1207 	case EXT4_IOC_MOVE_EXT:
1208 	case EXT4_IOC_RESIZE_FS:
1209 	case EXT4_IOC_PRECACHE_EXTENTS:
1210 	case EXT4_IOC_SET_ENCRYPTION_POLICY:
1211 	case EXT4_IOC_GET_ENCRYPTION_PWSALT:
1212 	case EXT4_IOC_GET_ENCRYPTION_POLICY:
1213 	case EXT4_IOC_SHUTDOWN:
1214 	case FS_IOC_GETFSMAP:
1215 		break;
1216 	default:
1217 		return -ENOIOCTLCMD;
1218 	}
1219 	return ext4_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
1220 }
1221 #endif
1222