search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drm/modes: Fix drm_mode_vrefres() docs
[drm/drm-misc.git] / fs / fuse / ioctl.c
blob2d9abf48828f9439f31cc16fcc8ab407a7df9d46
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2017 Red Hat, Inc.
4 */
5
6 #include "fuse_i.h"
7
8 #include <linux/uio.h>
9 #include <linux/compat.h>
10 #include <linux/fileattr.h>
11 #include <linux/fsverity.h>
12
13 #define FUSE_VERITY_ENABLE_ARG_MAX_PAGES 256
14
15 static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args,
16 struct fuse_ioctl_out *outarg)
17 {
18 ssize_t ret;
19
20 args->out_args[0].size = sizeof(*outarg);
21 args->out_args[0].value = outarg;
22
23 ret = fuse_simple_request(fm, args);
24
25 /* Translate ENOSYS, which shouldn't be returned from fs */
26 if (ret == -ENOSYS)
27 ret = -ENOTTY;
28
29 if (ret >= 0 && outarg->result == -ENOSYS)
30 outarg->result = -ENOTTY;
31
32 return ret;
33 }
34
35 /*
36 * CUSE servers compiled on 32bit broke on 64bit kernels because the
37 * ABI was defined to be 'struct iovec' which is different on 32bit
38 * and 64bit. Fortunately we can determine which structure the server
39 * used from the size of the reply.
40 */
41 static int fuse_copy_ioctl_iovec_old(struct iovec *dst, void *src,
42 size_t transferred, unsigned count,
43 bool is_compat)
44 {
45 #ifdef CONFIG_COMPAT
46 if (count * sizeof(struct compat_iovec) == transferred) {
47 struct compat_iovec *ciov = src;
48 unsigned i;
49
50 /*
51 * With this interface a 32bit server cannot support
52 * non-compat (i.e. ones coming from 64bit apps) ioctl
53 * requests
54 */
55 if (!is_compat)
56 return -EINVAL;
57
58 for (i = 0; i < count; i++) {
59 dst[i].iov_base = compat_ptr(ciov[i].iov_base);
60 dst[i].iov_len = ciov[i].iov_len;
61 }
62 return 0;
63 }
64 #endif
65
66 if (count * sizeof(struct iovec) != transferred)
67 return -EIO;
68
69 memcpy(dst, src, transferred);
70 return 0;
71 }
72
73 /* Make sure iov_length() won't overflow */
74 static int fuse_verify_ioctl_iov(struct fuse_conn *fc, struct iovec *iov,
75 size_t count)
76 {
77 size_t n;
78 u32 max = fc->max_pages << PAGE_SHIFT;
79
80 for (n = 0; n < count; n++, iov++) {
81 if (iov->iov_len > (size_t) max)
82 return -ENOMEM;
83 max -= iov->iov_len;
84 }
85 return 0;
86 }
87
88 static int fuse_copy_ioctl_iovec(struct fuse_conn *fc, struct iovec *dst,
89 void *src, size_t transferred, unsigned count,
90 bool is_compat)
91 {
92 unsigned i;
93 struct fuse_ioctl_iovec *fiov = src;
94
95 if (fc->minor < 16) {
96 return fuse_copy_ioctl_iovec_old(dst, src, transferred,
97 count, is_compat);
98 }
99
100 if (count * sizeof(struct fuse_ioctl_iovec) != transferred)
101 return -EIO;
102
103 for (i = 0; i < count; i++) {
104 /* Did the server supply an inappropriate value? */
105 if (fiov[i].base != (unsigned long) fiov[i].base ||
106 fiov[i].len != (unsigned long) fiov[i].len)
107 return -EIO;
108
109 dst[i].iov_base = (void __user *) (unsigned long) fiov[i].base;
110 dst[i].iov_len = (size_t) fiov[i].len;
111
112 #ifdef CONFIG_COMPAT
113 if (is_compat &&
114 (ptr_to_compat(dst[i].iov_base) != fiov[i].base ||
115 (compat_size_t) dst[i].iov_len != fiov[i].len))
116 return -EIO;
117 #endif
118 }
119
120 return 0;
121 }
122
123 /* For fs-verity, determine iov lengths from input */
124 static int fuse_setup_measure_verity(unsigned long arg, struct iovec *iov)
125 {
126 __u16 digest_size;
127 struct fsverity_digest __user *uarg = (void __user *)arg;
128
129 if (copy_from_user(&digest_size, &uarg->digest_size, sizeof(digest_size)))
130 return -EFAULT;
131
132 if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
133 return -EINVAL;
134
135 iov->iov_len = sizeof(struct fsverity_digest) + digest_size;
136
137 return 0;
138 }
139
140 static int fuse_setup_enable_verity(unsigned long arg, struct iovec *iov,
141 unsigned int *in_iovs)
142 {
143 struct fsverity_enable_arg enable;
144 struct fsverity_enable_arg __user *uarg = (void __user *)arg;
145 const __u32 max_buffer_len = FUSE_VERITY_ENABLE_ARG_MAX_PAGES * PAGE_SIZE;
146
147 if (copy_from_user(&enable, uarg, sizeof(enable)))
148 return -EFAULT;
149
150 if (enable.salt_size > max_buffer_len || enable.sig_size > max_buffer_len)
151 return -ENOMEM;
152
153 if (enable.salt_size > 0) {
154 iov++;
155 (*in_iovs)++;
156
157 iov->iov_base = u64_to_user_ptr(enable.salt_ptr);
158 iov->iov_len = enable.salt_size;
159 }
160
161 if (enable.sig_size > 0) {
162 iov++;
163 (*in_iovs)++;
164
165 iov->iov_base = u64_to_user_ptr(enable.sig_ptr);
166 iov->iov_len = enable.sig_size;
167 }
168 return 0;
169 }
170
171 /*
172 * For ioctls, there is no generic way to determine how much memory
173 * needs to be read and/or written. Furthermore, ioctls are allowed
174 * to dereference the passed pointer, so the parameter requires deep
175 * copying but FUSE has no idea whatsoever about what to copy in or
176 * out.
177 *
178 * This is solved by allowing FUSE server to retry ioctl with
179 * necessary in/out iovecs. Let's assume the ioctl implementation
180 * needs to read in the following structure.
181 *
182 * struct a {
183 * char *buf;
184 * size_t buflen;
185 * }
186 *
187 * On the first callout to FUSE server, inarg->in_size and
188 * inarg->out_size will be NULL; then, the server completes the ioctl
189 * with FUSE_IOCTL_RETRY set in out->flags, out->in_iovs set to 1 and
190 * the actual iov array to
191 *
192 * { { .iov_base = inarg.arg, .iov_len = sizeof(struct a) } }
193 *
194 * which tells FUSE to copy in the requested area and retry the ioctl.
195 * On the second round, the server has access to the structure and
196 * from that it can tell what to look for next, so on the invocation,
197 * it sets FUSE_IOCTL_RETRY, out->in_iovs to 2 and iov array to
198 *
199 * { { .iov_base = inarg.arg, .iov_len = sizeof(struct a) },
200 * { .iov_base = a.buf, .iov_len = a.buflen } }
201 *
202 * FUSE will copy both struct a and the pointed buffer from the
203 * process doing the ioctl and retry ioctl with both struct a and the
204 * buffer.
205 *
206 * This time, FUSE server has everything it needs and completes ioctl
207 * without FUSE_IOCTL_RETRY which finishes the ioctl call.
208 *
209 * Copying data out works the same way.
210 *
211 * Note that if FUSE_IOCTL_UNRESTRICTED is clear, the kernel
212 * automatically initializes in and out iovs by decoding @cmd with
213 * _IOC_* macros and the server is not allowed to request RETRY. This
214 * limits ioctl data transfers to well-formed ioctls and is the forced
215 * behavior for all FUSE servers.
216 */
217 long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
218 unsigned int flags)
219 {
220 struct fuse_file *ff = file->private_data;
221 struct fuse_mount *fm = ff->fm;
222 struct fuse_ioctl_in inarg = {
223 .fh = ff->fh,
224 .cmd = cmd,
225 .arg = arg,
226 .flags = flags
227 };
228 struct fuse_ioctl_out outarg;
229 struct iovec *iov_page = NULL;
230 struct iovec *in_iov = NULL, *out_iov = NULL;
231 unsigned int in_iovs = 0, out_iovs = 0, max_pages;
232 size_t in_size, out_size, c;
233 ssize_t transferred;
234 int err, i;
235 struct iov_iter ii;
236 struct fuse_args_pages ap = {};
237
238 #if BITS_PER_LONG == 32
239 inarg.flags |= FUSE_IOCTL_32BIT;
240 #else
241 if (flags & FUSE_IOCTL_COMPAT) {
242 inarg.flags |= FUSE_IOCTL_32BIT;
243 #ifdef CONFIG_X86_X32_ABI
244 if (in_x32_syscall())
245 inarg.flags |= FUSE_IOCTL_COMPAT_X32;
246 #endif
247 }
248 #endif
249
250 /* assume all the iovs returned by client always fits in a page */
251 BUILD_BUG_ON(sizeof(struct fuse_ioctl_iovec) * FUSE_IOCTL_MAX_IOV > PAGE_SIZE);
252
253 err = -ENOMEM;
254 ap.folios = fuse_folios_alloc(fm->fc->max_pages, GFP_KERNEL, &ap.descs);
255 iov_page = (struct iovec *) __get_free_page(GFP_KERNEL);
256 if (!ap.folios || !iov_page)
257 goto out;
258
259 fuse_folio_descs_length_init(ap.descs, 0, fm->fc->max_pages);
260
261 /*
262 * If restricted, initialize IO parameters as encoded in @cmd.
263 * RETRY from server is not allowed.
264 */
265 if (!(flags & FUSE_IOCTL_UNRESTRICTED)) {
266 struct iovec *iov = iov_page;
267
268 iov->iov_base = (void __user *)arg;
269 iov->iov_len = _IOC_SIZE(cmd);
270
271 if (_IOC_DIR(cmd) & _IOC_WRITE) {
272 in_iov = iov;
273 in_iovs = 1;
274 }
275
276 if (_IOC_DIR(cmd) & _IOC_READ) {
277 out_iov = iov;
278 out_iovs = 1;
279 }
280
281 err = 0;
282 switch (cmd) {
283 case FS_IOC_MEASURE_VERITY:
284 err = fuse_setup_measure_verity(arg, iov);
285 break;
286 case FS_IOC_ENABLE_VERITY:
287 err = fuse_setup_enable_verity(arg, iov, &in_iovs);
288 break;
289 }
290 if (err)
291 goto out;
292 }
293
294 retry:
295 inarg.in_size = in_size = iov_length(in_iov, in_iovs);
296 inarg.out_size = out_size = iov_length(out_iov, out_iovs);
297
298 /*
299 * Out data can be used either for actual out data or iovs,
300 * make sure there always is at least one page.
301 */
302 out_size = max_t(size_t, out_size, PAGE_SIZE);
303 max_pages = DIV_ROUND_UP(max(in_size, out_size), PAGE_SIZE);
304
305 /* make sure there are enough buffer pages and init request with them */
306 err = -ENOMEM;
307 if (max_pages > fm->fc->max_pages)
308 goto out;
309 while (ap.num_folios < max_pages) {
310 ap.folios[ap.num_folios] = folio_alloc(GFP_KERNEL | __GFP_HIGHMEM, 0);
311 if (!ap.folios[ap.num_folios])
312 goto out;
313 ap.num_folios++;
314 }
315
316 /* okay, let's send it to the client */
317 ap.args.opcode = FUSE_IOCTL;
318 ap.args.nodeid = ff->nodeid;
319 ap.args.in_numargs = 1;
320 ap.args.in_args[0].size = sizeof(inarg);
321 ap.args.in_args[0].value = &inarg;
322 if (in_size) {
323 ap.args.in_numargs++;
324 ap.args.in_args[1].size = in_size;
325 ap.args.in_pages = true;
326
327 err = -EFAULT;
328 iov_iter_init(&ii, ITER_SOURCE, in_iov, in_iovs, in_size);
329 for (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_folios); i++) {
330 c = copy_folio_from_iter(ap.folios[i], 0, PAGE_SIZE, &ii);
331 if (c != PAGE_SIZE && iov_iter_count(&ii))
332 goto out;
333 }
334 }
335
336 ap.args.out_numargs = 2;
337 ap.args.out_args[1].size = out_size;
338 ap.args.out_pages = true;
339 ap.args.out_argvar = true;
340
341 transferred = fuse_send_ioctl(fm, &ap.args, &outarg);
342 err = transferred;
343 if (transferred < 0)
344 goto out;
345
346 /* did it ask for retry? */
347 if (outarg.flags & FUSE_IOCTL_RETRY) {
348 void *vaddr;
349
350 /* no retry if in restricted mode */
351 err = -EIO;
352 if (!(flags & FUSE_IOCTL_UNRESTRICTED))
353 goto out;
354
355 in_iovs = outarg.in_iovs;
356 out_iovs = outarg.out_iovs;
357
358 /*
359 * Make sure things are in boundary, separate checks
360 * are to protect against overflow.
361 */
362 err = -ENOMEM;
363 if (in_iovs > FUSE_IOCTL_MAX_IOV ||
364 out_iovs > FUSE_IOCTL_MAX_IOV ||
365 in_iovs + out_iovs > FUSE_IOCTL_MAX_IOV)
366 goto out;
367
368 vaddr = kmap_local_folio(ap.folios[0], 0);
369 err = fuse_copy_ioctl_iovec(fm->fc, iov_page, vaddr,
370 transferred, in_iovs + out_iovs,
371 (flags & FUSE_IOCTL_COMPAT) != 0);
372 kunmap_local(vaddr);
373 if (err)
374 goto out;
375
376 in_iov = iov_page;
377 out_iov = in_iov + in_iovs;
378
379 err = fuse_verify_ioctl_iov(fm->fc, in_iov, in_iovs);
380 if (err)
381 goto out;
382
383 err = fuse_verify_ioctl_iov(fm->fc, out_iov, out_iovs);
384 if (err)
385 goto out;
386
387 goto retry;
388 }
389
390 err = -EIO;
391 if (transferred > inarg.out_size)
392 goto out;
393
394 err = -EFAULT;
395 iov_iter_init(&ii, ITER_DEST, out_iov, out_iovs, transferred);
396 for (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_folios); i++) {
397 c = copy_folio_to_iter(ap.folios[i], 0, PAGE_SIZE, &ii);
398 if (c != PAGE_SIZE && iov_iter_count(&ii))
399 goto out;
400 }
401 err = 0;
402 out:
403 free_page((unsigned long) iov_page);
404 while (ap.num_folios)
405 folio_put(ap.folios[--ap.num_folios]);
406 kfree(ap.folios);
407
408 return err ? err : outarg.result;
409 }
410 EXPORT_SYMBOL_GPL(fuse_do_ioctl);
411
412 long fuse_ioctl_common(struct file *file, unsigned int cmd,
413 unsigned long arg, unsigned int flags)
414 {
415 struct inode *inode = file_inode(file);
416 struct fuse_conn *fc = get_fuse_conn(inode);
417
418 if (!fuse_allow_current_process(fc))
419 return -EACCES;
420
421 if (fuse_is_bad(inode))
422 return -EIO;
423
424 return fuse_do_ioctl(file, cmd, arg, flags);
425 }
426
427 long fuse_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
428 {
429 return fuse_ioctl_common(file, cmd, arg, 0);
430 }
431
432 long fuse_file_compat_ioctl(struct file *file, unsigned int cmd,
433 unsigned long arg)
434 {
435 return fuse_ioctl_common(file, cmd, arg, FUSE_IOCTL_COMPAT);
436 }
437
438 static int fuse_priv_ioctl(struct inode *inode, struct fuse_file *ff,
439 unsigned int cmd, void *ptr, size_t size)
440 {
441 struct fuse_mount *fm = ff->fm;
442 struct fuse_ioctl_in inarg;
443 struct fuse_ioctl_out outarg;
444 FUSE_ARGS(args);
445 int err;
446
447 memset(&inarg, 0, sizeof(inarg));
448 inarg.fh = ff->fh;
449 inarg.cmd = cmd;
450
451 #if BITS_PER_LONG == 32
452 inarg.flags |= FUSE_IOCTL_32BIT;
453 #endif
454 if (S_ISDIR(inode->i_mode))
455 inarg.flags |= FUSE_IOCTL_DIR;
456
457 if (_IOC_DIR(cmd) & _IOC_READ)
458 inarg.out_size = size;
459 if (_IOC_DIR(cmd) & _IOC_WRITE)
460 inarg.in_size = size;
461
462 args.opcode = FUSE_IOCTL;
463 args.nodeid = ff->nodeid;
464 args.in_numargs = 2;
465 args.in_args[0].size = sizeof(inarg);
466 args.in_args[0].value = &inarg;
467 args.in_args[1].size = inarg.in_size;
468 args.in_args[1].value = ptr;
469 args.out_numargs = 2;
470 args.out_args[1].size = inarg.out_size;
471 args.out_args[1].value = ptr;
472
473 err = fuse_send_ioctl(fm, &args, &outarg);
474 if (!err) {
475 if (outarg.result < 0)
476 err = outarg.result;
477 else if (outarg.flags & FUSE_IOCTL_RETRY)
478 err = -EIO;
479 }
480 return err;
481 }
482
483 static struct fuse_file *fuse_priv_ioctl_prepare(struct inode *inode)
484 {
485 struct fuse_mount *fm = get_fuse_mount(inode);
486 bool isdir = S_ISDIR(inode->i_mode);
487
488 if (!fuse_allow_current_process(fm->fc))
489 return ERR_PTR(-EACCES);
490
491 if (fuse_is_bad(inode))
492 return ERR_PTR(-EIO);
493
494 if (!S_ISREG(inode->i_mode) && !isdir)
495 return ERR_PTR(-ENOTTY);
496
497 return fuse_file_open(fm, get_node_id(inode), O_RDONLY, isdir);
498 }
499
500 static void fuse_priv_ioctl_cleanup(struct inode *inode, struct fuse_file *ff)
501 {
502 fuse_file_release(inode, ff, O_RDONLY, NULL, S_ISDIR(inode->i_mode));
503 }
504
505 int fuse_fileattr_get(struct dentry *dentry, struct fileattr *fa)
506 {
507 struct inode *inode = d_inode(dentry);
508 struct fuse_file *ff;
509 unsigned int flags;
510 struct fsxattr xfa;
511 int err;
512
513 ff = fuse_priv_ioctl_prepare(inode);
514 if (IS_ERR(ff))
515 return PTR_ERR(ff);
516
517 if (fa->flags_valid) {
518 err = fuse_priv_ioctl(inode, ff, FS_IOC_GETFLAGS,
519 &flags, sizeof(flags));
520 if (err)
521 goto cleanup;
522
523 fileattr_fill_flags(fa, flags);
524 } else {
525 err = fuse_priv_ioctl(inode, ff, FS_IOC_FSGETXATTR,
526 &xfa, sizeof(xfa));
527 if (err)
528 goto cleanup;
529
530 fileattr_fill_xflags(fa, xfa.fsx_xflags);
531 fa->fsx_extsize = xfa.fsx_extsize;
532 fa->fsx_nextents = xfa.fsx_nextents;
533 fa->fsx_projid = xfa.fsx_projid;
534 fa->fsx_cowextsize = xfa.fsx_cowextsize;
535 }
536 cleanup:
537 fuse_priv_ioctl_cleanup(inode, ff);
538
539 return err;
540 }
541
542 int fuse_fileattr_set(struct mnt_idmap *idmap,
543 struct dentry *dentry, struct fileattr *fa)
544 {
545 struct inode *inode = d_inode(dentry);
546 struct fuse_file *ff;
547 unsigned int flags = fa->flags;
548 struct fsxattr xfa;
549 int err;
550
551 ff = fuse_priv_ioctl_prepare(inode);
552 if (IS_ERR(ff))
553 return PTR_ERR(ff);
554
555 if (fa->flags_valid) {
556 err = fuse_priv_ioctl(inode, ff, FS_IOC_SETFLAGS,
557 &flags, sizeof(flags));
558 if (err)
559 goto cleanup;
560 } else {
561 memset(&xfa, 0, sizeof(xfa));
562 xfa.fsx_xflags = fa->fsx_xflags;
563 xfa.fsx_extsize = fa->fsx_extsize;
564 xfa.fsx_nextents = fa->fsx_nextents;
565 xfa.fsx_projid = fa->fsx_projid;
566 xfa.fsx_cowextsize = fa->fsx_cowextsize;
567
568 err = fuse_priv_ioctl(inode, ff, FS_IOC_FSSETXATTR,
569 &xfa, sizeof(xfa));
570 }
571
572 cleanup:
573 fuse_priv_ioctl_cleanup(inode, ff);
574
575 return err;
576 }
Kernel DRM miscellaneous fixes and cross-tree changes