1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * NET An implementation of the SOCKET network access protocol.
4 *
5 * Version: @(#)socket.c 1.1.93 18/02/95
6 *
7 * Authors: Orest Zborowski, <obz@Kodak.COM>
8 * Ross Biro
9 * Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
10 *
11 * Fixes:
12 * Anonymous : NOTSOCK/BADF cleanup. Error fix in
13 * shutdown()
14 * Alan Cox : verify_area() fixes
15 * Alan Cox : Removed DDI
16 * Jonathan Kamens : SOCK_DGRAM reconnect bug
17 * Alan Cox : Moved a load of checks to the very
18 * top level.
19 * Alan Cox : Move address structures to/from user
20 * mode above the protocol layers.
21 * Rob Janssen : Allow 0 length sends.
22 * Alan Cox : Asynchronous I/O support (cribbed from the
23 * tty drivers).
24 * Niibe Yutaka : Asynchronous I/O for writes (4.4BSD style)
25 * Jeff Uphoff : Made max number of sockets command-line
26 * configurable.
27 * Matti Aarnio : Made the number of sockets dynamic,
28 * to be allocated when needed, and mr.
29 * Uphoff's max is used as max to be
30 * allowed to allocate.
31 * Linus : Argh. removed all the socket allocation
32 * altogether: it's in the inode now.
33 * Alan Cox : Made sock_alloc()/sock_release() public
34 * for NetROM and future kernel nfsd type
35 * stuff.
36 * Alan Cox : sendmsg/recvmsg basics.
37 * Tom Dyas : Export net symbols.
38 * Marcin Dalecki : Fixed problems with CONFIG_NET="n".
39 * Alan Cox : Added thread locking to sys_* calls
40 * for sockets. May have errors at the
41 * moment.
42 * Kevin Buhr : Fixed the dumb errors in the above.
43 * Andi Kleen : Some small cleanups, optimizations,
44 * and fixed a copy_from_user() bug.
45 * Tigran Aivazian : sys_send(args) calls sys_sendto(args, NULL, 0)
46 * Tigran Aivazian : Made listen(2) backlog sanity checks
47 * protocol-independent
48 *
49 * This module is effectively the top level interface to the BSD socket
50 * paradigm.
51 *
52 * Based upon Swansea University Computer Society NET3.039
53 */
54
55#include <linux/bpf-cgroup.h>
56#include <linux/ethtool.h>
57#include <linux/mm.h>
58#include <linux/socket.h>
59#include <linux/file.h>
60#include <linux/splice.h>
61#include <linux/net.h>
62#include <linux/interrupt.h>
63#include <linux/thread_info.h>
64#include <linux/rcupdate.h>
65#include <linux/netdevice.h>
66#include <linux/proc_fs.h>
67#include <linux/seq_file.h>
68#include <linux/mutex.h>
69#include <linux/if_bridge.h>
70#include <linux/if_vlan.h>
71#include <linux/ptp_classify.h>
72#include <linux/init.h>
73#include <linux/poll.h>
74#include <linux/cache.h>
75#include <linux/module.h>
76#include <linux/highmem.h>
77#include <linux/mount.h>
78#include <linux/pseudo_fs.h>
79#include <linux/security.h>
80#include <linux/syscalls.h>
81#include <linux/compat.h>
82#include <linux/kmod.h>
83#include <linux/audit.h>
84#include <linux/wireless.h>
85#include <linux/nsproxy.h>
86#include <linux/magic.h>
87#include <linux/slab.h>
88#include <linux/xattr.h>
89#include <linux/nospec.h>
90#include <linux/indirect_call_wrapper.h>
91#include <linux/io_uring/net.h>
92
93#include <linux/uaccess.h>
94#include <asm/unistd.h>
95
96#include <net/compat.h>
97#include <net/wext.h>
98#include <net/cls_cgroup.h>
99
100#include <net/sock.h>
101#include <linux/netfilter.h>
102
103#include <linux/if_tun.h>
104#include <linux/ipv6_route.h>
105#include <linux/route.h>
106#include <linux/termios.h>
107#include <linux/sockios.h>
108#include <net/busy_poll.h>
109#include <linux/errqueue.h>
110#include <linux/ptp_clock_kernel.h>
111#include <trace/events/sock.h>
112
113#include "core/dev.h"
114
115#ifdef CONFIG_NET_RX_BUSY_POLL
116unsigned int sysctl_net_busy_read __read_mostly;
117unsigned int sysctl_net_busy_poll __read_mostly;
118#endif
119
120static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to);
121static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from);
122static int sock_mmap(struct file *file, struct vm_area_struct *vma);
123
124static int sock_close(struct inode *inode, struct file *file);
125static __poll_t sock_poll(struct file *file,
126 struct poll_table_struct *wait);
127static long sock_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
128#ifdef CONFIG_COMPAT
129static long compat_sock_ioctl(struct file *file,
130 unsigned int cmd, unsigned long arg);
131#endif
132static int sock_fasync(int fd, struct file *filp, int on);
133static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
134 struct pipe_inode_info *pipe, size_t len,
135 unsigned int flags);
136static void sock_splice_eof(struct file *file);
137
138#ifdef CONFIG_PROC_FS
139static void sock_show_fdinfo(struct seq_file *m, struct file *f)
140{
141 struct socket *sock = f->private_data;
142 const struct proto_ops *ops = READ_ONCE(sock->ops);
143
144 if (ops->show_fdinfo)
145 ops->show_fdinfo(m, sock);
146}
147#else
148#define sock_show_fdinfo NULL
149#endif
150
151/*
152 * Socket files have a set of 'special' operations as well as the generic file ones. These don't appear
153 * in the operation structures but are done directly via the socketcall() multiplexor.
154 */
155
156static const struct file_operations socket_file_ops = {
157 .owner = THIS_MODULE,
158 .read_iter = sock_read_iter,
159 .write_iter = sock_write_iter,
160 .poll = sock_poll,
161 .unlocked_ioctl = sock_ioctl,
162#ifdef CONFIG_COMPAT
163 .compat_ioctl = compat_sock_ioctl,
164#endif
165 .uring_cmd = io_uring_cmd_sock,
166 .mmap = sock_mmap,
167 .release = sock_close,
168 .fasync = sock_fasync,
169 .splice_write = splice_to_socket,
170 .splice_read = sock_splice_read,
171 .splice_eof = sock_splice_eof,
172 .show_fdinfo = sock_show_fdinfo,
173};
174
175static const char * const pf_family_names[] = {
176 [PF_UNSPEC] = "PF_UNSPEC",
177 [PF_UNIX] = "PF_UNIX/PF_LOCAL",
178 [PF_INET] = "PF_INET",
179 [PF_AX25] = "PF_AX25",
180 [PF_IPX] = "PF_IPX",
181 [PF_APPLETALK] = "PF_APPLETALK",
182 [PF_NETROM] = "PF_NETROM",
183 [PF_BRIDGE] = "PF_BRIDGE",
184 [PF_ATMPVC] = "PF_ATMPVC",
185 [PF_X25] = "PF_X25",
186 [PF_INET6] = "PF_INET6",
187 [PF_ROSE] = "PF_ROSE",
188 [PF_DECnet] = "PF_DECnet",
189 [PF_NETBEUI] = "PF_NETBEUI",
190 [PF_SECURITY] = "PF_SECURITY",
191 [PF_KEY] = "PF_KEY",
192 [PF_NETLINK] = "PF_NETLINK/PF_ROUTE",
193 [PF_PACKET] = "PF_PACKET",
194 [PF_ASH] = "PF_ASH",
195 [PF_ECONET] = "PF_ECONET",
196 [PF_ATMSVC] = "PF_ATMSVC",
197 [PF_RDS] = "PF_RDS",
198 [PF_SNA] = "PF_SNA",
199 [PF_IRDA] = "PF_IRDA",
200 [PF_PPPOX] = "PF_PPPOX",
201 [PF_WANPIPE] = "PF_WANPIPE",
202 [PF_LLC] = "PF_LLC",
203 [PF_IB] = "PF_IB",
204 [PF_MPLS] = "PF_MPLS",
205 [PF_CAN] = "PF_CAN",
206 [PF_TIPC] = "PF_TIPC",
207 [PF_BLUETOOTH] = "PF_BLUETOOTH",
208 [PF_IUCV] = "PF_IUCV",
209 [PF_RXRPC] = "PF_RXRPC",
210 [PF_ISDN] = "PF_ISDN",
211 [PF_PHONET] = "PF_PHONET",
212 [PF_IEEE802154] = "PF_IEEE802154",
213 [PF_CAIF] = "PF_CAIF",
214 [PF_ALG] = "PF_ALG",
215 [PF_NFC] = "PF_NFC",
216 [PF_VSOCK] = "PF_VSOCK",
217 [PF_KCM] = "PF_KCM",
218 [PF_QIPCRTR] = "PF_QIPCRTR",
219 [PF_SMC] = "PF_SMC",
220 [PF_XDP] = "PF_XDP",
221 [PF_MCTP] = "PF_MCTP",
222};
223
224/*
225 * The protocol list. Each protocol is registered in here.
226 */
227
228static DEFINE_SPINLOCK(net_family_lock);
229static const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
230
231/*
232 * Support routines.
233 * Move socket addresses back and forth across the kernel/user
234 * divide and look after the messy bits.
235 */
236
237/**
238 * move_addr_to_kernel - copy a socket address into kernel space
239 * @uaddr: Address in user space
240 * @kaddr: Address in kernel space
241 * @ulen: Length in user space
242 *
243 * The address is copied into kernel space. If the provided address is
244 * too long an error code of -EINVAL is returned. If the copy gives
245 * invalid addresses -EFAULT is returned. On a success 0 is returned.
246 */
247
248int move_addr_to_kernel(void __user *uaddr, int ulen, struct sockaddr_storage *kaddr)
249{
250 if (ulen < 0 || ulen > sizeof(struct sockaddr_storage))
251 return -EINVAL;
252 if (ulen == 0)
253 return 0;
254 if (copy_from_user(to: kaddr, from: uaddr, n: ulen))
255 return -EFAULT;
256 return audit_sockaddr(len: ulen, addr: kaddr);
257}
258
259/**
260 * move_addr_to_user - copy an address to user space
261 * @kaddr: kernel space address
262 * @klen: length of address in kernel
263 * @uaddr: user space address
264 * @ulen: pointer to user length field
265 *
266 * The value pointed to by ulen on entry is the buffer length available.
267 * This is overwritten with the buffer space used. -EINVAL is returned
268 * if an overlong buffer is specified or a negative buffer size. -EFAULT
269 * is returned if either the buffer or the length field are not
270 * accessible.
271 * After copying the data up to the limit the user specifies, the true
272 * length of the data is written over the length limit the user
273 * specified. Zero is returned for a success.
274 */
275
276static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen,
277 void __user *uaddr, int __user *ulen)
278{
279 int len;
280
281 BUG_ON(klen > sizeof(struct sockaddr_storage));
282
283 if (can_do_masked_user_access())
284 ulen = masked_user_access_begin(ulen);
285 else if (!user_access_begin(ulen, 4))
286 return -EFAULT;
287
288 unsafe_get_user(len, ulen, efault_end);
289
290 if (len > klen)
291 len = klen;
292 /*
293 * "fromlen shall refer to the value before truncation.."
294 * 1003.1g
295 */
296 if (len >= 0)
297 unsafe_put_user(klen, ulen, efault_end);
298
299 user_access_end();
300
301 if (len) {
302 if (len < 0)
303 return -EINVAL;
304 if (audit_sockaddr(len: klen, addr: kaddr))
305 return -ENOMEM;
306 if (copy_to_user(to: uaddr, from: kaddr, n: len))
307 return -EFAULT;
308 }
309 return 0;
310
311efault_end:
312 user_access_end();
313 return -EFAULT;
314}
315
316static struct kmem_cache *sock_inode_cachep __ro_after_init;
317
318static struct inode *sock_alloc_inode(struct super_block *sb)
319{
320 struct socket_alloc *ei;
321
322 ei = alloc_inode_sb(sb, sock_inode_cachep, GFP_KERNEL);
323 if (!ei)
324 return NULL;
325 init_waitqueue_head(&ei->socket.wq.wait);
326 ei->socket.wq.fasync_list = NULL;
327 ei->socket.wq.flags = 0;
328
329 ei->socket.state = SS_UNCONNECTED;
330 ei->socket.flags = 0;
331 ei->socket.ops = NULL;
332 ei->socket.sk = NULL;
333 ei->socket.file = NULL;
334
335 return &ei->vfs_inode;
336}
337
338static void sock_free_inode(struct inode *inode)
339{
340 struct socket_alloc *ei;
341
342 ei = container_of(inode, struct socket_alloc, vfs_inode);
343 kmem_cache_free(s: sock_inode_cachep, objp: ei);
344}
345
346static void init_once(void *foo)
347{
348 struct socket_alloc *ei = (struct socket_alloc *)foo;
349
350 inode_init_once(&ei->vfs_inode);
351}
352
353static void init_inodecache(void)
354{
355 sock_inode_cachep = kmem_cache_create("sock_inode_cache",
356 sizeof(struct socket_alloc),
357 0,
358 (SLAB_HWCACHE_ALIGN |
359 SLAB_RECLAIM_ACCOUNT |
360 SLAB_ACCOUNT),
361 init_once);
362 BUG_ON(sock_inode_cachep == NULL);
363}
364
365static const struct super_operations sockfs_ops = {
366 .alloc_inode = sock_alloc_inode,
367 .free_inode = sock_free_inode,
368 .statfs = simple_statfs,
369};
370
371/*
372 * sockfs_dname() is called from d_path().
373 */
374static char *sockfs_dname(struct dentry *dentry, char *buffer, int buflen)
375{
376 return dynamic_dname(buffer, buflen, "socket:[%lu]",
377 d_inode(dentry)->i_ino);
378}
379
380static const struct dentry_operations sockfs_dentry_operations = {
381 .d_dname = sockfs_dname,
382};
383
384static int sockfs_xattr_get(const struct xattr_handler *handler,
385 struct dentry *dentry, struct inode *inode,
386 const char *suffix, void *value, size_t size)
387{
388 if (value) {
389 if (dentry->d_name.len + 1 > size)
390 return -ERANGE;
391 memcpy(to: value, from: dentry->d_name.name, len: dentry->d_name.len + 1);
392 }
393 return dentry->d_name.len + 1;
394}
395
396#define XATTR_SOCKPROTONAME_SUFFIX "sockprotoname"
397#define XATTR_NAME_SOCKPROTONAME (XATTR_SYSTEM_PREFIX XATTR_SOCKPROTONAME_SUFFIX)
398#define XATTR_NAME_SOCKPROTONAME_LEN (sizeof(XATTR_NAME_SOCKPROTONAME)-1)
399
400static const struct xattr_handler sockfs_xattr_handler = {
401 .name = XATTR_NAME_SOCKPROTONAME,
402 .get = sockfs_xattr_get,
403};
404
405static int sockfs_security_xattr_set(const struct xattr_handler *handler,
406 struct mnt_idmap *idmap,
407 struct dentry *dentry, struct inode *inode,
408 const char *suffix, const void *value,
409 size_t size, int flags)
410{
411 /* Handled by LSM. */
412 return -EAGAIN;
413}
414
415static const struct xattr_handler sockfs_security_xattr_handler = {
416 .prefix = XATTR_SECURITY_PREFIX,
417 .set = sockfs_security_xattr_set,
418};
419
420static const struct xattr_handler * const sockfs_xattr_handlers[] = {
421 &sockfs_xattr_handler,
422 &sockfs_security_xattr_handler,
423 NULL
424};
425
426static int sockfs_init_fs_context(struct fs_context *fc)
427{
428 struct pseudo_fs_context *ctx = init_pseudo(fc, SOCKFS_MAGIC);
429 if (!ctx)
430 return -ENOMEM;
431 ctx->ops = &sockfs_ops;
432 ctx->dops = &sockfs_dentry_operations;
433 ctx->xattr = sockfs_xattr_handlers;
434 return 0;
435}
436
437static struct vfsmount *sock_mnt __read_mostly;
438
439static struct file_system_type sock_fs_type = {
440 .name = "sockfs",
441 .init_fs_context = sockfs_init_fs_context,
442 .kill_sb = kill_anon_super,
443};
444
445/*
446 * Obtains the first available file descriptor and sets it up for use.
447 *
448 * These functions create file structures and maps them to fd space
449 * of the current process. On success it returns file descriptor
450 * and file struct implicitly stored in sock->file.
451 * Note that another thread may close file descriptor before we return
452 * from this function. We use the fact that now we do not refer
453 * to socket after mapping. If one day we will need it, this
454 * function will increment ref. count on file by 1.
455 *
456 * In any case returned fd MAY BE not valid!
457 * This race condition is unavoidable
458 * with shared fd spaces, we cannot solve it inside kernel,
459 * but we take care of internal coherence yet.
460 */
461
462/**
463 * sock_alloc_file - Bind a &socket to a &file
464 * @sock: socket
465 * @flags: file status flags
466 * @dname: protocol name
467 *
468 * Returns the &file bound with @sock, implicitly storing it
469 * in sock->file. If dname is %NULL, sets to "".
470 *
471 * On failure @sock is released, and an ERR pointer is returned.
472 *
473 * This function uses GFP_KERNEL internally.
474 */
475
476struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
477{
478 struct file *file;
479
480 if (!dname)
481 dname = sock->sk ? sock->sk->sk_prot_creator->name : "";
482
483 file = alloc_file_pseudo(SOCK_INODE(socket: sock), sock_mnt, dname,
484 O_RDWR | (flags & O_NONBLOCK),
485 &socket_file_ops);
486 if (IS_ERR(ptr: file)) {
487 sock_release(sock);
488 return file;
489 }
490
491 file->f_mode |= FMODE_NOWAIT;
492 sock->file = file;
493 file->private_data = sock;
494 stream_open(inode: SOCK_INODE(socket: sock), filp: file);
495 /*
496 * Disable permission and pre-content events, but enable legacy
497 * inotify events for legacy users.
498 */
499 file_set_fsnotify_mode(file, FMODE_NONOTIFY_PERM);
500 return file;
501}
502EXPORT_SYMBOL(sock_alloc_file);
503
504static int sock_map_fd(struct socket *sock, int flags)
505{
506 struct file *newfile;
507 int fd = get_unused_fd_flags(flags);
508 if (unlikely(fd < 0)) {
509 sock_release(sock);
510 return fd;
511 }
512
513 newfile = sock_alloc_file(sock, flags, NULL);
514 if (!IS_ERR(ptr: newfile)) {
515 fd_install(fd, file: newfile);
516 return fd;
517 }
518
519 put_unused_fd(fd);
520 return PTR_ERR(ptr: newfile);
521}
522
523/**
524 * sock_from_file - Return the &socket bounded to @file.
525 * @file: file
526 *
527 * On failure returns %NULL.
528 */
529
530struct socket *sock_from_file(struct file *file)
531{
532 if (likely(file->f_op == &socket_file_ops))
533 return file->private_data; /* set in sock_alloc_file */
534
535 return NULL;
536}
537EXPORT_SYMBOL(sock_from_file);
538
539/**
540 * sockfd_lookup - Go from a file number to its socket slot
541 * @fd: file handle
542 * @err: pointer to an error code return
543 *
544 * The file handle passed in is locked and the socket it is bound
545 * to is returned. If an error occurs the err pointer is overwritten
546 * with a negative errno code and NULL is returned. The function checks
547 * for both invalid handles and passing a handle which is not a socket.
548 *
549 * On a success the socket object pointer is returned.
550 */
551
552struct socket *sockfd_lookup(int fd, int *err)
553{
554 struct file *file;
555 struct socket *sock;
556
557 file = fget(fd);
558 if (!file) {
559 *err = -EBADF;
560 return NULL;
561 }
562
563 sock = sock_from_file(file);
564 if (!sock) {
565 *err = -ENOTSOCK;
566 fput(file);
567 }
568 return sock;
569}
570EXPORT_SYMBOL(sockfd_lookup);
571
572static ssize_t sockfs_listxattr(struct dentry *dentry, char *buffer,
573 size_t size)
574{
575 ssize_t len;
576 ssize_t used = 0;
577
578 len = security_inode_listsecurity(inode: d_inode(dentry), buffer, buffer_size: size);
579 if (len < 0)
580 return len;
581 used += len;
582 if (buffer) {
583 if (size < used)
584 return -ERANGE;
585 buffer += len;
586 }
587
588 len = (XATTR_NAME_SOCKPROTONAME_LEN + 1);
589 used += len;
590 if (buffer) {
591 if (size < used)
592 return -ERANGE;
593 memcpy(to: buffer, XATTR_NAME_SOCKPROTONAME, len);
594 buffer += len;
595 }
596
597 return used;
598}
599
600static int sockfs_setattr(struct mnt_idmap *idmap,
601 struct dentry *dentry, struct iattr *iattr)
602{
603 int err = simple_setattr(&nop_mnt_idmap, dentry, iattr);
604
605 if (!err && (iattr->ia_valid & ATTR_UID)) {
606 struct socket *sock = SOCKET_I(inode: d_inode(dentry));
607
608 if (sock->sk) {
609 /* Paired with READ_ONCE() in sk_uid() */
610 WRITE_ONCE(sock->sk->sk_uid, iattr->ia_uid);
611 } else {
612 err = -ENOENT;
613 }
614 }
615
616 return err;
617}
618
619static const struct inode_operations sockfs_inode_ops = {
620 .listxattr = sockfs_listxattr,
621 .setattr = sockfs_setattr,
622};
623
624/**
625 * sock_alloc - allocate a socket
626 *
627 * Allocate a new inode and socket object. The two are bound together
628 * and initialised. The socket is then returned. If we are out of inodes
629 * NULL is returned. This functions uses GFP_KERNEL internally.
630 */
631
632struct socket *sock_alloc(void)
633{
634 struct inode *inode;
635 struct socket *sock;
636
637 inode = new_inode_pseudo(sb: sock_mnt->mnt_sb);
638 if (!inode)
639 return NULL;
640
641 sock = SOCKET_I(inode);
642
643 inode->i_ino = get_next_ino();
644 inode->i_mode = S_IFSOCK | S_IRWXUGO;
645 inode->i_uid = current_fsuid();
646 inode->i_gid = current_fsgid();
647 inode->i_op = &sockfs_inode_ops;
648
649 return sock;
650}
651EXPORT_SYMBOL(sock_alloc);
652
653static void __sock_release(struct socket *sock, struct inode *inode)
654{
655 const struct proto_ops *ops = READ_ONCE(sock->ops);
656
657 if (ops) {
658 struct module *owner = ops->owner;
659
660 if (inode)
661 inode_lock(inode);
662 ops->release(sock);
663 sock->sk = NULL;
664 if (inode)
665 inode_unlock(inode);
666 sock->ops = NULL;
667 module_put(module: owner);
668 }
669
670 if (sock->wq.fasync_list)
671 pr_err("%s: fasync list not empty!\n", __func__);
672
673 if (!sock->file) {
674 iput(SOCK_INODE(socket: sock));
675 return;
676 }
677 sock->file = NULL;
678}
679
680/**
681 * sock_release - close a socket
682 * @sock: socket to close
683 *
684 * The socket is released from the protocol stack if it has a release
685 * callback, and the inode is then released if the socket is bound to
686 * an inode not a file.
687 */
688void sock_release(struct socket *sock)
689{
690 __sock_release(sock, NULL);
691}
692EXPORT_SYMBOL(sock_release);
693
694void __sock_tx_timestamp(__u32 tsflags, __u8 *tx_flags)
695{
696 u8 flags = *tx_flags;
697
698 if (tsflags & SOF_TIMESTAMPING_TX_HARDWARE)
699 flags |= SKBTX_HW_TSTAMP_NOBPF;
700
701 if (tsflags & SOF_TIMESTAMPING_TX_SOFTWARE)
702 flags |= SKBTX_SW_TSTAMP;
703
704 if (tsflags & SOF_TIMESTAMPING_TX_SCHED)
705 flags |= SKBTX_SCHED_TSTAMP;
706
707 if (tsflags & SOF_TIMESTAMPING_TX_COMPLETION)
708 flags |= SKBTX_COMPLETION_TSTAMP;
709
710 *tx_flags = flags;
711}
712EXPORT_SYMBOL(__sock_tx_timestamp);
713
714INDIRECT_CALLABLE_DECLARE(int inet_sendmsg(struct socket *, struct msghdr *,
715 size_t));
716INDIRECT_CALLABLE_DECLARE(int inet6_sendmsg(struct socket *, struct msghdr *,
717 size_t));
718
719static noinline void call_trace_sock_send_length(struct sock *sk, int ret,
720 int flags)
721{
722 trace_sock_send_length(sk, ret, flags: 0);
723}
724
725static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg)
726{
727 int ret = INDIRECT_CALL_INET(READ_ONCE(sock->ops)->sendmsg, inet6_sendmsg,
728 inet_sendmsg, sock, msg,
729 msg_data_left(msg));
730 BUG_ON(ret == -EIOCBQUEUED);
731
732 if (trace_sock_send_length_enabled())
733 call_trace_sock_send_length(sk: sock->sk, ret, flags: 0);
734 return ret;
735}
736
737static int __sock_sendmsg(struct socket *sock, struct msghdr *msg)
738{
739 int err = security_socket_sendmsg(sock, msg,
740 size: msg_data_left(msg));
741
742 return err ?: sock_sendmsg_nosec(sock, msg);
743}
744
745/**
746 * sock_sendmsg - send a message through @sock
747 * @sock: socket
748 * @msg: message to send
749 *
750 * Sends @msg through @sock, passing through LSM.
751 * Returns the number of bytes sent, or an error code.
752 */
753int sock_sendmsg(struct socket *sock, struct msghdr *msg)
754{
755 struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
756 struct sockaddr_storage address;
757 int save_len = msg->msg_namelen;
758 int ret;
759
760 if (msg->msg_name) {
761 memcpy(to: &address, from: msg->msg_name, len: msg->msg_namelen);
762 msg->msg_name = &address;
763 }
764
765 ret = __sock_sendmsg(sock, msg);
766 msg->msg_name = save_addr;
767 msg->msg_namelen = save_len;
768
769 return ret;
770}
771EXPORT_SYMBOL(sock_sendmsg);
772
773/**
774 * kernel_sendmsg - send a message through @sock (kernel-space)
775 * @sock: socket
776 * @msg: message header
777 * @vec: kernel vec
778 * @num: vec array length
779 * @size: total message data size
780 *
781 * Builds the message data with @vec and sends it through @sock.
782 * Returns the number of bytes sent, or an error code.
783 */
784
785int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
786 struct kvec *vec, size_t num, size_t size)
787{
788 iov_iter_kvec(i: &msg->msg_iter, ITER_SOURCE, kvec: vec, nr_segs: num, count: size);
789 return sock_sendmsg(sock, msg);
790}
791EXPORT_SYMBOL(kernel_sendmsg);
792
793static bool skb_is_err_queue(const struct sk_buff *skb)
794{
795 /* pkt_type of skbs enqueued on the error queue are set to
796 * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
797 * in recvmsg, since skbs received on a local socket will never
798 * have a pkt_type of PACKET_OUTGOING.
799 */
800 return skb->pkt_type == PACKET_OUTGOING;
801}
802
803/* On transmit, software and hardware timestamps are returned independently.
804 * As the two skb clones share the hardware timestamp, which may be updated
805 * before the software timestamp is received, a hardware TX timestamp may be
806 * returned only if there is no software TX timestamp. Ignore false software
807 * timestamps, which may be made in the __sock_recv_timestamp() call when the
808 * option SO_TIMESTAMP_OLD(NS) is enabled on the socket, even when the skb has a
809 * hardware timestamp.
810 */
811static bool skb_is_swtx_tstamp(const struct sk_buff *skb, int false_tstamp)
812{
813 return skb->tstamp && !false_tstamp && skb_is_err_queue(skb);
814}
815
816static ktime_t get_timestamp(struct sock *sk, struct sk_buff *skb, int *if_index)
817{
818 bool cycles = READ_ONCE(sk->sk_tsflags) & SOF_TIMESTAMPING_BIND_PHC;
819 struct skb_shared_hwtstamps *shhwtstamps = skb_hwtstamps(skb);
820 struct net_device *orig_dev;
821 ktime_t hwtstamp;
822
823 rcu_read_lock();
824 orig_dev = dev_get_by_napi_id(napi_id: skb_napi_id(skb));
825 if (orig_dev) {
826 *if_index = orig_dev->ifindex;
827 hwtstamp = netdev_get_tstamp(dev: orig_dev, hwtstamps: shhwtstamps, cycles);
828 } else {
829 hwtstamp = shhwtstamps->hwtstamp;
830 }
831 rcu_read_unlock();
832
833 return hwtstamp;
834}
835
836static void put_ts_pktinfo(struct msghdr *msg, struct sk_buff *skb,
837 int if_index)
838{
839 struct scm_ts_pktinfo ts_pktinfo;
840 struct net_device *orig_dev;
841
842 if (!skb_mac_header_was_set(skb))
843 return;
844
845 memset(s: &ts_pktinfo, c: 0, n: sizeof(ts_pktinfo));
846
847 if (!if_index) {
848 rcu_read_lock();
849 orig_dev = dev_get_by_napi_id(napi_id: skb_napi_id(skb));
850 if (orig_dev)
851 if_index = orig_dev->ifindex;
852 rcu_read_unlock();
853 }
854 ts_pktinfo.if_index = if_index;
855
856 ts_pktinfo.pkt_length = skb->len - skb_mac_offset(skb);
857 put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_PKTINFO,
858 len: sizeof(ts_pktinfo), data: &ts_pktinfo);
859}
860
861bool skb_has_tx_timestamp(struct sk_buff *skb, const struct sock *sk)
862{
863 const struct sock_exterr_skb *serr = SKB_EXT_ERR(skb);
864 u32 tsflags = READ_ONCE(sk->sk_tsflags);
865
866 if (serr->ee.ee_errno != ENOMSG ||
867 serr->ee.ee_origin != SO_EE_ORIGIN_TIMESTAMPING)
868 return false;
869
870 /* software time stamp available and wanted */
871 if ((tsflags & SOF_TIMESTAMPING_SOFTWARE) && skb->tstamp)
872 return true;
873 /* hardware time stamps available and wanted */
874 return (tsflags & SOF_TIMESTAMPING_RAW_HARDWARE) &&
875 skb_hwtstamps(skb)->hwtstamp;
876}
877
878int skb_get_tx_timestamp(struct sk_buff *skb, struct sock *sk,
879 struct timespec64 *ts)
880{
881 u32 tsflags = READ_ONCE(sk->sk_tsflags);
882 ktime_t hwtstamp;
883 int if_index = 0;
884
885 if ((tsflags & SOF_TIMESTAMPING_SOFTWARE) &&
886 ktime_to_timespec64_cond(kt: skb->tstamp, ts))
887 return SOF_TIMESTAMPING_TX_SOFTWARE;
888
889 if (!(tsflags & SOF_TIMESTAMPING_RAW_HARDWARE) ||
890 skb_is_swtx_tstamp(skb, false_tstamp: false))
891 return -ENOENT;
892
893 if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP_NETDEV)
894 hwtstamp = get_timestamp(sk, skb, if_index: &if_index);
895 else
896 hwtstamp = skb_hwtstamps(skb)->hwtstamp;
897
898 if (tsflags & SOF_TIMESTAMPING_BIND_PHC)
899 hwtstamp = ptp_convert_timestamp(hwtstamp: &hwtstamp,
900 READ_ONCE(sk->sk_bind_phc));
901 if (!ktime_to_timespec64_cond(kt: hwtstamp, ts))
902 return -ENOENT;
903
904 return SOF_TIMESTAMPING_TX_HARDWARE;
905}
906
907/*
908 * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP)
909 */
910void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
911 struct sk_buff *skb)
912{
913 int need_software_tstamp = sock_flag(sk, flag: SOCK_RCVTSTAMP);
914 int new_tstamp = sock_flag(sk, flag: SOCK_TSTAMP_NEW);
915 struct scm_timestamping_internal tss;
916 int empty = 1, false_tstamp = 0;
917 struct skb_shared_hwtstamps *shhwtstamps =
918 skb_hwtstamps(skb);
919 int if_index;
920 ktime_t hwtstamp;
921 u32 tsflags;
922
923 /* Race occurred between timestamp enabling and packet
924 receiving. Fill in the current time for now. */
925 if (need_software_tstamp && skb->tstamp == 0) {
926 __net_timestamp(skb);
927 false_tstamp = 1;
928 }
929
930 if (need_software_tstamp) {
931 if (!sock_flag(sk, flag: SOCK_RCVTSTAMPNS)) {
932 if (new_tstamp) {
933 struct __kernel_sock_timeval tv;
934
935 skb_get_new_timestamp(skb, stamp: &tv);
936 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_NEW,
937 len: sizeof(tv), data: &tv);
938 } else {
939 struct __kernel_old_timeval tv;
940
941 skb_get_timestamp(skb, stamp: &tv);
942 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_OLD,
943 len: sizeof(tv), data: &tv);
944 }
945 } else {
946 if (new_tstamp) {
947 struct __kernel_timespec ts;
948
949 skb_get_new_timestampns(skb, stamp: &ts);
950 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
951 len: sizeof(ts), data: &ts);
952 } else {
953 struct __kernel_old_timespec ts;
954
955 skb_get_timestampns(skb, stamp: &ts);
956 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_OLD,
957 len: sizeof(ts), data: &ts);
958 }
959 }
960 }
961
962 memset(s: &tss, c: 0, n: sizeof(tss));
963 tsflags = READ_ONCE(sk->sk_tsflags);
964 if ((tsflags & SOF_TIMESTAMPING_SOFTWARE &&
965 (tsflags & SOF_TIMESTAMPING_RX_SOFTWARE ||
966 skb_is_err_queue(skb) ||
967 !(tsflags & SOF_TIMESTAMPING_OPT_RX_FILTER))) &&
968 ktime_to_timespec64_cond(kt: skb->tstamp, ts: tss.ts + 0))
969 empty = 0;
970 if (shhwtstamps &&
971 (tsflags & SOF_TIMESTAMPING_RAW_HARDWARE &&
972 (tsflags & SOF_TIMESTAMPING_RX_HARDWARE ||
973 skb_is_err_queue(skb) ||
974 !(tsflags & SOF_TIMESTAMPING_OPT_RX_FILTER))) &&
975 !skb_is_swtx_tstamp(skb, false_tstamp)) {
976 if_index = 0;
977 if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP_NETDEV)
978 hwtstamp = get_timestamp(sk, skb, if_index: &if_index);
979 else
980 hwtstamp = shhwtstamps->hwtstamp;
981
982 if (tsflags & SOF_TIMESTAMPING_BIND_PHC)
983 hwtstamp = ptp_convert_timestamp(hwtstamp: &hwtstamp,
984 READ_ONCE(sk->sk_bind_phc));
985
986 if (ktime_to_timespec64_cond(kt: hwtstamp, ts: tss.ts + 2)) {
987 empty = 0;
988
989 if ((tsflags & SOF_TIMESTAMPING_OPT_PKTINFO) &&
990 !skb_is_err_queue(skb))
991 put_ts_pktinfo(msg, skb, if_index);
992 }
993 }
994 if (!empty) {
995 if (sock_flag(sk, flag: SOCK_TSTAMP_NEW))
996 put_cmsg_scm_timestamping64(msg, tss: &tss);
997 else
998 put_cmsg_scm_timestamping(msg, tss: &tss);
999
1000 if (skb_is_err_queue(skb) && skb->len &&
1001 SKB_EXT_ERR(skb)->opt_stats)
1002 put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
1003 len: skb->len, data: skb->data);
1004 }
1005}
1006EXPORT_SYMBOL_GPL(__sock_recv_timestamp);
1007
1008#ifdef CONFIG_WIRELESS
1009void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
1010 struct sk_buff *skb)
1011{
1012 int ack;
1013
1014 if (!sock_flag(sk, flag: SOCK_WIFI_STATUS))
1015 return;
1016 if (!skb->wifi_acked_valid)
1017 return;
1018
1019 ack = skb->wifi_acked;
1020
1021 put_cmsg(msg, SOL_SOCKET, SCM_WIFI_STATUS, len: sizeof(ack), data: &ack);
1022}
1023EXPORT_SYMBOL_GPL(__sock_recv_wifi_status);
1024#endif
1025
1026static inline void sock_recv_drops(struct msghdr *msg, struct sock *sk,
1027 struct sk_buff *skb)
1028{
1029 if (sock_flag(sk, flag: SOCK_RXQ_OVFL) && skb && SOCK_SKB_CB(skb)->dropcount)
1030 put_cmsg(msg, SOL_SOCKET, SO_RXQ_OVFL,
1031 len: sizeof(__u32), data: &SOCK_SKB_CB(skb)->dropcount);
1032}
1033
1034static void sock_recv_mark(struct msghdr *msg, struct sock *sk,
1035 struct sk_buff *skb)
1036{
1037 if (sock_flag(sk, flag: SOCK_RCVMARK) && skb) {
1038 /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */
1039 __u32 mark = skb->mark;
1040
1041 put_cmsg(msg, SOL_SOCKET, SO_MARK, len: sizeof(__u32), data: &mark);
1042 }
1043}
1044
1045static void sock_recv_priority(struct msghdr *msg, struct sock *sk,
1046 struct sk_buff *skb)
1047{
1048 if (sock_flag(sk, flag: SOCK_RCVPRIORITY) && skb) {
1049 __u32 priority = skb->priority;
1050
1051 put_cmsg(msg, SOL_SOCKET, SO_PRIORITY, len: sizeof(__u32), data: &priority);
1052 }
1053}
1054
1055void __sock_recv_cmsgs(struct msghdr *msg, struct sock *sk,
1056 struct sk_buff *skb)
1057{
1058 sock_recv_timestamp(msg, sk, skb);
1059 sock_recv_drops(msg, sk, skb);
1060 sock_recv_mark(msg, sk, skb);
1061 sock_recv_priority(msg, sk, skb);
1062}
1063EXPORT_SYMBOL_GPL(__sock_recv_cmsgs);
1064
1065INDIRECT_CALLABLE_DECLARE(int inet_recvmsg(struct socket *, struct msghdr *,
1066 size_t, int));
1067INDIRECT_CALLABLE_DECLARE(int inet6_recvmsg(struct socket *, struct msghdr *,
1068 size_t, int));
1069
1070static noinline void call_trace_sock_recv_length(struct sock *sk, int ret, int flags)
1071{
1072 trace_sock_recv_length(sk, ret, flags);
1073}
1074
1075static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg,
1076 int flags)
1077{
1078 int ret = INDIRECT_CALL_INET(READ_ONCE(sock->ops)->recvmsg,
1079 inet6_recvmsg,
1080 inet_recvmsg, sock, msg,
1081 msg_data_left(msg), flags);
1082 if (trace_sock_recv_length_enabled())
1083 call_trace_sock_recv_length(sk: sock->sk, ret, flags);
1084 return ret;
1085}
1086
1087/**
1088 * sock_recvmsg - receive a message from @sock
1089 * @sock: socket
1090 * @msg: message to receive
1091 * @flags: message flags
1092 *
1093 * Receives @msg from @sock, passing through LSM. Returns the total number
1094 * of bytes received, or an error.
1095 */
1096int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags)
1097{
1098 int err = security_socket_recvmsg(sock, msg, size: msg_data_left(msg), flags);
1099
1100 return err ?: sock_recvmsg_nosec(sock, msg, flags);
1101}
1102EXPORT_SYMBOL(sock_recvmsg);
1103
1104/**
1105 * kernel_recvmsg - Receive a message from a socket (kernel space)
1106 * @sock: The socket to receive the message from
1107 * @msg: Received message
1108 * @vec: Input s/g array for message data
1109 * @num: Size of input s/g array
1110 * @size: Number of bytes to read
1111 * @flags: Message flags (MSG_DONTWAIT, etc...)
1112 *
1113 * On return the msg structure contains the scatter/gather array passed in the
1114 * vec argument. The array is modified so that it consists of the unfilled
1115 * portion of the original array.
1116 *
1117 * The returned value is the total number of bytes received, or an error.
1118 */
1119
1120int kernel_recvmsg(struct socket *sock, struct msghdr *msg,
1121 struct kvec *vec, size_t num, size_t size, int flags)
1122{
1123 msg->msg_control_is_user = false;
1124 iov_iter_kvec(i: &msg->msg_iter, ITER_DEST, kvec: vec, nr_segs: num, count: size);
1125 return sock_recvmsg(sock, msg, flags);
1126}
1127EXPORT_SYMBOL(kernel_recvmsg);
1128
1129static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
1130 struct pipe_inode_info *pipe, size_t len,
1131 unsigned int flags)
1132{
1133 struct socket *sock = file->private_data;
1134 const struct proto_ops *ops;
1135
1136 ops = READ_ONCE(sock->ops);
1137 if (unlikely(!ops->splice_read))
1138 return copy_splice_read(in: file, ppos, pipe, len, flags);
1139
1140 return ops->splice_read(sock, ppos, pipe, len, flags);
1141}
1142
1143static void sock_splice_eof(struct file *file)
1144{
1145 struct socket *sock = file->private_data;
1146 const struct proto_ops *ops;
1147
1148 ops = READ_ONCE(sock->ops);
1149 if (ops->splice_eof)
1150 ops->splice_eof(sock);
1151}
1152
1153static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
1154{
1155 struct file *file = iocb->ki_filp;
1156 struct socket *sock = file->private_data;
1157 struct msghdr msg = {.msg_iter = *to,
1158 .msg_iocb = iocb};
1159 ssize_t res;
1160
1161 if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
1162 msg.msg_flags = MSG_DONTWAIT;
1163
1164 if (iocb->ki_pos != 0)
1165 return -ESPIPE;
1166
1167 if (!iov_iter_count(i: to)) /* Match SYS5 behaviour */
1168 return 0;
1169
1170 res = sock_recvmsg(sock, &msg, msg.msg_flags);
1171 *to = msg.msg_iter;
1172 return res;
1173}
1174
1175static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
1176{
1177 struct file *file = iocb->ki_filp;
1178 struct socket *sock = file->private_data;
1179 struct msghdr msg = {.msg_iter = *from,
1180 .msg_iocb = iocb};
1181 ssize_t res;
1182
1183 if (iocb->ki_pos != 0)
1184 return -ESPIPE;
1185
1186 if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
1187 msg.msg_flags = MSG_DONTWAIT;
1188
1189 if (sock->type == SOCK_SEQPACKET)
1190 msg.msg_flags |= MSG_EOR;
1191
1192 if (iocb->ki_flags & IOCB_NOSIGNAL)
1193 msg.msg_flags |= MSG_NOSIGNAL;
1194
1195 res = __sock_sendmsg(sock, msg: &msg);
1196 *from = msg.msg_iter;
1197 return res;
1198}
1199
1200/*
1201 * Atomic setting of ioctl hooks to avoid race
1202 * with module unload.
1203 */
1204
1205static DEFINE_MUTEX(br_ioctl_mutex);
1206static int (*br_ioctl_hook)(struct net *net, unsigned int cmd,
1207 void __user *uarg);
1208
1209void brioctl_set(int (*hook)(struct net *net, unsigned int cmd,
1210 void __user *uarg))
1211{
1212 mutex_lock(lock: &br_ioctl_mutex);
1213 br_ioctl_hook = hook;
1214 mutex_unlock(lock: &br_ioctl_mutex);
1215}
1216EXPORT_SYMBOL(brioctl_set);
1217
1218int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg)
1219{
1220 int err = -ENOPKG;
1221
1222 if (!br_ioctl_hook)
1223 request_module("bridge");
1224
1225 mutex_lock(lock: &br_ioctl_mutex);
1226 if (br_ioctl_hook)
1227 err = br_ioctl_hook(net, cmd, uarg);
1228 mutex_unlock(lock: &br_ioctl_mutex);
1229
1230 return err;
1231}
1232
1233static DEFINE_MUTEX(vlan_ioctl_mutex);
1234static int (*vlan_ioctl_hook) (struct net *, void __user *arg);
1235
1236void vlan_ioctl_set(int (*hook) (struct net *, void __user *))
1237{
1238 mutex_lock(lock: &vlan_ioctl_mutex);
1239 vlan_ioctl_hook = hook;
1240 mutex_unlock(lock: &vlan_ioctl_mutex);
1241}
1242EXPORT_SYMBOL(vlan_ioctl_set);
1243
1244static long sock_do_ioctl(struct net *net, struct socket *sock,
1245 unsigned int cmd, unsigned long arg)
1246{
1247 const struct proto_ops *ops = READ_ONCE(sock->ops);
1248 struct ifreq ifr;
1249 bool need_copyout;
1250 int err;
1251 void __user *argp = (void __user *)arg;
1252 void __user *data;
1253
1254 err = ops->ioctl(sock, cmd, arg);
1255
1256 /*
1257 * If this ioctl is unknown try to hand it down
1258 * to the NIC driver.
1259 */
1260 if (err != -ENOIOCTLCMD)
1261 return err;
1262
1263 if (!is_socket_ioctl_cmd(cmd))
1264 return -ENOTTY;
1265
1266 if (get_user_ifreq(ifr: &ifr, ifrdata: &data, arg: argp))
1267 return -EFAULT;
1268 err = dev_ioctl(net, cmd, ifr: &ifr, data, need_copyout: &need_copyout);
1269 if (!err && need_copyout)
1270 if (put_user_ifreq(ifr: &ifr, arg: argp))
1271 return -EFAULT;
1272
1273 return err;
1274}
1275
1276/*
1277 * With an ioctl, arg may well be a user mode pointer, but we don't know
1278 * what to do with it - that's up to the protocol still.
1279 */
1280
1281static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
1282{
1283 const struct proto_ops *ops;
1284 struct socket *sock;
1285 struct sock *sk;
1286 void __user *argp = (void __user *)arg;
1287 int pid, err;
1288 struct net *net;
1289
1290 sock = file->private_data;
1291 ops = READ_ONCE(sock->ops);
1292 sk = sock->sk;
1293 net = sock_net(sk);
1294 if (unlikely(cmd >= SIOCDEVPRIVATE && cmd <= (SIOCDEVPRIVATE + 15))) {
1295 struct ifreq ifr;
1296 void __user *data;
1297 bool need_copyout;
1298 if (get_user_ifreq(ifr: &ifr, ifrdata: &data, arg: argp))
1299 return -EFAULT;
1300 err = dev_ioctl(net, cmd, ifr: &ifr, data, need_copyout: &need_copyout);
1301 if (!err && need_copyout)
1302 if (put_user_ifreq(ifr: &ifr, arg: argp))
1303 return -EFAULT;
1304 } else
1305#ifdef CONFIG_WEXT_CORE
1306 if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) {
1307 err = wext_handle_ioctl(net, cmd, argp);
1308 } else
1309#endif
1310 switch (cmd) {
1311 case FIOSETOWN:
1312 case SIOCSPGRP:
1313 err = -EFAULT;
1314 if (get_user(pid, (int __user *)argp))
1315 break;
1316 err = f_setown(filp: sock->file, who: pid, force: 1);
1317 break;
1318 case FIOGETOWN:
1319 case SIOCGPGRP:
1320 err = put_user(f_getown(sock->file),
1321 (int __user *)argp);
1322 break;
1323 case SIOCGIFBR:
1324 case SIOCSIFBR:
1325 case SIOCBRADDBR:
1326 case SIOCBRDELBR:
1327 case SIOCBRADDIF:
1328 case SIOCBRDELIF:
1329 err = br_ioctl_call(net, cmd, uarg: argp);
1330 break;
1331 case SIOCGIFVLAN:
1332 case SIOCSIFVLAN:
1333 err = -ENOPKG;
1334 if (!vlan_ioctl_hook)
1335 request_module("8021q");
1336
1337 mutex_lock(lock: &vlan_ioctl_mutex);
1338 if (vlan_ioctl_hook)
1339 err = vlan_ioctl_hook(net, argp);
1340 mutex_unlock(lock: &vlan_ioctl_mutex);
1341 break;
1342 case SIOCGSKNS:
1343 err = -EPERM;
1344 if (!ns_capable(ns: net->user_ns, CAP_NET_ADMIN))
1345 break;
1346
1347 err = open_related_ns(ns: &net->ns, get_ns: get_net_ns);
1348 break;
1349 case SIOCGSTAMP_OLD:
1350 case SIOCGSTAMPNS_OLD:
1351 if (!ops->gettstamp) {
1352 err = -ENOIOCTLCMD;
1353 break;
1354 }
1355 err = ops->gettstamp(sock, argp,
1356 cmd == SIOCGSTAMP_OLD,
1357 !IS_ENABLED(CONFIG_64BIT));
1358 break;
1359 case SIOCGSTAMP_NEW:
1360 case SIOCGSTAMPNS_NEW:
1361 if (!ops->gettstamp) {
1362 err = -ENOIOCTLCMD;
1363 break;
1364 }
1365 err = ops->gettstamp(sock, argp,
1366 cmd == SIOCGSTAMP_NEW,
1367 false);
1368 break;
1369
1370 case SIOCGIFCONF:
1371 err = dev_ifconf(net, ifc: argp);
1372 break;
1373
1374 default:
1375 err = sock_do_ioctl(net, sock, cmd, arg);
1376 break;
1377 }
1378 return err;
1379}
1380
1381/**
1382 * sock_create_lite - creates a socket
1383 * @family: protocol family (AF_INET, ...)
1384 * @type: communication type (SOCK_STREAM, ...)
1385 * @protocol: protocol (0, ...)
1386 * @res: new socket
1387 *
1388 * Creates a new socket and assigns it to @res, passing through LSM.
1389 * The new socket initialization is not complete, see kernel_accept().
1390 * Returns 0 or an error. On failure @res is set to %NULL.
1391 * This function internally uses GFP_KERNEL.
1392 */
1393
1394int sock_create_lite(int family, int type, int protocol, struct socket **res)
1395{
1396 int err;
1397 struct socket *sock = NULL;
1398
1399 err = security_socket_create(family, type, protocol, kern: 1);
1400 if (err)
1401 goto out;
1402
1403 sock = sock_alloc();
1404 if (!sock) {
1405 err = -ENOMEM;
1406 goto out;
1407 }
1408
1409 sock->type = type;
1410 err = security_socket_post_create(sock, family, type, protocol, kern: 1);
1411 if (err)
1412 goto out_release;
1413
1414out:
1415 *res = sock;
1416 return err;
1417out_release:
1418 sock_release(sock);
1419 sock = NULL;
1420 goto out;
1421}
1422EXPORT_SYMBOL(sock_create_lite);
1423
1424/* No kernel lock held - perfect */
1425static __poll_t sock_poll(struct file *file, poll_table *wait)
1426{
1427 struct socket *sock = file->private_data;
1428 const struct proto_ops *ops = READ_ONCE(sock->ops);
1429 __poll_t events = poll_requested_events(p: wait), flag = 0;
1430
1431 if (!ops->poll)
1432 return 0;
1433
1434 if (sk_can_busy_loop(sk: sock->sk)) {
1435 /* poll once if requested by the syscall */
1436 if (events & POLL_BUSY_LOOP)
1437 sk_busy_loop(sk: sock->sk, nonblock: 1);
1438
1439 /* if this socket can poll_ll, tell the system call */
1440 flag = POLL_BUSY_LOOP;
1441 }
1442
1443 return ops->poll(file, sock, wait) | flag;
1444}
1445
1446static int sock_mmap(struct file *file, struct vm_area_struct *vma)
1447{
1448 struct socket *sock = file->private_data;
1449
1450 return READ_ONCE(sock->ops)->mmap(file, sock, vma);
1451}
1452
1453static int sock_close(struct inode *inode, struct file *filp)
1454{
1455 __sock_release(sock: SOCKET_I(inode), inode);
1456 return 0;
1457}
1458
1459/*
1460 * Update the socket async list
1461 *
1462 * Fasync_list locking strategy.
1463 *
1464 * 1. fasync_list is modified only under process context socket lock
1465 * i.e. under semaphore.
1466 * 2. fasync_list is used under read_lock(&sk->sk_callback_lock)
1467 * or under socket lock
1468 */
1469
1470static int sock_fasync(int fd, struct file *filp, int on)
1471{
1472 struct socket *sock = filp->private_data;
1473 struct sock *sk = sock->sk;
1474 struct socket_wq *wq = &sock->wq;
1475
1476 if (sk == NULL)
1477 return -EINVAL;
1478
1479 lock_sock(sk);
1480 fasync_helper(fd, filp, on, &wq->fasync_list);
1481
1482 if (!wq->fasync_list)
1483 sock_reset_flag(sk, flag: SOCK_FASYNC);
1484 else
1485 sock_set_flag(sk, flag: SOCK_FASYNC);
1486
1487 release_sock(sk);
1488 return 0;
1489}
1490
1491/* This function may be called only under rcu_lock */
1492
1493int sock_wake_async(struct socket_wq *wq, int how, int band)
1494{
1495 if (!wq || !wq->fasync_list)
1496 return -1;
1497
1498 switch (how) {
1499 case SOCK_WAKE_WAITD:
1500 if (test_bit(SOCKWQ_ASYNC_WAITDATA, &wq->flags))
1501 break;
1502 goto call_kill;
1503 case SOCK_WAKE_SPACE:
1504 if (!test_and_clear_bit(nr: SOCKWQ_ASYNC_NOSPACE, addr: &wq->flags))
1505 break;
1506 fallthrough;
1507 case SOCK_WAKE_IO:
1508call_kill:
1509 kill_fasync(&wq->fasync_list, SIGIO, band);
1510 break;
1511 case SOCK_WAKE_URG:
1512 kill_fasync(&wq->fasync_list, SIGURG, band);
1513 }
1514
1515 return 0;
1516}
1517EXPORT_SYMBOL(sock_wake_async);
1518
1519/**
1520 * __sock_create - creates a socket
1521 * @net: net namespace
1522 * @family: protocol family (AF_INET, ...)
1523 * @type: communication type (SOCK_STREAM, ...)
1524 * @protocol: protocol (0, ...)
1525 * @res: new socket
1526 * @kern: boolean for kernel space sockets
1527 *
1528 * Creates a new socket and assigns it to @res, passing through LSM.
1529 * Returns 0 or an error. On failure @res is set to %NULL. @kern must
1530 * be set to true if the socket resides in kernel space.
1531 * This function internally uses GFP_KERNEL.
1532 */
1533
1534int __sock_create(struct net *net, int family, int type, int protocol,
1535 struct socket **res, int kern)
1536{
1537 int err;
1538 struct socket *sock;
1539 const struct net_proto_family *pf;
1540
1541 /*
1542 * Check protocol is in range
1543 */
1544 if (family < 0 || family >= NPROTO)
1545 return -EAFNOSUPPORT;
1546 if (type < 0 || type >= SOCK_MAX)
1547 return -EINVAL;
1548
1549 /* Compatibility.
1550
1551 This uglymoron is moved from INET layer to here to avoid
1552 deadlock in module load.
1553 */
1554 if (family == PF_INET && type == SOCK_PACKET) {
1555 pr_info_once("%s uses obsolete (PF_INET,SOCK_PACKET)\n",
1556 current->comm);
1557 family = PF_PACKET;
1558 }
1559
1560 err = security_socket_create(family, type, protocol, kern);
1561 if (err)
1562 return err;
1563
1564 /*
1565 * Allocate the socket and allow the family to set things up. if
1566 * the protocol is 0, the family is instructed to select an appropriate
1567 * default.
1568 */
1569 sock = sock_alloc();
1570 if (!sock) {
1571 net_warn_ratelimited("socket: no more sockets\n");
1572 return -ENFILE; /* Not exactly a match, but its the
1573 closest posix thing */
1574 }
1575
1576 sock->type = type;
1577
1578#ifdef CONFIG_MODULES
1579 /* Attempt to load a protocol module if the find failed.
1580 *
1581 * 12/09/1996 Marcin: But! this makes REALLY only sense, if the user
1582 * requested real, full-featured networking support upon configuration.
1583 * Otherwise module support will break!
1584 */
1585 if (rcu_access_pointer(net_families[family]) == NULL)
1586 request_module("net-pf-%d", family);
1587#endif
1588
1589 rcu_read_lock();
1590 pf = rcu_dereference(net_families[family]);
1591 err = -EAFNOSUPPORT;
1592 if (!pf)
1593 goto out_release;
1594
1595 /*
1596 * We will call the ->create function, that possibly is in a loadable
1597 * module, so we have to bump that loadable module refcnt first.
1598 */
1599 if (!try_module_get(module: pf->owner))
1600 goto out_release;
1601
1602 /* Now protected by module ref count */
1603 rcu_read_unlock();
1604
1605 err = pf->create(net, sock, protocol, kern);
1606 if (err < 0) {
1607 /* ->create should release the allocated sock->sk object on error
1608 * and make sure sock->sk is set to NULL to avoid use-after-free
1609 */
1610 DEBUG_NET_WARN_ONCE(sock->sk,
1611 "%ps must clear sock->sk on failure, family: %d, type: %d, protocol: %d\n",
1612 pf->create, family, type, protocol);
1613 goto out_module_put;
1614 }
1615
1616 /*
1617 * Now to bump the refcnt of the [loadable] module that owns this
1618 * socket at sock_release time we decrement its refcnt.
1619 */
1620 if (!try_module_get(module: sock->ops->owner))
1621 goto out_module_busy;
1622
1623 /*
1624 * Now that we're done with the ->create function, the [loadable]
1625 * module can have its refcnt decremented
1626 */
1627 module_put(module: pf->owner);
1628 err = security_socket_post_create(sock, family, type, protocol, kern);
1629 if (err)
1630 goto out_sock_release;
1631 *res = sock;
1632
1633 return 0;
1634
1635out_module_busy:
1636 err = -EAFNOSUPPORT;
1637out_module_put:
1638 sock->ops = NULL;
1639 module_put(module: pf->owner);
1640out_sock_release:
1641 sock_release(sock);
1642 return err;
1643
1644out_release:
1645 rcu_read_unlock();
1646 goto out_sock_release;
1647}
1648EXPORT_SYMBOL(__sock_create);
1649
1650/**
1651 * sock_create - creates a socket
1652 * @family: protocol family (AF_INET, ...)
1653 * @type: communication type (SOCK_STREAM, ...)
1654 * @protocol: protocol (0, ...)
1655 * @res: new socket
1656 *
1657 * A wrapper around __sock_create().
1658 * Returns 0 or an error. This function internally uses GFP_KERNEL.
1659 */
1660
1661int sock_create(int family, int type, int protocol, struct socket **res)
1662{
1663 return __sock_create(current->nsproxy->net_ns, family, type, protocol, res, 0);
1664}
1665EXPORT_SYMBOL(sock_create);
1666
1667/**
1668 * sock_create_kern - creates a socket (kernel space)
1669 * @net: net namespace
1670 * @family: protocol family (AF_INET, ...)
1671 * @type: communication type (SOCK_STREAM, ...)
1672 * @protocol: protocol (0, ...)
1673 * @res: new socket
1674 *
1675 * A wrapper around __sock_create().
1676 * Returns 0 or an error. This function internally uses GFP_KERNEL.
1677 */
1678
1679int sock_create_kern(struct net *net, int family, int type, int protocol, struct socket **res)
1680{
1681 return __sock_create(net, family, type, protocol, res, 1);
1682}
1683EXPORT_SYMBOL(sock_create_kern);
1684
1685static struct socket *__sys_socket_create(int family, int type, int protocol)
1686{
1687 struct socket *sock;
1688 int retval;
1689
1690 /* Check the SOCK_* constants for consistency. */
1691 BUILD_BUG_ON(SOCK_CLOEXEC != O_CLOEXEC);
1692 BUILD_BUG_ON((SOCK_MAX | SOCK_TYPE_MASK) != SOCK_TYPE_MASK);
1693 BUILD_BUG_ON(SOCK_CLOEXEC & SOCK_TYPE_MASK);
1694 BUILD_BUG_ON(SOCK_NONBLOCK & SOCK_TYPE_MASK);
1695
1696 if ((type & ~SOCK_TYPE_MASK) & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
1697 return ERR_PTR(error: -EINVAL);
1698 type &= SOCK_TYPE_MASK;
1699
1700 retval = sock_create(family, type, protocol, &sock);
1701 if (retval < 0)
1702 return ERR_PTR(error: retval);
1703
1704 return sock;
1705}
1706
1707struct file *__sys_socket_file(int family, int type, int protocol)
1708{
1709 struct socket *sock;
1710 int flags;
1711
1712 sock = __sys_socket_create(family, type, protocol);
1713 if (IS_ERR(ptr: sock))
1714 return ERR_CAST(ptr: sock);
1715
1716 flags = type & ~SOCK_TYPE_MASK;
1717 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1718 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1719
1720 return sock_alloc_file(sock, flags, NULL);
1721}
1722
1723/* A hook for bpf progs to attach to and update socket protocol.
1724 *
1725 * A static noinline declaration here could cause the compiler to
1726 * optimize away the function. A global noinline declaration will
1727 * keep the definition, but may optimize away the callsite.
1728 * Therefore, __weak is needed to ensure that the call is still
1729 * emitted, by telling the compiler that we don't know what the
1730 * function might eventually be.
1731 */
1732
1733__bpf_hook_start();
1734
1735__weak noinline int update_socket_protocol(int family, int type, int protocol)
1736{
1737 return protocol;
1738}
1739
1740__bpf_hook_end();
1741
1742int __sys_socket(int family, int type, int protocol)
1743{
1744 struct socket *sock;
1745 int flags;
1746
1747 sock = __sys_socket_create(family, type,
1748 protocol: update_socket_protocol(family, type, protocol));
1749 if (IS_ERR(ptr: sock))
1750 return PTR_ERR(ptr: sock);
1751
1752 flags = type & ~SOCK_TYPE_MASK;
1753 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1754 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1755
1756 return sock_map_fd(sock, flags: flags & (O_CLOEXEC | O_NONBLOCK));
1757}
1758
1759SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
1760{
1761 return __sys_socket(family, type, protocol);
1762}
1763
1764/*
1765 * Create a pair of connected sockets.
1766 */
1767
1768int __sys_socketpair(int family, int type, int protocol, int __user *usockvec)
1769{
1770 struct socket *sock1, *sock2;
1771 int fd1, fd2, err;
1772 struct file *newfile1, *newfile2;
1773 int flags;
1774
1775 flags = type & ~SOCK_TYPE_MASK;
1776 if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
1777 return -EINVAL;
1778 type &= SOCK_TYPE_MASK;
1779
1780 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1781 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1782
1783 /*
1784 * reserve descriptors and make sure we won't fail
1785 * to return them to userland.
1786 */
1787 fd1 = get_unused_fd_flags(flags);
1788 if (unlikely(fd1 < 0))
1789 return fd1;
1790
1791 fd2 = get_unused_fd_flags(flags);
1792 if (unlikely(fd2 < 0)) {
1793 put_unused_fd(fd: fd1);
1794 return fd2;
1795 }
1796
1797 err = put_user(fd1, &usockvec[0]);
1798 if (err)
1799 goto out;
1800
1801 err = put_user(fd2, &usockvec[1]);
1802 if (err)
1803 goto out;
1804
1805 /*
1806 * Obtain the first socket and check if the underlying protocol
1807 * supports the socketpair call.
1808 */
1809
1810 err = sock_create(family, type, protocol, &sock1);
1811 if (unlikely(err < 0))
1812 goto out;
1813
1814 err = sock_create(family, type, protocol, &sock2);
1815 if (unlikely(err < 0)) {
1816 sock_release(sock1);
1817 goto out;
1818 }
1819
1820 err = security_socket_socketpair(socka: sock1, sockb: sock2);
1821 if (unlikely(err)) {
1822 sock_release(sock2);
1823 sock_release(sock1);
1824 goto out;
1825 }
1826
1827 err = READ_ONCE(sock1->ops)->socketpair(sock1, sock2);
1828 if (unlikely(err < 0)) {
1829 sock_release(sock2);
1830 sock_release(sock1);
1831 goto out;
1832 }
1833
1834 newfile1 = sock_alloc_file(sock1, flags, NULL);
1835 if (IS_ERR(ptr: newfile1)) {
1836 err = PTR_ERR(ptr: newfile1);
1837 sock_release(sock2);
1838 goto out;
1839 }
1840
1841 newfile2 = sock_alloc_file(sock2, flags, NULL);
1842 if (IS_ERR(ptr: newfile2)) {
1843 err = PTR_ERR(ptr: newfile2);
1844 fput(newfile1);
1845 goto out;
1846 }
1847
1848 audit_fd_pair(fd1, fd2);
1849
1850 fd_install(fd: fd1, file: newfile1);
1851 fd_install(fd: fd2, file: newfile2);
1852 return 0;
1853
1854out:
1855 put_unused_fd(fd: fd2);
1856 put_unused_fd(fd: fd1);
1857 return err;
1858}
1859
1860SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
1861 int __user *, usockvec)
1862{
1863 return __sys_socketpair(family, type, protocol, usockvec);
1864}
1865
1866int __sys_bind_socket(struct socket *sock, struct sockaddr_storage *address,
1867 int addrlen)
1868{
1869 int err;
1870
1871 err = security_socket_bind(sock, address: (struct sockaddr *)address,
1872 addrlen);
1873 if (!err)
1874 err = READ_ONCE(sock->ops)->bind(sock,
1875 (struct sockaddr *)address,
1876 addrlen);
1877 return err;
1878}
1879
1880/*
1881 * Bind a name to a socket. Nothing much to do here since it's
1882 * the protocol's responsibility to handle the local address.
1883 *
1884 * We move the socket address to kernel space before we call
1885 * the protocol layer (having also checked the address is ok).
1886 */
1887
1888int __sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
1889{
1890 struct socket *sock;
1891 struct sockaddr_storage address;
1892 CLASS(fd, f)(fd);
1893 int err;
1894
1895 if (fd_empty(f))
1896 return -EBADF;
1897 sock = sock_from_file(fd_file(f));
1898 if (unlikely(!sock))
1899 return -ENOTSOCK;
1900
1901 err = move_addr_to_kernel(uaddr: umyaddr, ulen: addrlen, kaddr: &address);
1902 if (unlikely(err))
1903 return err;
1904
1905 return __sys_bind_socket(sock, address: &address, addrlen);
1906}
1907
1908SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
1909{
1910 return __sys_bind(fd, umyaddr, addrlen);
1911}
1912
1913/*
1914 * Perform a listen. Basically, we allow the protocol to do anything
1915 * necessary for a listen, and if that works, we mark the socket as
1916 * ready for listening.
1917 */
1918int __sys_listen_socket(struct socket *sock, int backlog)
1919{
1920 int somaxconn, err;
1921
1922 somaxconn = READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn);
1923 if ((unsigned int)backlog > somaxconn)
1924 backlog = somaxconn;
1925
1926 err = security_socket_listen(sock, backlog);
1927 if (!err)
1928 err = READ_ONCE(sock->ops)->listen(sock, backlog);
1929 return err;
1930}
1931
1932int __sys_listen(int fd, int backlog)
1933{
1934 CLASS(fd, f)(fd);
1935 struct socket *sock;
1936
1937 if (fd_empty(f))
1938 return -EBADF;
1939 sock = sock_from_file(fd_file(f));
1940 if (unlikely(!sock))
1941 return -ENOTSOCK;
1942
1943 return __sys_listen_socket(sock, backlog);
1944}
1945
1946SYSCALL_DEFINE2(listen, int, fd, int, backlog)
1947{
1948 return __sys_listen(fd, backlog);
1949}
1950
1951struct file *do_accept(struct file *file, struct proto_accept_arg *arg,
1952 struct sockaddr __user *upeer_sockaddr,
1953 int __user *upeer_addrlen, int flags)
1954{
1955 struct socket *sock, *newsock;
1956 struct file *newfile;
1957 int err, len;
1958 struct sockaddr_storage address;
1959 const struct proto_ops *ops;
1960
1961 sock = sock_from_file(file);
1962 if (!sock)
1963 return ERR_PTR(error: -ENOTSOCK);
1964
1965 newsock = sock_alloc();
1966 if (!newsock)
1967 return ERR_PTR(error: -ENFILE);
1968 ops = READ_ONCE(sock->ops);
1969
1970 newsock->type = sock->type;
1971 newsock->ops = ops;
1972
1973 /*
1974 * We don't need try_module_get here, as the listening socket (sock)
1975 * has the protocol module (sock->ops->owner) held.
1976 */
1977 __module_get(module: ops->owner);
1978
1979 newfile = sock_alloc_file(newsock, flags, sock->sk->sk_prot_creator->name);
1980 if (IS_ERR(ptr: newfile))
1981 return newfile;
1982
1983 err = security_socket_accept(sock, newsock);
1984 if (err)
1985 goto out_fd;
1986
1987 arg->flags |= sock->file->f_flags;
1988 err = ops->accept(sock, newsock, arg);
1989 if (err < 0)
1990 goto out_fd;
1991
1992 if (upeer_sockaddr) {
1993 len = ops->getname(newsock, (struct sockaddr *)&address, 2);
1994 if (len < 0) {
1995 err = -ECONNABORTED;
1996 goto out_fd;
1997 }
1998 err = move_addr_to_user(kaddr: &address,
1999 klen: len, uaddr: upeer_sockaddr, ulen: upeer_addrlen);
2000 if (err < 0)
2001 goto out_fd;
2002 }
2003
2004 /* File flags are not inherited via accept() unlike another OSes. */
2005 return newfile;
2006out_fd:
2007 fput(newfile);
2008 return ERR_PTR(error: err);
2009}
2010
2011static int __sys_accept4_file(struct file *file, struct sockaddr __user *upeer_sockaddr,
2012 int __user *upeer_addrlen, int flags)
2013{
2014 struct proto_accept_arg arg = { };
2015 struct file *newfile;
2016 int newfd;
2017
2018 if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
2019 return -EINVAL;
2020
2021 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
2022 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
2023
2024 newfd = get_unused_fd_flags(flags);
2025 if (unlikely(newfd < 0))
2026 return newfd;
2027
2028 newfile = do_accept(file, arg: &arg, upeer_sockaddr, upeer_addrlen,
2029 flags);
2030 if (IS_ERR(ptr: newfile)) {
2031 put_unused_fd(fd: newfd);
2032 return PTR_ERR(ptr: newfile);
2033 }
2034 fd_install(fd: newfd, file: newfile);
2035 return newfd;
2036}
2037
2038/*
2039 * For accept, we attempt to create a new socket, set up the link
2040 * with the client, wake up the client, then return the new
2041 * connected fd. We collect the address of the connector in kernel
2042 * space and move it to user at the very end. This is unclean because
2043 * we open the socket then return an error.
2044 *
2045 * 1003.1g adds the ability to recvmsg() to query connection pending
2046 * status to recvmsg. We need to add that support in a way thats
2047 * clean when we restructure accept also.
2048 */
2049
2050int __sys_accept4(int fd, struct sockaddr __user *upeer_sockaddr,
2051 int __user *upeer_addrlen, int flags)
2052{
2053 CLASS(fd, f)(fd);
2054
2055 if (fd_empty(f))
2056 return -EBADF;
2057 return __sys_accept4_file(fd_file(f), upeer_sockaddr,
2058 upeer_addrlen, flags);
2059}
2060
2061SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
2062 int __user *, upeer_addrlen, int, flags)
2063{
2064 return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags);
2065}
2066
2067SYSCALL_DEFINE3(accept, int, fd, struct sockaddr __user *, upeer_sockaddr,
2068 int __user *, upeer_addrlen)
2069{
2070 return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags: 0);
2071}
2072
2073/*
2074 * Attempt to connect to a socket with the server address. The address
2075 * is in user space so we verify it is OK and move it to kernel space.
2076 *
2077 * For 1003.1g we need to add clean support for a bind to AF_UNSPEC to
2078 * break bindings
2079 *
2080 * NOTE: 1003.1g draft 6.3 is broken with respect to AX.25/NetROM and
2081 * other SEQPACKET protocols that take time to connect() as it doesn't
2082 * include the -EINPROGRESS status for such sockets.
2083 */
2084
2085int __sys_connect_file(struct file *file, struct sockaddr_storage *address,
2086 int addrlen, int file_flags)
2087{
2088 struct socket *sock;
2089 int err;
2090
2091 sock = sock_from_file(file);
2092 if (!sock) {
2093 err = -ENOTSOCK;
2094 goto out;
2095 }
2096
2097 err =
2098 security_socket_connect(sock, address: (struct sockaddr *)address, addrlen);
2099 if (err)
2100 goto out;
2101
2102 err = READ_ONCE(sock->ops)->connect(sock, (struct sockaddr *)address,
2103 addrlen, sock->file->f_flags | file_flags);
2104out:
2105 return err;
2106}
2107
2108int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
2109{
2110 struct sockaddr_storage address;
2111 CLASS(fd, f)(fd);
2112 int ret;
2113
2114 if (fd_empty(f))
2115 return -EBADF;
2116
2117 ret = move_addr_to_kernel(uaddr: uservaddr, ulen: addrlen, kaddr: &address);
2118 if (ret)
2119 return ret;
2120
2121 return __sys_connect_file(fd_file(f), address: &address, addrlen, file_flags: 0);
2122}
2123
2124SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
2125 int, addrlen)
2126{
2127 return __sys_connect(fd, uservaddr, addrlen);
2128}
2129
2130/*
2131 * Get the local address ('name') of a socket object. Move the obtained
2132 * name to user space.
2133 */
2134
2135int __sys_getsockname(int fd, struct sockaddr __user *usockaddr,
2136 int __user *usockaddr_len)
2137{
2138 struct socket *sock;
2139 struct sockaddr_storage address;
2140 CLASS(fd, f)(fd);
2141 int err;
2142
2143 if (fd_empty(f))
2144 return -EBADF;
2145 sock = sock_from_file(fd_file(f));
2146 if (unlikely(!sock))
2147 return -ENOTSOCK;
2148
2149 err = security_socket_getsockname(sock);
2150 if (err)
2151 return err;
2152
2153 err = READ_ONCE(sock->ops)->getname(sock, (struct sockaddr *)&address, 0);
2154 if (err < 0)
2155 return err;
2156
2157 /* "err" is actually length in this case */
2158 return move_addr_to_user(kaddr: &address, klen: err, uaddr: usockaddr, ulen: usockaddr_len);
2159}
2160
2161SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
2162 int __user *, usockaddr_len)
2163{
2164 return __sys_getsockname(fd, usockaddr, usockaddr_len);
2165}
2166
2167/*
2168 * Get the remote address ('name') of a socket object. Move the obtained
2169 * name to user space.
2170 */
2171
2172int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
2173 int __user *usockaddr_len)
2174{
2175 struct socket *sock;
2176 struct sockaddr_storage address;
2177 CLASS(fd, f)(fd);
2178 int err;
2179
2180 if (fd_empty(f))
2181 return -EBADF;
2182 sock = sock_from_file(fd_file(f));
2183 if (unlikely(!sock))
2184 return -ENOTSOCK;
2185
2186 err = security_socket_getpeername(sock);
2187 if (err)
2188 return err;
2189
2190 err = READ_ONCE(sock->ops)->getname(sock, (struct sockaddr *)&address, 1);
2191 if (err < 0)
2192 return err;
2193
2194 /* "err" is actually length in this case */
2195 return move_addr_to_user(kaddr: &address, klen: err, uaddr: usockaddr, ulen: usockaddr_len);
2196}
2197
2198SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
2199 int __user *, usockaddr_len)
2200{
2201 return __sys_getpeername(fd, usockaddr, usockaddr_len);
2202}
2203
2204/*
2205 * Send a datagram to a given address. We move the address into kernel
2206 * space and check the user space data area is readable before invoking
2207 * the protocol.
2208 */
2209int __sys_sendto(int fd, void __user *buff, size_t len, unsigned int flags,
2210 struct sockaddr __user *addr, int addr_len)
2211{
2212 struct socket *sock;
2213 struct sockaddr_storage address;
2214 int err;
2215 struct msghdr msg;
2216
2217 err = import_ubuf(ITER_SOURCE, buf: buff, len, i: &msg.msg_iter);
2218 if (unlikely(err))
2219 return err;
2220
2221 CLASS(fd, f)(fd);
2222 if (fd_empty(f))
2223 return -EBADF;
2224 sock = sock_from_file(fd_file(f));
2225 if (unlikely(!sock))
2226 return -ENOTSOCK;
2227
2228 msg.msg_name = NULL;
2229 msg.msg_control = NULL;
2230 msg.msg_controllen = 0;
2231 msg.msg_namelen = 0;
2232 msg.msg_ubuf = NULL;
2233 if (addr) {
2234 err = move_addr_to_kernel(uaddr: addr, ulen: addr_len, kaddr: &address);
2235 if (err < 0)
2236 return err;
2237 msg.msg_name = (struct sockaddr *)&address;
2238 msg.msg_namelen = addr_len;
2239 }
2240 flags &= ~MSG_INTERNAL_SENDMSG_FLAGS;
2241 if (sock->file->f_flags & O_NONBLOCK)
2242 flags |= MSG_DONTWAIT;
2243 msg.msg_flags = flags;
2244 return __sock_sendmsg(sock, msg: &msg);
2245}
2246
2247SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
2248 unsigned int, flags, struct sockaddr __user *, addr,
2249 int, addr_len)
2250{
2251 return __sys_sendto(fd, buff, len, flags, addr, addr_len);
2252}
2253
2254/*
2255 * Send a datagram down a socket.
2256 */
2257
2258SYSCALL_DEFINE4(send, int, fd, void __user *, buff, size_t, len,
2259 unsigned int, flags)
2260{
2261 return __sys_sendto(fd, buff, len, flags, NULL, addr_len: 0);
2262}
2263
2264/*
2265 * Receive a frame from the socket and optionally record the address of the
2266 * sender. We verify the buffers are writable and if needed move the
2267 * sender address from kernel to user space.
2268 */
2269int __sys_recvfrom(int fd, void __user *ubuf, size_t size, unsigned int flags,
2270 struct sockaddr __user *addr, int __user *addr_len)
2271{
2272 struct sockaddr_storage address;
2273 struct msghdr msg = {
2274 /* Save some cycles and don't copy the address if not needed */
2275 .msg_name = addr ? (struct sockaddr *)&address : NULL,
2276 };
2277 struct socket *sock;
2278 int err, err2;
2279
2280 err = import_ubuf(ITER_DEST, buf: ubuf, len: size, i: &msg.msg_iter);
2281 if (unlikely(err))
2282 return err;
2283
2284 CLASS(fd, f)(fd);
2285
2286 if (fd_empty(f))
2287 return -EBADF;
2288 sock = sock_from_file(fd_file(f));
2289 if (unlikely(!sock))
2290 return -ENOTSOCK;
2291
2292 if (sock->file->f_flags & O_NONBLOCK)
2293 flags |= MSG_DONTWAIT;
2294 err = sock_recvmsg(sock, &msg, flags);
2295
2296 if (err >= 0 && addr != NULL) {
2297 err2 = move_addr_to_user(kaddr: &address,
2298 klen: msg.msg_namelen, uaddr: addr, ulen: addr_len);
2299 if (err2 < 0)
2300 err = err2;
2301 }
2302 return err;
2303}
2304
2305SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
2306 unsigned int, flags, struct sockaddr __user *, addr,
2307 int __user *, addr_len)
2308{
2309 return __sys_recvfrom(fd, ubuf, size, flags, addr, addr_len);
2310}
2311
2312/*
2313 * Receive a datagram from a socket.
2314 */
2315
2316SYSCALL_DEFINE4(recv, int, fd, void __user *, ubuf, size_t, size,
2317 unsigned int, flags)
2318{
2319 return __sys_recvfrom(fd, ubuf, size, flags, NULL, NULL);
2320}
2321
2322static bool sock_use_custom_sol_socket(const struct socket *sock)
2323{
2324 return test_bit(SOCK_CUSTOM_SOCKOPT, &sock->flags);
2325}
2326
2327int do_sock_setsockopt(struct socket *sock, bool compat, int level,
2328 int optname, sockptr_t optval, int optlen)
2329{
2330 const struct proto_ops *ops;
2331 char *kernel_optval = NULL;
2332 int err;
2333
2334 if (optlen < 0)
2335 return -EINVAL;
2336
2337 err = security_socket_setsockopt(sock, level, optname);
2338 if (err)
2339 goto out_put;
2340
2341 if (!compat)
2342 err = BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock->sk, &level, &optname,
2343 optval, &optlen,
2344 &kernel_optval);
2345 if (err < 0)
2346 goto out_put;
2347 if (err > 0) {
2348 err = 0;
2349 goto out_put;
2350 }
2351
2352 if (kernel_optval)
2353 optval = KERNEL_SOCKPTR(p: kernel_optval);
2354 ops = READ_ONCE(sock->ops);
2355 if (level == SOL_SOCKET && !sock_use_custom_sol_socket(sock))
2356 err = sock_setsockopt(sock, level, op: optname, optval, optlen);
2357 else if (unlikely(!ops->setsockopt))
2358 err = -EOPNOTSUPP;
2359 else
2360 err = ops->setsockopt(sock, level, optname, optval,
2361 optlen);
2362 kfree(objp: kernel_optval);
2363out_put:
2364 return err;
2365}
2366EXPORT_SYMBOL(do_sock_setsockopt);
2367
2368/* Set a socket option. Because we don't know the option lengths we have
2369 * to pass the user mode parameter for the protocols to sort out.
2370 */
2371int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
2372 int optlen)
2373{
2374 sockptr_t optval = USER_SOCKPTR(p: user_optval);
2375 bool compat = in_compat_syscall();
2376 struct socket *sock;
2377 CLASS(fd, f)(fd);
2378
2379 if (fd_empty(f))
2380 return -EBADF;
2381 sock = sock_from_file(fd_file(f));
2382 if (unlikely(!sock))
2383 return -ENOTSOCK;
2384
2385 return do_sock_setsockopt(sock, compat, level, optname, optval, optlen);
2386}
2387
2388SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname,
2389 char __user *, optval, int, optlen)
2390{
2391 return __sys_setsockopt(fd, level, optname, user_optval: optval, optlen);
2392}
2393
2394INDIRECT_CALLABLE_DECLARE(bool tcp_bpf_bypass_getsockopt(int level,
2395 int optname));
2396
2397int do_sock_getsockopt(struct socket *sock, bool compat, int level,
2398 int optname, sockptr_t optval, sockptr_t optlen)
2399{
2400 int max_optlen __maybe_unused = 0;
2401 const struct proto_ops *ops;
2402 int err;
2403
2404 err = security_socket_getsockopt(sock, level, optname);
2405 if (err)
2406 return err;
2407
2408 if (!compat)
2409 copy_from_sockptr(dst: &max_optlen, src: optlen, size: sizeof(int));
2410
2411 ops = READ_ONCE(sock->ops);
2412 if (level == SOL_SOCKET) {
2413 err = sk_getsockopt(sk: sock->sk, level, optname, optval, optlen);
2414 } else if (unlikely(!ops->getsockopt)) {
2415 err = -EOPNOTSUPP;
2416 } else {
2417 if (WARN_ONCE(optval.is_kernel || optlen.is_kernel,
2418 "Invalid argument type"))
2419 return -EOPNOTSUPP;
2420
2421 err = ops->getsockopt(sock, level, optname, optval.user,
2422 optlen.user);
2423 }
2424
2425 if (!compat)
2426 err = BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock->sk, level, optname,
2427 optval, optlen, max_optlen,
2428 err);
2429
2430 return err;
2431}
2432EXPORT_SYMBOL(do_sock_getsockopt);
2433
2434/*
2435 * Get a socket option. Because we don't know the option lengths we have
2436 * to pass a user mode parameter for the protocols to sort out.
2437 */
2438int __sys_getsockopt(int fd, int level, int optname, char __user *optval,
2439 int __user *optlen)
2440{
2441 struct socket *sock;
2442 CLASS(fd, f)(fd);
2443
2444 if (fd_empty(f))
2445 return -EBADF;
2446 sock = sock_from_file(fd_file(f));
2447 if (unlikely(!sock))
2448 return -ENOTSOCK;
2449
2450 return do_sock_getsockopt(sock, in_compat_syscall(), level, optname,
2451 USER_SOCKPTR(p: optval), USER_SOCKPTR(p: optlen));
2452}
2453
2454SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
2455 char __user *, optval, int __user *, optlen)
2456{
2457 return __sys_getsockopt(fd, level, optname, optval, optlen);
2458}
2459
2460/*
2461 * Shutdown a socket.
2462 */
2463
2464int __sys_shutdown_sock(struct socket *sock, int how)
2465{
2466 int err;
2467
2468 err = security_socket_shutdown(sock, how);
2469 if (!err)
2470 err = READ_ONCE(sock->ops)->shutdown(sock, how);
2471
2472 return err;
2473}
2474
2475int __sys_shutdown(int fd, int how)
2476{
2477 struct socket *sock;
2478 CLASS(fd, f)(fd);
2479
2480 if (fd_empty(f))
2481 return -EBADF;
2482 sock = sock_from_file(fd_file(f));
2483 if (unlikely(!sock))
2484 return -ENOTSOCK;
2485
2486 return __sys_shutdown_sock(sock, how);
2487}
2488
2489SYSCALL_DEFINE2(shutdown, int, fd, int, how)
2490{
2491 return __sys_shutdown(fd, how);
2492}
2493
2494/* A couple of helpful macros for getting the address of the 32/64 bit
2495 * fields which are the same type (int / unsigned) on our platforms.
2496 */
2497#define COMPAT_MSG(msg, member) ((MSG_CMSG_COMPAT & flags) ? &msg##_compat->member : &msg->member)
2498#define COMPAT_NAMELEN(msg) COMPAT_MSG(msg, msg_namelen)
2499#define COMPAT_FLAGS(msg) COMPAT_MSG(msg, msg_flags)
2500
2501struct used_address {
2502 struct sockaddr_storage name;
2503 unsigned int name_len;
2504};
2505
2506int __copy_msghdr(struct msghdr *kmsg,
2507 struct user_msghdr *msg,
2508 struct sockaddr __user **save_addr)
2509{
2510 ssize_t err;
2511
2512 kmsg->msg_control_is_user = true;
2513 kmsg->msg_get_inq = 0;
2514 kmsg->msg_control_user = msg->msg_control;
2515 kmsg->msg_controllen = msg->msg_controllen;
2516 kmsg->msg_flags = msg->msg_flags;
2517
2518 kmsg->msg_namelen = msg->msg_namelen;
2519 if (!msg->msg_name)
2520 kmsg->msg_namelen = 0;
2521
2522 if (kmsg->msg_namelen < 0)
2523 return -EINVAL;
2524
2525 if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
2526 kmsg->msg_namelen = sizeof(struct sockaddr_storage);
2527
2528 if (save_addr)
2529 *save_addr = msg->msg_name;
2530
2531 if (msg->msg_name && kmsg->msg_namelen) {
2532 if (!save_addr) {
2533 err = move_addr_to_kernel(uaddr: msg->msg_name,
2534 ulen: kmsg->msg_namelen,
2535 kaddr: kmsg->msg_name);
2536 if (err < 0)
2537 return err;
2538 }
2539 } else {
2540 kmsg->msg_name = NULL;
2541 kmsg->msg_namelen = 0;
2542 }
2543
2544 if (msg->msg_iovlen > UIO_MAXIOV)
2545 return -EMSGSIZE;
2546
2547 kmsg->msg_iocb = NULL;
2548 kmsg->msg_ubuf = NULL;
2549 return 0;
2550}
2551
2552static int copy_msghdr_from_user(struct msghdr *kmsg,
2553 struct user_msghdr __user *umsg,
2554 struct sockaddr __user **save_addr,
2555 struct iovec **iov)
2556{
2557 struct user_msghdr msg;
2558 ssize_t err;
2559
2560 if (copy_from_user(to: &msg, from: umsg, n: sizeof(*umsg)))
2561 return -EFAULT;
2562
2563 err = __copy_msghdr(kmsg, msg: &msg, save_addr);
2564 if (err)
2565 return err;
2566
2567 err = import_iovec(type: save_addr ? ITER_DEST : ITER_SOURCE,
2568 uvec: msg.msg_iov, nr_segs: msg.msg_iovlen,
2569 UIO_FASTIOV, iovp: iov, i: &kmsg->msg_iter);
2570 return err < 0 ? err : 0;
2571}
2572
2573static int ____sys_sendmsg(struct socket *sock, struct msghdr *msg_sys,
2574 unsigned int flags, struct used_address *used_address,
2575 unsigned int allowed_msghdr_flags)
2576{
2577 unsigned char ctl[sizeof(struct cmsghdr) + 20]
2578 __aligned(sizeof(__kernel_size_t));
2579 /* 20 is size of ipv6_pktinfo */
2580 unsigned char *ctl_buf = ctl;
2581 int ctl_len;
2582 ssize_t err;
2583
2584 err = -ENOBUFS;
2585
2586 if (msg_sys->msg_controllen > INT_MAX)
2587 goto out;
2588 flags |= (msg_sys->msg_flags & allowed_msghdr_flags);
2589 ctl_len = msg_sys->msg_controllen;
2590 if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
2591 err =
2592 cmsghdr_from_user_compat_to_kern(msg_sys, sock->sk, ctl,
2593 sizeof(ctl));
2594 if (err)
2595 goto out;
2596 ctl_buf = msg_sys->msg_control;
2597 ctl_len = msg_sys->msg_controllen;
2598 } else if (ctl_len) {
2599 BUILD_BUG_ON(sizeof(struct cmsghdr) !=
2600 CMSG_ALIGN(sizeof(struct cmsghdr)));
2601 if (ctl_len > sizeof(ctl)) {
2602 ctl_buf = sock_kmalloc(sk: sock->sk, size: ctl_len, GFP_KERNEL);
2603 if (ctl_buf == NULL)
2604 goto out;
2605 }
2606 err = -EFAULT;
2607 if (copy_from_user(to: ctl_buf, from: msg_sys->msg_control_user, n: ctl_len))
2608 goto out_freectl;
2609 msg_sys->msg_control = ctl_buf;
2610 msg_sys->msg_control_is_user = false;
2611 }
2612 flags &= ~MSG_INTERNAL_SENDMSG_FLAGS;
2613 msg_sys->msg_flags = flags;
2614
2615 if (sock->file->f_flags & O_NONBLOCK)
2616 msg_sys->msg_flags |= MSG_DONTWAIT;
2617 /*
2618 * If this is sendmmsg() and current destination address is same as
2619 * previously succeeded address, omit asking LSM's decision.
2620 * used_address->name_len is initialized to UINT_MAX so that the first
2621 * destination address never matches.
2622 */
2623 if (used_address && msg_sys->msg_name &&
2624 used_address->name_len == msg_sys->msg_namelen &&
2625 !memcmp(&used_address->name, msg_sys->msg_name,
2626 used_address->name_len)) {
2627 err = sock_sendmsg_nosec(sock, msg: msg_sys);
2628 goto out_freectl;
2629 }
2630 err = __sock_sendmsg(sock, msg: msg_sys);
2631 /*
2632 * If this is sendmmsg() and sending to current destination address was
2633 * successful, remember it.
2634 */
2635 if (used_address && err >= 0) {
2636 used_address->name_len = msg_sys->msg_namelen;
2637 if (msg_sys->msg_name)
2638 memcpy(to: &used_address->name, from: msg_sys->msg_name,
2639 len: used_address->name_len);
2640 }
2641
2642out_freectl:
2643 if (ctl_buf != ctl)
2644 sock_kfree_s(sk: sock->sk, mem: ctl_buf, size: ctl_len);
2645out:
2646 return err;
2647}
2648
2649static int sendmsg_copy_msghdr(struct msghdr *msg,
2650 struct user_msghdr __user *umsg, unsigned flags,
2651 struct iovec **iov)
2652{
2653 int err;
2654
2655 if (flags & MSG_CMSG_COMPAT) {
2656 struct compat_msghdr __user *msg_compat;
2657
2658 msg_compat = (struct compat_msghdr __user *) umsg;
2659 err = get_compat_msghdr(msg, msg_compat, NULL, iov);
2660 } else {
2661 err = copy_msghdr_from_user(kmsg: msg, umsg, NULL, iov);
2662 }
2663 if (err < 0)
2664 return err;
2665
2666 return 0;
2667}
2668
2669static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
2670 struct msghdr *msg_sys, unsigned int flags,
2671 struct used_address *used_address,
2672 unsigned int allowed_msghdr_flags)
2673{
2674 struct sockaddr_storage address;
2675 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
2676 ssize_t err;
2677
2678 msg_sys->msg_name = &address;
2679
2680 err = sendmsg_copy_msghdr(msg: msg_sys, umsg: msg, flags, iov: &iov);
2681 if (err < 0)
2682 return err;
2683
2684 err = ____sys_sendmsg(sock, msg_sys, flags, used_address,
2685 allowed_msghdr_flags);
2686 kfree(objp: iov);
2687 return err;
2688}
2689
2690/*
2691 * BSD sendmsg interface
2692 */
2693long __sys_sendmsg_sock(struct socket *sock, struct msghdr *msg,
2694 unsigned int flags)
2695{
2696 return ____sys_sendmsg(sock, msg_sys: msg, flags, NULL, allowed_msghdr_flags: 0);
2697}
2698
2699long __sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned int flags,
2700 bool forbid_cmsg_compat)
2701{
2702 struct msghdr msg_sys;
2703 struct socket *sock;
2704
2705 if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2706 return -EINVAL;
2707
2708 CLASS(fd, f)(fd);
2709
2710 if (fd_empty(f))
2711 return -EBADF;
2712 sock = sock_from_file(fd_file(f));
2713 if (unlikely(!sock))
2714 return -ENOTSOCK;
2715
2716 return ___sys_sendmsg(sock, msg, msg_sys: &msg_sys, flags, NULL, allowed_msghdr_flags: 0);
2717}
2718
2719SYSCALL_DEFINE3(sendmsg, int, fd, struct user_msghdr __user *, msg, unsigned int, flags)
2720{
2721 return __sys_sendmsg(fd, msg, flags, forbid_cmsg_compat: true);
2722}
2723
2724/*
2725 * Linux sendmmsg interface
2726 */
2727
2728int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
2729 unsigned int flags, bool forbid_cmsg_compat)
2730{
2731 int err, datagrams;
2732 struct socket *sock;
2733 struct mmsghdr __user *entry;
2734 struct compat_mmsghdr __user *compat_entry;
2735 struct msghdr msg_sys;
2736 struct used_address used_address;
2737 unsigned int oflags = flags;
2738
2739 if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2740 return -EINVAL;
2741
2742 if (vlen > UIO_MAXIOV)
2743 vlen = UIO_MAXIOV;
2744
2745 datagrams = 0;
2746
2747 CLASS(fd, f)(fd);
2748
2749 if (fd_empty(f))
2750 return -EBADF;
2751 sock = sock_from_file(fd_file(f));
2752 if (unlikely(!sock))
2753 return -ENOTSOCK;
2754
2755 used_address.name_len = UINT_MAX;
2756 entry = mmsg;
2757 compat_entry = (struct compat_mmsghdr __user *)mmsg;
2758 err = 0;
2759 flags |= MSG_BATCH;
2760
2761 while (datagrams < vlen) {
2762 if (datagrams == vlen - 1)
2763 flags = oflags;
2764
2765 if (MSG_CMSG_COMPAT & flags) {
2766 err = ___sys_sendmsg(sock, msg: (struct user_msghdr __user *)compat_entry,
2767 msg_sys: &msg_sys, flags, used_address: &used_address, MSG_EOR);
2768 if (err < 0)
2769 break;
2770 err = __put_user(err, &compat_entry->msg_len);
2771 ++compat_entry;
2772 } else {
2773 err = ___sys_sendmsg(sock,
2774 msg: (struct user_msghdr __user *)entry,
2775 msg_sys: &msg_sys, flags, used_address: &used_address, MSG_EOR);
2776 if (err < 0)
2777 break;
2778 err = put_user(err, &entry->msg_len);
2779 ++entry;
2780 }
2781
2782 if (err)
2783 break;
2784 ++datagrams;
2785 if (msg_data_left(msg: &msg_sys))
2786 break;
2787 cond_resched();
2788 }
2789
2790 /* We only return an error if no datagrams were able to be sent */
2791 if (datagrams != 0)
2792 return datagrams;
2793
2794 return err;
2795}
2796
2797SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
2798 unsigned int, vlen, unsigned int, flags)
2799{
2800 return __sys_sendmmsg(fd, mmsg, vlen, flags, forbid_cmsg_compat: true);
2801}
2802
2803static int recvmsg_copy_msghdr(struct msghdr *msg,
2804 struct user_msghdr __user *umsg, unsigned flags,
2805 struct sockaddr __user **uaddr,
2806 struct iovec **iov)
2807{
2808 ssize_t err;
2809
2810 if (MSG_CMSG_COMPAT & flags) {
2811 struct compat_msghdr __user *msg_compat;
2812
2813 msg_compat = (struct compat_msghdr __user *) umsg;
2814 err = get_compat_msghdr(msg, msg_compat, uaddr, iov);
2815 } else {
2816 err = copy_msghdr_from_user(kmsg: msg, umsg, save_addr: uaddr, iov);
2817 }
2818 if (err < 0)
2819 return err;
2820
2821 return 0;
2822}
2823
2824static int ____sys_recvmsg(struct socket *sock, struct msghdr *msg_sys,
2825 struct user_msghdr __user *msg,
2826 struct sockaddr __user *uaddr,
2827 unsigned int flags, int nosec)
2828{
2829 struct compat_msghdr __user *msg_compat =
2830 (struct compat_msghdr __user *) msg;
2831 int __user *uaddr_len = COMPAT_NAMELEN(msg);
2832 struct sockaddr_storage addr;
2833 unsigned long cmsg_ptr;
2834 int len;
2835 ssize_t err;
2836
2837 msg_sys->msg_name = &addr;
2838 cmsg_ptr = (unsigned long)msg_sys->msg_control;
2839 msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
2840
2841 /* We assume all kernel code knows the size of sockaddr_storage */
2842 msg_sys->msg_namelen = 0;
2843
2844 if (sock->file->f_flags & O_NONBLOCK)
2845 flags |= MSG_DONTWAIT;
2846
2847 if (unlikely(nosec))
2848 err = sock_recvmsg_nosec(sock, msg: msg_sys, flags);
2849 else
2850 err = sock_recvmsg(sock, msg_sys, flags);
2851
2852 if (err < 0)
2853 goto out;
2854 len = err;
2855
2856 if (uaddr != NULL) {
2857 err = move_addr_to_user(kaddr: &addr,
2858 klen: msg_sys->msg_namelen, uaddr,
2859 ulen: uaddr_len);
2860 if (err < 0)
2861 goto out;
2862 }
2863 err = __put_user((msg_sys->msg_flags & ~MSG_CMSG_COMPAT),
2864 COMPAT_FLAGS(msg));
2865 if (err)
2866 goto out;
2867 if (MSG_CMSG_COMPAT & flags)
2868 err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
2869 &msg_compat->msg_controllen);
2870 else
2871 err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
2872 &msg->msg_controllen);
2873 if (err)
2874 goto out;
2875 err = len;
2876out:
2877 return err;
2878}
2879
2880static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
2881 struct msghdr *msg_sys, unsigned int flags, int nosec)
2882{
2883 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
2884 /* user mode address pointers */
2885 struct sockaddr __user *uaddr;
2886 ssize_t err;
2887
2888 err = recvmsg_copy_msghdr(msg: msg_sys, umsg: msg, flags, uaddr: &uaddr, iov: &iov);
2889 if (err < 0)
2890 return err;
2891
2892 err = ____sys_recvmsg(sock, msg_sys, msg, uaddr, flags, nosec);
2893 kfree(objp: iov);
2894 return err;
2895}
2896
2897/*
2898 * BSD recvmsg interface
2899 */
2900
2901long __sys_recvmsg_sock(struct socket *sock, struct msghdr *msg,
2902 struct user_msghdr __user *umsg,
2903 struct sockaddr __user *uaddr, unsigned int flags)
2904{
2905 return ____sys_recvmsg(sock, msg_sys: msg, msg: umsg, uaddr, flags, nosec: 0);
2906}
2907
2908long __sys_recvmsg(int fd, struct user_msghdr __user *msg, unsigned int flags,
2909 bool forbid_cmsg_compat)
2910{
2911 struct msghdr msg_sys;
2912 struct socket *sock;
2913
2914 if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2915 return -EINVAL;
2916
2917 CLASS(fd, f)(fd);
2918
2919 if (fd_empty(f))
2920 return -EBADF;
2921 sock = sock_from_file(fd_file(f));
2922 if (unlikely(!sock))
2923 return -ENOTSOCK;
2924
2925 return ___sys_recvmsg(sock, msg, msg_sys: &msg_sys, flags, nosec: 0);
2926}
2927
2928SYSCALL_DEFINE3(recvmsg, int, fd, struct user_msghdr __user *, msg,
2929 unsigned int, flags)
2930{
2931 return __sys_recvmsg(fd, msg, flags, forbid_cmsg_compat: true);
2932}
2933
2934/*
2935 * Linux recvmmsg interface
2936 */
2937
2938static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
2939 unsigned int vlen, unsigned int flags,
2940 struct timespec64 *timeout)
2941{
2942 int err = 0, datagrams;
2943 struct socket *sock;
2944 struct mmsghdr __user *entry;
2945 struct compat_mmsghdr __user *compat_entry;
2946 struct msghdr msg_sys;
2947 struct timespec64 end_time;
2948 struct timespec64 timeout64;
2949
2950 if (timeout &&
2951 poll_select_set_timeout(to: &end_time, sec: timeout->tv_sec,
2952 nsec: timeout->tv_nsec))
2953 return -EINVAL;
2954
2955 datagrams = 0;
2956
2957 CLASS(fd, f)(fd);
2958
2959 if (fd_empty(f))
2960 return -EBADF;
2961 sock = sock_from_file(fd_file(f));
2962 if (unlikely(!sock))
2963 return -ENOTSOCK;
2964
2965 if (likely(!(flags & MSG_ERRQUEUE))) {
2966 err = sock_error(sk: sock->sk);
2967 if (err)
2968 return err;
2969 }
2970
2971 entry = mmsg;
2972 compat_entry = (struct compat_mmsghdr __user *)mmsg;
2973
2974 while (datagrams < vlen) {
2975 /*
2976 * No need to ask LSM for more than the first datagram.
2977 */
2978 if (MSG_CMSG_COMPAT & flags) {
2979 err = ___sys_recvmsg(sock, msg: (struct user_msghdr __user *)compat_entry,
2980 msg_sys: &msg_sys, flags: flags & ~MSG_WAITFORONE,
2981 nosec: datagrams);
2982 if (err < 0)
2983 break;
2984 err = __put_user(err, &compat_entry->msg_len);
2985 ++compat_entry;
2986 } else {
2987 err = ___sys_recvmsg(sock,
2988 msg: (struct user_msghdr __user *)entry,
2989 msg_sys: &msg_sys, flags: flags & ~MSG_WAITFORONE,
2990 nosec: datagrams);
2991 if (err < 0)
2992 break;
2993 err = put_user(err, &entry->msg_len);
2994 ++entry;
2995 }
2996
2997 if (err)
2998 break;
2999 ++datagrams;
3000
3001 /* MSG_WAITFORONE turns on MSG_DONTWAIT after one packet */
3002 if (flags & MSG_WAITFORONE)
3003 flags |= MSG_DONTWAIT;
3004
3005 if (timeout) {
3006 ktime_get_ts64(ts: &timeout64);
3007 *timeout = timespec64_sub(lhs: end_time, rhs: timeout64);
3008 if (timeout->tv_sec < 0) {
3009 timeout->tv_sec = timeout->tv_nsec = 0;
3010 break;
3011 }
3012
3013 /* Timeout, return less than vlen datagrams */
3014 if (timeout->tv_nsec == 0 && timeout->tv_sec == 0)
3015 break;
3016 }
3017
3018 /* Out of band data, return right away */
3019 if (msg_sys.msg_flags & MSG_OOB)
3020 break;
3021 cond_resched();
3022 }
3023
3024 if (err == 0)
3025 return datagrams;
3026
3027 if (datagrams == 0)
3028 return err;
3029
3030 /*
3031 * We may return less entries than requested (vlen) if the
3032 * sock is non block and there aren't enough datagrams...
3033 */
3034 if (err != -EAGAIN) {
3035 /*
3036 * ... or if recvmsg returns an error after we
3037 * received some datagrams, where we record the
3038 * error to return on the next call or if the
3039 * app asks about it using getsockopt(SO_ERROR).
3040 */
3041 WRITE_ONCE(sock->sk->sk_err, -err);
3042 }
3043 return datagrams;
3044}
3045
3046int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg,
3047 unsigned int vlen, unsigned int flags,
3048 struct __kernel_timespec __user *timeout,
3049 struct old_timespec32 __user *timeout32)
3050{
3051 int datagrams;
3052 struct timespec64 timeout_sys;
3053
3054 if (timeout && get_timespec64(ts: &timeout_sys, uts: timeout))
3055 return -EFAULT;
3056
3057 if (timeout32 && get_old_timespec32(&timeout_sys, timeout32))
3058 return -EFAULT;
3059
3060 if (!timeout && !timeout32)
3061 return do_recvmmsg(fd, mmsg, vlen, flags, NULL);
3062
3063 datagrams = do_recvmmsg(fd, mmsg, vlen, flags, timeout: &timeout_sys);
3064
3065 if (datagrams <= 0)
3066 return datagrams;
3067
3068 if (timeout && put_timespec64(ts: &timeout_sys, uts: timeout))
3069 datagrams = -EFAULT;
3070
3071 if (timeout32 && put_old_timespec32(&timeout_sys, timeout32))
3072 datagrams = -EFAULT;
3073
3074 return datagrams;
3075}
3076
3077SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
3078 unsigned int, vlen, unsigned int, flags,
3079 struct __kernel_timespec __user *, timeout)
3080{
3081 if (flags & MSG_CMSG_COMPAT)
3082 return -EINVAL;
3083
3084 return __sys_recvmmsg(fd, mmsg, vlen, flags, timeout, NULL);
3085}
3086
3087#ifdef CONFIG_COMPAT_32BIT_TIME
3088SYSCALL_DEFINE5(recvmmsg_time32, int, fd, struct mmsghdr __user *, mmsg,
3089 unsigned int, vlen, unsigned int, flags,
3090 struct old_timespec32 __user *, timeout)
3091{
3092 if (flags & MSG_CMSG_COMPAT)
3093 return -EINVAL;
3094
3095 return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL, timeout32: timeout);
3096}
3097#endif
3098
3099#ifdef __ARCH_WANT_SYS_SOCKETCALL
3100/* Argument list sizes for sys_socketcall */
3101#define AL(x) ((x) * sizeof(unsigned long))
3102static const unsigned char nargs[21] = {
3103 AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
3104 AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
3105 AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
3106 AL(4), AL(5), AL(4)
3107};
3108
3109#undef AL
3110
3111/*
3112 * System call vectors.
3113 *
3114 * Argument checking cleaned up. Saved 20% in size.
3115 * This function doesn't need to set the kernel lock because
3116 * it is set by the callees.
3117 */
3118
3119SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
3120{
3121 unsigned long a[AUDITSC_ARGS];
3122 unsigned long a0, a1;
3123 int err;
3124 unsigned int len;
3125
3126 if (call < 1 || call > SYS_SENDMMSG)
3127 return -EINVAL;
3128 call = array_index_nospec(call, SYS_SENDMMSG + 1);
3129
3130 len = nargs[call];
3131 if (len > sizeof(a))
3132 return -EINVAL;
3133
3134 /* copy_from_user should be SMP safe. */
3135 if (copy_from_user(to: a, from: args, n: len))
3136 return -EFAULT;
3137
3138 err = audit_socketcall(nargs: nargs[call] / sizeof(unsigned long), args: a);
3139 if (err)
3140 return err;
3141
3142 a0 = a[0];
3143 a1 = a[1];
3144
3145 switch (call) {
3146 case SYS_SOCKET:
3147 err = __sys_socket(family: a0, type: a1, protocol: a[2]);
3148 break;
3149 case SYS_BIND:
3150 err = __sys_bind(fd: a0, umyaddr: (struct sockaddr __user *)a1, addrlen: a[2]);
3151 break;
3152 case SYS_CONNECT:
3153 err = __sys_connect(fd: a0, uservaddr: (struct sockaddr __user *)a1, addrlen: a[2]);
3154 break;
3155 case SYS_LISTEN:
3156 err = __sys_listen(fd: a0, backlog: a1);
3157 break;
3158 case SYS_ACCEPT:
3159 err = __sys_accept4(fd: a0, upeer_sockaddr: (struct sockaddr __user *)a1,
3160 upeer_addrlen: (int __user *)a[2], flags: 0);
3161 break;
3162 case SYS_GETSOCKNAME:
3163 err =
3164 __sys_getsockname(fd: a0, usockaddr: (struct sockaddr __user *)a1,
3165 usockaddr_len: (int __user *)a[2]);
3166 break;
3167 case SYS_GETPEERNAME:
3168 err =
3169 __sys_getpeername(fd: a0, usockaddr: (struct sockaddr __user *)a1,
3170 usockaddr_len: (int __user *)a[2]);
3171 break;
3172 case SYS_SOCKETPAIR:
3173 err = __sys_socketpair(family: a0, type: a1, protocol: a[2], usockvec: (int __user *)a[3]);
3174 break;
3175 case SYS_SEND:
3176 err = __sys_sendto(fd: a0, buff: (void __user *)a1, len: a[2], flags: a[3],
3177 NULL, addr_len: 0);
3178 break;
3179 case SYS_SENDTO:
3180 err = __sys_sendto(fd: a0, buff: (void __user *)a1, len: a[2], flags: a[3],
3181 addr: (struct sockaddr __user *)a[4], addr_len: a[5]);
3182 break;
3183 case SYS_RECV:
3184 err = __sys_recvfrom(fd: a0, ubuf: (void __user *)a1, size: a[2], flags: a[3],
3185 NULL, NULL);
3186 break;
3187 case SYS_RECVFROM:
3188 err = __sys_recvfrom(fd: a0, ubuf: (void __user *)a1, size: a[2], flags: a[3],
3189 addr: (struct sockaddr __user *)a[4],
3190 addr_len: (int __user *)a[5]);
3191 break;
3192 case SYS_SHUTDOWN:
3193 err = __sys_shutdown(fd: a0, how: a1);
3194 break;
3195 case SYS_SETSOCKOPT:
3196 err = __sys_setsockopt(fd: a0, level: a1, optname: a[2], user_optval: (char __user *)a[3],
3197 optlen: a[4]);
3198 break;
3199 case SYS_GETSOCKOPT:
3200 err =
3201 __sys_getsockopt(fd: a0, level: a1, optname: a[2], optval: (char __user *)a[3],
3202 optlen: (int __user *)a[4]);
3203 break;
3204 case SYS_SENDMSG:
3205 err = __sys_sendmsg(fd: a0, msg: (struct user_msghdr __user *)a1,
3206 flags: a[2], forbid_cmsg_compat: true);
3207 break;
3208 case SYS_SENDMMSG:
3209 err = __sys_sendmmsg(fd: a0, mmsg: (struct mmsghdr __user *)a1, vlen: a[2],
3210 flags: a[3], forbid_cmsg_compat: true);
3211 break;
3212 case SYS_RECVMSG:
3213 err = __sys_recvmsg(fd: a0, msg: (struct user_msghdr __user *)a1,
3214 flags: a[2], forbid_cmsg_compat: true);
3215 break;
3216 case SYS_RECVMMSG:
3217 if (IS_ENABLED(CONFIG_64BIT))
3218 err = __sys_recvmmsg(fd: a0, mmsg: (struct mmsghdr __user *)a1,
3219 vlen: a[2], flags: a[3],
3220 timeout: (struct __kernel_timespec __user *)a[4],
3221 NULL);
3222 else
3223 err = __sys_recvmmsg(fd: a0, mmsg: (struct mmsghdr __user *)a1,
3224 vlen: a[2], flags: a[3], NULL,
3225 timeout32: (struct old_timespec32 __user *)a[4]);
3226 break;
3227 case SYS_ACCEPT4:
3228 err = __sys_accept4(fd: a0, upeer_sockaddr: (struct sockaddr __user *)a1,
3229 upeer_addrlen: (int __user *)a[2], flags: a[3]);
3230 break;
3231 default:
3232 err = -EINVAL;
3233 break;
3234 }
3235 return err;
3236}
3237
3238#endif /* __ARCH_WANT_SYS_SOCKETCALL */
3239
3240/**
3241 * sock_register - add a socket protocol handler
3242 * @ops: description of protocol
3243 *
3244 * This function is called by a protocol handler that wants to
3245 * advertise its address family, and have it linked into the
3246 * socket interface. The value ops->family corresponds to the
3247 * socket system call protocol family.
3248 */
3249int sock_register(const struct net_proto_family *ops)
3250{
3251 int err;
3252
3253 if (ops->family >= NPROTO) {
3254 pr_crit("protocol %d >= NPROTO(%d)\n", ops->family, NPROTO);
3255 return -ENOBUFS;
3256 }
3257
3258 spin_lock(lock: &net_family_lock);
3259 if (rcu_dereference_protected(net_families[ops->family],
3260 lockdep_is_held(&net_family_lock)))
3261 err = -EEXIST;
3262 else {
3263 rcu_assign_pointer(net_families[ops->family], ops);
3264 err = 0;
3265 }
3266 spin_unlock(lock: &net_family_lock);
3267
3268 pr_info("NET: Registered %s protocol family\n", pf_family_names[ops->family]);
3269 return err;
3270}
3271EXPORT_SYMBOL(sock_register);
3272
3273/**
3274 * sock_unregister - remove a protocol handler
3275 * @family: protocol family to remove
3276 *
3277 * This function is called by a protocol handler that wants to
3278 * remove its address family, and have it unlinked from the
3279 * new socket creation.
3280 *
3281 * If protocol handler is a module, then it can use module reference
3282 * counts to protect against new references. If protocol handler is not
3283 * a module then it needs to provide its own protection in
3284 * the ops->create routine.
3285 */
3286void sock_unregister(int family)
3287{
3288 BUG_ON(family < 0 || family >= NPROTO);
3289
3290 spin_lock(lock: &net_family_lock);
3291 RCU_INIT_POINTER(net_families[family], NULL);
3292 spin_unlock(lock: &net_family_lock);
3293
3294 synchronize_rcu();
3295
3296 pr_info("NET: Unregistered %s protocol family\n", pf_family_names[family]);
3297}
3298EXPORT_SYMBOL(sock_unregister);
3299
3300bool sock_is_registered(int family)
3301{
3302 return family < NPROTO && rcu_access_pointer(net_families[family]);
3303}
3304
3305static int __init sock_init(void)
3306{
3307 int err;
3308 /*
3309 * Initialize the network sysctl infrastructure.
3310 */
3311 err = net_sysctl_init();
3312 if (err)
3313 goto out;
3314
3315 /*
3316 * Initialize skbuff SLAB cache
3317 */
3318 skb_init();
3319
3320 /*
3321 * Initialize the protocols module.
3322 */
3323
3324 init_inodecache();
3325
3326 err = register_filesystem(&sock_fs_type);
3327 if (err)
3328 goto out;
3329 sock_mnt = kern_mount(&sock_fs_type);
3330 if (IS_ERR(ptr: sock_mnt)) {
3331 err = PTR_ERR(ptr: sock_mnt);
3332 goto out_mount;
3333 }
3334
3335 /* The real protocol initialization is performed in later initcalls.
3336 */
3337
3338#ifdef CONFIG_NETFILTER
3339 err = netfilter_init();
3340 if (err)
3341 goto out;
3342#endif
3343
3344 ptp_classifier_init();
3345
3346out:
3347 return err;
3348
3349out_mount:
3350 unregister_filesystem(&sock_fs_type);
3351 goto out;
3352}
3353
3354core_initcall(sock_init); /* early initcall */
3355
3356#ifdef CONFIG_PROC_FS
3357void socket_seq_show(struct seq_file *seq)
3358{
3359 seq_printf(m: seq, fmt: "sockets: used %d\n",
3360 sock_inuse_get(net: seq->private));
3361}
3362#endif /* CONFIG_PROC_FS */
3363
3364/* Handle the fact that while struct ifreq has the same *layout* on
3365 * 32/64 for everything but ifreq::ifru_ifmap and ifreq::ifru_data,
3366 * which are handled elsewhere, it still has different *size* due to
3367 * ifreq::ifru_ifmap (which is 16 bytes on 32 bit, 24 bytes on 64-bit,
3368 * resulting in struct ifreq being 32 and 40 bytes respectively).
3369 * As a result, if the struct happens to be at the end of a page and
3370 * the next page isn't readable/writable, we get a fault. To prevent
3371 * that, copy back and forth to the full size.
3372 */
3373int get_user_ifreq(struct ifreq *ifr, void __user **ifrdata, void __user *arg)
3374{
3375 if (in_compat_syscall()) {
3376 struct compat_ifreq *ifr32 = (struct compat_ifreq *)ifr;
3377
3378 memset(s: ifr, c: 0, n: sizeof(*ifr));
3379 if (copy_from_user(to: ifr32, from: arg, n: sizeof(*ifr32)))
3380 return -EFAULT;
3381
3382 if (ifrdata)
3383 *ifrdata = compat_ptr(uptr: ifr32->ifr_data);
3384
3385 return 0;
3386 }
3387
3388 if (copy_from_user(to: ifr, from: arg, n: sizeof(*ifr)))
3389 return -EFAULT;
3390
3391 if (ifrdata)
3392 *ifrdata = ifr->ifr_data;
3393
3394 return 0;
3395}
3396EXPORT_SYMBOL(get_user_ifreq);
3397
3398int put_user_ifreq(struct ifreq *ifr, void __user *arg)
3399{
3400 size_t size = sizeof(*ifr);
3401
3402 if (in_compat_syscall())
3403 size = sizeof(struct compat_ifreq);
3404
3405 if (copy_to_user(to: arg, from: ifr, n: size))
3406 return -EFAULT;
3407
3408 return 0;
3409}
3410EXPORT_SYMBOL(put_user_ifreq);
3411
3412#ifdef CONFIG_COMPAT
3413static int compat_siocwandev(struct net *net, struct compat_ifreq __user *uifr32)
3414{
3415 compat_uptr_t uptr32;
3416 struct ifreq ifr;
3417 void __user *saved;
3418 int err;
3419
3420 if (get_user_ifreq(&ifr, NULL, uifr32))
3421 return -EFAULT;
3422
3423 if (get_user(uptr32, &uifr32->ifr_settings.ifs_ifsu))
3424 return -EFAULT;
3425
3426 saved = ifr.ifr_settings.ifs_ifsu.raw_hdlc;
3427 ifr.ifr_settings.ifs_ifsu.raw_hdlc = compat_ptr(uptr: uptr32);
3428
3429 err = dev_ioctl(net, SIOCWANDEV, ifr: &ifr, NULL, NULL);
3430 if (!err) {
3431 ifr.ifr_settings.ifs_ifsu.raw_hdlc = saved;
3432 if (put_user_ifreq(&ifr, uifr32))
3433 err = -EFAULT;
3434 }
3435 return err;
3436}
3437
3438/* Handle ioctls that use ifreq::ifr_data and just need struct ifreq converted */
3439static int compat_ifr_data_ioctl(struct net *net, unsigned int cmd,
3440 struct compat_ifreq __user *u_ifreq32)
3441{
3442 struct ifreq ifreq;
3443 void __user *data;
3444
3445 if (!is_socket_ioctl_cmd(cmd))
3446 return -ENOTTY;
3447 if (get_user_ifreq(&ifreq, &data, u_ifreq32))
3448 return -EFAULT;
3449 ifreq.ifr_data = data;
3450
3451 return dev_ioctl(net, cmd, ifr: &ifreq, data, NULL);
3452}
3453
3454static int compat_sock_ioctl_trans(struct file *file, struct socket *sock,
3455 unsigned int cmd, unsigned long arg)
3456{
3457 void __user *argp = compat_ptr(uptr: arg);
3458 struct sock *sk = sock->sk;
3459 struct net *net = sock_net(sk);
3460 const struct proto_ops *ops;
3461
3462 if (cmd >= SIOCDEVPRIVATE && cmd <= (SIOCDEVPRIVATE + 15))
3463 return sock_ioctl(file, cmd, arg: (unsigned long)argp);
3464
3465 switch (cmd) {
3466 case SIOCWANDEV:
3467 return compat_siocwandev(net, uifr32: argp);
3468 case SIOCGSTAMP_OLD:
3469 case SIOCGSTAMPNS_OLD:
3470 ops = READ_ONCE(sock->ops);
3471 if (!ops->gettstamp)
3472 return -ENOIOCTLCMD;
3473 return ops->gettstamp(sock, argp, cmd == SIOCGSTAMP_OLD,
3474 !COMPAT_USE_64BIT_TIME);
3475
3476 case SIOCETHTOOL:
3477 case SIOCBONDSLAVEINFOQUERY:
3478 case SIOCBONDINFOQUERY:
3479 case SIOCSHWTSTAMP:
3480 case SIOCGHWTSTAMP:
3481 return compat_ifr_data_ioctl(net, cmd, u_ifreq32: argp);
3482
3483 case FIOSETOWN:
3484 case SIOCSPGRP:
3485 case FIOGETOWN:
3486 case SIOCGPGRP:
3487 case SIOCBRADDBR:
3488 case SIOCBRDELBR:
3489 case SIOCBRADDIF:
3490 case SIOCBRDELIF:
3491 case SIOCGIFVLAN:
3492 case SIOCSIFVLAN:
3493 case SIOCGSKNS:
3494 case SIOCGSTAMP_NEW:
3495 case SIOCGSTAMPNS_NEW:
3496 case SIOCGIFCONF:
3497 case SIOCSIFBR:
3498 case SIOCGIFBR:
3499 return sock_ioctl(file, cmd, arg);
3500
3501 case SIOCGIFFLAGS:
3502 case SIOCSIFFLAGS:
3503 case SIOCGIFMAP:
3504 case SIOCSIFMAP:
3505 case SIOCGIFMETRIC:
3506 case SIOCSIFMETRIC:
3507 case SIOCGIFMTU:
3508 case SIOCSIFMTU:
3509 case SIOCGIFMEM:
3510 case SIOCSIFMEM:
3511 case SIOCGIFHWADDR:
3512 case SIOCSIFHWADDR:
3513 case SIOCADDMULTI:
3514 case SIOCDELMULTI:
3515 case SIOCGIFINDEX:
3516 case SIOCGIFADDR:
3517 case SIOCSIFADDR:
3518 case SIOCSIFHWBROADCAST:
3519 case SIOCDIFADDR:
3520 case SIOCGIFBRDADDR:
3521 case SIOCSIFBRDADDR:
3522 case SIOCGIFDSTADDR:
3523 case SIOCSIFDSTADDR:
3524 case SIOCGIFNETMASK:
3525 case SIOCSIFNETMASK:
3526 case SIOCSIFPFLAGS:
3527 case SIOCGIFPFLAGS:
3528 case SIOCGIFTXQLEN:
3529 case SIOCSIFTXQLEN:
3530 case SIOCGIFNAME:
3531 case SIOCSIFNAME:
3532 case SIOCGMIIPHY:
3533 case SIOCGMIIREG:
3534 case SIOCSMIIREG:
3535 case SIOCBONDENSLAVE:
3536 case SIOCBONDRELEASE:
3537 case SIOCBONDSETHWADDR:
3538 case SIOCBONDCHANGEACTIVE:
3539 case SIOCSARP:
3540 case SIOCGARP:
3541 case SIOCDARP:
3542 case SIOCOUTQ:
3543 case SIOCOUTQNSD:
3544 case SIOCATMARK:
3545 return sock_do_ioctl(net, sock, cmd, arg);
3546 }
3547
3548 return -ENOIOCTLCMD;
3549}
3550
3551static long compat_sock_ioctl(struct file *file, unsigned int cmd,
3552 unsigned long arg)
3553{
3554 struct socket *sock = file->private_data;
3555 const struct proto_ops *ops = READ_ONCE(sock->ops);
3556 int ret = -ENOIOCTLCMD;
3557 struct sock *sk;
3558 struct net *net;
3559
3560 sk = sock->sk;
3561 net = sock_net(sk);
3562
3563 if (ops->compat_ioctl)
3564 ret = ops->compat_ioctl(sock, cmd, arg);
3565
3566 if (ret == -ENOIOCTLCMD &&
3567 (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST))
3568 ret = compat_wext_handle_ioctl(net, cmd, arg);
3569
3570 if (ret == -ENOIOCTLCMD)
3571 ret = compat_sock_ioctl_trans(file, sock, cmd, arg);
3572
3573 return ret;
3574}
3575#endif
3576
3577/**
3578 * kernel_bind - bind an address to a socket (kernel space)
3579 * @sock: socket
3580 * @addr: address
3581 * @addrlen: length of address
3582 *
3583 * Returns 0 or an error.
3584 */
3585
3586int kernel_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
3587{
3588 struct sockaddr_storage address;
3589
3590 memcpy(to: &address, from: addr, len: addrlen);
3591
3592 return READ_ONCE(sock->ops)->bind(sock, (struct sockaddr *)&address,
3593 addrlen);
3594}
3595EXPORT_SYMBOL(kernel_bind);
3596
3597/**
3598 * kernel_listen - move socket to listening state (kernel space)
3599 * @sock: socket
3600 * @backlog: pending connections queue size
3601 *
3602 * Returns 0 or an error.
3603 */
3604
3605int kernel_listen(struct socket *sock, int backlog)
3606{
3607 return READ_ONCE(sock->ops)->listen(sock, backlog);
3608}
3609EXPORT_SYMBOL(kernel_listen);
3610
3611/**
3612 * kernel_accept - accept a connection (kernel space)
3613 * @sock: listening socket
3614 * @newsock: new connected socket
3615 * @flags: flags
3616 *
3617 * @flags must be SOCK_CLOEXEC, SOCK_NONBLOCK or 0.
3618 * If it fails, @newsock is guaranteed to be %NULL.
3619 * Returns 0 or an error.
3620 */
3621
3622int kernel_accept(struct socket *sock, struct socket **newsock, int flags)
3623{
3624 struct sock *sk = sock->sk;
3625 const struct proto_ops *ops = READ_ONCE(sock->ops);
3626 struct proto_accept_arg arg = {
3627 .flags = flags,
3628 .kern = true,
3629 };
3630 int err;
3631
3632 err = sock_create_lite(sk->sk_family, sk->sk_type, sk->sk_protocol,
3633 newsock);
3634 if (err < 0)
3635 goto done;
3636
3637 err = ops->accept(sock, *newsock, &arg);
3638 if (err < 0) {
3639 sock_release(*newsock);
3640 *newsock = NULL;
3641 goto done;
3642 }
3643
3644 (*newsock)->ops = ops;
3645 __module_get(module: ops->owner);
3646
3647done:
3648 return err;
3649}
3650EXPORT_SYMBOL(kernel_accept);
3651
3652/**
3653 * kernel_connect - connect a socket (kernel space)
3654 * @sock: socket
3655 * @addr: address
3656 * @addrlen: address length
3657 * @flags: flags (O_NONBLOCK, ...)
3658 *
3659 * For datagram sockets, @addr is the address to which datagrams are sent
3660 * by default, and the only address from which datagrams are received.
3661 * For stream sockets, attempts to connect to @addr.
3662 * Returns 0 or an error code.
3663 */
3664
3665int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
3666 int flags)
3667{
3668 struct sockaddr_storage address;
3669
3670 memcpy(to: &address, from: addr, len: addrlen);
3671
3672 return READ_ONCE(sock->ops)->connect(sock, (struct sockaddr *)&address,
3673 addrlen, flags);
3674}
3675EXPORT_SYMBOL(kernel_connect);
3676
3677/**
3678 * kernel_getsockname - get the address which the socket is bound (kernel space)
3679 * @sock: socket
3680 * @addr: address holder
3681 *
3682 * Fills the @addr pointer with the address which the socket is bound.
3683 * Returns the length of the address in bytes or an error code.
3684 */
3685
3686int kernel_getsockname(struct socket *sock, struct sockaddr *addr)
3687{
3688 return READ_ONCE(sock->ops)->getname(sock, addr, 0);
3689}
3690EXPORT_SYMBOL(kernel_getsockname);
3691
3692/**
3693 * kernel_getpeername - get the address which the socket is connected (kernel space)
3694 * @sock: socket
3695 * @addr: address holder
3696 *
3697 * Fills the @addr pointer with the address which the socket is connected.
3698 * Returns the length of the address in bytes or an error code.
3699 */
3700
3701int kernel_getpeername(struct socket *sock, struct sockaddr *addr)
3702{
3703 return READ_ONCE(sock->ops)->getname(sock, addr, 1);
3704}
3705EXPORT_SYMBOL(kernel_getpeername);
3706
3707/**
3708 * kernel_sock_shutdown - shut down part of a full-duplex connection (kernel space)
3709 * @sock: socket
3710 * @how: connection part
3711 *
3712 * Returns 0 or an error.
3713 */
3714
3715int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how)
3716{
3717 return READ_ONCE(sock->ops)->shutdown(sock, how);
3718}
3719EXPORT_SYMBOL(kernel_sock_shutdown);
3720
3721/**
3722 * kernel_sock_ip_overhead - returns the IP overhead imposed by a socket
3723 * @sk: socket
3724 *
3725 * This routine returns the IP overhead imposed by a socket i.e.
3726 * the length of the underlying IP header, depending on whether
3727 * this is an IPv4 or IPv6 socket and the length from IP options turned
3728 * on at the socket. Assumes that the caller has a lock on the socket.
3729 */
3730
3731u32 kernel_sock_ip_overhead(struct sock *sk)
3732{
3733 struct inet_sock *inet;
3734 struct ip_options_rcu *opt;
3735 u32 overhead = 0;
3736#if IS_ENABLED(CONFIG_IPV6)
3737 struct ipv6_pinfo *np;
3738 struct ipv6_txoptions *optv6 = NULL;
3739#endif /* IS_ENABLED(CONFIG_IPV6) */
3740
3741 if (!sk)
3742 return overhead;
3743
3744 switch (sk->sk_family) {
3745 case AF_INET:
3746 inet = inet_sk(sk);
3747 overhead += sizeof(struct iphdr);
3748 opt = rcu_dereference_protected(inet->inet_opt,
3749 sock_owned_by_user(sk));
3750 if (opt)
3751 overhead += opt->opt.optlen;
3752 return overhead;
3753#if IS_ENABLED(CONFIG_IPV6)
3754 case AF_INET6:
3755 np = inet6_sk(sk: sk);
3756 overhead += sizeof(struct ipv6hdr);
3757 if (np)
3758 optv6 = rcu_dereference_protected(np->opt,
3759 sock_owned_by_user(sk));
3760 if (optv6)
3761 overhead += (optv6->opt_flen + optv6->opt_nflen);
3762 return overhead;
3763#endif /* IS_ENABLED(CONFIG_IPV6) */
3764 default: /* Returns 0 overhead if the socket is not ipv4 or ipv6 */
3765 return overhead;
3766 }
3767}
3768EXPORT_SYMBOL(kernel_sock_ip_overhead);
3769