linux/net/socket.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/*
   3 * NET          An implementation of the SOCKET network access protocol.
   4 *
   5 * Version:     @(#)socket.c    1.1.93  18/02/95
   6 *
   7 * Authors:     Orest Zborowski, <obz@Kodak.COM>
   8 *              Ross Biro
   9 *              Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
  10 *
  11 * Fixes:
  12 *              Anonymous       :       NOTSOCK/BADF cleanup. Error fix in
  13 *                                      shutdown()
  14 *              Alan Cox        :       verify_area() fixes
  15 *              Alan Cox        :       Removed DDI
  16 *              Jonathan Kamens :       SOCK_DGRAM reconnect bug
  17 *              Alan Cox        :       Moved a load of checks to the very
  18 *                                      top level.
  19 *              Alan Cox        :       Move address structures to/from user
  20 *                                      mode above the protocol layers.
  21 *              Rob Janssen     :       Allow 0 length sends.
  22 *              Alan Cox        :       Asynchronous I/O support (cribbed from the
  23 *                                      tty drivers).
  24 *              Niibe Yutaka    :       Asynchronous I/O for writes (4.4BSD style)
  25 *              Jeff Uphoff     :       Made max number of sockets command-line
  26 *                                      configurable.
  27 *              Matti Aarnio    :       Made the number of sockets dynamic,
  28 *                                      to be allocated when needed, and mr.
  29 *                                      Uphoff's max is used as max to be
  30 *                                      allowed to allocate.
  31 *              Linus           :       Argh. removed all the socket allocation
  32 *                                      altogether: it's in the inode now.
  33 *              Alan Cox        :       Made sock_alloc()/sock_release() public
  34 *                                      for NetROM and future kernel nfsd type
  35 *                                      stuff.
  36 *              Alan Cox        :       sendmsg/recvmsg basics.
  37 *              Tom Dyas        :       Export net symbols.
  38 *              Marcin Dalecki  :       Fixed problems with CONFIG_NET="n".
  39 *              Alan Cox        :       Added thread locking to sys_* calls
  40 *                                      for sockets. May have errors at the
  41 *                                      moment.
  42 *              Kevin Buhr      :       Fixed the dumb errors in the above.
  43 *              Andi Kleen      :       Some small cleanups, optimizations,
  44 *                                      and fixed a copy_from_user() bug.
  45 *              Tigran Aivazian :       sys_send(args) calls sys_sendto(args, NULL, 0)
  46 *              Tigran Aivazian :       Made listen(2) backlog sanity checks
  47 *                                      protocol-independent
  48 *
  49 *      This module is effectively the top level interface to the BSD socket
  50 *      paradigm.
  51 *
  52 *      Based upon Swansea University Computer Society NET3.039
  53 */
  54
  55#include <linux/ethtool.h>
  56#include <linux/mm.h>
  57#include <linux/socket.h>
  58#include <linux/file.h>
  59#include <linux/net.h>
  60#include <linux/interrupt.h>
  61#include <linux/thread_info.h>
  62#include <linux/rcupdate.h>
  63#include <linux/netdevice.h>
  64#include <linux/proc_fs.h>
  65#include <linux/seq_file.h>
  66#include <linux/mutex.h>
  67#include <linux/if_bridge.h>
  68#include <linux/if_vlan.h>
  69#include <linux/ptp_classify.h>
  70#include <linux/init.h>
  71#include <linux/poll.h>
  72#include <linux/cache.h>
  73#include <linux/module.h>
  74#include <linux/highmem.h>
  75#include <linux/mount.h>
  76#include <linux/pseudo_fs.h>
  77#include <linux/security.h>
  78#include <linux/syscalls.h>
  79#include <linux/compat.h>
  80#include <linux/kmod.h>
  81#include <linux/audit.h>
  82#include <linux/wireless.h>
  83#include <linux/nsproxy.h>
  84#include <linux/magic.h>
  85#include <linux/slab.h>
  86#include <linux/xattr.h>
  87#include <linux/nospec.h>
  88#include <linux/indirect_call_wrapper.h>
  89
  90#include <linux/uaccess.h>
  91#include <asm/unistd.h>
  92
  93#include <net/compat.h>
  94#include <net/wext.h>
  95#include <net/cls_cgroup.h>
  96
  97#include <net/sock.h>
  98#include <linux/netfilter.h>
  99
 100#include <linux/if_tun.h>
 101#include <linux/ipv6_route.h>
 102#include <linux/route.h>
 103#include <linux/termios.h>
 104#include <linux/sockios.h>
 105#include <net/busy_poll.h>
 106#include <linux/errqueue.h>
 107#include <linux/ptp_clock_kernel.h>
 108
 109#ifdef CONFIG_NET_RX_BUSY_POLL
 110unsigned int sysctl_net_busy_read __read_mostly;
 111unsigned int sysctl_net_busy_poll __read_mostly;
 112#endif
 113
 114static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to);
 115static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from);
 116static int sock_mmap(struct file *file, struct vm_area_struct *vma);
 117
 118static int sock_close(struct inode *inode, struct file *file);
 119static __poll_t sock_poll(struct file *file,
 120                              struct poll_table_struct *wait);
 121static long sock_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
 122#ifdef CONFIG_COMPAT
 123static long compat_sock_ioctl(struct file *file,
 124                              unsigned int cmd, unsigned long arg);
 125#endif
 126static int sock_fasync(int fd, struct file *filp, int on);
 127static ssize_t sock_sendpage(struct file *file, struct page *page,
 128                             int offset, size_t size, loff_t *ppos, int more);
 129static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
 130                                struct pipe_inode_info *pipe, size_t len,
 131                                unsigned int flags);
 132
 133#ifdef CONFIG_PROC_FS
 134static void sock_show_fdinfo(struct seq_file *m, struct file *f)
 135{
 136        struct socket *sock = f->private_data;
 137
 138        if (sock->ops->show_fdinfo)
 139                sock->ops->show_fdinfo(m, sock);
 140}
 141#else
 142#define sock_show_fdinfo NULL
 143#endif
 144
 145/*
 146 *      Socket files have a set of 'special' operations as well as the generic file ones. These don't appear
 147 *      in the operation structures but are done directly via the socketcall() multiplexor.
 148 */
 149
 150static const struct file_operations socket_file_ops = {
 151        .owner =        THIS_MODULE,
 152        .llseek =       no_llseek,
 153        .read_iter =    sock_read_iter,
 154        .write_iter =   sock_write_iter,
 155        .poll =         sock_poll,
 156        .unlocked_ioctl = sock_ioctl,
 157#ifdef CONFIG_COMPAT
 158        .compat_ioctl = compat_sock_ioctl,
 159#endif
 160        .mmap =         sock_mmap,
 161        .release =      sock_close,
 162        .fasync =       sock_fasync,
 163        .sendpage =     sock_sendpage,
 164        .splice_write = generic_splice_sendpage,
 165        .splice_read =  sock_splice_read,
 166        .show_fdinfo =  sock_show_fdinfo,
 167};
 168
 169static const char * const pf_family_names[] = {
 170        [PF_UNSPEC]     = "PF_UNSPEC",
 171        [PF_UNIX]       = "PF_UNIX/PF_LOCAL",
 172        [PF_INET]       = "PF_INET",
 173        [PF_AX25]       = "PF_AX25",
 174        [PF_IPX]        = "PF_IPX",
 175        [PF_APPLETALK]  = "PF_APPLETALK",
 176        [PF_NETROM]     = "PF_NETROM",
 177        [PF_BRIDGE]     = "PF_BRIDGE",
 178        [PF_ATMPVC]     = "PF_ATMPVC",
 179        [PF_X25]        = "PF_X25",
 180        [PF_INET6]      = "PF_INET6",
 181        [PF_ROSE]       = "PF_ROSE",
 182        [PF_DECnet]     = "PF_DECnet",
 183        [PF_NETBEUI]    = "PF_NETBEUI",
 184        [PF_SECURITY]   = "PF_SECURITY",
 185        [PF_KEY]        = "PF_KEY",
 186        [PF_NETLINK]    = "PF_NETLINK/PF_ROUTE",
 187        [PF_PACKET]     = "PF_PACKET",
 188        [PF_ASH]        = "PF_ASH",
 189        [PF_ECONET]     = "PF_ECONET",
 190        [PF_ATMSVC]     = "PF_ATMSVC",
 191        [PF_RDS]        = "PF_RDS",
 192        [PF_SNA]        = "PF_SNA",
 193        [PF_IRDA]       = "PF_IRDA",
 194        [PF_PPPOX]      = "PF_PPPOX",
 195        [PF_WANPIPE]    = "PF_WANPIPE",
 196        [PF_LLC]        = "PF_LLC",
 197        [PF_IB]         = "PF_IB",
 198        [PF_MPLS]       = "PF_MPLS",
 199        [PF_CAN]        = "PF_CAN",
 200        [PF_TIPC]       = "PF_TIPC",
 201        [PF_BLUETOOTH]  = "PF_BLUETOOTH",
 202        [PF_IUCV]       = "PF_IUCV",
 203        [PF_RXRPC]      = "PF_RXRPC",
 204        [PF_ISDN]       = "PF_ISDN",
 205        [PF_PHONET]     = "PF_PHONET",
 206        [PF_IEEE802154] = "PF_IEEE802154",
 207        [PF_CAIF]       = "PF_CAIF",
 208        [PF_ALG]        = "PF_ALG",
 209        [PF_NFC]        = "PF_NFC",
 210        [PF_VSOCK]      = "PF_VSOCK",
 211        [PF_KCM]        = "PF_KCM",
 212        [PF_QIPCRTR]    = "PF_QIPCRTR",
 213        [PF_SMC]        = "PF_SMC",
 214        [PF_XDP]        = "PF_XDP",
 215};
 216
 217/*
 218 *      The protocol list. Each protocol is registered in here.
 219 */
 220
 221static DEFINE_SPINLOCK(net_family_lock);
 222static const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
 223
 224/*
 225 * Support routines.
 226 * Move socket addresses back and forth across the kernel/user
 227 * divide and look after the messy bits.
 228 */
 229
 230/**
 231 *      move_addr_to_kernel     -       copy a socket address into kernel space
 232 *      @uaddr: Address in user space
 233 *      @kaddr: Address in kernel space
 234 *      @ulen: Length in user space
 235 *
 236 *      The address is copied into kernel space. If the provided address is
 237 *      too long an error code of -EINVAL is returned. If the copy gives
 238 *      invalid addresses -EFAULT is returned. On a success 0 is returned.
 239 */
 240
 241int move_addr_to_kernel(void __user *uaddr, int ulen, struct sockaddr_storage *kaddr)
 242{
 243        if (ulen < 0 || ulen > sizeof(struct sockaddr_storage))
 244                return -EINVAL;
 245        if (ulen == 0)
 246                return 0;
 247        if (copy_from_user(kaddr, uaddr, ulen))
 248                return -EFAULT;
 249        return audit_sockaddr(ulen, kaddr);
 250}
 251
 252/**
 253 *      move_addr_to_user       -       copy an address to user space
 254 *      @kaddr: kernel space address
 255 *      @klen: length of address in kernel
 256 *      @uaddr: user space address
 257 *      @ulen: pointer to user length field
 258 *
 259 *      The value pointed to by ulen on entry is the buffer length available.
 260 *      This is overwritten with the buffer space used. -EINVAL is returned
 261 *      if an overlong buffer is specified or a negative buffer size. -EFAULT
 262 *      is returned if either the buffer or the length field are not
 263 *      accessible.
 264 *      After copying the data up to the limit the user specifies, the true
 265 *      length of the data is written over the length limit the user
 266 *      specified. Zero is returned for a success.
 267 */
 268
 269static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen,
 270                             void __user *uaddr, int __user *ulen)
 271{
 272        int err;
 273        int len;
 274
 275        BUG_ON(klen > sizeof(struct sockaddr_storage));
 276        err = get_user(len, ulen);
 277        if (err)
 278                return err;
 279        if (len > klen)
 280                len = klen;
 281        if (len < 0)
 282                return -EINVAL;
 283        if (len) {
 284                if (audit_sockaddr(klen, kaddr))
 285                        return -ENOMEM;
 286                if (copy_to_user(uaddr, kaddr, len))
 287                        return -EFAULT;
 288        }
 289        /*
 290         *      "fromlen shall refer to the value before truncation.."
 291         *                      1003.1g
 292         */
 293        return __put_user(klen, ulen);
 294}
 295
 296static struct kmem_cache *sock_inode_cachep __ro_after_init;
 297
 298static struct inode *sock_alloc_inode(struct super_block *sb)
 299{
 300        struct socket_alloc *ei;
 301
 302        ei = kmem_cache_alloc(sock_inode_cachep, GFP_KERNEL);
 303        if (!ei)
 304                return NULL;
 305        init_waitqueue_head(&ei->socket.wq.wait);
 306        ei->socket.wq.fasync_list = NULL;
 307        ei->socket.wq.flags = 0;
 308
 309        ei->socket.state = SS_UNCONNECTED;
 310        ei->socket.flags = 0;
 311        ei->socket.ops = NULL;
 312        ei->socket.sk = NULL;
 313        ei->socket.file = NULL;
 314
 315        return &ei->vfs_inode;
 316}
 317
 318static void sock_free_inode(struct inode *inode)
 319{
 320        struct socket_alloc *ei;
 321
 322        ei = container_of(inode, struct socket_alloc, vfs_inode);
 323        kmem_cache_free(sock_inode_cachep, ei);
 324}
 325
 326static void init_once(void *foo)
 327{
 328        struct socket_alloc *ei = (struct socket_alloc *)foo;
 329
 330        inode_init_once(&ei->vfs_inode);
 331}
 332
 333static void init_inodecache(void)
 334{
 335        sock_inode_cachep = kmem_cache_create("sock_inode_cache",
 336                                              sizeof(struct socket_alloc),
 337                                              0,
 338                                              (SLAB_HWCACHE_ALIGN |
 339                                               SLAB_RECLAIM_ACCOUNT |
 340                                               SLAB_MEM_SPREAD | SLAB_ACCOUNT),
 341                                              init_once);
 342        BUG_ON(sock_inode_cachep == NULL);
 343}
 344
 345static const struct super_operations sockfs_ops = {
 346        .alloc_inode    = sock_alloc_inode,
 347        .free_inode     = sock_free_inode,
 348        .statfs         = simple_statfs,
 349};
 350
 351/*
 352 * sockfs_dname() is called from d_path().
 353 */
 354static char *sockfs_dname(struct dentry *dentry, char *buffer, int buflen)
 355{
 356        return dynamic_dname(dentry, buffer, buflen, "socket:[%lu]",
 357                                d_inode(dentry)->i_ino);
 358}
 359
 360static const struct dentry_operations sockfs_dentry_operations = {
 361        .d_dname  = sockfs_dname,
 362};
 363
 364static int sockfs_xattr_get(const struct xattr_handler *handler,
 365                            struct dentry *dentry, struct inode *inode,
 366                            const char *suffix, void *value, size_t size)
 367{
 368        if (value) {
 369                if (dentry->d_name.len + 1 > size)
 370                        return -ERANGE;
 371                memcpy(value, dentry->d_name.name, dentry->d_name.len + 1);
 372        }
 373        return dentry->d_name.len + 1;
 374}
 375
 376#define XATTR_SOCKPROTONAME_SUFFIX "sockprotoname"
 377#define XATTR_NAME_SOCKPROTONAME (XATTR_SYSTEM_PREFIX XATTR_SOCKPROTONAME_SUFFIX)
 378#define XATTR_NAME_SOCKPROTONAME_LEN (sizeof(XATTR_NAME_SOCKPROTONAME)-1)
 379
 380static const struct xattr_handler sockfs_xattr_handler = {
 381        .name = XATTR_NAME_SOCKPROTONAME,
 382        .get = sockfs_xattr_get,
 383};
 384
 385static int sockfs_security_xattr_set(const struct xattr_handler *handler,
 386                                     struct user_namespace *mnt_userns,
 387                                     struct dentry *dentry, struct inode *inode,
 388                                     const char *suffix, const void *value,
 389                                     size_t size, int flags)
 390{
 391        /* Handled by LSM. */
 392        return -EAGAIN;
 393}
 394
 395static const struct xattr_handler sockfs_security_xattr_handler = {
 396        .prefix = XATTR_SECURITY_PREFIX,
 397        .set = sockfs_security_xattr_set,
 398};
 399
 400static const struct xattr_handler *sockfs_xattr_handlers[] = {
 401        &sockfs_xattr_handler,
 402        &sockfs_security_xattr_handler,
 403        NULL
 404};
 405
 406static int sockfs_init_fs_context(struct fs_context *fc)
 407{
 408        struct pseudo_fs_context *ctx = init_pseudo(fc, SOCKFS_MAGIC);
 409        if (!ctx)
 410                return -ENOMEM;
 411        ctx->ops = &sockfs_ops;
 412        ctx->dops = &sockfs_dentry_operations;
 413        ctx->xattr = sockfs_xattr_handlers;
 414        return 0;
 415}
 416
 417static struct vfsmount *sock_mnt __read_mostly;
 418
 419static struct file_system_type sock_fs_type = {
 420        .name =         "sockfs",
 421        .init_fs_context = sockfs_init_fs_context,
 422        .kill_sb =      kill_anon_super,
 423};
 424
 425/*
 426 *      Obtains the first available file descriptor and sets it up for use.
 427 *
 428 *      These functions create file structures and maps them to fd space
 429 *      of the current process. On success it returns file descriptor
 430 *      and file struct implicitly stored in sock->file.
 431 *      Note that another thread may close file descriptor before we return
 432 *      from this function. We use the fact that now we do not refer
 433 *      to socket after mapping. If one day we will need it, this
 434 *      function will increment ref. count on file by 1.
 435 *
 436 *      In any case returned fd MAY BE not valid!
 437 *      This race condition is unavoidable
 438 *      with shared fd spaces, we cannot solve it inside kernel,
 439 *      but we take care of internal coherence yet.
 440 */
 441
 442/**
 443 *      sock_alloc_file - Bind a &socket to a &file
 444 *      @sock: socket
 445 *      @flags: file status flags
 446 *      @dname: protocol name
 447 *
 448 *      Returns the &file bound with @sock, implicitly storing it
 449 *      in sock->file. If dname is %NULL, sets to "".
 450 *      On failure the return is a ERR pointer (see linux/err.h).
 451 *      This function uses GFP_KERNEL internally.
 452 */
 453
 454struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
 455{
 456        struct file *file;
 457
 458        if (!dname)
 459                dname = sock->sk ? sock->sk->sk_prot_creator->name : "";
 460
 461        file = alloc_file_pseudo(SOCK_INODE(sock), sock_mnt, dname,
 462                                O_RDWR | (flags & O_NONBLOCK),
 463                                &socket_file_ops);
 464        if (IS_ERR(file)) {
 465                sock_release(sock);
 466                return file;
 467        }
 468
 469        sock->file = file;
 470        file->private_data = sock;
 471        stream_open(SOCK_INODE(sock), file);
 472        return file;
 473}
 474EXPORT_SYMBOL(sock_alloc_file);
 475
 476static int sock_map_fd(struct socket *sock, int flags)
 477{
 478        struct file *newfile;
 479        int fd = get_unused_fd_flags(flags);
 480        if (unlikely(fd < 0)) {
 481                sock_release(sock);
 482                return fd;
 483        }
 484
 485        newfile = sock_alloc_file(sock, flags, NULL);
 486        if (!IS_ERR(newfile)) {
 487                fd_install(fd, newfile);
 488                return fd;
 489        }
 490
 491        put_unused_fd(fd);
 492        return PTR_ERR(newfile);
 493}
 494
 495/**
 496 *      sock_from_file - Return the &socket bounded to @file.
 497 *      @file: file
 498 *
 499 *      On failure returns %NULL.
 500 */
 501
 502struct socket *sock_from_file(struct file *file)
 503{
 504        if (file->f_op == &socket_file_ops)
 505                return file->private_data;      /* set in sock_map_fd */
 506
 507        return NULL;
 508}
 509EXPORT_SYMBOL(sock_from_file);
 510
 511/**
 512 *      sockfd_lookup - Go from a file number to its socket slot
 513 *      @fd: file handle
 514 *      @err: pointer to an error code return
 515 *
 516 *      The file handle passed in is locked and the socket it is bound
 517 *      to is returned. If an error occurs the err pointer is overwritten
 518 *      with a negative errno code and NULL is returned. The function checks
 519 *      for both invalid handles and passing a handle which is not a socket.
 520 *
 521 *      On a success the socket object pointer is returned.
 522 */
 523
 524struct socket *sockfd_lookup(int fd, int *err)
 525{
 526        struct file *file;
 527        struct socket *sock;
 528
 529        file = fget(fd);
 530        if (!file) {
 531                *err = -EBADF;
 532                return NULL;
 533        }
 534
 535        sock = sock_from_file(file);
 536        if (!sock) {
 537                *err = -ENOTSOCK;
 538                fput(file);
 539        }
 540        return sock;
 541}
 542EXPORT_SYMBOL(sockfd_lookup);
 543
 544static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed)
 545{
 546        struct fd f = fdget(fd);
 547        struct socket *sock;
 548
 549        *err = -EBADF;
 550        if (f.file) {
 551                sock = sock_from_file(f.file);
 552                if (likely(sock)) {
 553                        *fput_needed = f.flags & FDPUT_FPUT;
 554                        return sock;
 555                }
 556                *err = -ENOTSOCK;
 557                fdput(f);
 558        }
 559        return NULL;
 560}
 561
 562static ssize_t sockfs_listxattr(struct dentry *dentry, char *buffer,
 563                                size_t size)
 564{
 565        ssize_t len;
 566        ssize_t used = 0;
 567
 568        len = security_inode_listsecurity(d_inode(dentry), buffer, size);
 569        if (len < 0)
 570                return len;
 571        used += len;
 572        if (buffer) {
 573                if (size < used)
 574                        return -ERANGE;
 575                buffer += len;
 576        }
 577
 578        len = (XATTR_NAME_SOCKPROTONAME_LEN + 1);
 579        used += len;
 580        if (buffer) {
 581                if (size < used)
 582                        return -ERANGE;
 583                memcpy(buffer, XATTR_NAME_SOCKPROTONAME, len);
 584                buffer += len;
 585        }
 586
 587        return used;
 588}
 589
 590static int sockfs_setattr(struct user_namespace *mnt_userns,
 591                          struct dentry *dentry, struct iattr *iattr)
 592{
 593        int err = simple_setattr(&init_user_ns, dentry, iattr);
 594
 595        if (!err && (iattr->ia_valid & ATTR_UID)) {
 596                struct socket *sock = SOCKET_I(d_inode(dentry));
 597
 598                if (sock->sk)
 599                        sock->sk->sk_uid = iattr->ia_uid;
 600                else
 601                        err = -ENOENT;
 602        }
 603
 604        return err;
 605}
 606
 607static const struct inode_operations sockfs_inode_ops = {
 608        .listxattr = sockfs_listxattr,
 609        .setattr = sockfs_setattr,
 610};
 611
 612/**
 613 *      sock_alloc - allocate a socket
 614 *
 615 *      Allocate a new inode and socket object. The two are bound together
 616 *      and initialised. The socket is then returned. If we are out of inodes
 617 *      NULL is returned. This functions uses GFP_KERNEL internally.
 618 */
 619
 620struct socket *sock_alloc(void)
 621{
 622        struct inode *inode;
 623        struct socket *sock;
 624
 625        inode = new_inode_pseudo(sock_mnt->mnt_sb);
 626        if (!inode)
 627                return NULL;
 628
 629        sock = SOCKET_I(inode);
 630
 631        inode->i_ino = get_next_ino();
 632        inode->i_mode = S_IFSOCK | S_IRWXUGO;
 633        inode->i_uid = current_fsuid();
 634        inode->i_gid = current_fsgid();
 635        inode->i_op = &sockfs_inode_ops;
 636
 637        return sock;
 638}
 639EXPORT_SYMBOL(sock_alloc);
 640
 641static void __sock_release(struct socket *sock, struct inode *inode)
 642{
 643        if (sock->ops) {
 644                struct module *owner = sock->ops->owner;
 645
 646                if (inode)
 647                        inode_lock(inode);
 648                sock->ops->release(sock);
 649                sock->sk = NULL;
 650                if (inode)
 651                        inode_unlock(inode);
 652                sock->ops = NULL;
 653                module_put(owner);
 654        }
 655
 656        if (sock->wq.fasync_list)
 657                pr_err("%s: fasync list not empty!\n", __func__);
 658
 659        if (!sock->file) {
 660                iput(SOCK_INODE(sock));
 661                return;
 662        }
 663        sock->file = NULL;
 664}
 665
 666/**
 667 *      sock_release - close a socket
 668 *      @sock: socket to close
 669 *
 670 *      The socket is released from the protocol stack if it has a release
 671 *      callback, and the inode is then released if the socket is bound to
 672 *      an inode not a file.
 673 */
 674void sock_release(struct socket *sock)
 675{
 676        __sock_release(sock, NULL);
 677}
 678EXPORT_SYMBOL(sock_release);
 679
 680void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
 681{
 682        u8 flags = *tx_flags;
 683
 684        if (tsflags & SOF_TIMESTAMPING_TX_HARDWARE)
 685                flags |= SKBTX_HW_TSTAMP;
 686
 687        if (tsflags & SOF_TIMESTAMPING_TX_SOFTWARE)
 688                flags |= SKBTX_SW_TSTAMP;
 689
 690        if (tsflags & SOF_TIMESTAMPING_TX_SCHED)
 691                flags |= SKBTX_SCHED_TSTAMP;
 692
 693        *tx_flags = flags;
 694}
 695EXPORT_SYMBOL(__sock_tx_timestamp);
 696
 697INDIRECT_CALLABLE_DECLARE(int inet_sendmsg(struct socket *, struct msghdr *,
 698                                           size_t));
 699INDIRECT_CALLABLE_DECLARE(int inet6_sendmsg(struct socket *, struct msghdr *,
 700                                            size_t));
 701static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg)
 702{
 703        int ret = INDIRECT_CALL_INET(sock->ops->sendmsg, inet6_sendmsg,
 704                                     inet_sendmsg, sock, msg,
 705                                     msg_data_left(msg));
 706        BUG_ON(ret == -EIOCBQUEUED);
 707        return ret;
 708}
 709
 710/**
 711 *      sock_sendmsg - send a message through @sock
 712 *      @sock: socket
 713 *      @msg: message to send
 714 *
 715 *      Sends @msg through @sock, passing through LSM.
 716 *      Returns the number of bytes sent, or an error code.
 717 */
 718int sock_sendmsg(struct socket *sock, struct msghdr *msg)
 719{
 720        int err = security_socket_sendmsg(sock, msg,
 721                                          msg_data_left(msg));
 722
 723        return err ?: sock_sendmsg_nosec(sock, msg);
 724}
 725EXPORT_SYMBOL(sock_sendmsg);
 726
 727/**
 728 *      kernel_sendmsg - send a message through @sock (kernel-space)
 729 *      @sock: socket
 730 *      @msg: message header
 731 *      @vec: kernel vec
 732 *      @num: vec array length
 733 *      @size: total message data size
 734 *
 735 *      Builds the message data with @vec and sends it through @sock.
 736 *      Returns the number of bytes sent, or an error code.
 737 */
 738
 739int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
 740                   struct kvec *vec, size_t num, size_t size)
 741{
 742        iov_iter_kvec(&msg->msg_iter, WRITE, vec, num, size);
 743        return sock_sendmsg(sock, msg);
 744}
 745EXPORT_SYMBOL(kernel_sendmsg);
 746
 747/**
 748 *      kernel_sendmsg_locked - send a message through @sock (kernel-space)
 749 *      @sk: sock
 750 *      @msg: message header
 751 *      @vec: output s/g array
 752 *      @num: output s/g array length
 753 *      @size: total message data size
 754 *
 755 *      Builds the message data with @vec and sends it through @sock.
 756 *      Returns the number of bytes sent, or an error code.
 757 *      Caller must hold @sk.
 758 */
 759
 760int kernel_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 761                          struct kvec *vec, size_t num, size_t size)
 762{
 763        struct socket *sock = sk->sk_socket;
 764
 765        if (!sock->ops->sendmsg_locked)
 766                return sock_no_sendmsg_locked(sk, msg, size);
 767
 768        iov_iter_kvec(&msg->msg_iter, WRITE, vec, num, size);
 769
 770        return sock->ops->sendmsg_locked(sk, msg, msg_data_left(msg));
 771}
 772EXPORT_SYMBOL(kernel_sendmsg_locked);
 773
 774static bool skb_is_err_queue(const struct sk_buff *skb)
 775{
 776        /* pkt_type of skbs enqueued on the error queue are set to
 777         * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
 778         * in recvmsg, since skbs received on a local socket will never
 779         * have a pkt_type of PACKET_OUTGOING.
 780         */
 781        return skb->pkt_type == PACKET_OUTGOING;
 782}
 783
 784/* On transmit, software and hardware timestamps are returned independently.
 785 * As the two skb clones share the hardware timestamp, which may be updated
 786 * before the software timestamp is received, a hardware TX timestamp may be
 787 * returned only if there is no software TX timestamp. Ignore false software
 788 * timestamps, which may be made in the __sock_recv_timestamp() call when the
 789 * option SO_TIMESTAMP_OLD(NS) is enabled on the socket, even when the skb has a
 790 * hardware timestamp.
 791 */
 792static bool skb_is_swtx_tstamp(const struct sk_buff *skb, int false_tstamp)
 793{
 794        return skb->tstamp && !false_tstamp && skb_is_err_queue(skb);
 795}
 796
 797static void put_ts_pktinfo(struct msghdr *msg, struct sk_buff *skb)
 798{
 799        struct scm_ts_pktinfo ts_pktinfo;
 800        struct net_device *orig_dev;
 801
 802        if (!skb_mac_header_was_set(skb))
 803                return;
 804
 805        memset(&ts_pktinfo, 0, sizeof(ts_pktinfo));
 806
 807        rcu_read_lock();
 808        orig_dev = dev_get_by_napi_id(skb_napi_id(skb));
 809        if (orig_dev)
 810                ts_pktinfo.if_index = orig_dev->ifindex;
 811        rcu_read_unlock();
 812
 813        ts_pktinfo.pkt_length = skb->len - skb_mac_offset(skb);
 814        put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_PKTINFO,
 815                 sizeof(ts_pktinfo), &ts_pktinfo);
 816}
 817
 818/*
 819 * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP)
 820 */
 821void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
 822        struct sk_buff *skb)
 823{
 824        int need_software_tstamp = sock_flag(sk, SOCK_RCVTSTAMP);
 825        int new_tstamp = sock_flag(sk, SOCK_TSTAMP_NEW);
 826        struct scm_timestamping_internal tss;
 827
 828        int empty = 1, false_tstamp = 0;
 829        struct skb_shared_hwtstamps *shhwtstamps =
 830                skb_hwtstamps(skb);
 831
 832        /* Race occurred between timestamp enabling and packet
 833           receiving.  Fill in the current time for now. */
 834        if (need_software_tstamp && skb->tstamp == 0) {
 835                __net_timestamp(skb);
 836                false_tstamp = 1;
 837        }
 838
 839        if (need_software_tstamp) {
 840                if (!sock_flag(sk, SOCK_RCVTSTAMPNS)) {
 841                        if (new_tstamp) {
 842                                struct __kernel_sock_timeval tv;
 843
 844                                skb_get_new_timestamp(skb, &tv);
 845                                put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_NEW,
 846                                         sizeof(tv), &tv);
 847                        } else {
 848                                struct __kernel_old_timeval tv;
 849
 850                                skb_get_timestamp(skb, &tv);
 851                                put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMP_OLD,
 852                                         sizeof(tv), &tv);
 853                        }
 854                } else {
 855                        if (new_tstamp) {
 856                                struct __kernel_timespec ts;
 857
 858                                skb_get_new_timestampns(skb, &ts);
 859                                put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
 860                                         sizeof(ts), &ts);
 861                        } else {
 862                                struct __kernel_old_timespec ts;
 863
 864                                skb_get_timestampns(skb, &ts);
 865                                put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPNS_OLD,
 866                                         sizeof(ts), &ts);
 867                        }
 868                }
 869        }
 870
 871        memset(&tss, 0, sizeof(tss));
 872        if ((sk->sk_tsflags & SOF_TIMESTAMPING_SOFTWARE) &&
 873            ktime_to_timespec64_cond(skb->tstamp, tss.ts + 0))
 874                empty = 0;
 875        if (shhwtstamps &&
 876            (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE) &&
 877            !skb_is_swtx_tstamp(skb, false_tstamp)) {
 878                if (sk->sk_tsflags & SOF_TIMESTAMPING_BIND_PHC)
 879                        ptp_convert_timestamp(shhwtstamps, sk->sk_bind_phc);
 880
 881                if (ktime_to_timespec64_cond(shhwtstamps->hwtstamp,
 882                                             tss.ts + 2)) {
 883                        empty = 0;
 884
 885                        if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_PKTINFO) &&
 886                            !skb_is_err_queue(skb))
 887                                put_ts_pktinfo(msg, skb);
 888                }
 889        }
 890        if (!empty) {
 891                if (sock_flag(sk, SOCK_TSTAMP_NEW))
 892                        put_cmsg_scm_timestamping64(msg, &tss);
 893                else
 894                        put_cmsg_scm_timestamping(msg, &tss);
 895
 896                if (skb_is_err_queue(skb) && skb->len &&
 897                    SKB_EXT_ERR(skb)->opt_stats)
 898                        put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
 899                                 skb->len, skb->data);
 900        }
 901}
 902EXPORT_SYMBOL_GPL(__sock_recv_timestamp);
 903
 904void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
 905        struct sk_buff *skb)
 906{
 907        int ack;
 908
 909        if (!sock_flag(sk, SOCK_WIFI_STATUS))
 910                return;
 911        if (!skb->wifi_acked_valid)
 912                return;
 913
 914        ack = skb->wifi_acked;
 915
 916        put_cmsg(msg, SOL_SOCKET, SCM_WIFI_STATUS, sizeof(ack), &ack);
 917}
 918EXPORT_SYMBOL_GPL(__sock_recv_wifi_status);
 919
 920static inline void sock_recv_drops(struct msghdr *msg, struct sock *sk,
 921                                   struct sk_buff *skb)
 922{
 923        if (sock_flag(sk, SOCK_RXQ_OVFL) && skb && SOCK_SKB_CB(skb)->dropcount)
 924                put_cmsg(msg, SOL_SOCKET, SO_RXQ_OVFL,
 925                        sizeof(__u32), &SOCK_SKB_CB(skb)->dropcount);
 926}
 927
 928void __sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
 929        struct sk_buff *skb)
 930{
 931        sock_recv_timestamp(msg, sk, skb);
 932        sock_recv_drops(msg, sk, skb);
 933}
 934EXPORT_SYMBOL_GPL(__sock_recv_ts_and_drops);
 935
 936INDIRECT_CALLABLE_DECLARE(int inet_recvmsg(struct socket *, struct msghdr *,
 937                                           size_t, int));
 938INDIRECT_CALLABLE_DECLARE(int inet6_recvmsg(struct socket *, struct msghdr *,
 939                                            size_t, int));
 940static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg,
 941                                     int flags)
 942{
 943        return INDIRECT_CALL_INET(sock->ops->recvmsg, inet6_recvmsg,
 944                                  inet_recvmsg, sock, msg, msg_data_left(msg),
 945                                  flags);
 946}
 947
 948/**
 949 *      sock_recvmsg - receive a message from @sock
 950 *      @sock: socket
 951 *      @msg: message to receive
 952 *      @flags: message flags
 953 *
 954 *      Receives @msg from @sock, passing through LSM. Returns the total number
 955 *      of bytes received, or an error.
 956 */
 957int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags)
 958{
 959        int err = security_socket_recvmsg(sock, msg, msg_data_left(msg), flags);
 960
 961        return err ?: sock_recvmsg_nosec(sock, msg, flags);
 962}
 963EXPORT_SYMBOL(sock_recvmsg);
 964
 965/**
 966 *      kernel_recvmsg - Receive a message from a socket (kernel space)
 967 *      @sock: The socket to receive the message from
 968 *      @msg: Received message
 969 *      @vec: Input s/g array for message data
 970 *      @num: Size of input s/g array
 971 *      @size: Number of bytes to read
 972 *      @flags: Message flags (MSG_DONTWAIT, etc...)
 973 *
 974 *      On return the msg structure contains the scatter/gather array passed in the
 975 *      vec argument. The array is modified so that it consists of the unfilled
 976 *      portion of the original array.
 977 *
 978 *      The returned value is the total number of bytes received, or an error.
 979 */
 980
 981int kernel_recvmsg(struct socket *sock, struct msghdr *msg,
 982                   struct kvec *vec, size_t num, size_t size, int flags)
 983{
 984        msg->msg_control_is_user = false;
 985        iov_iter_kvec(&msg->msg_iter, READ, vec, num, size);
 986        return sock_recvmsg(sock, msg, flags);
 987}
 988EXPORT_SYMBOL(kernel_recvmsg);
 989
 990static ssize_t sock_sendpage(struct file *file, struct page *page,
 991                             int offset, size_t size, loff_t *ppos, int more)
 992{
 993        struct socket *sock;
 994        int flags;
 995
 996        sock = file->private_data;
 997
 998        flags = (file->f_flags & O_NONBLOCK) ? MSG_DONTWAIT : 0;
 999        /* more is a combination of MSG_MORE and MSG_SENDPAGE_NOTLAST */
1000        flags |= more;
1001
1002        return kernel_sendpage(sock, page, offset, size, flags);
1003}
1004
1005static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
1006                                struct pipe_inode_info *pipe, size_t len,
1007                                unsigned int flags)
1008{
1009        struct socket *sock = file->private_data;
1010
1011        if (unlikely(!sock->ops->splice_read))
1012                return generic_file_splice_read(file, ppos, pipe, len, flags);
1013
1014        return sock->ops->splice_read(sock, ppos, pipe, len, flags);
1015}
1016
1017static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
1018{
1019        struct file *file = iocb->ki_filp;
1020        struct socket *sock = file->private_data;
1021        struct msghdr msg = {.msg_iter = *to,
1022                             .msg_iocb = iocb};
1023        ssize_t res;
1024
1025        if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
1026                msg.msg_flags = MSG_DONTWAIT;
1027
1028        if (iocb->ki_pos != 0)
1029                return -ESPIPE;
1030
1031        if (!iov_iter_count(to))        /* Match SYS5 behaviour */
1032                return 0;
1033
1034        res = sock_recvmsg(sock, &msg, msg.msg_flags);
1035        *to = msg.msg_iter;
1036        return res;
1037}
1038
1039static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
1040{
1041        struct file *file = iocb->ki_filp;
1042        struct socket *sock = file->private_data;
1043        struct msghdr msg = {.msg_iter = *from,
1044                             .msg_iocb = iocb};
1045        ssize_t res;
1046
1047        if (iocb->ki_pos != 0)
1048                return -ESPIPE;
1049
1050        if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
1051                msg.msg_flags = MSG_DONTWAIT;
1052
1053        if (sock->type == SOCK_SEQPACKET)
1054                msg.msg_flags |= MSG_EOR;
1055
1056        res = sock_sendmsg(sock, &msg);
1057        *from = msg.msg_iter;
1058        return res;
1059}
1060
1061/*
1062 * Atomic setting of ioctl hooks to avoid race
1063 * with module unload.
1064 */
1065
1066static DEFINE_MUTEX(br_ioctl_mutex);
1067static int (*br_ioctl_hook) (struct net *, unsigned int cmd, void __user *arg);
1068
1069void brioctl_set(int (*hook) (struct net *, unsigned int, void __user *))
1070{
1071        mutex_lock(&br_ioctl_mutex);
1072        br_ioctl_hook = hook;
1073        mutex_unlock(&br_ioctl_mutex);
1074}
1075EXPORT_SYMBOL(brioctl_set);
1076
1077static DEFINE_MUTEX(vlan_ioctl_mutex);
1078static int (*vlan_ioctl_hook) (struct net *, void __user *arg);
1079
1080void vlan_ioctl_set(int (*hook) (struct net *, void __user *))
1081{
1082        mutex_lock(&vlan_ioctl_mutex);
1083        vlan_ioctl_hook = hook;
1084        mutex_unlock(&vlan_ioctl_mutex);
1085}
1086EXPORT_SYMBOL(vlan_ioctl_set);
1087
1088static long sock_do_ioctl(struct net *net, struct socket *sock,
1089                          unsigned int cmd, unsigned long arg)
1090{
1091        int err;
1092        void __user *argp = (void __user *)arg;
1093
1094        err = sock->ops->ioctl(sock, cmd, arg);
1095
1096        /*
1097         * If this ioctl is unknown try to hand it down
1098         * to the NIC driver.
1099         */
1100        if (err != -ENOIOCTLCMD)
1101                return err;
1102
1103        if (cmd == SIOCGIFCONF) {
1104                struct ifconf ifc;
1105                if (copy_from_user(&ifc, argp, sizeof(struct ifconf)))
1106                        return -EFAULT;
1107                rtnl_lock();
1108                err = dev_ifconf(net, &ifc, sizeof(struct ifreq));
1109                rtnl_unlock();
1110                if (!err && copy_to_user(argp, &ifc, sizeof(struct ifconf)))
1111                        err = -EFAULT;
1112        } else {
1113                struct ifreq ifr;
1114                bool need_copyout;
1115                if (copy_from_user(&ifr, argp, sizeof(struct ifreq)))
1116                        return -EFAULT;
1117                err = dev_ioctl(net, cmd, &ifr, &need_copyout);
1118                if (!err && need_copyout)
1119                        if (copy_to_user(argp, &ifr, sizeof(struct ifreq)))
1120                                return -EFAULT;
1121        }
1122        return err;
1123}
1124
1125/*
1126 *      With an ioctl, arg may well be a user mode pointer, but we don't know
1127 *      what to do with it - that's up to the protocol still.
1128 */
1129
1130static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
1131{
1132        struct socket *sock;
1133        struct sock *sk;
1134        void __user *argp = (void __user *)arg;
1135        int pid, err;
1136        struct net *net;
1137
1138        sock = file->private_data;
1139        sk = sock->sk;
1140        net = sock_net(sk);
1141        if (unlikely(cmd >= SIOCDEVPRIVATE && cmd <= (SIOCDEVPRIVATE + 15))) {
1142                struct ifreq ifr;
1143                bool need_copyout;
1144                if (copy_from_user(&ifr, argp, sizeof(struct ifreq)))
1145                        return -EFAULT;
1146                err = dev_ioctl(net, cmd, &ifr, &need_copyout);
1147                if (!err && need_copyout)
1148                        if (copy_to_user(argp, &ifr, sizeof(struct ifreq)))
1149                                return -EFAULT;
1150        } else
1151#ifdef CONFIG_WEXT_CORE
1152        if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) {
1153                err = wext_handle_ioctl(net, cmd, argp);
1154        } else
1155#endif
1156                switch (cmd) {
1157                case FIOSETOWN:
1158                case SIOCSPGRP:
1159                        err = -EFAULT;
1160                        if (get_user(pid, (int __user *)argp))
1161                                break;
1162                        err = f_setown(sock->file, pid, 1);
1163                        break;
1164                case FIOGETOWN:
1165                case SIOCGPGRP:
1166                        err = put_user(f_getown(sock->file),
1167                                       (int __user *)argp);
1168                        break;
1169                case SIOCGIFBR:
1170                case SIOCSIFBR:
1171                case SIOCBRADDBR:
1172                case SIOCBRDELBR:
1173                        err = -ENOPKG;
1174                        if (!br_ioctl_hook)
1175                                request_module("bridge");
1176
1177                        mutex_lock(&br_ioctl_mutex);
1178                        if (br_ioctl_hook)
1179                                err = br_ioctl_hook(net, cmd, argp);
1180                        mutex_unlock(&br_ioctl_mutex);
1181                        break;
1182                case SIOCGIFVLAN:
1183                case SIOCSIFVLAN:
1184                        err = -ENOPKG;
1185                        if (!vlan_ioctl_hook)
1186                                request_module("8021q");
1187
1188                        mutex_lock(&vlan_ioctl_mutex);
1189                        if (vlan_ioctl_hook)
1190                                err = vlan_ioctl_hook(net, argp);
1191                        mutex_unlock(&vlan_ioctl_mutex);
1192                        break;
1193                case SIOCGSKNS:
1194                        err = -EPERM;
1195                        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1196                                break;
1197
1198                        err = open_related_ns(&net->ns, get_net_ns);
1199                        break;
1200                case SIOCGSTAMP_OLD:
1201                case SIOCGSTAMPNS_OLD:
1202                        if (!sock->ops->gettstamp) {
1203                                err = -ENOIOCTLCMD;
1204                                break;
1205                        }
1206                        err = sock->ops->gettstamp(sock, argp,
1207                                                   cmd == SIOCGSTAMP_OLD,
1208                                                   !IS_ENABLED(CONFIG_64BIT));
1209                        break;
1210                case SIOCGSTAMP_NEW:
1211                case SIOCGSTAMPNS_NEW:
1212                        if (!sock->ops->gettstamp) {
1213                                err = -ENOIOCTLCMD;
1214                                break;
1215                        }
1216                        err = sock->ops->gettstamp(sock, argp,
1217                                                   cmd == SIOCGSTAMP_NEW,
1218                                                   false);
1219                        break;
1220                default:
1221                        err = sock_do_ioctl(net, sock, cmd, arg);
1222                        break;
1223                }
1224        return err;
1225}
1226
1227/**
1228 *      sock_create_lite - creates a socket
1229 *      @family: protocol family (AF_INET, ...)
1230 *      @type: communication type (SOCK_STREAM, ...)
1231 *      @protocol: protocol (0, ...)
1232 *      @res: new socket
1233 *
1234 *      Creates a new socket and assigns it to @res, passing through LSM.
1235 *      The new socket initialization is not complete, see kernel_accept().
1236 *      Returns 0 or an error. On failure @res is set to %NULL.
1237 *      This function internally uses GFP_KERNEL.
1238 */
1239
1240int sock_create_lite(int family, int type, int protocol, struct socket **res)
1241{
1242        int err;
1243        struct socket *sock = NULL;
1244
1245        err = security_socket_create(family, type, protocol, 1);
1246        if (err)
1247                goto out;
1248
1249        sock = sock_alloc();
1250        if (!sock) {
1251                err = -ENOMEM;
1252                goto out;
1253        }
1254
1255        sock->type = type;
1256        err = security_socket_post_create(sock, family, type, protocol, 1);
1257        if (err)
1258                goto out_release;
1259
1260out:
1261        *res = sock;
1262        return err;
1263out_release:
1264        sock_release(sock);
1265        sock = NULL;
1266        goto out;
1267}
1268EXPORT_SYMBOL(sock_create_lite);
1269
1270/* No kernel lock held - perfect */
1271static __poll_t sock_poll(struct file *file, poll_table *wait)
1272{
1273        struct socket *sock = file->private_data;
1274        __poll_t events = poll_requested_events(wait), flag = 0;
1275
1276        if (!sock->ops->poll)
1277                return 0;
1278
1279        if (sk_can_busy_loop(sock->sk)) {
1280                /* poll once if requested by the syscall */
1281                if (events & POLL_BUSY_LOOP)
1282                        sk_busy_loop(sock->sk, 1);
1283
1284                /* if this socket can poll_ll, tell the system call */
1285                flag = POLL_BUSY_LOOP;
1286        }
1287
1288        return sock->ops->poll(file, sock, wait) | flag;
1289}
1290
1291static int sock_mmap(struct file *file, struct vm_area_struct *vma)
1292{
1293        struct socket *sock = file->private_data;
1294
1295        return sock->ops->mmap(file, sock, vma);
1296}
1297
1298static int sock_close(struct inode *inode, struct file *filp)
1299{
1300        __sock_release(SOCKET_I(inode), inode);
1301        return 0;
1302}
1303
1304/*
1305 *      Update the socket async list
1306 *
1307 *      Fasync_list locking strategy.
1308 *
1309 *      1. fasync_list is modified only under process context socket lock
1310 *         i.e. under semaphore.
1311 *      2. fasync_list is used under read_lock(&sk->sk_callback_lock)
1312 *         or under socket lock
1313 */
1314
1315static int sock_fasync(int fd, struct file *filp, int on)
1316{
1317        struct socket *sock = filp->private_data;
1318        struct sock *sk = sock->sk;
1319        struct socket_wq *wq = &sock->wq;
1320
1321        if (sk == NULL)
1322                return -EINVAL;
1323
1324        lock_sock(sk);
1325        fasync_helper(fd, filp, on, &wq->fasync_list);
1326
1327        if (!wq->fasync_list)
1328                sock_reset_flag(sk, SOCK_FASYNC);
1329        else
1330                sock_set_flag(sk, SOCK_FASYNC);
1331
1332        release_sock(sk);
1333        return 0;
1334}
1335
1336/* This function may be called only under rcu_lock */
1337
1338int sock_wake_async(struct socket_wq *wq, int how, int band)
1339{
1340        if (!wq || !wq->fasync_list)
1341                return -1;
1342
1343        switch (how) {
1344        case SOCK_WAKE_WAITD:
1345                if (test_bit(SOCKWQ_ASYNC_WAITDATA, &wq->flags))
1346                        break;
1347                goto call_kill;
1348        case SOCK_WAKE_SPACE:
1349                if (!test_and_clear_bit(SOCKWQ_ASYNC_NOSPACE, &wq->flags))
1350                        break;
1351                fallthrough;
1352        case SOCK_WAKE_IO:
1353call_kill:
1354                kill_fasync(&wq->fasync_list, SIGIO, band);
1355                break;
1356        case SOCK_WAKE_URG:
1357                kill_fasync(&wq->fasync_list, SIGURG, band);
1358        }
1359
1360        return 0;
1361}
1362EXPORT_SYMBOL(sock_wake_async);
1363
1364/**
1365 *      __sock_create - creates a socket
1366 *      @net: net namespace
1367 *      @family: protocol family (AF_INET, ...)
1368 *      @type: communication type (SOCK_STREAM, ...)
1369 *      @protocol: protocol (0, ...)
1370 *      @res: new socket
1371 *      @kern: boolean for kernel space sockets
1372 *
1373 *      Creates a new socket and assigns it to @res, passing through LSM.
1374 *      Returns 0 or an error. On failure @res is set to %NULL. @kern must
1375 *      be set to true if the socket resides in kernel space.
1376 *      This function internally uses GFP_KERNEL.
1377 */
1378
1379int __sock_create(struct net *net, int family, int type, int protocol,
1380                         struct socket **res, int kern)
1381{
1382        int err;
1383        struct socket *sock;
1384        const struct net_proto_family *pf;
1385
1386        /*
1387         *      Check protocol is in range
1388         */
1389        if (family < 0 || family >= NPROTO)
1390                return -EAFNOSUPPORT;
1391        if (type < 0 || type >= SOCK_MAX)
1392                return -EINVAL;
1393
1394        /* Compatibility.
1395
1396           This uglymoron is moved from INET layer to here to avoid
1397           deadlock in module load.
1398         */
1399        if (family == PF_INET && type == SOCK_PACKET) {
1400                pr_info_once("%s uses obsolete (PF_INET,SOCK_PACKET)\n",
1401                             current->comm);
1402                family = PF_PACKET;
1403        }
1404
1405        err = security_socket_create(family, type, protocol, kern);
1406        if (err)
1407                return err;
1408
1409        /*
1410         *      Allocate the socket and allow the family to set things up. if
1411         *      the protocol is 0, the family is instructed to select an appropriate
1412         *      default.
1413         */
1414        sock = sock_alloc();
1415        if (!sock) {
1416                net_warn_ratelimited("socket: no more sockets\n");
1417                return -ENFILE; /* Not exactly a match, but its the
1418                                   closest posix thing */
1419        }
1420
1421        sock->type = type;
1422
1423#ifdef CONFIG_MODULES
1424        /* Attempt to load a protocol module if the find failed.
1425         *
1426         * 12/09/1996 Marcin: But! this makes REALLY only sense, if the user
1427         * requested real, full-featured networking support upon configuration.
1428         * Otherwise module support will break!
1429         */
1430        if (rcu_access_pointer(net_families[family]) == NULL)
1431                request_module("net-pf-%d", family);
1432#endif
1433
1434        rcu_read_lock();
1435        pf = rcu_dereference(net_families[family]);
1436        err = -EAFNOSUPPORT;
1437        if (!pf)
1438                goto out_release;
1439
1440        /*
1441         * We will call the ->create function, that possibly is in a loadable
1442         * module, so we have to bump that loadable module refcnt first.
1443         */
1444        if (!try_module_get(pf->owner))
1445                goto out_release;
1446
1447        /* Now protected by module ref count */
1448        rcu_read_unlock();
1449
1450        err = pf->create(net, sock, protocol, kern);
1451        if (err < 0)
1452                goto out_module_put;
1453
1454        /*
1455         * Now to bump the refcnt of the [loadable] module that owns this
1456         * socket at sock_release time we decrement its refcnt.
1457         */
1458        if (!try_module_get(sock->ops->owner))
1459                goto out_module_busy;
1460
1461        /*
1462         * Now that we're done with the ->create function, the [loadable]
1463         * module can have its refcnt decremented
1464         */
1465        module_put(pf->owner);
1466        err = security_socket_post_create(sock, family, type, protocol, kern);
1467        if (err)
1468                goto out_sock_release;
1469        *res = sock;
1470
1471        return 0;
1472
1473out_module_busy:
1474        err = -EAFNOSUPPORT;
1475out_module_put:
1476        sock->ops = NULL;
1477        module_put(pf->owner);
1478out_sock_release:
1479        sock_release(sock);
1480        return err;
1481
1482out_release:
1483        rcu_read_unlock();
1484        goto out_sock_release;
1485}
1486EXPORT_SYMBOL(__sock_create);
1487
1488/**
1489 *      sock_create - creates a socket
1490 *      @family: protocol family (AF_INET, ...)
1491 *      @type: communication type (SOCK_STREAM, ...)
1492 *      @protocol: protocol (0, ...)
1493 *      @res: new socket
1494 *
1495 *      A wrapper around __sock_create().
1496 *      Returns 0 or an error. This function internally uses GFP_KERNEL.
1497 */
1498
1499int sock_create(int family, int type, int protocol, struct socket **res)
1500{
1501        return __sock_create(current->nsproxy->net_ns, family, type, protocol, res, 0);
1502}
1503EXPORT_SYMBOL(sock_create);
1504
1505/**
1506 *      sock_create_kern - creates a socket (kernel space)
1507 *      @net: net namespace
1508 *      @family: protocol family (AF_INET, ...)
1509 *      @type: communication type (SOCK_STREAM, ...)
1510 *      @protocol: protocol (0, ...)
1511 *      @res: new socket
1512 *
1513 *      A wrapper around __sock_create().
1514 *      Returns 0 or an error. This function internally uses GFP_KERNEL.
1515 */
1516
1517int sock_create_kern(struct net *net, int family, int type, int protocol, struct socket **res)
1518{
1519        return __sock_create(net, family, type, protocol, res, 1);
1520}
1521EXPORT_SYMBOL(sock_create_kern);
1522
1523int __sys_socket(int family, int type, int protocol)
1524{
1525        int retval;
1526        struct socket *sock;
1527        int flags;
1528
1529        /* Check the SOCK_* constants for consistency.  */
1530        BUILD_BUG_ON(SOCK_CLOEXEC != O_CLOEXEC);
1531        BUILD_BUG_ON((SOCK_MAX | SOCK_TYPE_MASK) != SOCK_TYPE_MASK);
1532        BUILD_BUG_ON(SOCK_CLOEXEC & SOCK_TYPE_MASK);
1533        BUILD_BUG_ON(SOCK_NONBLOCK & SOCK_TYPE_MASK);
1534
1535        flags = type & ~SOCK_TYPE_MASK;
1536        if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
1537                return -EINVAL;
1538        type &= SOCK_TYPE_MASK;
1539
1540        if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1541                flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1542
1543        retval = sock_create(family, type, protocol, &sock);
1544        if (retval < 0)
1545                return retval;
1546
1547        return sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK));
1548}
1549
1550SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
1551{
1552        return __sys_socket(family, type, protocol);
1553}
1554
1555/*
1556 *      Create a pair of connected sockets.
1557 */
1558
1559int __sys_socketpair(int family, int type, int protocol, int __user *usockvec)
1560{
1561        struct socket *sock1, *sock2;
1562        int fd1, fd2, err;
1563        struct file *newfile1, *newfile2;
1564        int flags;
1565
1566        flags = type & ~SOCK_TYPE_MASK;
1567        if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
1568                return -EINVAL;
1569        type &= SOCK_TYPE_MASK;
1570
1571        if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1572                flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1573
1574        /*
1575         * reserve descriptors and make sure we won't fail
1576         * to return them to userland.
1577         */
1578        fd1 = get_unused_fd_flags(flags);
1579        if (unlikely(fd1 < 0))
1580                return fd1;
1581
1582        fd2 = get_unused_fd_flags(flags);
1583        if (unlikely(fd2 < 0)) {
1584                put_unused_fd(fd1);
1585                return fd2;
1586        }
1587
1588        err = put_user(fd1, &usockvec[0]);
1589        if (err)
1590                goto out;
1591
1592        err = put_user(fd2, &usockvec[1]);
1593        if (err)
1594                goto out;
1595
1596        /*
1597         * Obtain the first socket and check if the underlying protocol
1598         * supports the socketpair call.
1599         */
1600
1601        err = sock_create(family, type, protocol, &sock1);
1602        if (unlikely(err < 0))
1603                goto out;
1604
1605        err = sock_create(family, type, protocol, &sock2);
1606        if (unlikely(err < 0)) {
1607                sock_release(sock1);
1608                goto out;
1609        }
1610
1611        err = security_socket_socketpair(sock1, sock2);
1612        if (unlikely(err)) {
1613                sock_release(sock2);
1614                sock_release(sock1);
1615                goto out;
1616        }
1617
1618        err = sock1->ops->socketpair(sock1, sock2);
1619        if (unlikely(err < 0)) {
1620                sock_release(sock2);
1621                sock_release(sock1);
1622                goto out;
1623        }
1624
1625        newfile1 = sock_alloc_file(sock1, flags, NULL);
1626        if (IS_ERR(newfile1)) {
1627                err = PTR_ERR(newfile1);
1628                sock_release(sock2);
1629                goto out;
1630        }
1631
1632        newfile2 = sock_alloc_file(sock2, flags, NULL);
1633        if (IS_ERR(newfile2)) {
1634                err = PTR_ERR(newfile2);
1635                fput(newfile1);
1636                goto out;
1637        }
1638
1639        audit_fd_pair(fd1, fd2);
1640
1641        fd_install(fd1, newfile1);
1642        fd_install(fd2, newfile2);
1643        return 0;
1644
1645out:
1646        put_unused_fd(fd2);
1647        put_unused_fd(fd1);
1648        return err;
1649}
1650
1651SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
1652                int __user *, usockvec)
1653{
1654        return __sys_socketpair(family, type, protocol, usockvec);
1655}
1656
1657/*
1658 *      Bind a name to a socket. Nothing much to do here since it's
1659 *      the protocol's responsibility to handle the local address.
1660 *
1661 *      We move the socket address to kernel space before we call
1662 *      the protocol layer (having also checked the address is ok).
1663 */
1664
1665int __sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
1666{
1667        struct socket *sock;
1668        struct sockaddr_storage address;
1669        int err, fput_needed;
1670
1671        sock = sockfd_lookup_light(fd, &err, &fput_needed);
1672        if (sock) {
1673                err = move_addr_to_kernel(umyaddr, addrlen, &address);
1674                if (!err) {
1675                        err = security_socket_bind(sock,
1676                                                   (struct sockaddr *)&address,
1677                                                   addrlen);
1678                        if (!err)
1679                                err = sock->ops->bind(sock,
1680                                                      (struct sockaddr *)
1681                                                      &address, addrlen);
1682                }
1683                fput_light(sock->file, fput_needed);
1684        }
1685        return err;
1686}
1687
1688SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
1689{
1690        return __sys_bind(fd, umyaddr, addrlen);
1691}
1692
1693/*
1694 *      Perform a listen. Basically, we allow the protocol to do anything
1695 *      necessary for a listen, and if that works, we mark the socket as
1696 *      ready for listening.
1697 */
1698
1699int __sys_listen(int fd, int backlog)
1700{
1701        struct socket *sock;
1702        int err, fput_needed;
1703        int somaxconn;
1704
1705        sock = sockfd_lookup_light(fd, &err, &fput_needed);
1706        if (sock) {
1707                somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
1708                if ((unsigned int)backlog > somaxconn)
1709                        backlog = somaxconn;
1710
1711                err = security_socket_listen(sock, backlog);
1712                if (!err)
1713                        err = sock->ops->listen(sock, backlog);
1714
1715                fput_light(sock->file, fput_needed);
1716        }
1717        return err;
1718}
1719
1720SYSCALL_DEFINE2(listen, int, fd, int, backlog)
1721{
1722        return __sys_listen(fd, backlog);
1723}
1724
1725int __sys_accept4_file(struct file *file, unsigned file_flags,
1726                       struct sockaddr __user *upeer_sockaddr,
1727                       int __user *upeer_addrlen, int flags,
1728                       unsigned long nofile)
1729{
1730        struct socket *sock, *newsock;
1731        struct file *newfile;
1732        int err, len, newfd;
1733        struct sockaddr_storage address;
1734
1735        if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
1736                return -EINVAL;
1737
1738        if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
1739                flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
1740
1741        sock = sock_from_file(file);
1742        if (!sock) {
1743                err = -ENOTSOCK;
1744                goto out;
1745        }
1746
1747        err = -ENFILE;
1748        newsock = sock_alloc();
1749        if (!newsock)
1750                goto out;
1751
1752        newsock->type = sock->type;
1753        newsock->ops = sock->ops;
1754
1755        /*
1756         * We don't need try_module_get here, as the listening socket (sock)
1757         * has the protocol module (sock->ops->owner) held.
1758         */
1759        __module_get(newsock->ops->owner);
1760
1761        newfd = __get_unused_fd_flags(flags, nofile);
1762        if (unlikely(newfd < 0)) {
1763                err = newfd;
1764                sock_release(newsock);
1765                goto out;
1766        }
1767        newfile = sock_alloc_file(newsock, flags, sock->sk->sk_prot_creator->name);
1768        if (IS_ERR(newfile)) {
1769                err = PTR_ERR(newfile);
1770                put_unused_fd(newfd);
1771                goto out;
1772        }
1773
1774        err = security_socket_accept(sock, newsock);
1775        if (err)
1776                goto out_fd;
1777
1778        err = sock->ops->accept(sock, newsock, sock->file->f_flags | file_flags,
1779                                        false);
1780        if (err < 0)
1781                goto out_fd;
1782
1783        if (upeer_sockaddr) {
1784                len = newsock->ops->getname(newsock,
1785                                        (struct sockaddr *)&address, 2);
1786                if (len < 0) {
1787                        err = -ECONNABORTED;
1788                        goto out_fd;
1789                }
1790                err = move_addr_to_user(&address,
1791                                        len, upeer_sockaddr, upeer_addrlen);
1792                if (err < 0)
1793                        goto out_fd;
1794        }
1795
1796        /* File flags are not inherited via accept() unlike another OSes. */
1797
1798        fd_install(newfd, newfile);
1799        err = newfd;
1800out:
1801        return err;
1802out_fd:
1803        fput(newfile);
1804        put_unused_fd(newfd);
1805        goto out;
1806
1807}
1808
1809/*
1810 *      For accept, we attempt to create a new socket, set up the link
1811 *      with the client, wake up the client, then return the new
1812 *      connected fd. We collect the address of the connector in kernel
1813 *      space and move it to user at the very end. This is unclean because
1814 *      we open the socket then return an error.
1815 *
1816 *      1003.1g adds the ability to recvmsg() to query connection pending
1817 *      status to recvmsg. We need to add that support in a way thats
1818 *      clean when we restructure accept also.
1819 */
1820
1821int __sys_accept4(int fd, struct sockaddr __user *upeer_sockaddr,
1822                  int __user *upeer_addrlen, int flags)
1823{
1824        int ret = -EBADF;
1825        struct fd f;
1826
1827        f = fdget(fd);
1828        if (f.file) {
1829                ret = __sys_accept4_file(f.file, 0, upeer_sockaddr,
1830                                                upeer_addrlen, flags,
1831                                                rlimit(RLIMIT_NOFILE));
1832                fdput(f);
1833        }
1834
1835        return ret;
1836}
1837
1838SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
1839                int __user *, upeer_addrlen, int, flags)
1840{
1841        return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags);
1842}
1843
1844SYSCALL_DEFINE3(accept, int, fd, struct sockaddr __user *, upeer_sockaddr,
1845                int __user *, upeer_addrlen)
1846{
1847        return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, 0);
1848}
1849
1850/*
1851 *      Attempt to connect to a socket with the server address.  The address
1852 *      is in user space so we verify it is OK and move it to kernel space.
1853 *
1854 *      For 1003.1g we need to add clean support for a bind to AF_UNSPEC to
1855 *      break bindings
1856 *
1857 *      NOTE: 1003.1g draft 6.3 is broken with respect to AX.25/NetROM and
1858 *      other SEQPACKET protocols that take time to connect() as it doesn't
1859 *      include the -EINPROGRESS status for such sockets.
1860 */
1861
1862int __sys_connect_file(struct file *file, struct sockaddr_storage *address,
1863                       int addrlen, int file_flags)
1864{
1865        struct socket *sock;
1866        int err;
1867
1868        sock = sock_from_file(file);
1869        if (!sock) {
1870                err = -ENOTSOCK;
1871                goto out;
1872        }
1873
1874        err =
1875            security_socket_connect(sock, (struct sockaddr *)address, addrlen);
1876        if (err)
1877                goto out;
1878
1879        err = sock->ops->connect(sock, (struct sockaddr *)address, addrlen,
1880                                 sock->file->f_flags | file_flags);
1881out:
1882        return err;
1883}
1884
1885int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
1886{
1887        int ret = -EBADF;
1888        struct fd f;
1889
1890        f = fdget(fd);
1891        if (f.file) {
1892                struct sockaddr_storage address;
1893
1894                ret = move_addr_to_kernel(uservaddr, addrlen, &address);
1895                if (!ret)
1896                        ret = __sys_connect_file(f.file, &address, addrlen, 0);
1897                fdput(f);
1898        }
1899
1900        return ret;
1901}
1902
1903SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
1904                int, addrlen)
1905{
1906        return __sys_connect(fd, uservaddr, addrlen);
1907}
1908
1909/*
1910 *      Get the local address ('name') of a socket object. Move the obtained
1911 *      name to user space.
1912 */
1913
1914int __sys_getsockname(int fd, struct sockaddr __user *usockaddr,
1915                      int __user *usockaddr_len)
1916{
1917        struct socket *sock;
1918        struct sockaddr_storage address;
1919        int err, fput_needed;
1920
1921        sock = sockfd_lookup_light(fd, &err, &fput_needed);
1922        if (!sock)
1923                goto out;
1924
1925        err = security_socket_getsockname(sock);
1926        if (err)
1927                goto out_put;
1928
1929        err = sock->ops->getname(sock, (struct sockaddr *)&address, 0);
1930        if (err < 0)
1931                goto out_put;
1932        /* "err" is actually length in this case */
1933        err = move_addr_to_user(&address, err, usockaddr, usockaddr_len);
1934
1935out_put:
1936        fput_light(sock->file, fput_needed);
1937out:
1938        return err;
1939}
1940
1941SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
1942                int __user *, usockaddr_len)
1943{
1944        return __sys_getsockname(fd, usockaddr, usockaddr_len);
1945}
1946
1947/*
1948 *      Get the remote address ('name') of a socket object. Move the obtained
1949 *      name to user space.
1950 */
1951
1952int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
1953                      int __user *usockaddr_len)
1954{
1955        struct socket *sock;
1956        struct sockaddr_storage address;
1957        int err, fput_needed;
1958
1959        sock = sockfd_lookup_light(fd, &err, &fput_needed);
1960        if (sock != NULL) {
1961                err = security_socket_getpeername(sock);
1962                if (err) {
1963                        fput_light(sock->file, fput_needed);
1964                        return err;
1965                }
1966
1967                err = sock->ops->getname(sock, (struct sockaddr *)&address, 1);
1968                if (err >= 0)
1969                        /* "err" is actually length in this case */
1970                        err = move_addr_to_user(&address, err, usockaddr,
1971                                                usockaddr_len);
1972                fput_light(sock->file, fput_needed);
1973        }
1974        return err;
1975}
1976
1977SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
1978                int __user *, usockaddr_len)
1979{
1980        return __sys_getpeername(fd, usockaddr, usockaddr_len);
1981}
1982
1983/*
1984 *      Send a datagram to a given address. We move the address into kernel
1985 *      space and check the user space data area is readable before invoking
1986 *      the protocol.
1987 */
1988int __sys_sendto(int fd, void __user *buff, size_t len, unsigned int flags,
1989                 struct sockaddr __user *addr,  int addr_len)
1990{
1991        struct socket *sock;
1992        struct sockaddr_storage address;
1993        int err;
1994        struct msghdr msg;
1995        struct iovec iov;
1996        int fput_needed;
1997
1998        err = import_single_range(WRITE, buff, len, &iov, &msg.msg_iter);
1999        if (unlikely(err))
2000                return err;
2001        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2002        if (!sock)
2003                goto out;
2004
2005        msg.msg_name = NULL;
2006        msg.msg_control = NULL;
2007        msg.msg_controllen = 0;
2008        msg.msg_namelen = 0;
2009        if (addr) {
2010                err = move_addr_to_kernel(addr, addr_len, &address);
2011                if (err < 0)
2012                        goto out_put;
2013                msg.msg_name = (struct sockaddr *)&address;
2014                msg.msg_namelen = addr_len;
2015        }
2016        if (sock->file->f_flags & O_NONBLOCK)
2017                flags |= MSG_DONTWAIT;
2018        msg.msg_flags = flags;
2019        err = sock_sendmsg(sock, &msg);
2020
2021out_put:
2022        fput_light(sock->file, fput_needed);
2023out:
2024        return err;
2025}
2026
2027SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
2028                unsigned int, flags, struct sockaddr __user *, addr,
2029                int, addr_len)
2030{
2031        return __sys_sendto(fd, buff, len, flags, addr, addr_len);
2032}
2033
2034/*
2035 *      Send a datagram down a socket.
2036 */
2037
2038SYSCALL_DEFINE4(send, int, fd, void __user *, buff, size_t, len,
2039                unsigned int, flags)
2040{
2041        return __sys_sendto(fd, buff, len, flags, NULL, 0);
2042}
2043
2044/*
2045 *      Receive a frame from the socket and optionally record the address of the
2046 *      sender. We verify the buffers are writable and if needed move the
2047 *      sender address from kernel to user space.
2048 */
2049int __sys_recvfrom(int fd, void __user *ubuf, size_t size, unsigned int flags,
2050                   struct sockaddr __user *addr, int __user *addr_len)
2051{
2052        struct socket *sock;
2053        struct iovec iov;
2054        struct msghdr msg;
2055        struct sockaddr_storage address;
2056        int err, err2;
2057        int fput_needed;
2058
2059        err = import_single_range(READ, ubuf, size, &iov, &msg.msg_iter);
2060        if (unlikely(err))
2061                return err;
2062        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2063        if (!sock)
2064                goto out;
2065
2066        msg.msg_control = NULL;
2067        msg.msg_controllen = 0;
2068        /* Save some cycles and don't copy the address if not needed */
2069        msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
2070        /* We assume all kernel code knows the size of sockaddr_storage */
2071        msg.msg_namelen = 0;
2072        msg.msg_iocb = NULL;
2073        msg.msg_flags = 0;
2074        if (sock->file->f_flags & O_NONBLOCK)
2075                flags |= MSG_DONTWAIT;
2076        err = sock_recvmsg(sock, &msg, flags);
2077
2078        if (err >= 0 && addr != NULL) {
2079                err2 = move_addr_to_user(&address,
2080                                         msg.msg_namelen, addr, addr_len);
2081                if (err2 < 0)
2082                        err = err2;
2083        }
2084
2085        fput_light(sock->file, fput_needed);
2086out:
2087        return err;
2088}
2089
2090SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
2091                unsigned int, flags, struct sockaddr __user *, addr,
2092                int __user *, addr_len)
2093{
2094        return __sys_recvfrom(fd, ubuf, size, flags, addr, addr_len);
2095}
2096
2097/*
2098 *      Receive a datagram from a socket.
2099 */
2100
2101SYSCALL_DEFINE4(recv, int, fd, void __user *, ubuf, size_t, size,
2102                unsigned int, flags)
2103{
2104        return __sys_recvfrom(fd, ubuf, size, flags, NULL, NULL);
2105}
2106
2107static bool sock_use_custom_sol_socket(const struct socket *sock)
2108{
2109        const struct sock *sk = sock->sk;
2110
2111        /* Use sock->ops->setsockopt() for MPTCP */
2112        return IS_ENABLED(CONFIG_MPTCP) &&
2113               sk->sk_protocol == IPPROTO_MPTCP &&
2114               sk->sk_type == SOCK_STREAM &&
2115               (sk->sk_family == AF_INET || sk->sk_family == AF_INET6);
2116}
2117
2118/*
2119 *      Set a socket option. Because we don't know the option lengths we have
2120 *      to pass the user mode parameter for the protocols to sort out.
2121 */
2122int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
2123                int optlen)
2124{
2125        sockptr_t optval = USER_SOCKPTR(user_optval);
2126        char *kernel_optval = NULL;
2127        int err, fput_needed;
2128        struct socket *sock;
2129
2130        if (optlen < 0)
2131                return -EINVAL;
2132
2133        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2134        if (!sock)
2135                return err;
2136
2137        err = security_socket_setsockopt(sock, level, optname);
2138        if (err)
2139                goto out_put;
2140
2141        if (!in_compat_syscall())
2142                err = BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock->sk, &level, &optname,
2143                                                     user_optval, &optlen,
2144                                                     &kernel_optval);
2145        if (err < 0)
2146                goto out_put;
2147        if (err > 0) {
2148                err = 0;
2149                goto out_put;
2150        }
2151
2152        if (kernel_optval)
2153                optval = KERNEL_SOCKPTR(kernel_optval);
2154        if (level == SOL_SOCKET && !sock_use_custom_sol_socket(sock))
2155                err = sock_setsockopt(sock, level, optname, optval, optlen);
2156        else if (unlikely(!sock->ops->setsockopt))
2157                err = -EOPNOTSUPP;
2158        else
2159                err = sock->ops->setsockopt(sock, level, optname, optval,
2160                                            optlen);
2161        kfree(kernel_optval);
2162out_put:
2163        fput_light(sock->file, fput_needed);
2164        return err;
2165}
2166
2167SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname,
2168                char __user *, optval, int, optlen)
2169{
2170        return __sys_setsockopt(fd, level, optname, optval, optlen);
2171}
2172
2173INDIRECT_CALLABLE_DECLARE(bool tcp_bpf_bypass_getsockopt(int level,
2174                                                         int optname));
2175
2176/*
2177 *      Get a socket option. Because we don't know the option lengths we have
2178 *      to pass a user mode parameter for the protocols to sort out.
2179 */
2180int __sys_getsockopt(int fd, int level, int optname, char __user *optval,
2181                int __user *optlen)
2182{
2183        int err, fput_needed;
2184        struct socket *sock;
2185        int max_optlen;
2186
2187        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2188        if (!sock)
2189                return err;
2190
2191        err = security_socket_getsockopt(sock, level, optname);
2192        if (err)
2193                goto out_put;
2194
2195        if (!in_compat_syscall())
2196                max_optlen = BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen);
2197
2198        if (level == SOL_SOCKET)
2199                err = sock_getsockopt(sock, level, optname, optval, optlen);
2200        else if (unlikely(!sock->ops->getsockopt))
2201                err = -EOPNOTSUPP;
2202        else
2203                err = sock->ops->getsockopt(sock, level, optname, optval,
2204                                            optlen);
2205
2206        if (!in_compat_syscall())
2207                err = BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock->sk, level, optname,
2208                                                     optval, optlen, max_optlen,
2209                                                     err);
2210out_put:
2211        fput_light(sock->file, fput_needed);
2212        return err;
2213}
2214
2215SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
2216                char __user *, optval, int __user *, optlen)
2217{
2218        return __sys_getsockopt(fd, level, optname, optval, optlen);
2219}
2220
2221/*
2222 *      Shutdown a socket.
2223 */
2224
2225int __sys_shutdown_sock(struct socket *sock, int how)
2226{
2227        int err;
2228
2229        err = security_socket_shutdown(sock, how);
2230        if (!err)
2231                err = sock->ops->shutdown(sock, how);
2232
2233        return err;
2234}
2235
2236int __sys_shutdown(int fd, int how)
2237{
2238        int err, fput_needed;
2239        struct socket *sock;
2240
2241        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2242        if (sock != NULL) {
2243                err = __sys_shutdown_sock(sock, how);
2244                fput_light(sock->file, fput_needed);
2245        }
2246        return err;
2247}
2248
2249SYSCALL_DEFINE2(shutdown, int, fd, int, how)
2250{
2251        return __sys_shutdown(fd, how);
2252}
2253
2254/* A couple of helpful macros for getting the address of the 32/64 bit
2255 * fields which are the same type (int / unsigned) on our platforms.
2256 */
2257#define COMPAT_MSG(msg, member) ((MSG_CMSG_COMPAT & flags) ? &msg##_compat->member : &msg->member)
2258#define COMPAT_NAMELEN(msg)     COMPAT_MSG(msg, msg_namelen)
2259#define COMPAT_FLAGS(msg)       COMPAT_MSG(msg, msg_flags)
2260
2261struct used_address {
2262        struct sockaddr_storage name;
2263        unsigned int name_len;
2264};
2265
2266int __copy_msghdr_from_user(struct msghdr *kmsg,
2267                            struct user_msghdr __user *umsg,
2268                            struct sockaddr __user **save_addr,
2269                            struct iovec __user **uiov, size_t *nsegs)
2270{
2271        struct user_msghdr msg;
2272        ssize_t err;
2273
2274        if (copy_from_user(&msg, umsg, sizeof(*umsg)))
2275                return -EFAULT;
2276
2277        kmsg->msg_control_is_user = true;
2278        kmsg->msg_control_user = msg.msg_control;
2279        kmsg->msg_controllen = msg.msg_controllen;
2280        kmsg->msg_flags = msg.msg_flags;
2281
2282        kmsg->msg_namelen = msg.msg_namelen;
2283        if (!msg.msg_name)
2284                kmsg->msg_namelen = 0;
2285
2286        if (kmsg->msg_namelen < 0)
2287                return -EINVAL;
2288
2289        if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
2290                kmsg->msg_namelen = sizeof(struct sockaddr_storage);
2291
2292        if (save_addr)
2293                *save_addr = msg.msg_name;
2294
2295        if (msg.msg_name && kmsg->msg_namelen) {
2296                if (!save_addr) {
2297                        err = move_addr_to_kernel(msg.msg_name,
2298                                                  kmsg->msg_namelen,
2299                                                  kmsg->msg_name);
2300                        if (err < 0)
2301                                return err;
2302                }
2303        } else {
2304                kmsg->msg_name = NULL;
2305                kmsg->msg_namelen = 0;
2306        }
2307
2308        if (msg.msg_iovlen > UIO_MAXIOV)
2309                return -EMSGSIZE;
2310
2311        kmsg->msg_iocb = NULL;
2312        *uiov = msg.msg_iov;
2313        *nsegs = msg.msg_iovlen;
2314        return 0;
2315}
2316
2317static int copy_msghdr_from_user(struct msghdr *kmsg,
2318                                 struct user_msghdr __user *umsg,
2319                                 struct sockaddr __user **save_addr,
2320                                 struct iovec **iov)
2321{
2322        struct user_msghdr msg;
2323        ssize_t err;
2324
2325        err = __copy_msghdr_from_user(kmsg, umsg, save_addr, &msg.msg_iov,
2326                                        &msg.msg_iovlen);
2327        if (err)
2328                return err;
2329
2330        err = import_iovec(save_addr ? READ : WRITE,
2331                            msg.msg_iov, msg.msg_iovlen,
2332                            UIO_FASTIOV, iov, &kmsg->msg_iter);
2333        return err < 0 ? err : 0;
2334}
2335
2336static int ____sys_sendmsg(struct socket *sock, struct msghdr *msg_sys,
2337                           unsigned int flags, struct used_address *used_address,
2338                           unsigned int allowed_msghdr_flags)
2339{
2340        unsigned char ctl[sizeof(struct cmsghdr) + 20]
2341                                __aligned(sizeof(__kernel_size_t));
2342        /* 20 is size of ipv6_pktinfo */
2343        unsigned char *ctl_buf = ctl;
2344        int ctl_len;
2345        ssize_t err;
2346
2347        err = -ENOBUFS;
2348
2349        if (msg_sys->msg_controllen > INT_MAX)
2350                goto out;
2351        flags |= (msg_sys->msg_flags & allowed_msghdr_flags);
2352        ctl_len = msg_sys->msg_controllen;
2353        if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
2354                err =
2355                    cmsghdr_from_user_compat_to_kern(msg_sys, sock->sk, ctl,
2356                                                     sizeof(ctl));
2357                if (err)
2358                        goto out;
2359                ctl_buf = msg_sys->msg_control;
2360                ctl_len = msg_sys->msg_controllen;
2361        } else if (ctl_len) {
2362                BUILD_BUG_ON(sizeof(struct cmsghdr) !=
2363                             CMSG_ALIGN(sizeof(struct cmsghdr)));
2364                if (ctl_len > sizeof(ctl)) {
2365                        ctl_buf = sock_kmalloc(sock->sk, ctl_len, GFP_KERNEL);
2366                        if (ctl_buf == NULL)
2367                                goto out;
2368                }
2369                err = -EFAULT;
2370                if (copy_from_user(ctl_buf, msg_sys->msg_control_user, ctl_len))
2371                        goto out_freectl;
2372                msg_sys->msg_control = ctl_buf;
2373                msg_sys->msg_control_is_user = false;
2374        }
2375        msg_sys->msg_flags = flags;
2376
2377        if (sock->file->f_flags & O_NONBLOCK)
2378                msg_sys->msg_flags |= MSG_DONTWAIT;
2379        /*
2380         * If this is sendmmsg() and current destination address is same as
2381         * previously succeeded address, omit asking LSM's decision.
2382         * used_address->name_len is initialized to UINT_MAX so that the first
2383         * destination address never matches.
2384         */
2385        if (used_address && msg_sys->msg_name &&
2386            used_address->name_len == msg_sys->msg_namelen &&
2387            !memcmp(&used_address->name, msg_sys->msg_name,
2388                    used_address->name_len)) {
2389                err = sock_sendmsg_nosec(sock, msg_sys);
2390                goto out_freectl;
2391        }
2392        err = sock_sendmsg(sock, msg_sys);
2393        /*
2394         * If this is sendmmsg() and sending to current destination address was
2395         * successful, remember it.
2396         */
2397        if (used_address && err >= 0) {
2398                used_address->name_len = msg_sys->msg_namelen;
2399                if (msg_sys->msg_name)
2400                        memcpy(&used_address->name, msg_sys->msg_name,
2401                               used_address->name_len);
2402        }
2403
2404out_freectl:
2405        if (ctl_buf != ctl)
2406                sock_kfree_s(sock->sk, ctl_buf, ctl_len);
2407out:
2408        return err;
2409}
2410
2411int sendmsg_copy_msghdr(struct msghdr *msg,
2412                        struct user_msghdr __user *umsg, unsigned flags,
2413                        struct iovec **iov)
2414{
2415        int err;
2416
2417        if (flags & MSG_CMSG_COMPAT) {
2418                struct compat_msghdr __user *msg_compat;
2419
2420                msg_compat = (struct compat_msghdr __user *) umsg;
2421                err = get_compat_msghdr(msg, msg_compat, NULL, iov);
2422        } else {
2423                err = copy_msghdr_from_user(msg, umsg, NULL, iov);
2424        }
2425        if (err < 0)
2426                return err;
2427
2428        return 0;
2429}
2430
2431static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
2432                         struct msghdr *msg_sys, unsigned int flags,
2433                         struct used_address *used_address,
2434                         unsigned int allowed_msghdr_flags)
2435{
2436        struct sockaddr_storage address;
2437        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
2438        ssize_t err;
2439
2440        msg_sys->msg_name = &address;
2441
2442        err = sendmsg_copy_msghdr(msg_sys, msg, flags, &iov);
2443        if (err < 0)
2444                return err;
2445
2446        err = ____sys_sendmsg(sock, msg_sys, flags, used_address,
2447                                allowed_msghdr_flags);
2448        kfree(iov);
2449        return err;
2450}
2451
2452/*
2453 *      BSD sendmsg interface
2454 */
2455long __sys_sendmsg_sock(struct socket *sock, struct msghdr *msg,
2456                        unsigned int flags)
2457{
2458        return ____sys_sendmsg(sock, msg, flags, NULL, 0);
2459}
2460
2461long __sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned int flags,
2462                   bool forbid_cmsg_compat)
2463{
2464        int fput_needed, err;
2465        struct msghdr msg_sys;
2466        struct socket *sock;
2467
2468        if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2469                return -EINVAL;
2470
2471        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2472        if (!sock)
2473                goto out;
2474
2475        err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL, 0);
2476
2477        fput_light(sock->file, fput_needed);
2478out:
2479        return err;
2480}
2481
2482SYSCALL_DEFINE3(sendmsg, int, fd, struct user_msghdr __user *, msg, unsigned int, flags)
2483{
2484        return __sys_sendmsg(fd, msg, flags, true);
2485}
2486
2487/*
2488 *      Linux sendmmsg interface
2489 */
2490
2491int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
2492                   unsigned int flags, bool forbid_cmsg_compat)
2493{
2494        int fput_needed, err, datagrams;
2495        struct socket *sock;
2496        struct mmsghdr __user *entry;
2497        struct compat_mmsghdr __user *compat_entry;
2498        struct msghdr msg_sys;
2499        struct used_address used_address;
2500        unsigned int oflags = flags;
2501
2502        if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2503                return -EINVAL;
2504
2505        if (vlen > UIO_MAXIOV)
2506                vlen = UIO_MAXIOV;
2507
2508        datagrams = 0;
2509
2510        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2511        if (!sock)
2512                return err;
2513
2514        used_address.name_len = UINT_MAX;
2515        entry = mmsg;
2516        compat_entry = (struct compat_mmsghdr __user *)mmsg;
2517        err = 0;
2518        flags |= MSG_BATCH;
2519
2520        while (datagrams < vlen) {
2521                if (datagrams == vlen - 1)
2522                        flags = oflags;
2523
2524                if (MSG_CMSG_COMPAT & flags) {
2525                        err = ___sys_sendmsg(sock, (struct user_msghdr __user *)compat_entry,
2526                                             &msg_sys, flags, &used_address, MSG_EOR);
2527                        if (err < 0)
2528                                break;
2529                        err = __put_user(err, &compat_entry->msg_len);
2530                        ++compat_entry;
2531                } else {
2532                        err = ___sys_sendmsg(sock,
2533                                             (struct user_msghdr __user *)entry,
2534                                             &msg_sys, flags, &used_address, MSG_EOR);
2535                        if (err < 0)
2536                                break;
2537                        err = put_user(err, &entry->msg_len);
2538                        ++entry;
2539                }
2540
2541                if (err)
2542                        break;
2543                ++datagrams;
2544                if (msg_data_left(&msg_sys))
2545                        break;
2546                cond_resched();
2547        }
2548
2549        fput_light(sock->file, fput_needed);
2550
2551        /* We only return an error if no datagrams were able to be sent */
2552        if (datagrams != 0)
2553                return datagrams;
2554
2555        return err;
2556}
2557
2558SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
2559                unsigned int, vlen, unsigned int, flags)
2560{
2561        return __sys_sendmmsg(fd, mmsg, vlen, flags, true);
2562}
2563
2564int recvmsg_copy_msghdr(struct msghdr *msg,
2565                        struct user_msghdr __user *umsg, unsigned flags,
2566                        struct sockaddr __user **uaddr,
2567                        struct iovec **iov)
2568{
2569        ssize_t err;
2570
2571        if (MSG_CMSG_COMPAT & flags) {
2572                struct compat_msghdr __user *msg_compat;
2573
2574                msg_compat = (struct compat_msghdr __user *) umsg;
2575                err = get_compat_msghdr(msg, msg_compat, uaddr, iov);
2576        } else {
2577                err = copy_msghdr_from_user(msg, umsg, uaddr, iov);
2578        }
2579        if (err < 0)
2580                return err;
2581
2582        return 0;
2583}
2584
2585static int ____sys_recvmsg(struct socket *sock, struct msghdr *msg_sys,
2586                           struct user_msghdr __user *msg,
2587                           struct sockaddr __user *uaddr,
2588                           unsigned int flags, int nosec)
2589{
2590        struct compat_msghdr __user *msg_compat =
2591                                        (struct compat_msghdr __user *) msg;
2592        int __user *uaddr_len = COMPAT_NAMELEN(msg);
2593        struct sockaddr_storage addr;
2594        unsigned long cmsg_ptr;
2595        int len;
2596        ssize_t err;
2597
2598        msg_sys->msg_name = &addr;
2599        cmsg_ptr = (unsigned long)msg_sys->msg_control;
2600        msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
2601
2602        /* We assume all kernel code knows the size of sockaddr_storage */
2603        msg_sys->msg_namelen = 0;
2604
2605        if (sock->file->f_flags & O_NONBLOCK)
2606                flags |= MSG_DONTWAIT;
2607
2608        if (unlikely(nosec))
2609                err = sock_recvmsg_nosec(sock, msg_sys, flags);
2610        else
2611                err = sock_recvmsg(sock, msg_sys, flags);
2612
2613        if (err < 0)
2614                goto out;
2615        len = err;
2616
2617        if (uaddr != NULL) {
2618                err = move_addr_to_user(&addr,
2619                                        msg_sys->msg_namelen, uaddr,
2620                                        uaddr_len);
2621                if (err < 0)
2622                        goto out;
2623        }
2624        err = __put_user((msg_sys->msg_flags & ~MSG_CMSG_COMPAT),
2625                         COMPAT_FLAGS(msg));
2626        if (err)
2627                goto out;
2628        if (MSG_CMSG_COMPAT & flags)
2629                err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
2630                                 &msg_compat->msg_controllen);
2631        else
2632                err = __put_user((unsigned long)msg_sys->msg_control - cmsg_ptr,
2633                                 &msg->msg_controllen);
2634        if (err)
2635                goto out;
2636        err = len;
2637out:
2638        return err;
2639}
2640
2641static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
2642                         struct msghdr *msg_sys, unsigned int flags, int nosec)
2643{
2644        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
2645        /* user mode address pointers */
2646        struct sockaddr __user *uaddr;
2647        ssize_t err;
2648
2649        err = recvmsg_copy_msghdr(msg_sys, msg, flags, &uaddr, &iov);
2650        if (err < 0)
2651                return err;
2652
2653        err = ____sys_recvmsg(sock, msg_sys, msg, uaddr, flags, nosec);
2654        kfree(iov);
2655        return err;
2656}
2657
2658/*
2659 *      BSD recvmsg interface
2660 */
2661
2662long __sys_recvmsg_sock(struct socket *sock, struct msghdr *msg,
2663                        struct user_msghdr __user *umsg,
2664                        struct sockaddr __user *uaddr, unsigned int flags)
2665{
2666        return ____sys_recvmsg(sock, msg, umsg, uaddr, flags, 0);
2667}
2668
2669long __sys_recvmsg(int fd, struct user_msghdr __user *msg, unsigned int flags,
2670                   bool forbid_cmsg_compat)
2671{
2672        int fput_needed, err;
2673        struct msghdr msg_sys;
2674        struct socket *sock;
2675
2676        if (forbid_cmsg_compat && (flags & MSG_CMSG_COMPAT))
2677                return -EINVAL;
2678
2679        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2680        if (!sock)
2681                goto out;
2682
2683        err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
2684
2685        fput_light(sock->file, fput_needed);
2686out:
2687        return err;
2688}
2689
2690SYSCALL_DEFINE3(recvmsg, int, fd, struct user_msghdr __user *, msg,
2691                unsigned int, flags)
2692{
2693        return __sys_recvmsg(fd, msg, flags, true);
2694}
2695
2696/*
2697 *     Linux recvmmsg interface
2698 */
2699
2700static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
2701                          unsigned int vlen, unsigned int flags,
2702                          struct timespec64 *timeout)
2703{
2704        int fput_needed, err, datagrams;
2705        struct socket *sock;
2706        struct mmsghdr __user *entry;
2707        struct compat_mmsghdr __user *compat_entry;
2708        struct msghdr msg_sys;
2709        struct timespec64 end_time;
2710        struct timespec64 timeout64;
2711
2712        if (timeout &&
2713            poll_select_set_timeout(&end_time, timeout->tv_sec,
2714                                    timeout->tv_nsec))
2715                return -EINVAL;
2716
2717        datagrams = 0;
2718
2719        sock = sockfd_lookup_light(fd, &err, &fput_needed);
2720        if (!sock)
2721                return err;
2722
2723        if (likely(!(flags & MSG_ERRQUEUE))) {
2724                err = sock_error(sock->sk);
2725                if (err) {
2726                        datagrams = err;
2727                        goto out_put;
2728                }
2729        }
2730
2731        entry = mmsg;
2732        compat_entry = (struct compat_mmsghdr __user *)mmsg;
2733
2734        while (datagrams < vlen) {
2735                /*
2736                 * No need to ask LSM for more than the first datagram.
2737                 */
2738                if (MSG_CMSG_COMPAT & flags) {
2739                        err = ___sys_recvmsg(sock, (struct user_msghdr __user *)compat_entry,
2740                                             &msg_sys, flags & ~MSG_WAITFORONE,
2741                                             datagrams);
2742                        if (err < 0)
2743                                break;
2744                        err = __put_user(err, &compat_entry->msg_len);
2745                        ++compat_entry;
2746                } else {
2747                        err = ___sys_recvmsg(sock,
2748                                             (struct user_msghdr __user *)entry,
2749                                             &msg_sys, flags & ~MSG_WAITFORONE,
2750                                             datagrams);
2751                        if (err < 0)
2752                                break;
2753                        err = put_user(err, &entry->msg_len);
2754                        ++entry;
2755                }
2756
2757                if (err)
2758                        break;
2759                ++datagrams;
2760
2761                /* MSG_WAITFORONE turns on MSG_DONTWAIT after one packet */
2762                if (flags & MSG_WAITFORONE)
2763                        flags |= MSG_DONTWAIT;
2764
2765                if (timeout) {
2766                        ktime_get_ts64(&timeout64);
2767                        *timeout = timespec64_sub(end_time, timeout64);
2768                        if (timeout->tv_sec < 0) {
2769                                timeout->tv_sec = timeout->tv_nsec = 0;
2770                                break;
2771                        }
2772
2773                        /* Timeout, return less than vlen datagrams */
2774                        if (timeout->tv_nsec == 0 && timeout->tv_sec == 0)
2775                                break;
2776                }
2777
2778                /* Out of band data, return right away */
2779                if (msg_sys.msg_flags & MSG_OOB)
2780                        break;
2781                cond_resched();
2782        }
2783
2784        if (err == 0)
2785                goto out_put;
2786
2787        if (datagrams == 0) {
2788                datagrams = err;
2789                goto out_put;
2790        }
2791
2792        /*
2793         * We may return less entries than requested (vlen) if the
2794         * sock is non block and there aren't enough datagrams...
2795         */
2796        if (err != -EAGAIN) {
2797                /*
2798                 * ... or  if recvmsg returns an error after we
2799                 * received some datagrams, where we record the
2800                 * error to return on the next call or if the
2801                 * app asks about it using getsockopt(SO_ERROR).
2802                 */
2803                sock->sk->sk_err = -err;
2804        }
2805out_put:
2806        fput_light(sock->file, fput_needed);
2807
2808        return datagrams;
2809}
2810
2811int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg,
2812                   unsigned int vlen, unsigned int flags,
2813                   struct __kernel_timespec __user *timeout,
2814                   struct old_timespec32 __user *timeout32)
2815{
2816        int datagrams;
2817        struct timespec64 timeout_sys;
2818
2819        if (timeout && get_timespec64(&timeout_sys, timeout))
2820                return -EFAULT;
2821
2822        if (timeout32 && get_old_timespec32(&timeout_sys, timeout32))
2823                return -EFAULT;
2824
2825        if (!timeout && !timeout32)
2826                return do_recvmmsg(fd, mmsg, vlen, flags, NULL);
2827
2828        datagrams = do_recvmmsg(fd, mmsg, vlen, flags, &timeout_sys);
2829
2830        if (datagrams <= 0)
2831                return datagrams;
2832
2833        if (timeout && put_timespec64(&timeout_sys, timeout))
2834                datagrams = -EFAULT;
2835
2836        if (timeout32 && put_old_timespec32(&timeout_sys, timeout32))
2837                datagrams = -EFAULT;
2838
2839        return datagrams;
2840}
2841
2842SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
2843                unsigned int, vlen, unsigned int, flags,
2844                struct __kernel_timespec __user *, timeout)
2845{
2846        if (flags & MSG_CMSG_COMPAT)
2847                return -EINVAL;
2848
2849        return __sys_recvmmsg(fd, mmsg, vlen, flags, timeout, NULL);
2850}
2851
2852#ifdef CONFIG_COMPAT_32BIT_TIME
2853SYSCALL_DEFINE5(recvmmsg_time32, int, fd, struct mmsghdr __user *, mmsg,
2854                unsigned int, vlen, unsigned int, flags,
2855                struct old_timespec32 __user *, timeout)
2856{
2857        if (flags & MSG_CMSG_COMPAT)
2858                return -EINVAL;
2859
2860        return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL, timeout);
2861}
2862#endif
2863
2864#ifdef __ARCH_WANT_SYS_SOCKETCALL
2865/* Argument list sizes for sys_socketcall */
2866#define AL(x) ((x) * sizeof(unsigned long))
2867static const unsigned char nargs[21] = {
2868        AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
2869        AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
2870        AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
2871        AL(4), AL(5), AL(4)
2872};
2873
2874#undef AL
2875
2876/*
2877 *      System call vectors.
2878 *
2879 *      Argument checking cleaned up. Saved 20% in size.
2880 *  This function doesn't need to set the kernel lock because
2881 *  it is set by the callees.
2882 */
2883
2884SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
2885{
2886        unsigned long a[AUDITSC_ARGS];
2887        unsigned long a0, a1;
2888        int err;
2889        unsigned int len;
2890
2891        if (call < 1 || call > SYS_SENDMMSG)
2892                return -EINVAL;
2893        call = array_index_nospec(call, SYS_SENDMMSG + 1);
2894
2895        len = nargs[call];
2896        if (len > sizeof(a))
2897                return -EINVAL;
2898
2899        /* copy_from_user should be SMP safe. */
2900        if (copy_from_user(a, args, len))
2901                return -EFAULT;
2902
2903        err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
2904        if (err)
2905                return err;
2906
2907        a0 = a[0];
2908        a1 = a[1];
2909
2910        switch (call) {
2911        case SYS_SOCKET:
2912                err = __sys_socket(a0, a1, a[2]);
2913                break;
2914        case SYS_BIND:
2915                err = __sys_bind(a0, (struct sockaddr __user *)a1, a[2]);
2916                break;
2917        case SYS_CONNECT:
2918                err = __sys_connect(a0, (struct sockaddr __user *)a1, a[2]);
2919                break;
2920        case SYS_LISTEN:
2921                err = __sys_listen(a0, a1);
2922                break;
2923        case SYS_ACCEPT:
2924                err = __sys_accept4(a0, (struct sockaddr __user *)a1,
2925                                    (int __user *)a[2], 0);
2926                break;
2927        case SYS_GETSOCKNAME:
2928                err =
2929                    __sys_getsockname(a0, (struct sockaddr __user *)a1,
2930                                      (int __user *)a[2]);
2931                break;
2932        case SYS_GETPEERNAME:
2933                err =
2934                    __sys_getpeername(a0, (struct sockaddr __user *)a1,
2935                                      (int __user *)a[2]);
2936                break;
2937        case SYS_SOCKETPAIR:
2938                err = __sys_socketpair(a0, a1, a[2], (int __user *)a[3]);
2939                break;
2940        case SYS_SEND:
2941                err = __sys_sendto(a0, (void __user *)a1, a[2], a[3],
2942                                   NULL, 0);
2943                break;
2944        case SYS_SENDTO:
2945                err = __sys_sendto(a0, (void __user *)a1, a[2], a[3],
2946                                   (struct sockaddr __user *)a[4], a[5]);
2947                break;
2948        case SYS_RECV:
2949                err = __sys_recvfrom(a0, (void __user *)a1, a[2], a[3],
2950                                     NULL, NULL);
2951                break;
2952        case SYS_RECVFROM:
2953                err = __sys_recvfrom(a0, (void __user *)a1, a[2], a[3],
2954                                     (struct sockaddr __user *)a[4],
2955                                     (int __user *)a[5]);
2956                break;
2957        case SYS_SHUTDOWN:
2958                err = __sys_shutdown(a0, a1);
2959                break;
2960        case SYS_SETSOCKOPT:
2961                err = __sys_setsockopt(a0, a1, a[2], (char __user *)a[3],
2962                                       a[4]);
2963                break;
2964        case SYS_GETSOCKOPT:
2965                err =
2966                    __sys_getsockopt(a0, a1, a[2], (char __user *)a[3],
2967                                     (int __user *)a[4]);
2968                break;
2969        case SYS_SENDMSG:
2970                err = __sys_sendmsg(a0, (struct user_msghdr __user *)a1,
2971                                    a[2], true);
2972                break;
2973        case SYS_SENDMMSG:
2974                err = __sys_sendmmsg(a0, (struct mmsghdr __user *)a1, a[2],
2975                                     a[3], true);
2976                break;
2977        case SYS_RECVMSG:
2978                err = __sys_recvmsg(a0, (struct user_msghdr __user *)a1,
2979                                    a[2], true);
2980                break;
2981        case SYS_RECVMMSG:
2982                if (IS_ENABLED(CONFIG_64BIT))
2983                        err = __sys_recvmmsg(a0, (struct mmsghdr __user *)a1,
2984                                             a[2], a[3],
2985                                             (struct __kernel_timespec __user *)a[4],
2986                                             NULL);
2987                else
2988                        err = __sys_recvmmsg(a0, (struct mmsghdr __user *)a1,
2989                                             a[2], a[3], NULL,
2990                                             (struct old_timespec32 __user *)a[4]);
2991                break;
2992        case SYS_ACCEPT4:
2993                err = __sys_accept4(a0, (struct sockaddr __user *)a1,
2994                                    (int __user *)a[2], a[3]);
2995                break;
2996        default:
2997                err = -EINVAL;
2998                break;
2999        }
3000        return err;
3001}
3002
3003#endif                          /* __ARCH_WANT_SYS_SOCKETCALL */
3004
3005/**
3006 *      sock_register - add a socket protocol handler
3007 *      @ops: description of protocol
3008 *
3009 *      This function is called by a protocol handler that wants to
3010 *      advertise its address family, and have it linked into the
3011 *      socket interface. The value ops->family corresponds to the
3012 *      socket system call protocol family.
3013 */
3014int sock_register(const struct net_proto_family *ops)
3015{
3016        int err;
3017
3018        if (ops->family >= NPROTO) {
3019                pr_crit("protocol %d >= NPROTO(%d)\n", ops->family, NPROTO);
3020                return -ENOBUFS;
3021        }
3022
3023        spin_lock(&net_family_lock);
3024        if (rcu_dereference_protected(net_families[ops->family],
3025                                      lockdep_is_held(&net_family_lock)))
3026                err = -EEXIST;
3027        else {
3028                rcu_assign_pointer(net_families[ops->family], ops);
3029                err = 0;
3030        }
3031        spin_unlock(&net_family_lock);
3032
3033        pr_info("NET: Registered %s protocol family\n", pf_family_names[ops->family]);
3034        return err;
3035}
3036EXPORT_SYMBOL(sock_register);
3037
3038/**
3039 *      sock_unregister - remove a protocol handler
3040 *      @family: protocol family to remove
3041 *
3042 *      This function is called by a protocol handler that wants to
3043 *      remove its address family, and have it unlinked from the
3044 *      new socket creation.
3045 *
3046 *      If protocol handler is a module, then it can use module reference
3047 *      counts to protect against new references. If protocol handler is not
3048 *      a module then it needs to provide its own protection in
3049 *      the ops->create routine.
3050 */
3051void sock_unregister(int family)
3052{
3053        BUG_ON(family < 0 || family >= NPROTO);
3054
3055        spin_lock(&net_family_lock);
3056        RCU_INIT_POINTER(net_families[family], NULL);
3057        spin_unlock(&net_family_lock);
3058
3059        synchronize_rcu();
3060
3061        pr_info("NET: Unregistered %s protocol family\n", pf_family_names[family]);
3062}
3063EXPORT_SYMBOL(sock_unregister);
3064
3065bool sock_is_registered(int family)
3066{
3067        return family < NPROTO && rcu_access_pointer(net_families[family]);
3068}
3069
3070static int __init sock_init(void)
3071{
3072        int err;
3073        /*
3074         *      Initialize the network sysctl infrastructure.
3075         */
3076        err = net_sysctl_init();
3077        if (err)
3078                goto out;
3079
3080        /*
3081         *      Initialize skbuff SLAB cache
3082         */
3083        skb_init();
3084
3085        /*
3086         *      Initialize the protocols module.
3087         */
3088
3089        init_inodecache();
3090
3091        err = register_filesystem(&sock_fs_type);
3092        if (err)
3093                goto out;
3094        sock_mnt = kern_mount(&sock_fs_type);
3095        if (IS_ERR(sock_mnt)) {
3096                err = PTR_ERR(sock_mnt);
3097                goto out_mount;
3098        }
3099
3100        /* The real protocol initialization is performed in later initcalls.
3101         */
3102
3103#ifdef CONFIG_NETFILTER
3104        err = netfilter_init();
3105        if (err)
3106                goto out;
3107#endif
3108
3109        ptp_classifier_init();
3110
3111out:
3112        return err;
3113
3114out_mount:
3115        unregister_filesystem(&sock_fs_type);
3116        goto out;
3117}
3118
3119core_initcall(sock_init);       /* early initcall */
3120
3121#ifdef CONFIG_PROC_FS
3122void socket_seq_show(struct seq_file *seq)
3123{
3124        seq_printf(seq, "sockets: used %d\n",
3125                   sock_inuse_get(seq->private));
3126}
3127#endif                          /* CONFIG_PROC_FS */
3128
3129#ifdef CONFIG_COMPAT
3130static int compat_dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
3131{
3132        struct compat_ifconf ifc32;
3133        struct ifconf ifc;
3134        int err;
3135
3136        if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
3137                return -EFAULT;
3138
3139        ifc.ifc_len = ifc32.ifc_len;
3140        ifc.ifc_req = compat_ptr(ifc32.ifcbuf);
3141
3142        rtnl_lock();
3143        err = dev_ifconf(net, &ifc, sizeof(struct compat_ifreq));
3144        rtnl_unlock();
3145        if (err)
3146                return err;
3147
3148        ifc32.ifc_len = ifc.ifc_len;
3149        if (copy_to_user(uifc32, &ifc32, sizeof(struct compat_ifconf)))
3150                return -EFAULT;
3151
3152        return 0;
3153}
3154
3155static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
3156{
3157        struct compat_ethtool_rxnfc __user *compat_rxnfc;
3158        bool convert_in = false, convert_out = false;
3159        size_t buf_size = 0;
3160        struct ethtool_rxnfc __user *rxnfc = NULL;
3161        struct ifreq ifr;
3162        u32 rule_cnt = 0, actual_rule_cnt;
3163        u32 ethcmd;
3164        u32 data;
3165        int ret;
3166
3167        if (get_user(data, &ifr32->ifr_ifru.ifru_data))
3168                return -EFAULT;
3169
3170        compat_rxnfc = compat_ptr(data);
3171
3172        if (get_user(ethcmd, &compat_rxnfc->cmd))
3173                return -EFAULT;
3174
3175        /* Most ethtool structures are defined without padding.
3176         * Unfortunately struct ethtool_rxnfc is an exception.
3177         */
3178        switch (ethcmd) {
3179        default:
3180                break;
3181        case ETHTOOL_GRXCLSRLALL:
3182                /* Buffer size is variable */
3183                if (get_user(rule_cnt, &compat_rxnfc->rule_cnt))
3184                        return -EFAULT;
3185                if (rule_cnt > KMALLOC_MAX_SIZE / sizeof(u32))
3186                        return -ENOMEM;
3187                buf_size += rule_cnt * sizeof(u32);
3188                fallthrough;
3189        case ETHTOOL_GRXRINGS:
3190        case ETHTOOL_GRXCLSRLCNT:
3191        case ETHTOOL_GRXCLSRULE:
3192        case ETHTOOL_SRXCLSRLINS:
3193                convert_out = true;
3194                fallthrough;
3195        case ETHTOOL_SRXCLSRLDEL:
3196                buf_size += sizeof(struct ethtool_rxnfc);
3197                convert_in = true;
3198                rxnfc = compat_alloc_user_space(buf_size);
3199                break;
3200        }
3201
3202        if (copy_from_user(&ifr.ifr_name, &ifr32->ifr_name, IFNAMSIZ))
3203                return -EFAULT;
3204
3205        ifr.ifr_data = convert_in ? rxnfc : (void __user *)compat_rxnfc;
3206
3207        if (convert_in) {
3208                /* We expect there to be holes between fs.m_ext and
3209                 * fs.ring_cookie and at the end of fs, but nowhere else.
3210                 */
3211                BUILD_BUG_ON(offsetof(struct compat_ethtool_rxnfc, fs.m_ext) +
3212                             sizeof(compat_rxnfc->fs.m_ext) !=
3213                             offsetof(struct ethtool_rxnfc, fs.m_ext) +
3214                             sizeof(rxnfc->fs.m_ext));
3215                BUILD_BUG_ON(
3216                        offsetof(struct compat_ethtool_rxnfc, fs.location) -
3217                        offsetof(struct compat_ethtool_rxnfc, fs.ring_cookie) !=
3218                        offsetof(struct ethtool_rxnfc, fs.location) -
3219                        offsetof(struct ethtool_rxnfc, fs.ring_cookie));
3220
3221                if (copy_in_user(rxnfc, compat_rxnfc,
3222                                 (void __user *)(&rxnfc->fs.m_ext + 1) -
3223                                 (void __user *)rxnfc) ||
3224                    copy_in_user(&rxnfc->fs.ring_cookie,
3225                                 &compat_rxnfc->fs.ring_cookie,
3226                                 (void __user *)(&rxnfc->fs.location + 1) -
3227                                 (void __user *)&rxnfc->fs.ring_cookie))
3228                        return -EFAULT;
3229                if (ethcmd == ETHTOOL_GRXCLSRLALL) {
3230                        if (put_user(rule_cnt, &rxnfc->rule_cnt))
3231                                return -EFAULT;
3232                } else if (copy_in_user(&rxnfc->rule_cnt,
3233                                        &compat_rxnfc->rule_cnt,
3234                                        sizeof(rxnfc->rule_cnt)))
3235                        return -EFAULT;
3236        }
3237
3238        ret = dev_ioctl(net, SIOCETHTOOL, &ifr, NULL);
3239        if (ret)
3240                return ret;
3241
3242        if (convert_out) {
3243                if (copy_in_user(compat_rxnfc, rxnfc,
3244                                 (const void __user *)(&rxnfc->fs.m_ext + 1) -
3245                                 (const void __user *)rxnfc) ||
3246                    copy_in_user(&compat_rxnfc->fs.ring_cookie,
3247                                 &rxnfc->fs.ring_cookie,
3248                                 (const void __user *)(&rxnfc->fs.location + 1) -
3249                                 (const void __user *)&rxnfc->fs.ring_cookie) ||
3250                    copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
3251                                 sizeof(rxnfc->rule_cnt)))
3252                        return -EFAULT;
3253
3254                if (ethcmd == ETHTOOL_GRXCLSRLALL) {
3255                        /* As an optimisation, we only copy the actual
3256                         * number of rules that the underlying
3257                         * function returned.  Since Mallory might
3258                         * change the rule count in user memory, we
3259                         * check that it is less than the rule count
3260                         * originally given (as the user buffer size),
3261                         * which has been range-checked.
3262                         */
3263                        if (get_user(actual_rule_cnt, &rxnfc->rule_cnt))
3264                                return -EFAULT;
3265                        if (actual_rule_cnt < rule_cnt)
3266                                rule_cnt = actual_rule_cnt;
3267                        if (copy_in_user(&compat_rxnfc->rule_locs[0],
3268                                         &rxnfc->rule_locs[0],
3269                                         rule_cnt * sizeof(u32)))
3270                                return -EFAULT;
3271                }
3272        }
3273
3274        return 0;
3275}
3276
3277static int compat_siocwandev(struct net *net, struct compat_ifreq __user *uifr32)
3278{
3279        compat_uptr_t uptr32;
3280        struct ifreq ifr;
3281        void __user *saved;
3282        int err;
3283
3284        if (copy_from_user(&ifr, uifr32, sizeof(struct compat_ifreq)))
3285                return -EFAULT;
3286
3287        if (get_user(uptr32, &uifr32->ifr_settings.ifs_ifsu))
3288                return -EFAULT;
3289
3290        saved = ifr.ifr_settings.ifs_ifsu.raw_hdlc;
3291        ifr.ifr_settings.ifs_ifsu.raw_hdlc = compat_ptr(uptr32);
3292
3293        err = dev_ioctl(net, SIOCWANDEV, &ifr, NULL);
3294        if (!err) {
3295                ifr.ifr_settings.ifs_ifsu.raw_hdlc = saved;
3296                if (copy_to_user(uifr32, &ifr, sizeof(struct compat_ifreq)))
3297                        err = -EFAULT;
3298        }
3299        return err;
3300}
3301
3302/* Handle ioctls that use ifreq::ifr_data and just need struct ifreq converted */
3303static int compat_ifr_data_ioctl(struct net *net, unsigned int cmd,
3304                                 struct compat_ifreq __user *u_ifreq32)
3305{
3306        struct ifreq ifreq;
3307        u32 data32;
3308
3309        if (copy_from_user(ifreq.ifr_name, u_ifreq32->ifr_name, IFNAMSIZ))
3310                return -EFAULT;
3311        if (get_user(data32, &u_ifreq32->ifr_data))
3312                return -EFAULT;
3313        ifreq.ifr_data = compat_ptr(data32);
3314
3315        return dev_ioctl(net, cmd, &ifreq, NULL);
3316}
3317
3318static int compat_ifreq_ioctl(struct net *net, struct socket *sock,
3319                              unsigned int cmd,
3320                              struct compat_ifreq __user *uifr32)
3321{
3322        struct ifreq __user *uifr;
3323        int err;
3324
3325        /* Handle the fact that while struct ifreq has the same *layout* on
3326         * 32/64 for everything but ifreq::ifru_ifmap and ifreq::ifru_data,
3327         * which are handled elsewhere, it still has different *size* due to
3328         * ifreq::ifru_ifmap (which is 16 bytes on 32 bit, 24 bytes on 64-bit,
3329         * resulting in struct ifreq being 32 and 40 bytes respectively).
3330         * As a result, if the struct happens to be at the end of a page and
3331         * the next page isn't readable/writable, we get a fault. To prevent
3332         * that, copy back and forth to the full size.
3333         */
3334
3335        uifr = compat_alloc_user_space(sizeof(*uifr));
3336        if (copy_in_user(uifr, uifr32, sizeof(*uifr32)))
3337                return -EFAULT;
3338
3339        err = sock_do_ioctl(net, sock, cmd, (unsigned long)uifr);
3340
3341        if (!err) {
3342                switch (cmd) {
3343                case SIOCGIFFLAGS:
3344                case SIOCGIFMETRIC:
3345                case SIOCGIFMTU:
3346                case SIOCGIFMEM:
3347                case SIOCGIFHWADDR:
3348                case SIOCGIFINDEX:
3349                case SIOCGIFADDR:
3350                case SIOCGIFBRDADDR:
3351                case SIOCGIFDSTADDR:
3352                case SIOCGIFNETMASK:
3353                case SIOCGIFPFLAGS:
3354                case SIOCGIFTXQLEN:
3355                case SIOCGMIIPHY:
3356                case SIOCGMIIREG:
3357                case SIOCGIFNAME:
3358                        if (copy_in_user(uifr32, uifr, sizeof(*uifr32)))
3359                                err = -EFAULT;
3360                        break;
3361                }
3362        }
3363        return err;
3364}
3365
3366static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
3367                        struct compat_ifreq __user *uifr32)
3368{
3369        struct ifreq ifr;
3370        struct compat_ifmap __user *uifmap32;
3371        int err;
3372
3373        uifmap32 = &uifr32->ifr_ifru.ifru_map;
3374        err = copy_from_user(&ifr, uifr32, sizeof(ifr.ifr_name));
3375        err |= get_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);
3376        err |= get_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);
3377        err |= get_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);
3378        err |= get_user(ifr.ifr_map.irq, &uifmap32->irq);
3379        err |= get_user(ifr.ifr_map.dma, &uifmap32->dma);
3380        err |= get_user(ifr.ifr_map.port, &uifmap32->port);
3381        if (err)
3382                return -EFAULT;
3383
3384        err = dev_ioctl(net, cmd, &ifr, NULL);
3385
3386        if (cmd == SIOCGIFMAP && !err) {
3387                err = copy_to_user(uifr32, &ifr, sizeof(ifr.ifr_name));
3388                err |= put_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);
3389                err |= put_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);
3390                err |= put_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);
3391                err |= put_user(ifr.ifr_map.irq, &uifmap32->irq);
3392                err |= put_user(ifr.ifr_map.dma, &uifmap32->dma);
3393                err |= put_user(ifr.ifr_map.port, &uifmap32->port);
3394                if (err)
3395                        err = -EFAULT;
3396        }
3397        return err;
3398}
3399
3400/* Since old style bridge ioctl's endup using SIOCDEVPRIVATE
3401 * for some operations; this forces use of the newer bridge-utils that
3402 * use compatible ioctls
3403 */
3404static int old_bridge_ioctl(compat_ulong_t __user *argp)
3405{
3406        compat_ulong_t tmp;
3407
3408        if (get_user(tmp, argp))
3409                return -EFAULT;
3410        if (tmp == BRCTL_GET_VERSION)
3411                return BRCTL_VERSION + 1;
3412        return -EINVAL;
3413}
3414
3415static int compat_sock_ioctl_trans(struct file *file, struct socket *sock,
3416                         unsigned int cmd, unsigned long arg)
3417{
3418        void __user *argp = compat_ptr(arg);
3419        struct sock *sk = sock->sk;
3420        struct net *net = sock_net(sk);
3421
3422        if (cmd >= SIOCDEVPRIVATE && cmd <= (SIOCDEVPRIVATE + 15))
3423                return compat_ifr_data_ioctl(net, cmd, argp);
3424
3425        switch (cmd) {
3426        case SIOCSIFBR:
3427        case SIOCGIFBR:
3428                return old_bridge_ioctl(argp);
3429        case SIOCGIFCONF:
3430                return compat_dev_ifconf(net, argp);
3431        case SIOCETHTOOL:
3432                return ethtool_ioctl(net, argp);
3433        case SIOCWANDEV:
3434                return compat_siocwandev(net, argp);
3435        case SIOCGIFMAP:
3436        case SIOCSIFMAP:
3437                return compat_sioc_ifmap(net, cmd, argp);
3438        case SIOCGSTAMP_OLD:
3439        case SIOCGSTAMPNS_OLD:
3440                if (!sock->ops->gettstamp)
3441                        return -ENOIOCTLCMD;
3442                return sock->ops->gettstamp(sock, argp, cmd == SIOCGSTAMP_OLD,
3443                                            !COMPAT_USE_64BIT_TIME);
3444
3445        case SIOCBONDSLAVEINFOQUERY:
3446        case SIOCBONDINFOQUERY:
3447        case SIOCSHWTSTAMP:
3448        case SIOCGHWTSTAMP:
3449                return compat_ifr_data_ioctl(net, cmd, argp);
3450
3451        case FIOSETOWN:
3452        case SIOCSPGRP:
3453        case FIOGETOWN:
3454        case SIOCGPGRP:
3455        case SIOCBRADDBR:
3456        case SIOCBRDELBR:
3457        case SIOCGIFVLAN:
3458        case SIOCSIFVLAN:
3459        case SIOCGSKNS:
3460        case SIOCGSTAMP_NEW:
3461        case SIOCGSTAMPNS_NEW:
3462                return sock_ioctl(file, cmd, arg);
3463
3464        case SIOCGIFFLAGS:
3465        case SIOCSIFFLAGS:
3466        case SIOCGIFMETRIC:
3467        case SIOCSIFMETRIC:
3468        case SIOCGIFMTU:
3469        case SIOCSIFMTU:
3470        case SIOCGIFMEM:
3471        case SIOCSIFMEM:
3472        case SIOCGIFHWADDR:
3473        case SIOCSIFHWADDR:
3474        case SIOCADDMULTI:
3475        case SIOCDELMULTI:
3476        case SIOCGIFINDEX:
3477        case SIOCGIFADDR:
3478        case SIOCSIFADDR:
3479        case SIOCSIFHWBROADCAST:
3480        case SIOCDIFADDR:
3481        case SIOCGIFBRDADDR:
3482        case SIOCSIFBRDADDR:
3483        case SIOCGIFDSTADDR:
3484        case SIOCSIFDSTADDR:
3485        case SIOCGIFNETMASK:
3486        case SIOCSIFNETMASK:
3487        case SIOCSIFPFLAGS:
3488        case SIOCGIFPFLAGS:
3489        case SIOCGIFTXQLEN:
3490        case SIOCSIFTXQLEN:
3491        case SIOCBRADDIF:
3492        case SIOCBRDELIF:
3493        case SIOCGIFNAME:
3494        case SIOCSIFNAME:
3495        case SIOCGMIIPHY:
3496        case SIOCGMIIREG:
3497        case SIOCSMIIREG:
3498        case SIOCBONDENSLAVE:
3499        case SIOCBONDRELEASE:
3500        case SIOCBONDSETHWADDR:
3501        case SIOCBONDCHANGEACTIVE:
3502                return compat_ifreq_ioctl(net, sock, cmd, argp);
3503
3504        case SIOCSARP:
3505        case SIOCGARP:
3506        case SIOCDARP:
3507        case SIOCOUTQ:
3508        case SIOCOUTQNSD:
3509        case SIOCATMARK:
3510                return sock_do_ioctl(net, sock, cmd, arg);
3511        }
3512
3513        return -ENOIOCTLCMD;
3514}
3515
3516static long compat_sock_ioctl(struct file *file, unsigned int cmd,
3517                              unsigned long arg)
3518{
3519        struct socket *sock = file->private_data;
3520        int ret = -ENOIOCTLCMD;
3521        struct sock *sk;
3522        struct net *net;
3523
3524        sk = sock->sk;
3525        net = sock_net(sk);
3526
3527        if (sock->ops->compat_ioctl)
3528                ret = sock->ops->compat_ioctl(sock, cmd, arg);
3529
3530        if (ret == -ENOIOCTLCMD &&
3531            (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST))
3532                ret = compat_wext_handle_ioctl(net, cmd, arg);
3533
3534        if (ret == -ENOIOCTLCMD)
3535                ret = compat_sock_ioctl_trans(file, sock, cmd, arg);
3536
3537        return ret;
3538}
3539#endif
3540
3541/**
3542 *      kernel_bind - bind an address to a socket (kernel space)
3543 *      @sock: socket
3544 *      @addr: address
3545 *      @addrlen: length of address
3546 *
3547 *      Returns 0 or an error.
3548 */
3549
3550int kernel_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
3551{
3552        return sock->ops->bind(sock, addr, addrlen);
3553}
3554EXPORT_SYMBOL(kernel_bind);
3555
3556/**
3557 *      kernel_listen - move socket to listening state (kernel space)
3558 *      @sock: socket
3559 *      @backlog: pending connections queue size
3560 *
3561 *      Returns 0 or an error.
3562 */
3563
3564int kernel_listen(struct socket *sock, int backlog)
3565{
3566        return sock->ops->listen(sock, backlog);
3567}
3568EXPORT_SYMBOL(kernel_listen);
3569
3570/**
3571 *      kernel_accept - accept a connection (kernel space)
3572 *      @sock: listening socket
3573 *      @newsock: new connected socket
3574 *      @flags: flags
3575 *
3576 *      @flags must be SOCK_CLOEXEC, SOCK_NONBLOCK or 0.
3577 *      If it fails, @newsock is guaranteed to be %NULL.
3578 *      Returns 0 or an error.
3579 */
3580
3581int kernel_accept(struct socket *sock, struct socket **newsock, int flags)
3582{
3583        struct sock *sk = sock->sk;
3584        int err;
3585
3586        err = sock_create_lite(sk->sk_family, sk->sk_type, sk->sk_protocol,
3587                               newsock);
3588        if (err < 0)
3589                goto done;
3590
3591        err = sock->ops->accept(sock, *newsock, flags, true);
3592        if (err < 0) {
3593                sock_release(*newsock);
3594                *newsock = NULL;
3595                goto done;
3596        }
3597
3598        (*newsock)->ops = sock->ops;
3599        __module_get((*newsock)->ops->owner);
3600
3601done:
3602        return err;
3603}
3604EXPORT_SYMBOL(kernel_accept);
3605
3606/**
3607 *      kernel_connect - connect a socket (kernel space)
3608 *      @sock: socket
3609 *      @addr: address
3610 *      @addrlen: address length
3611 *      @flags: flags (O_NONBLOCK, ...)
3612 *
3613 *      For datagram sockets, @addr is the address to which datagrams are sent
3614 *      by default, and the only address from which datagrams are received.
3615 *      For stream sockets, attempts to connect to @addr.
3616 *      Returns 0 or an error code.
3617 */
3618
3619int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
3620                   int flags)
3621{
3622        return sock->ops->connect(sock, addr, addrlen, flags);
3623}
3624EXPORT_SYMBOL(kernel_connect);
3625
3626/**
3627 *      kernel_getsockname - get the address which the socket is bound (kernel space)
3628 *      @sock: socket
3629 *      @addr: address holder
3630 *
3631 *      Fills the @addr pointer with the address which the socket is bound.
3632 *      Returns 0 or an error code.
3633 */
3634
3635int kernel_getsockname(struct socket *sock, struct sockaddr *addr)
3636{
3637        return sock->ops->getname(sock, addr, 0);
3638}
3639EXPORT_SYMBOL(kernel_getsockname);
3640
3641/**
3642 *      kernel_getpeername - get the address which the socket is connected (kernel space)
3643 *      @sock: socket
3644 *      @addr: address holder
3645 *
3646 *      Fills the @addr pointer with the address which the socket is connected.
3647 *      Returns 0 or an error code.
3648 */
3649
3650int kernel_getpeername(struct socket *sock, struct sockaddr *addr)
3651{
3652        return sock->ops->getname(sock, addr, 1);
3653}
3654EXPORT_SYMBOL(kernel_getpeername);
3655
3656/**
3657 *      kernel_sendpage - send a &page through a socket (kernel space)
3658 *      @sock: socket
3659 *      @page: page
3660 *      @offset: page offset
3661 *      @size: total size in bytes
3662 *      @flags: flags (MSG_DONTWAIT, ...)
3663 *
3664 *      Returns the total amount sent in bytes or an error.
3665 */
3666
3667int kernel_sendpage(struct socket *sock, struct page *page, int offset,
3668                    size_t size, int flags)
3669{
3670        if (sock->ops->sendpage) {
3671                /* Warn in case the improper page to zero-copy send */
3672                WARN_ONCE(!sendpage_ok(page), "improper page for zero-copy send");
3673                return sock->ops->sendpage(sock, page, offset, size, flags);
3674        }
3675        return sock_no_sendpage(sock, page, offset, size, flags);
3676}
3677EXPORT_SYMBOL(kernel_sendpage);
3678
3679/**
3680 *      kernel_sendpage_locked - send a &page through the locked sock (kernel space)
3681 *      @sk: sock
3682 *      @page: page
3683 *      @offset: page offset
3684 *      @size: total size in bytes
3685 *      @flags: flags (MSG_DONTWAIT, ...)
3686 *
3687 *      Returns the total amount sent in bytes or an error.
3688 *      Caller must hold @sk.
3689 */
3690
3691int kernel_sendpage_locked(struct sock *sk, struct page *page, int offset,
3692                           size_t size, int flags)
3693{
3694        struct socket *sock = sk->sk_socket;
3695
3696        if (sock->ops->sendpage_locked)
3697                return sock->ops->sendpage_locked(sk, page, offset, size,
3698                                                  flags);
3699
3700        return sock_no_sendpage_locked(sk, page, offset, size, flags);
3701}
3702EXPORT_SYMBOL(kernel_sendpage_locked);
3703
3704/**
3705 *      kernel_sock_shutdown - shut down part of a full-duplex connection (kernel space)
3706 *      @sock: socket
3707 *      @how: connection part
3708 *
3709 *      Returns 0 or an error.
3710 */
3711
3712int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how)
3713{
3714        return sock->ops->shutdown(sock, how);
3715}
3716EXPORT_SYMBOL(kernel_sock_shutdown);
3717
3718/**
3719 *      kernel_sock_ip_overhead - returns the IP overhead imposed by a socket
3720 *      @sk: socket
3721 *
3722 *      This routine returns the IP overhead imposed by a socket i.e.
3723 *      the length of the underlying IP header, depending on whether
3724 *      this is an IPv4 or IPv6 socket and the length from IP options turned
3725 *      on at the socket. Assumes that the caller has a lock on the socket.
3726 */
3727
3728u32 kernel_sock_ip_overhead(struct sock *sk)
3729{
3730        struct inet_sock *inet;
3731        struct ip_options_rcu *opt;
3732        u32 overhead = 0;
3733#if IS_ENABLED(CONFIG_IPV6)
3734        struct ipv6_pinfo *np;
3735        struct ipv6_txoptions *optv6 = NULL;
3736#endif /* IS_ENABLED(CONFIG_IPV6) */
3737
3738        if (!sk)
3739                return overhead;
3740
3741        switch (sk->sk_family) {
3742        case AF_INET:
3743                inet = inet_sk(sk);
3744                overhead += sizeof(struct iphdr);
3745                opt = rcu_dereference_protected(inet->inet_opt,
3746                                                sock_owned_by_user(sk));
3747                if (opt)
3748                        overhead += opt->opt.optlen;
3749                return overhead;
3750#if IS_ENABLED(CONFIG_IPV6)
3751        case AF_INET6:
3752                np = inet6_sk(sk);
3753                overhead += sizeof(struct ipv6hdr);
3754                if (np)
3755                        optv6 = rcu_dereference_protected(np->opt,
3756                                                          sock_owned_by_user(sk));
3757                if (optv6)
3758                        overhead += (optv6->opt_flen + optv6->opt_nflen);
3759                return overhead;
3760#endif /* IS_ENABLED(CONFIG_IPV6) */
3761        default: /* Returns 0 overhead if the socket is not ipv4 or ipv6 */
3762                return overhead;
3763        }
3764}
3765EXPORT_SYMBOL(kernel_sock_ip_overhead);
3766