// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package linux

import (
	"bytes"

	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
	"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel"
	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel/kdefs"
	"gvisor.googlesource.com/gvisor/pkg/sentry/memmap"
	"gvisor.googlesource.com/gvisor/pkg/sentry/mm"
	"gvisor.googlesource.com/gvisor/pkg/sentry/usermem"
	"gvisor.googlesource.com/gvisor/pkg/syserror"
)

// Brk implements linux syscall brk(2).
func Brk(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	addr, _ := t.MemoryManager().Brk(t, args[0].Pointer())
	// "However, the actual Linux system call returns the new program break on
	// success. On failure, the system call returns the current break." -
	// brk(2)
	return uintptr(addr), nil, nil
}

// Mmap implements linux syscall mmap(2).
func Mmap(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	prot := args[2].Int()
	flags := args[3].Int()
	fd := kdefs.FD(args[4].Int())
	fixed := flags&linux.MAP_FIXED != 0
	private := flags&linux.MAP_PRIVATE != 0
	shared := flags&linux.MAP_SHARED != 0
	anon := flags&linux.MAP_ANONYMOUS != 0
	map32bit := flags&linux.MAP_32BIT != 0

	// Require exactly one of MAP_PRIVATE and MAP_SHARED.
	if private == shared {
		return 0, nil, syserror.EINVAL
	}

	opts := memmap.MMapOpts{
		Length:   args[1].Uint64(),
		Offset:   args[5].Uint64(),
		Addr:     args[0].Pointer(),
		Fixed:    fixed,
		Unmap:    fixed,
		Map32Bit: map32bit,
		Private:  private,
		Perms: usermem.AccessType{
			Read:    linux.PROT_READ&prot != 0,
			Write:   linux.PROT_WRITE&prot != 0,
			Execute: linux.PROT_EXEC&prot != 0,
		},
		MaxPerms:  usermem.AnyAccess,
		GrowsDown: linux.MAP_GROWSDOWN&flags != 0,
		Precommit: linux.MAP_POPULATE&flags != 0,
	}
	defer func() {
		if opts.MappingIdentity != nil {
			opts.MappingIdentity.DecRef()
		}
	}()

	if !anon {
		// Convert the passed FD to a file reference.
		file := t.FDMap().GetFile(fd)
		if file == nil {
			return 0, nil, syserror.EBADF
		}
		defer file.DecRef()

		flags := file.Flags()
		// mmap unconditionally requires that the FD is readable.
		if !flags.Read {
			return 0, nil, syserror.EACCES
		}
		// MAP_SHARED requires that the FD be writable for PROT_WRITE.
		if shared && !flags.Write {
			opts.MaxPerms.Write = false
		}

		if err := file.ConfigureMMap(t, &opts); err != nil {
			return 0, nil, err
		}
	}

	rv, err := t.MemoryManager().MMap(t, opts)
	return uintptr(rv), nil, err
}

// Munmap implements linux syscall munmap(2).
func Munmap(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	return 0, nil, t.MemoryManager().MUnmap(t, args[0].Pointer(), args[1].Uint64())
}

// Mremap implements linux syscall mremap(2).
func Mremap(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	oldAddr := args[0].Pointer()
	oldSize := args[1].Uint64()
	newSize := args[2].Uint64()
	flags := args[3].Uint64()
	newAddr := args[4].Pointer()

	if flags&^(linux.MREMAP_MAYMOVE|linux.MREMAP_FIXED) != 0 {
		return 0, nil, syserror.EINVAL
	}
	mayMove := flags&linux.MREMAP_MAYMOVE != 0
	fixed := flags&linux.MREMAP_FIXED != 0
	var moveMode mm.MRemapMoveMode
	switch {
	case !mayMove && !fixed:
		moveMode = mm.MRemapNoMove
	case mayMove && !fixed:
		moveMode = mm.MRemapMayMove
	case mayMove && fixed:
		moveMode = mm.MRemapMustMove
	case !mayMove && fixed:
		// "If MREMAP_FIXED is specified, then MREMAP_MAYMOVE must also be
		// specified." - mremap(2)
		return 0, nil, syserror.EINVAL
	}

	rv, err := t.MemoryManager().MRemap(t, oldAddr, oldSize, newSize, mm.MRemapOpts{
		Move:    moveMode,
		NewAddr: newAddr,
	})
	return uintptr(rv), nil, err
}

// Mprotect implements linux syscall mprotect(2).
func Mprotect(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	length := args[1].Uint64()
	prot := args[2].Int()
	err := t.MemoryManager().MProtect(args[0].Pointer(), length, usermem.AccessType{
		Read:    linux.PROT_READ&prot != 0,
		Write:   linux.PROT_WRITE&prot != 0,
		Execute: linux.PROT_EXEC&prot != 0,
	}, linux.PROT_GROWSDOWN&prot != 0)
	return 0, nil, err
}

// Madvise implements linux syscall madvise(2).
func Madvise(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	addr := args[0].Pointer()
	length := uint64(args[1].SizeT())
	adv := args[2].Int()

	// "The Linux implementation requires that the address addr be
	// page-aligned, and allows length to be zero." - madvise(2)
	if addr.RoundDown() != addr {
		return 0, nil, syserror.EINVAL
	}
	if length == 0 {
		return 0, nil, nil
	}
	// Not explicitly stated: length need not be page-aligned.
	lenAddr, ok := usermem.Addr(length).RoundUp()
	if !ok {
		return 0, nil, syserror.EINVAL
	}
	length = uint64(lenAddr)

	switch adv {
	case linux.MADV_DONTNEED:
		return 0, nil, t.MemoryManager().Decommit(addr, length)
	case linux.MADV_HUGEPAGE, linux.MADV_NOHUGEPAGE:
		fallthrough
	case linux.MADV_MERGEABLE, linux.MADV_UNMERGEABLE:
		fallthrough
	case linux.MADV_DONTDUMP, linux.MADV_DODUMP:
		// TODO: Core dumping isn't implemented, so these are
		// no-ops.
		fallthrough
	case linux.MADV_NORMAL, linux.MADV_RANDOM, linux.MADV_SEQUENTIAL, linux.MADV_WILLNEED:
		// Do nothing, we totally ignore the suggestions above.
		return 0, nil, nil
	case linux.MADV_REMOVE, linux.MADV_DOFORK, linux.MADV_DONTFORK:
		// These "suggestions" have application-visible side effects, so we
		// have to indicate that we don't support them.
		return 0, nil, syserror.ENOSYS
	case linux.MADV_HWPOISON:
		// Only privileged processes are allowed to poison pages.
		return 0, nil, syserror.EPERM
	default:
		// If adv is not a valid value tell the caller.
		return 0, nil, syserror.EINVAL
	}
}

func copyOutIfNotNull(t *kernel.Task, ptr usermem.Addr, val interface{}) (int, error) {
	if ptr != 0 {
		return t.CopyOut(ptr, val)
	}
	return 0, nil
}

// GetMempolicy implements the syscall get_mempolicy(2).
func GetMempolicy(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	mode := args[0].Pointer()
	nodemask := args[1].Pointer()
	maxnode := args[2].Uint()
	addr := args[3].Pointer()
	flags := args[4].Uint()

	memsAllowed := flags&linux.MPOL_F_MEMS_ALLOWED != 0
	nodeFlag := flags&linux.MPOL_F_NODE != 0
	addrFlag := flags&linux.MPOL_F_ADDR != 0

	// TODO: Once sysfs is implemented, report a single numa node in
	// /sys/devices/system/node.
	if nodemask != 0 && maxnode < 1 {
		return 0, nil, syserror.EINVAL
	}

	// 'addr' provided iff 'addrFlag' set.
	if addrFlag == (addr == 0) {
		return 0, nil, syserror.EINVAL
	}

	// Default policy for the thread.
	if flags == 0 {
		policy, nodemaskVal := t.NumaPolicy()
		if _, err := copyOutIfNotNull(t, mode, policy); err != nil {
			return 0, nil, syserror.EFAULT
		}
		if _, err := copyOutIfNotNull(t, nodemask, nodemaskVal); err != nil {
			return 0, nil, syserror.EFAULT
		}
		return 0, nil, nil
	}

	// Report all nodes available to caller.
	if memsAllowed {
		// MPOL_F_NODE and MPOL_F_ADDR not allowed with MPOL_F_MEMS_ALLOWED.
		if nodeFlag || addrFlag {
			return 0, nil, syserror.EINVAL
		}

		// Report a single numa node.
		if _, err := copyOutIfNotNull(t, nodemask, uint32(0x1)); err != nil {
			return 0, nil, syserror.EFAULT
		}
		return 0, nil, nil
	}

	if addrFlag {
		if nodeFlag {
			// Return the id for the node where 'addr' resides, via 'mode'.
			//
			// The real get_mempolicy(2) allocates the page referenced by 'addr'
			// by simulating a read, if it is unallocated before the call. It
			// then returns the node the page is allocated on through the mode
			// pointer.
			b := t.CopyScratchBuffer(1)
			_, err := t.CopyInBytes(addr, b)
			if err != nil {
				return 0, nil, syserror.EFAULT
			}
			if _, err := copyOutIfNotNull(t, mode, int32(0)); err != nil {
				return 0, nil, syserror.EFAULT
			}
		} else {
			storedPolicy, _ := t.NumaPolicy()
			// Return the policy governing the memory referenced by 'addr'.
			if _, err := copyOutIfNotNull(t, mode, int32(storedPolicy)); err != nil {
				return 0, nil, syserror.EFAULT
			}
		}
		return 0, nil, nil
	}

	storedPolicy, _ := t.NumaPolicy()
	if nodeFlag && (storedPolicy&^linux.MPOL_MODE_FLAGS == linux.MPOL_INTERLEAVE) {
		// Policy for current thread is to interleave memory between
		// nodes. Return the next node we'll allocate on. Since we only have a
		// single node, this is always node 0.
		if _, err := copyOutIfNotNull(t, mode, int32(0)); err != nil {
			return 0, nil, syserror.EFAULT
		}
		return 0, nil, nil
	}

	return 0, nil, syserror.EINVAL
}

func allowedNodesMask() uint32 {
	const maxNodes = 1
	return ^uint32((1 << maxNodes) - 1)
}

// SetMempolicy implements the syscall set_mempolicy(2).
func SetMempolicy(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	modeWithFlags := args[0].Int()
	nodemask := args[1].Pointer()
	maxnode := args[2].Uint()

	if maxnode < 1 {
		return 0, nil, syserror.EINVAL
	}

	if modeWithFlags&linux.MPOL_MODE_FLAGS == linux.MPOL_MODE_FLAGS {
		// Can't specify multiple modes simultaneously. Must also contain a
		// valid mode, which we check below.
		return 0, nil, syserror.EINVAL
	}

	mode := modeWithFlags &^ linux.MPOL_MODE_FLAGS
	if mode < 0 || mode >= linux.MPOL_MAX {
		return 0, nil, syserror.EINVAL
	}

	var nodemaskVal uint32
	if _, err := t.CopyIn(nodemask, &nodemaskVal); err != nil {
		return 0, nil, syserror.EFAULT
	}

	// When setting MPOL_INTERLEAVE, nodemask must not be empty.
	if mode == linux.MPOL_INTERLEAVE && nodemaskVal == 0 {
		return 0, nil, syserror.EINVAL
	}

	if nodemaskVal&allowedNodesMask() != 0 {
		// Invalid node specified.
		return 0, nil, syserror.EINVAL
	}

	t.SetNumaPolicy(int32(modeWithFlags), nodemaskVal)

	return 0, nil, nil
}

// Mincore implements the syscall mincore(2).
func Mincore(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	addr := args[0].Pointer()
	length := args[1].SizeT()
	vec := args[2].Pointer()

	if addr != addr.RoundDown() {
		return 0, nil, syserror.EINVAL
	}
	// "The length argument need not be a multiple of the page size, but since
	// residency information is returned for whole pages, length is effectively
	// rounded up to the next multiple of the page size." - mincore(2)
	la, ok := usermem.Addr(length).RoundUp()
	if !ok {
		return 0, nil, syserror.ENOMEM
	}
	ar, ok := addr.ToRange(uint64(la))
	if !ok {
		return 0, nil, syserror.ENOMEM
	}

	// Pretend that all mapped pages are "resident in core".
	mapped := t.MemoryManager().VirtualMemorySizeRange(ar)
	// "ENOMEM: addr to addr + length contained unmapped memory."
	if mapped != uint64(la) {
		return 0, nil, syserror.ENOMEM
	}
	resident := bytes.Repeat([]byte{1}, int(mapped/usermem.PageSize))
	_, err := t.CopyOut(vec, resident)
	return 0, nil, err
}

// Msync implements Linux syscall msync(2).
func Msync(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
	addr := args[0].Pointer()
	length := args[1].SizeT()
	flags := args[2].Int()

	if addr != addr.RoundDown() {
		return 0, nil, syserror.EINVAL
	}
	if length == 0 {
		return 0, nil, nil
	}
	la, ok := usermem.Addr(length).RoundUp()
	if !ok {
		return 0, nil, syserror.ENOMEM
	}
	// "The flags argument should specify exactly one of MS_ASYNC and MS_SYNC,
	// and may additionally include the MS_INVALIDATE bit. ... However, Linux
	// permits a call to msync() that specifies neither of these flags, with
	// semantics that are (currently) equivalent to specifying MS_ASYNC." -
	// msync(2)
	if flags&^(linux.MS_ASYNC|linux.MS_SYNC|linux.MS_INVALIDATE) != 0 {
		return 0, nil, syserror.EINVAL
	}
	sync := flags&linux.MS_SYNC != 0
	if sync && flags&linux.MS_ASYNC != 0 {
		return 0, nil, syserror.EINVAL
	}

	// MS_INVALIDATE "asks to invalidate other mappings of the same file (so
	// that they can be updated with the fresh values just written)". This is a
	// no-op given that shared memory exists. However, MS_INVALIDATE can also
	// be used to detect mlocks: "EBUSY: MS_INVALIDATE was specified in flags,
	// and a memory lock exists for the specified address range." Given that
	// mlock is stubbed out, it's unsafe to pass MS_INVALIDATE silently since
	// some user program could be using it for synchronization.
	if flags&linux.MS_INVALIDATE != 0 {
		return 0, nil, syserror.EINVAL
	}
	// MS_SYNC "requests an update and waits for it to complete."
	if sync {
		err := t.MemoryManager().Sync(t, addr, uint64(la))
		// Sync calls fsync, the same interrupt conversion rules apply, see
		// mm/msync.c, fsync POSIX.1-2008.
		return 0, nil, syserror.ConvertIntr(err, kernel.ERESTARTSYS)
	}
	// MS_ASYNC "specifies that an update be scheduled, but the call returns
	// immediately". As long as dirty pages are tracked and eventually written
	// back, this is a no-op. (Correspondingly: "Since Linux 2.6.19, MS_ASYNC
	// is in fact a no-op, since the kernel properly tracks dirty pages and
	// flushes them to storage as necessary.")
	//
	// However: "ENOMEM: The indicated memory (or part of it) was not mapped."
	// This applies even for MS_ASYNC.
	ar, ok := addr.ToRange(uint64(la))
	if !ok {
		return 0, nil, syserror.ENOMEM
	}
	mapped := t.MemoryManager().VirtualMemorySizeRange(ar)
	if mapped != uint64(la) {
		return 0, nil, syserror.ENOMEM
	}
	return 0, nil, nil
}