1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
79 #include <linux/splice.h>
80 #include <linux/task_work.h>
81 #include <linux/pagemap.h>
83 #define CREATE_TRACE_POINTS
84 #include <trace/events/io_uring.h>
86 #include <uapi/linux/io_uring.h>
91 #define IORING_MAX_ENTRIES 32768
92 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
95 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
97 #define IORING_FILE_TABLE_SHIFT 9
98 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
99 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
100 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
103 u32 head ____cacheline_aligned_in_smp;
104 u32 tail ____cacheline_aligned_in_smp;
108 * This data is shared with the application through the mmap at offsets
109 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
111 * The offsets to the member fields are published through struct
112 * io_sqring_offsets when calling io_uring_setup.
116 * Head and tail offsets into the ring; the offsets need to be
117 * masked to get valid indices.
119 * The kernel controls head of the sq ring and the tail of the cq ring,
120 * and the application controls tail of the sq ring and the head of the
123 struct io_uring sq, cq;
125 * Bitmasks to apply to head and tail offsets (constant, equals
128 u32 sq_ring_mask, cq_ring_mask;
129 /* Ring sizes (constant, power of 2) */
130 u32 sq_ring_entries, cq_ring_entries;
132 * Number of invalid entries dropped by the kernel due to
133 * invalid index stored in array
135 * Written by the kernel, shouldn't be modified by the
136 * application (i.e. get number of "new events" by comparing to
139 * After a new SQ head value was read by the application this
140 * counter includes all submissions that were dropped reaching
141 * the new SQ head (and possibly more).
147 * Written by the kernel, shouldn't be modified by the
150 * The application needs a full memory barrier before checking
151 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
157 * Written by the application, shouldn't be modified by the
162 * Number of completion events lost because the queue was full;
163 * this should be avoided by the application by making sure
164 * there are not more requests pending than there is space in
165 * the completion queue.
167 * Written by the kernel, shouldn't be modified by the
168 * application (i.e. get number of "new events" by comparing to
171 * As completion events come in out of order this counter is not
172 * ordered with any other data.
176 * Ring buffer of completion events.
178 * The kernel writes completion events fresh every time they are
179 * produced, so the application is allowed to modify pending
182 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
185 struct io_mapped_ubuf {
188 struct bio_vec *bvec;
189 unsigned int nr_bvecs;
192 struct fixed_file_table {
196 struct fixed_file_ref_node {
197 struct percpu_ref refs;
198 struct list_head node;
199 struct list_head file_list;
200 struct fixed_file_data *file_data;
201 struct llist_node llist;
204 struct fixed_file_data {
205 struct fixed_file_table *table;
206 struct io_ring_ctx *ctx;
208 struct percpu_ref *cur_refs;
209 struct percpu_ref refs;
210 struct completion done;
211 struct list_head ref_list;
216 struct list_head list;
224 struct percpu_ref refs;
225 } ____cacheline_aligned_in_smp;
229 unsigned int compat: 1;
230 unsigned int limit_mem: 1;
231 unsigned int cq_overflow_flushed: 1;
232 unsigned int drain_next: 1;
233 unsigned int eventfd_async: 1;
236 * Ring buffer of indices into array of io_uring_sqe, which is
237 * mmapped by the application using the IORING_OFF_SQES offset.
239 * This indirection could e.g. be used to assign fixed
240 * io_uring_sqe entries to operations and only submit them to
241 * the queue when needed.
243 * The kernel modifies neither the indices array nor the entries
247 unsigned cached_sq_head;
250 unsigned sq_thread_idle;
251 unsigned cached_sq_dropped;
252 atomic_t cached_cq_overflow;
253 unsigned long sq_check_overflow;
255 struct list_head defer_list;
256 struct list_head timeout_list;
257 struct list_head cq_overflow_list;
259 wait_queue_head_t inflight_wait;
260 struct io_uring_sqe *sq_sqes;
261 } ____cacheline_aligned_in_smp;
263 struct io_rings *rings;
267 struct task_struct *sqo_thread; /* if using sq thread polling */
268 struct mm_struct *sqo_mm;
269 wait_queue_head_t sqo_wait;
272 * If used, fixed file set. Writers must ensure that ->refs is dead,
273 * readers must ensure that ->refs is alive as long as the file* is
274 * used. Only updated through io_uring_register(2).
276 struct fixed_file_data *file_data;
277 unsigned nr_user_files;
279 struct file *ring_file;
281 /* if used, fixed mapped user buffers */
282 unsigned nr_user_bufs;
283 struct io_mapped_ubuf *user_bufs;
285 struct user_struct *user;
287 const struct cred *creds;
289 struct completion ref_comp;
290 struct completion sq_thread_comp;
292 /* if all else fails... */
293 struct io_kiocb *fallback_req;
295 #if defined(CONFIG_UNIX)
296 struct socket *ring_sock;
299 struct idr io_buffer_idr;
301 struct idr personality_idr;
304 unsigned cached_cq_tail;
307 atomic_t cq_timeouts;
308 unsigned long cq_check_overflow;
309 struct wait_queue_head cq_wait;
310 struct fasync_struct *cq_fasync;
311 struct eventfd_ctx *cq_ev_fd;
312 } ____cacheline_aligned_in_smp;
315 struct mutex uring_lock;
316 wait_queue_head_t wait;
317 } ____cacheline_aligned_in_smp;
320 spinlock_t completion_lock;
323 * ->poll_list is protected by the ctx->uring_lock for
324 * io_uring instances that don't use IORING_SETUP_SQPOLL.
325 * For SQPOLL, only the single threaded io_sq_thread() will
326 * manipulate the list, hence no extra locking is needed there.
328 struct list_head poll_list;
329 struct hlist_head *cancel_hash;
330 unsigned cancel_hash_bits;
331 bool poll_multi_file;
333 spinlock_t inflight_lock;
334 struct list_head inflight_list;
335 } ____cacheline_aligned_in_smp;
337 struct delayed_work file_put_work;
338 struct llist_head file_put_llist;
340 struct work_struct exit_work;
344 * First field must be the file pointer in all the
345 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
347 struct io_poll_iocb {
350 struct wait_queue_head *head;
356 struct wait_queue_entry wait;
361 struct file *put_file;
365 struct io_timeout_data {
366 struct io_kiocb *req;
367 struct hrtimer timer;
368 struct timespec64 ts;
369 enum hrtimer_mode mode;
374 struct sockaddr __user *addr;
375 int __user *addr_len;
377 unsigned long nofile;
402 /* NOTE: kiocb has the file as the first member, so don't do it here */
410 struct sockaddr __user *addr;
417 struct user_msghdr __user *msg;
423 struct io_buffer *kbuf;
429 struct filename *filename;
431 unsigned long nofile;
434 struct io_files_update {
460 struct epoll_event event;
464 struct file *file_out;
465 struct file *file_in;
472 struct io_provide_buf {
486 const char __user *filename;
487 struct statx __user *buffer;
490 struct io_async_connect {
491 struct sockaddr_storage address;
494 struct io_async_msghdr {
495 struct iovec fast_iov[UIO_FASTIOV];
497 struct sockaddr __user *uaddr;
499 struct sockaddr_storage addr;
503 struct iovec fast_iov[UIO_FASTIOV];
507 struct wait_page_queue wpq;
508 struct callback_head task_work;
511 struct io_async_ctx {
513 struct io_async_rw rw;
514 struct io_async_msghdr msg;
515 struct io_async_connect connect;
516 struct io_timeout_data timeout;
521 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
522 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
523 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
524 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
525 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
526 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
533 REQ_F_LINK_TIMEOUT_BIT,
535 REQ_F_COMP_LOCKED_BIT,
536 REQ_F_NEED_CLEANUP_BIT,
539 REQ_F_BUFFER_SELECTED_BIT,
540 REQ_F_NO_FILE_TABLE_BIT,
541 REQ_F_WORK_INITIALIZED_BIT,
542 REQ_F_TASK_PINNED_BIT,
544 /* not a real bit, just to check we're not overflowing the space */
550 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
551 /* drain existing IO first */
552 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
554 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
555 /* doesn't sever on completion < 0 */
556 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
558 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
559 /* IOSQE_BUFFER_SELECT */
560 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
563 REQ_F_LINK_HEAD = BIT(REQ_F_LINK_HEAD_BIT),
564 /* fail rest of links */
565 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
566 /* on inflight list */
567 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
568 /* read/write uses file position */
569 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
570 /* must not punt to workers */
571 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
572 /* has linked timeout */
573 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
575 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
576 /* completion under lock */
577 REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
579 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
580 /* in overflow list */
581 REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
582 /* already went through poll handler */
583 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
584 /* buffer already selected */
585 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
586 /* doesn't need file table for this request */
587 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
588 /* io_wq_work is initialized */
589 REQ_F_WORK_INITIALIZED = BIT(REQ_F_WORK_INITIALIZED_BIT),
590 /* req->task is refcounted */
591 REQ_F_TASK_PINNED = BIT(REQ_F_TASK_PINNED_BIT),
595 struct io_poll_iocb poll;
596 struct io_wq_work work;
600 * NOTE! Each of the iocb union members has the file pointer
601 * as the first entry in their struct definition. So you can
602 * access the file pointer through any of the sub-structs,
603 * or directly as just 'ki_filp' in this struct.
609 struct io_poll_iocb poll;
610 struct io_accept accept;
612 struct io_cancel cancel;
613 struct io_timeout timeout;
614 struct io_connect connect;
615 struct io_sr_msg sr_msg;
617 struct io_close close;
618 struct io_files_update files_update;
619 struct io_fadvise fadvise;
620 struct io_madvise madvise;
621 struct io_epoll epoll;
622 struct io_splice splice;
623 struct io_provide_buf pbuf;
624 struct io_statx statx;
627 struct io_async_ctx *io;
630 /* polled IO has completed */
635 struct io_ring_ctx *ctx;
636 struct list_head list;
639 struct task_struct *task;
645 struct list_head link_list;
647 struct list_head inflight_entry;
649 struct percpu_ref *fixed_file_refs;
653 * Only commands that never go async can use the below fields,
654 * obviously. Right now only IORING_OP_POLL_ADD uses them, and
655 * async armed poll handlers for regular commands. The latter
656 * restore the work, if needed.
659 struct hlist_node hash_node;
660 struct async_poll *apoll;
662 struct io_wq_work work;
664 struct callback_head task_work;
667 #define IO_IOPOLL_BATCH 8
669 struct io_comp_state {
671 struct list_head list;
672 struct io_ring_ctx *ctx;
675 struct io_submit_state {
676 struct blk_plug plug;
679 * io_kiocb alloc cache
681 void *reqs[IO_IOPOLL_BATCH];
682 unsigned int free_reqs;
685 * Batch completion logic
687 struct io_comp_state comp;
690 * File reference cache
694 unsigned int has_refs;
695 unsigned int used_refs;
696 unsigned int ios_left;
700 /* needs req->io allocated for deferral/async */
701 unsigned async_ctx : 1;
702 /* needs current->mm setup, does mm access */
703 unsigned needs_mm : 1;
704 /* needs req->file assigned */
705 unsigned needs_file : 1;
706 /* don't fail if file grab fails */
707 unsigned needs_file_no_error : 1;
708 /* hash wq insertion if file is a regular file */
709 unsigned hash_reg_file : 1;
710 /* unbound wq insertion if file is a non-regular file */
711 unsigned unbound_nonreg_file : 1;
712 /* opcode is not supported by this kernel */
713 unsigned not_supported : 1;
714 /* needs file table */
715 unsigned file_table : 1;
717 unsigned needs_fs : 1;
718 /* set if opcode supports polled "wait" */
720 unsigned pollout : 1;
721 /* op supports buffer selection */
722 unsigned buffer_select : 1;
725 static const struct io_op_def io_op_defs[] = {
726 [IORING_OP_NOP] = {},
727 [IORING_OP_READV] = {
731 .unbound_nonreg_file = 1,
735 [IORING_OP_WRITEV] = {
740 .unbound_nonreg_file = 1,
743 [IORING_OP_FSYNC] = {
746 [IORING_OP_READ_FIXED] = {
748 .unbound_nonreg_file = 1,
751 [IORING_OP_WRITE_FIXED] = {
754 .unbound_nonreg_file = 1,
757 [IORING_OP_POLL_ADD] = {
759 .unbound_nonreg_file = 1,
761 [IORING_OP_POLL_REMOVE] = {},
762 [IORING_OP_SYNC_FILE_RANGE] = {
765 [IORING_OP_SENDMSG] = {
769 .unbound_nonreg_file = 1,
773 [IORING_OP_RECVMSG] = {
777 .unbound_nonreg_file = 1,
782 [IORING_OP_TIMEOUT] = {
786 [IORING_OP_TIMEOUT_REMOVE] = {},
787 [IORING_OP_ACCEPT] = {
790 .unbound_nonreg_file = 1,
794 [IORING_OP_ASYNC_CANCEL] = {},
795 [IORING_OP_LINK_TIMEOUT] = {
799 [IORING_OP_CONNECT] = {
803 .unbound_nonreg_file = 1,
806 [IORING_OP_FALLOCATE] = {
809 [IORING_OP_OPENAT] = {
813 [IORING_OP_CLOSE] = {
815 .needs_file_no_error = 1,
818 [IORING_OP_FILES_UPDATE] = {
822 [IORING_OP_STATX] = {
830 .unbound_nonreg_file = 1,
834 [IORING_OP_WRITE] = {
837 .unbound_nonreg_file = 1,
840 [IORING_OP_FADVISE] = {
843 [IORING_OP_MADVISE] = {
849 .unbound_nonreg_file = 1,
855 .unbound_nonreg_file = 1,
859 [IORING_OP_OPENAT2] = {
863 [IORING_OP_EPOLL_CTL] = {
864 .unbound_nonreg_file = 1,
867 [IORING_OP_SPLICE] = {
870 .unbound_nonreg_file = 1,
872 [IORING_OP_PROVIDE_BUFFERS] = {},
873 [IORING_OP_REMOVE_BUFFERS] = {},
877 .unbound_nonreg_file = 1,
881 enum io_mem_account {
886 static bool io_rw_reissue(struct io_kiocb *req, long res);
887 static void io_cqring_fill_event(struct io_kiocb *req, long res);
888 static void io_put_req(struct io_kiocb *req);
889 static void io_double_put_req(struct io_kiocb *req);
890 static void __io_double_put_req(struct io_kiocb *req);
891 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
892 static void io_queue_linked_timeout(struct io_kiocb *req);
893 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
894 struct io_uring_files_update *ip,
896 static int io_grab_files(struct io_kiocb *req);
897 static void io_complete_rw_common(struct kiocb *kiocb, long res,
898 struct io_comp_state *cs);
899 static void io_cleanup_req(struct io_kiocb *req);
900 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
901 int fd, struct file **out_file, bool fixed);
902 static void __io_queue_sqe(struct io_kiocb *req,
903 const struct io_uring_sqe *sqe,
904 struct io_comp_state *cs);
906 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
907 struct iovec **iovec, struct iov_iter *iter,
909 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
910 struct iovec *iovec, struct iovec *fast_iov,
911 struct iov_iter *iter);
913 static struct kmem_cache *req_cachep;
915 static const struct file_operations io_uring_fops;
917 struct sock *io_uring_get_socket(struct file *file)
919 #if defined(CONFIG_UNIX)
920 if (file->f_op == &io_uring_fops) {
921 struct io_ring_ctx *ctx = file->private_data;
923 return ctx->ring_sock->sk;
928 EXPORT_SYMBOL(io_uring_get_socket);
930 static void io_get_req_task(struct io_kiocb *req)
932 if (req->flags & REQ_F_TASK_PINNED)
934 get_task_struct(req->task);
935 req->flags |= REQ_F_TASK_PINNED;
938 /* not idempotent -- it doesn't clear REQ_F_TASK_PINNED */
939 static void __io_put_req_task(struct io_kiocb *req)
941 if (req->flags & REQ_F_TASK_PINNED)
942 put_task_struct(req->task);
945 static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
947 struct mm_struct *mm = current->mm;
950 kthread_unuse_mm(mm);
955 static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
958 if (unlikely(!ctx->sqo_mm || !mmget_not_zero(ctx->sqo_mm)))
960 kthread_use_mm(ctx->sqo_mm);
966 static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
967 struct io_kiocb *req)
969 if (!io_op_defs[req->opcode].needs_mm)
971 return __io_sq_thread_acquire_mm(ctx);
974 static inline void req_set_fail_links(struct io_kiocb *req)
976 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
977 req->flags |= REQ_F_FAIL_LINK;
980 static void io_file_put_work(struct work_struct *work);
983 * Note: must call io_req_init_async() for the first time you
984 * touch any members of io_wq_work.
986 static inline void io_req_init_async(struct io_kiocb *req)
988 if (req->flags & REQ_F_WORK_INITIALIZED)
991 memset(&req->work, 0, sizeof(req->work));
992 req->flags |= REQ_F_WORK_INITIALIZED;
995 static inline bool io_async_submit(struct io_ring_ctx *ctx)
997 return ctx->flags & IORING_SETUP_SQPOLL;
1000 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
1002 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1004 complete(&ctx->ref_comp);
1007 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1009 return !req->timeout.off;
1012 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1014 struct io_ring_ctx *ctx;
1017 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1021 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
1022 if (!ctx->fallback_req)
1026 * Use 5 bits less than the max cq entries, that should give us around
1027 * 32 entries per hash list if totally full and uniformly spread.
1029 hash_bits = ilog2(p->cq_entries);
1033 ctx->cancel_hash_bits = hash_bits;
1034 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1036 if (!ctx->cancel_hash)
1038 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1040 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1041 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
1044 ctx->flags = p->flags;
1045 init_waitqueue_head(&ctx->sqo_wait);
1046 init_waitqueue_head(&ctx->cq_wait);
1047 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1048 init_completion(&ctx->ref_comp);
1049 init_completion(&ctx->sq_thread_comp);
1050 idr_init(&ctx->io_buffer_idr);
1051 idr_init(&ctx->personality_idr);
1052 mutex_init(&ctx->uring_lock);
1053 init_waitqueue_head(&ctx->wait);
1054 spin_lock_init(&ctx->completion_lock);
1055 INIT_LIST_HEAD(&ctx->poll_list);
1056 INIT_LIST_HEAD(&ctx->defer_list);
1057 INIT_LIST_HEAD(&ctx->timeout_list);
1058 init_waitqueue_head(&ctx->inflight_wait);
1059 spin_lock_init(&ctx->inflight_lock);
1060 INIT_LIST_HEAD(&ctx->inflight_list);
1061 INIT_DELAYED_WORK(&ctx->file_put_work, io_file_put_work);
1062 init_llist_head(&ctx->file_put_llist);
1065 if (ctx->fallback_req)
1066 kmem_cache_free(req_cachep, ctx->fallback_req);
1067 kfree(ctx->cancel_hash);
1072 static inline bool __req_need_defer(struct io_kiocb *req)
1074 struct io_ring_ctx *ctx = req->ctx;
1076 return req->sequence != ctx->cached_cq_tail
1077 + atomic_read(&ctx->cached_cq_overflow);
1080 static inline bool req_need_defer(struct io_kiocb *req)
1082 if (unlikely(req->flags & REQ_F_IO_DRAIN))
1083 return __req_need_defer(req);
1088 static void __io_commit_cqring(struct io_ring_ctx *ctx)
1090 struct io_rings *rings = ctx->rings;
1092 /* order cqe stores with ring update */
1093 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
1095 if (wq_has_sleeper(&ctx->cq_wait)) {
1096 wake_up_interruptible(&ctx->cq_wait);
1097 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1101 static void io_req_work_grab_env(struct io_kiocb *req)
1103 const struct io_op_def *def = &io_op_defs[req->opcode];
1105 io_req_init_async(req);
1107 if (!req->work.mm && def->needs_mm) {
1108 mmgrab(current->mm);
1109 req->work.mm = current->mm;
1111 if (!req->work.creds)
1112 req->work.creds = get_current_cred();
1113 if (!req->work.fs && def->needs_fs) {
1114 spin_lock(¤t->fs->lock);
1115 if (!current->fs->in_exec) {
1116 req->work.fs = current->fs;
1117 req->work.fs->users++;
1119 req->work.flags |= IO_WQ_WORK_CANCEL;
1121 spin_unlock(¤t->fs->lock);
1125 static inline void io_req_work_drop_env(struct io_kiocb *req)
1127 if (!(req->flags & REQ_F_WORK_INITIALIZED))
1131 mmdrop(req->work.mm);
1132 req->work.mm = NULL;
1134 if (req->work.creds) {
1135 put_cred(req->work.creds);
1136 req->work.creds = NULL;
1139 struct fs_struct *fs = req->work.fs;
1141 spin_lock(&req->work.fs->lock);
1144 spin_unlock(&req->work.fs->lock);
1150 static void io_prep_async_work(struct io_kiocb *req)
1152 const struct io_op_def *def = &io_op_defs[req->opcode];
1154 if (req->flags & REQ_F_ISREG) {
1155 if (def->hash_reg_file)
1156 io_wq_hash_work(&req->work, file_inode(req->file));
1158 if (def->unbound_nonreg_file)
1159 req->work.flags |= IO_WQ_WORK_UNBOUND;
1162 io_req_work_grab_env(req);
1165 static void io_prep_async_link(struct io_kiocb *req)
1167 struct io_kiocb *cur;
1169 io_prep_async_work(req);
1170 if (req->flags & REQ_F_LINK_HEAD)
1171 list_for_each_entry(cur, &req->link_list, link_list)
1172 io_prep_async_work(cur);
1175 static void __io_queue_async_work(struct io_kiocb *req)
1177 struct io_ring_ctx *ctx = req->ctx;
1178 struct io_kiocb *link = io_prep_linked_timeout(req);
1180 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1181 &req->work, req->flags);
1182 io_wq_enqueue(ctx->io_wq, &req->work);
1185 io_queue_linked_timeout(link);
1188 static void io_queue_async_work(struct io_kiocb *req)
1190 /* init ->work of the whole link before punting */
1191 io_prep_async_link(req);
1192 __io_queue_async_work(req);
1195 static void io_kill_timeout(struct io_kiocb *req)
1199 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1201 atomic_inc(&req->ctx->cq_timeouts);
1202 list_del_init(&req->list);
1203 req->flags |= REQ_F_COMP_LOCKED;
1204 io_cqring_fill_event(req, 0);
1209 static void io_kill_timeouts(struct io_ring_ctx *ctx)
1211 struct io_kiocb *req, *tmp;
1213 spin_lock_irq(&ctx->completion_lock);
1214 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
1215 io_kill_timeout(req);
1216 spin_unlock_irq(&ctx->completion_lock);
1219 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1222 struct io_kiocb *req = list_first_entry(&ctx->defer_list,
1223 struct io_kiocb, list);
1225 if (req_need_defer(req))
1227 list_del_init(&req->list);
1228 /* punt-init is done before queueing for defer */
1229 __io_queue_async_work(req);
1230 } while (!list_empty(&ctx->defer_list));
1233 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1235 while (!list_empty(&ctx->timeout_list)) {
1236 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1237 struct io_kiocb, list);
1239 if (io_is_timeout_noseq(req))
1241 if (req->timeout.target_seq != ctx->cached_cq_tail
1242 - atomic_read(&ctx->cq_timeouts))
1245 list_del_init(&req->list);
1246 io_kill_timeout(req);
1250 static void io_commit_cqring(struct io_ring_ctx *ctx)
1252 io_flush_timeouts(ctx);
1253 __io_commit_cqring(ctx);
1255 if (unlikely(!list_empty(&ctx->defer_list)))
1256 __io_queue_deferred(ctx);
1259 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1261 struct io_rings *rings = ctx->rings;
1264 tail = ctx->cached_cq_tail;
1266 * writes to the cq entry need to come after reading head; the
1267 * control dependency is enough as we're using WRITE_ONCE to
1270 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1273 ctx->cached_cq_tail++;
1274 return &rings->cqes[tail & ctx->cq_mask];
1277 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1281 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1283 if (!ctx->eventfd_async)
1285 return io_wq_current_is_worker();
1288 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1290 if (waitqueue_active(&ctx->wait))
1291 wake_up(&ctx->wait);
1292 if (waitqueue_active(&ctx->sqo_wait))
1293 wake_up(&ctx->sqo_wait);
1294 if (io_should_trigger_evfd(ctx))
1295 eventfd_signal(ctx->cq_ev_fd, 1);
1298 /* Returns true if there are no backlogged entries after the flush */
1299 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1301 struct io_rings *rings = ctx->rings;
1302 struct io_uring_cqe *cqe;
1303 struct io_kiocb *req;
1304 unsigned long flags;
1308 if (list_empty_careful(&ctx->cq_overflow_list))
1310 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1311 rings->cq_ring_entries))
1315 spin_lock_irqsave(&ctx->completion_lock, flags);
1317 /* if force is set, the ring is going away. always drop after that */
1319 ctx->cq_overflow_flushed = 1;
1322 while (!list_empty(&ctx->cq_overflow_list)) {
1323 cqe = io_get_cqring(ctx);
1327 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1329 list_move(&req->list, &list);
1330 req->flags &= ~REQ_F_OVERFLOW;
1332 WRITE_ONCE(cqe->user_data, req->user_data);
1333 WRITE_ONCE(cqe->res, req->result);
1334 WRITE_ONCE(cqe->flags, req->cflags);
1336 WRITE_ONCE(ctx->rings->cq_overflow,
1337 atomic_inc_return(&ctx->cached_cq_overflow));
1341 io_commit_cqring(ctx);
1343 clear_bit(0, &ctx->sq_check_overflow);
1344 clear_bit(0, &ctx->cq_check_overflow);
1346 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1347 io_cqring_ev_posted(ctx);
1349 while (!list_empty(&list)) {
1350 req = list_first_entry(&list, struct io_kiocb, list);
1351 list_del(&req->list);
1358 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1360 struct io_ring_ctx *ctx = req->ctx;
1361 struct io_uring_cqe *cqe;
1363 trace_io_uring_complete(ctx, req->user_data, res);
1366 * If we can't get a cq entry, userspace overflowed the
1367 * submission (by quite a lot). Increment the overflow count in
1370 cqe = io_get_cqring(ctx);
1372 WRITE_ONCE(cqe->user_data, req->user_data);
1373 WRITE_ONCE(cqe->res, res);
1374 WRITE_ONCE(cqe->flags, cflags);
1375 } else if (ctx->cq_overflow_flushed) {
1376 WRITE_ONCE(ctx->rings->cq_overflow,
1377 atomic_inc_return(&ctx->cached_cq_overflow));
1379 if (list_empty(&ctx->cq_overflow_list)) {
1380 set_bit(0, &ctx->sq_check_overflow);
1381 set_bit(0, &ctx->cq_check_overflow);
1383 req->flags |= REQ_F_OVERFLOW;
1384 refcount_inc(&req->refs);
1386 req->cflags = cflags;
1387 list_add_tail(&req->list, &ctx->cq_overflow_list);
1391 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1393 __io_cqring_fill_event(req, res, 0);
1396 static void io_cqring_add_event(struct io_kiocb *req, long res, long cflags)
1398 struct io_ring_ctx *ctx = req->ctx;
1399 unsigned long flags;
1401 spin_lock_irqsave(&ctx->completion_lock, flags);
1402 __io_cqring_fill_event(req, res, cflags);
1403 io_commit_cqring(ctx);
1404 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1406 io_cqring_ev_posted(ctx);
1409 static void io_submit_flush_completions(struct io_comp_state *cs)
1411 struct io_ring_ctx *ctx = cs->ctx;
1413 spin_lock_irq(&ctx->completion_lock);
1414 while (!list_empty(&cs->list)) {
1415 struct io_kiocb *req;
1417 req = list_first_entry(&cs->list, struct io_kiocb, list);
1418 list_del(&req->list);
1419 __io_cqring_fill_event(req, req->result, req->cflags);
1420 if (!(req->flags & REQ_F_LINK_HEAD)) {
1421 req->flags |= REQ_F_COMP_LOCKED;
1424 spin_unlock_irq(&ctx->completion_lock);
1426 spin_lock_irq(&ctx->completion_lock);
1429 io_commit_cqring(ctx);
1430 spin_unlock_irq(&ctx->completion_lock);
1432 io_cqring_ev_posted(ctx);
1436 static void __io_req_complete(struct io_kiocb *req, long res, unsigned cflags,
1437 struct io_comp_state *cs)
1440 io_cqring_add_event(req, res, cflags);
1444 req->cflags = cflags;
1445 list_add_tail(&req->list, &cs->list);
1447 io_submit_flush_completions(cs);
1451 static void io_req_complete(struct io_kiocb *req, long res)
1453 __io_req_complete(req, res, 0, NULL);
1456 static inline bool io_is_fallback_req(struct io_kiocb *req)
1458 return req == (struct io_kiocb *)
1459 ((unsigned long) req->ctx->fallback_req & ~1UL);
1462 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1464 struct io_kiocb *req;
1466 req = ctx->fallback_req;
1467 if (!test_and_set_bit_lock(0, (unsigned long *) &ctx->fallback_req))
1473 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx,
1474 struct io_submit_state *state)
1476 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1477 struct io_kiocb *req;
1479 if (!state->free_reqs) {
1483 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1484 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1487 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1488 * retry single alloc to be on the safe side.
1490 if (unlikely(ret <= 0)) {
1491 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1492 if (!state->reqs[0])
1496 state->free_reqs = ret - 1;
1497 req = state->reqs[ret - 1];
1500 req = state->reqs[state->free_reqs];
1505 return io_get_fallback_req(ctx);
1508 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1512 percpu_ref_put(req->fixed_file_refs);
1517 static void io_dismantle_req(struct io_kiocb *req)
1519 if (req->flags & REQ_F_NEED_CLEANUP)
1520 io_cleanup_req(req);
1524 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1525 __io_put_req_task(req);
1526 io_req_work_drop_env(req);
1528 if (req->flags & REQ_F_INFLIGHT) {
1529 struct io_ring_ctx *ctx = req->ctx;
1530 unsigned long flags;
1532 spin_lock_irqsave(&ctx->inflight_lock, flags);
1533 list_del(&req->inflight_entry);
1534 if (waitqueue_active(&ctx->inflight_wait))
1535 wake_up(&ctx->inflight_wait);
1536 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1540 static void __io_free_req(struct io_kiocb *req)
1542 struct io_ring_ctx *ctx;
1544 io_dismantle_req(req);
1546 if (likely(!io_is_fallback_req(req)))
1547 kmem_cache_free(req_cachep, req);
1549 clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
1550 percpu_ref_put(&ctx->refs);
1553 static bool io_link_cancel_timeout(struct io_kiocb *req)
1555 struct io_ring_ctx *ctx = req->ctx;
1558 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1560 io_cqring_fill_event(req, -ECANCELED);
1561 io_commit_cqring(ctx);
1562 req->flags &= ~REQ_F_LINK_HEAD;
1570 static bool __io_kill_linked_timeout(struct io_kiocb *req)
1572 struct io_kiocb *link;
1575 if (list_empty(&req->link_list))
1577 link = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1578 if (link->opcode != IORING_OP_LINK_TIMEOUT)
1581 list_del_init(&link->link_list);
1582 wake_ev = io_link_cancel_timeout(link);
1583 req->flags &= ~REQ_F_LINK_TIMEOUT;
1587 static void io_kill_linked_timeout(struct io_kiocb *req)
1589 struct io_ring_ctx *ctx = req->ctx;
1592 if (!(req->flags & REQ_F_COMP_LOCKED)) {
1593 unsigned long flags;
1595 spin_lock_irqsave(&ctx->completion_lock, flags);
1596 wake_ev = __io_kill_linked_timeout(req);
1597 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1599 wake_ev = __io_kill_linked_timeout(req);
1603 io_cqring_ev_posted(ctx);
1606 static struct io_kiocb *io_req_link_next(struct io_kiocb *req)
1608 struct io_kiocb *nxt;
1611 * The list should never be empty when we are called here. But could
1612 * potentially happen if the chain is messed up, check to be on the
1615 if (unlikely(list_empty(&req->link_list)))
1618 nxt = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1619 list_del_init(&req->link_list);
1620 if (!list_empty(&nxt->link_list))
1621 nxt->flags |= REQ_F_LINK_HEAD;
1626 * Called if REQ_F_LINK_HEAD is set, and we fail the head request
1628 static void __io_fail_links(struct io_kiocb *req)
1630 struct io_ring_ctx *ctx = req->ctx;
1632 while (!list_empty(&req->link_list)) {
1633 struct io_kiocb *link = list_first_entry(&req->link_list,
1634 struct io_kiocb, link_list);
1636 list_del_init(&link->link_list);
1637 trace_io_uring_fail_link(req, link);
1639 io_cqring_fill_event(link, -ECANCELED);
1640 __io_double_put_req(link);
1641 req->flags &= ~REQ_F_LINK_TIMEOUT;
1644 io_commit_cqring(ctx);
1645 io_cqring_ev_posted(ctx);
1648 static void io_fail_links(struct io_kiocb *req)
1650 struct io_ring_ctx *ctx = req->ctx;
1652 if (!(req->flags & REQ_F_COMP_LOCKED)) {
1653 unsigned long flags;
1655 spin_lock_irqsave(&ctx->completion_lock, flags);
1656 __io_fail_links(req);
1657 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1659 __io_fail_links(req);
1662 io_cqring_ev_posted(ctx);
1665 static struct io_kiocb *__io_req_find_next(struct io_kiocb *req)
1667 req->flags &= ~REQ_F_LINK_HEAD;
1668 if (req->flags & REQ_F_LINK_TIMEOUT)
1669 io_kill_linked_timeout(req);
1672 * If LINK is set, we have dependent requests in this chain. If we
1673 * didn't fail this request, queue the first one up, moving any other
1674 * dependencies to the next request. In case of failure, fail the rest
1677 if (likely(!(req->flags & REQ_F_FAIL_LINK)))
1678 return io_req_link_next(req);
1683 static struct io_kiocb *io_req_find_next(struct io_kiocb *req)
1685 if (likely(!(req->flags & REQ_F_LINK_HEAD)))
1687 return __io_req_find_next(req);
1690 static int io_req_task_work_add(struct io_kiocb *req, struct callback_head *cb)
1692 struct task_struct *tsk = req->task;
1693 struct io_ring_ctx *ctx = req->ctx;
1694 int ret, notify = TWA_RESUME;
1697 * SQPOLL kernel thread doesn't need notification, just a wakeup.
1698 * If we're not using an eventfd, then TWA_RESUME is always fine,
1699 * as we won't have dependencies between request completions for
1700 * other kernel wait conditions.
1702 if (ctx->flags & IORING_SETUP_SQPOLL)
1704 else if (ctx->cq_ev_fd)
1705 notify = TWA_SIGNAL;
1707 ret = task_work_add(tsk, cb, notify);
1709 wake_up_process(tsk);
1713 static void __io_req_task_cancel(struct io_kiocb *req, int error)
1715 struct io_ring_ctx *ctx = req->ctx;
1717 spin_lock_irq(&ctx->completion_lock);
1718 io_cqring_fill_event(req, error);
1719 io_commit_cqring(ctx);
1720 spin_unlock_irq(&ctx->completion_lock);
1722 io_cqring_ev_posted(ctx);
1723 req_set_fail_links(req);
1724 io_double_put_req(req);
1727 static void io_req_task_cancel(struct callback_head *cb)
1729 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1731 __io_req_task_cancel(req, -ECANCELED);
1734 static void __io_req_task_submit(struct io_kiocb *req)
1736 struct io_ring_ctx *ctx = req->ctx;
1738 if (!__io_sq_thread_acquire_mm(ctx)) {
1739 mutex_lock(&ctx->uring_lock);
1740 __io_queue_sqe(req, NULL, NULL);
1741 mutex_unlock(&ctx->uring_lock);
1743 __io_req_task_cancel(req, -EFAULT);
1747 static void io_req_task_submit(struct callback_head *cb)
1749 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1751 __io_req_task_submit(req);
1754 static void io_req_task_queue(struct io_kiocb *req)
1758 init_task_work(&req->task_work, io_req_task_submit);
1760 ret = io_req_task_work_add(req, &req->task_work);
1761 if (unlikely(ret)) {
1762 struct task_struct *tsk;
1764 init_task_work(&req->task_work, io_req_task_cancel);
1765 tsk = io_wq_get_task(req->ctx->io_wq);
1766 task_work_add(tsk, &req->task_work, 0);
1767 wake_up_process(tsk);
1771 static void io_queue_next(struct io_kiocb *req)
1773 struct io_kiocb *nxt = io_req_find_next(req);
1776 io_req_task_queue(nxt);
1779 static void io_free_req(struct io_kiocb *req)
1786 void *reqs[IO_IOPOLL_BATCH];
1790 static void __io_req_free_batch_flush(struct io_ring_ctx *ctx,
1791 struct req_batch *rb)
1793 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1794 percpu_ref_put_many(&ctx->refs, rb->to_free);
1798 static void io_req_free_batch_finish(struct io_ring_ctx *ctx,
1799 struct req_batch *rb)
1802 __io_req_free_batch_flush(ctx, rb);
1805 static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req)
1807 if (unlikely(io_is_fallback_req(req))) {
1811 if (req->flags & REQ_F_LINK_HEAD)
1814 io_dismantle_req(req);
1815 rb->reqs[rb->to_free++] = req;
1816 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1817 __io_req_free_batch_flush(req->ctx, rb);
1821 * Drop reference to request, return next in chain (if there is one) if this
1822 * was the last reference to this request.
1824 static struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
1826 struct io_kiocb *nxt = NULL;
1828 if (refcount_dec_and_test(&req->refs)) {
1829 nxt = io_req_find_next(req);
1835 static void io_put_req(struct io_kiocb *req)
1837 if (refcount_dec_and_test(&req->refs))
1841 static struct io_wq_work *io_steal_work(struct io_kiocb *req)
1843 struct io_kiocb *nxt;
1846 * A ref is owned by io-wq in which context we're. So, if that's the
1847 * last one, it's safe to steal next work. False negatives are Ok,
1848 * it just will be re-punted async in io_put_work()
1850 if (refcount_read(&req->refs) != 1)
1853 nxt = io_req_find_next(req);
1854 return nxt ? &nxt->work : NULL;
1858 * Must only be used if we don't need to care about links, usually from
1859 * within the completion handling itself.
1861 static void __io_double_put_req(struct io_kiocb *req)
1863 /* drop both submit and complete references */
1864 if (refcount_sub_and_test(2, &req->refs))
1868 static void io_double_put_req(struct io_kiocb *req)
1870 /* drop both submit and complete references */
1871 if (refcount_sub_and_test(2, &req->refs))
1875 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1877 struct io_rings *rings = ctx->rings;
1879 if (test_bit(0, &ctx->cq_check_overflow)) {
1881 * noflush == true is from the waitqueue handler, just ensure
1882 * we wake up the task, and the next invocation will flush the
1883 * entries. We cannot safely to it from here.
1885 if (noflush && !list_empty(&ctx->cq_overflow_list))
1888 io_cqring_overflow_flush(ctx, false);
1891 /* See comment at the top of this file */
1893 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
1896 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1898 struct io_rings *rings = ctx->rings;
1900 /* make sure SQ entry isn't read before tail */
1901 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1904 static int io_put_kbuf(struct io_kiocb *req)
1906 struct io_buffer *kbuf;
1909 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
1910 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
1911 cflags |= IORING_CQE_F_BUFFER;
1917 static inline bool io_run_task_work(void)
1919 if (current->task_works) {
1920 __set_current_state(TASK_RUNNING);
1928 static void io_iopoll_queue(struct list_head *again)
1930 struct io_kiocb *req;
1933 req = list_first_entry(again, struct io_kiocb, list);
1934 list_del(&req->list);
1935 if (!io_rw_reissue(req, -EAGAIN))
1936 io_complete_rw_common(&req->rw.kiocb, -EAGAIN, NULL);
1937 } while (!list_empty(again));
1941 * Find and free completed poll iocbs
1943 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1944 struct list_head *done)
1946 struct req_batch rb;
1947 struct io_kiocb *req;
1950 /* order with ->result store in io_complete_rw_iopoll() */
1954 while (!list_empty(done)) {
1957 req = list_first_entry(done, struct io_kiocb, list);
1958 if (READ_ONCE(req->result) == -EAGAIN) {
1959 req->iopoll_completed = 0;
1960 list_move_tail(&req->list, &again);
1963 list_del(&req->list);
1965 if (req->flags & REQ_F_BUFFER_SELECTED)
1966 cflags = io_put_kbuf(req);
1968 __io_cqring_fill_event(req, req->result, cflags);
1971 if (refcount_dec_and_test(&req->refs))
1972 io_req_free_batch(&rb, req);
1975 io_commit_cqring(ctx);
1976 if (ctx->flags & IORING_SETUP_SQPOLL)
1977 io_cqring_ev_posted(ctx);
1978 io_req_free_batch_finish(ctx, &rb);
1980 if (!list_empty(&again))
1981 io_iopoll_queue(&again);
1984 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1987 struct io_kiocb *req, *tmp;
1993 * Only spin for completions if we don't have multiple devices hanging
1994 * off our complete list, and we're under the requested amount.
1996 spin = !ctx->poll_multi_file && *nr_events < min;
1999 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
2000 struct kiocb *kiocb = &req->rw.kiocb;
2003 * Move completed and retryable entries to our local lists.
2004 * If we find a request that requires polling, break out
2005 * and complete those lists first, if we have entries there.
2007 if (READ_ONCE(req->iopoll_completed)) {
2008 list_move_tail(&req->list, &done);
2011 if (!list_empty(&done))
2014 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
2018 /* iopoll may have completed current req */
2019 if (READ_ONCE(req->iopoll_completed))
2020 list_move_tail(&req->list, &done);
2027 if (!list_empty(&done))
2028 io_iopoll_complete(ctx, nr_events, &done);
2034 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
2035 * non-spinning poll check - we'll still enter the driver poll loop, but only
2036 * as a non-spinning completion check.
2038 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
2041 while (!list_empty(&ctx->poll_list) && !need_resched()) {
2044 ret = io_do_iopoll(ctx, nr_events, min);
2047 if (*nr_events >= min)
2055 * We can't just wait for polled events to come to us, we have to actively
2056 * find and complete them.
2058 static void io_iopoll_try_reap_events(struct io_ring_ctx *ctx)
2060 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2063 mutex_lock(&ctx->uring_lock);
2064 while (!list_empty(&ctx->poll_list)) {
2065 unsigned int nr_events = 0;
2067 io_do_iopoll(ctx, &nr_events, 0);
2069 /* let it sleep and repeat later if can't complete a request */
2073 * Ensure we allow local-to-the-cpu processing to take place,
2074 * in this case we need to ensure that we reap all events.
2075 * Also let task_work, etc. to progress by releasing the mutex
2077 if (need_resched()) {
2078 mutex_unlock(&ctx->uring_lock);
2080 mutex_lock(&ctx->uring_lock);
2083 mutex_unlock(&ctx->uring_lock);
2086 static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
2088 unsigned int nr_events = 0;
2089 int iters = 0, ret = 0;
2092 * We disallow the app entering submit/complete with polling, but we
2093 * still need to lock the ring to prevent racing with polled issue
2094 * that got punted to a workqueue.
2096 mutex_lock(&ctx->uring_lock);
2099 * Don't enter poll loop if we already have events pending.
2100 * If we do, we can potentially be spinning for commands that
2101 * already triggered a CQE (eg in error).
2103 if (io_cqring_events(ctx, false))
2107 * If a submit got punted to a workqueue, we can have the
2108 * application entering polling for a command before it gets
2109 * issued. That app will hold the uring_lock for the duration
2110 * of the poll right here, so we need to take a breather every
2111 * now and then to ensure that the issue has a chance to add
2112 * the poll to the issued list. Otherwise we can spin here
2113 * forever, while the workqueue is stuck trying to acquire the
2116 if (!(++iters & 7)) {
2117 mutex_unlock(&ctx->uring_lock);
2119 mutex_lock(&ctx->uring_lock);
2122 ret = io_iopoll_getevents(ctx, &nr_events, min);
2126 } while (min && !nr_events && !need_resched());
2128 mutex_unlock(&ctx->uring_lock);
2132 static void kiocb_end_write(struct io_kiocb *req)
2135 * Tell lockdep we inherited freeze protection from submission
2138 if (req->flags & REQ_F_ISREG) {
2139 struct inode *inode = file_inode(req->file);
2141 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2143 file_end_write(req->file);
2146 static void io_complete_rw_common(struct kiocb *kiocb, long res,
2147 struct io_comp_state *cs)
2149 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2152 if (kiocb->ki_flags & IOCB_WRITE)
2153 kiocb_end_write(req);
2155 if (res != req->result)
2156 req_set_fail_links(req);
2157 if (req->flags & REQ_F_BUFFER_SELECTED)
2158 cflags = io_put_kbuf(req);
2159 __io_req_complete(req, res, cflags, cs);
2163 static bool io_resubmit_prep(struct io_kiocb *req, int error)
2165 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2166 ssize_t ret = -ECANCELED;
2167 struct iov_iter iter;
2175 switch (req->opcode) {
2176 case IORING_OP_READV:
2177 case IORING_OP_READ_FIXED:
2178 case IORING_OP_READ:
2181 case IORING_OP_WRITEV:
2182 case IORING_OP_WRITE_FIXED:
2183 case IORING_OP_WRITE:
2187 printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
2192 ret = io_import_iovec(rw, req, &iovec, &iter, false);
2195 ret = io_setup_async_rw(req, ret, iovec, inline_vecs, &iter);
2200 req_set_fail_links(req);
2201 io_req_complete(req, ret);
2205 static void io_rw_resubmit(struct callback_head *cb)
2207 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2208 struct io_ring_ctx *ctx = req->ctx;
2211 err = io_sq_thread_acquire_mm(ctx, req);
2213 if (io_resubmit_prep(req, err)) {
2214 refcount_inc(&req->refs);
2215 io_queue_async_work(req);
2220 static bool io_rw_reissue(struct io_kiocb *req, long res)
2225 if ((res != -EAGAIN && res != -EOPNOTSUPP) || io_wq_current_is_worker())
2228 init_task_work(&req->task_work, io_rw_resubmit);
2229 ret = io_req_task_work_add(req, &req->task_work);
2236 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
2237 struct io_comp_state *cs)
2239 if (!io_rw_reissue(req, res))
2240 io_complete_rw_common(&req->rw.kiocb, res, cs);
2243 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
2245 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2247 __io_complete_rw(req, res, res2, NULL);
2250 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
2252 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2254 if (kiocb->ki_flags & IOCB_WRITE)
2255 kiocb_end_write(req);
2257 if (res != -EAGAIN && res != req->result)
2258 req_set_fail_links(req);
2260 WRITE_ONCE(req->result, res);
2261 /* order with io_poll_complete() checking ->result */
2263 WRITE_ONCE(req->iopoll_completed, 1);
2267 * After the iocb has been issued, it's safe to be found on the poll list.
2268 * Adding the kiocb to the list AFTER submission ensures that we don't
2269 * find it from a io_iopoll_getevents() thread before the issuer is done
2270 * accessing the kiocb cookie.
2272 static void io_iopoll_req_issued(struct io_kiocb *req)
2274 struct io_ring_ctx *ctx = req->ctx;
2277 * Track whether we have multiple files in our lists. This will impact
2278 * how we do polling eventually, not spinning if we're on potentially
2279 * different devices.
2281 if (list_empty(&ctx->poll_list)) {
2282 ctx->poll_multi_file = false;
2283 } else if (!ctx->poll_multi_file) {
2284 struct io_kiocb *list_req;
2286 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
2288 if (list_req->file != req->file)
2289 ctx->poll_multi_file = true;
2293 * For fast devices, IO may have already completed. If it has, add
2294 * it to the front so we find it first.
2296 if (READ_ONCE(req->iopoll_completed))
2297 list_add(&req->list, &ctx->poll_list);
2299 list_add_tail(&req->list, &ctx->poll_list);
2301 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
2302 wq_has_sleeper(&ctx->sqo_wait))
2303 wake_up(&ctx->sqo_wait);
2306 static void __io_state_file_put(struct io_submit_state *state)
2308 int diff = state->has_refs - state->used_refs;
2311 fput_many(state->file, diff);
2315 static inline void io_state_file_put(struct io_submit_state *state)
2318 __io_state_file_put(state);
2322 * Get as many references to a file as we have IOs left in this submission,
2323 * assuming most submissions are for one file, or at least that each file
2324 * has more than one submission.
2326 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2332 if (state->fd == fd) {
2337 __io_state_file_put(state);
2339 state->file = fget_many(fd, state->ios_left);
2344 state->has_refs = state->ios_left;
2345 state->used_refs = 1;
2350 static bool io_bdev_nowait(struct block_device *bdev)
2353 return !bdev || queue_is_mq(bdev_get_queue(bdev));
2360 * If we tracked the file through the SCM inflight mechanism, we could support
2361 * any file. For now, just ensure that anything potentially problematic is done
2364 static bool io_file_supports_async(struct file *file, int rw)
2366 umode_t mode = file_inode(file)->i_mode;
2368 if (S_ISBLK(mode)) {
2369 if (io_bdev_nowait(file->f_inode->i_bdev))
2373 if (S_ISCHR(mode) || S_ISSOCK(mode))
2375 if (S_ISREG(mode)) {
2376 if (io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
2377 file->f_op != &io_uring_fops)
2382 /* any ->read/write should understand O_NONBLOCK */
2383 if (file->f_flags & O_NONBLOCK)
2386 if (!(file->f_mode & FMODE_NOWAIT))
2390 return file->f_op->read_iter != NULL;
2392 return file->f_op->write_iter != NULL;
2395 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2396 bool force_nonblock)
2398 struct io_ring_ctx *ctx = req->ctx;
2399 struct kiocb *kiocb = &req->rw.kiocb;
2403 if (S_ISREG(file_inode(req->file)->i_mode))
2404 req->flags |= REQ_F_ISREG;
2406 kiocb->ki_pos = READ_ONCE(sqe->off);
2407 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
2408 req->flags |= REQ_F_CUR_POS;
2409 kiocb->ki_pos = req->file->f_pos;
2411 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2412 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2413 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2417 ioprio = READ_ONCE(sqe->ioprio);
2419 ret = ioprio_check_cap(ioprio);
2423 kiocb->ki_ioprio = ioprio;
2425 kiocb->ki_ioprio = get_current_ioprio();
2427 /* don't allow async punt if RWF_NOWAIT was requested */
2428 if (kiocb->ki_flags & IOCB_NOWAIT)
2429 req->flags |= REQ_F_NOWAIT;
2431 if (kiocb->ki_flags & IOCB_DIRECT)
2432 io_get_req_task(req);
2435 kiocb->ki_flags |= IOCB_NOWAIT;
2437 if (ctx->flags & IORING_SETUP_IOPOLL) {
2438 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2439 !kiocb->ki_filp->f_op->iopoll)
2442 kiocb->ki_flags |= IOCB_HIPRI;
2443 kiocb->ki_complete = io_complete_rw_iopoll;
2444 req->iopoll_completed = 0;
2445 io_get_req_task(req);
2447 if (kiocb->ki_flags & IOCB_HIPRI)
2449 kiocb->ki_complete = io_complete_rw;
2452 req->rw.addr = READ_ONCE(sqe->addr);
2453 req->rw.len = READ_ONCE(sqe->len);
2454 req->buf_index = READ_ONCE(sqe->buf_index);
2458 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2464 case -ERESTARTNOINTR:
2465 case -ERESTARTNOHAND:
2466 case -ERESTART_RESTARTBLOCK:
2468 * We can't just restart the syscall, since previously
2469 * submitted sqes may already be in progress. Just fail this
2475 kiocb->ki_complete(kiocb, ret, 0);
2479 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
2480 struct io_comp_state *cs)
2482 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2484 if (req->flags & REQ_F_CUR_POS)
2485 req->file->f_pos = kiocb->ki_pos;
2486 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2487 __io_complete_rw(req, ret, 0, cs);
2489 io_rw_done(kiocb, ret);
2492 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
2493 struct iov_iter *iter)
2495 struct io_ring_ctx *ctx = req->ctx;
2496 size_t len = req->rw.len;
2497 struct io_mapped_ubuf *imu;
2498 u16 index, buf_index;
2502 /* attempt to use fixed buffers without having provided iovecs */
2503 if (unlikely(!ctx->user_bufs))
2506 buf_index = req->buf_index;
2507 if (unlikely(buf_index >= ctx->nr_user_bufs))
2510 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2511 imu = &ctx->user_bufs[index];
2512 buf_addr = req->rw.addr;
2515 if (buf_addr + len < buf_addr)
2517 /* not inside the mapped region */
2518 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2522 * May not be a start of buffer, set size appropriately
2523 * and advance us to the beginning.
2525 offset = buf_addr - imu->ubuf;
2526 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2530 * Don't use iov_iter_advance() here, as it's really slow for
2531 * using the latter parts of a big fixed buffer - it iterates
2532 * over each segment manually. We can cheat a bit here, because
2535 * 1) it's a BVEC iter, we set it up
2536 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2537 * first and last bvec
2539 * So just find our index, and adjust the iterator afterwards.
2540 * If the offset is within the first bvec (or the whole first
2541 * bvec, just use iov_iter_advance(). This makes it easier
2542 * since we can just skip the first segment, which may not
2543 * be PAGE_SIZE aligned.
2545 const struct bio_vec *bvec = imu->bvec;
2547 if (offset <= bvec->bv_len) {
2548 iov_iter_advance(iter, offset);
2550 unsigned long seg_skip;
2552 /* skip first vec */
2553 offset -= bvec->bv_len;
2554 seg_skip = 1 + (offset >> PAGE_SHIFT);
2556 iter->bvec = bvec + seg_skip;
2557 iter->nr_segs -= seg_skip;
2558 iter->count -= bvec->bv_len + offset;
2559 iter->iov_offset = offset & ~PAGE_MASK;
2566 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2569 mutex_unlock(&ctx->uring_lock);
2572 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2575 * "Normal" inline submissions always hold the uring_lock, since we
2576 * grab it from the system call. Same is true for the SQPOLL offload.
2577 * The only exception is when we've detached the request and issue it
2578 * from an async worker thread, grab the lock for that case.
2581 mutex_lock(&ctx->uring_lock);
2584 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2585 int bgid, struct io_buffer *kbuf,
2588 struct io_buffer *head;
2590 if (req->flags & REQ_F_BUFFER_SELECTED)
2593 io_ring_submit_lock(req->ctx, needs_lock);
2595 lockdep_assert_held(&req->ctx->uring_lock);
2597 head = idr_find(&req->ctx->io_buffer_idr, bgid);
2599 if (!list_empty(&head->list)) {
2600 kbuf = list_last_entry(&head->list, struct io_buffer,
2602 list_del(&kbuf->list);
2605 idr_remove(&req->ctx->io_buffer_idr, bgid);
2607 if (*len > kbuf->len)
2610 kbuf = ERR_PTR(-ENOBUFS);
2613 io_ring_submit_unlock(req->ctx, needs_lock);
2618 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2621 struct io_buffer *kbuf;
2624 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2625 bgid = req->buf_index;
2626 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2629 req->rw.addr = (u64) (unsigned long) kbuf;
2630 req->flags |= REQ_F_BUFFER_SELECTED;
2631 return u64_to_user_ptr(kbuf->addr);
2634 #ifdef CONFIG_COMPAT
2635 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2638 struct compat_iovec __user *uiov;
2639 compat_ssize_t clen;
2643 uiov = u64_to_user_ptr(req->rw.addr);
2644 if (!access_ok(uiov, sizeof(*uiov)))
2646 if (__get_user(clen, &uiov->iov_len))
2652 buf = io_rw_buffer_select(req, &len, needs_lock);
2654 return PTR_ERR(buf);
2655 iov[0].iov_base = buf;
2656 iov[0].iov_len = (compat_size_t) len;
2661 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2664 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
2668 if (copy_from_user(iov, uiov, sizeof(*uiov)))
2671 len = iov[0].iov_len;
2674 buf = io_rw_buffer_select(req, &len, needs_lock);
2676 return PTR_ERR(buf);
2677 iov[0].iov_base = buf;
2678 iov[0].iov_len = len;
2682 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2685 if (req->flags & REQ_F_BUFFER_SELECTED) {
2686 struct io_buffer *kbuf;
2688 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2689 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
2690 iov[0].iov_len = kbuf->len;
2695 else if (req->rw.len > 1)
2698 #ifdef CONFIG_COMPAT
2699 if (req->ctx->compat)
2700 return io_compat_import(req, iov, needs_lock);
2703 return __io_iov_buffer_select(req, iov, needs_lock);
2706 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
2707 struct iovec **iovec, struct iov_iter *iter,
2710 void __user *buf = u64_to_user_ptr(req->rw.addr);
2711 size_t sqe_len = req->rw.len;
2715 opcode = req->opcode;
2716 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
2718 return io_import_fixed(req, rw, iter);
2721 /* buffer index only valid with fixed read/write, or buffer select */
2722 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
2725 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2726 if (req->flags & REQ_F_BUFFER_SELECT) {
2727 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
2730 return PTR_ERR(buf);
2732 req->rw.len = sqe_len;
2735 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2737 return ret < 0 ? ret : sqe_len;
2741 struct io_async_rw *iorw = &req->io->rw;
2744 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2745 if (iorw->iov == iorw->fast_iov)
2750 if (req->flags & REQ_F_BUFFER_SELECT) {
2751 ret = io_iov_buffer_select(req, *iovec, needs_lock);
2753 ret = (*iovec)->iov_len;
2754 iov_iter_init(iter, rw, *iovec, 1, ret);
2760 #ifdef CONFIG_COMPAT
2761 if (req->ctx->compat)
2762 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2766 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2770 * For files that don't have ->read_iter() and ->write_iter(), handle them
2771 * by looping over ->read() or ->write() manually.
2773 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2774 struct iov_iter *iter)
2779 * Don't support polled IO through this interface, and we can't
2780 * support non-blocking either. For the latter, this just causes
2781 * the kiocb to be handled from an async context.
2783 if (kiocb->ki_flags & IOCB_HIPRI)
2785 if (kiocb->ki_flags & IOCB_NOWAIT)
2788 while (iov_iter_count(iter)) {
2792 if (!iov_iter_is_bvec(iter)) {
2793 iovec = iov_iter_iovec(iter);
2795 /* fixed buffers import bvec */
2796 iovec.iov_base = kmap(iter->bvec->bv_page)
2798 iovec.iov_len = min(iter->count,
2799 iter->bvec->bv_len - iter->iov_offset);
2803 nr = file->f_op->read(file, iovec.iov_base,
2804 iovec.iov_len, &kiocb->ki_pos);
2806 nr = file->f_op->write(file, iovec.iov_base,
2807 iovec.iov_len, &kiocb->ki_pos);
2810 if (iov_iter_is_bvec(iter))
2811 kunmap(iter->bvec->bv_page);
2819 if (nr != iovec.iov_len)
2821 iov_iter_advance(iter, nr);
2827 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
2828 struct iovec *iovec, struct iovec *fast_iov,
2829 struct iov_iter *iter)
2831 req->io->rw.nr_segs = iter->nr_segs;
2832 req->io->rw.size = io_size;
2833 req->io->rw.iov = iovec;
2834 if (!req->io->rw.iov) {
2835 req->io->rw.iov = req->io->rw.fast_iov;
2836 if (req->io->rw.iov != fast_iov)
2837 memcpy(req->io->rw.iov, fast_iov,
2838 sizeof(struct iovec) * iter->nr_segs);
2840 req->flags |= REQ_F_NEED_CLEANUP;
2844 static inline int __io_alloc_async_ctx(struct io_kiocb *req)
2846 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
2847 return req->io == NULL;
2850 static int io_alloc_async_ctx(struct io_kiocb *req)
2852 if (!io_op_defs[req->opcode].async_ctx)
2855 return __io_alloc_async_ctx(req);
2858 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2859 struct iovec *iovec, struct iovec *fast_iov,
2860 struct iov_iter *iter)
2862 if (!io_op_defs[req->opcode].async_ctx)
2865 if (__io_alloc_async_ctx(req))
2868 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2873 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2874 bool force_nonblock)
2876 struct io_async_ctx *io;
2877 struct iov_iter iter;
2880 ret = io_prep_rw(req, sqe, force_nonblock);
2884 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2887 /* either don't need iovec imported or already have it */
2888 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2892 io->rw.iov = io->rw.fast_iov;
2894 ret = io_import_iovec(READ, req, &io->rw.iov, &iter, !force_nonblock);
2899 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2903 static void io_async_buf_cancel(struct callback_head *cb)
2905 struct io_async_rw *rw;
2906 struct io_kiocb *req;
2908 rw = container_of(cb, struct io_async_rw, task_work);
2909 req = rw->wpq.wait.private;
2910 __io_req_task_cancel(req, -ECANCELED);
2913 static void io_async_buf_retry(struct callback_head *cb)
2915 struct io_async_rw *rw;
2916 struct io_kiocb *req;
2918 rw = container_of(cb, struct io_async_rw, task_work);
2919 req = rw->wpq.wait.private;
2921 __io_req_task_submit(req);
2924 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
2925 int sync, void *arg)
2927 struct wait_page_queue *wpq;
2928 struct io_kiocb *req = wait->private;
2929 struct io_async_rw *rw = &req->io->rw;
2930 struct wait_page_key *key = arg;
2933 wpq = container_of(wait, struct wait_page_queue, wait);
2935 ret = wake_page_match(wpq, key);
2939 list_del_init(&wait->entry);
2941 init_task_work(&rw->task_work, io_async_buf_retry);
2942 /* submit ref gets dropped, acquire a new one */
2943 refcount_inc(&req->refs);
2944 ret = io_req_task_work_add(req, &rw->task_work);
2945 if (unlikely(ret)) {
2946 struct task_struct *tsk;
2948 /* queue just for cancelation */
2949 init_task_work(&rw->task_work, io_async_buf_cancel);
2950 tsk = io_wq_get_task(req->ctx->io_wq);
2951 task_work_add(tsk, &rw->task_work, 0);
2952 wake_up_process(tsk);
2957 static bool io_rw_should_retry(struct io_kiocb *req)
2959 struct kiocb *kiocb = &req->rw.kiocb;
2962 /* never retry for NOWAIT, we just complete with -EAGAIN */
2963 if (req->flags & REQ_F_NOWAIT)
2966 /* already tried, or we're doing O_DIRECT */
2967 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_WAITQ))
2970 * just use poll if we can, and don't attempt if the fs doesn't
2971 * support callback based unlocks
2973 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
2977 * If request type doesn't require req->io to defer in general,
2978 * we need to allocate it here
2980 if (!req->io && __io_alloc_async_ctx(req))
2983 ret = kiocb_wait_page_queue_init(kiocb, &req->io->rw.wpq,
2984 io_async_buf_func, req);
2986 io_get_req_task(req);
2993 static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
2995 if (req->file->f_op->read_iter)
2996 return call_read_iter(req->file, &req->rw.kiocb, iter);
2997 return loop_rw_iter(READ, req->file, &req->rw.kiocb, iter);
3000 static int io_read(struct io_kiocb *req, bool force_nonblock,
3001 struct io_comp_state *cs)
3003 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3004 struct kiocb *kiocb = &req->rw.kiocb;
3005 struct iov_iter iter;
3007 ssize_t io_size, ret;
3009 ret = io_import_iovec(READ, req, &iovec, &iter, !force_nonblock);
3013 /* Ensure we clear previously set non-block flag */
3014 if (!force_nonblock)
3015 kiocb->ki_flags &= ~IOCB_NOWAIT;
3018 req->result = io_size;
3020 /* If the file doesn't support async, just async punt */
3021 if (force_nonblock && !io_file_supports_async(req->file, READ))
3024 iov_count = iov_iter_count(&iter);
3025 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
3027 unsigned long nr_segs = iter.nr_segs;
3030 ret2 = io_iter_do_read(req, &iter);
3032 /* Catch -EAGAIN return for forced non-blocking submission */
3033 if (!force_nonblock || (ret2 != -EAGAIN && ret2 != -EIO)) {
3034 kiocb_done(kiocb, ret2, cs);
3036 iter.count = iov_count;
3037 iter.nr_segs = nr_segs;
3039 ret = io_setup_async_rw(req, io_size, iovec,
3040 inline_vecs, &iter);
3043 /* if we can retry, do so with the callbacks armed */
3044 if (io_rw_should_retry(req)) {
3045 ret2 = io_iter_do_read(req, &iter);
3046 if (ret2 == -EIOCBQUEUED) {
3048 } else if (ret2 != -EAGAIN) {
3049 kiocb_done(kiocb, ret2, cs);
3053 kiocb->ki_flags &= ~IOCB_WAITQ;
3058 if (!(req->flags & REQ_F_NEED_CLEANUP))
3063 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3064 bool force_nonblock)
3066 struct io_async_ctx *io;
3067 struct iov_iter iter;
3070 ret = io_prep_rw(req, sqe, force_nonblock);
3074 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
3077 req->fsize = rlimit(RLIMIT_FSIZE);
3079 /* either don't need iovec imported or already have it */
3080 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
3084 io->rw.iov = io->rw.fast_iov;
3086 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter, !force_nonblock);
3091 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
3095 static int io_write(struct io_kiocb *req, bool force_nonblock,
3096 struct io_comp_state *cs)
3098 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3099 struct kiocb *kiocb = &req->rw.kiocb;
3100 struct iov_iter iter;
3102 ssize_t ret, io_size;
3104 ret = io_import_iovec(WRITE, req, &iovec, &iter, !force_nonblock);
3108 /* Ensure we clear previously set non-block flag */
3109 if (!force_nonblock)
3110 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
3113 req->result = io_size;
3115 /* If the file doesn't support async, just async punt */
3116 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
3119 /* file path doesn't support NOWAIT for non-direct_IO */
3120 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
3121 (req->flags & REQ_F_ISREG))
3124 iov_count = iov_iter_count(&iter);
3125 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
3127 unsigned long nr_segs = iter.nr_segs;
3131 * Open-code file_start_write here to grab freeze protection,
3132 * which will be released by another thread in
3133 * io_complete_rw(). Fool lockdep by telling it the lock got
3134 * released so that it doesn't complain about the held lock when
3135 * we return to userspace.
3137 if (req->flags & REQ_F_ISREG) {
3138 __sb_start_write(file_inode(req->file)->i_sb,
3139 SB_FREEZE_WRITE, true);
3140 __sb_writers_release(file_inode(req->file)->i_sb,
3143 kiocb->ki_flags |= IOCB_WRITE;
3145 if (!force_nonblock)
3146 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
3148 if (req->file->f_op->write_iter)
3149 ret2 = call_write_iter(req->file, kiocb, &iter);
3151 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
3153 if (!force_nonblock)
3154 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
3157 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
3158 * retry them without IOCB_NOWAIT.
3160 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
3162 if (!force_nonblock || ret2 != -EAGAIN) {
3163 kiocb_done(kiocb, ret2, cs);
3165 iter.count = iov_count;
3166 iter.nr_segs = nr_segs;
3168 ret = io_setup_async_rw(req, io_size, iovec,
3169 inline_vecs, &iter);
3176 if (!(req->flags & REQ_F_NEED_CLEANUP))
3181 static int __io_splice_prep(struct io_kiocb *req,
3182 const struct io_uring_sqe *sqe)
3184 struct io_splice* sp = &req->splice;
3185 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
3188 if (req->flags & REQ_F_NEED_CLEANUP)
3190 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3194 sp->len = READ_ONCE(sqe->len);
3195 sp->flags = READ_ONCE(sqe->splice_flags);
3197 if (unlikely(sp->flags & ~valid_flags))
3200 ret = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in), &sp->file_in,
3201 (sp->flags & SPLICE_F_FD_IN_FIXED));
3204 req->flags |= REQ_F_NEED_CLEANUP;
3206 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
3208 * Splice operation will be punted aync, and here need to
3209 * modify io_wq_work.flags, so initialize io_wq_work firstly.
3211 io_req_init_async(req);
3212 req->work.flags |= IO_WQ_WORK_UNBOUND;
3218 static int io_tee_prep(struct io_kiocb *req,
3219 const struct io_uring_sqe *sqe)
3221 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
3223 return __io_splice_prep(req, sqe);
3226 static int io_tee(struct io_kiocb *req, bool force_nonblock)
3228 struct io_splice *sp = &req->splice;
3229 struct file *in = sp->file_in;
3230 struct file *out = sp->file_out;
3231 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3237 ret = do_tee(in, out, sp->len, flags);
3239 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3240 req->flags &= ~REQ_F_NEED_CLEANUP;
3243 req_set_fail_links(req);
3244 io_req_complete(req, ret);
3248 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3250 struct io_splice* sp = &req->splice;
3252 sp->off_in = READ_ONCE(sqe->splice_off_in);
3253 sp->off_out = READ_ONCE(sqe->off);
3254 return __io_splice_prep(req, sqe);
3257 static int io_splice(struct io_kiocb *req, bool force_nonblock)
3259 struct io_splice *sp = &req->splice;
3260 struct file *in = sp->file_in;
3261 struct file *out = sp->file_out;
3262 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3263 loff_t *poff_in, *poff_out;
3269 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
3270 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
3273 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
3275 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3276 req->flags &= ~REQ_F_NEED_CLEANUP;
3279 req_set_fail_links(req);
3280 io_req_complete(req, ret);
3285 * IORING_OP_NOP just posts a completion event, nothing else.
3287 static int io_nop(struct io_kiocb *req, struct io_comp_state *cs)
3289 struct io_ring_ctx *ctx = req->ctx;
3291 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3294 __io_req_complete(req, 0, 0, cs);
3298 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3300 struct io_ring_ctx *ctx = req->ctx;
3305 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3307 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3310 req->sync.flags = READ_ONCE(sqe->fsync_flags);
3311 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
3314 req->sync.off = READ_ONCE(sqe->off);
3315 req->sync.len = READ_ONCE(sqe->len);
3319 static int io_fsync(struct io_kiocb *req, bool force_nonblock)
3321 loff_t end = req->sync.off + req->sync.len;
3324 /* fsync always requires a blocking context */
3328 ret = vfs_fsync_range(req->file, req->sync.off,
3329 end > 0 ? end : LLONG_MAX,
3330 req->sync.flags & IORING_FSYNC_DATASYNC);
3332 req_set_fail_links(req);
3333 io_req_complete(req, ret);
3337 static int io_fallocate_prep(struct io_kiocb *req,
3338 const struct io_uring_sqe *sqe)
3340 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
3342 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3345 req->sync.off = READ_ONCE(sqe->off);
3346 req->sync.len = READ_ONCE(sqe->addr);
3347 req->sync.mode = READ_ONCE(sqe->len);
3348 req->fsize = rlimit(RLIMIT_FSIZE);
3352 static int io_fallocate(struct io_kiocb *req, bool force_nonblock)
3356 /* fallocate always requiring blocking context */
3360 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
3361 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
3363 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
3365 req_set_fail_links(req);
3366 io_req_complete(req, ret);
3370 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3372 const char __user *fname;
3375 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3377 if (unlikely(sqe->ioprio || sqe->buf_index))
3379 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3382 /* open.how should be already initialised */
3383 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3384 req->open.how.flags |= O_LARGEFILE;
3386 req->open.dfd = READ_ONCE(sqe->fd);
3387 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3388 req->open.filename = getname(fname);
3389 if (IS_ERR(req->open.filename)) {
3390 ret = PTR_ERR(req->open.filename);
3391 req->open.filename = NULL;
3394 req->open.nofile = rlimit(RLIMIT_NOFILE);
3395 req->flags |= REQ_F_NEED_CLEANUP;
3399 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3403 if (req->flags & REQ_F_NEED_CLEANUP)
3405 mode = READ_ONCE(sqe->len);
3406 flags = READ_ONCE(sqe->open_flags);
3407 req->open.how = build_open_how(flags, mode);
3408 return __io_openat_prep(req, sqe);
3411 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3413 struct open_how __user *how;
3417 if (req->flags & REQ_F_NEED_CLEANUP)
3419 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3420 len = READ_ONCE(sqe->len);
3421 if (len < OPEN_HOW_SIZE_VER0)
3424 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3429 return __io_openat_prep(req, sqe);
3432 static int io_openat2(struct io_kiocb *req, bool force_nonblock)
3434 struct open_flags op;
3441 ret = build_open_flags(&req->open.how, &op);
3445 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3449 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3452 ret = PTR_ERR(file);
3454 fsnotify_open(file);
3455 fd_install(ret, file);
3458 putname(req->open.filename);
3459 req->flags &= ~REQ_F_NEED_CLEANUP;
3461 req_set_fail_links(req);
3462 io_req_complete(req, ret);
3466 static int io_openat(struct io_kiocb *req, bool force_nonblock)
3468 return io_openat2(req, force_nonblock);
3471 static int io_remove_buffers_prep(struct io_kiocb *req,
3472 const struct io_uring_sqe *sqe)
3474 struct io_provide_buf *p = &req->pbuf;
3477 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3480 tmp = READ_ONCE(sqe->fd);
3481 if (!tmp || tmp > USHRT_MAX)
3484 memset(p, 0, sizeof(*p));
3486 p->bgid = READ_ONCE(sqe->buf_group);
3490 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3491 int bgid, unsigned nbufs)
3495 /* shouldn't happen */
3499 /* the head kbuf is the list itself */
3500 while (!list_empty(&buf->list)) {
3501 struct io_buffer *nxt;
3503 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3504 list_del(&nxt->list);
3511 idr_remove(&ctx->io_buffer_idr, bgid);
3516 static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock,
3517 struct io_comp_state *cs)
3519 struct io_provide_buf *p = &req->pbuf;
3520 struct io_ring_ctx *ctx = req->ctx;
3521 struct io_buffer *head;
3524 io_ring_submit_lock(ctx, !force_nonblock);
3526 lockdep_assert_held(&ctx->uring_lock);
3529 head = idr_find(&ctx->io_buffer_idr, p->bgid);
3531 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3533 io_ring_submit_lock(ctx, !force_nonblock);
3535 req_set_fail_links(req);
3536 __io_req_complete(req, ret, 0, cs);
3540 static int io_provide_buffers_prep(struct io_kiocb *req,
3541 const struct io_uring_sqe *sqe)
3543 struct io_provide_buf *p = &req->pbuf;
3546 if (sqe->ioprio || sqe->rw_flags)
3549 tmp = READ_ONCE(sqe->fd);
3550 if (!tmp || tmp > USHRT_MAX)
3553 p->addr = READ_ONCE(sqe->addr);
3554 p->len = READ_ONCE(sqe->len);
3556 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3559 p->bgid = READ_ONCE(sqe->buf_group);
3560 tmp = READ_ONCE(sqe->off);
3561 if (tmp > USHRT_MAX)
3567 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3569 struct io_buffer *buf;
3570 u64 addr = pbuf->addr;
3571 int i, bid = pbuf->bid;
3573 for (i = 0; i < pbuf->nbufs; i++) {
3574 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3579 buf->len = pbuf->len;
3584 INIT_LIST_HEAD(&buf->list);
3587 list_add_tail(&buf->list, &(*head)->list);
3591 return i ? i : -ENOMEM;
3594 static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock,
3595 struct io_comp_state *cs)
3597 struct io_provide_buf *p = &req->pbuf;
3598 struct io_ring_ctx *ctx = req->ctx;
3599 struct io_buffer *head, *list;
3602 io_ring_submit_lock(ctx, !force_nonblock);
3604 lockdep_assert_held(&ctx->uring_lock);
3606 list = head = idr_find(&ctx->io_buffer_idr, p->bgid);
3608 ret = io_add_buffers(p, &head);
3613 ret = idr_alloc(&ctx->io_buffer_idr, head, p->bgid, p->bgid + 1,
3616 __io_remove_buffers(ctx, head, p->bgid, -1U);
3621 io_ring_submit_unlock(ctx, !force_nonblock);
3623 req_set_fail_links(req);
3624 __io_req_complete(req, ret, 0, cs);
3628 static int io_epoll_ctl_prep(struct io_kiocb *req,
3629 const struct io_uring_sqe *sqe)
3631 #if defined(CONFIG_EPOLL)
3632 if (sqe->ioprio || sqe->buf_index)
3634 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3637 req->epoll.epfd = READ_ONCE(sqe->fd);
3638 req->epoll.op = READ_ONCE(sqe->len);
3639 req->epoll.fd = READ_ONCE(sqe->off);
3641 if (ep_op_has_event(req->epoll.op)) {
3642 struct epoll_event __user *ev;
3644 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
3645 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
3655 static int io_epoll_ctl(struct io_kiocb *req, bool force_nonblock,
3656 struct io_comp_state *cs)
3658 #if defined(CONFIG_EPOLL)
3659 struct io_epoll *ie = &req->epoll;
3662 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
3663 if (force_nonblock && ret == -EAGAIN)
3667 req_set_fail_links(req);
3668 __io_req_complete(req, ret, 0, cs);
3675 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3677 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3678 if (sqe->ioprio || sqe->buf_index || sqe->off)
3680 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3683 req->madvise.addr = READ_ONCE(sqe->addr);
3684 req->madvise.len = READ_ONCE(sqe->len);
3685 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
3692 static int io_madvise(struct io_kiocb *req, bool force_nonblock)
3694 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3695 struct io_madvise *ma = &req->madvise;
3701 ret = do_madvise(ma->addr, ma->len, ma->advice);
3703 req_set_fail_links(req);
3704 io_req_complete(req, ret);
3711 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3713 if (sqe->ioprio || sqe->buf_index || sqe->addr)
3715 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3718 req->fadvise.offset = READ_ONCE(sqe->off);
3719 req->fadvise.len = READ_ONCE(sqe->len);
3720 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
3724 static int io_fadvise(struct io_kiocb *req, bool force_nonblock)
3726 struct io_fadvise *fa = &req->fadvise;
3729 if (force_nonblock) {
3730 switch (fa->advice) {
3731 case POSIX_FADV_NORMAL:
3732 case POSIX_FADV_RANDOM:
3733 case POSIX_FADV_SEQUENTIAL:
3740 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
3742 req_set_fail_links(req);
3743 io_req_complete(req, ret);
3747 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3749 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3751 if (sqe->ioprio || sqe->buf_index)
3753 if (req->flags & REQ_F_FIXED_FILE)
3756 req->statx.dfd = READ_ONCE(sqe->fd);
3757 req->statx.mask = READ_ONCE(sqe->len);
3758 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
3759 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3760 req->statx.flags = READ_ONCE(sqe->statx_flags);
3765 static int io_statx(struct io_kiocb *req, bool force_nonblock)
3767 struct io_statx *ctx = &req->statx;
3770 if (force_nonblock) {
3771 /* only need file table for an actual valid fd */
3772 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
3773 req->flags |= REQ_F_NO_FILE_TABLE;
3777 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
3781 req_set_fail_links(req);
3782 io_req_complete(req, ret);
3786 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3789 * If we queue this for async, it must not be cancellable. That would
3790 * leave the 'file' in an undeterminate state, and here need to modify
3791 * io_wq_work.flags, so initialize io_wq_work firstly.
3793 io_req_init_async(req);
3794 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
3796 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3798 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
3799 sqe->rw_flags || sqe->buf_index)
3801 if (req->flags & REQ_F_FIXED_FILE)
3804 req->close.fd = READ_ONCE(sqe->fd);
3805 if ((req->file && req->file->f_op == &io_uring_fops) ||
3806 req->close.fd == req->ctx->ring_fd)
3809 req->close.put_file = NULL;
3813 static int io_close(struct io_kiocb *req, bool force_nonblock,
3814 struct io_comp_state *cs)
3816 struct io_close *close = &req->close;
3819 /* might be already done during nonblock submission */
3820 if (!close->put_file) {
3821 ret = __close_fd_get_file(close->fd, &close->put_file);
3823 return (ret == -ENOENT) ? -EBADF : ret;
3826 /* if the file has a flush method, be safe and punt to async */
3827 if (close->put_file->f_op->flush && force_nonblock) {
3828 /* was never set, but play safe */
3829 req->flags &= ~REQ_F_NOWAIT;
3830 /* avoid grabbing files - we don't need the files */
3831 req->flags |= REQ_F_NO_FILE_TABLE;
3835 /* No ->flush() or already async, safely close from here */
3836 ret = filp_close(close->put_file, req->work.files);
3838 req_set_fail_links(req);
3839 fput(close->put_file);
3840 close->put_file = NULL;
3841 __io_req_complete(req, ret, 0, cs);
3845 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3847 struct io_ring_ctx *ctx = req->ctx;
3852 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3854 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3857 req->sync.off = READ_ONCE(sqe->off);
3858 req->sync.len = READ_ONCE(sqe->len);
3859 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
3863 static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
3867 /* sync_file_range always requires a blocking context */
3871 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
3874 req_set_fail_links(req);
3875 io_req_complete(req, ret);
3879 #if defined(CONFIG_NET)
3880 static int io_setup_async_msg(struct io_kiocb *req,
3881 struct io_async_msghdr *kmsg)
3885 if (io_alloc_async_ctx(req)) {
3886 if (kmsg->iov != kmsg->fast_iov)
3890 req->flags |= REQ_F_NEED_CLEANUP;
3891 memcpy(&req->io->msg, kmsg, sizeof(*kmsg));
3895 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3897 struct io_sr_msg *sr = &req->sr_msg;
3898 struct io_async_ctx *io = req->io;
3901 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3904 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3905 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3906 sr->len = READ_ONCE(sqe->len);
3908 #ifdef CONFIG_COMPAT
3909 if (req->ctx->compat)
3910 sr->msg_flags |= MSG_CMSG_COMPAT;
3913 if (!io || req->opcode == IORING_OP_SEND)
3915 /* iovec is already imported */
3916 if (req->flags & REQ_F_NEED_CLEANUP)
3919 io->msg.iov = io->msg.fast_iov;
3920 ret = sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
3923 req->flags |= REQ_F_NEED_CLEANUP;
3927 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
3928 struct io_comp_state *cs)
3930 struct io_async_msghdr *kmsg = NULL;
3931 struct socket *sock;
3934 sock = sock_from_file(req->file, &ret);
3936 struct io_async_ctx io;
3940 kmsg = &req->io->msg;
3941 kmsg->msg.msg_name = &req->io->msg.addr;
3942 /* if iov is set, it's allocated already */
3944 kmsg->iov = kmsg->fast_iov;
3945 kmsg->msg.msg_iter.iov = kmsg->iov;
3947 struct io_sr_msg *sr = &req->sr_msg;
3950 kmsg->msg.msg_name = &io.msg.addr;
3952 io.msg.iov = io.msg.fast_iov;
3953 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
3954 sr->msg_flags, &io.msg.iov);
3959 flags = req->sr_msg.msg_flags;
3960 if (flags & MSG_DONTWAIT)
3961 req->flags |= REQ_F_NOWAIT;
3962 else if (force_nonblock)
3963 flags |= MSG_DONTWAIT;
3965 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
3966 if (force_nonblock && ret == -EAGAIN)
3967 return io_setup_async_msg(req, kmsg);
3968 if (ret == -ERESTARTSYS)
3972 if (kmsg && kmsg->iov != kmsg->fast_iov)
3974 req->flags &= ~REQ_F_NEED_CLEANUP;
3976 req_set_fail_links(req);
3977 __io_req_complete(req, ret, 0, cs);
3981 static int io_send(struct io_kiocb *req, bool force_nonblock,
3982 struct io_comp_state *cs)
3984 struct socket *sock;
3987 sock = sock_from_file(req->file, &ret);
3989 struct io_sr_msg *sr = &req->sr_msg;
3994 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
3999 msg.msg_name = NULL;
4000 msg.msg_control = NULL;
4001 msg.msg_controllen = 0;
4002 msg.msg_namelen = 0;
4004 flags = req->sr_msg.msg_flags;
4005 if (flags & MSG_DONTWAIT)
4006 req->flags |= REQ_F_NOWAIT;
4007 else if (force_nonblock)
4008 flags |= MSG_DONTWAIT;
4010 msg.msg_flags = flags;
4011 ret = sock_sendmsg(sock, &msg);
4012 if (force_nonblock && ret == -EAGAIN)
4014 if (ret == -ERESTARTSYS)
4019 req_set_fail_links(req);
4020 __io_req_complete(req, ret, 0, cs);
4024 static int __io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
4026 struct io_sr_msg *sr = &req->sr_msg;
4027 struct iovec __user *uiov;
4031 ret = __copy_msghdr_from_user(&io->msg.msg, sr->msg, &io->msg.uaddr,
4036 if (req->flags & REQ_F_BUFFER_SELECT) {
4039 if (copy_from_user(io->msg.iov, uiov, sizeof(*uiov)))
4041 sr->len = io->msg.iov[0].iov_len;
4042 iov_iter_init(&io->msg.msg.msg_iter, READ, io->msg.iov, 1,
4046 ret = import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
4047 &io->msg.iov, &io->msg.msg.msg_iter);
4055 #ifdef CONFIG_COMPAT
4056 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
4057 struct io_async_ctx *io)
4059 struct compat_msghdr __user *msg_compat;
4060 struct io_sr_msg *sr = &req->sr_msg;
4061 struct compat_iovec __user *uiov;
4066 msg_compat = (struct compat_msghdr __user *) sr->msg;
4067 ret = __get_compat_msghdr(&io->msg.msg, msg_compat, &io->msg.uaddr,
4072 uiov = compat_ptr(ptr);
4073 if (req->flags & REQ_F_BUFFER_SELECT) {
4074 compat_ssize_t clen;
4078 if (!access_ok(uiov, sizeof(*uiov)))
4080 if (__get_user(clen, &uiov->iov_len))
4084 sr->len = io->msg.iov[0].iov_len;
4087 ret = compat_import_iovec(READ, uiov, len, UIO_FASTIOV,
4089 &io->msg.msg.msg_iter);
4098 static int io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
4100 io->msg.iov = io->msg.fast_iov;
4102 #ifdef CONFIG_COMPAT
4103 if (req->ctx->compat)
4104 return __io_compat_recvmsg_copy_hdr(req, io);
4107 return __io_recvmsg_copy_hdr(req, io);
4110 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
4111 int *cflags, bool needs_lock)
4113 struct io_sr_msg *sr = &req->sr_msg;
4114 struct io_buffer *kbuf;
4116 if (!(req->flags & REQ_F_BUFFER_SELECT))
4119 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
4124 req->flags |= REQ_F_BUFFER_SELECTED;
4126 *cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
4127 *cflags |= IORING_CQE_F_BUFFER;
4131 static int io_recvmsg_prep(struct io_kiocb *req,
4132 const struct io_uring_sqe *sqe)
4134 struct io_sr_msg *sr = &req->sr_msg;
4135 struct io_async_ctx *io = req->io;
4138 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4141 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4142 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4143 sr->len = READ_ONCE(sqe->len);
4144 sr->bgid = READ_ONCE(sqe->buf_group);
4146 #ifdef CONFIG_COMPAT
4147 if (req->ctx->compat)
4148 sr->msg_flags |= MSG_CMSG_COMPAT;
4151 if (!io || req->opcode == IORING_OP_RECV)
4153 /* iovec is already imported */
4154 if (req->flags & REQ_F_NEED_CLEANUP)
4157 ret = io_recvmsg_copy_hdr(req, io);
4159 req->flags |= REQ_F_NEED_CLEANUP;
4163 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4164 struct io_comp_state *cs)
4166 struct io_async_msghdr *kmsg = NULL;
4167 struct socket *sock;
4168 int ret, cflags = 0;
4170 sock = sock_from_file(req->file, &ret);
4172 struct io_buffer *kbuf;
4173 struct io_async_ctx io;
4177 kmsg = &req->io->msg;
4178 kmsg->msg.msg_name = &req->io->msg.addr;
4179 /* if iov is set, it's allocated already */
4181 kmsg->iov = kmsg->fast_iov;
4182 kmsg->msg.msg_iter.iov = kmsg->iov;
4185 kmsg->msg.msg_name = &io.msg.addr;
4187 ret = io_recvmsg_copy_hdr(req, &io);
4192 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
4194 return PTR_ERR(kbuf);
4196 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
4197 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->iov,
4198 1, req->sr_msg.len);
4201 flags = req->sr_msg.msg_flags;
4202 if (flags & MSG_DONTWAIT)
4203 req->flags |= REQ_F_NOWAIT;
4204 else if (force_nonblock)
4205 flags |= MSG_DONTWAIT;
4207 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
4208 kmsg->uaddr, flags);
4209 if (force_nonblock && ret == -EAGAIN)
4210 return io_setup_async_msg(req, kmsg);
4211 if (ret == -ERESTARTSYS)
4215 if (kmsg && kmsg->iov != kmsg->fast_iov)
4217 req->flags &= ~REQ_F_NEED_CLEANUP;
4219 req_set_fail_links(req);
4220 __io_req_complete(req, ret, cflags, cs);
4224 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4225 struct io_comp_state *cs)
4227 struct io_buffer *kbuf = NULL;
4228 struct socket *sock;
4229 int ret, cflags = 0;
4231 sock = sock_from_file(req->file, &ret);
4233 struct io_sr_msg *sr = &req->sr_msg;
4234 void __user *buf = sr->buf;
4239 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
4241 return PTR_ERR(kbuf);
4243 buf = u64_to_user_ptr(kbuf->addr);
4245 ret = import_single_range(READ, buf, sr->len, &iov,
4252 req->flags |= REQ_F_NEED_CLEANUP;
4253 msg.msg_name = NULL;
4254 msg.msg_control = NULL;
4255 msg.msg_controllen = 0;
4256 msg.msg_namelen = 0;
4257 msg.msg_iocb = NULL;
4260 flags = req->sr_msg.msg_flags;
4261 if (flags & MSG_DONTWAIT)
4262 req->flags |= REQ_F_NOWAIT;
4263 else if (force_nonblock)
4264 flags |= MSG_DONTWAIT;
4266 ret = sock_recvmsg(sock, &msg, flags);
4267 if (force_nonblock && ret == -EAGAIN)
4269 if (ret == -ERESTARTSYS)
4274 req->flags &= ~REQ_F_NEED_CLEANUP;
4276 req_set_fail_links(req);
4277 __io_req_complete(req, ret, cflags, cs);
4281 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4283 struct io_accept *accept = &req->accept;
4285 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4287 if (sqe->ioprio || sqe->len || sqe->buf_index)
4290 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4291 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4292 accept->flags = READ_ONCE(sqe->accept_flags);
4293 accept->nofile = rlimit(RLIMIT_NOFILE);
4297 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4298 struct io_comp_state *cs)
4300 struct io_accept *accept = &req->accept;
4301 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
4304 if (req->file->f_flags & O_NONBLOCK)
4305 req->flags |= REQ_F_NOWAIT;
4307 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
4308 accept->addr_len, accept->flags,
4310 if (ret == -EAGAIN && force_nonblock)
4313 if (ret == -ERESTARTSYS)
4315 req_set_fail_links(req);
4317 __io_req_complete(req, ret, 0, cs);
4321 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4323 struct io_connect *conn = &req->connect;
4324 struct io_async_ctx *io = req->io;
4326 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4328 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
4331 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4332 conn->addr_len = READ_ONCE(sqe->addr2);
4337 return move_addr_to_kernel(conn->addr, conn->addr_len,
4338 &io->connect.address);
4341 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4342 struct io_comp_state *cs)
4344 struct io_async_ctx __io, *io;
4345 unsigned file_flags;
4351 ret = move_addr_to_kernel(req->connect.addr,
4352 req->connect.addr_len,
4353 &__io.connect.address);
4359 file_flags = force_nonblock ? O_NONBLOCK : 0;
4361 ret = __sys_connect_file(req->file, &io->connect.address,
4362 req->connect.addr_len, file_flags);
4363 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4366 if (io_alloc_async_ctx(req)) {
4370 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
4373 if (ret == -ERESTARTSYS)
4377 req_set_fail_links(req);
4378 __io_req_complete(req, ret, 0, cs);
4381 #else /* !CONFIG_NET */
4382 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4387 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4388 struct io_comp_state *cs)
4393 static int io_send(struct io_kiocb *req, bool force_nonblock,
4394 struct io_comp_state *cs)
4399 static int io_recvmsg_prep(struct io_kiocb *req,
4400 const struct io_uring_sqe *sqe)
4405 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4406 struct io_comp_state *cs)
4411 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4412 struct io_comp_state *cs)
4417 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4422 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4423 struct io_comp_state *cs)
4428 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4433 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4434 struct io_comp_state *cs)
4438 #endif /* CONFIG_NET */
4440 struct io_poll_table {
4441 struct poll_table_struct pt;
4442 struct io_kiocb *req;
4446 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4447 __poll_t mask, task_work_func_t func)
4451 /* for instances that support it check for an event match first: */
4452 if (mask && !(mask & poll->events))
4455 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4457 list_del_init(&poll->wait.entry);
4460 init_task_work(&req->task_work, func);
4462 * If this fails, then the task is exiting. When a task exits, the
4463 * work gets canceled, so just cancel this request as well instead
4464 * of executing it. We can't safely execute it anyway, as we may not
4465 * have the needed state needed for it anyway.
4467 ret = io_req_task_work_add(req, &req->task_work);
4468 if (unlikely(ret)) {
4469 struct task_struct *tsk;
4471 WRITE_ONCE(poll->canceled, true);
4472 tsk = io_wq_get_task(req->ctx->io_wq);
4473 task_work_add(tsk, &req->task_work, 0);
4474 wake_up_process(tsk);
4479 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4480 __acquires(&req->ctx->completion_lock)
4482 struct io_ring_ctx *ctx = req->ctx;
4484 if (!req->result && !READ_ONCE(poll->canceled)) {
4485 struct poll_table_struct pt = { ._key = poll->events };
4487 req->result = vfs_poll(req->file, &pt) & poll->events;
4490 spin_lock_irq(&ctx->completion_lock);
4491 if (!req->result && !READ_ONCE(poll->canceled)) {
4492 add_wait_queue(poll->head, &poll->wait);
4499 static void io_poll_remove_double(struct io_kiocb *req)
4501 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4503 lockdep_assert_held(&req->ctx->completion_lock);
4505 if (poll && poll->head) {
4506 struct wait_queue_head *head = poll->head;
4508 spin_lock(&head->lock);
4509 list_del_init(&poll->wait.entry);
4510 if (poll->wait.private)
4511 refcount_dec(&req->refs);
4513 spin_unlock(&head->lock);
4517 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4519 struct io_ring_ctx *ctx = req->ctx;
4521 io_poll_remove_double(req);
4522 req->poll.done = true;
4523 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4524 io_commit_cqring(ctx);
4527 static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
4529 struct io_ring_ctx *ctx = req->ctx;
4531 if (io_poll_rewait(req, &req->poll)) {
4532 spin_unlock_irq(&ctx->completion_lock);
4536 hash_del(&req->hash_node);
4537 io_poll_complete(req, req->result, 0);
4538 req->flags |= REQ_F_COMP_LOCKED;
4539 *nxt = io_put_req_find_next(req);
4540 spin_unlock_irq(&ctx->completion_lock);
4542 io_cqring_ev_posted(ctx);
4545 static void io_poll_task_func(struct callback_head *cb)
4547 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4548 struct io_kiocb *nxt = NULL;
4550 io_poll_task_handler(req, &nxt);
4552 __io_req_task_submit(nxt);
4555 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4556 int sync, void *key)
4558 struct io_kiocb *req = wait->private;
4559 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4560 __poll_t mask = key_to_poll(key);
4562 /* for instances that support it check for an event match first: */
4563 if (mask && !(mask & poll->events))
4566 if (req->poll.head) {
4569 spin_lock(&req->poll.head->lock);
4570 done = list_empty(&req->poll.wait.entry);
4572 list_del_init(&req->poll.wait.entry);
4573 spin_unlock(&req->poll.head->lock);
4575 __io_async_wake(req, poll, mask, io_poll_task_func);
4577 refcount_dec(&req->refs);
4581 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4582 wait_queue_func_t wake_func)
4586 poll->canceled = false;
4587 poll->events = events;
4588 INIT_LIST_HEAD(&poll->wait.entry);
4589 init_waitqueue_func_entry(&poll->wait, wake_func);
4592 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
4593 struct wait_queue_head *head)
4595 struct io_kiocb *req = pt->req;
4598 * If poll->head is already set, it's because the file being polled
4599 * uses multiple waitqueues for poll handling (eg one for read, one
4600 * for write). Setup a separate io_poll_iocb if this happens.
4602 if (unlikely(poll->head)) {
4603 /* already have a 2nd entry, fail a third attempt */
4605 pt->error = -EINVAL;
4608 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
4610 pt->error = -ENOMEM;
4613 io_init_poll_iocb(poll, req->poll.events, io_poll_double_wake);
4614 refcount_inc(&req->refs);
4615 poll->wait.private = req;
4616 req->io = (void *) poll;
4622 if (poll->events & EPOLLEXCLUSIVE)
4623 add_wait_queue_exclusive(head, &poll->wait);
4625 add_wait_queue(head, &poll->wait);
4628 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
4629 struct poll_table_struct *p)
4631 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4633 __io_queue_proc(&pt->req->apoll->poll, pt, head);
4636 static void io_async_task_func(struct callback_head *cb)
4638 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4639 struct async_poll *apoll = req->apoll;
4640 struct io_ring_ctx *ctx = req->ctx;
4642 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
4644 if (io_poll_rewait(req, &apoll->poll)) {
4645 spin_unlock_irq(&ctx->completion_lock);
4649 /* If req is still hashed, it cannot have been canceled. Don't check. */
4650 if (hash_hashed(&req->hash_node))
4651 hash_del(&req->hash_node);
4653 spin_unlock_irq(&ctx->completion_lock);
4655 /* restore ->work in case we need to retry again */
4656 if (req->flags & REQ_F_WORK_INITIALIZED)
4657 memcpy(&req->work, &apoll->work, sizeof(req->work));
4659 if (!READ_ONCE(apoll->poll.canceled))
4660 __io_req_task_submit(req);
4662 __io_req_task_cancel(req, -ECANCELED);
4667 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4670 struct io_kiocb *req = wait->private;
4671 struct io_poll_iocb *poll = &req->apoll->poll;
4673 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
4676 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
4679 static void io_poll_req_insert(struct io_kiocb *req)
4681 struct io_ring_ctx *ctx = req->ctx;
4682 struct hlist_head *list;
4684 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
4685 hlist_add_head(&req->hash_node, list);
4688 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
4689 struct io_poll_iocb *poll,
4690 struct io_poll_table *ipt, __poll_t mask,
4691 wait_queue_func_t wake_func)
4692 __acquires(&ctx->completion_lock)
4694 struct io_ring_ctx *ctx = req->ctx;
4695 bool cancel = false;
4697 io_init_poll_iocb(poll, mask, wake_func);
4698 poll->file = req->file;
4699 poll->wait.private = req;
4701 ipt->pt._key = mask;
4703 ipt->error = -EINVAL;
4705 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
4707 spin_lock_irq(&ctx->completion_lock);
4708 if (likely(poll->head)) {
4709 spin_lock(&poll->head->lock);
4710 if (unlikely(list_empty(&poll->wait.entry))) {
4716 if (mask || ipt->error)
4717 list_del_init(&poll->wait.entry);
4719 WRITE_ONCE(poll->canceled, true);
4720 else if (!poll->done) /* actually waiting for an event */
4721 io_poll_req_insert(req);
4722 spin_unlock(&poll->head->lock);
4728 static bool io_arm_poll_handler(struct io_kiocb *req)
4730 const struct io_op_def *def = &io_op_defs[req->opcode];
4731 struct io_ring_ctx *ctx = req->ctx;
4732 struct async_poll *apoll;
4733 struct io_poll_table ipt;
4737 if (!req->file || !file_can_poll(req->file))
4739 if (req->flags & REQ_F_POLLED)
4741 if (!def->pollin && !def->pollout)
4744 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
4745 if (unlikely(!apoll))
4748 req->flags |= REQ_F_POLLED;
4749 if (req->flags & REQ_F_WORK_INITIALIZED)
4750 memcpy(&apoll->work, &req->work, sizeof(req->work));
4751 had_io = req->io != NULL;
4753 io_get_req_task(req);
4755 INIT_HLIST_NODE(&req->hash_node);
4759 mask |= POLLIN | POLLRDNORM;
4761 mask |= POLLOUT | POLLWRNORM;
4762 mask |= POLLERR | POLLPRI;
4764 ipt.pt._qproc = io_async_queue_proc;
4766 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
4770 /* only remove double add if we did it here */
4772 io_poll_remove_double(req);
4773 spin_unlock_irq(&ctx->completion_lock);
4774 if (req->flags & REQ_F_WORK_INITIALIZED)
4775 memcpy(&req->work, &apoll->work, sizeof(req->work));
4779 spin_unlock_irq(&ctx->completion_lock);
4780 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
4781 apoll->poll.events);
4785 static bool __io_poll_remove_one(struct io_kiocb *req,
4786 struct io_poll_iocb *poll)
4788 bool do_complete = false;
4790 spin_lock(&poll->head->lock);
4791 WRITE_ONCE(poll->canceled, true);
4792 if (!list_empty(&poll->wait.entry)) {
4793 list_del_init(&poll->wait.entry);
4796 spin_unlock(&poll->head->lock);
4797 hash_del(&req->hash_node);
4801 static bool io_poll_remove_one(struct io_kiocb *req)
4805 if (req->opcode == IORING_OP_POLL_ADD) {
4806 io_poll_remove_double(req);
4807 do_complete = __io_poll_remove_one(req, &req->poll);
4809 struct async_poll *apoll = req->apoll;
4811 /* non-poll requests have submit ref still */
4812 do_complete = __io_poll_remove_one(req, &apoll->poll);
4816 * restore ->work because we will call
4817 * io_req_work_drop_env below when dropping the
4820 if (req->flags & REQ_F_WORK_INITIALIZED)
4821 memcpy(&req->work, &apoll->work,
4828 io_cqring_fill_event(req, -ECANCELED);
4829 io_commit_cqring(req->ctx);
4830 req->flags |= REQ_F_COMP_LOCKED;
4837 static void io_poll_remove_all(struct io_ring_ctx *ctx)
4839 struct hlist_node *tmp;
4840 struct io_kiocb *req;
4843 spin_lock_irq(&ctx->completion_lock);
4844 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
4845 struct hlist_head *list;
4847 list = &ctx->cancel_hash[i];
4848 hlist_for_each_entry_safe(req, tmp, list, hash_node)
4849 posted += io_poll_remove_one(req);
4851 spin_unlock_irq(&ctx->completion_lock);
4854 io_cqring_ev_posted(ctx);
4857 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
4859 struct hlist_head *list;
4860 struct io_kiocb *req;
4862 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
4863 hlist_for_each_entry(req, list, hash_node) {
4864 if (sqe_addr != req->user_data)
4866 if (io_poll_remove_one(req))
4874 static int io_poll_remove_prep(struct io_kiocb *req,
4875 const struct io_uring_sqe *sqe)
4877 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4879 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
4883 req->poll.addr = READ_ONCE(sqe->addr);
4888 * Find a running poll command that matches one specified in sqe->addr,
4889 * and remove it if found.
4891 static int io_poll_remove(struct io_kiocb *req)
4893 struct io_ring_ctx *ctx = req->ctx;
4897 addr = req->poll.addr;
4898 spin_lock_irq(&ctx->completion_lock);
4899 ret = io_poll_cancel(ctx, addr);
4900 spin_unlock_irq(&ctx->completion_lock);
4903 req_set_fail_links(req);
4904 io_req_complete(req, ret);
4908 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4911 struct io_kiocb *req = wait->private;
4912 struct io_poll_iocb *poll = &req->poll;
4914 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
4917 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
4918 struct poll_table_struct *p)
4920 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4922 __io_queue_proc(&pt->req->poll, pt, head);
4925 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4927 struct io_poll_iocb *poll = &req->poll;
4930 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4932 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
4937 events = READ_ONCE(sqe->poll32_events);
4939 events = swahw32(events);
4941 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |
4942 (events & EPOLLEXCLUSIVE);
4944 io_get_req_task(req);
4948 static int io_poll_add(struct io_kiocb *req)
4950 struct io_poll_iocb *poll = &req->poll;
4951 struct io_ring_ctx *ctx = req->ctx;
4952 struct io_poll_table ipt;
4955 INIT_HLIST_NODE(&req->hash_node);
4956 INIT_LIST_HEAD(&req->list);
4957 ipt.pt._qproc = io_poll_queue_proc;
4959 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
4962 if (mask) { /* no async, we'd stolen it */
4964 io_poll_complete(req, mask, 0);
4966 spin_unlock_irq(&ctx->completion_lock);
4969 io_cqring_ev_posted(ctx);
4975 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
4977 struct io_timeout_data *data = container_of(timer,
4978 struct io_timeout_data, timer);
4979 struct io_kiocb *req = data->req;
4980 struct io_ring_ctx *ctx = req->ctx;
4981 unsigned long flags;
4983 atomic_inc(&ctx->cq_timeouts);
4985 spin_lock_irqsave(&ctx->completion_lock, flags);
4987 * We could be racing with timeout deletion. If the list is empty,
4988 * then timeout lookup already found it and will be handling it.
4990 if (!list_empty(&req->list))
4991 list_del_init(&req->list);
4993 io_cqring_fill_event(req, -ETIME);
4994 io_commit_cqring(ctx);
4995 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4997 io_cqring_ev_posted(ctx);
4998 req_set_fail_links(req);
5000 return HRTIMER_NORESTART;
5003 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
5005 struct io_kiocb *req;
5008 list_for_each_entry(req, &ctx->timeout_list, list) {
5009 if (user_data == req->user_data) {
5010 list_del_init(&req->list);
5019 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5023 req_set_fail_links(req);
5024 io_cqring_fill_event(req, -ECANCELED);
5029 static int io_timeout_remove_prep(struct io_kiocb *req,
5030 const struct io_uring_sqe *sqe)
5032 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5034 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
5037 req->timeout.addr = READ_ONCE(sqe->addr);
5038 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
5039 if (req->timeout.flags)
5046 * Remove or update an existing timeout command
5048 static int io_timeout_remove(struct io_kiocb *req)
5050 struct io_ring_ctx *ctx = req->ctx;
5053 spin_lock_irq(&ctx->completion_lock);
5054 ret = io_timeout_cancel(ctx, req->timeout.addr);
5056 io_cqring_fill_event(req, ret);
5057 io_commit_cqring(ctx);
5058 spin_unlock_irq(&ctx->completion_lock);
5059 io_cqring_ev_posted(ctx);
5061 req_set_fail_links(req);
5066 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5067 bool is_timeout_link)
5069 struct io_timeout_data *data;
5071 u32 off = READ_ONCE(sqe->off);
5073 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5075 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
5077 if (off && is_timeout_link)
5079 flags = READ_ONCE(sqe->timeout_flags);
5080 if (flags & ~IORING_TIMEOUT_ABS)
5083 req->timeout.off = off;
5085 if (!req->io && io_alloc_async_ctx(req))
5088 data = &req->io->timeout;
5091 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5094 if (flags & IORING_TIMEOUT_ABS)
5095 data->mode = HRTIMER_MODE_ABS;
5097 data->mode = HRTIMER_MODE_REL;
5099 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
5103 static int io_timeout(struct io_kiocb *req)
5105 struct io_ring_ctx *ctx = req->ctx;
5106 struct io_timeout_data *data = &req->io->timeout;
5107 struct list_head *entry;
5108 u32 tail, off = req->timeout.off;
5110 spin_lock_irq(&ctx->completion_lock);
5113 * sqe->off holds how many events that need to occur for this
5114 * timeout event to be satisfied. If it isn't set, then this is
5115 * a pure timeout request, sequence isn't used.
5117 if (io_is_timeout_noseq(req)) {
5118 entry = ctx->timeout_list.prev;
5122 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
5123 req->timeout.target_seq = tail + off;
5126 * Insertion sort, ensuring the first entry in the list is always
5127 * the one we need first.
5129 list_for_each_prev(entry, &ctx->timeout_list) {
5130 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5132 if (io_is_timeout_noseq(nxt))
5134 /* nxt.seq is behind @tail, otherwise would've been completed */
5135 if (off >= nxt->timeout.target_seq - tail)
5139 list_add(&req->list, entry);
5140 data->timer.function = io_timeout_fn;
5141 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5142 spin_unlock_irq(&ctx->completion_lock);
5146 static bool io_cancel_cb(struct io_wq_work *work, void *data)
5148 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5150 return req->user_data == (unsigned long) data;
5153 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
5155 enum io_wq_cancel cancel_ret;
5158 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr, false);
5159 switch (cancel_ret) {
5160 case IO_WQ_CANCEL_OK:
5163 case IO_WQ_CANCEL_RUNNING:
5166 case IO_WQ_CANCEL_NOTFOUND:
5174 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
5175 struct io_kiocb *req, __u64 sqe_addr,
5178 unsigned long flags;
5181 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
5182 if (ret != -ENOENT) {
5183 spin_lock_irqsave(&ctx->completion_lock, flags);
5187 spin_lock_irqsave(&ctx->completion_lock, flags);
5188 ret = io_timeout_cancel(ctx, sqe_addr);
5191 ret = io_poll_cancel(ctx, sqe_addr);
5195 io_cqring_fill_event(req, ret);
5196 io_commit_cqring(ctx);
5197 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5198 io_cqring_ev_posted(ctx);
5201 req_set_fail_links(req);
5205 static int io_async_cancel_prep(struct io_kiocb *req,
5206 const struct io_uring_sqe *sqe)
5208 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5210 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
5214 req->cancel.addr = READ_ONCE(sqe->addr);
5218 static int io_async_cancel(struct io_kiocb *req)
5220 struct io_ring_ctx *ctx = req->ctx;
5222 io_async_find_and_cancel(ctx, req, req->cancel.addr, 0);
5226 static int io_files_update_prep(struct io_kiocb *req,
5227 const struct io_uring_sqe *sqe)
5229 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
5232 req->files_update.offset = READ_ONCE(sqe->off);
5233 req->files_update.nr_args = READ_ONCE(sqe->len);
5234 if (!req->files_update.nr_args)
5236 req->files_update.arg = READ_ONCE(sqe->addr);
5240 static int io_files_update(struct io_kiocb *req, bool force_nonblock,
5241 struct io_comp_state *cs)
5243 struct io_ring_ctx *ctx = req->ctx;
5244 struct io_uring_files_update up;
5250 up.offset = req->files_update.offset;
5251 up.fds = req->files_update.arg;
5253 mutex_lock(&ctx->uring_lock);
5254 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
5255 mutex_unlock(&ctx->uring_lock);
5258 req_set_fail_links(req);
5259 __io_req_complete(req, ret, 0, cs);
5263 static int io_req_defer_prep(struct io_kiocb *req,
5264 const struct io_uring_sqe *sqe)
5271 if (io_op_defs[req->opcode].file_table) {
5272 io_req_init_async(req);
5273 ret = io_grab_files(req);
5278 switch (req->opcode) {
5281 case IORING_OP_READV:
5282 case IORING_OP_READ_FIXED:
5283 case IORING_OP_READ:
5284 ret = io_read_prep(req, sqe, true);
5286 case IORING_OP_WRITEV:
5287 case IORING_OP_WRITE_FIXED:
5288 case IORING_OP_WRITE:
5289 ret = io_write_prep(req, sqe, true);
5291 case IORING_OP_POLL_ADD:
5292 ret = io_poll_add_prep(req, sqe);
5294 case IORING_OP_POLL_REMOVE:
5295 ret = io_poll_remove_prep(req, sqe);
5297 case IORING_OP_FSYNC:
5298 ret = io_prep_fsync(req, sqe);
5300 case IORING_OP_SYNC_FILE_RANGE:
5301 ret = io_prep_sfr(req, sqe);
5303 case IORING_OP_SENDMSG:
5304 case IORING_OP_SEND:
5305 ret = io_sendmsg_prep(req, sqe);
5307 case IORING_OP_RECVMSG:
5308 case IORING_OP_RECV:
5309 ret = io_recvmsg_prep(req, sqe);
5311 case IORING_OP_CONNECT:
5312 ret = io_connect_prep(req, sqe);
5314 case IORING_OP_TIMEOUT:
5315 ret = io_timeout_prep(req, sqe, false);
5317 case IORING_OP_TIMEOUT_REMOVE:
5318 ret = io_timeout_remove_prep(req, sqe);
5320 case IORING_OP_ASYNC_CANCEL:
5321 ret = io_async_cancel_prep(req, sqe);
5323 case IORING_OP_LINK_TIMEOUT:
5324 ret = io_timeout_prep(req, sqe, true);
5326 case IORING_OP_ACCEPT:
5327 ret = io_accept_prep(req, sqe);
5329 case IORING_OP_FALLOCATE:
5330 ret = io_fallocate_prep(req, sqe);
5332 case IORING_OP_OPENAT:
5333 ret = io_openat_prep(req, sqe);
5335 case IORING_OP_CLOSE:
5336 ret = io_close_prep(req, sqe);
5338 case IORING_OP_FILES_UPDATE:
5339 ret = io_files_update_prep(req, sqe);
5341 case IORING_OP_STATX:
5342 ret = io_statx_prep(req, sqe);
5344 case IORING_OP_FADVISE:
5345 ret = io_fadvise_prep(req, sqe);
5347 case IORING_OP_MADVISE:
5348 ret = io_madvise_prep(req, sqe);
5350 case IORING_OP_OPENAT2:
5351 ret = io_openat2_prep(req, sqe);
5353 case IORING_OP_EPOLL_CTL:
5354 ret = io_epoll_ctl_prep(req, sqe);
5356 case IORING_OP_SPLICE:
5357 ret = io_splice_prep(req, sqe);
5359 case IORING_OP_PROVIDE_BUFFERS:
5360 ret = io_provide_buffers_prep(req, sqe);
5362 case IORING_OP_REMOVE_BUFFERS:
5363 ret = io_remove_buffers_prep(req, sqe);
5366 ret = io_tee_prep(req, sqe);
5369 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5378 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5380 struct io_ring_ctx *ctx = req->ctx;
5383 /* Still need defer if there is pending req in defer list. */
5384 if (!req_need_defer(req) && list_empty_careful(&ctx->defer_list))
5388 if (io_alloc_async_ctx(req))
5390 ret = io_req_defer_prep(req, sqe);
5394 io_prep_async_link(req);
5396 spin_lock_irq(&ctx->completion_lock);
5397 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
5398 spin_unlock_irq(&ctx->completion_lock);
5402 trace_io_uring_defer(ctx, req, req->user_data);
5403 list_add_tail(&req->list, &ctx->defer_list);
5404 spin_unlock_irq(&ctx->completion_lock);
5405 return -EIOCBQUEUED;
5408 static void io_cleanup_req(struct io_kiocb *req)
5410 struct io_async_ctx *io = req->io;
5412 switch (req->opcode) {
5413 case IORING_OP_READV:
5414 case IORING_OP_READ_FIXED:
5415 case IORING_OP_READ:
5416 if (req->flags & REQ_F_BUFFER_SELECTED)
5417 kfree((void *)(unsigned long)req->rw.addr);
5419 case IORING_OP_WRITEV:
5420 case IORING_OP_WRITE_FIXED:
5421 case IORING_OP_WRITE:
5422 if (io->rw.iov != io->rw.fast_iov)
5425 case IORING_OP_RECVMSG:
5426 if (req->flags & REQ_F_BUFFER_SELECTED)
5427 kfree(req->sr_msg.kbuf);
5429 case IORING_OP_SENDMSG:
5430 if (io->msg.iov != io->msg.fast_iov)
5433 case IORING_OP_RECV:
5434 if (req->flags & REQ_F_BUFFER_SELECTED)
5435 kfree(req->sr_msg.kbuf);
5437 case IORING_OP_OPENAT:
5438 case IORING_OP_OPENAT2:
5440 case IORING_OP_SPLICE:
5442 io_put_file(req, req->splice.file_in,
5443 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5447 req->flags &= ~REQ_F_NEED_CLEANUP;
5450 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5451 bool force_nonblock, struct io_comp_state *cs)
5453 struct io_ring_ctx *ctx = req->ctx;
5456 switch (req->opcode) {
5458 ret = io_nop(req, cs);
5460 case IORING_OP_READV:
5461 case IORING_OP_READ_FIXED:
5462 case IORING_OP_READ:
5464 ret = io_read_prep(req, sqe, force_nonblock);
5468 ret = io_read(req, force_nonblock, cs);
5470 case IORING_OP_WRITEV:
5471 case IORING_OP_WRITE_FIXED:
5472 case IORING_OP_WRITE:
5474 ret = io_write_prep(req, sqe, force_nonblock);
5478 ret = io_write(req, force_nonblock, cs);
5480 case IORING_OP_FSYNC:
5482 ret = io_prep_fsync(req, sqe);
5486 ret = io_fsync(req, force_nonblock);
5488 case IORING_OP_POLL_ADD:
5490 ret = io_poll_add_prep(req, sqe);
5494 ret = io_poll_add(req);
5496 case IORING_OP_POLL_REMOVE:
5498 ret = io_poll_remove_prep(req, sqe);
5502 ret = io_poll_remove(req);
5504 case IORING_OP_SYNC_FILE_RANGE:
5506 ret = io_prep_sfr(req, sqe);
5510 ret = io_sync_file_range(req, force_nonblock);
5512 case IORING_OP_SENDMSG:
5513 case IORING_OP_SEND:
5515 ret = io_sendmsg_prep(req, sqe);
5519 if (req->opcode == IORING_OP_SENDMSG)
5520 ret = io_sendmsg(req, force_nonblock, cs);
5522 ret = io_send(req, force_nonblock, cs);
5524 case IORING_OP_RECVMSG:
5525 case IORING_OP_RECV:
5527 ret = io_recvmsg_prep(req, sqe);
5531 if (req->opcode == IORING_OP_RECVMSG)
5532 ret = io_recvmsg(req, force_nonblock, cs);
5534 ret = io_recv(req, force_nonblock, cs);
5536 case IORING_OP_TIMEOUT:
5538 ret = io_timeout_prep(req, sqe, false);
5542 ret = io_timeout(req);
5544 case IORING_OP_TIMEOUT_REMOVE:
5546 ret = io_timeout_remove_prep(req, sqe);
5550 ret = io_timeout_remove(req);
5552 case IORING_OP_ACCEPT:
5554 ret = io_accept_prep(req, sqe);
5558 ret = io_accept(req, force_nonblock, cs);
5560 case IORING_OP_CONNECT:
5562 ret = io_connect_prep(req, sqe);
5566 ret = io_connect(req, force_nonblock, cs);
5568 case IORING_OP_ASYNC_CANCEL:
5570 ret = io_async_cancel_prep(req, sqe);
5574 ret = io_async_cancel(req);
5576 case IORING_OP_FALLOCATE:
5578 ret = io_fallocate_prep(req, sqe);
5582 ret = io_fallocate(req, force_nonblock);
5584 case IORING_OP_OPENAT:
5586 ret = io_openat_prep(req, sqe);
5590 ret = io_openat(req, force_nonblock);
5592 case IORING_OP_CLOSE:
5594 ret = io_close_prep(req, sqe);
5598 ret = io_close(req, force_nonblock, cs);
5600 case IORING_OP_FILES_UPDATE:
5602 ret = io_files_update_prep(req, sqe);
5606 ret = io_files_update(req, force_nonblock, cs);
5608 case IORING_OP_STATX:
5610 ret = io_statx_prep(req, sqe);
5614 ret = io_statx(req, force_nonblock);
5616 case IORING_OP_FADVISE:
5618 ret = io_fadvise_prep(req, sqe);
5622 ret = io_fadvise(req, force_nonblock);
5624 case IORING_OP_MADVISE:
5626 ret = io_madvise_prep(req, sqe);
5630 ret = io_madvise(req, force_nonblock);
5632 case IORING_OP_OPENAT2:
5634 ret = io_openat2_prep(req, sqe);
5638 ret = io_openat2(req, force_nonblock);
5640 case IORING_OP_EPOLL_CTL:
5642 ret = io_epoll_ctl_prep(req, sqe);
5646 ret = io_epoll_ctl(req, force_nonblock, cs);
5648 case IORING_OP_SPLICE:
5650 ret = io_splice_prep(req, sqe);
5654 ret = io_splice(req, force_nonblock);
5656 case IORING_OP_PROVIDE_BUFFERS:
5658 ret = io_provide_buffers_prep(req, sqe);
5662 ret = io_provide_buffers(req, force_nonblock, cs);
5664 case IORING_OP_REMOVE_BUFFERS:
5666 ret = io_remove_buffers_prep(req, sqe);
5670 ret = io_remove_buffers(req, force_nonblock, cs);
5674 ret = io_tee_prep(req, sqe);
5678 ret = io_tee(req, force_nonblock);
5688 /* If the op doesn't have a file, we're not polling for it */
5689 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
5690 const bool in_async = io_wq_current_is_worker();
5692 /* workqueue context doesn't hold uring_lock, grab it now */
5694 mutex_lock(&ctx->uring_lock);
5696 io_iopoll_req_issued(req);
5699 mutex_unlock(&ctx->uring_lock);
5705 static struct io_wq_work *io_wq_submit_work(struct io_wq_work *work)
5707 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5708 struct io_kiocb *timeout;
5711 timeout = io_prep_linked_timeout(req);
5713 io_queue_linked_timeout(timeout);
5715 /* if NO_CANCEL is set, we must still run the work */
5716 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
5717 IO_WQ_WORK_CANCEL) {
5723 ret = io_issue_sqe(req, NULL, false, NULL);
5725 * We can get EAGAIN for polled IO even though we're
5726 * forcing a sync submission from here, since we can't
5727 * wait for request slots on the block side.
5736 req_set_fail_links(req);
5737 io_req_complete(req, ret);
5740 return io_steal_work(req);
5743 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
5746 struct fixed_file_table *table;
5748 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
5749 return table->files[index & IORING_FILE_TABLE_MASK];
5752 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
5753 int fd, struct file **out_file, bool fixed)
5755 struct io_ring_ctx *ctx = req->ctx;
5759 if (unlikely(!ctx->file_data ||
5760 (unsigned) fd >= ctx->nr_user_files))
5762 fd = array_index_nospec(fd, ctx->nr_user_files);
5763 file = io_file_from_index(ctx, fd);
5765 req->fixed_file_refs = ctx->file_data->cur_refs;
5766 percpu_ref_get(req->fixed_file_refs);
5769 trace_io_uring_file_get(ctx, fd);
5770 file = __io_file_get(state, fd);
5773 if (file || io_op_defs[req->opcode].needs_file_no_error) {
5780 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
5785 fixed = (req->flags & REQ_F_FIXED_FILE) != 0;
5786 if (unlikely(!fixed && io_async_submit(req->ctx)))
5789 return io_file_get(state, req, fd, &req->file, fixed);
5792 static int io_grab_files(struct io_kiocb *req)
5795 struct io_ring_ctx *ctx = req->ctx;
5797 if (req->work.files || (req->flags & REQ_F_NO_FILE_TABLE))
5799 if (!ctx->ring_file)
5803 spin_lock_irq(&ctx->inflight_lock);
5805 * We use the f_ops->flush() handler to ensure that we can flush
5806 * out work accessing these files if the fd is closed. Check if
5807 * the fd has changed since we started down this path, and disallow
5808 * this operation if it has.
5810 if (fcheck(ctx->ring_fd) == ctx->ring_file) {
5811 list_add(&req->inflight_entry, &ctx->inflight_list);
5812 req->flags |= REQ_F_INFLIGHT;
5813 req->work.files = current->files;
5816 spin_unlock_irq(&ctx->inflight_lock);
5822 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
5824 struct io_timeout_data *data = container_of(timer,
5825 struct io_timeout_data, timer);
5826 struct io_kiocb *req = data->req;
5827 struct io_ring_ctx *ctx = req->ctx;
5828 struct io_kiocb *prev = NULL;
5829 unsigned long flags;
5831 spin_lock_irqsave(&ctx->completion_lock, flags);
5834 * We don't expect the list to be empty, that will only happen if we
5835 * race with the completion of the linked work.
5837 if (!list_empty(&req->link_list)) {
5838 prev = list_entry(req->link_list.prev, struct io_kiocb,
5840 if (refcount_inc_not_zero(&prev->refs)) {
5841 list_del_init(&req->link_list);
5842 prev->flags &= ~REQ_F_LINK_TIMEOUT;
5847 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5850 req_set_fail_links(prev);
5851 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
5854 io_req_complete(req, -ETIME);
5856 return HRTIMER_NORESTART;
5859 static void io_queue_linked_timeout(struct io_kiocb *req)
5861 struct io_ring_ctx *ctx = req->ctx;
5864 * If the list is now empty, then our linked request finished before
5865 * we got a chance to setup the timer
5867 spin_lock_irq(&ctx->completion_lock);
5868 if (!list_empty(&req->link_list)) {
5869 struct io_timeout_data *data = &req->io->timeout;
5871 data->timer.function = io_link_timeout_fn;
5872 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
5875 spin_unlock_irq(&ctx->completion_lock);
5877 /* drop submission reference */
5881 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
5883 struct io_kiocb *nxt;
5885 if (!(req->flags & REQ_F_LINK_HEAD))
5887 if (req->flags & REQ_F_LINK_TIMEOUT)
5890 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
5892 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
5895 req->flags |= REQ_F_LINK_TIMEOUT;
5899 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5900 struct io_comp_state *cs)
5902 struct io_kiocb *linked_timeout;
5903 struct io_kiocb *nxt;
5904 const struct cred *old_creds = NULL;
5908 linked_timeout = io_prep_linked_timeout(req);
5910 if ((req->flags & REQ_F_WORK_INITIALIZED) && req->work.creds &&
5911 req->work.creds != current_cred()) {
5913 revert_creds(old_creds);
5914 if (old_creds == req->work.creds)
5915 old_creds = NULL; /* restored original creds */
5917 old_creds = override_creds(req->work.creds);
5920 ret = io_issue_sqe(req, sqe, true, cs);
5923 * We async punt it if the file wasn't marked NOWAIT, or if the file
5924 * doesn't support non-blocking read/write attempts
5926 if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
5927 if (io_arm_poll_handler(req)) {
5929 io_queue_linked_timeout(linked_timeout);
5933 io_req_init_async(req);
5935 if (io_op_defs[req->opcode].file_table) {
5936 ret = io_grab_files(req);
5942 * Queued up for async execution, worker will release
5943 * submit reference when the iocb is actually submitted.
5945 io_queue_async_work(req);
5949 if (unlikely(ret)) {
5951 /* un-prep timeout, so it'll be killed as any other linked */
5952 req->flags &= ~REQ_F_LINK_TIMEOUT;
5953 req_set_fail_links(req);
5955 io_req_complete(req, ret);
5959 /* drop submission reference */
5960 nxt = io_put_req_find_next(req);
5962 io_queue_linked_timeout(linked_timeout);
5967 if (req->flags & REQ_F_FORCE_ASYNC)
5973 revert_creds(old_creds);
5976 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5977 struct io_comp_state *cs)
5981 ret = io_req_defer(req, sqe);
5983 if (ret != -EIOCBQUEUED) {
5985 req_set_fail_links(req);
5987 io_req_complete(req, ret);
5989 } else if (req->flags & REQ_F_FORCE_ASYNC) {
5992 if (io_alloc_async_ctx(req))
5994 ret = io_req_defer_prep(req, sqe);
5995 if (unlikely(ret < 0))
6000 * Never try inline submit of IOSQE_ASYNC is set, go straight
6001 * to async execution.
6003 req->work.flags |= IO_WQ_WORK_CONCURRENT;
6004 io_queue_async_work(req);
6006 __io_queue_sqe(req, sqe, cs);
6010 static inline void io_queue_link_head(struct io_kiocb *req,
6011 struct io_comp_state *cs)
6013 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
6015 io_req_complete(req, -ECANCELED);
6017 io_queue_sqe(req, NULL, cs);
6020 static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6021 struct io_kiocb **link, struct io_comp_state *cs)
6023 struct io_ring_ctx *ctx = req->ctx;
6027 * If we already have a head request, queue this one for async
6028 * submittal once the head completes. If we don't have a head but
6029 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
6030 * submitted sync once the chain is complete. If none of those
6031 * conditions are true (normal request), then just queue it.
6034 struct io_kiocb *head = *link;
6037 * Taking sequential execution of a link, draining both sides
6038 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
6039 * requests in the link. So, it drains the head and the
6040 * next after the link request. The last one is done via
6041 * drain_next flag to persist the effect across calls.
6043 if (req->flags & REQ_F_IO_DRAIN) {
6044 head->flags |= REQ_F_IO_DRAIN;
6045 ctx->drain_next = 1;
6047 if (io_alloc_async_ctx(req))
6050 ret = io_req_defer_prep(req, sqe);
6052 /* fail even hard links since we don't submit */
6053 head->flags |= REQ_F_FAIL_LINK;
6056 trace_io_uring_link(ctx, req, head);
6057 io_get_req_task(req);
6058 list_add_tail(&req->link_list, &head->link_list);
6060 /* last request of a link, enqueue the link */
6061 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
6062 io_queue_link_head(head, cs);
6066 if (unlikely(ctx->drain_next)) {
6067 req->flags |= REQ_F_IO_DRAIN;
6068 ctx->drain_next = 0;
6070 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
6071 req->flags |= REQ_F_LINK_HEAD;
6072 INIT_LIST_HEAD(&req->link_list);
6074 if (io_alloc_async_ctx(req))
6077 ret = io_req_defer_prep(req, sqe);
6079 req->flags |= REQ_F_FAIL_LINK;
6082 io_queue_sqe(req, sqe, cs);
6090 * Batched submission is done, ensure local IO is flushed out.
6092 static void io_submit_state_end(struct io_submit_state *state)
6094 if (!list_empty(&state->comp.list))
6095 io_submit_flush_completions(&state->comp);
6096 blk_finish_plug(&state->plug);
6097 io_state_file_put(state);
6098 if (state->free_reqs)
6099 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
6103 * Start submission side cache.
6105 static void io_submit_state_start(struct io_submit_state *state,
6106 struct io_ring_ctx *ctx, unsigned int max_ios)
6108 blk_start_plug(&state->plug);
6110 state->plug.nowait = true;
6113 INIT_LIST_HEAD(&state->comp.list);
6114 state->comp.ctx = ctx;
6115 state->free_reqs = 0;
6117 state->ios_left = max_ios;
6120 static void io_commit_sqring(struct io_ring_ctx *ctx)
6122 struct io_rings *rings = ctx->rings;
6125 * Ensure any loads from the SQEs are done at this point,
6126 * since once we write the new head, the application could
6127 * write new data to them.
6129 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
6133 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
6134 * that is mapped by userspace. This means that care needs to be taken to
6135 * ensure that reads are stable, as we cannot rely on userspace always
6136 * being a good citizen. If members of the sqe are validated and then later
6137 * used, it's important that those reads are done through READ_ONCE() to
6138 * prevent a re-load down the line.
6140 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
6142 u32 *sq_array = ctx->sq_array;
6146 * The cached sq head (or cq tail) serves two purposes:
6148 * 1) allows us to batch the cost of updating the user visible
6150 * 2) allows the kernel side to track the head on its own, even
6151 * though the application is the one updating it.
6153 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
6154 if (likely(head < ctx->sq_entries))
6155 return &ctx->sq_sqes[head];
6157 /* drop invalid entries */
6158 ctx->cached_sq_dropped++;
6159 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
6163 static inline void io_consume_sqe(struct io_ring_ctx *ctx)
6165 ctx->cached_sq_head++;
6168 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
6169 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
6170 IOSQE_BUFFER_SELECT)
6172 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
6173 const struct io_uring_sqe *sqe,
6174 struct io_submit_state *state)
6176 unsigned int sqe_flags;
6180 * All io need record the previous position, if LINK vs DARIN,
6181 * it can be used to mark the position of the first IO in the
6184 req->sequence = ctx->cached_sq_head - ctx->cached_sq_dropped;
6185 req->opcode = READ_ONCE(sqe->opcode);
6186 req->user_data = READ_ONCE(sqe->user_data);
6191 /* one is dropped after submission, the other at completion */
6192 refcount_set(&req->refs, 2);
6193 req->task = current;
6196 if (unlikely(req->opcode >= IORING_OP_LAST))
6199 if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
6202 sqe_flags = READ_ONCE(sqe->flags);
6203 /* enforce forwards compatibility on users */
6204 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
6207 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
6208 !io_op_defs[req->opcode].buffer_select)
6211 id = READ_ONCE(sqe->personality);
6213 io_req_init_async(req);
6214 req->work.creds = idr_find(&ctx->personality_idr, id);
6215 if (unlikely(!req->work.creds))
6217 get_cred(req->work.creds);
6220 /* same numerical values with corresponding REQ_F_*, safe to copy */
6221 req->flags |= sqe_flags;
6223 if (!io_op_defs[req->opcode].needs_file)
6226 return io_req_set_file(state, req, READ_ONCE(sqe->fd));
6229 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
6230 struct file *ring_file, int ring_fd)
6232 struct io_submit_state state;
6233 struct io_kiocb *link = NULL;
6234 int i, submitted = 0;
6236 /* if we have a backlog and couldn't flush it all, return BUSY */
6237 if (test_bit(0, &ctx->sq_check_overflow)) {
6238 if (!list_empty(&ctx->cq_overflow_list) &&
6239 !io_cqring_overflow_flush(ctx, false))
6243 /* make sure SQ entry isn't read before tail */
6244 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
6246 if (!percpu_ref_tryget_many(&ctx->refs, nr))
6249 io_submit_state_start(&state, ctx, nr);
6251 ctx->ring_fd = ring_fd;
6252 ctx->ring_file = ring_file;
6254 for (i = 0; i < nr; i++) {
6255 const struct io_uring_sqe *sqe;
6256 struct io_kiocb *req;
6259 sqe = io_get_sqe(ctx);
6260 if (unlikely(!sqe)) {
6261 io_consume_sqe(ctx);
6264 req = io_alloc_req(ctx, &state);
6265 if (unlikely(!req)) {
6267 submitted = -EAGAIN;
6271 err = io_init_req(ctx, req, sqe, &state);
6272 io_consume_sqe(ctx);
6273 /* will complete beyond this point, count as submitted */
6276 if (unlikely(err)) {
6279 io_req_complete(req, err);
6283 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
6284 true, io_async_submit(ctx));
6285 err = io_submit_sqe(req, sqe, &link, &state.comp);
6290 if (unlikely(submitted != nr)) {
6291 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
6293 percpu_ref_put_many(&ctx->refs, nr - ref_used);
6296 io_queue_link_head(link, &state.comp);
6297 io_submit_state_end(&state);
6299 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6300 io_commit_sqring(ctx);
6305 static int io_sq_thread(void *data)
6307 struct io_ring_ctx *ctx = data;
6308 const struct cred *old_cred;
6310 unsigned long timeout;
6313 complete(&ctx->sq_thread_comp);
6315 old_cred = override_creds(ctx->creds);
6317 timeout = jiffies + ctx->sq_thread_idle;
6318 while (!kthread_should_park()) {
6319 unsigned int to_submit;
6321 if (!list_empty(&ctx->poll_list)) {
6322 unsigned nr_events = 0;
6324 mutex_lock(&ctx->uring_lock);
6325 if (!list_empty(&ctx->poll_list) && !need_resched())
6326 io_do_iopoll(ctx, &nr_events, 0);
6328 timeout = jiffies + ctx->sq_thread_idle;
6329 mutex_unlock(&ctx->uring_lock);
6332 to_submit = io_sqring_entries(ctx);
6335 * If submit got -EBUSY, flag us as needing the application
6336 * to enter the kernel to reap and flush events.
6338 if (!to_submit || ret == -EBUSY || need_resched()) {
6340 * Drop cur_mm before scheduling, we can't hold it for
6341 * long periods (or over schedule()). Do this before
6342 * adding ourselves to the waitqueue, as the unuse/drop
6345 io_sq_thread_drop_mm(ctx);
6348 * We're polling. If we're within the defined idle
6349 * period, then let us spin without work before going
6350 * to sleep. The exception is if we got EBUSY doing
6351 * more IO, we should wait for the application to
6352 * reap events and wake us up.
6354 if (!list_empty(&ctx->poll_list) || need_resched() ||
6355 (!time_after(jiffies, timeout) && ret != -EBUSY &&
6356 !percpu_ref_is_dying(&ctx->refs))) {
6362 prepare_to_wait(&ctx->sqo_wait, &wait,
6363 TASK_INTERRUPTIBLE);
6366 * While doing polled IO, before going to sleep, we need
6367 * to check if there are new reqs added to poll_list, it
6368 * is because reqs may have been punted to io worker and
6369 * will be added to poll_list later, hence check the
6372 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6373 !list_empty_careful(&ctx->poll_list)) {
6374 finish_wait(&ctx->sqo_wait, &wait);
6378 /* Tell userspace we may need a wakeup call */
6379 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6380 /* make sure to read SQ tail after writing flags */
6383 to_submit = io_sqring_entries(ctx);
6384 if (!to_submit || ret == -EBUSY) {
6385 if (kthread_should_park()) {
6386 finish_wait(&ctx->sqo_wait, &wait);
6389 if (io_run_task_work()) {
6390 finish_wait(&ctx->sqo_wait, &wait);
6393 if (signal_pending(current))
6394 flush_signals(current);
6396 finish_wait(&ctx->sqo_wait, &wait);
6398 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6402 finish_wait(&ctx->sqo_wait, &wait);
6404 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6407 mutex_lock(&ctx->uring_lock);
6408 if (likely(!percpu_ref_is_dying(&ctx->refs)))
6409 ret = io_submit_sqes(ctx, to_submit, NULL, -1);
6410 mutex_unlock(&ctx->uring_lock);
6411 timeout = jiffies + ctx->sq_thread_idle;
6416 io_sq_thread_drop_mm(ctx);
6417 revert_creds(old_cred);
6424 struct io_wait_queue {
6425 struct wait_queue_entry wq;
6426 struct io_ring_ctx *ctx;
6428 unsigned nr_timeouts;
6431 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
6433 struct io_ring_ctx *ctx = iowq->ctx;
6436 * Wake up if we have enough events, or if a timeout occurred since we
6437 * started waiting. For timeouts, we always want to return to userspace,
6438 * regardless of event count.
6440 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
6441 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6444 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6445 int wake_flags, void *key)
6447 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6450 /* use noflush == true, as we can't safely rely on locking context */
6451 if (!io_should_wake(iowq, true))
6454 return autoremove_wake_function(curr, mode, wake_flags, key);
6458 * Wait until events become available, if we don't already have some. The
6459 * application must reap them itself, as they reside on the shared cq ring.
6461 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6462 const sigset_t __user *sig, size_t sigsz)
6464 struct io_wait_queue iowq = {
6467 .func = io_wake_function,
6468 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6471 .to_wait = min_events,
6473 struct io_rings *rings = ctx->rings;
6477 if (io_cqring_events(ctx, false) >= min_events)
6479 if (!io_run_task_work())
6484 #ifdef CONFIG_COMPAT
6485 if (in_compat_syscall())
6486 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6490 ret = set_user_sigmask(sig, sigsz);
6496 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6497 trace_io_uring_cqring_wait(ctx, min_events);
6499 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6500 TASK_INTERRUPTIBLE);
6501 /* make sure we run task_work before checking for signals */
6502 if (io_run_task_work())
6504 if (signal_pending(current)) {
6505 if (current->jobctl & JOBCTL_TASK_WORK) {
6506 spin_lock_irq(¤t->sighand->siglock);
6507 current->jobctl &= ~JOBCTL_TASK_WORK;
6508 recalc_sigpending();
6509 spin_unlock_irq(¤t->sighand->siglock);
6515 if (io_should_wake(&iowq, false))
6519 finish_wait(&ctx->wait, &iowq.wq);
6521 restore_saved_sigmask_unless(ret == -EINTR);
6523 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6526 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6528 #if defined(CONFIG_UNIX)
6529 if (ctx->ring_sock) {
6530 struct sock *sock = ctx->ring_sock->sk;
6531 struct sk_buff *skb;
6533 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6539 for (i = 0; i < ctx->nr_user_files; i++) {
6542 file = io_file_from_index(ctx, i);
6549 static void io_file_ref_kill(struct percpu_ref *ref)
6551 struct fixed_file_data *data;
6553 data = container_of(ref, struct fixed_file_data, refs);
6554 complete(&data->done);
6557 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
6559 struct fixed_file_data *data = ctx->file_data;
6560 struct fixed_file_ref_node *ref_node = NULL;
6561 unsigned nr_tables, i;
6566 spin_lock(&data->lock);
6567 if (!list_empty(&data->ref_list))
6568 ref_node = list_first_entry(&data->ref_list,
6569 struct fixed_file_ref_node, node);
6570 spin_unlock(&data->lock);
6572 percpu_ref_kill(&ref_node->refs);
6574 percpu_ref_kill(&data->refs);
6576 /* wait for all refs nodes to complete */
6577 flush_delayed_work(&ctx->file_put_work);
6578 wait_for_completion(&data->done);
6580 __io_sqe_files_unregister(ctx);
6581 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
6582 for (i = 0; i < nr_tables; i++)
6583 kfree(data->table[i].files);
6585 percpu_ref_exit(&data->refs);
6587 ctx->file_data = NULL;
6588 ctx->nr_user_files = 0;
6592 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
6594 if (ctx->sqo_thread) {
6595 wait_for_completion(&ctx->sq_thread_comp);
6597 * The park is a bit of a work-around, without it we get
6598 * warning spews on shutdown with SQPOLL set and affinity
6599 * set to a single CPU.
6601 kthread_park(ctx->sqo_thread);
6602 kthread_stop(ctx->sqo_thread);
6603 ctx->sqo_thread = NULL;
6607 static void io_finish_async(struct io_ring_ctx *ctx)
6609 io_sq_thread_stop(ctx);
6612 io_wq_destroy(ctx->io_wq);
6617 #if defined(CONFIG_UNIX)
6619 * Ensure the UNIX gc is aware of our file set, so we are certain that
6620 * the io_uring can be safely unregistered on process exit, even if we have
6621 * loops in the file referencing.
6623 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
6625 struct sock *sk = ctx->ring_sock->sk;
6626 struct scm_fp_list *fpl;
6627 struct sk_buff *skb;
6630 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
6634 skb = alloc_skb(0, GFP_KERNEL);
6643 fpl->user = get_uid(ctx->user);
6644 for (i = 0; i < nr; i++) {
6645 struct file *file = io_file_from_index(ctx, i + offset);
6649 fpl->fp[nr_files] = get_file(file);
6650 unix_inflight(fpl->user, fpl->fp[nr_files]);
6655 fpl->max = SCM_MAX_FD;
6656 fpl->count = nr_files;
6657 UNIXCB(skb).fp = fpl;
6658 skb->destructor = unix_destruct_scm;
6659 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
6660 skb_queue_head(&sk->sk_receive_queue, skb);
6662 for (i = 0; i < nr_files; i++)
6673 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
6674 * causes regular reference counting to break down. We rely on the UNIX
6675 * garbage collection to take care of this problem for us.
6677 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6679 unsigned left, total;
6683 left = ctx->nr_user_files;
6685 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6687 ret = __io_sqe_files_scm(ctx, this_files, total);
6691 total += this_files;
6697 while (total < ctx->nr_user_files) {
6698 struct file *file = io_file_from_index(ctx, total);
6708 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6714 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
6719 for (i = 0; i < nr_tables; i++) {
6720 struct fixed_file_table *table = &ctx->file_data->table[i];
6721 unsigned this_files;
6723 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
6724 table->files = kcalloc(this_files, sizeof(struct file *),
6728 nr_files -= this_files;
6734 for (i = 0; i < nr_tables; i++) {
6735 struct fixed_file_table *table = &ctx->file_data->table[i];
6736 kfree(table->files);
6741 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
6743 #if defined(CONFIG_UNIX)
6744 struct sock *sock = ctx->ring_sock->sk;
6745 struct sk_buff_head list, *head = &sock->sk_receive_queue;
6746 struct sk_buff *skb;
6749 __skb_queue_head_init(&list);
6752 * Find the skb that holds this file in its SCM_RIGHTS. When found,
6753 * remove this entry and rearrange the file array.
6755 skb = skb_dequeue(head);
6757 struct scm_fp_list *fp;
6759 fp = UNIXCB(skb).fp;
6760 for (i = 0; i < fp->count; i++) {
6763 if (fp->fp[i] != file)
6766 unix_notinflight(fp->user, fp->fp[i]);
6767 left = fp->count - 1 - i;
6769 memmove(&fp->fp[i], &fp->fp[i + 1],
6770 left * sizeof(struct file *));
6777 __skb_queue_tail(&list, skb);
6787 __skb_queue_tail(&list, skb);
6789 skb = skb_dequeue(head);
6792 if (skb_peek(&list)) {
6793 spin_lock_irq(&head->lock);
6794 while ((skb = __skb_dequeue(&list)) != NULL)
6795 __skb_queue_tail(head, skb);
6796 spin_unlock_irq(&head->lock);
6803 struct io_file_put {
6804 struct list_head list;
6808 static void __io_file_put_work(struct fixed_file_ref_node *ref_node)
6810 struct fixed_file_data *file_data = ref_node->file_data;
6811 struct io_ring_ctx *ctx = file_data->ctx;
6812 struct io_file_put *pfile, *tmp;
6814 list_for_each_entry_safe(pfile, tmp, &ref_node->file_list, list) {
6815 list_del(&pfile->list);
6816 io_ring_file_put(ctx, pfile->file);
6820 spin_lock(&file_data->lock);
6821 list_del(&ref_node->node);
6822 spin_unlock(&file_data->lock);
6824 percpu_ref_exit(&ref_node->refs);
6826 percpu_ref_put(&file_data->refs);
6829 static void io_file_put_work(struct work_struct *work)
6831 struct io_ring_ctx *ctx;
6832 struct llist_node *node;
6834 ctx = container_of(work, struct io_ring_ctx, file_put_work.work);
6835 node = llist_del_all(&ctx->file_put_llist);
6838 struct fixed_file_ref_node *ref_node;
6839 struct llist_node *next = node->next;
6841 ref_node = llist_entry(node, struct fixed_file_ref_node, llist);
6842 __io_file_put_work(ref_node);
6847 static void io_file_data_ref_zero(struct percpu_ref *ref)
6849 struct fixed_file_ref_node *ref_node;
6850 struct io_ring_ctx *ctx;
6854 ref_node = container_of(ref, struct fixed_file_ref_node, refs);
6855 ctx = ref_node->file_data->ctx;
6857 if (percpu_ref_is_dying(&ctx->file_data->refs))
6860 first_add = llist_add(&ref_node->llist, &ctx->file_put_llist);
6862 mod_delayed_work(system_wq, &ctx->file_put_work, 0);
6864 queue_delayed_work(system_wq, &ctx->file_put_work, delay);
6867 static struct fixed_file_ref_node *alloc_fixed_file_ref_node(
6868 struct io_ring_ctx *ctx)
6870 struct fixed_file_ref_node *ref_node;
6872 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
6874 return ERR_PTR(-ENOMEM);
6876 if (percpu_ref_init(&ref_node->refs, io_file_data_ref_zero,
6879 return ERR_PTR(-ENOMEM);
6881 INIT_LIST_HEAD(&ref_node->node);
6882 INIT_LIST_HEAD(&ref_node->file_list);
6883 ref_node->file_data = ctx->file_data;
6887 static void destroy_fixed_file_ref_node(struct fixed_file_ref_node *ref_node)
6889 percpu_ref_exit(&ref_node->refs);
6893 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
6896 __s32 __user *fds = (__s32 __user *) arg;
6901 struct fixed_file_ref_node *ref_node;
6907 if (nr_args > IORING_MAX_FIXED_FILES)
6910 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
6911 if (!ctx->file_data)
6913 ctx->file_data->ctx = ctx;
6914 init_completion(&ctx->file_data->done);
6915 INIT_LIST_HEAD(&ctx->file_data->ref_list);
6916 spin_lock_init(&ctx->file_data->lock);
6918 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
6919 ctx->file_data->table = kcalloc(nr_tables,
6920 sizeof(struct fixed_file_table),
6922 if (!ctx->file_data->table) {
6923 kfree(ctx->file_data);
6924 ctx->file_data = NULL;
6928 if (percpu_ref_init(&ctx->file_data->refs, io_file_ref_kill,
6929 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
6930 kfree(ctx->file_data->table);
6931 kfree(ctx->file_data);
6932 ctx->file_data = NULL;
6936 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
6937 percpu_ref_exit(&ctx->file_data->refs);
6938 kfree(ctx->file_data->table);
6939 kfree(ctx->file_data);
6940 ctx->file_data = NULL;
6944 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
6945 struct fixed_file_table *table;
6949 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
6951 /* allow sparse sets */
6957 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6958 index = i & IORING_FILE_TABLE_MASK;
6966 * Don't allow io_uring instances to be registered. If UNIX
6967 * isn't enabled, then this causes a reference cycle and this
6968 * instance can never get freed. If UNIX is enabled we'll
6969 * handle it just fine, but there's still no point in allowing
6970 * a ring fd as it doesn't support regular read/write anyway.
6972 if (file->f_op == &io_uring_fops) {
6977 table->files[index] = file;
6981 for (i = 0; i < ctx->nr_user_files; i++) {
6982 file = io_file_from_index(ctx, i);
6986 for (i = 0; i < nr_tables; i++)
6987 kfree(ctx->file_data->table[i].files);
6989 kfree(ctx->file_data->table);
6990 kfree(ctx->file_data);
6991 ctx->file_data = NULL;
6992 ctx->nr_user_files = 0;
6996 ret = io_sqe_files_scm(ctx);
6998 io_sqe_files_unregister(ctx);
7002 ref_node = alloc_fixed_file_ref_node(ctx);
7003 if (IS_ERR(ref_node)) {
7004 io_sqe_files_unregister(ctx);
7005 return PTR_ERR(ref_node);
7008 ctx->file_data->cur_refs = &ref_node->refs;
7009 spin_lock(&ctx->file_data->lock);
7010 list_add(&ref_node->node, &ctx->file_data->ref_list);
7011 spin_unlock(&ctx->file_data->lock);
7012 percpu_ref_get(&ctx->file_data->refs);
7016 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
7019 #if defined(CONFIG_UNIX)
7020 struct sock *sock = ctx->ring_sock->sk;
7021 struct sk_buff_head *head = &sock->sk_receive_queue;
7022 struct sk_buff *skb;
7025 * See if we can merge this file into an existing skb SCM_RIGHTS
7026 * file set. If there's no room, fall back to allocating a new skb
7027 * and filling it in.
7029 spin_lock_irq(&head->lock);
7030 skb = skb_peek(head);
7032 struct scm_fp_list *fpl = UNIXCB(skb).fp;
7034 if (fpl->count < SCM_MAX_FD) {
7035 __skb_unlink(skb, head);
7036 spin_unlock_irq(&head->lock);
7037 fpl->fp[fpl->count] = get_file(file);
7038 unix_inflight(fpl->user, fpl->fp[fpl->count]);
7040 spin_lock_irq(&head->lock);
7041 __skb_queue_head(head, skb);
7046 spin_unlock_irq(&head->lock);
7053 return __io_sqe_files_scm(ctx, 1, index);
7059 static int io_queue_file_removal(struct fixed_file_data *data,
7062 struct io_file_put *pfile;
7063 struct percpu_ref *refs = data->cur_refs;
7064 struct fixed_file_ref_node *ref_node;
7066 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
7070 ref_node = container_of(refs, struct fixed_file_ref_node, refs);
7072 list_add(&pfile->list, &ref_node->file_list);
7077 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
7078 struct io_uring_files_update *up,
7081 struct fixed_file_data *data = ctx->file_data;
7082 struct fixed_file_ref_node *ref_node;
7087 bool needs_switch = false;
7089 if (check_add_overflow(up->offset, nr_args, &done))
7091 if (done > ctx->nr_user_files)
7094 ref_node = alloc_fixed_file_ref_node(ctx);
7095 if (IS_ERR(ref_node))
7096 return PTR_ERR(ref_node);
7099 fds = u64_to_user_ptr(up->fds);
7101 struct fixed_file_table *table;
7105 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
7109 i = array_index_nospec(up->offset, ctx->nr_user_files);
7110 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7111 index = i & IORING_FILE_TABLE_MASK;
7112 if (table->files[index]) {
7113 file = io_file_from_index(ctx, index);
7114 err = io_queue_file_removal(data, file);
7117 table->files[index] = NULL;
7118 needs_switch = true;
7127 * Don't allow io_uring instances to be registered. If
7128 * UNIX isn't enabled, then this causes a reference
7129 * cycle and this instance can never get freed. If UNIX
7130 * is enabled we'll handle it just fine, but there's
7131 * still no point in allowing a ring fd as it doesn't
7132 * support regular read/write anyway.
7134 if (file->f_op == &io_uring_fops) {
7139 table->files[index] = file;
7140 err = io_sqe_file_register(ctx, file, i);
7150 percpu_ref_kill(data->cur_refs);
7151 spin_lock(&data->lock);
7152 list_add(&ref_node->node, &data->ref_list);
7153 data->cur_refs = &ref_node->refs;
7154 spin_unlock(&data->lock);
7155 percpu_ref_get(&ctx->file_data->refs);
7157 destroy_fixed_file_ref_node(ref_node);
7159 return done ? done : err;
7162 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
7165 struct io_uring_files_update up;
7167 if (!ctx->file_data)
7171 if (copy_from_user(&up, arg, sizeof(up)))
7176 return __io_sqe_files_update(ctx, &up, nr_args);
7179 static void io_free_work(struct io_wq_work *work)
7181 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7183 /* Consider that io_steal_work() relies on this ref */
7187 static int io_init_wq_offload(struct io_ring_ctx *ctx,
7188 struct io_uring_params *p)
7190 struct io_wq_data data;
7192 struct io_ring_ctx *ctx_attach;
7193 unsigned int concurrency;
7196 data.user = ctx->user;
7197 data.free_work = io_free_work;
7198 data.do_work = io_wq_submit_work;
7200 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
7201 /* Do QD, or 4 * CPUS, whatever is smallest */
7202 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
7204 ctx->io_wq = io_wq_create(concurrency, &data);
7205 if (IS_ERR(ctx->io_wq)) {
7206 ret = PTR_ERR(ctx->io_wq);
7212 f = fdget(p->wq_fd);
7216 if (f.file->f_op != &io_uring_fops) {
7221 ctx_attach = f.file->private_data;
7222 /* @io_wq is protected by holding the fd */
7223 if (!io_wq_get(ctx_attach->io_wq, &data)) {
7228 ctx->io_wq = ctx_attach->io_wq;
7234 static int io_sq_offload_start(struct io_ring_ctx *ctx,
7235 struct io_uring_params *p)
7239 if (ctx->flags & IORING_SETUP_SQPOLL) {
7240 mmgrab(current->mm);
7241 ctx->sqo_mm = current->mm;
7244 if (!capable(CAP_SYS_ADMIN))
7247 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
7248 if (!ctx->sq_thread_idle)
7249 ctx->sq_thread_idle = HZ;
7251 if (p->flags & IORING_SETUP_SQ_AFF) {
7252 int cpu = p->sq_thread_cpu;
7255 if (cpu >= nr_cpu_ids)
7257 if (!cpu_online(cpu))
7260 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
7264 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
7267 if (IS_ERR(ctx->sqo_thread)) {
7268 ret = PTR_ERR(ctx->sqo_thread);
7269 ctx->sqo_thread = NULL;
7272 wake_up_process(ctx->sqo_thread);
7273 } else if (p->flags & IORING_SETUP_SQ_AFF) {
7274 /* Can't have SQ_AFF without SQPOLL */
7279 ret = io_init_wq_offload(ctx, p);
7285 io_finish_async(ctx);
7287 mmdrop(ctx->sqo_mm);
7293 static inline void __io_unaccount_mem(struct user_struct *user,
7294 unsigned long nr_pages)
7296 atomic_long_sub(nr_pages, &user->locked_vm);
7299 static inline int __io_account_mem(struct user_struct *user,
7300 unsigned long nr_pages)
7302 unsigned long page_limit, cur_pages, new_pages;
7304 /* Don't allow more pages than we can safely lock */
7305 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7308 cur_pages = atomic_long_read(&user->locked_vm);
7309 new_pages = cur_pages + nr_pages;
7310 if (new_pages > page_limit)
7312 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7313 new_pages) != cur_pages);
7318 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7319 enum io_mem_account acct)
7322 __io_unaccount_mem(ctx->user, nr_pages);
7325 if (acct == ACCT_LOCKED)
7326 ctx->sqo_mm->locked_vm -= nr_pages;
7327 else if (acct == ACCT_PINNED)
7328 atomic64_sub(nr_pages, &ctx->sqo_mm->pinned_vm);
7332 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7333 enum io_mem_account acct)
7337 if (ctx->limit_mem) {
7338 ret = __io_account_mem(ctx->user, nr_pages);
7344 if (acct == ACCT_LOCKED)
7345 ctx->sqo_mm->locked_vm += nr_pages;
7346 else if (acct == ACCT_PINNED)
7347 atomic64_add(nr_pages, &ctx->sqo_mm->pinned_vm);
7353 static void io_mem_free(void *ptr)
7360 page = virt_to_head_page(ptr);
7361 if (put_page_testzero(page))
7362 free_compound_page(page);
7365 static void *io_mem_alloc(size_t size)
7367 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7370 return (void *) __get_free_pages(gfp_flags, get_order(size));
7373 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7376 struct io_rings *rings;
7377 size_t off, sq_array_size;
7379 off = struct_size(rings, cqes, cq_entries);
7380 if (off == SIZE_MAX)
7384 off = ALIGN(off, SMP_CACHE_BYTES);
7389 sq_array_size = array_size(sizeof(u32), sq_entries);
7390 if (sq_array_size == SIZE_MAX)
7393 if (check_add_overflow(off, sq_array_size, &off))
7402 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
7406 pages = (size_t)1 << get_order(
7407 rings_size(sq_entries, cq_entries, NULL));
7408 pages += (size_t)1 << get_order(
7409 array_size(sizeof(struct io_uring_sqe), sq_entries));
7414 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
7418 if (!ctx->user_bufs)
7421 for (i = 0; i < ctx->nr_user_bufs; i++) {
7422 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7424 for (j = 0; j < imu->nr_bvecs; j++)
7425 unpin_user_page(imu->bvec[j].bv_page);
7427 io_unaccount_mem(ctx, imu->nr_bvecs, ACCT_PINNED);
7432 kfree(ctx->user_bufs);
7433 ctx->user_bufs = NULL;
7434 ctx->nr_user_bufs = 0;
7438 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
7439 void __user *arg, unsigned index)
7441 struct iovec __user *src;
7443 #ifdef CONFIG_COMPAT
7445 struct compat_iovec __user *ciovs;
7446 struct compat_iovec ciov;
7448 ciovs = (struct compat_iovec __user *) arg;
7449 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
7452 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
7453 dst->iov_len = ciov.iov_len;
7457 src = (struct iovec __user *) arg;
7458 if (copy_from_user(dst, &src[index], sizeof(*dst)))
7463 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
7466 struct vm_area_struct **vmas = NULL;
7467 struct page **pages = NULL;
7468 int i, j, got_pages = 0;
7473 if (!nr_args || nr_args > UIO_MAXIOV)
7476 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
7478 if (!ctx->user_bufs)
7481 for (i = 0; i < nr_args; i++) {
7482 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7483 unsigned long off, start, end, ubuf;
7488 ret = io_copy_iov(ctx, &iov, arg, i);
7493 * Don't impose further limits on the size and buffer
7494 * constraints here, we'll -EINVAL later when IO is
7495 * submitted if they are wrong.
7498 if (!iov.iov_base || !iov.iov_len)
7501 /* arbitrary limit, but we need something */
7502 if (iov.iov_len > SZ_1G)
7505 ubuf = (unsigned long) iov.iov_base;
7506 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
7507 start = ubuf >> PAGE_SHIFT;
7508 nr_pages = end - start;
7510 ret = io_account_mem(ctx, nr_pages, ACCT_PINNED);
7515 if (!pages || nr_pages > got_pages) {
7518 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
7520 vmas = kvmalloc_array(nr_pages,
7521 sizeof(struct vm_area_struct *),
7523 if (!pages || !vmas) {
7525 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7528 got_pages = nr_pages;
7531 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
7535 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7540 mmap_read_lock(current->mm);
7541 pret = pin_user_pages(ubuf, nr_pages,
7542 FOLL_WRITE | FOLL_LONGTERM,
7544 if (pret == nr_pages) {
7545 /* don't support file backed memory */
7546 for (j = 0; j < nr_pages; j++) {
7547 struct vm_area_struct *vma = vmas[j];
7550 !is_file_hugepages(vma->vm_file)) {
7556 ret = pret < 0 ? pret : -EFAULT;
7558 mmap_read_unlock(current->mm);
7561 * if we did partial map, or found file backed vmas,
7562 * release any pages we did get
7565 unpin_user_pages(pages, pret);
7566 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7571 off = ubuf & ~PAGE_MASK;
7573 for (j = 0; j < nr_pages; j++) {
7576 vec_len = min_t(size_t, size, PAGE_SIZE - off);
7577 imu->bvec[j].bv_page = pages[j];
7578 imu->bvec[j].bv_len = vec_len;
7579 imu->bvec[j].bv_offset = off;
7583 /* store original address for later verification */
7585 imu->len = iov.iov_len;
7586 imu->nr_bvecs = nr_pages;
7588 ctx->nr_user_bufs++;
7596 io_sqe_buffer_unregister(ctx);
7600 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
7602 __s32 __user *fds = arg;
7608 if (copy_from_user(&fd, fds, sizeof(*fds)))
7611 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
7612 if (IS_ERR(ctx->cq_ev_fd)) {
7613 int ret = PTR_ERR(ctx->cq_ev_fd);
7614 ctx->cq_ev_fd = NULL;
7621 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
7623 if (ctx->cq_ev_fd) {
7624 eventfd_ctx_put(ctx->cq_ev_fd);
7625 ctx->cq_ev_fd = NULL;
7632 static int __io_destroy_buffers(int id, void *p, void *data)
7634 struct io_ring_ctx *ctx = data;
7635 struct io_buffer *buf = p;
7637 __io_remove_buffers(ctx, buf, id, -1U);
7641 static void io_destroy_buffers(struct io_ring_ctx *ctx)
7643 idr_for_each(&ctx->io_buffer_idr, __io_destroy_buffers, ctx);
7644 idr_destroy(&ctx->io_buffer_idr);
7647 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
7649 io_finish_async(ctx);
7651 mmdrop(ctx->sqo_mm);
7655 io_sqe_buffer_unregister(ctx);
7656 io_sqe_files_unregister(ctx);
7657 io_eventfd_unregister(ctx);
7658 io_destroy_buffers(ctx);
7659 idr_destroy(&ctx->personality_idr);
7661 #if defined(CONFIG_UNIX)
7662 if (ctx->ring_sock) {
7663 ctx->ring_sock->file = NULL; /* so that iput() is called */
7664 sock_release(ctx->ring_sock);
7668 io_mem_free(ctx->rings);
7669 io_mem_free(ctx->sq_sqes);
7671 percpu_ref_exit(&ctx->refs);
7672 io_unaccount_mem(ctx, ring_pages(ctx->sq_entries, ctx->cq_entries),
7674 free_uid(ctx->user);
7675 put_cred(ctx->creds);
7676 kfree(ctx->cancel_hash);
7677 kmem_cache_free(req_cachep, ctx->fallback_req);
7681 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
7683 struct io_ring_ctx *ctx = file->private_data;
7686 poll_wait(file, &ctx->cq_wait, wait);
7688 * synchronizes with barrier from wq_has_sleeper call in
7692 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
7693 ctx->rings->sq_ring_entries)
7694 mask |= EPOLLOUT | EPOLLWRNORM;
7695 if (io_cqring_events(ctx, false))
7696 mask |= EPOLLIN | EPOLLRDNORM;
7701 static int io_uring_fasync(int fd, struct file *file, int on)
7703 struct io_ring_ctx *ctx = file->private_data;
7705 return fasync_helper(fd, file, on, &ctx->cq_fasync);
7708 static int io_remove_personalities(int id, void *p, void *data)
7710 struct io_ring_ctx *ctx = data;
7711 const struct cred *cred;
7713 cred = idr_remove(&ctx->personality_idr, id);
7719 static void io_ring_exit_work(struct work_struct *work)
7721 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,
7725 * If we're doing polled IO and end up having requests being
7726 * submitted async (out-of-line), then completions can come in while
7727 * we're waiting for refs to drop. We need to reap these manually,
7728 * as nobody else will be looking for them.
7732 io_cqring_overflow_flush(ctx, true);
7733 io_iopoll_try_reap_events(ctx);
7734 } while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));
7735 io_ring_ctx_free(ctx);
7738 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
7740 mutex_lock(&ctx->uring_lock);
7741 percpu_ref_kill(&ctx->refs);
7742 mutex_unlock(&ctx->uring_lock);
7744 io_kill_timeouts(ctx);
7745 io_poll_remove_all(ctx);
7748 io_wq_cancel_all(ctx->io_wq);
7750 /* if we failed setting up the ctx, we might not have any rings */
7752 io_cqring_overflow_flush(ctx, true);
7753 io_iopoll_try_reap_events(ctx);
7754 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
7755 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
7756 queue_work(system_wq, &ctx->exit_work);
7759 static int io_uring_release(struct inode *inode, struct file *file)
7761 struct io_ring_ctx *ctx = file->private_data;
7763 file->private_data = NULL;
7764 io_ring_ctx_wait_and_kill(ctx);
7768 static bool io_wq_files_match(struct io_wq_work *work, void *data)
7770 struct files_struct *files = data;
7772 return work->files == files;
7775 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
7776 struct files_struct *files)
7778 if (list_empty_careful(&ctx->inflight_list))
7781 /* cancel all at once, should be faster than doing it one by one*/
7782 io_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);
7784 while (!list_empty_careful(&ctx->inflight_list)) {
7785 struct io_kiocb *cancel_req = NULL, *req;
7788 spin_lock_irq(&ctx->inflight_lock);
7789 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
7790 if (req->work.files != files)
7792 /* req is being completed, ignore */
7793 if (!refcount_inc_not_zero(&req->refs))
7799 prepare_to_wait(&ctx->inflight_wait, &wait,
7800 TASK_UNINTERRUPTIBLE);
7801 spin_unlock_irq(&ctx->inflight_lock);
7803 /* We need to keep going until we don't find a matching req */
7807 if (cancel_req->flags & REQ_F_OVERFLOW) {
7808 spin_lock_irq(&ctx->completion_lock);
7809 list_del(&cancel_req->list);
7810 cancel_req->flags &= ~REQ_F_OVERFLOW;
7811 if (list_empty(&ctx->cq_overflow_list)) {
7812 clear_bit(0, &ctx->sq_check_overflow);
7813 clear_bit(0, &ctx->cq_check_overflow);
7815 spin_unlock_irq(&ctx->completion_lock);
7817 WRITE_ONCE(ctx->rings->cq_overflow,
7818 atomic_inc_return(&ctx->cached_cq_overflow));
7821 * Put inflight ref and overflow ref. If that's
7822 * all we had, then we're done with this request.
7824 if (refcount_sub_and_test(2, &cancel_req->refs)) {
7825 io_free_req(cancel_req);
7826 finish_wait(&ctx->inflight_wait, &wait);
7830 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
7831 io_put_req(cancel_req);
7835 finish_wait(&ctx->inflight_wait, &wait);
7839 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
7841 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7842 struct task_struct *task = data;
7844 return req->task == task;
7847 static int io_uring_flush(struct file *file, void *data)
7849 struct io_ring_ctx *ctx = file->private_data;
7851 io_uring_cancel_files(ctx, data);
7854 * If the task is going away, cancel work it may have pending
7856 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
7857 io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, current, true);
7862 static void *io_uring_validate_mmap_request(struct file *file,
7863 loff_t pgoff, size_t sz)
7865 struct io_ring_ctx *ctx = file->private_data;
7866 loff_t offset = pgoff << PAGE_SHIFT;
7871 case IORING_OFF_SQ_RING:
7872 case IORING_OFF_CQ_RING:
7875 case IORING_OFF_SQES:
7879 return ERR_PTR(-EINVAL);
7882 page = virt_to_head_page(ptr);
7883 if (sz > page_size(page))
7884 return ERR_PTR(-EINVAL);
7891 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7893 size_t sz = vma->vm_end - vma->vm_start;
7897 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
7899 return PTR_ERR(ptr);
7901 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
7902 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
7905 #else /* !CONFIG_MMU */
7907 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7909 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
7912 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
7914 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
7917 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
7918 unsigned long addr, unsigned long len,
7919 unsigned long pgoff, unsigned long flags)
7923 ptr = io_uring_validate_mmap_request(file, pgoff, len);
7925 return PTR_ERR(ptr);
7927 return (unsigned long) ptr;
7930 #endif /* !CONFIG_MMU */
7932 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
7933 u32, min_complete, u32, flags, const sigset_t __user *, sig,
7936 struct io_ring_ctx *ctx;
7943 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
7951 if (f.file->f_op != &io_uring_fops)
7955 ctx = f.file->private_data;
7956 if (!percpu_ref_tryget(&ctx->refs))
7960 * For SQ polling, the thread will do all submissions and completions.
7961 * Just return the requested submit count, and wake the thread if
7965 if (ctx->flags & IORING_SETUP_SQPOLL) {
7966 if (!list_empty_careful(&ctx->cq_overflow_list))
7967 io_cqring_overflow_flush(ctx, false);
7968 if (flags & IORING_ENTER_SQ_WAKEUP)
7969 wake_up(&ctx->sqo_wait);
7970 submitted = to_submit;
7971 } else if (to_submit) {
7972 mutex_lock(&ctx->uring_lock);
7973 submitted = io_submit_sqes(ctx, to_submit, f.file, fd);
7974 mutex_unlock(&ctx->uring_lock);
7976 if (submitted != to_submit)
7979 if (flags & IORING_ENTER_GETEVENTS) {
7980 min_complete = min(min_complete, ctx->cq_entries);
7983 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
7984 * space applications don't need to do io completion events
7985 * polling again, they can rely on io_sq_thread to do polling
7986 * work, which can reduce cpu usage and uring_lock contention.
7988 if (ctx->flags & IORING_SETUP_IOPOLL &&
7989 !(ctx->flags & IORING_SETUP_SQPOLL)) {
7990 ret = io_iopoll_check(ctx, min_complete);
7992 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
7997 percpu_ref_put(&ctx->refs);
8000 return submitted ? submitted : ret;
8003 #ifdef CONFIG_PROC_FS
8004 static int io_uring_show_cred(int id, void *p, void *data)
8006 const struct cred *cred = p;
8007 struct seq_file *m = data;
8008 struct user_namespace *uns = seq_user_ns(m);
8009 struct group_info *gi;
8014 seq_printf(m, "%5d\n", id);
8015 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
8016 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
8017 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
8018 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
8019 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
8020 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
8021 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
8022 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
8023 seq_puts(m, "\n\tGroups:\t");
8024 gi = cred->group_info;
8025 for (g = 0; g < gi->ngroups; g++) {
8026 seq_put_decimal_ull(m, g ? " " : "",
8027 from_kgid_munged(uns, gi->gid[g]));
8029 seq_puts(m, "\n\tCapEff:\t");
8030 cap = cred->cap_effective;
8031 CAP_FOR_EACH_U32(__capi)
8032 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
8037 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
8041 mutex_lock(&ctx->uring_lock);
8042 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
8043 for (i = 0; i < ctx->nr_user_files; i++) {
8044 struct fixed_file_table *table;
8047 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
8048 f = table->files[i & IORING_FILE_TABLE_MASK];
8050 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
8052 seq_printf(m, "%5u: <none>\n", i);
8054 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
8055 for (i = 0; i < ctx->nr_user_bufs; i++) {
8056 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
8058 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
8059 (unsigned int) buf->len);
8061 if (!idr_is_empty(&ctx->personality_idr)) {
8062 seq_printf(m, "Personalities:\n");
8063 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
8065 seq_printf(m, "PollList:\n");
8066 spin_lock_irq(&ctx->completion_lock);
8067 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
8068 struct hlist_head *list = &ctx->cancel_hash[i];
8069 struct io_kiocb *req;
8071 hlist_for_each_entry(req, list, hash_node)
8072 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
8073 req->task->task_works != NULL);
8075 spin_unlock_irq(&ctx->completion_lock);
8076 mutex_unlock(&ctx->uring_lock);
8079 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
8081 struct io_ring_ctx *ctx = f->private_data;
8083 if (percpu_ref_tryget(&ctx->refs)) {
8084 __io_uring_show_fdinfo(ctx, m);
8085 percpu_ref_put(&ctx->refs);
8090 static const struct file_operations io_uring_fops = {
8091 .release = io_uring_release,
8092 .flush = io_uring_flush,
8093 .mmap = io_uring_mmap,
8095 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
8096 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
8098 .poll = io_uring_poll,
8099 .fasync = io_uring_fasync,
8100 #ifdef CONFIG_PROC_FS
8101 .show_fdinfo = io_uring_show_fdinfo,
8105 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
8106 struct io_uring_params *p)
8108 struct io_rings *rings;
8109 size_t size, sq_array_offset;
8111 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
8112 if (size == SIZE_MAX)
8115 rings = io_mem_alloc(size);
8120 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
8121 rings->sq_ring_mask = p->sq_entries - 1;
8122 rings->cq_ring_mask = p->cq_entries - 1;
8123 rings->sq_ring_entries = p->sq_entries;
8124 rings->cq_ring_entries = p->cq_entries;
8125 ctx->sq_mask = rings->sq_ring_mask;
8126 ctx->cq_mask = rings->cq_ring_mask;
8127 ctx->sq_entries = rings->sq_ring_entries;
8128 ctx->cq_entries = rings->cq_ring_entries;
8130 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
8131 if (size == SIZE_MAX) {
8132 io_mem_free(ctx->rings);
8137 ctx->sq_sqes = io_mem_alloc(size);
8138 if (!ctx->sq_sqes) {
8139 io_mem_free(ctx->rings);
8148 * Allocate an anonymous fd, this is what constitutes the application
8149 * visible backing of an io_uring instance. The application mmaps this
8150 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
8151 * we have to tie this fd to a socket for file garbage collection purposes.
8153 static int io_uring_get_fd(struct io_ring_ctx *ctx)
8158 #if defined(CONFIG_UNIX)
8159 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
8165 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
8169 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
8170 O_RDWR | O_CLOEXEC);
8173 ret = PTR_ERR(file);
8177 #if defined(CONFIG_UNIX)
8178 ctx->ring_sock->file = file;
8180 fd_install(ret, file);
8183 #if defined(CONFIG_UNIX)
8184 sock_release(ctx->ring_sock);
8185 ctx->ring_sock = NULL;
8190 static int io_uring_create(unsigned entries, struct io_uring_params *p,
8191 struct io_uring_params __user *params)
8193 struct user_struct *user = NULL;
8194 struct io_ring_ctx *ctx;
8200 if (entries > IORING_MAX_ENTRIES) {
8201 if (!(p->flags & IORING_SETUP_CLAMP))
8203 entries = IORING_MAX_ENTRIES;
8207 * Use twice as many entries for the CQ ring. It's possible for the
8208 * application to drive a higher depth than the size of the SQ ring,
8209 * since the sqes are only used at submission time. This allows for
8210 * some flexibility in overcommitting a bit. If the application has
8211 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
8212 * of CQ ring entries manually.
8214 p->sq_entries = roundup_pow_of_two(entries);
8215 if (p->flags & IORING_SETUP_CQSIZE) {
8217 * If IORING_SETUP_CQSIZE is set, we do the same roundup
8218 * to a power-of-two, if it isn't already. We do NOT impose
8219 * any cq vs sq ring sizing.
8221 if (p->cq_entries < p->sq_entries)
8223 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
8224 if (!(p->flags & IORING_SETUP_CLAMP))
8226 p->cq_entries = IORING_MAX_CQ_ENTRIES;
8228 p->cq_entries = roundup_pow_of_two(p->cq_entries);
8230 p->cq_entries = 2 * p->sq_entries;
8233 user = get_uid(current_user());
8234 limit_mem = !capable(CAP_IPC_LOCK);
8237 ret = __io_account_mem(user,
8238 ring_pages(p->sq_entries, p->cq_entries));
8245 ctx = io_ring_ctx_alloc(p);
8248 __io_unaccount_mem(user, ring_pages(p->sq_entries,
8253 ctx->compat = in_compat_syscall();
8255 ctx->creds = get_current_cred();
8257 ret = io_allocate_scq_urings(ctx, p);
8261 ret = io_sq_offload_start(ctx, p);
8265 memset(&p->sq_off, 0, sizeof(p->sq_off));
8266 p->sq_off.head = offsetof(struct io_rings, sq.head);
8267 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
8268 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
8269 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
8270 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
8271 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
8272 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
8274 memset(&p->cq_off, 0, sizeof(p->cq_off));
8275 p->cq_off.head = offsetof(struct io_rings, cq.head);
8276 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
8277 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
8278 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
8279 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
8280 p->cq_off.cqes = offsetof(struct io_rings, cqes);
8281 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
8283 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
8284 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
8285 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
8286 IORING_FEAT_POLL_32BITS;
8288 if (copy_to_user(params, p, sizeof(*p))) {
8293 * Install ring fd as the very last thing, so we don't risk someone
8294 * having closed it before we finish setup
8296 ret = io_uring_get_fd(ctx);
8300 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
8301 io_account_mem(ctx, ring_pages(p->sq_entries, p->cq_entries),
8303 ctx->limit_mem = limit_mem;
8306 io_ring_ctx_wait_and_kill(ctx);
8311 * Sets up an aio uring context, and returns the fd. Applications asks for a
8312 * ring size, we return the actual sq/cq ring sizes (among other things) in the
8313 * params structure passed in.
8315 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
8317 struct io_uring_params p;
8320 if (copy_from_user(&p, params, sizeof(p)))
8322 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
8327 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8328 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
8329 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ))
8332 return io_uring_create(entries, &p, params);
8335 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
8336 struct io_uring_params __user *, params)
8338 return io_uring_setup(entries, params);
8341 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
8343 struct io_uring_probe *p;
8347 size = struct_size(p, ops, nr_args);
8348 if (size == SIZE_MAX)
8350 p = kzalloc(size, GFP_KERNEL);
8355 if (copy_from_user(p, arg, size))
8358 if (memchr_inv(p, 0, size))
8361 p->last_op = IORING_OP_LAST - 1;
8362 if (nr_args > IORING_OP_LAST)
8363 nr_args = IORING_OP_LAST;
8365 for (i = 0; i < nr_args; i++) {
8367 if (!io_op_defs[i].not_supported)
8368 p->ops[i].flags = IO_URING_OP_SUPPORTED;
8373 if (copy_to_user(arg, p, size))
8380 static int io_register_personality(struct io_ring_ctx *ctx)
8382 const struct cred *creds = get_current_cred();
8385 id = idr_alloc_cyclic(&ctx->personality_idr, (void *) creds, 1,
8386 USHRT_MAX, GFP_KERNEL);
8392 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
8394 const struct cred *old_creds;
8396 old_creds = idr_remove(&ctx->personality_idr, id);
8398 put_cred(old_creds);
8405 static bool io_register_op_must_quiesce(int op)
8408 case IORING_UNREGISTER_FILES:
8409 case IORING_REGISTER_FILES_UPDATE:
8410 case IORING_REGISTER_PROBE:
8411 case IORING_REGISTER_PERSONALITY:
8412 case IORING_UNREGISTER_PERSONALITY:
8419 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
8420 void __user *arg, unsigned nr_args)
8421 __releases(ctx->uring_lock)
8422 __acquires(ctx->uring_lock)
8427 * We're inside the ring mutex, if the ref is already dying, then
8428 * someone else killed the ctx or is already going through
8429 * io_uring_register().
8431 if (percpu_ref_is_dying(&ctx->refs))
8434 if (io_register_op_must_quiesce(opcode)) {
8435 percpu_ref_kill(&ctx->refs);
8438 * Drop uring mutex before waiting for references to exit. If
8439 * another thread is currently inside io_uring_enter() it might
8440 * need to grab the uring_lock to make progress. If we hold it
8441 * here across the drain wait, then we can deadlock. It's safe
8442 * to drop the mutex here, since no new references will come in
8443 * after we've killed the percpu ref.
8445 mutex_unlock(&ctx->uring_lock);
8446 ret = wait_for_completion_interruptible(&ctx->ref_comp);
8447 mutex_lock(&ctx->uring_lock);
8449 percpu_ref_resurrect(&ctx->refs);
8456 case IORING_REGISTER_BUFFERS:
8457 ret = io_sqe_buffer_register(ctx, arg, nr_args);
8459 case IORING_UNREGISTER_BUFFERS:
8463 ret = io_sqe_buffer_unregister(ctx);
8465 case IORING_REGISTER_FILES:
8466 ret = io_sqe_files_register(ctx, arg, nr_args);
8468 case IORING_UNREGISTER_FILES:
8472 ret = io_sqe_files_unregister(ctx);
8474 case IORING_REGISTER_FILES_UPDATE:
8475 ret = io_sqe_files_update(ctx, arg, nr_args);
8477 case IORING_REGISTER_EVENTFD:
8478 case IORING_REGISTER_EVENTFD_ASYNC:
8482 ret = io_eventfd_register(ctx, arg);
8485 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
8486 ctx->eventfd_async = 1;
8488 ctx->eventfd_async = 0;
8490 case IORING_UNREGISTER_EVENTFD:
8494 ret = io_eventfd_unregister(ctx);
8496 case IORING_REGISTER_PROBE:
8498 if (!arg || nr_args > 256)
8500 ret = io_probe(ctx, arg, nr_args);
8502 case IORING_REGISTER_PERSONALITY:
8506 ret = io_register_personality(ctx);
8508 case IORING_UNREGISTER_PERSONALITY:
8512 ret = io_unregister_personality(ctx, nr_args);
8519 if (io_register_op_must_quiesce(opcode)) {
8520 /* bring the ctx back to life */
8521 percpu_ref_reinit(&ctx->refs);
8523 reinit_completion(&ctx->ref_comp);
8528 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
8529 void __user *, arg, unsigned int, nr_args)
8531 struct io_ring_ctx *ctx;
8540 if (f.file->f_op != &io_uring_fops)
8543 ctx = f.file->private_data;
8545 mutex_lock(&ctx->uring_lock);
8546 ret = __io_uring_register(ctx, opcode, arg, nr_args);
8547 mutex_unlock(&ctx->uring_lock);
8548 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
8549 ctx->cq_ev_fd != NULL, ret);
8555 static int __init io_uring_init(void)
8557 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
8558 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
8559 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
8562 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
8563 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
8564 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
8565 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
8566 BUILD_BUG_SQE_ELEM(1, __u8, flags);
8567 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
8568 BUILD_BUG_SQE_ELEM(4, __s32, fd);
8569 BUILD_BUG_SQE_ELEM(8, __u64, off);
8570 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
8571 BUILD_BUG_SQE_ELEM(16, __u64, addr);
8572 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
8573 BUILD_BUG_SQE_ELEM(24, __u32, len);
8574 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
8575 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
8576 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
8577 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
8578 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
8579 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
8580 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
8581 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
8582 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
8583 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
8584 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
8585 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
8586 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
8587 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
8588 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
8589 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
8590 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
8591 BUILD_BUG_SQE_ELEM(42, __u16, personality);
8592 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
8594 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
8595 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
8596 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
8599 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob