1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/blkdev.h>
61 #include <linux/bvec.h>
62 #include <linux/net.h>
64 #include <net/af_unix.h>
66 #include <linux/anon_inodes.h>
67 #include <linux/sched/mm.h>
68 #include <linux/uaccess.h>
69 #include <linux/nospec.h>
70 #include <linux/sizes.h>
71 #include <linux/hugetlb.h>
72 #include <linux/highmem.h>
73 #include <linux/namei.h>
74 #include <linux/fsnotify.h>
75 #include <linux/fadvise.h>
76 #include <linux/eventpoll.h>
77 #include <linux/splice.h>
78 #include <linux/task_work.h>
79 #include <linux/pagemap.h>
80 #include <linux/io_uring.h>
81 #include <linux/freezer.h>
83 #define CREATE_TRACE_POINTS
84 #include <trace/events/io_uring.h>
86 #include <uapi/linux/io_uring.h>
91 #define IORING_MAX_ENTRIES 32768
92 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
95 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
97 #define IORING_FILE_TABLE_SHIFT 9
98 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
99 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
100 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
101 #define IORING_MAX_RESTRICTIONS (IORING_RESTRICTION_LAST + \
102 IORING_REGISTER_LAST + IORING_OP_LAST)
104 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
105 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
109 u32 head ____cacheline_aligned_in_smp;
110 u32 tail ____cacheline_aligned_in_smp;
114 * This data is shared with the application through the mmap at offsets
115 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
117 * The offsets to the member fields are published through struct
118 * io_sqring_offsets when calling io_uring_setup.
122 * Head and tail offsets into the ring; the offsets need to be
123 * masked to get valid indices.
125 * The kernel controls head of the sq ring and the tail of the cq ring,
126 * and the application controls tail of the sq ring and the head of the
129 struct io_uring sq, cq;
131 * Bitmasks to apply to head and tail offsets (constant, equals
134 u32 sq_ring_mask, cq_ring_mask;
135 /* Ring sizes (constant, power of 2) */
136 u32 sq_ring_entries, cq_ring_entries;
138 * Number of invalid entries dropped by the kernel due to
139 * invalid index stored in array
141 * Written by the kernel, shouldn't be modified by the
142 * application (i.e. get number of "new events" by comparing to
145 * After a new SQ head value was read by the application this
146 * counter includes all submissions that were dropped reaching
147 * the new SQ head (and possibly more).
153 * Written by the kernel, shouldn't be modified by the
156 * The application needs a full memory barrier before checking
157 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
163 * Written by the application, shouldn't be modified by the
168 * Number of completion events lost because the queue was full;
169 * this should be avoided by the application by making sure
170 * there are not more requests pending than there is space in
171 * the completion queue.
173 * Written by the kernel, shouldn't be modified by the
174 * application (i.e. get number of "new events" by comparing to
177 * As completion events come in out of order this counter is not
178 * ordered with any other data.
182 * Ring buffer of completion events.
184 * The kernel writes completion events fresh every time they are
185 * produced, so the application is allowed to modify pending
188 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
191 enum io_uring_cmd_flags {
192 IO_URING_F_NONBLOCK = 1,
193 IO_URING_F_COMPLETE_DEFER = 2,
196 struct io_mapped_ubuf {
199 struct bio_vec *bvec;
200 unsigned int nr_bvecs;
201 unsigned long acct_pages;
207 struct list_head list;
214 struct fixed_rsrc_table {
218 struct fixed_rsrc_ref_node {
219 struct percpu_ref refs;
220 struct list_head node;
221 struct list_head rsrc_list;
222 struct fixed_rsrc_data *rsrc_data;
223 void (*rsrc_put)(struct io_ring_ctx *ctx,
224 struct io_rsrc_put *prsrc);
225 struct llist_node llist;
229 struct fixed_rsrc_data {
230 struct fixed_rsrc_table *table;
231 struct io_ring_ctx *ctx;
233 struct fixed_rsrc_ref_node *node;
234 struct percpu_ref refs;
235 struct completion done;
240 struct list_head list;
246 struct io_restriction {
247 DECLARE_BITMAP(register_op, IORING_REGISTER_LAST);
248 DECLARE_BITMAP(sqe_op, IORING_OP_LAST);
249 u8 sqe_flags_allowed;
250 u8 sqe_flags_required;
255 IO_SQ_THREAD_SHOULD_STOP = 0,
256 IO_SQ_THREAD_SHOULD_PARK,
261 atomic_t park_pending;
264 /* ctx's that are using this sqd */
265 struct list_head ctx_list;
267 struct task_struct *thread;
268 struct wait_queue_head wait;
270 unsigned sq_thread_idle;
276 struct completion exited;
279 #define IO_IOPOLL_BATCH 8
280 #define IO_COMPL_BATCH 32
281 #define IO_REQ_CACHE_SIZE 32
282 #define IO_REQ_ALLOC_BATCH 8
284 struct io_comp_state {
285 struct io_kiocb *reqs[IO_COMPL_BATCH];
287 unsigned int locked_free_nr;
288 /* inline/task_work completion list, under ->uring_lock */
289 struct list_head free_list;
290 /* IRQ completion list, under ->completion_lock */
291 struct list_head locked_free_list;
294 struct io_submit_link {
295 struct io_kiocb *head;
296 struct io_kiocb *last;
299 struct io_submit_state {
300 struct blk_plug plug;
301 struct io_submit_link link;
304 * io_kiocb alloc cache
306 void *reqs[IO_REQ_CACHE_SIZE];
307 unsigned int free_reqs;
312 * Batch completion logic
314 struct io_comp_state comp;
317 * File reference cache
321 unsigned int file_refs;
322 unsigned int ios_left;
327 struct percpu_ref refs;
328 } ____cacheline_aligned_in_smp;
332 unsigned int compat: 1;
333 unsigned int cq_overflow_flushed: 1;
334 unsigned int drain_next: 1;
335 unsigned int eventfd_async: 1;
336 unsigned int restricted: 1;
339 * Ring buffer of indices into array of io_uring_sqe, which is
340 * mmapped by the application using the IORING_OFF_SQES offset.
342 * This indirection could e.g. be used to assign fixed
343 * io_uring_sqe entries to operations and only submit them to
344 * the queue when needed.
346 * The kernel modifies neither the indices array nor the entries
350 unsigned cached_sq_head;
353 unsigned sq_thread_idle;
354 unsigned cached_sq_dropped;
355 unsigned cached_cq_overflow;
356 unsigned long sq_check_overflow;
358 /* hashed buffered write serialization */
359 struct io_wq_hash *hash_map;
361 struct list_head defer_list;
362 struct list_head timeout_list;
363 struct list_head cq_overflow_list;
365 struct io_uring_sqe *sq_sqes;
366 } ____cacheline_aligned_in_smp;
369 struct mutex uring_lock;
370 wait_queue_head_t wait;
371 } ____cacheline_aligned_in_smp;
373 struct io_submit_state submit_state;
375 struct io_rings *rings;
377 /* Only used for accounting purposes */
378 struct mm_struct *mm_account;
380 const struct cred *sq_creds; /* cred used for __io_sq_thread() */
381 struct io_sq_data *sq_data; /* if using sq thread polling */
383 struct wait_queue_head sqo_sq_wait;
384 struct list_head sqd_list;
387 * If used, fixed file set. Writers must ensure that ->refs is dead,
388 * readers must ensure that ->refs is alive as long as the file* is
389 * used. Only updated through io_uring_register(2).
391 struct fixed_rsrc_data *file_data;
392 unsigned nr_user_files;
394 /* if used, fixed mapped user buffers */
395 unsigned nr_user_bufs;
396 struct io_mapped_ubuf *user_bufs;
398 struct user_struct *user;
400 struct completion ref_comp;
402 #if defined(CONFIG_UNIX)
403 struct socket *ring_sock;
406 struct xarray io_buffers;
408 struct xarray personalities;
412 unsigned cached_cq_tail;
415 atomic_t cq_timeouts;
416 unsigned cq_last_tm_flush;
417 unsigned long cq_check_overflow;
418 struct wait_queue_head cq_wait;
419 struct fasync_struct *cq_fasync;
420 struct eventfd_ctx *cq_ev_fd;
421 } ____cacheline_aligned_in_smp;
424 spinlock_t completion_lock;
427 * ->iopoll_list is protected by the ctx->uring_lock for
428 * io_uring instances that don't use IORING_SETUP_SQPOLL.
429 * For SQPOLL, only the single threaded io_sq_thread() will
430 * manipulate the list, hence no extra locking is needed there.
432 struct list_head iopoll_list;
433 struct hlist_head *cancel_hash;
434 unsigned cancel_hash_bits;
435 bool poll_multi_file;
437 spinlock_t inflight_lock;
438 struct list_head inflight_list;
439 } ____cacheline_aligned_in_smp;
441 struct delayed_work rsrc_put_work;
442 struct llist_head rsrc_put_llist;
443 struct list_head rsrc_ref_list;
444 spinlock_t rsrc_ref_lock;
446 struct io_restriction restrictions;
449 struct callback_head *exit_task_work;
451 struct wait_queue_head hash_wait;
453 /* Keep this last, we don't need it for the fast path */
454 struct work_struct exit_work;
455 struct list_head tctx_list;
459 * First field must be the file pointer in all the
460 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
462 struct io_poll_iocb {
464 struct wait_queue_head *head;
468 struct wait_queue_entry wait;
471 struct io_poll_remove {
481 struct io_timeout_data {
482 struct io_kiocb *req;
483 struct hrtimer timer;
484 struct timespec64 ts;
485 enum hrtimer_mode mode;
490 struct sockaddr __user *addr;
491 int __user *addr_len;
493 unsigned long nofile;
513 struct list_head list;
514 /* head of the link, used by linked timeouts only */
515 struct io_kiocb *head;
518 struct io_timeout_rem {
523 struct timespec64 ts;
528 /* NOTE: kiocb has the file as the first member, so don't do it here */
536 struct sockaddr __user *addr;
543 struct user_msghdr __user *umsg;
549 struct io_buffer *kbuf;
555 struct filename *filename;
557 unsigned long nofile;
560 struct io_rsrc_update {
586 struct epoll_event event;
590 struct file *file_out;
591 struct file *file_in;
598 struct io_provide_buf {
612 const char __user *filename;
613 struct statx __user *buffer;
625 struct filename *oldpath;
626 struct filename *newpath;
634 struct filename *filename;
637 struct io_completion {
639 struct list_head list;
643 struct io_async_connect {
644 struct sockaddr_storage address;
647 struct io_async_msghdr {
648 struct iovec fast_iov[UIO_FASTIOV];
649 /* points to an allocated iov, if NULL we use fast_iov instead */
650 struct iovec *free_iov;
651 struct sockaddr __user *uaddr;
653 struct sockaddr_storage addr;
657 struct iovec fast_iov[UIO_FASTIOV];
658 const struct iovec *free_iovec;
659 struct iov_iter iter;
661 struct wait_page_queue wpq;
665 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
666 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
667 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
668 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
669 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
670 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
676 REQ_F_LINK_TIMEOUT_BIT,
678 REQ_F_NEED_CLEANUP_BIT,
680 REQ_F_BUFFER_SELECTED_BIT,
681 REQ_F_NO_FILE_TABLE_BIT,
682 REQ_F_LTIMEOUT_ACTIVE_BIT,
683 REQ_F_COMPLETE_INLINE_BIT,
685 /* not a real bit, just to check we're not overflowing the space */
691 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
692 /* drain existing IO first */
693 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
695 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
696 /* doesn't sever on completion < 0 */
697 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
699 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
700 /* IOSQE_BUFFER_SELECT */
701 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
703 /* fail rest of links */
704 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
705 /* on inflight list, should be cancelled and waited on exit reliably */
706 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
707 /* read/write uses file position */
708 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
709 /* must not punt to workers */
710 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
711 /* has or had linked timeout */
712 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
714 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
716 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
717 /* already went through poll handler */
718 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
719 /* buffer already selected */
720 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
721 /* doesn't need file table for this request */
722 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
723 /* linked timeout is active, i.e. prepared by link's head */
724 REQ_F_LTIMEOUT_ACTIVE = BIT(REQ_F_LTIMEOUT_ACTIVE_BIT),
725 /* completion is deferred through io_comp_state */
726 REQ_F_COMPLETE_INLINE = BIT(REQ_F_COMPLETE_INLINE_BIT),
730 struct io_poll_iocb poll;
731 struct io_poll_iocb *double_poll;
734 struct io_task_work {
735 struct io_wq_work_node node;
736 task_work_func_t func;
740 * NOTE! Each of the iocb union members has the file pointer
741 * as the first entry in their struct definition. So you can
742 * access the file pointer through any of the sub-structs,
743 * or directly as just 'ki_filp' in this struct.
749 struct io_poll_iocb poll;
750 struct io_poll_remove poll_remove;
751 struct io_accept accept;
753 struct io_cancel cancel;
754 struct io_timeout timeout;
755 struct io_timeout_rem timeout_rem;
756 struct io_connect connect;
757 struct io_sr_msg sr_msg;
759 struct io_close close;
760 struct io_rsrc_update rsrc_update;
761 struct io_fadvise fadvise;
762 struct io_madvise madvise;
763 struct io_epoll epoll;
764 struct io_splice splice;
765 struct io_provide_buf pbuf;
766 struct io_statx statx;
767 struct io_shutdown shutdown;
768 struct io_rename rename;
769 struct io_unlink unlink;
770 /* use only after cleaning per-op data, see io_clean_op() */
771 struct io_completion compl;
774 /* opcode allocated if it needs to store data for async defer */
777 /* polled IO has completed */
783 struct io_ring_ctx *ctx;
786 struct task_struct *task;
789 struct io_kiocb *link;
790 struct percpu_ref *fixed_rsrc_refs;
793 * 1. used with ctx->iopoll_list with reads/writes
794 * 2. to track reqs with ->files (see io_op_def::file_table)
796 struct list_head inflight_entry;
798 struct io_task_work io_task_work;
799 struct callback_head task_work;
801 /* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */
802 struct hlist_node hash_node;
803 struct async_poll *apoll;
804 struct io_wq_work work;
807 struct io_tctx_node {
808 struct list_head ctx_node;
809 struct task_struct *task;
810 struct io_ring_ctx *ctx;
813 struct io_defer_entry {
814 struct list_head list;
815 struct io_kiocb *req;
820 /* needs req->file assigned */
821 unsigned needs_file : 1;
822 /* hash wq insertion if file is a regular file */
823 unsigned hash_reg_file : 1;
824 /* unbound wq insertion if file is a non-regular file */
825 unsigned unbound_nonreg_file : 1;
826 /* opcode is not supported by this kernel */
827 unsigned not_supported : 1;
828 /* set if opcode supports polled "wait" */
830 unsigned pollout : 1;
831 /* op supports buffer selection */
832 unsigned buffer_select : 1;
833 /* must always have async data allocated */
834 unsigned needs_async_data : 1;
835 /* should block plug */
837 /* size of async data needed, if any */
838 unsigned short async_size;
841 static const struct io_op_def io_op_defs[] = {
842 [IORING_OP_NOP] = {},
843 [IORING_OP_READV] = {
845 .unbound_nonreg_file = 1,
848 .needs_async_data = 1,
850 .async_size = sizeof(struct io_async_rw),
852 [IORING_OP_WRITEV] = {
855 .unbound_nonreg_file = 1,
857 .needs_async_data = 1,
859 .async_size = sizeof(struct io_async_rw),
861 [IORING_OP_FSYNC] = {
864 [IORING_OP_READ_FIXED] = {
866 .unbound_nonreg_file = 1,
869 .async_size = sizeof(struct io_async_rw),
871 [IORING_OP_WRITE_FIXED] = {
874 .unbound_nonreg_file = 1,
877 .async_size = sizeof(struct io_async_rw),
879 [IORING_OP_POLL_ADD] = {
881 .unbound_nonreg_file = 1,
883 [IORING_OP_POLL_REMOVE] = {},
884 [IORING_OP_SYNC_FILE_RANGE] = {
887 [IORING_OP_SENDMSG] = {
889 .unbound_nonreg_file = 1,
891 .needs_async_data = 1,
892 .async_size = sizeof(struct io_async_msghdr),
894 [IORING_OP_RECVMSG] = {
896 .unbound_nonreg_file = 1,
899 .needs_async_data = 1,
900 .async_size = sizeof(struct io_async_msghdr),
902 [IORING_OP_TIMEOUT] = {
903 .needs_async_data = 1,
904 .async_size = sizeof(struct io_timeout_data),
906 [IORING_OP_TIMEOUT_REMOVE] = {
907 /* used by timeout updates' prep() */
909 [IORING_OP_ACCEPT] = {
911 .unbound_nonreg_file = 1,
914 [IORING_OP_ASYNC_CANCEL] = {},
915 [IORING_OP_LINK_TIMEOUT] = {
916 .needs_async_data = 1,
917 .async_size = sizeof(struct io_timeout_data),
919 [IORING_OP_CONNECT] = {
921 .unbound_nonreg_file = 1,
923 .needs_async_data = 1,
924 .async_size = sizeof(struct io_async_connect),
926 [IORING_OP_FALLOCATE] = {
929 [IORING_OP_OPENAT] = {},
930 [IORING_OP_CLOSE] = {},
931 [IORING_OP_FILES_UPDATE] = {},
932 [IORING_OP_STATX] = {},
935 .unbound_nonreg_file = 1,
939 .async_size = sizeof(struct io_async_rw),
941 [IORING_OP_WRITE] = {
943 .unbound_nonreg_file = 1,
946 .async_size = sizeof(struct io_async_rw),
948 [IORING_OP_FADVISE] = {
951 [IORING_OP_MADVISE] = {},
954 .unbound_nonreg_file = 1,
959 .unbound_nonreg_file = 1,
963 [IORING_OP_OPENAT2] = {
965 [IORING_OP_EPOLL_CTL] = {
966 .unbound_nonreg_file = 1,
968 [IORING_OP_SPLICE] = {
971 .unbound_nonreg_file = 1,
973 [IORING_OP_PROVIDE_BUFFERS] = {},
974 [IORING_OP_REMOVE_BUFFERS] = {},
978 .unbound_nonreg_file = 1,
980 [IORING_OP_SHUTDOWN] = {
983 [IORING_OP_RENAMEAT] = {},
984 [IORING_OP_UNLINKAT] = {},
987 static bool io_disarm_next(struct io_kiocb *req);
988 static void io_uring_del_task_file(unsigned long index);
989 static void io_uring_try_cancel_requests(struct io_ring_ctx *ctx,
990 struct task_struct *task,
991 struct files_struct *files);
992 static void io_uring_cancel_sqpoll(struct io_ring_ctx *ctx);
993 static void destroy_fixed_rsrc_ref_node(struct fixed_rsrc_ref_node *ref_node);
994 static struct fixed_rsrc_ref_node *alloc_fixed_rsrc_ref_node(
995 struct io_ring_ctx *ctx);
996 static void io_ring_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc);
998 static bool io_rw_reissue(struct io_kiocb *req);
999 static void io_cqring_fill_event(struct io_kiocb *req, long res);
1000 static void io_put_req(struct io_kiocb *req);
1001 static void io_put_req_deferred(struct io_kiocb *req, int nr);
1002 static void io_double_put_req(struct io_kiocb *req);
1003 static void io_dismantle_req(struct io_kiocb *req);
1004 static void io_put_task(struct task_struct *task, int nr);
1005 static void io_queue_next(struct io_kiocb *req);
1006 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
1007 static void __io_queue_linked_timeout(struct io_kiocb *req);
1008 static void io_queue_linked_timeout(struct io_kiocb *req);
1009 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
1010 struct io_uring_rsrc_update *ip,
1012 static void __io_clean_op(struct io_kiocb *req);
1013 static struct file *io_file_get(struct io_submit_state *state,
1014 struct io_kiocb *req, int fd, bool fixed);
1015 static void __io_queue_sqe(struct io_kiocb *req);
1016 static void io_rsrc_put_work(struct work_struct *work);
1018 static int io_import_iovec(int rw, struct io_kiocb *req, struct iovec **iovec,
1019 struct iov_iter *iter, bool needs_lock);
1020 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
1021 const struct iovec *fast_iov,
1022 struct iov_iter *iter, bool force);
1023 static void io_req_task_queue(struct io_kiocb *req);
1024 static void io_submit_flush_completions(struct io_comp_state *cs,
1025 struct io_ring_ctx *ctx);
1027 static struct kmem_cache *req_cachep;
1029 static const struct file_operations io_uring_fops;
1031 struct sock *io_uring_get_socket(struct file *file)
1033 #if defined(CONFIG_UNIX)
1034 if (file->f_op == &io_uring_fops) {
1035 struct io_ring_ctx *ctx = file->private_data;
1037 return ctx->ring_sock->sk;
1042 EXPORT_SYMBOL(io_uring_get_socket);
1044 #define io_for_each_link(pos, head) \
1045 for (pos = (head); pos; pos = pos->link)
1047 static inline void io_clean_op(struct io_kiocb *req)
1049 if (req->flags & (REQ_F_NEED_CLEANUP | REQ_F_BUFFER_SELECTED))
1053 static inline void io_set_resource_node(struct io_kiocb *req)
1055 struct io_ring_ctx *ctx = req->ctx;
1057 if (!req->fixed_rsrc_refs) {
1058 req->fixed_rsrc_refs = &ctx->file_data->node->refs;
1059 percpu_ref_get(req->fixed_rsrc_refs);
1063 static bool io_match_task(struct io_kiocb *head,
1064 struct task_struct *task,
1065 struct files_struct *files)
1067 struct io_kiocb *req;
1069 if (task && head->task != task) {
1070 /* in terms of cancelation, always match if req task is dead */
1071 if (head->task->flags & PF_EXITING)
1078 io_for_each_link(req, head) {
1079 if (req->flags & REQ_F_INFLIGHT)
1081 if (req->task->files == files)
1087 static inline void req_set_fail_links(struct io_kiocb *req)
1089 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1090 req->flags |= REQ_F_FAIL_LINK;
1093 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
1095 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1097 complete(&ctx->ref_comp);
1100 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1102 return !req->timeout.off;
1105 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1107 struct io_ring_ctx *ctx;
1110 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1115 * Use 5 bits less than the max cq entries, that should give us around
1116 * 32 entries per hash list if totally full and uniformly spread.
1118 hash_bits = ilog2(p->cq_entries);
1122 ctx->cancel_hash_bits = hash_bits;
1123 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1125 if (!ctx->cancel_hash)
1127 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1129 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1130 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
1133 ctx->flags = p->flags;
1134 init_waitqueue_head(&ctx->sqo_sq_wait);
1135 INIT_LIST_HEAD(&ctx->sqd_list);
1136 init_waitqueue_head(&ctx->cq_wait);
1137 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1138 init_completion(&ctx->ref_comp);
1139 xa_init_flags(&ctx->io_buffers, XA_FLAGS_ALLOC1);
1140 xa_init_flags(&ctx->personalities, XA_FLAGS_ALLOC1);
1141 mutex_init(&ctx->uring_lock);
1142 init_waitqueue_head(&ctx->wait);
1143 spin_lock_init(&ctx->completion_lock);
1144 INIT_LIST_HEAD(&ctx->iopoll_list);
1145 INIT_LIST_HEAD(&ctx->defer_list);
1146 INIT_LIST_HEAD(&ctx->timeout_list);
1147 spin_lock_init(&ctx->inflight_lock);
1148 INIT_LIST_HEAD(&ctx->inflight_list);
1149 spin_lock_init(&ctx->rsrc_ref_lock);
1150 INIT_LIST_HEAD(&ctx->rsrc_ref_list);
1151 INIT_DELAYED_WORK(&ctx->rsrc_put_work, io_rsrc_put_work);
1152 init_llist_head(&ctx->rsrc_put_llist);
1153 INIT_LIST_HEAD(&ctx->tctx_list);
1154 INIT_LIST_HEAD(&ctx->submit_state.comp.free_list);
1155 INIT_LIST_HEAD(&ctx->submit_state.comp.locked_free_list);
1158 kfree(ctx->cancel_hash);
1163 static bool req_need_defer(struct io_kiocb *req, u32 seq)
1165 if (unlikely(req->flags & REQ_F_IO_DRAIN)) {
1166 struct io_ring_ctx *ctx = req->ctx;
1168 return seq != ctx->cached_cq_tail
1169 + READ_ONCE(ctx->cached_cq_overflow);
1175 static void io_req_track_inflight(struct io_kiocb *req)
1177 struct io_ring_ctx *ctx = req->ctx;
1179 if (!(req->flags & REQ_F_INFLIGHT)) {
1180 req->flags |= REQ_F_INFLIGHT;
1182 spin_lock_irq(&ctx->inflight_lock);
1183 list_add(&req->inflight_entry, &ctx->inflight_list);
1184 spin_unlock_irq(&ctx->inflight_lock);
1188 static void io_prep_async_work(struct io_kiocb *req)
1190 const struct io_op_def *def = &io_op_defs[req->opcode];
1191 struct io_ring_ctx *ctx = req->ctx;
1193 if (!req->work.creds)
1194 req->work.creds = get_current_cred();
1196 if (req->flags & REQ_F_FORCE_ASYNC)
1197 req->work.flags |= IO_WQ_WORK_CONCURRENT;
1199 if (req->flags & REQ_F_ISREG) {
1200 if (def->hash_reg_file || (ctx->flags & IORING_SETUP_IOPOLL))
1201 io_wq_hash_work(&req->work, file_inode(req->file));
1203 if (def->unbound_nonreg_file)
1204 req->work.flags |= IO_WQ_WORK_UNBOUND;
1208 static void io_prep_async_link(struct io_kiocb *req)
1210 struct io_kiocb *cur;
1212 io_for_each_link(cur, req)
1213 io_prep_async_work(cur);
1216 static void io_queue_async_work(struct io_kiocb *req)
1218 struct io_ring_ctx *ctx = req->ctx;
1219 struct io_kiocb *link = io_prep_linked_timeout(req);
1220 struct io_uring_task *tctx = req->task->io_uring;
1223 BUG_ON(!tctx->io_wq);
1225 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1226 &req->work, req->flags);
1227 /* init ->work of the whole link before punting */
1228 io_prep_async_link(req);
1229 io_wq_enqueue(tctx->io_wq, &req->work);
1231 io_queue_linked_timeout(link);
1234 static void io_kill_timeout(struct io_kiocb *req)
1236 struct io_timeout_data *io = req->async_data;
1239 ret = hrtimer_try_to_cancel(&io->timer);
1241 atomic_set(&req->ctx->cq_timeouts,
1242 atomic_read(&req->ctx->cq_timeouts) + 1);
1243 list_del_init(&req->timeout.list);
1244 io_cqring_fill_event(req, 0);
1245 io_put_req_deferred(req, 1);
1250 * Returns true if we found and killed one or more timeouts
1252 static bool io_kill_timeouts(struct io_ring_ctx *ctx, struct task_struct *tsk,
1253 struct files_struct *files)
1255 struct io_kiocb *req, *tmp;
1258 spin_lock_irq(&ctx->completion_lock);
1259 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {
1260 if (io_match_task(req, tsk, files)) {
1261 io_kill_timeout(req);
1265 spin_unlock_irq(&ctx->completion_lock);
1266 return canceled != 0;
1269 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1272 struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
1273 struct io_defer_entry, list);
1275 if (req_need_defer(de->req, de->seq))
1277 list_del_init(&de->list);
1278 io_req_task_queue(de->req);
1280 } while (!list_empty(&ctx->defer_list));
1283 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1287 if (list_empty(&ctx->timeout_list))
1290 seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
1293 u32 events_needed, events_got;
1294 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1295 struct io_kiocb, timeout.list);
1297 if (io_is_timeout_noseq(req))
1301 * Since seq can easily wrap around over time, subtract
1302 * the last seq at which timeouts were flushed before comparing.
1303 * Assuming not more than 2^31-1 events have happened since,
1304 * these subtractions won't have wrapped, so we can check if
1305 * target is in [last_seq, current_seq] by comparing the two.
1307 events_needed = req->timeout.target_seq - ctx->cq_last_tm_flush;
1308 events_got = seq - ctx->cq_last_tm_flush;
1309 if (events_got < events_needed)
1312 list_del_init(&req->timeout.list);
1313 io_kill_timeout(req);
1314 } while (!list_empty(&ctx->timeout_list));
1316 ctx->cq_last_tm_flush = seq;
1319 static void io_commit_cqring(struct io_ring_ctx *ctx)
1321 io_flush_timeouts(ctx);
1323 /* order cqe stores with ring update */
1324 smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail);
1326 if (unlikely(!list_empty(&ctx->defer_list)))
1327 __io_queue_deferred(ctx);
1330 static inline bool io_sqring_full(struct io_ring_ctx *ctx)
1332 struct io_rings *r = ctx->rings;
1334 return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == r->sq_ring_entries;
1337 static inline unsigned int __io_cqring_events(struct io_ring_ctx *ctx)
1339 return ctx->cached_cq_tail - READ_ONCE(ctx->rings->cq.head);
1342 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1344 struct io_rings *rings = ctx->rings;
1348 * writes to the cq entry need to come after reading head; the
1349 * control dependency is enough as we're using WRITE_ONCE to
1352 if (__io_cqring_events(ctx) == rings->cq_ring_entries)
1355 tail = ctx->cached_cq_tail++;
1356 return &rings->cqes[tail & ctx->cq_mask];
1359 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1363 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1365 if (!ctx->eventfd_async)
1367 return io_wq_current_is_worker();
1370 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1372 /* see waitqueue_active() comment */
1375 if (waitqueue_active(&ctx->wait))
1376 wake_up(&ctx->wait);
1377 if (ctx->sq_data && waitqueue_active(&ctx->sq_data->wait))
1378 wake_up(&ctx->sq_data->wait);
1379 if (io_should_trigger_evfd(ctx))
1380 eventfd_signal(ctx->cq_ev_fd, 1);
1381 if (waitqueue_active(&ctx->cq_wait)) {
1382 wake_up_interruptible(&ctx->cq_wait);
1383 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1387 static void io_cqring_ev_posted_iopoll(struct io_ring_ctx *ctx)
1389 /* see waitqueue_active() comment */
1392 if (ctx->flags & IORING_SETUP_SQPOLL) {
1393 if (waitqueue_active(&ctx->wait))
1394 wake_up(&ctx->wait);
1396 if (io_should_trigger_evfd(ctx))
1397 eventfd_signal(ctx->cq_ev_fd, 1);
1398 if (waitqueue_active(&ctx->cq_wait)) {
1399 wake_up_interruptible(&ctx->cq_wait);
1400 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1404 /* Returns true if there are no backlogged entries after the flush */
1405 static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force,
1406 struct task_struct *tsk,
1407 struct files_struct *files)
1409 struct io_rings *rings = ctx->rings;
1410 struct io_kiocb *req, *tmp;
1411 struct io_uring_cqe *cqe;
1412 unsigned long flags;
1413 bool all_flushed, posted;
1416 if (!force && __io_cqring_events(ctx) == rings->cq_ring_entries)
1420 spin_lock_irqsave(&ctx->completion_lock, flags);
1421 list_for_each_entry_safe(req, tmp, &ctx->cq_overflow_list, compl.list) {
1422 if (!io_match_task(req, tsk, files))
1425 cqe = io_get_cqring(ctx);
1429 list_move(&req->compl.list, &list);
1431 WRITE_ONCE(cqe->user_data, req->user_data);
1432 WRITE_ONCE(cqe->res, req->result);
1433 WRITE_ONCE(cqe->flags, req->compl.cflags);
1435 ctx->cached_cq_overflow++;
1436 WRITE_ONCE(ctx->rings->cq_overflow,
1437 ctx->cached_cq_overflow);
1442 all_flushed = list_empty(&ctx->cq_overflow_list);
1444 clear_bit(0, &ctx->sq_check_overflow);
1445 clear_bit(0, &ctx->cq_check_overflow);
1446 ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
1450 io_commit_cqring(ctx);
1451 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1453 io_cqring_ev_posted(ctx);
1455 while (!list_empty(&list)) {
1456 req = list_first_entry(&list, struct io_kiocb, compl.list);
1457 list_del(&req->compl.list);
1464 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force,
1465 struct task_struct *tsk,
1466 struct files_struct *files)
1470 if (test_bit(0, &ctx->cq_check_overflow)) {
1471 /* iopoll syncs against uring_lock, not completion_lock */
1472 if (ctx->flags & IORING_SETUP_IOPOLL)
1473 mutex_lock(&ctx->uring_lock);
1474 ret = __io_cqring_overflow_flush(ctx, force, tsk, files);
1475 if (ctx->flags & IORING_SETUP_IOPOLL)
1476 mutex_unlock(&ctx->uring_lock);
1482 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1484 struct io_ring_ctx *ctx = req->ctx;
1485 struct io_uring_cqe *cqe;
1487 trace_io_uring_complete(ctx, req->user_data, res);
1490 * If we can't get a cq entry, userspace overflowed the
1491 * submission (by quite a lot). Increment the overflow count in
1494 cqe = io_get_cqring(ctx);
1496 WRITE_ONCE(cqe->user_data, req->user_data);
1497 WRITE_ONCE(cqe->res, res);
1498 WRITE_ONCE(cqe->flags, cflags);
1499 } else if (ctx->cq_overflow_flushed ||
1500 atomic_read(&req->task->io_uring->in_idle)) {
1502 * If we're in ring overflow flush mode, or in task cancel mode,
1503 * then we cannot store the request for later flushing, we need
1504 * to drop it on the floor.
1506 ctx->cached_cq_overflow++;
1507 WRITE_ONCE(ctx->rings->cq_overflow, ctx->cached_cq_overflow);
1509 if (list_empty(&ctx->cq_overflow_list)) {
1510 set_bit(0, &ctx->sq_check_overflow);
1511 set_bit(0, &ctx->cq_check_overflow);
1512 ctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;
1516 req->compl.cflags = cflags;
1517 refcount_inc(&req->refs);
1518 list_add_tail(&req->compl.list, &ctx->cq_overflow_list);
1522 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1524 __io_cqring_fill_event(req, res, 0);
1527 static void io_req_complete_post(struct io_kiocb *req, long res,
1528 unsigned int cflags)
1530 struct io_ring_ctx *ctx = req->ctx;
1531 unsigned long flags;
1533 spin_lock_irqsave(&ctx->completion_lock, flags);
1534 __io_cqring_fill_event(req, res, cflags);
1536 * If we're the last reference to this request, add to our locked
1539 if (refcount_dec_and_test(&req->refs)) {
1540 struct io_comp_state *cs = &ctx->submit_state.comp;
1542 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
1543 if (req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_FAIL_LINK))
1544 io_disarm_next(req);
1546 io_req_task_queue(req->link);
1550 io_dismantle_req(req);
1551 io_put_task(req->task, 1);
1552 list_add(&req->compl.list, &cs->locked_free_list);
1553 cs->locked_free_nr++;
1555 if (!percpu_ref_tryget(&ctx->refs))
1558 io_commit_cqring(ctx);
1559 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1562 io_cqring_ev_posted(ctx);
1563 percpu_ref_put(&ctx->refs);
1567 static void io_req_complete_state(struct io_kiocb *req, long res,
1568 unsigned int cflags)
1572 req->compl.cflags = cflags;
1573 req->flags |= REQ_F_COMPLETE_INLINE;
1576 static inline void __io_req_complete(struct io_kiocb *req, unsigned issue_flags,
1577 long res, unsigned cflags)
1579 if (issue_flags & IO_URING_F_COMPLETE_DEFER)
1580 io_req_complete_state(req, res, cflags);
1582 io_req_complete_post(req, res, cflags);
1585 static inline void io_req_complete(struct io_kiocb *req, long res)
1587 __io_req_complete(req, 0, res, 0);
1590 static bool io_flush_cached_reqs(struct io_ring_ctx *ctx)
1592 struct io_submit_state *state = &ctx->submit_state;
1593 struct io_comp_state *cs = &state->comp;
1594 struct io_kiocb *req = NULL;
1597 * If we have more than a batch's worth of requests in our IRQ side
1598 * locked cache, grab the lock and move them over to our submission
1601 if (READ_ONCE(cs->locked_free_nr) > IO_COMPL_BATCH) {
1602 spin_lock_irq(&ctx->completion_lock);
1603 list_splice_init(&cs->locked_free_list, &cs->free_list);
1604 cs->locked_free_nr = 0;
1605 spin_unlock_irq(&ctx->completion_lock);
1608 while (!list_empty(&cs->free_list)) {
1609 req = list_first_entry(&cs->free_list, struct io_kiocb,
1611 list_del(&req->compl.list);
1612 state->reqs[state->free_reqs++] = req;
1613 if (state->free_reqs == ARRAY_SIZE(state->reqs))
1620 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx)
1622 struct io_submit_state *state = &ctx->submit_state;
1624 BUILD_BUG_ON(IO_REQ_ALLOC_BATCH > ARRAY_SIZE(state->reqs));
1626 if (!state->free_reqs) {
1627 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1630 if (io_flush_cached_reqs(ctx))
1633 ret = kmem_cache_alloc_bulk(req_cachep, gfp, IO_REQ_ALLOC_BATCH,
1637 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1638 * retry single alloc to be on the safe side.
1640 if (unlikely(ret <= 0)) {
1641 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1642 if (!state->reqs[0])
1646 state->free_reqs = ret;
1650 return state->reqs[state->free_reqs];
1653 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1660 static void io_dismantle_req(struct io_kiocb *req)
1664 if (req->async_data)
1665 kfree(req->async_data);
1667 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1668 if (req->fixed_rsrc_refs)
1669 percpu_ref_put(req->fixed_rsrc_refs);
1670 if (req->work.creds) {
1671 put_cred(req->work.creds);
1672 req->work.creds = NULL;
1675 if (req->flags & REQ_F_INFLIGHT) {
1676 struct io_ring_ctx *ctx = req->ctx;
1677 unsigned long flags;
1679 spin_lock_irqsave(&ctx->inflight_lock, flags);
1680 list_del(&req->inflight_entry);
1681 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1682 req->flags &= ~REQ_F_INFLIGHT;
1686 /* must to be called somewhat shortly after putting a request */
1687 static inline void io_put_task(struct task_struct *task, int nr)
1689 struct io_uring_task *tctx = task->io_uring;
1691 percpu_counter_sub(&tctx->inflight, nr);
1692 if (unlikely(atomic_read(&tctx->in_idle)))
1693 wake_up(&tctx->wait);
1694 put_task_struct_many(task, nr);
1697 static void __io_free_req(struct io_kiocb *req)
1699 struct io_ring_ctx *ctx = req->ctx;
1701 io_dismantle_req(req);
1702 io_put_task(req->task, 1);
1704 kmem_cache_free(req_cachep, req);
1705 percpu_ref_put(&ctx->refs);
1708 static inline void io_remove_next_linked(struct io_kiocb *req)
1710 struct io_kiocb *nxt = req->link;
1712 req->link = nxt->link;
1716 static bool io_kill_linked_timeout(struct io_kiocb *req)
1717 __must_hold(&req->ctx->completion_lock)
1719 struct io_kiocb *link = req->link;
1720 bool cancelled = false;
1723 * Can happen if a linked timeout fired and link had been like
1724 * req -> link t-out -> link t-out [-> ...]
1726 if (link && (link->flags & REQ_F_LTIMEOUT_ACTIVE)) {
1727 struct io_timeout_data *io = link->async_data;
1730 io_remove_next_linked(req);
1731 link->timeout.head = NULL;
1732 ret = hrtimer_try_to_cancel(&io->timer);
1734 io_cqring_fill_event(link, -ECANCELED);
1735 io_put_req_deferred(link, 1);
1739 req->flags &= ~REQ_F_LINK_TIMEOUT;
1743 static void io_fail_links(struct io_kiocb *req)
1744 __must_hold(&req->ctx->completion_lock)
1746 struct io_kiocb *nxt, *link = req->link;
1753 trace_io_uring_fail_link(req, link);
1754 io_cqring_fill_event(link, -ECANCELED);
1755 io_put_req_deferred(link, 2);
1760 static bool io_disarm_next(struct io_kiocb *req)
1761 __must_hold(&req->ctx->completion_lock)
1763 bool posted = false;
1765 if (likely(req->flags & REQ_F_LINK_TIMEOUT))
1766 posted = io_kill_linked_timeout(req);
1767 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1768 posted |= (req->link != NULL);
1774 static struct io_kiocb *__io_req_find_next(struct io_kiocb *req)
1776 struct io_kiocb *nxt;
1779 * If LINK is set, we have dependent requests in this chain. If we
1780 * didn't fail this request, queue the first one up, moving any other
1781 * dependencies to the next request. In case of failure, fail the rest
1784 if (req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_FAIL_LINK)) {
1785 struct io_ring_ctx *ctx = req->ctx;
1786 unsigned long flags;
1789 spin_lock_irqsave(&ctx->completion_lock, flags);
1790 posted = io_disarm_next(req);
1792 io_commit_cqring(req->ctx);
1793 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1795 io_cqring_ev_posted(ctx);
1802 static inline struct io_kiocb *io_req_find_next(struct io_kiocb *req)
1804 if (likely(!(req->flags & (REQ_F_LINK|REQ_F_HARDLINK))))
1806 return __io_req_find_next(req);
1809 static void ctx_flush_and_put(struct io_ring_ctx *ctx)
1813 if (ctx->submit_state.comp.nr) {
1814 mutex_lock(&ctx->uring_lock);
1815 io_submit_flush_completions(&ctx->submit_state.comp, ctx);
1816 mutex_unlock(&ctx->uring_lock);
1818 percpu_ref_put(&ctx->refs);
1821 static bool __tctx_task_work(struct io_uring_task *tctx)
1823 struct io_ring_ctx *ctx = NULL;
1824 struct io_wq_work_list list;
1825 struct io_wq_work_node *node;
1827 if (wq_list_empty(&tctx->task_list))
1830 spin_lock_irq(&tctx->task_lock);
1831 list = tctx->task_list;
1832 INIT_WQ_LIST(&tctx->task_list);
1833 spin_unlock_irq(&tctx->task_lock);
1837 struct io_wq_work_node *next = node->next;
1838 struct io_kiocb *req;
1840 req = container_of(node, struct io_kiocb, io_task_work.node);
1841 if (req->ctx != ctx) {
1842 ctx_flush_and_put(ctx);
1844 percpu_ref_get(&ctx->refs);
1847 req->task_work.func(&req->task_work);
1851 ctx_flush_and_put(ctx);
1852 return list.first != NULL;
1855 static void tctx_task_work(struct callback_head *cb)
1857 struct io_uring_task *tctx = container_of(cb, struct io_uring_task, task_work);
1859 clear_bit(0, &tctx->task_state);
1861 while (__tctx_task_work(tctx))
1865 static int io_task_work_add(struct task_struct *tsk, struct io_kiocb *req,
1866 enum task_work_notify_mode notify)
1868 struct io_uring_task *tctx = tsk->io_uring;
1869 struct io_wq_work_node *node, *prev;
1870 unsigned long flags;
1873 WARN_ON_ONCE(!tctx);
1875 spin_lock_irqsave(&tctx->task_lock, flags);
1876 wq_list_add_tail(&req->io_task_work.node, &tctx->task_list);
1877 spin_unlock_irqrestore(&tctx->task_lock, flags);
1879 /* task_work already pending, we're done */
1880 if (test_bit(0, &tctx->task_state) ||
1881 test_and_set_bit(0, &tctx->task_state))
1884 if (!task_work_add(tsk, &tctx->task_work, notify))
1888 * Slow path - we failed, find and delete work. if the work is not
1889 * in the list, it got run and we're fine.
1892 spin_lock_irqsave(&tctx->task_lock, flags);
1893 wq_list_for_each(node, prev, &tctx->task_list) {
1894 if (&req->io_task_work.node == node) {
1895 wq_list_del(&tctx->task_list, node, prev);
1900 spin_unlock_irqrestore(&tctx->task_lock, flags);
1901 clear_bit(0, &tctx->task_state);
1905 static int io_req_task_work_add(struct io_kiocb *req)
1907 struct task_struct *tsk = req->task;
1908 struct io_ring_ctx *ctx = req->ctx;
1909 enum task_work_notify_mode notify;
1912 if (tsk->flags & PF_EXITING)
1916 * SQPOLL kernel thread doesn't need notification, just a wakeup. For
1917 * all other cases, use TWA_SIGNAL unconditionally to ensure we're
1918 * processing task_work. There's no reliable way to tell if TWA_RESUME
1922 if (!(ctx->flags & IORING_SETUP_SQPOLL))
1923 notify = TWA_SIGNAL;
1925 ret = io_task_work_add(tsk, req, notify);
1927 wake_up_process(tsk);
1932 static void io_req_task_work_add_fallback(struct io_kiocb *req,
1933 task_work_func_t cb)
1935 struct io_ring_ctx *ctx = req->ctx;
1936 struct callback_head *head;
1938 init_task_work(&req->task_work, cb);
1940 head = READ_ONCE(ctx->exit_task_work);
1941 req->task_work.next = head;
1942 } while (cmpxchg(&ctx->exit_task_work, head, &req->task_work) != head);
1945 static void __io_req_task_cancel(struct io_kiocb *req, int error)
1947 struct io_ring_ctx *ctx = req->ctx;
1949 spin_lock_irq(&ctx->completion_lock);
1950 io_cqring_fill_event(req, error);
1951 io_commit_cqring(ctx);
1952 spin_unlock_irq(&ctx->completion_lock);
1954 io_cqring_ev_posted(ctx);
1955 req_set_fail_links(req);
1956 io_double_put_req(req);
1959 static void io_req_task_cancel(struct callback_head *cb)
1961 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1962 struct io_ring_ctx *ctx = req->ctx;
1964 mutex_lock(&ctx->uring_lock);
1965 __io_req_task_cancel(req, req->result);
1966 mutex_unlock(&ctx->uring_lock);
1967 percpu_ref_put(&ctx->refs);
1970 static void __io_req_task_submit(struct io_kiocb *req)
1972 struct io_ring_ctx *ctx = req->ctx;
1974 /* ctx stays valid until unlock, even if we drop all ours ctx->refs */
1975 mutex_lock(&ctx->uring_lock);
1976 if (!(current->flags & PF_EXITING) && !current->in_execve)
1977 __io_queue_sqe(req);
1979 __io_req_task_cancel(req, -EFAULT);
1980 mutex_unlock(&ctx->uring_lock);
1983 static void io_req_task_submit(struct callback_head *cb)
1985 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1987 __io_req_task_submit(req);
1990 static void io_req_task_queue(struct io_kiocb *req)
1994 req->task_work.func = io_req_task_submit;
1995 ret = io_req_task_work_add(req);
1996 if (unlikely(ret)) {
1997 req->result = -ECANCELED;
1998 percpu_ref_get(&req->ctx->refs);
1999 io_req_task_work_add_fallback(req, io_req_task_cancel);
2003 static void io_req_task_queue_fail(struct io_kiocb *req, int ret)
2005 percpu_ref_get(&req->ctx->refs);
2007 req->task_work.func = io_req_task_cancel;
2009 if (unlikely(io_req_task_work_add(req)))
2010 io_req_task_work_add_fallback(req, io_req_task_cancel);
2013 static inline void io_queue_next(struct io_kiocb *req)
2015 struct io_kiocb *nxt = io_req_find_next(req);
2018 io_req_task_queue(nxt);
2021 static void io_free_req(struct io_kiocb *req)
2028 struct task_struct *task;
2033 static inline void io_init_req_batch(struct req_batch *rb)
2040 static void io_req_free_batch_finish(struct io_ring_ctx *ctx,
2041 struct req_batch *rb)
2044 io_put_task(rb->task, rb->task_refs);
2046 percpu_ref_put_many(&ctx->refs, rb->ctx_refs);
2049 static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req,
2050 struct io_submit_state *state)
2054 if (req->task != rb->task) {
2056 io_put_task(rb->task, rb->task_refs);
2057 rb->task = req->task;
2063 io_dismantle_req(req);
2064 if (state->free_reqs != ARRAY_SIZE(state->reqs))
2065 state->reqs[state->free_reqs++] = req;
2067 list_add(&req->compl.list, &state->comp.free_list);
2070 static void io_submit_flush_completions(struct io_comp_state *cs,
2071 struct io_ring_ctx *ctx)
2074 struct io_kiocb *req;
2075 struct req_batch rb;
2077 io_init_req_batch(&rb);
2078 spin_lock_irq(&ctx->completion_lock);
2079 for (i = 0; i < nr; i++) {
2081 __io_cqring_fill_event(req, req->result, req->compl.cflags);
2083 io_commit_cqring(ctx);
2084 spin_unlock_irq(&ctx->completion_lock);
2086 io_cqring_ev_posted(ctx);
2087 for (i = 0; i < nr; i++) {
2090 /* submission and completion refs */
2091 if (refcount_sub_and_test(2, &req->refs))
2092 io_req_free_batch(&rb, req, &ctx->submit_state);
2095 io_req_free_batch_finish(ctx, &rb);
2100 * Drop reference to request, return next in chain (if there is one) if this
2101 * was the last reference to this request.
2103 static struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
2105 struct io_kiocb *nxt = NULL;
2107 if (refcount_dec_and_test(&req->refs)) {
2108 nxt = io_req_find_next(req);
2114 static void io_put_req(struct io_kiocb *req)
2116 if (refcount_dec_and_test(&req->refs))
2120 static void io_put_req_deferred_cb(struct callback_head *cb)
2122 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2127 static void io_free_req_deferred(struct io_kiocb *req)
2131 req->task_work.func = io_put_req_deferred_cb;
2132 ret = io_req_task_work_add(req);
2134 io_req_task_work_add_fallback(req, io_put_req_deferred_cb);
2137 static inline void io_put_req_deferred(struct io_kiocb *req, int refs)
2139 if (refcount_sub_and_test(refs, &req->refs))
2140 io_free_req_deferred(req);
2143 static void io_double_put_req(struct io_kiocb *req)
2145 /* drop both submit and complete references */
2146 if (refcount_sub_and_test(2, &req->refs))
2150 static unsigned io_cqring_events(struct io_ring_ctx *ctx)
2152 /* See comment at the top of this file */
2154 return __io_cqring_events(ctx);
2157 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
2159 struct io_rings *rings = ctx->rings;
2161 /* make sure SQ entry isn't read before tail */
2162 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
2165 static unsigned int io_put_kbuf(struct io_kiocb *req, struct io_buffer *kbuf)
2167 unsigned int cflags;
2169 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
2170 cflags |= IORING_CQE_F_BUFFER;
2171 req->flags &= ~REQ_F_BUFFER_SELECTED;
2176 static inline unsigned int io_put_rw_kbuf(struct io_kiocb *req)
2178 struct io_buffer *kbuf;
2180 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2181 return io_put_kbuf(req, kbuf);
2184 static inline bool io_run_task_work(void)
2187 * Not safe to run on exiting task, and the task_work handling will
2188 * not add work to such a task.
2190 if (unlikely(current->flags & PF_EXITING))
2192 if (current->task_works) {
2193 __set_current_state(TASK_RUNNING);
2202 * Find and free completed poll iocbs
2204 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
2205 struct list_head *done)
2207 struct req_batch rb;
2208 struct io_kiocb *req;
2210 /* order with ->result store in io_complete_rw_iopoll() */
2213 io_init_req_batch(&rb);
2214 while (!list_empty(done)) {
2217 req = list_first_entry(done, struct io_kiocb, inflight_entry);
2218 list_del(&req->inflight_entry);
2220 if (READ_ONCE(req->result) == -EAGAIN) {
2221 req->iopoll_completed = 0;
2222 if (io_rw_reissue(req))
2226 if (req->flags & REQ_F_BUFFER_SELECTED)
2227 cflags = io_put_rw_kbuf(req);
2229 __io_cqring_fill_event(req, req->result, cflags);
2232 if (refcount_dec_and_test(&req->refs))
2233 io_req_free_batch(&rb, req, &ctx->submit_state);
2236 io_commit_cqring(ctx);
2237 io_cqring_ev_posted_iopoll(ctx);
2238 io_req_free_batch_finish(ctx, &rb);
2241 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
2244 struct io_kiocb *req, *tmp;
2250 * Only spin for completions if we don't have multiple devices hanging
2251 * off our complete list, and we're under the requested amount.
2253 spin = !ctx->poll_multi_file && *nr_events < min;
2256 list_for_each_entry_safe(req, tmp, &ctx->iopoll_list, inflight_entry) {
2257 struct kiocb *kiocb = &req->rw.kiocb;
2260 * Move completed and retryable entries to our local lists.
2261 * If we find a request that requires polling, break out
2262 * and complete those lists first, if we have entries there.
2264 if (READ_ONCE(req->iopoll_completed)) {
2265 list_move_tail(&req->inflight_entry, &done);
2268 if (!list_empty(&done))
2271 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
2275 /* iopoll may have completed current req */
2276 if (READ_ONCE(req->iopoll_completed))
2277 list_move_tail(&req->inflight_entry, &done);
2284 if (!list_empty(&done))
2285 io_iopoll_complete(ctx, nr_events, &done);
2291 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
2292 * non-spinning poll check - we'll still enter the driver poll loop, but only
2293 * as a non-spinning completion check.
2295 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
2298 while (!list_empty(&ctx->iopoll_list) && !need_resched()) {
2301 ret = io_do_iopoll(ctx, nr_events, min);
2304 if (*nr_events >= min)
2312 * We can't just wait for polled events to come to us, we have to actively
2313 * find and complete them.
2315 static void io_iopoll_try_reap_events(struct io_ring_ctx *ctx)
2317 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2320 mutex_lock(&ctx->uring_lock);
2321 while (!list_empty(&ctx->iopoll_list)) {
2322 unsigned int nr_events = 0;
2324 io_do_iopoll(ctx, &nr_events, 0);
2326 /* let it sleep and repeat later if can't complete a request */
2330 * Ensure we allow local-to-the-cpu processing to take place,
2331 * in this case we need to ensure that we reap all events.
2332 * Also let task_work, etc. to progress by releasing the mutex
2334 if (need_resched()) {
2335 mutex_unlock(&ctx->uring_lock);
2337 mutex_lock(&ctx->uring_lock);
2340 mutex_unlock(&ctx->uring_lock);
2343 static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
2345 unsigned int nr_events = 0;
2346 int iters = 0, ret = 0;
2349 * We disallow the app entering submit/complete with polling, but we
2350 * still need to lock the ring to prevent racing with polled issue
2351 * that got punted to a workqueue.
2353 mutex_lock(&ctx->uring_lock);
2356 * Don't enter poll loop if we already have events pending.
2357 * If we do, we can potentially be spinning for commands that
2358 * already triggered a CQE (eg in error).
2360 if (test_bit(0, &ctx->cq_check_overflow))
2361 __io_cqring_overflow_flush(ctx, false, NULL, NULL);
2362 if (io_cqring_events(ctx))
2366 * If a submit got punted to a workqueue, we can have the
2367 * application entering polling for a command before it gets
2368 * issued. That app will hold the uring_lock for the duration
2369 * of the poll right here, so we need to take a breather every
2370 * now and then to ensure that the issue has a chance to add
2371 * the poll to the issued list. Otherwise we can spin here
2372 * forever, while the workqueue is stuck trying to acquire the
2375 if (!(++iters & 7)) {
2376 mutex_unlock(&ctx->uring_lock);
2378 mutex_lock(&ctx->uring_lock);
2381 ret = io_iopoll_getevents(ctx, &nr_events, min);
2385 } while (min && !nr_events && !need_resched());
2387 mutex_unlock(&ctx->uring_lock);
2391 static void kiocb_end_write(struct io_kiocb *req)
2394 * Tell lockdep we inherited freeze protection from submission
2397 if (req->flags & REQ_F_ISREG) {
2398 struct inode *inode = file_inode(req->file);
2400 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2402 file_end_write(req->file);
2406 static bool io_resubmit_prep(struct io_kiocb *req)
2408 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2410 struct iov_iter iter;
2412 /* already prepared */
2413 if (req->async_data)
2416 switch (req->opcode) {
2417 case IORING_OP_READV:
2418 case IORING_OP_READ_FIXED:
2419 case IORING_OP_READ:
2422 case IORING_OP_WRITEV:
2423 case IORING_OP_WRITE_FIXED:
2424 case IORING_OP_WRITE:
2428 printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
2433 ret = io_import_iovec(rw, req, &iovec, &iter, false);
2436 return !io_setup_async_rw(req, iovec, inline_vecs, &iter, false);
2439 static bool io_rw_should_reissue(struct io_kiocb *req)
2441 umode_t mode = file_inode(req->file)->i_mode;
2442 struct io_ring_ctx *ctx = req->ctx;
2444 if (!S_ISBLK(mode) && !S_ISREG(mode))
2446 if ((req->flags & REQ_F_NOWAIT) || (io_wq_current_is_worker() &&
2447 !(ctx->flags & IORING_SETUP_IOPOLL)))
2450 * If ref is dying, we might be running poll reap from the exit work.
2451 * Don't attempt to reissue from that path, just let it fail with
2454 if (percpu_ref_is_dying(&ctx->refs))
2460 static bool io_rw_reissue(struct io_kiocb *req)
2463 if (!io_rw_should_reissue(req))
2466 lockdep_assert_held(&req->ctx->uring_lock);
2468 if (io_resubmit_prep(req)) {
2469 refcount_inc(&req->refs);
2470 io_queue_async_work(req);
2473 req_set_fail_links(req);
2478 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
2479 unsigned int issue_flags)
2483 if ((res == -EAGAIN || res == -EOPNOTSUPP) && io_rw_reissue(req))
2485 if (res != req->result)
2486 req_set_fail_links(req);
2488 if (req->rw.kiocb.ki_flags & IOCB_WRITE)
2489 kiocb_end_write(req);
2490 if (req->flags & REQ_F_BUFFER_SELECTED)
2491 cflags = io_put_rw_kbuf(req);
2492 __io_req_complete(req, issue_flags, res, cflags);
2495 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
2497 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2499 __io_complete_rw(req, res, res2, 0);
2502 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
2504 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2507 /* Rewind iter, if we have one. iopoll path resubmits as usual */
2508 if (res == -EAGAIN && io_rw_should_reissue(req)) {
2509 struct io_async_rw *rw = req->async_data;
2512 iov_iter_revert(&rw->iter,
2513 req->result - iov_iter_count(&rw->iter));
2514 else if (!io_resubmit_prep(req))
2519 if (kiocb->ki_flags & IOCB_WRITE)
2520 kiocb_end_write(req);
2522 if (res != -EAGAIN && res != req->result)
2523 req_set_fail_links(req);
2525 WRITE_ONCE(req->result, res);
2526 /* order with io_poll_complete() checking ->result */
2528 WRITE_ONCE(req->iopoll_completed, 1);
2532 * After the iocb has been issued, it's safe to be found on the poll list.
2533 * Adding the kiocb to the list AFTER submission ensures that we don't
2534 * find it from a io_iopoll_getevents() thread before the issuer is done
2535 * accessing the kiocb cookie.
2537 static void io_iopoll_req_issued(struct io_kiocb *req, bool in_async)
2539 struct io_ring_ctx *ctx = req->ctx;
2542 * Track whether we have multiple files in our lists. This will impact
2543 * how we do polling eventually, not spinning if we're on potentially
2544 * different devices.
2546 if (list_empty(&ctx->iopoll_list)) {
2547 ctx->poll_multi_file = false;
2548 } else if (!ctx->poll_multi_file) {
2549 struct io_kiocb *list_req;
2551 list_req = list_first_entry(&ctx->iopoll_list, struct io_kiocb,
2553 if (list_req->file != req->file)
2554 ctx->poll_multi_file = true;
2558 * For fast devices, IO may have already completed. If it has, add
2559 * it to the front so we find it first.
2561 if (READ_ONCE(req->iopoll_completed))
2562 list_add(&req->inflight_entry, &ctx->iopoll_list);
2564 list_add_tail(&req->inflight_entry, &ctx->iopoll_list);
2567 * If IORING_SETUP_SQPOLL is enabled, sqes are either handled in sq thread
2568 * task context or in io worker task context. If current task context is
2569 * sq thread, we don't need to check whether should wake up sq thread.
2571 if (in_async && (ctx->flags & IORING_SETUP_SQPOLL) &&
2572 wq_has_sleeper(&ctx->sq_data->wait))
2573 wake_up(&ctx->sq_data->wait);
2576 static inline void io_state_file_put(struct io_submit_state *state)
2578 if (state->file_refs) {
2579 fput_many(state->file, state->file_refs);
2580 state->file_refs = 0;
2585 * Get as many references to a file as we have IOs left in this submission,
2586 * assuming most submissions are for one file, or at least that each file
2587 * has more than one submission.
2589 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2594 if (state->file_refs) {
2595 if (state->fd == fd) {
2599 io_state_file_put(state);
2601 state->file = fget_many(fd, state->ios_left);
2602 if (unlikely(!state->file))
2606 state->file_refs = state->ios_left - 1;
2610 static bool io_bdev_nowait(struct block_device *bdev)
2612 return !bdev || blk_queue_nowait(bdev_get_queue(bdev));
2616 * If we tracked the file through the SCM inflight mechanism, we could support
2617 * any file. For now, just ensure that anything potentially problematic is done
2620 static bool io_file_supports_async(struct file *file, int rw)
2622 umode_t mode = file_inode(file)->i_mode;
2624 if (S_ISBLK(mode)) {
2625 if (IS_ENABLED(CONFIG_BLOCK) &&
2626 io_bdev_nowait(I_BDEV(file->f_mapping->host)))
2630 if (S_ISCHR(mode) || S_ISSOCK(mode))
2632 if (S_ISREG(mode)) {
2633 if (IS_ENABLED(CONFIG_BLOCK) &&
2634 io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
2635 file->f_op != &io_uring_fops)
2640 /* any ->read/write should understand O_NONBLOCK */
2641 if (file->f_flags & O_NONBLOCK)
2644 if (!(file->f_mode & FMODE_NOWAIT))
2648 return file->f_op->read_iter != NULL;
2650 return file->f_op->write_iter != NULL;
2653 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2655 struct io_ring_ctx *ctx = req->ctx;
2656 struct kiocb *kiocb = &req->rw.kiocb;
2657 struct file *file = req->file;
2661 if (S_ISREG(file_inode(file)->i_mode))
2662 req->flags |= REQ_F_ISREG;
2664 kiocb->ki_pos = READ_ONCE(sqe->off);
2665 if (kiocb->ki_pos == -1 && !(file->f_mode & FMODE_STREAM)) {
2666 req->flags |= REQ_F_CUR_POS;
2667 kiocb->ki_pos = file->f_pos;
2669 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2670 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2671 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2675 /* don't allow async punt for O_NONBLOCK or RWF_NOWAIT */
2676 if ((kiocb->ki_flags & IOCB_NOWAIT) || (file->f_flags & O_NONBLOCK))
2677 req->flags |= REQ_F_NOWAIT;
2679 ioprio = READ_ONCE(sqe->ioprio);
2681 ret = ioprio_check_cap(ioprio);
2685 kiocb->ki_ioprio = ioprio;
2687 kiocb->ki_ioprio = get_current_ioprio();
2689 if (ctx->flags & IORING_SETUP_IOPOLL) {
2690 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2691 !kiocb->ki_filp->f_op->iopoll)
2694 kiocb->ki_flags |= IOCB_HIPRI;
2695 kiocb->ki_complete = io_complete_rw_iopoll;
2696 req->iopoll_completed = 0;
2698 if (kiocb->ki_flags & IOCB_HIPRI)
2700 kiocb->ki_complete = io_complete_rw;
2703 req->rw.addr = READ_ONCE(sqe->addr);
2704 req->rw.len = READ_ONCE(sqe->len);
2705 req->buf_index = READ_ONCE(sqe->buf_index);
2709 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2715 case -ERESTARTNOINTR:
2716 case -ERESTARTNOHAND:
2717 case -ERESTART_RESTARTBLOCK:
2719 * We can't just restart the syscall, since previously
2720 * submitted sqes may already be in progress. Just fail this
2726 kiocb->ki_complete(kiocb, ret, 0);
2730 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
2731 unsigned int issue_flags)
2733 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2734 struct io_async_rw *io = req->async_data;
2736 /* add previously done IO, if any */
2737 if (io && io->bytes_done > 0) {
2739 ret = io->bytes_done;
2741 ret += io->bytes_done;
2744 if (req->flags & REQ_F_CUR_POS)
2745 req->file->f_pos = kiocb->ki_pos;
2746 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2747 __io_complete_rw(req, ret, 0, issue_flags);
2749 io_rw_done(kiocb, ret);
2752 static int io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter)
2754 struct io_ring_ctx *ctx = req->ctx;
2755 size_t len = req->rw.len;
2756 struct io_mapped_ubuf *imu;
2757 u16 index, buf_index = req->buf_index;
2761 if (unlikely(buf_index >= ctx->nr_user_bufs))
2763 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2764 imu = &ctx->user_bufs[index];
2765 buf_addr = req->rw.addr;
2768 if (buf_addr + len < buf_addr)
2770 /* not inside the mapped region */
2771 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2775 * May not be a start of buffer, set size appropriately
2776 * and advance us to the beginning.
2778 offset = buf_addr - imu->ubuf;
2779 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2783 * Don't use iov_iter_advance() here, as it's really slow for
2784 * using the latter parts of a big fixed buffer - it iterates
2785 * over each segment manually. We can cheat a bit here, because
2788 * 1) it's a BVEC iter, we set it up
2789 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2790 * first and last bvec
2792 * So just find our index, and adjust the iterator afterwards.
2793 * If the offset is within the first bvec (or the whole first
2794 * bvec, just use iov_iter_advance(). This makes it easier
2795 * since we can just skip the first segment, which may not
2796 * be PAGE_SIZE aligned.
2798 const struct bio_vec *bvec = imu->bvec;
2800 if (offset <= bvec->bv_len) {
2801 iov_iter_advance(iter, offset);
2803 unsigned long seg_skip;
2805 /* skip first vec */
2806 offset -= bvec->bv_len;
2807 seg_skip = 1 + (offset >> PAGE_SHIFT);
2809 iter->bvec = bvec + seg_skip;
2810 iter->nr_segs -= seg_skip;
2811 iter->count -= bvec->bv_len + offset;
2812 iter->iov_offset = offset & ~PAGE_MASK;
2819 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2822 mutex_unlock(&ctx->uring_lock);
2825 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2828 * "Normal" inline submissions always hold the uring_lock, since we
2829 * grab it from the system call. Same is true for the SQPOLL offload.
2830 * The only exception is when we've detached the request and issue it
2831 * from an async worker thread, grab the lock for that case.
2834 mutex_lock(&ctx->uring_lock);
2837 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2838 int bgid, struct io_buffer *kbuf,
2841 struct io_buffer *head;
2843 if (req->flags & REQ_F_BUFFER_SELECTED)
2846 io_ring_submit_lock(req->ctx, needs_lock);
2848 lockdep_assert_held(&req->ctx->uring_lock);
2850 head = xa_load(&req->ctx->io_buffers, bgid);
2852 if (!list_empty(&head->list)) {
2853 kbuf = list_last_entry(&head->list, struct io_buffer,
2855 list_del(&kbuf->list);
2858 xa_erase(&req->ctx->io_buffers, bgid);
2860 if (*len > kbuf->len)
2863 kbuf = ERR_PTR(-ENOBUFS);
2866 io_ring_submit_unlock(req->ctx, needs_lock);
2871 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2874 struct io_buffer *kbuf;
2877 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2878 bgid = req->buf_index;
2879 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2882 req->rw.addr = (u64) (unsigned long) kbuf;
2883 req->flags |= REQ_F_BUFFER_SELECTED;
2884 return u64_to_user_ptr(kbuf->addr);
2887 #ifdef CONFIG_COMPAT
2888 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2891 struct compat_iovec __user *uiov;
2892 compat_ssize_t clen;
2896 uiov = u64_to_user_ptr(req->rw.addr);
2897 if (!access_ok(uiov, sizeof(*uiov)))
2899 if (__get_user(clen, &uiov->iov_len))
2905 buf = io_rw_buffer_select(req, &len, needs_lock);
2907 return PTR_ERR(buf);
2908 iov[0].iov_base = buf;
2909 iov[0].iov_len = (compat_size_t) len;
2914 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2917 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
2921 if (copy_from_user(iov, uiov, sizeof(*uiov)))
2924 len = iov[0].iov_len;
2927 buf = io_rw_buffer_select(req, &len, needs_lock);
2929 return PTR_ERR(buf);
2930 iov[0].iov_base = buf;
2931 iov[0].iov_len = len;
2935 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2938 if (req->flags & REQ_F_BUFFER_SELECTED) {
2939 struct io_buffer *kbuf;
2941 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2942 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
2943 iov[0].iov_len = kbuf->len;
2946 if (req->rw.len != 1)
2949 #ifdef CONFIG_COMPAT
2950 if (req->ctx->compat)
2951 return io_compat_import(req, iov, needs_lock);
2954 return __io_iov_buffer_select(req, iov, needs_lock);
2957 static int io_import_iovec(int rw, struct io_kiocb *req, struct iovec **iovec,
2958 struct iov_iter *iter, bool needs_lock)
2960 void __user *buf = u64_to_user_ptr(req->rw.addr);
2961 size_t sqe_len = req->rw.len;
2962 u8 opcode = req->opcode;
2965 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
2967 return io_import_fixed(req, rw, iter);
2970 /* buffer index only valid with fixed read/write, or buffer select */
2971 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
2974 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2975 if (req->flags & REQ_F_BUFFER_SELECT) {
2976 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
2978 return PTR_ERR(buf);
2979 req->rw.len = sqe_len;
2982 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2987 if (req->flags & REQ_F_BUFFER_SELECT) {
2988 ret = io_iov_buffer_select(req, *iovec, needs_lock);
2990 iov_iter_init(iter, rw, *iovec, 1, (*iovec)->iov_len);
2995 return __import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter,
2999 static inline loff_t *io_kiocb_ppos(struct kiocb *kiocb)
3001 return (kiocb->ki_filp->f_mode & FMODE_STREAM) ? NULL : &kiocb->ki_pos;
3005 * For files that don't have ->read_iter() and ->write_iter(), handle them
3006 * by looping over ->read() or ->write() manually.
3008 static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
3010 struct kiocb *kiocb = &req->rw.kiocb;
3011 struct file *file = req->file;
3015 * Don't support polled IO through this interface, and we can't
3016 * support non-blocking either. For the latter, this just causes
3017 * the kiocb to be handled from an async context.
3019 if (kiocb->ki_flags & IOCB_HIPRI)
3021 if (kiocb->ki_flags & IOCB_NOWAIT)
3024 while (iov_iter_count(iter)) {
3028 if (!iov_iter_is_bvec(iter)) {
3029 iovec = iov_iter_iovec(iter);
3031 iovec.iov_base = u64_to_user_ptr(req->rw.addr);
3032 iovec.iov_len = req->rw.len;
3036 nr = file->f_op->read(file, iovec.iov_base,
3037 iovec.iov_len, io_kiocb_ppos(kiocb));
3039 nr = file->f_op->write(file, iovec.iov_base,
3040 iovec.iov_len, io_kiocb_ppos(kiocb));
3049 if (nr != iovec.iov_len)
3053 iov_iter_advance(iter, nr);
3059 static void io_req_map_rw(struct io_kiocb *req, const struct iovec *iovec,
3060 const struct iovec *fast_iov, struct iov_iter *iter)
3062 struct io_async_rw *rw = req->async_data;
3064 memcpy(&rw->iter, iter, sizeof(*iter));
3065 rw->free_iovec = iovec;
3067 /* can only be fixed buffers, no need to do anything */
3068 if (iov_iter_is_bvec(iter))
3071 unsigned iov_off = 0;
3073 rw->iter.iov = rw->fast_iov;
3074 if (iter->iov != fast_iov) {
3075 iov_off = iter->iov - fast_iov;
3076 rw->iter.iov += iov_off;
3078 if (rw->fast_iov != fast_iov)
3079 memcpy(rw->fast_iov + iov_off, fast_iov + iov_off,
3080 sizeof(struct iovec) * iter->nr_segs);
3082 req->flags |= REQ_F_NEED_CLEANUP;
3086 static inline int __io_alloc_async_data(struct io_kiocb *req)
3088 WARN_ON_ONCE(!io_op_defs[req->opcode].async_size);
3089 req->async_data = kmalloc(io_op_defs[req->opcode].async_size, GFP_KERNEL);
3090 return req->async_data == NULL;
3093 static int io_alloc_async_data(struct io_kiocb *req)
3095 if (!io_op_defs[req->opcode].needs_async_data)
3098 return __io_alloc_async_data(req);
3101 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
3102 const struct iovec *fast_iov,
3103 struct iov_iter *iter, bool force)
3105 if (!force && !io_op_defs[req->opcode].needs_async_data)
3107 if (!req->async_data) {
3108 if (__io_alloc_async_data(req)) {
3113 io_req_map_rw(req, iovec, fast_iov, iter);
3118 static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
3120 struct io_async_rw *iorw = req->async_data;
3121 struct iovec *iov = iorw->fast_iov;
3124 ret = io_import_iovec(rw, req, &iov, &iorw->iter, false);
3125 if (unlikely(ret < 0))
3128 iorw->bytes_done = 0;
3129 iorw->free_iovec = iov;
3131 req->flags |= REQ_F_NEED_CLEANUP;
3135 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3137 if (unlikely(!(req->file->f_mode & FMODE_READ)))
3139 return io_prep_rw(req, sqe);
3143 * This is our waitqueue callback handler, registered through lock_page_async()
3144 * when we initially tried to do the IO with the iocb armed our waitqueue.
3145 * This gets called when the page is unlocked, and we generally expect that to
3146 * happen when the page IO is completed and the page is now uptodate. This will
3147 * queue a task_work based retry of the operation, attempting to copy the data
3148 * again. If the latter fails because the page was NOT uptodate, then we will
3149 * do a thread based blocking retry of the operation. That's the unexpected
3152 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
3153 int sync, void *arg)
3155 struct wait_page_queue *wpq;
3156 struct io_kiocb *req = wait->private;
3157 struct wait_page_key *key = arg;
3159 wpq = container_of(wait, struct wait_page_queue, wait);
3161 if (!wake_page_match(wpq, key))
3164 req->rw.kiocb.ki_flags &= ~IOCB_WAITQ;
3165 list_del_init(&wait->entry);
3167 /* submit ref gets dropped, acquire a new one */
3168 refcount_inc(&req->refs);
3169 io_req_task_queue(req);
3174 * This controls whether a given IO request should be armed for async page
3175 * based retry. If we return false here, the request is handed to the async
3176 * worker threads for retry. If we're doing buffered reads on a regular file,
3177 * we prepare a private wait_page_queue entry and retry the operation. This
3178 * will either succeed because the page is now uptodate and unlocked, or it
3179 * will register a callback when the page is unlocked at IO completion. Through
3180 * that callback, io_uring uses task_work to setup a retry of the operation.
3181 * That retry will attempt the buffered read again. The retry will generally
3182 * succeed, or in rare cases where it fails, we then fall back to using the
3183 * async worker threads for a blocking retry.
3185 static bool io_rw_should_retry(struct io_kiocb *req)
3187 struct io_async_rw *rw = req->async_data;
3188 struct wait_page_queue *wait = &rw->wpq;
3189 struct kiocb *kiocb = &req->rw.kiocb;
3191 /* never retry for NOWAIT, we just complete with -EAGAIN */
3192 if (req->flags & REQ_F_NOWAIT)
3195 /* Only for buffered IO */
3196 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_HIPRI))
3200 * just use poll if we can, and don't attempt if the fs doesn't
3201 * support callback based unlocks
3203 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
3206 wait->wait.func = io_async_buf_func;
3207 wait->wait.private = req;
3208 wait->wait.flags = 0;
3209 INIT_LIST_HEAD(&wait->wait.entry);
3210 kiocb->ki_flags |= IOCB_WAITQ;
3211 kiocb->ki_flags &= ~IOCB_NOWAIT;
3212 kiocb->ki_waitq = wait;
3216 static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
3218 if (req->file->f_op->read_iter)
3219 return call_read_iter(req->file, &req->rw.kiocb, iter);
3220 else if (req->file->f_op->read)
3221 return loop_rw_iter(READ, req, iter);
3226 static int io_read(struct io_kiocb *req, unsigned int issue_flags)
3228 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3229 struct kiocb *kiocb = &req->rw.kiocb;
3230 struct iov_iter __iter, *iter = &__iter;
3231 struct io_async_rw *rw = req->async_data;
3232 ssize_t io_size, ret, ret2;
3233 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3239 ret = io_import_iovec(READ, req, &iovec, iter, !force_nonblock);
3243 io_size = iov_iter_count(iter);
3244 req->result = io_size;
3246 /* Ensure we clear previously set non-block flag */
3247 if (!force_nonblock)
3248 kiocb->ki_flags &= ~IOCB_NOWAIT;
3250 kiocb->ki_flags |= IOCB_NOWAIT;
3252 /* If the file doesn't support async, just async punt */
3253 if (force_nonblock && !io_file_supports_async(req->file, READ)) {
3254 ret = io_setup_async_rw(req, iovec, inline_vecs, iter, true);
3255 return ret ?: -EAGAIN;
3258 ret = rw_verify_area(READ, req->file, io_kiocb_ppos(kiocb), io_size);
3259 if (unlikely(ret)) {
3264 ret = io_iter_do_read(req, iter);
3266 if (ret == -EIOCBQUEUED) {
3267 if (req->async_data)
3268 iov_iter_revert(iter, io_size - iov_iter_count(iter));
3270 } else if (ret == -EAGAIN) {
3271 /* IOPOLL retry should happen for io-wq threads */
3272 if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
3274 /* no retry on NONBLOCK nor RWF_NOWAIT */
3275 if (req->flags & REQ_F_NOWAIT)
3277 /* some cases will consume bytes even on error returns */
3278 iov_iter_revert(iter, io_size - iov_iter_count(iter));
3280 } else if (ret <= 0 || ret == io_size || !force_nonblock ||
3281 (req->flags & REQ_F_NOWAIT) || !(req->flags & REQ_F_ISREG)) {
3282 /* read all, failed, already did sync or don't want to retry */
3286 ret2 = io_setup_async_rw(req, iovec, inline_vecs, iter, true);
3291 rw = req->async_data;
3292 /* now use our persistent iterator, if we aren't already */
3297 rw->bytes_done += ret;
3298 /* if we can retry, do so with the callbacks armed */
3299 if (!io_rw_should_retry(req)) {
3300 kiocb->ki_flags &= ~IOCB_WAITQ;
3305 * Now retry read with the IOCB_WAITQ parts set in the iocb. If
3306 * we get -EIOCBQUEUED, then we'll get a notification when the
3307 * desired page gets unlocked. We can also get a partial read
3308 * here, and if we do, then just retry at the new offset.
3310 ret = io_iter_do_read(req, iter);
3311 if (ret == -EIOCBQUEUED)
3313 /* we got some bytes, but not all. retry. */
3314 kiocb->ki_flags &= ~IOCB_WAITQ;
3315 } while (ret > 0 && ret < io_size);
3317 kiocb_done(kiocb, ret, issue_flags);
3319 /* it's faster to check here then delegate to kfree */
3325 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3327 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
3329 return io_prep_rw(req, sqe);
3332 static int io_write(struct io_kiocb *req, unsigned int issue_flags)
3334 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3335 struct kiocb *kiocb = &req->rw.kiocb;
3336 struct iov_iter __iter, *iter = &__iter;
3337 struct io_async_rw *rw = req->async_data;
3338 ssize_t ret, ret2, io_size;
3339 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3345 ret = io_import_iovec(WRITE, req, &iovec, iter, !force_nonblock);
3349 io_size = iov_iter_count(iter);
3350 req->result = io_size;
3352 /* Ensure we clear previously set non-block flag */
3353 if (!force_nonblock)
3354 kiocb->ki_flags &= ~IOCB_NOWAIT;
3356 kiocb->ki_flags |= IOCB_NOWAIT;
3358 /* If the file doesn't support async, just async punt */
3359 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
3362 /* file path doesn't support NOWAIT for non-direct_IO */
3363 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
3364 (req->flags & REQ_F_ISREG))
3367 ret = rw_verify_area(WRITE, req->file, io_kiocb_ppos(kiocb), io_size);
3372 * Open-code file_start_write here to grab freeze protection,
3373 * which will be released by another thread in
3374 * io_complete_rw(). Fool lockdep by telling it the lock got
3375 * released so that it doesn't complain about the held lock when
3376 * we return to userspace.
3378 if (req->flags & REQ_F_ISREG) {
3379 sb_start_write(file_inode(req->file)->i_sb);
3380 __sb_writers_release(file_inode(req->file)->i_sb,
3383 kiocb->ki_flags |= IOCB_WRITE;
3385 if (req->file->f_op->write_iter)
3386 ret2 = call_write_iter(req->file, kiocb, iter);
3387 else if (req->file->f_op->write)
3388 ret2 = loop_rw_iter(WRITE, req, iter);
3393 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
3394 * retry them without IOCB_NOWAIT.
3396 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
3398 /* no retry on NONBLOCK nor RWF_NOWAIT */
3399 if (ret2 == -EAGAIN && (req->flags & REQ_F_NOWAIT))
3401 if (ret2 == -EIOCBQUEUED && req->async_data)
3402 iov_iter_revert(iter, io_size - iov_iter_count(iter));
3403 if (!force_nonblock || ret2 != -EAGAIN) {
3404 /* IOPOLL retry should happen for io-wq threads */
3405 if ((req->ctx->flags & IORING_SETUP_IOPOLL) && ret2 == -EAGAIN)
3408 kiocb_done(kiocb, ret2, issue_flags);
3411 /* some cases will consume bytes even on error returns */
3412 iov_iter_revert(iter, io_size - iov_iter_count(iter));
3413 ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
3414 return ret ?: -EAGAIN;
3417 /* it's reportedly faster than delegating the null check to kfree() */
3423 static int io_renameat_prep(struct io_kiocb *req,
3424 const struct io_uring_sqe *sqe)
3426 struct io_rename *ren = &req->rename;
3427 const char __user *oldf, *newf;
3429 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3432 ren->old_dfd = READ_ONCE(sqe->fd);
3433 oldf = u64_to_user_ptr(READ_ONCE(sqe->addr));
3434 newf = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3435 ren->new_dfd = READ_ONCE(sqe->len);
3436 ren->flags = READ_ONCE(sqe->rename_flags);
3438 ren->oldpath = getname(oldf);
3439 if (IS_ERR(ren->oldpath))
3440 return PTR_ERR(ren->oldpath);
3442 ren->newpath = getname(newf);
3443 if (IS_ERR(ren->newpath)) {
3444 putname(ren->oldpath);
3445 return PTR_ERR(ren->newpath);
3448 req->flags |= REQ_F_NEED_CLEANUP;
3452 static int io_renameat(struct io_kiocb *req, unsigned int issue_flags)
3454 struct io_rename *ren = &req->rename;
3457 if (issue_flags & IO_URING_F_NONBLOCK)
3460 ret = do_renameat2(ren->old_dfd, ren->oldpath, ren->new_dfd,
3461 ren->newpath, ren->flags);
3463 req->flags &= ~REQ_F_NEED_CLEANUP;
3465 req_set_fail_links(req);
3466 io_req_complete(req, ret);
3470 static int io_unlinkat_prep(struct io_kiocb *req,
3471 const struct io_uring_sqe *sqe)
3473 struct io_unlink *un = &req->unlink;
3474 const char __user *fname;
3476 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3479 un->dfd = READ_ONCE(sqe->fd);
3481 un->flags = READ_ONCE(sqe->unlink_flags);
3482 if (un->flags & ~AT_REMOVEDIR)
3485 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3486 un->filename = getname(fname);
3487 if (IS_ERR(un->filename))
3488 return PTR_ERR(un->filename);
3490 req->flags |= REQ_F_NEED_CLEANUP;
3494 static int io_unlinkat(struct io_kiocb *req, unsigned int issue_flags)
3496 struct io_unlink *un = &req->unlink;
3499 if (issue_flags & IO_URING_F_NONBLOCK)
3502 if (un->flags & AT_REMOVEDIR)
3503 ret = do_rmdir(un->dfd, un->filename);
3505 ret = do_unlinkat(un->dfd, un->filename);
3507 req->flags &= ~REQ_F_NEED_CLEANUP;
3509 req_set_fail_links(req);
3510 io_req_complete(req, ret);
3514 static int io_shutdown_prep(struct io_kiocb *req,
3515 const struct io_uring_sqe *sqe)
3517 #if defined(CONFIG_NET)
3518 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3520 if (sqe->ioprio || sqe->off || sqe->addr || sqe->rw_flags ||
3524 req->shutdown.how = READ_ONCE(sqe->len);
3531 static int io_shutdown(struct io_kiocb *req, unsigned int issue_flags)
3533 #if defined(CONFIG_NET)
3534 struct socket *sock;
3537 if (issue_flags & IO_URING_F_NONBLOCK)
3540 sock = sock_from_file(req->file);
3541 if (unlikely(!sock))
3544 ret = __sys_shutdown_sock(sock, req->shutdown.how);
3546 req_set_fail_links(req);
3547 io_req_complete(req, ret);
3554 static int __io_splice_prep(struct io_kiocb *req,
3555 const struct io_uring_sqe *sqe)
3557 struct io_splice* sp = &req->splice;
3558 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
3560 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3564 sp->len = READ_ONCE(sqe->len);
3565 sp->flags = READ_ONCE(sqe->splice_flags);
3567 if (unlikely(sp->flags & ~valid_flags))
3570 sp->file_in = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in),
3571 (sp->flags & SPLICE_F_FD_IN_FIXED));
3574 req->flags |= REQ_F_NEED_CLEANUP;
3576 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
3578 * Splice operation will be punted aync, and here need to
3579 * modify io_wq_work.flags, so initialize io_wq_work firstly.
3581 req->work.flags |= IO_WQ_WORK_UNBOUND;
3587 static int io_tee_prep(struct io_kiocb *req,
3588 const struct io_uring_sqe *sqe)
3590 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
3592 return __io_splice_prep(req, sqe);
3595 static int io_tee(struct io_kiocb *req, unsigned int issue_flags)
3597 struct io_splice *sp = &req->splice;
3598 struct file *in = sp->file_in;
3599 struct file *out = sp->file_out;
3600 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3603 if (issue_flags & IO_URING_F_NONBLOCK)
3606 ret = do_tee(in, out, sp->len, flags);
3608 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3609 req->flags &= ~REQ_F_NEED_CLEANUP;
3612 req_set_fail_links(req);
3613 io_req_complete(req, ret);
3617 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3619 struct io_splice* sp = &req->splice;
3621 sp->off_in = READ_ONCE(sqe->splice_off_in);
3622 sp->off_out = READ_ONCE(sqe->off);
3623 return __io_splice_prep(req, sqe);
3626 static int io_splice(struct io_kiocb *req, unsigned int issue_flags)
3628 struct io_splice *sp = &req->splice;
3629 struct file *in = sp->file_in;
3630 struct file *out = sp->file_out;
3631 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3632 loff_t *poff_in, *poff_out;
3635 if (issue_flags & IO_URING_F_NONBLOCK)
3638 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
3639 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
3642 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
3644 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3645 req->flags &= ~REQ_F_NEED_CLEANUP;
3648 req_set_fail_links(req);
3649 io_req_complete(req, ret);
3654 * IORING_OP_NOP just posts a completion event, nothing else.
3656 static int io_nop(struct io_kiocb *req, unsigned int issue_flags)
3658 struct io_ring_ctx *ctx = req->ctx;
3660 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3663 __io_req_complete(req, issue_flags, 0, 0);
3667 static int io_fsync_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3669 struct io_ring_ctx *ctx = req->ctx;
3674 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3676 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3679 req->sync.flags = READ_ONCE(sqe->fsync_flags);
3680 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
3683 req->sync.off = READ_ONCE(sqe->off);
3684 req->sync.len = READ_ONCE(sqe->len);
3688 static int io_fsync(struct io_kiocb *req, unsigned int issue_flags)
3690 loff_t end = req->sync.off + req->sync.len;
3693 /* fsync always requires a blocking context */
3694 if (issue_flags & IO_URING_F_NONBLOCK)
3697 ret = vfs_fsync_range(req->file, req->sync.off,
3698 end > 0 ? end : LLONG_MAX,
3699 req->sync.flags & IORING_FSYNC_DATASYNC);
3701 req_set_fail_links(req);
3702 io_req_complete(req, ret);
3706 static int io_fallocate_prep(struct io_kiocb *req,
3707 const struct io_uring_sqe *sqe)
3709 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
3711 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3714 req->sync.off = READ_ONCE(sqe->off);
3715 req->sync.len = READ_ONCE(sqe->addr);
3716 req->sync.mode = READ_ONCE(sqe->len);
3720 static int io_fallocate(struct io_kiocb *req, unsigned int issue_flags)
3724 /* fallocate always requiring blocking context */
3725 if (issue_flags & IO_URING_F_NONBLOCK)
3727 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
3730 req_set_fail_links(req);
3731 io_req_complete(req, ret);
3735 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3737 const char __user *fname;
3740 if (unlikely(sqe->ioprio || sqe->buf_index))
3742 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3745 /* open.how should be already initialised */
3746 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3747 req->open.how.flags |= O_LARGEFILE;
3749 req->open.dfd = READ_ONCE(sqe->fd);
3750 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3751 req->open.filename = getname(fname);
3752 if (IS_ERR(req->open.filename)) {
3753 ret = PTR_ERR(req->open.filename);
3754 req->open.filename = NULL;
3757 req->open.nofile = rlimit(RLIMIT_NOFILE);
3758 req->flags |= REQ_F_NEED_CLEANUP;
3762 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3766 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3768 mode = READ_ONCE(sqe->len);
3769 flags = READ_ONCE(sqe->open_flags);
3770 req->open.how = build_open_how(flags, mode);
3771 return __io_openat_prep(req, sqe);
3774 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3776 struct open_how __user *how;
3780 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3782 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3783 len = READ_ONCE(sqe->len);
3784 if (len < OPEN_HOW_SIZE_VER0)
3787 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3792 return __io_openat_prep(req, sqe);
3795 static int io_openat2(struct io_kiocb *req, unsigned int issue_flags)
3797 struct open_flags op;
3800 bool resolve_nonblock;
3803 ret = build_open_flags(&req->open.how, &op);
3806 nonblock_set = op.open_flag & O_NONBLOCK;
3807 resolve_nonblock = req->open.how.resolve & RESOLVE_CACHED;
3808 if (issue_flags & IO_URING_F_NONBLOCK) {
3810 * Don't bother trying for O_TRUNC, O_CREAT, or O_TMPFILE open,
3811 * it'll always -EAGAIN
3813 if (req->open.how.flags & (O_TRUNC | O_CREAT | O_TMPFILE))
3815 op.lookup_flags |= LOOKUP_CACHED;
3816 op.open_flag |= O_NONBLOCK;
3819 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3823 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3824 /* only retry if RESOLVE_CACHED wasn't already set by application */
3825 if ((!resolve_nonblock && (issue_flags & IO_URING_F_NONBLOCK)) &&
3826 file == ERR_PTR(-EAGAIN)) {
3828 * We could hang on to this 'fd', but seems like marginal
3829 * gain for something that is now known to be a slower path.
3830 * So just put it, and we'll get a new one when we retry.
3838 ret = PTR_ERR(file);
3840 if ((issue_flags & IO_URING_F_NONBLOCK) && !nonblock_set)
3841 file->f_flags &= ~O_NONBLOCK;
3842 fsnotify_open(file);
3843 fd_install(ret, file);
3846 putname(req->open.filename);
3847 req->flags &= ~REQ_F_NEED_CLEANUP;
3849 req_set_fail_links(req);
3850 io_req_complete(req, ret);
3854 static int io_openat(struct io_kiocb *req, unsigned int issue_flags)
3856 return io_openat2(req, issue_flags);
3859 static int io_remove_buffers_prep(struct io_kiocb *req,
3860 const struct io_uring_sqe *sqe)
3862 struct io_provide_buf *p = &req->pbuf;
3865 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3868 tmp = READ_ONCE(sqe->fd);
3869 if (!tmp || tmp > USHRT_MAX)
3872 memset(p, 0, sizeof(*p));
3874 p->bgid = READ_ONCE(sqe->buf_group);
3878 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3879 int bgid, unsigned nbufs)
3883 /* shouldn't happen */
3887 /* the head kbuf is the list itself */
3888 while (!list_empty(&buf->list)) {
3889 struct io_buffer *nxt;
3891 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3892 list_del(&nxt->list);
3899 xa_erase(&ctx->io_buffers, bgid);
3904 static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
3906 struct io_provide_buf *p = &req->pbuf;
3907 struct io_ring_ctx *ctx = req->ctx;
3908 struct io_buffer *head;
3910 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3912 io_ring_submit_lock(ctx, !force_nonblock);
3914 lockdep_assert_held(&ctx->uring_lock);
3917 head = xa_load(&ctx->io_buffers, p->bgid);
3919 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3921 req_set_fail_links(req);
3923 /* need to hold the lock to complete IOPOLL requests */
3924 if (ctx->flags & IORING_SETUP_IOPOLL) {
3925 __io_req_complete(req, issue_flags, ret, 0);
3926 io_ring_submit_unlock(ctx, !force_nonblock);
3928 io_ring_submit_unlock(ctx, !force_nonblock);
3929 __io_req_complete(req, issue_flags, ret, 0);
3934 static int io_provide_buffers_prep(struct io_kiocb *req,
3935 const struct io_uring_sqe *sqe)
3937 struct io_provide_buf *p = &req->pbuf;
3940 if (sqe->ioprio || sqe->rw_flags)
3943 tmp = READ_ONCE(sqe->fd);
3944 if (!tmp || tmp > USHRT_MAX)
3947 p->addr = READ_ONCE(sqe->addr);
3948 p->len = READ_ONCE(sqe->len);
3950 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3953 p->bgid = READ_ONCE(sqe->buf_group);
3954 tmp = READ_ONCE(sqe->off);
3955 if (tmp > USHRT_MAX)
3961 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3963 struct io_buffer *buf;
3964 u64 addr = pbuf->addr;
3965 int i, bid = pbuf->bid;
3967 for (i = 0; i < pbuf->nbufs; i++) {
3968 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3973 buf->len = pbuf->len;
3978 INIT_LIST_HEAD(&buf->list);
3981 list_add_tail(&buf->list, &(*head)->list);
3985 return i ? i : -ENOMEM;
3988 static int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
3990 struct io_provide_buf *p = &req->pbuf;
3991 struct io_ring_ctx *ctx = req->ctx;
3992 struct io_buffer *head, *list;
3994 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3996 io_ring_submit_lock(ctx, !force_nonblock);
3998 lockdep_assert_held(&ctx->uring_lock);
4000 list = head = xa_load(&ctx->io_buffers, p->bgid);
4002 ret = io_add_buffers(p, &head);
4003 if (ret >= 0 && !list) {
4004 ret = xa_insert(&ctx->io_buffers, p->bgid, head, GFP_KERNEL);
4006 __io_remove_buffers(ctx, head, p->bgid, -1U);
4009 req_set_fail_links(req);
4011 /* need to hold the lock to complete IOPOLL requests */
4012 if (ctx->flags & IORING_SETUP_IOPOLL) {
4013 __io_req_complete(req, issue_flags, ret, 0);
4014 io_ring_submit_unlock(ctx, !force_nonblock);
4016 io_ring_submit_unlock(ctx, !force_nonblock);
4017 __io_req_complete(req, issue_flags, ret, 0);
4022 static int io_epoll_ctl_prep(struct io_kiocb *req,
4023 const struct io_uring_sqe *sqe)
4025 #if defined(CONFIG_EPOLL)
4026 if (sqe->ioprio || sqe->buf_index)
4028 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4031 req->epoll.epfd = READ_ONCE(sqe->fd);
4032 req->epoll.op = READ_ONCE(sqe->len);
4033 req->epoll.fd = READ_ONCE(sqe->off);
4035 if (ep_op_has_event(req->epoll.op)) {
4036 struct epoll_event __user *ev;
4038 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
4039 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
4049 static int io_epoll_ctl(struct io_kiocb *req, unsigned int issue_flags)
4051 #if defined(CONFIG_EPOLL)
4052 struct io_epoll *ie = &req->epoll;
4054 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4056 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
4057 if (force_nonblock && ret == -EAGAIN)
4061 req_set_fail_links(req);
4062 __io_req_complete(req, issue_flags, ret, 0);
4069 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4071 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4072 if (sqe->ioprio || sqe->buf_index || sqe->off)
4074 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4077 req->madvise.addr = READ_ONCE(sqe->addr);
4078 req->madvise.len = READ_ONCE(sqe->len);
4079 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
4086 static int io_madvise(struct io_kiocb *req, unsigned int issue_flags)
4088 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4089 struct io_madvise *ma = &req->madvise;
4092 if (issue_flags & IO_URING_F_NONBLOCK)
4095 ret = do_madvise(current->mm, ma->addr, ma->len, ma->advice);
4097 req_set_fail_links(req);
4098 io_req_complete(req, ret);
4105 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4107 if (sqe->ioprio || sqe->buf_index || sqe->addr)
4109 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4112 req->fadvise.offset = READ_ONCE(sqe->off);
4113 req->fadvise.len = READ_ONCE(sqe->len);
4114 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
4118 static int io_fadvise(struct io_kiocb *req, unsigned int issue_flags)
4120 struct io_fadvise *fa = &req->fadvise;
4123 if (issue_flags & IO_URING_F_NONBLOCK) {
4124 switch (fa->advice) {
4125 case POSIX_FADV_NORMAL:
4126 case POSIX_FADV_RANDOM:
4127 case POSIX_FADV_SEQUENTIAL:
4134 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
4136 req_set_fail_links(req);
4137 io_req_complete(req, ret);
4141 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4143 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4145 if (sqe->ioprio || sqe->buf_index)
4147 if (req->flags & REQ_F_FIXED_FILE)
4150 req->statx.dfd = READ_ONCE(sqe->fd);
4151 req->statx.mask = READ_ONCE(sqe->len);
4152 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
4153 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4154 req->statx.flags = READ_ONCE(sqe->statx_flags);
4159 static int io_statx(struct io_kiocb *req, unsigned int issue_flags)
4161 struct io_statx *ctx = &req->statx;
4164 if (issue_flags & IO_URING_F_NONBLOCK) {
4165 /* only need file table for an actual valid fd */
4166 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
4167 req->flags |= REQ_F_NO_FILE_TABLE;
4171 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
4175 req_set_fail_links(req);
4176 io_req_complete(req, ret);
4180 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4182 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4184 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
4185 sqe->rw_flags || sqe->buf_index)
4187 if (req->flags & REQ_F_FIXED_FILE)
4190 req->close.fd = READ_ONCE(sqe->fd);
4194 static int io_close(struct io_kiocb *req, unsigned int issue_flags)
4196 struct files_struct *files = current->files;
4197 struct io_close *close = &req->close;
4198 struct fdtable *fdt;
4204 spin_lock(&files->file_lock);
4205 fdt = files_fdtable(files);
4206 if (close->fd >= fdt->max_fds) {
4207 spin_unlock(&files->file_lock);
4210 file = fdt->fd[close->fd];
4212 spin_unlock(&files->file_lock);
4216 if (file->f_op == &io_uring_fops) {
4217 spin_unlock(&files->file_lock);
4222 /* if the file has a flush method, be safe and punt to async */
4223 if (file->f_op->flush && (issue_flags & IO_URING_F_NONBLOCK)) {
4224 spin_unlock(&files->file_lock);
4228 ret = __close_fd_get_file(close->fd, &file);
4229 spin_unlock(&files->file_lock);
4236 /* No ->flush() or already async, safely close from here */
4237 ret = filp_close(file, current->files);
4240 req_set_fail_links(req);
4243 __io_req_complete(req, issue_flags, ret, 0);
4247 static int io_sfr_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4249 struct io_ring_ctx *ctx = req->ctx;
4251 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
4253 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
4256 req->sync.off = READ_ONCE(sqe->off);
4257 req->sync.len = READ_ONCE(sqe->len);
4258 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
4262 static int io_sync_file_range(struct io_kiocb *req, unsigned int issue_flags)
4266 /* sync_file_range always requires a blocking context */
4267 if (issue_flags & IO_URING_F_NONBLOCK)
4270 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
4273 req_set_fail_links(req);
4274 io_req_complete(req, ret);
4278 #if defined(CONFIG_NET)
4279 static int io_setup_async_msg(struct io_kiocb *req,
4280 struct io_async_msghdr *kmsg)
4282 struct io_async_msghdr *async_msg = req->async_data;
4286 if (io_alloc_async_data(req)) {
4287 kfree(kmsg->free_iov);
4290 async_msg = req->async_data;
4291 req->flags |= REQ_F_NEED_CLEANUP;
4292 memcpy(async_msg, kmsg, sizeof(*kmsg));
4293 async_msg->msg.msg_name = &async_msg->addr;
4294 /* if were using fast_iov, set it to the new one */
4295 if (!async_msg->free_iov)
4296 async_msg->msg.msg_iter.iov = async_msg->fast_iov;
4301 static int io_sendmsg_copy_hdr(struct io_kiocb *req,
4302 struct io_async_msghdr *iomsg)
4304 iomsg->msg.msg_name = &iomsg->addr;
4305 iomsg->free_iov = iomsg->fast_iov;
4306 return sendmsg_copy_msghdr(&iomsg->msg, req->sr_msg.umsg,
4307 req->sr_msg.msg_flags, &iomsg->free_iov);
4310 static int io_sendmsg_prep_async(struct io_kiocb *req)
4314 if (!io_op_defs[req->opcode].needs_async_data)
4316 ret = io_sendmsg_copy_hdr(req, req->async_data);
4318 req->flags |= REQ_F_NEED_CLEANUP;
4322 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4324 struct io_sr_msg *sr = &req->sr_msg;
4326 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4329 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4330 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4331 sr->len = READ_ONCE(sqe->len);
4333 #ifdef CONFIG_COMPAT
4334 if (req->ctx->compat)
4335 sr->msg_flags |= MSG_CMSG_COMPAT;
4340 static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
4342 struct io_async_msghdr iomsg, *kmsg;
4343 struct socket *sock;
4347 sock = sock_from_file(req->file);
4348 if (unlikely(!sock))
4351 kmsg = req->async_data;
4353 ret = io_sendmsg_copy_hdr(req, &iomsg);
4359 flags = req->sr_msg.msg_flags;
4360 if (flags & MSG_DONTWAIT)
4361 req->flags |= REQ_F_NOWAIT;
4362 else if (issue_flags & IO_URING_F_NONBLOCK)
4363 flags |= MSG_DONTWAIT;
4365 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
4366 if ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)
4367 return io_setup_async_msg(req, kmsg);
4368 if (ret == -ERESTARTSYS)
4371 /* fast path, check for non-NULL to avoid function call */
4373 kfree(kmsg->free_iov);
4374 req->flags &= ~REQ_F_NEED_CLEANUP;
4376 req_set_fail_links(req);
4377 __io_req_complete(req, issue_flags, ret, 0);
4381 static int io_send(struct io_kiocb *req, unsigned int issue_flags)
4383 struct io_sr_msg *sr = &req->sr_msg;
4386 struct socket *sock;
4390 sock = sock_from_file(req->file);
4391 if (unlikely(!sock))
4394 ret = import_single_range(WRITE, sr->buf, sr->len, &iov, &msg.msg_iter);
4398 msg.msg_name = NULL;
4399 msg.msg_control = NULL;
4400 msg.msg_controllen = 0;
4401 msg.msg_namelen = 0;
4403 flags = req->sr_msg.msg_flags;
4404 if (flags & MSG_DONTWAIT)
4405 req->flags |= REQ_F_NOWAIT;
4406 else if (issue_flags & IO_URING_F_NONBLOCK)
4407 flags |= MSG_DONTWAIT;
4409 msg.msg_flags = flags;
4410 ret = sock_sendmsg(sock, &msg);
4411 if ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)
4413 if (ret == -ERESTARTSYS)
4417 req_set_fail_links(req);
4418 __io_req_complete(req, issue_flags, ret, 0);
4422 static int __io_recvmsg_copy_hdr(struct io_kiocb *req,
4423 struct io_async_msghdr *iomsg)
4425 struct io_sr_msg *sr = &req->sr_msg;
4426 struct iovec __user *uiov;
4430 ret = __copy_msghdr_from_user(&iomsg->msg, sr->umsg,
4431 &iomsg->uaddr, &uiov, &iov_len);
4435 if (req->flags & REQ_F_BUFFER_SELECT) {
4438 if (copy_from_user(iomsg->fast_iov, uiov, sizeof(*uiov)))
4440 sr->len = iomsg->fast_iov[0].iov_len;
4441 iomsg->free_iov = NULL;
4443 iomsg->free_iov = iomsg->fast_iov;
4444 ret = __import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
4445 &iomsg->free_iov, &iomsg->msg.msg_iter,
4454 #ifdef CONFIG_COMPAT
4455 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
4456 struct io_async_msghdr *iomsg)
4458 struct compat_msghdr __user *msg_compat;
4459 struct io_sr_msg *sr = &req->sr_msg;
4460 struct compat_iovec __user *uiov;
4465 msg_compat = (struct compat_msghdr __user *) sr->umsg;
4466 ret = __get_compat_msghdr(&iomsg->msg, msg_compat, &iomsg->uaddr,
4471 uiov = compat_ptr(ptr);
4472 if (req->flags & REQ_F_BUFFER_SELECT) {
4473 compat_ssize_t clen;
4477 if (!access_ok(uiov, sizeof(*uiov)))
4479 if (__get_user(clen, &uiov->iov_len))
4484 iomsg->free_iov = NULL;
4486 iomsg->free_iov = iomsg->fast_iov;
4487 ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
4488 UIO_FASTIOV, &iomsg->free_iov,
4489 &iomsg->msg.msg_iter, true);
4498 static int io_recvmsg_copy_hdr(struct io_kiocb *req,
4499 struct io_async_msghdr *iomsg)
4501 iomsg->msg.msg_name = &iomsg->addr;
4503 #ifdef CONFIG_COMPAT
4504 if (req->ctx->compat)
4505 return __io_compat_recvmsg_copy_hdr(req, iomsg);
4508 return __io_recvmsg_copy_hdr(req, iomsg);
4511 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
4514 struct io_sr_msg *sr = &req->sr_msg;
4515 struct io_buffer *kbuf;
4517 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
4522 req->flags |= REQ_F_BUFFER_SELECTED;
4526 static inline unsigned int io_put_recv_kbuf(struct io_kiocb *req)
4528 return io_put_kbuf(req, req->sr_msg.kbuf);
4531 static int io_recvmsg_prep_async(struct io_kiocb *req)
4535 if (!io_op_defs[req->opcode].needs_async_data)
4537 ret = io_recvmsg_copy_hdr(req, req->async_data);
4539 req->flags |= REQ_F_NEED_CLEANUP;
4543 static int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4545 struct io_sr_msg *sr = &req->sr_msg;
4547 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4550 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4551 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4552 sr->len = READ_ONCE(sqe->len);
4553 sr->bgid = READ_ONCE(sqe->buf_group);
4555 #ifdef CONFIG_COMPAT
4556 if (req->ctx->compat)
4557 sr->msg_flags |= MSG_CMSG_COMPAT;
4562 static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
4564 struct io_async_msghdr iomsg, *kmsg;
4565 struct socket *sock;
4566 struct io_buffer *kbuf;
4568 int ret, cflags = 0;
4569 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4571 sock = sock_from_file(req->file);
4572 if (unlikely(!sock))
4575 kmsg = req->async_data;
4577 ret = io_recvmsg_copy_hdr(req, &iomsg);
4583 if (req->flags & REQ_F_BUFFER_SELECT) {
4584 kbuf = io_recv_buffer_select(req, !force_nonblock);
4586 return PTR_ERR(kbuf);
4587 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
4588 kmsg->fast_iov[0].iov_len = req->sr_msg.len;
4589 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->fast_iov,
4590 1, req->sr_msg.len);
4593 flags = req->sr_msg.msg_flags;
4594 if (flags & MSG_DONTWAIT)
4595 req->flags |= REQ_F_NOWAIT;
4596 else if (force_nonblock)
4597 flags |= MSG_DONTWAIT;
4599 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,
4600 kmsg->uaddr, flags);
4601 if (force_nonblock && ret == -EAGAIN)
4602 return io_setup_async_msg(req, kmsg);
4603 if (ret == -ERESTARTSYS)
4606 if (req->flags & REQ_F_BUFFER_SELECTED)
4607 cflags = io_put_recv_kbuf(req);
4608 /* fast path, check for non-NULL to avoid function call */
4610 kfree(kmsg->free_iov);
4611 req->flags &= ~REQ_F_NEED_CLEANUP;
4613 req_set_fail_links(req);
4614 __io_req_complete(req, issue_flags, ret, cflags);
4618 static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
4620 struct io_buffer *kbuf;
4621 struct io_sr_msg *sr = &req->sr_msg;
4623 void __user *buf = sr->buf;
4624 struct socket *sock;
4627 int ret, cflags = 0;
4628 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4630 sock = sock_from_file(req->file);
4631 if (unlikely(!sock))
4634 if (req->flags & REQ_F_BUFFER_SELECT) {
4635 kbuf = io_recv_buffer_select(req, !force_nonblock);
4637 return PTR_ERR(kbuf);
4638 buf = u64_to_user_ptr(kbuf->addr);
4641 ret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);
4645 msg.msg_name = NULL;
4646 msg.msg_control = NULL;
4647 msg.msg_controllen = 0;
4648 msg.msg_namelen = 0;
4649 msg.msg_iocb = NULL;
4652 flags = req->sr_msg.msg_flags;
4653 if (flags & MSG_DONTWAIT)
4654 req->flags |= REQ_F_NOWAIT;
4655 else if (force_nonblock)
4656 flags |= MSG_DONTWAIT;
4658 ret = sock_recvmsg(sock, &msg, flags);
4659 if (force_nonblock && ret == -EAGAIN)
4661 if (ret == -ERESTARTSYS)
4664 if (req->flags & REQ_F_BUFFER_SELECTED)
4665 cflags = io_put_recv_kbuf(req);
4667 req_set_fail_links(req);
4668 __io_req_complete(req, issue_flags, ret, cflags);
4672 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4674 struct io_accept *accept = &req->accept;
4676 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4678 if (sqe->ioprio || sqe->len || sqe->buf_index)
4681 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4682 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4683 accept->flags = READ_ONCE(sqe->accept_flags);
4684 accept->nofile = rlimit(RLIMIT_NOFILE);
4688 static int io_accept(struct io_kiocb *req, unsigned int issue_flags)
4690 struct io_accept *accept = &req->accept;
4691 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4692 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
4695 if (req->file->f_flags & O_NONBLOCK)
4696 req->flags |= REQ_F_NOWAIT;
4698 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
4699 accept->addr_len, accept->flags,
4701 if (ret == -EAGAIN && force_nonblock)
4704 if (ret == -ERESTARTSYS)
4706 req_set_fail_links(req);
4708 __io_req_complete(req, issue_flags, ret, 0);
4712 static int io_connect_prep_async(struct io_kiocb *req)
4714 struct io_async_connect *io = req->async_data;
4715 struct io_connect *conn = &req->connect;
4717 return move_addr_to_kernel(conn->addr, conn->addr_len, &io->address);
4720 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4722 struct io_connect *conn = &req->connect;
4724 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4726 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
4729 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4730 conn->addr_len = READ_ONCE(sqe->addr2);
4734 static int io_connect(struct io_kiocb *req, unsigned int issue_flags)
4736 struct io_async_connect __io, *io;
4737 unsigned file_flags;
4739 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4741 if (req->async_data) {
4742 io = req->async_data;
4744 ret = move_addr_to_kernel(req->connect.addr,
4745 req->connect.addr_len,
4752 file_flags = force_nonblock ? O_NONBLOCK : 0;
4754 ret = __sys_connect_file(req->file, &io->address,
4755 req->connect.addr_len, file_flags);
4756 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4757 if (req->async_data)
4759 if (io_alloc_async_data(req)) {
4763 io = req->async_data;
4764 memcpy(req->async_data, &__io, sizeof(__io));
4767 if (ret == -ERESTARTSYS)
4771 req_set_fail_links(req);
4772 __io_req_complete(req, issue_flags, ret, 0);
4775 #else /* !CONFIG_NET */
4776 #define IO_NETOP_FN(op) \
4777 static int io_##op(struct io_kiocb *req, unsigned int issue_flags) \
4779 return -EOPNOTSUPP; \
4782 #define IO_NETOP_PREP(op) \
4784 static int io_##op##_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) \
4786 return -EOPNOTSUPP; \
4789 #define IO_NETOP_PREP_ASYNC(op) \
4791 static int io_##op##_prep_async(struct io_kiocb *req) \
4793 return -EOPNOTSUPP; \
4796 IO_NETOP_PREP_ASYNC(sendmsg);
4797 IO_NETOP_PREP_ASYNC(recvmsg);
4798 IO_NETOP_PREP_ASYNC(connect);
4799 IO_NETOP_PREP(accept);
4802 #endif /* CONFIG_NET */
4804 struct io_poll_table {
4805 struct poll_table_struct pt;
4806 struct io_kiocb *req;
4810 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4811 __poll_t mask, task_work_func_t func)
4815 /* for instances that support it check for an event match first: */
4816 if (mask && !(mask & poll->events))
4819 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4821 list_del_init(&poll->wait.entry);
4824 req->task_work.func = func;
4825 percpu_ref_get(&req->ctx->refs);
4828 * If this fails, then the task is exiting. When a task exits, the
4829 * work gets canceled, so just cancel this request as well instead
4830 * of executing it. We can't safely execute it anyway, as we may not
4831 * have the needed state needed for it anyway.
4833 ret = io_req_task_work_add(req);
4834 if (unlikely(ret)) {
4835 WRITE_ONCE(poll->canceled, true);
4836 io_req_task_work_add_fallback(req, func);
4841 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4842 __acquires(&req->ctx->completion_lock)
4844 struct io_ring_ctx *ctx = req->ctx;
4846 if (!req->result && !READ_ONCE(poll->canceled)) {
4847 struct poll_table_struct pt = { ._key = poll->events };
4849 req->result = vfs_poll(req->file, &pt) & poll->events;
4852 spin_lock_irq(&ctx->completion_lock);
4853 if (!req->result && !READ_ONCE(poll->canceled)) {
4854 add_wait_queue(poll->head, &poll->wait);
4861 static struct io_poll_iocb *io_poll_get_double(struct io_kiocb *req)
4863 /* pure poll stashes this in ->async_data, poll driven retry elsewhere */
4864 if (req->opcode == IORING_OP_POLL_ADD)
4865 return req->async_data;
4866 return req->apoll->double_poll;
4869 static struct io_poll_iocb *io_poll_get_single(struct io_kiocb *req)
4871 if (req->opcode == IORING_OP_POLL_ADD)
4873 return &req->apoll->poll;
4876 static void io_poll_remove_double(struct io_kiocb *req)
4878 struct io_poll_iocb *poll = io_poll_get_double(req);
4880 lockdep_assert_held(&req->ctx->completion_lock);
4882 if (poll && poll->head) {
4883 struct wait_queue_head *head = poll->head;
4885 spin_lock(&head->lock);
4886 list_del_init(&poll->wait.entry);
4887 if (poll->wait.private)
4888 refcount_dec(&req->refs);
4890 spin_unlock(&head->lock);
4894 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4896 struct io_ring_ctx *ctx = req->ctx;
4898 io_poll_remove_double(req);
4899 req->poll.done = true;
4900 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4901 io_commit_cqring(ctx);
4904 static void io_poll_task_func(struct callback_head *cb)
4906 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4907 struct io_ring_ctx *ctx = req->ctx;
4908 struct io_kiocb *nxt;
4910 if (io_poll_rewait(req, &req->poll)) {
4911 spin_unlock_irq(&ctx->completion_lock);
4913 hash_del(&req->hash_node);
4914 io_poll_complete(req, req->result, 0);
4915 spin_unlock_irq(&ctx->completion_lock);
4917 nxt = io_put_req_find_next(req);
4918 io_cqring_ev_posted(ctx);
4920 __io_req_task_submit(nxt);
4923 percpu_ref_put(&ctx->refs);
4926 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4927 int sync, void *key)
4929 struct io_kiocb *req = wait->private;
4930 struct io_poll_iocb *poll = io_poll_get_single(req);
4931 __poll_t mask = key_to_poll(key);
4933 /* for instances that support it check for an event match first: */
4934 if (mask && !(mask & poll->events))
4937 list_del_init(&wait->entry);
4939 if (poll && poll->head) {
4942 spin_lock(&poll->head->lock);
4943 done = list_empty(&poll->wait.entry);
4945 list_del_init(&poll->wait.entry);
4946 /* make sure double remove sees this as being gone */
4947 wait->private = NULL;
4948 spin_unlock(&poll->head->lock);
4950 /* use wait func handler, so it matches the rq type */
4951 poll->wait.func(&poll->wait, mode, sync, key);
4954 refcount_dec(&req->refs);
4958 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4959 wait_queue_func_t wake_func)
4963 poll->canceled = false;
4964 poll->events = events;
4965 INIT_LIST_HEAD(&poll->wait.entry);
4966 init_waitqueue_func_entry(&poll->wait, wake_func);
4969 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
4970 struct wait_queue_head *head,
4971 struct io_poll_iocb **poll_ptr)
4973 struct io_kiocb *req = pt->req;
4976 * If poll->head is already set, it's because the file being polled
4977 * uses multiple waitqueues for poll handling (eg one for read, one
4978 * for write). Setup a separate io_poll_iocb if this happens.
4980 if (unlikely(poll->head)) {
4981 struct io_poll_iocb *poll_one = poll;
4983 /* already have a 2nd entry, fail a third attempt */
4985 pt->error = -EINVAL;
4988 /* double add on the same waitqueue head, ignore */
4989 if (poll->head == head)
4991 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
4993 pt->error = -ENOMEM;
4996 io_init_poll_iocb(poll, poll_one->events, io_poll_double_wake);
4997 refcount_inc(&req->refs);
4998 poll->wait.private = req;
5005 if (poll->events & EPOLLEXCLUSIVE)
5006 add_wait_queue_exclusive(head, &poll->wait);
5008 add_wait_queue(head, &poll->wait);
5011 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
5012 struct poll_table_struct *p)
5014 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5015 struct async_poll *apoll = pt->req->apoll;
5017 __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
5020 static void io_async_task_func(struct callback_head *cb)
5022 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
5023 struct async_poll *apoll = req->apoll;
5024 struct io_ring_ctx *ctx = req->ctx;
5026 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
5028 if (io_poll_rewait(req, &apoll->poll)) {
5029 spin_unlock_irq(&ctx->completion_lock);
5030 percpu_ref_put(&ctx->refs);
5034 /* If req is still hashed, it cannot have been canceled. Don't check. */
5035 if (hash_hashed(&req->hash_node))
5036 hash_del(&req->hash_node);
5038 io_poll_remove_double(req);
5039 spin_unlock_irq(&ctx->completion_lock);
5041 if (!READ_ONCE(apoll->poll.canceled))
5042 __io_req_task_submit(req);
5044 __io_req_task_cancel(req, -ECANCELED);
5046 percpu_ref_put(&ctx->refs);
5047 kfree(apoll->double_poll);
5051 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5054 struct io_kiocb *req = wait->private;
5055 struct io_poll_iocb *poll = &req->apoll->poll;
5057 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
5060 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
5063 static void io_poll_req_insert(struct io_kiocb *req)
5065 struct io_ring_ctx *ctx = req->ctx;
5066 struct hlist_head *list;
5068 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
5069 hlist_add_head(&req->hash_node, list);
5072 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
5073 struct io_poll_iocb *poll,
5074 struct io_poll_table *ipt, __poll_t mask,
5075 wait_queue_func_t wake_func)
5076 __acquires(&ctx->completion_lock)
5078 struct io_ring_ctx *ctx = req->ctx;
5079 bool cancel = false;
5081 INIT_HLIST_NODE(&req->hash_node);
5082 io_init_poll_iocb(poll, mask, wake_func);
5083 poll->file = req->file;
5084 poll->wait.private = req;
5086 ipt->pt._key = mask;
5088 ipt->error = -EINVAL;
5090 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
5092 spin_lock_irq(&ctx->completion_lock);
5093 if (likely(poll->head)) {
5094 spin_lock(&poll->head->lock);
5095 if (unlikely(list_empty(&poll->wait.entry))) {
5101 if (mask || ipt->error)
5102 list_del_init(&poll->wait.entry);
5104 WRITE_ONCE(poll->canceled, true);
5105 else if (!poll->done) /* actually waiting for an event */
5106 io_poll_req_insert(req);
5107 spin_unlock(&poll->head->lock);
5113 static bool io_arm_poll_handler(struct io_kiocb *req)
5115 const struct io_op_def *def = &io_op_defs[req->opcode];
5116 struct io_ring_ctx *ctx = req->ctx;
5117 struct async_poll *apoll;
5118 struct io_poll_table ipt;
5122 if (!req->file || !file_can_poll(req->file))
5124 if (req->flags & REQ_F_POLLED)
5128 else if (def->pollout)
5132 /* if we can't nonblock try, then no point in arming a poll handler */
5133 if (!io_file_supports_async(req->file, rw))
5136 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
5137 if (unlikely(!apoll))
5139 apoll->double_poll = NULL;
5141 req->flags |= REQ_F_POLLED;
5146 mask |= POLLIN | POLLRDNORM;
5148 mask |= POLLOUT | POLLWRNORM;
5150 /* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */
5151 if ((req->opcode == IORING_OP_RECVMSG) &&
5152 (req->sr_msg.msg_flags & MSG_ERRQUEUE))
5155 mask |= POLLERR | POLLPRI;
5157 ipt.pt._qproc = io_async_queue_proc;
5159 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
5161 if (ret || ipt.error) {
5162 io_poll_remove_double(req);
5163 spin_unlock_irq(&ctx->completion_lock);
5164 kfree(apoll->double_poll);
5168 spin_unlock_irq(&ctx->completion_lock);
5169 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
5170 apoll->poll.events);
5174 static bool __io_poll_remove_one(struct io_kiocb *req,
5175 struct io_poll_iocb *poll)
5177 bool do_complete = false;
5179 spin_lock(&poll->head->lock);
5180 WRITE_ONCE(poll->canceled, true);
5181 if (!list_empty(&poll->wait.entry)) {
5182 list_del_init(&poll->wait.entry);
5185 spin_unlock(&poll->head->lock);
5186 hash_del(&req->hash_node);
5190 static bool io_poll_remove_one(struct io_kiocb *req)
5194 io_poll_remove_double(req);
5196 if (req->opcode == IORING_OP_POLL_ADD) {
5197 do_complete = __io_poll_remove_one(req, &req->poll);
5199 struct async_poll *apoll = req->apoll;
5201 /* non-poll requests have submit ref still */
5202 do_complete = __io_poll_remove_one(req, &apoll->poll);
5205 kfree(apoll->double_poll);
5211 io_cqring_fill_event(req, -ECANCELED);
5212 io_commit_cqring(req->ctx);
5213 req_set_fail_links(req);
5214 io_put_req_deferred(req, 1);
5221 * Returns true if we found and killed one or more poll requests
5223 static bool io_poll_remove_all(struct io_ring_ctx *ctx, struct task_struct *tsk,
5224 struct files_struct *files)
5226 struct hlist_node *tmp;
5227 struct io_kiocb *req;
5230 spin_lock_irq(&ctx->completion_lock);
5231 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
5232 struct hlist_head *list;
5234 list = &ctx->cancel_hash[i];
5235 hlist_for_each_entry_safe(req, tmp, list, hash_node) {
5236 if (io_match_task(req, tsk, files))
5237 posted += io_poll_remove_one(req);
5240 spin_unlock_irq(&ctx->completion_lock);
5243 io_cqring_ev_posted(ctx);
5248 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
5250 struct hlist_head *list;
5251 struct io_kiocb *req;
5253 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
5254 hlist_for_each_entry(req, list, hash_node) {
5255 if (sqe_addr != req->user_data)
5257 if (io_poll_remove_one(req))
5265 static int io_poll_remove_prep(struct io_kiocb *req,
5266 const struct io_uring_sqe *sqe)
5268 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5270 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
5274 req->poll_remove.addr = READ_ONCE(sqe->addr);
5279 * Find a running poll command that matches one specified in sqe->addr,
5280 * and remove it if found.
5282 static int io_poll_remove(struct io_kiocb *req, unsigned int issue_flags)
5284 struct io_ring_ctx *ctx = req->ctx;
5287 spin_lock_irq(&ctx->completion_lock);
5288 ret = io_poll_cancel(ctx, req->poll_remove.addr);
5289 spin_unlock_irq(&ctx->completion_lock);
5292 req_set_fail_links(req);
5293 io_req_complete(req, ret);
5297 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5300 struct io_kiocb *req = wait->private;
5301 struct io_poll_iocb *poll = &req->poll;
5303 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
5306 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
5307 struct poll_table_struct *p)
5309 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5311 __io_queue_proc(&pt->req->poll, pt, head, (struct io_poll_iocb **) &pt->req->async_data);
5314 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5316 struct io_poll_iocb *poll = &req->poll;
5319 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5321 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
5324 events = READ_ONCE(sqe->poll32_events);
5326 events = swahw32(events);
5328 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |
5329 (events & EPOLLEXCLUSIVE);
5333 static int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
5335 struct io_poll_iocb *poll = &req->poll;
5336 struct io_ring_ctx *ctx = req->ctx;
5337 struct io_poll_table ipt;
5340 ipt.pt._qproc = io_poll_queue_proc;
5342 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
5345 if (mask) { /* no async, we'd stolen it */
5347 io_poll_complete(req, mask, 0);
5349 spin_unlock_irq(&ctx->completion_lock);
5352 io_cqring_ev_posted(ctx);
5358 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
5360 struct io_timeout_data *data = container_of(timer,
5361 struct io_timeout_data, timer);
5362 struct io_kiocb *req = data->req;
5363 struct io_ring_ctx *ctx = req->ctx;
5364 unsigned long flags;
5366 spin_lock_irqsave(&ctx->completion_lock, flags);
5367 list_del_init(&req->timeout.list);
5368 atomic_set(&req->ctx->cq_timeouts,
5369 atomic_read(&req->ctx->cq_timeouts) + 1);
5371 io_cqring_fill_event(req, -ETIME);
5372 io_commit_cqring(ctx);
5373 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5375 io_cqring_ev_posted(ctx);
5376 req_set_fail_links(req);
5378 return HRTIMER_NORESTART;
5381 static struct io_kiocb *io_timeout_extract(struct io_ring_ctx *ctx,
5384 struct io_timeout_data *io;
5385 struct io_kiocb *req;
5388 list_for_each_entry(req, &ctx->timeout_list, timeout.list) {
5389 if (user_data == req->user_data) {
5396 return ERR_PTR(ret);
5398 io = req->async_data;
5399 ret = hrtimer_try_to_cancel(&io->timer);
5401 return ERR_PTR(-EALREADY);
5402 list_del_init(&req->timeout.list);
5406 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
5408 struct io_kiocb *req = io_timeout_extract(ctx, user_data);
5411 return PTR_ERR(req);
5413 req_set_fail_links(req);
5414 io_cqring_fill_event(req, -ECANCELED);
5415 io_put_req_deferred(req, 1);
5419 static int io_timeout_update(struct io_ring_ctx *ctx, __u64 user_data,
5420 struct timespec64 *ts, enum hrtimer_mode mode)
5422 struct io_kiocb *req = io_timeout_extract(ctx, user_data);
5423 struct io_timeout_data *data;
5426 return PTR_ERR(req);
5428 req->timeout.off = 0; /* noseq */
5429 data = req->async_data;
5430 list_add_tail(&req->timeout.list, &ctx->timeout_list);
5431 hrtimer_init(&data->timer, CLOCK_MONOTONIC, mode);
5432 data->timer.function = io_timeout_fn;
5433 hrtimer_start(&data->timer, timespec64_to_ktime(*ts), mode);
5437 static int io_timeout_remove_prep(struct io_kiocb *req,
5438 const struct io_uring_sqe *sqe)
5440 struct io_timeout_rem *tr = &req->timeout_rem;
5442 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5444 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5446 if (sqe->ioprio || sqe->buf_index || sqe->len)
5449 tr->addr = READ_ONCE(sqe->addr);
5450 tr->flags = READ_ONCE(sqe->timeout_flags);
5451 if (tr->flags & IORING_TIMEOUT_UPDATE) {
5452 if (tr->flags & ~(IORING_TIMEOUT_UPDATE|IORING_TIMEOUT_ABS))
5454 if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2)))
5456 } else if (tr->flags) {
5457 /* timeout removal doesn't support flags */
5464 static inline enum hrtimer_mode io_translate_timeout_mode(unsigned int flags)
5466 return (flags & IORING_TIMEOUT_ABS) ? HRTIMER_MODE_ABS
5471 * Remove or update an existing timeout command
5473 static int io_timeout_remove(struct io_kiocb *req, unsigned int issue_flags)
5475 struct io_timeout_rem *tr = &req->timeout_rem;
5476 struct io_ring_ctx *ctx = req->ctx;
5479 spin_lock_irq(&ctx->completion_lock);
5480 if (!(req->timeout_rem.flags & IORING_TIMEOUT_UPDATE))
5481 ret = io_timeout_cancel(ctx, tr->addr);
5483 ret = io_timeout_update(ctx, tr->addr, &tr->ts,
5484 io_translate_timeout_mode(tr->flags));
5486 io_cqring_fill_event(req, ret);
5487 io_commit_cqring(ctx);
5488 spin_unlock_irq(&ctx->completion_lock);
5489 io_cqring_ev_posted(ctx);
5491 req_set_fail_links(req);
5496 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5497 bool is_timeout_link)
5499 struct io_timeout_data *data;
5501 u32 off = READ_ONCE(sqe->off);
5503 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5505 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
5507 if (off && is_timeout_link)
5509 flags = READ_ONCE(sqe->timeout_flags);
5510 if (flags & ~IORING_TIMEOUT_ABS)
5513 req->timeout.off = off;
5515 if (!req->async_data && io_alloc_async_data(req))
5518 data = req->async_data;
5521 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5524 data->mode = io_translate_timeout_mode(flags);
5525 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
5526 io_req_track_inflight(req);
5530 static int io_timeout(struct io_kiocb *req, unsigned int issue_flags)
5532 struct io_ring_ctx *ctx = req->ctx;
5533 struct io_timeout_data *data = req->async_data;
5534 struct list_head *entry;
5535 u32 tail, off = req->timeout.off;
5537 spin_lock_irq(&ctx->completion_lock);
5540 * sqe->off holds how many events that need to occur for this
5541 * timeout event to be satisfied. If it isn't set, then this is
5542 * a pure timeout request, sequence isn't used.
5544 if (io_is_timeout_noseq(req)) {
5545 entry = ctx->timeout_list.prev;
5549 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
5550 req->timeout.target_seq = tail + off;
5552 /* Update the last seq here in case io_flush_timeouts() hasn't.
5553 * This is safe because ->completion_lock is held, and submissions
5554 * and completions are never mixed in the same ->completion_lock section.
5556 ctx->cq_last_tm_flush = tail;
5559 * Insertion sort, ensuring the first entry in the list is always
5560 * the one we need first.
5562 list_for_each_prev(entry, &ctx->timeout_list) {
5563 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb,
5566 if (io_is_timeout_noseq(nxt))
5568 /* nxt.seq is behind @tail, otherwise would've been completed */
5569 if (off >= nxt->timeout.target_seq - tail)
5573 list_add(&req->timeout.list, entry);
5574 data->timer.function = io_timeout_fn;
5575 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5576 spin_unlock_irq(&ctx->completion_lock);
5580 struct io_cancel_data {
5581 struct io_ring_ctx *ctx;
5585 static bool io_cancel_cb(struct io_wq_work *work, void *data)
5587 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5588 struct io_cancel_data *cd = data;
5590 return req->ctx == cd->ctx && req->user_data == cd->user_data;
5593 static int io_async_cancel_one(struct io_uring_task *tctx, u64 user_data,
5594 struct io_ring_ctx *ctx)
5596 struct io_cancel_data data = { .ctx = ctx, .user_data = user_data, };
5597 enum io_wq_cancel cancel_ret;
5600 if (!tctx || !tctx->io_wq)
5603 cancel_ret = io_wq_cancel_cb(tctx->io_wq, io_cancel_cb, &data, false);
5604 switch (cancel_ret) {
5605 case IO_WQ_CANCEL_OK:
5608 case IO_WQ_CANCEL_RUNNING:
5611 case IO_WQ_CANCEL_NOTFOUND:
5619 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
5620 struct io_kiocb *req, __u64 sqe_addr,
5623 unsigned long flags;
5626 ret = io_async_cancel_one(req->task->io_uring, sqe_addr, ctx);
5627 if (ret != -ENOENT) {
5628 spin_lock_irqsave(&ctx->completion_lock, flags);
5632 spin_lock_irqsave(&ctx->completion_lock, flags);
5633 ret = io_timeout_cancel(ctx, sqe_addr);
5636 ret = io_poll_cancel(ctx, sqe_addr);
5640 io_cqring_fill_event(req, ret);
5641 io_commit_cqring(ctx);
5642 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5643 io_cqring_ev_posted(ctx);
5646 req_set_fail_links(req);
5650 static int io_async_cancel_prep(struct io_kiocb *req,
5651 const struct io_uring_sqe *sqe)
5653 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5655 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5657 if (sqe->ioprio || sqe->off || sqe->len || sqe->cancel_flags)
5660 req->cancel.addr = READ_ONCE(sqe->addr);
5664 static int io_async_cancel(struct io_kiocb *req, unsigned int issue_flags)
5666 struct io_ring_ctx *ctx = req->ctx;
5667 u64 sqe_addr = req->cancel.addr;
5668 struct io_tctx_node *node;
5671 /* tasks should wait for their io-wq threads, so safe w/o sync */
5672 ret = io_async_cancel_one(req->task->io_uring, sqe_addr, ctx);
5673 spin_lock_irq(&ctx->completion_lock);
5676 ret = io_timeout_cancel(ctx, sqe_addr);
5679 ret = io_poll_cancel(ctx, sqe_addr);
5682 spin_unlock_irq(&ctx->completion_lock);
5684 /* slow path, try all io-wq's */
5685 io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
5687 list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
5688 struct io_uring_task *tctx = node->task->io_uring;
5690 if (!tctx || !tctx->io_wq)
5692 ret = io_async_cancel_one(tctx, req->cancel.addr, ctx);
5696 io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
5698 spin_lock_irq(&ctx->completion_lock);
5700 io_cqring_fill_event(req, ret);
5701 io_commit_cqring(ctx);
5702 spin_unlock_irq(&ctx->completion_lock);
5703 io_cqring_ev_posted(ctx);
5706 req_set_fail_links(req);
5711 static int io_rsrc_update_prep(struct io_kiocb *req,
5712 const struct io_uring_sqe *sqe)
5714 if (unlikely(req->ctx->flags & IORING_SETUP_SQPOLL))
5716 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5718 if (sqe->ioprio || sqe->rw_flags)
5721 req->rsrc_update.offset = READ_ONCE(sqe->off);
5722 req->rsrc_update.nr_args = READ_ONCE(sqe->len);
5723 if (!req->rsrc_update.nr_args)
5725 req->rsrc_update.arg = READ_ONCE(sqe->addr);
5729 static int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
5731 struct io_ring_ctx *ctx = req->ctx;
5732 struct io_uring_rsrc_update up;
5735 if (issue_flags & IO_URING_F_NONBLOCK)
5738 up.offset = req->rsrc_update.offset;
5739 up.data = req->rsrc_update.arg;
5741 mutex_lock(&ctx->uring_lock);
5742 ret = __io_sqe_files_update(ctx, &up, req->rsrc_update.nr_args);
5743 mutex_unlock(&ctx->uring_lock);
5746 req_set_fail_links(req);
5747 __io_req_complete(req, issue_flags, ret, 0);
5751 static int io_req_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5753 switch (req->opcode) {
5756 case IORING_OP_READV:
5757 case IORING_OP_READ_FIXED:
5758 case IORING_OP_READ:
5759 return io_read_prep(req, sqe);
5760 case IORING_OP_WRITEV:
5761 case IORING_OP_WRITE_FIXED:
5762 case IORING_OP_WRITE:
5763 return io_write_prep(req, sqe);
5764 case IORING_OP_POLL_ADD:
5765 return io_poll_add_prep(req, sqe);
5766 case IORING_OP_POLL_REMOVE:
5767 return io_poll_remove_prep(req, sqe);
5768 case IORING_OP_FSYNC:
5769 return io_fsync_prep(req, sqe);
5770 case IORING_OP_SYNC_FILE_RANGE:
5771 return io_sfr_prep(req, sqe);
5772 case IORING_OP_SENDMSG:
5773 case IORING_OP_SEND:
5774 return io_sendmsg_prep(req, sqe);
5775 case IORING_OP_RECVMSG:
5776 case IORING_OP_RECV:
5777 return io_recvmsg_prep(req, sqe);
5778 case IORING_OP_CONNECT:
5779 return io_connect_prep(req, sqe);
5780 case IORING_OP_TIMEOUT:
5781 return io_timeout_prep(req, sqe, false);
5782 case IORING_OP_TIMEOUT_REMOVE:
5783 return io_timeout_remove_prep(req, sqe);
5784 case IORING_OP_ASYNC_CANCEL:
5785 return io_async_cancel_prep(req, sqe);
5786 case IORING_OP_LINK_TIMEOUT:
5787 return io_timeout_prep(req, sqe, true);
5788 case IORING_OP_ACCEPT:
5789 return io_accept_prep(req, sqe);
5790 case IORING_OP_FALLOCATE:
5791 return io_fallocate_prep(req, sqe);
5792 case IORING_OP_OPENAT:
5793 return io_openat_prep(req, sqe);
5794 case IORING_OP_CLOSE:
5795 return io_close_prep(req, sqe);
5796 case IORING_OP_FILES_UPDATE:
5797 return io_rsrc_update_prep(req, sqe);
5798 case IORING_OP_STATX:
5799 return io_statx_prep(req, sqe);
5800 case IORING_OP_FADVISE:
5801 return io_fadvise_prep(req, sqe);
5802 case IORING_OP_MADVISE:
5803 return io_madvise_prep(req, sqe);
5804 case IORING_OP_OPENAT2:
5805 return io_openat2_prep(req, sqe);
5806 case IORING_OP_EPOLL_CTL:
5807 return io_epoll_ctl_prep(req, sqe);
5808 case IORING_OP_SPLICE:
5809 return io_splice_prep(req, sqe);
5810 case IORING_OP_PROVIDE_BUFFERS:
5811 return io_provide_buffers_prep(req, sqe);
5812 case IORING_OP_REMOVE_BUFFERS:
5813 return io_remove_buffers_prep(req, sqe);
5815 return io_tee_prep(req, sqe);
5816 case IORING_OP_SHUTDOWN:
5817 return io_shutdown_prep(req, sqe);
5818 case IORING_OP_RENAMEAT:
5819 return io_renameat_prep(req, sqe);
5820 case IORING_OP_UNLINKAT:
5821 return io_unlinkat_prep(req, sqe);
5824 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5829 static int io_req_prep_async(struct io_kiocb *req)
5831 switch (req->opcode) {
5832 case IORING_OP_READV:
5833 case IORING_OP_READ_FIXED:
5834 case IORING_OP_READ:
5835 return io_rw_prep_async(req, READ);
5836 case IORING_OP_WRITEV:
5837 case IORING_OP_WRITE_FIXED:
5838 case IORING_OP_WRITE:
5839 return io_rw_prep_async(req, WRITE);
5840 case IORING_OP_SENDMSG:
5841 case IORING_OP_SEND:
5842 return io_sendmsg_prep_async(req);
5843 case IORING_OP_RECVMSG:
5844 case IORING_OP_RECV:
5845 return io_recvmsg_prep_async(req);
5846 case IORING_OP_CONNECT:
5847 return io_connect_prep_async(req);
5852 static int io_req_defer_prep(struct io_kiocb *req)
5854 if (!io_op_defs[req->opcode].needs_async_data)
5856 /* some opcodes init it during the inital prep */
5857 if (req->async_data)
5859 if (__io_alloc_async_data(req))
5861 return io_req_prep_async(req);
5864 static u32 io_get_sequence(struct io_kiocb *req)
5866 struct io_kiocb *pos;
5867 struct io_ring_ctx *ctx = req->ctx;
5868 u32 total_submitted, nr_reqs = 0;
5870 io_for_each_link(pos, req)
5873 total_submitted = ctx->cached_sq_head - ctx->cached_sq_dropped;
5874 return total_submitted - nr_reqs;
5877 static int io_req_defer(struct io_kiocb *req)
5879 struct io_ring_ctx *ctx = req->ctx;
5880 struct io_defer_entry *de;
5884 /* Still need defer if there is pending req in defer list. */
5885 if (likely(list_empty_careful(&ctx->defer_list) &&
5886 !(req->flags & REQ_F_IO_DRAIN)))
5889 seq = io_get_sequence(req);
5890 /* Still a chance to pass the sequence check */
5891 if (!req_need_defer(req, seq) && list_empty_careful(&ctx->defer_list))
5894 ret = io_req_defer_prep(req);
5897 io_prep_async_link(req);
5898 de = kmalloc(sizeof(*de), GFP_KERNEL);
5902 spin_lock_irq(&ctx->completion_lock);
5903 if (!req_need_defer(req, seq) && list_empty(&ctx->defer_list)) {
5904 spin_unlock_irq(&ctx->completion_lock);
5906 io_queue_async_work(req);
5907 return -EIOCBQUEUED;
5910 trace_io_uring_defer(ctx, req, req->user_data);
5913 list_add_tail(&de->list, &ctx->defer_list);
5914 spin_unlock_irq(&ctx->completion_lock);
5915 return -EIOCBQUEUED;
5918 static void __io_clean_op(struct io_kiocb *req)
5920 if (req->flags & REQ_F_BUFFER_SELECTED) {
5921 switch (req->opcode) {
5922 case IORING_OP_READV:
5923 case IORING_OP_READ_FIXED:
5924 case IORING_OP_READ:
5925 kfree((void *)(unsigned long)req->rw.addr);
5927 case IORING_OP_RECVMSG:
5928 case IORING_OP_RECV:
5929 kfree(req->sr_msg.kbuf);
5932 req->flags &= ~REQ_F_BUFFER_SELECTED;
5935 if (req->flags & REQ_F_NEED_CLEANUP) {
5936 switch (req->opcode) {
5937 case IORING_OP_READV:
5938 case IORING_OP_READ_FIXED:
5939 case IORING_OP_READ:
5940 case IORING_OP_WRITEV:
5941 case IORING_OP_WRITE_FIXED:
5942 case IORING_OP_WRITE: {
5943 struct io_async_rw *io = req->async_data;
5945 kfree(io->free_iovec);
5948 case IORING_OP_RECVMSG:
5949 case IORING_OP_SENDMSG: {
5950 struct io_async_msghdr *io = req->async_data;
5952 kfree(io->free_iov);
5955 case IORING_OP_SPLICE:
5957 io_put_file(req, req->splice.file_in,
5958 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5960 case IORING_OP_OPENAT:
5961 case IORING_OP_OPENAT2:
5962 if (req->open.filename)
5963 putname(req->open.filename);
5965 case IORING_OP_RENAMEAT:
5966 putname(req->rename.oldpath);
5967 putname(req->rename.newpath);
5969 case IORING_OP_UNLINKAT:
5970 putname(req->unlink.filename);
5973 req->flags &= ~REQ_F_NEED_CLEANUP;
5977 static int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags)
5979 struct io_ring_ctx *ctx = req->ctx;
5980 const struct cred *creds = NULL;
5983 if (req->work.creds && req->work.creds != current_cred())
5984 creds = override_creds(req->work.creds);
5986 switch (req->opcode) {
5988 ret = io_nop(req, issue_flags);
5990 case IORING_OP_READV:
5991 case IORING_OP_READ_FIXED:
5992 case IORING_OP_READ:
5993 ret = io_read(req, issue_flags);
5995 case IORING_OP_WRITEV:
5996 case IORING_OP_WRITE_FIXED:
5997 case IORING_OP_WRITE:
5998 ret = io_write(req, issue_flags);
6000 case IORING_OP_FSYNC:
6001 ret = io_fsync(req, issue_flags);
6003 case IORING_OP_POLL_ADD:
6004 ret = io_poll_add(req, issue_flags);
6006 case IORING_OP_POLL_REMOVE:
6007 ret = io_poll_remove(req, issue_flags);
6009 case IORING_OP_SYNC_FILE_RANGE:
6010 ret = io_sync_file_range(req, issue_flags);
6012 case IORING_OP_SENDMSG:
6013 ret = io_sendmsg(req, issue_flags);
6015 case IORING_OP_SEND:
6016 ret = io_send(req, issue_flags);
6018 case IORING_OP_RECVMSG:
6019 ret = io_recvmsg(req, issue_flags);
6021 case IORING_OP_RECV:
6022 ret = io_recv(req, issue_flags);
6024 case IORING_OP_TIMEOUT:
6025 ret = io_timeout(req, issue_flags);
6027 case IORING_OP_TIMEOUT_REMOVE:
6028 ret = io_timeout_remove(req, issue_flags);
6030 case IORING_OP_ACCEPT:
6031 ret = io_accept(req, issue_flags);
6033 case IORING_OP_CONNECT:
6034 ret = io_connect(req, issue_flags);
6036 case IORING_OP_ASYNC_CANCEL:
6037 ret = io_async_cancel(req, issue_flags);
6039 case IORING_OP_FALLOCATE:
6040 ret = io_fallocate(req, issue_flags);
6042 case IORING_OP_OPENAT:
6043 ret = io_openat(req, issue_flags);
6045 case IORING_OP_CLOSE:
6046 ret = io_close(req, issue_flags);
6048 case IORING_OP_FILES_UPDATE:
6049 ret = io_files_update(req, issue_flags);
6051 case IORING_OP_STATX:
6052 ret = io_statx(req, issue_flags);
6054 case IORING_OP_FADVISE:
6055 ret = io_fadvise(req, issue_flags);
6057 case IORING_OP_MADVISE:
6058 ret = io_madvise(req, issue_flags);
6060 case IORING_OP_OPENAT2:
6061 ret = io_openat2(req, issue_flags);
6063 case IORING_OP_EPOLL_CTL:
6064 ret = io_epoll_ctl(req, issue_flags);
6066 case IORING_OP_SPLICE:
6067 ret = io_splice(req, issue_flags);
6069 case IORING_OP_PROVIDE_BUFFERS:
6070 ret = io_provide_buffers(req, issue_flags);
6072 case IORING_OP_REMOVE_BUFFERS:
6073 ret = io_remove_buffers(req, issue_flags);
6076 ret = io_tee(req, issue_flags);
6078 case IORING_OP_SHUTDOWN:
6079 ret = io_shutdown(req, issue_flags);
6081 case IORING_OP_RENAMEAT:
6082 ret = io_renameat(req, issue_flags);
6084 case IORING_OP_UNLINKAT:
6085 ret = io_unlinkat(req, issue_flags);
6093 revert_creds(creds);
6098 /* If the op doesn't have a file, we're not polling for it */
6099 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
6100 const bool in_async = io_wq_current_is_worker();
6102 /* workqueue context doesn't hold uring_lock, grab it now */
6104 mutex_lock(&ctx->uring_lock);
6106 io_iopoll_req_issued(req, in_async);
6109 mutex_unlock(&ctx->uring_lock);
6115 static void io_wq_submit_work(struct io_wq_work *work)
6117 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6118 struct io_kiocb *timeout;
6121 timeout = io_prep_linked_timeout(req);
6123 io_queue_linked_timeout(timeout);
6125 if (work->flags & IO_WQ_WORK_CANCEL)
6130 ret = io_issue_sqe(req, 0);
6132 * We can get EAGAIN for polled IO even though we're
6133 * forcing a sync submission from here, since we can't
6134 * wait for request slots on the block side.
6142 /* avoid locking problems by failing it from a clean context */
6144 /* io-wq is going to take one down */
6145 refcount_inc(&req->refs);
6146 io_req_task_queue_fail(req, ret);
6150 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
6153 struct fixed_rsrc_table *table;
6155 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
6156 return table->files[index & IORING_FILE_TABLE_MASK];
6159 static struct file *io_file_get(struct io_submit_state *state,
6160 struct io_kiocb *req, int fd, bool fixed)
6162 struct io_ring_ctx *ctx = req->ctx;
6166 if (unlikely((unsigned int)fd >= ctx->nr_user_files))
6168 fd = array_index_nospec(fd, ctx->nr_user_files);
6169 file = io_file_from_index(ctx, fd);
6170 io_set_resource_node(req);
6172 trace_io_uring_file_get(ctx, fd);
6173 file = __io_file_get(state, fd);
6176 if (file && unlikely(file->f_op == &io_uring_fops))
6177 io_req_track_inflight(req);
6181 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
6183 struct io_timeout_data *data = container_of(timer,
6184 struct io_timeout_data, timer);
6185 struct io_kiocb *prev, *req = data->req;
6186 struct io_ring_ctx *ctx = req->ctx;
6187 unsigned long flags;
6189 spin_lock_irqsave(&ctx->completion_lock, flags);
6190 prev = req->timeout.head;
6191 req->timeout.head = NULL;
6194 * We don't expect the list to be empty, that will only happen if we
6195 * race with the completion of the linked work.
6197 if (prev && refcount_inc_not_zero(&prev->refs))
6198 io_remove_next_linked(prev);
6201 spin_unlock_irqrestore(&ctx->completion_lock, flags);
6204 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
6205 io_put_req_deferred(prev, 1);
6207 io_req_complete_post(req, -ETIME, 0);
6208 io_put_req_deferred(req, 1);
6210 return HRTIMER_NORESTART;
6213 static void __io_queue_linked_timeout(struct io_kiocb *req)
6216 * If the back reference is NULL, then our linked request finished
6217 * before we got a chance to setup the timer
6219 if (req->timeout.head) {
6220 struct io_timeout_data *data = req->async_data;
6222 data->timer.function = io_link_timeout_fn;
6223 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
6228 static void io_queue_linked_timeout(struct io_kiocb *req)
6230 struct io_ring_ctx *ctx = req->ctx;
6232 spin_lock_irq(&ctx->completion_lock);
6233 __io_queue_linked_timeout(req);
6234 spin_unlock_irq(&ctx->completion_lock);
6236 /* drop submission reference */
6240 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
6242 struct io_kiocb *nxt = req->link;
6244 if (!nxt || (req->flags & REQ_F_LINK_TIMEOUT) ||
6245 nxt->opcode != IORING_OP_LINK_TIMEOUT)
6248 nxt->timeout.head = req;
6249 nxt->flags |= REQ_F_LTIMEOUT_ACTIVE;
6250 req->flags |= REQ_F_LINK_TIMEOUT;
6254 static void __io_queue_sqe(struct io_kiocb *req)
6256 struct io_kiocb *linked_timeout = io_prep_linked_timeout(req);
6259 ret = io_issue_sqe(req, IO_URING_F_NONBLOCK|IO_URING_F_COMPLETE_DEFER);
6262 * We async punt it if the file wasn't marked NOWAIT, or if the file
6263 * doesn't support non-blocking read/write attempts
6265 if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
6266 if (!io_arm_poll_handler(req)) {
6268 * Queued up for async execution, worker will release
6269 * submit reference when the iocb is actually submitted.
6271 io_queue_async_work(req);
6273 } else if (likely(!ret)) {
6274 /* drop submission reference */
6275 if (req->flags & REQ_F_COMPLETE_INLINE) {
6276 struct io_ring_ctx *ctx = req->ctx;
6277 struct io_comp_state *cs = &ctx->submit_state.comp;
6279 cs->reqs[cs->nr++] = req;
6280 if (cs->nr == ARRAY_SIZE(cs->reqs))
6281 io_submit_flush_completions(cs, ctx);
6286 req_set_fail_links(req);
6288 io_req_complete(req, ret);
6291 io_queue_linked_timeout(linked_timeout);
6294 static void io_queue_sqe(struct io_kiocb *req)
6298 ret = io_req_defer(req);
6300 if (ret != -EIOCBQUEUED) {
6302 req_set_fail_links(req);
6304 io_req_complete(req, ret);
6306 } else if (req->flags & REQ_F_FORCE_ASYNC) {
6307 ret = io_req_defer_prep(req);
6310 io_queue_async_work(req);
6312 __io_queue_sqe(req);
6317 * Check SQE restrictions (opcode and flags).
6319 * Returns 'true' if SQE is allowed, 'false' otherwise.
6321 static inline bool io_check_restriction(struct io_ring_ctx *ctx,
6322 struct io_kiocb *req,
6323 unsigned int sqe_flags)
6325 if (!ctx->restricted)
6328 if (!test_bit(req->opcode, ctx->restrictions.sqe_op))
6331 if ((sqe_flags & ctx->restrictions.sqe_flags_required) !=
6332 ctx->restrictions.sqe_flags_required)
6335 if (sqe_flags & ~(ctx->restrictions.sqe_flags_allowed |
6336 ctx->restrictions.sqe_flags_required))
6342 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
6343 const struct io_uring_sqe *sqe)
6345 struct io_submit_state *state;
6346 unsigned int sqe_flags;
6347 int personality, ret = 0;
6349 req->opcode = READ_ONCE(sqe->opcode);
6350 /* same numerical values with corresponding REQ_F_*, safe to copy */
6351 req->flags = sqe_flags = READ_ONCE(sqe->flags);
6352 req->user_data = READ_ONCE(sqe->user_data);
6353 req->async_data = NULL;
6357 req->fixed_rsrc_refs = NULL;
6358 /* one is dropped after submission, the other at completion */
6359 refcount_set(&req->refs, 2);
6360 req->task = current;
6362 req->work.list.next = NULL;
6363 req->work.creds = NULL;
6364 req->work.flags = 0;
6366 /* enforce forwards compatibility on users */
6367 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
6372 if (unlikely(req->opcode >= IORING_OP_LAST))
6375 if (unlikely(!io_check_restriction(ctx, req, sqe_flags)))
6378 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
6379 !io_op_defs[req->opcode].buffer_select)
6382 personality = READ_ONCE(sqe->personality);
6384 req->work.creds = xa_load(&ctx->personalities, personality);
6385 if (!req->work.creds)
6387 get_cred(req->work.creds);
6389 state = &ctx->submit_state;
6392 * Plug now if we have more than 1 IO left after this, and the target
6393 * is potentially a read/write to block based storage.
6395 if (!state->plug_started && state->ios_left > 1 &&
6396 io_op_defs[req->opcode].plug) {
6397 blk_start_plug(&state->plug);
6398 state->plug_started = true;
6401 if (io_op_defs[req->opcode].needs_file) {
6402 bool fixed = req->flags & REQ_F_FIXED_FILE;
6404 req->file = io_file_get(state, req, READ_ONCE(sqe->fd), fixed);
6405 if (unlikely(!req->file))
6413 static int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
6414 const struct io_uring_sqe *sqe)
6416 struct io_submit_link *link = &ctx->submit_state.link;
6419 ret = io_init_req(ctx, req, sqe);
6420 if (unlikely(ret)) {
6423 io_req_complete(req, ret);
6425 /* fail even hard links since we don't submit */
6426 link->head->flags |= REQ_F_FAIL_LINK;
6427 io_put_req(link->head);
6428 io_req_complete(link->head, -ECANCELED);
6433 ret = io_req_prep(req, sqe);
6437 /* don't need @sqe from now on */
6438 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
6439 true, ctx->flags & IORING_SETUP_SQPOLL);
6442 * If we already have a head request, queue this one for async
6443 * submittal once the head completes. If we don't have a head but
6444 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
6445 * submitted sync once the chain is complete. If none of those
6446 * conditions are true (normal request), then just queue it.
6449 struct io_kiocb *head = link->head;
6452 * Taking sequential execution of a link, draining both sides
6453 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
6454 * requests in the link. So, it drains the head and the
6455 * next after the link request. The last one is done via
6456 * drain_next flag to persist the effect across calls.
6458 if (req->flags & REQ_F_IO_DRAIN) {
6459 head->flags |= REQ_F_IO_DRAIN;
6460 ctx->drain_next = 1;
6462 ret = io_req_defer_prep(req);
6465 trace_io_uring_link(ctx, req, head);
6466 link->last->link = req;
6469 /* last request of a link, enqueue the link */
6470 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
6475 if (unlikely(ctx->drain_next)) {
6476 req->flags |= REQ_F_IO_DRAIN;
6477 ctx->drain_next = 0;
6479 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
6491 * Batched submission is done, ensure local IO is flushed out.
6493 static void io_submit_state_end(struct io_submit_state *state,
6494 struct io_ring_ctx *ctx)
6496 if (state->link.head)
6497 io_queue_sqe(state->link.head);
6499 io_submit_flush_completions(&state->comp, ctx);
6500 if (state->plug_started)
6501 blk_finish_plug(&state->plug);
6502 io_state_file_put(state);
6506 * Start submission side cache.
6508 static void io_submit_state_start(struct io_submit_state *state,
6509 unsigned int max_ios)
6511 state->plug_started = false;
6512 state->ios_left = max_ios;
6513 /* set only head, no need to init link_last in advance */
6514 state->link.head = NULL;
6517 static void io_commit_sqring(struct io_ring_ctx *ctx)
6519 struct io_rings *rings = ctx->rings;
6522 * Ensure any loads from the SQEs are done at this point,
6523 * since once we write the new head, the application could
6524 * write new data to them.
6526 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
6530 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
6531 * that is mapped by userspace. This means that care needs to be taken to
6532 * ensure that reads are stable, as we cannot rely on userspace always
6533 * being a good citizen. If members of the sqe are validated and then later
6534 * used, it's important that those reads are done through READ_ONCE() to
6535 * prevent a re-load down the line.
6537 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
6539 u32 *sq_array = ctx->sq_array;
6543 * The cached sq head (or cq tail) serves two purposes:
6545 * 1) allows us to batch the cost of updating the user visible
6547 * 2) allows the kernel side to track the head on its own, even
6548 * though the application is the one updating it.
6550 head = READ_ONCE(sq_array[ctx->cached_sq_head++ & ctx->sq_mask]);
6551 if (likely(head < ctx->sq_entries))
6552 return &ctx->sq_sqes[head];
6554 /* drop invalid entries */
6555 ctx->cached_sq_dropped++;
6556 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
6560 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
6564 /* if we have a backlog and couldn't flush it all, return BUSY */
6565 if (test_bit(0, &ctx->sq_check_overflow)) {
6566 if (!__io_cqring_overflow_flush(ctx, false, NULL, NULL))
6570 /* make sure SQ entry isn't read before tail */
6571 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
6573 if (!percpu_ref_tryget_many(&ctx->refs, nr))
6576 percpu_counter_add(¤t->io_uring->inflight, nr);
6577 refcount_add(nr, ¤t->usage);
6578 io_submit_state_start(&ctx->submit_state, nr);
6580 while (submitted < nr) {
6581 const struct io_uring_sqe *sqe;
6582 struct io_kiocb *req;
6584 req = io_alloc_req(ctx);
6585 if (unlikely(!req)) {
6587 submitted = -EAGAIN;
6590 sqe = io_get_sqe(ctx);
6591 if (unlikely(!sqe)) {
6592 kmem_cache_free(req_cachep, req);
6595 /* will complete beyond this point, count as submitted */
6597 if (io_submit_sqe(ctx, req, sqe))
6601 if (unlikely(submitted != nr)) {
6602 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
6603 struct io_uring_task *tctx = current->io_uring;
6604 int unused = nr - ref_used;
6606 percpu_ref_put_many(&ctx->refs, unused);
6607 percpu_counter_sub(&tctx->inflight, unused);
6608 put_task_struct_many(current, unused);
6611 io_submit_state_end(&ctx->submit_state, ctx);
6612 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6613 io_commit_sqring(ctx);
6618 static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)
6620 /* Tell userspace we may need a wakeup call */
6621 spin_lock_irq(&ctx->completion_lock);
6622 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6623 spin_unlock_irq(&ctx->completion_lock);
6626 static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)
6628 spin_lock_irq(&ctx->completion_lock);
6629 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6630 spin_unlock_irq(&ctx->completion_lock);
6633 static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries)
6635 unsigned int to_submit;
6638 to_submit = io_sqring_entries(ctx);
6639 /* if we're handling multiple rings, cap submit size for fairness */
6640 if (cap_entries && to_submit > 8)
6643 if (!list_empty(&ctx->iopoll_list) || to_submit) {
6644 unsigned nr_events = 0;
6646 mutex_lock(&ctx->uring_lock);
6647 if (!list_empty(&ctx->iopoll_list))
6648 io_do_iopoll(ctx, &nr_events, 0);
6650 if (to_submit && likely(!percpu_ref_is_dying(&ctx->refs)) &&
6651 !(ctx->flags & IORING_SETUP_R_DISABLED))
6652 ret = io_submit_sqes(ctx, to_submit);
6653 mutex_unlock(&ctx->uring_lock);
6656 if (!io_sqring_full(ctx) && wq_has_sleeper(&ctx->sqo_sq_wait))
6657 wake_up(&ctx->sqo_sq_wait);
6662 static void io_sqd_update_thread_idle(struct io_sq_data *sqd)
6664 struct io_ring_ctx *ctx;
6665 unsigned sq_thread_idle = 0;
6667 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
6668 if (sq_thread_idle < ctx->sq_thread_idle)
6669 sq_thread_idle = ctx->sq_thread_idle;
6672 sqd->sq_thread_idle = sq_thread_idle;
6675 static int io_sq_thread(void *data)
6677 struct io_sq_data *sqd = data;
6678 struct io_ring_ctx *ctx;
6679 unsigned long timeout = 0;
6680 char buf[TASK_COMM_LEN];
6683 sprintf(buf, "iou-sqp-%d", sqd->task_pid);
6684 set_task_comm(current, buf);
6685 current->pf_io_worker = NULL;
6687 if (sqd->sq_cpu != -1)
6688 set_cpus_allowed_ptr(current, cpumask_of(sqd->sq_cpu));
6690 set_cpus_allowed_ptr(current, cpu_online_mask);
6691 current->flags |= PF_NO_SETAFFINITY;
6693 mutex_lock(&sqd->lock);
6694 while (!test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state)) {
6696 bool cap_entries, sqt_spin, needs_sched;
6698 if (test_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state)) {
6699 mutex_unlock(&sqd->lock);
6701 mutex_lock(&sqd->lock);
6703 timeout = jiffies + sqd->sq_thread_idle;
6706 if (fatal_signal_pending(current))
6709 cap_entries = !list_is_singular(&sqd->ctx_list);
6710 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
6711 const struct cred *creds = NULL;
6713 if (ctx->sq_creds != current_cred())
6714 creds = override_creds(ctx->sq_creds);
6715 ret = __io_sq_thread(ctx, cap_entries);
6717 revert_creds(creds);
6718 if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
6722 if (sqt_spin || !time_after(jiffies, timeout)) {
6726 timeout = jiffies + sqd->sq_thread_idle;
6731 prepare_to_wait(&sqd->wait, &wait, TASK_INTERRUPTIBLE);
6732 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
6733 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6734 !list_empty_careful(&ctx->iopoll_list)) {
6735 needs_sched = false;
6738 if (io_sqring_entries(ctx)) {
6739 needs_sched = false;
6744 if (needs_sched && !test_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state)) {
6745 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6746 io_ring_set_wakeup_flag(ctx);
6748 mutex_unlock(&sqd->lock);
6751 mutex_lock(&sqd->lock);
6752 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6753 io_ring_clear_wakeup_flag(ctx);
6756 finish_wait(&sqd->wait, &wait);
6757 timeout = jiffies + sqd->sq_thread_idle;
6760 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6761 io_uring_cancel_sqpoll(ctx);
6763 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6764 io_ring_set_wakeup_flag(ctx);
6765 mutex_unlock(&sqd->lock);
6768 complete(&sqd->exited);
6772 struct io_wait_queue {
6773 struct wait_queue_entry wq;
6774 struct io_ring_ctx *ctx;
6776 unsigned nr_timeouts;
6779 static inline bool io_should_wake(struct io_wait_queue *iowq)
6781 struct io_ring_ctx *ctx = iowq->ctx;
6784 * Wake up if we have enough events, or if a timeout occurred since we
6785 * started waiting. For timeouts, we always want to return to userspace,
6786 * regardless of event count.
6788 return io_cqring_events(ctx) >= iowq->to_wait ||
6789 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6792 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6793 int wake_flags, void *key)
6795 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6799 * Cannot safely flush overflowed CQEs from here, ensure we wake up
6800 * the task, and the next invocation will do it.
6802 if (io_should_wake(iowq) || test_bit(0, &iowq->ctx->cq_check_overflow))
6803 return autoremove_wake_function(curr, mode, wake_flags, key);
6807 static int io_run_task_work_sig(void)
6809 if (io_run_task_work())
6811 if (!signal_pending(current))
6813 if (test_tsk_thread_flag(current, TIF_NOTIFY_SIGNAL))
6814 return -ERESTARTSYS;
6818 /* when returns >0, the caller should retry */
6819 static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx,
6820 struct io_wait_queue *iowq,
6821 signed long *timeout)
6825 /* make sure we run task_work before checking for signals */
6826 ret = io_run_task_work_sig();
6827 if (ret || io_should_wake(iowq))
6829 /* let the caller flush overflows, retry */
6830 if (test_bit(0, &ctx->cq_check_overflow))
6833 *timeout = schedule_timeout(*timeout);
6834 return !*timeout ? -ETIME : 1;
6838 * Wait until events become available, if we don't already have some. The
6839 * application must reap them itself, as they reside on the shared cq ring.
6841 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6842 const sigset_t __user *sig, size_t sigsz,
6843 struct __kernel_timespec __user *uts)
6845 struct io_wait_queue iowq = {
6848 .func = io_wake_function,
6849 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6852 .to_wait = min_events,
6854 struct io_rings *rings = ctx->rings;
6855 signed long timeout = MAX_SCHEDULE_TIMEOUT;
6859 io_cqring_overflow_flush(ctx, false, NULL, NULL);
6860 if (io_cqring_events(ctx) >= min_events)
6862 if (!io_run_task_work())
6867 #ifdef CONFIG_COMPAT
6868 if (in_compat_syscall())
6869 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6873 ret = set_user_sigmask(sig, sigsz);
6880 struct timespec64 ts;
6882 if (get_timespec64(&ts, uts))
6884 timeout = timespec64_to_jiffies(&ts);
6887 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6888 trace_io_uring_cqring_wait(ctx, min_events);
6890 /* if we can't even flush overflow, don't wait for more */
6891 if (!io_cqring_overflow_flush(ctx, false, NULL, NULL)) {
6895 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6896 TASK_INTERRUPTIBLE);
6897 ret = io_cqring_wait_schedule(ctx, &iowq, &timeout);
6898 finish_wait(&ctx->wait, &iowq.wq);
6902 restore_saved_sigmask_unless(ret == -EINTR);
6904 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6907 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6909 #if defined(CONFIG_UNIX)
6910 if (ctx->ring_sock) {
6911 struct sock *sock = ctx->ring_sock->sk;
6912 struct sk_buff *skb;
6914 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6920 for (i = 0; i < ctx->nr_user_files; i++) {
6923 file = io_file_from_index(ctx, i);
6930 static void io_rsrc_data_ref_zero(struct percpu_ref *ref)
6932 struct fixed_rsrc_data *data;
6934 data = container_of(ref, struct fixed_rsrc_data, refs);
6935 complete(&data->done);
6938 static inline void io_rsrc_ref_lock(struct io_ring_ctx *ctx)
6940 spin_lock_bh(&ctx->rsrc_ref_lock);
6943 static inline void io_rsrc_ref_unlock(struct io_ring_ctx *ctx)
6945 spin_unlock_bh(&ctx->rsrc_ref_lock);
6948 static void io_sqe_rsrc_set_node(struct io_ring_ctx *ctx,
6949 struct fixed_rsrc_data *rsrc_data,
6950 struct fixed_rsrc_ref_node *ref_node)
6952 io_rsrc_ref_lock(ctx);
6953 rsrc_data->node = ref_node;
6954 list_add_tail(&ref_node->node, &ctx->rsrc_ref_list);
6955 io_rsrc_ref_unlock(ctx);
6956 percpu_ref_get(&rsrc_data->refs);
6959 static void io_sqe_rsrc_kill_node(struct io_ring_ctx *ctx, struct fixed_rsrc_data *data)
6961 struct fixed_rsrc_ref_node *ref_node = NULL;
6963 io_rsrc_ref_lock(ctx);
6964 ref_node = data->node;
6966 io_rsrc_ref_unlock(ctx);
6968 percpu_ref_kill(&ref_node->refs);
6971 static int io_rsrc_ref_quiesce(struct fixed_rsrc_data *data,
6972 struct io_ring_ctx *ctx,
6973 void (*rsrc_put)(struct io_ring_ctx *ctx,
6974 struct io_rsrc_put *prsrc))
6976 struct fixed_rsrc_ref_node *backup_node;
6982 data->quiesce = true;
6985 backup_node = alloc_fixed_rsrc_ref_node(ctx);
6988 backup_node->rsrc_data = data;
6989 backup_node->rsrc_put = rsrc_put;
6991 io_sqe_rsrc_kill_node(ctx, data);
6992 percpu_ref_kill(&data->refs);
6993 flush_delayed_work(&ctx->rsrc_put_work);
6995 ret = wait_for_completion_interruptible(&data->done);
6999 percpu_ref_resurrect(&data->refs);
7000 io_sqe_rsrc_set_node(ctx, data, backup_node);
7002 reinit_completion(&data->done);
7003 mutex_unlock(&ctx->uring_lock);
7004 ret = io_run_task_work_sig();
7005 mutex_lock(&ctx->uring_lock);
7007 data->quiesce = false;
7010 destroy_fixed_rsrc_ref_node(backup_node);
7014 static struct fixed_rsrc_data *alloc_fixed_rsrc_data(struct io_ring_ctx *ctx)
7016 struct fixed_rsrc_data *data;
7018 data = kzalloc(sizeof(*data), GFP_KERNEL);
7022 if (percpu_ref_init(&data->refs, io_rsrc_data_ref_zero,
7023 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
7028 init_completion(&data->done);
7032 static void free_fixed_rsrc_data(struct fixed_rsrc_data *data)
7034 percpu_ref_exit(&data->refs);
7039 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
7041 struct fixed_rsrc_data *data = ctx->file_data;
7042 unsigned nr_tables, i;
7046 * percpu_ref_is_dying() is to stop parallel files unregister
7047 * Since we possibly drop uring lock later in this function to
7050 if (!data || percpu_ref_is_dying(&data->refs))
7052 ret = io_rsrc_ref_quiesce(data, ctx, io_ring_file_put);
7056 __io_sqe_files_unregister(ctx);
7057 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
7058 for (i = 0; i < nr_tables; i++)
7059 kfree(data->table[i].files);
7060 free_fixed_rsrc_data(data);
7061 ctx->file_data = NULL;
7062 ctx->nr_user_files = 0;
7066 static void io_sq_thread_unpark(struct io_sq_data *sqd)
7067 __releases(&sqd->lock)
7069 WARN_ON_ONCE(sqd->thread == current);
7072 * Do the dance but not conditional clear_bit() because it'd race with
7073 * other threads incrementing park_pending and setting the bit.
7075 clear_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
7076 if (atomic_dec_return(&sqd->park_pending))
7077 set_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
7078 mutex_unlock(&sqd->lock);
7081 static void io_sq_thread_park(struct io_sq_data *sqd)
7082 __acquires(&sqd->lock)
7084 WARN_ON_ONCE(sqd->thread == current);
7086 atomic_inc(&sqd->park_pending);
7087 set_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
7088 mutex_lock(&sqd->lock);
7090 wake_up_process(sqd->thread);
7093 static void io_sq_thread_stop(struct io_sq_data *sqd)
7095 WARN_ON_ONCE(sqd->thread == current);
7097 mutex_lock(&sqd->lock);
7098 set_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state);
7100 wake_up_process(sqd->thread);
7101 mutex_unlock(&sqd->lock);
7102 wait_for_completion(&sqd->exited);
7105 static void io_put_sq_data(struct io_sq_data *sqd)
7107 if (refcount_dec_and_test(&sqd->refs)) {
7108 WARN_ON_ONCE(atomic_read(&sqd->park_pending));
7110 io_sq_thread_stop(sqd);
7115 static void io_sq_thread_finish(struct io_ring_ctx *ctx)
7117 struct io_sq_data *sqd = ctx->sq_data;
7120 io_sq_thread_park(sqd);
7121 list_del_init(&ctx->sqd_list);
7122 io_sqd_update_thread_idle(sqd);
7123 io_sq_thread_unpark(sqd);
7125 io_put_sq_data(sqd);
7126 ctx->sq_data = NULL;
7128 put_cred(ctx->sq_creds);
7132 static struct io_sq_data *io_attach_sq_data(struct io_uring_params *p)
7134 struct io_ring_ctx *ctx_attach;
7135 struct io_sq_data *sqd;
7138 f = fdget(p->wq_fd);
7140 return ERR_PTR(-ENXIO);
7141 if (f.file->f_op != &io_uring_fops) {
7143 return ERR_PTR(-EINVAL);
7146 ctx_attach = f.file->private_data;
7147 sqd = ctx_attach->sq_data;
7150 return ERR_PTR(-EINVAL);
7152 if (sqd->task_tgid != current->tgid) {
7154 return ERR_PTR(-EPERM);
7157 refcount_inc(&sqd->refs);
7162 static struct io_sq_data *io_get_sq_data(struct io_uring_params *p,
7165 struct io_sq_data *sqd;
7168 if (p->flags & IORING_SETUP_ATTACH_WQ) {
7169 sqd = io_attach_sq_data(p);
7174 /* fall through for EPERM case, setup new sqd/task */
7175 if (PTR_ERR(sqd) != -EPERM)
7179 sqd = kzalloc(sizeof(*sqd), GFP_KERNEL);
7181 return ERR_PTR(-ENOMEM);
7183 atomic_set(&sqd->park_pending, 0);
7184 refcount_set(&sqd->refs, 1);
7185 INIT_LIST_HEAD(&sqd->ctx_list);
7186 mutex_init(&sqd->lock);
7187 init_waitqueue_head(&sqd->wait);
7188 init_completion(&sqd->exited);
7192 #if defined(CONFIG_UNIX)
7194 * Ensure the UNIX gc is aware of our file set, so we are certain that
7195 * the io_uring can be safely unregistered on process exit, even if we have
7196 * loops in the file referencing.
7198 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
7200 struct sock *sk = ctx->ring_sock->sk;
7201 struct scm_fp_list *fpl;
7202 struct sk_buff *skb;
7205 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
7209 skb = alloc_skb(0, GFP_KERNEL);
7218 fpl->user = get_uid(current_user());
7219 for (i = 0; i < nr; i++) {
7220 struct file *file = io_file_from_index(ctx, i + offset);
7224 fpl->fp[nr_files] = get_file(file);
7225 unix_inflight(fpl->user, fpl->fp[nr_files]);
7230 fpl->max = SCM_MAX_FD;
7231 fpl->count = nr_files;
7232 UNIXCB(skb).fp = fpl;
7233 skb->destructor = unix_destruct_scm;
7234 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
7235 skb_queue_head(&sk->sk_receive_queue, skb);
7237 for (i = 0; i < nr_files; i++)
7248 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
7249 * causes regular reference counting to break down. We rely on the UNIX
7250 * garbage collection to take care of this problem for us.
7252 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7254 unsigned left, total;
7258 left = ctx->nr_user_files;
7260 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
7262 ret = __io_sqe_files_scm(ctx, this_files, total);
7266 total += this_files;
7272 while (total < ctx->nr_user_files) {
7273 struct file *file = io_file_from_index(ctx, total);
7283 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7289 static int io_sqe_alloc_file_tables(struct fixed_rsrc_data *file_data,
7290 unsigned nr_tables, unsigned nr_files)
7294 for (i = 0; i < nr_tables; i++) {
7295 struct fixed_rsrc_table *table = &file_data->table[i];
7296 unsigned this_files;
7298 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
7299 table->files = kcalloc(this_files, sizeof(struct file *),
7303 nr_files -= this_files;
7309 for (i = 0; i < nr_tables; i++) {
7310 struct fixed_rsrc_table *table = &file_data->table[i];
7311 kfree(table->files);
7316 static void io_ring_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
7318 struct file *file = prsrc->file;
7319 #if defined(CONFIG_UNIX)
7320 struct sock *sock = ctx->ring_sock->sk;
7321 struct sk_buff_head list, *head = &sock->sk_receive_queue;
7322 struct sk_buff *skb;
7325 __skb_queue_head_init(&list);
7328 * Find the skb that holds this file in its SCM_RIGHTS. When found,
7329 * remove this entry and rearrange the file array.
7331 skb = skb_dequeue(head);
7333 struct scm_fp_list *fp;
7335 fp = UNIXCB(skb).fp;
7336 for (i = 0; i < fp->count; i++) {
7339 if (fp->fp[i] != file)
7342 unix_notinflight(fp->user, fp->fp[i]);
7343 left = fp->count - 1 - i;
7345 memmove(&fp->fp[i], &fp->fp[i + 1],
7346 left * sizeof(struct file *));
7353 __skb_queue_tail(&list, skb);
7363 __skb_queue_tail(&list, skb);
7365 skb = skb_dequeue(head);
7368 if (skb_peek(&list)) {
7369 spin_lock_irq(&head->lock);
7370 while ((skb = __skb_dequeue(&list)) != NULL)
7371 __skb_queue_tail(head, skb);
7372 spin_unlock_irq(&head->lock);
7379 static void __io_rsrc_put_work(struct fixed_rsrc_ref_node *ref_node)
7381 struct fixed_rsrc_data *rsrc_data = ref_node->rsrc_data;
7382 struct io_ring_ctx *ctx = rsrc_data->ctx;
7383 struct io_rsrc_put *prsrc, *tmp;
7385 list_for_each_entry_safe(prsrc, tmp, &ref_node->rsrc_list, list) {
7386 list_del(&prsrc->list);
7387 ref_node->rsrc_put(ctx, prsrc);
7391 percpu_ref_exit(&ref_node->refs);
7393 percpu_ref_put(&rsrc_data->refs);
7396 static void io_rsrc_put_work(struct work_struct *work)
7398 struct io_ring_ctx *ctx;
7399 struct llist_node *node;
7401 ctx = container_of(work, struct io_ring_ctx, rsrc_put_work.work);
7402 node = llist_del_all(&ctx->rsrc_put_llist);
7405 struct fixed_rsrc_ref_node *ref_node;
7406 struct llist_node *next = node->next;
7408 ref_node = llist_entry(node, struct fixed_rsrc_ref_node, llist);
7409 __io_rsrc_put_work(ref_node);
7414 static struct file **io_fixed_file_slot(struct fixed_rsrc_data *file_data,
7417 struct fixed_rsrc_table *table;
7419 table = &file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7420 return &table->files[i & IORING_FILE_TABLE_MASK];
7423 static void io_rsrc_node_ref_zero(struct percpu_ref *ref)
7425 struct fixed_rsrc_ref_node *ref_node;
7426 struct fixed_rsrc_data *data;
7427 struct io_ring_ctx *ctx;
7428 bool first_add = false;
7431 ref_node = container_of(ref, struct fixed_rsrc_ref_node, refs);
7432 data = ref_node->rsrc_data;
7435 io_rsrc_ref_lock(ctx);
7436 ref_node->done = true;
7438 while (!list_empty(&ctx->rsrc_ref_list)) {
7439 ref_node = list_first_entry(&ctx->rsrc_ref_list,
7440 struct fixed_rsrc_ref_node, node);
7441 /* recycle ref nodes in order */
7442 if (!ref_node->done)
7444 list_del(&ref_node->node);
7445 first_add |= llist_add(&ref_node->llist, &ctx->rsrc_put_llist);
7447 io_rsrc_ref_unlock(ctx);
7449 if (percpu_ref_is_dying(&data->refs))
7453 mod_delayed_work(system_wq, &ctx->rsrc_put_work, 0);
7455 queue_delayed_work(system_wq, &ctx->rsrc_put_work, delay);
7458 static struct fixed_rsrc_ref_node *alloc_fixed_rsrc_ref_node(
7459 struct io_ring_ctx *ctx)
7461 struct fixed_rsrc_ref_node *ref_node;
7463 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
7467 if (percpu_ref_init(&ref_node->refs, io_rsrc_node_ref_zero,
7472 INIT_LIST_HEAD(&ref_node->node);
7473 INIT_LIST_HEAD(&ref_node->rsrc_list);
7474 ref_node->done = false;
7478 static void init_fixed_file_ref_node(struct io_ring_ctx *ctx,
7479 struct fixed_rsrc_ref_node *ref_node)
7481 ref_node->rsrc_data = ctx->file_data;
7482 ref_node->rsrc_put = io_ring_file_put;
7485 static void destroy_fixed_rsrc_ref_node(struct fixed_rsrc_ref_node *ref_node)
7487 percpu_ref_exit(&ref_node->refs);
7492 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
7495 __s32 __user *fds = (__s32 __user *) arg;
7496 unsigned nr_tables, i;
7498 int fd, ret = -ENOMEM;
7499 struct fixed_rsrc_ref_node *ref_node;
7500 struct fixed_rsrc_data *file_data;
7506 if (nr_args > IORING_MAX_FIXED_FILES)
7509 file_data = alloc_fixed_rsrc_data(ctx);
7512 ctx->file_data = file_data;
7514 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
7515 file_data->table = kcalloc(nr_tables, sizeof(*file_data->table),
7517 if (!file_data->table)
7520 if (io_sqe_alloc_file_tables(file_data, nr_tables, nr_args))
7523 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
7524 if (copy_from_user(&fd, &fds[i], sizeof(fd))) {
7528 /* allow sparse sets */
7538 * Don't allow io_uring instances to be registered. If UNIX
7539 * isn't enabled, then this causes a reference cycle and this
7540 * instance can never get freed. If UNIX is enabled we'll
7541 * handle it just fine, but there's still no point in allowing
7542 * a ring fd as it doesn't support regular read/write anyway.
7544 if (file->f_op == &io_uring_fops) {
7548 *io_fixed_file_slot(file_data, i) = file;
7551 ret = io_sqe_files_scm(ctx);
7553 io_sqe_files_unregister(ctx);
7557 ref_node = alloc_fixed_rsrc_ref_node(ctx);
7559 io_sqe_files_unregister(ctx);
7562 init_fixed_file_ref_node(ctx, ref_node);
7564 io_sqe_rsrc_set_node(ctx, file_data, ref_node);
7567 for (i = 0; i < ctx->nr_user_files; i++) {
7568 file = io_file_from_index(ctx, i);
7572 for (i = 0; i < nr_tables; i++)
7573 kfree(file_data->table[i].files);
7574 ctx->nr_user_files = 0;
7576 free_fixed_rsrc_data(ctx->file_data);
7577 ctx->file_data = NULL;
7581 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
7584 #if defined(CONFIG_UNIX)
7585 struct sock *sock = ctx->ring_sock->sk;
7586 struct sk_buff_head *head = &sock->sk_receive_queue;
7587 struct sk_buff *skb;
7590 * See if we can merge this file into an existing skb SCM_RIGHTS
7591 * file set. If there's no room, fall back to allocating a new skb
7592 * and filling it in.
7594 spin_lock_irq(&head->lock);
7595 skb = skb_peek(head);
7597 struct scm_fp_list *fpl = UNIXCB(skb).fp;
7599 if (fpl->count < SCM_MAX_FD) {
7600 __skb_unlink(skb, head);
7601 spin_unlock_irq(&head->lock);
7602 fpl->fp[fpl->count] = get_file(file);
7603 unix_inflight(fpl->user, fpl->fp[fpl->count]);
7605 spin_lock_irq(&head->lock);
7606 __skb_queue_head(head, skb);
7611 spin_unlock_irq(&head->lock);
7618 return __io_sqe_files_scm(ctx, 1, index);
7624 static int io_queue_rsrc_removal(struct fixed_rsrc_data *data, void *rsrc)
7626 struct io_rsrc_put *prsrc;
7627 struct fixed_rsrc_ref_node *ref_node = data->node;
7629 prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);
7634 list_add(&prsrc->list, &ref_node->rsrc_list);
7639 static inline int io_queue_file_removal(struct fixed_rsrc_data *data,
7642 return io_queue_rsrc_removal(data, (void *)file);
7645 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
7646 struct io_uring_rsrc_update *up,
7649 struct fixed_rsrc_data *data = ctx->file_data;
7650 struct fixed_rsrc_ref_node *ref_node;
7651 struct file *file, **file_slot;
7655 bool needs_switch = false;
7657 if (check_add_overflow(up->offset, nr_args, &done))
7659 if (done > ctx->nr_user_files)
7662 ref_node = alloc_fixed_rsrc_ref_node(ctx);
7665 init_fixed_file_ref_node(ctx, ref_node);
7667 fds = u64_to_user_ptr(up->data);
7668 for (done = 0; done < nr_args; done++) {
7670 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
7674 if (fd == IORING_REGISTER_FILES_SKIP)
7677 i = array_index_nospec(up->offset + done, ctx->nr_user_files);
7678 file_slot = io_fixed_file_slot(ctx->file_data, i);
7681 err = io_queue_file_removal(data, *file_slot);
7685 needs_switch = true;
7694 * Don't allow io_uring instances to be registered. If
7695 * UNIX isn't enabled, then this causes a reference
7696 * cycle and this instance can never get freed. If UNIX
7697 * is enabled we'll handle it just fine, but there's
7698 * still no point in allowing a ring fd as it doesn't
7699 * support regular read/write anyway.
7701 if (file->f_op == &io_uring_fops) {
7707 err = io_sqe_file_register(ctx, file, i);
7717 percpu_ref_kill(&data->node->refs);
7718 io_sqe_rsrc_set_node(ctx, data, ref_node);
7720 destroy_fixed_rsrc_ref_node(ref_node);
7722 return done ? done : err;
7725 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
7728 struct io_uring_rsrc_update up;
7730 if (!ctx->file_data)
7734 if (copy_from_user(&up, arg, sizeof(up)))
7739 return __io_sqe_files_update(ctx, &up, nr_args);
7742 static struct io_wq_work *io_free_work(struct io_wq_work *work)
7744 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7746 req = io_put_req_find_next(req);
7747 return req ? &req->work : NULL;
7750 static struct io_wq *io_init_wq_offload(struct io_ring_ctx *ctx)
7752 struct io_wq_hash *hash;
7753 struct io_wq_data data;
7754 unsigned int concurrency;
7756 hash = ctx->hash_map;
7758 hash = kzalloc(sizeof(*hash), GFP_KERNEL);
7760 return ERR_PTR(-ENOMEM);
7761 refcount_set(&hash->refs, 1);
7762 init_waitqueue_head(&hash->wait);
7763 ctx->hash_map = hash;
7767 data.free_work = io_free_work;
7768 data.do_work = io_wq_submit_work;
7770 /* Do QD, or 4 * CPUS, whatever is smallest */
7771 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
7773 return io_wq_create(concurrency, &data);
7776 static int io_uring_alloc_task_context(struct task_struct *task,
7777 struct io_ring_ctx *ctx)
7779 struct io_uring_task *tctx;
7782 tctx = kmalloc(sizeof(*tctx), GFP_KERNEL);
7783 if (unlikely(!tctx))
7786 ret = percpu_counter_init(&tctx->inflight, 0, GFP_KERNEL);
7787 if (unlikely(ret)) {
7792 tctx->io_wq = io_init_wq_offload(ctx);
7793 if (IS_ERR(tctx->io_wq)) {
7794 ret = PTR_ERR(tctx->io_wq);
7795 percpu_counter_destroy(&tctx->inflight);
7801 init_waitqueue_head(&tctx->wait);
7803 atomic_set(&tctx->in_idle, 0);
7804 task->io_uring = tctx;
7805 spin_lock_init(&tctx->task_lock);
7806 INIT_WQ_LIST(&tctx->task_list);
7807 tctx->task_state = 0;
7808 init_task_work(&tctx->task_work, tctx_task_work);
7812 void __io_uring_free(struct task_struct *tsk)
7814 struct io_uring_task *tctx = tsk->io_uring;
7816 WARN_ON_ONCE(!xa_empty(&tctx->xa));
7817 WARN_ON_ONCE(tctx->io_wq);
7819 percpu_counter_destroy(&tctx->inflight);
7821 tsk->io_uring = NULL;
7824 static int io_sq_offload_create(struct io_ring_ctx *ctx,
7825 struct io_uring_params *p)
7829 /* Retain compatibility with failing for an invalid attach attempt */
7830 if ((ctx->flags & (IORING_SETUP_ATTACH_WQ | IORING_SETUP_SQPOLL)) ==
7831 IORING_SETUP_ATTACH_WQ) {
7834 f = fdget(p->wq_fd);
7837 if (f.file->f_op != &io_uring_fops) {
7843 if (ctx->flags & IORING_SETUP_SQPOLL) {
7844 struct task_struct *tsk;
7845 struct io_sq_data *sqd;
7849 if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_NICE))
7852 sqd = io_get_sq_data(p, &attached);
7858 ctx->sq_creds = get_current_cred();
7860 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
7861 if (!ctx->sq_thread_idle)
7862 ctx->sq_thread_idle = HZ;
7865 io_sq_thread_park(sqd);
7866 /* don't attach to a dying SQPOLL thread, would be racy */
7867 if (attached && !sqd->thread) {
7870 list_add(&ctx->sqd_list, &sqd->ctx_list);
7871 io_sqd_update_thread_idle(sqd);
7873 io_sq_thread_unpark(sqd);
7876 io_put_sq_data(sqd);
7877 ctx->sq_data = NULL;
7879 } else if (attached) {
7883 if (p->flags & IORING_SETUP_SQ_AFF) {
7884 int cpu = p->sq_thread_cpu;
7887 if (cpu >= nr_cpu_ids)
7889 if (!cpu_online(cpu))
7897 sqd->task_pid = current->pid;
7898 sqd->task_tgid = current->tgid;
7899 tsk = create_io_thread(io_sq_thread, sqd, NUMA_NO_NODE);
7906 ret = io_uring_alloc_task_context(tsk, ctx);
7907 wake_up_new_task(tsk);
7910 } else if (p->flags & IORING_SETUP_SQ_AFF) {
7911 /* Can't have SQ_AFF without SQPOLL */
7918 io_sq_thread_finish(ctx);
7921 complete(&ctx->sq_data->exited);
7925 static inline void __io_unaccount_mem(struct user_struct *user,
7926 unsigned long nr_pages)
7928 atomic_long_sub(nr_pages, &user->locked_vm);
7931 static inline int __io_account_mem(struct user_struct *user,
7932 unsigned long nr_pages)
7934 unsigned long page_limit, cur_pages, new_pages;
7936 /* Don't allow more pages than we can safely lock */
7937 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7940 cur_pages = atomic_long_read(&user->locked_vm);
7941 new_pages = cur_pages + nr_pages;
7942 if (new_pages > page_limit)
7944 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7945 new_pages) != cur_pages);
7950 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
7953 __io_unaccount_mem(ctx->user, nr_pages);
7955 if (ctx->mm_account)
7956 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
7959 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
7964 ret = __io_account_mem(ctx->user, nr_pages);
7969 if (ctx->mm_account)
7970 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
7975 static void io_mem_free(void *ptr)
7982 page = virt_to_head_page(ptr);
7983 if (put_page_testzero(page))
7984 free_compound_page(page);
7987 static void *io_mem_alloc(size_t size)
7989 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7990 __GFP_NORETRY | __GFP_ACCOUNT;
7992 return (void *) __get_free_pages(gfp_flags, get_order(size));
7995 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7998 struct io_rings *rings;
7999 size_t off, sq_array_size;
8001 off = struct_size(rings, cqes, cq_entries);
8002 if (off == SIZE_MAX)
8006 off = ALIGN(off, SMP_CACHE_BYTES);
8014 sq_array_size = array_size(sizeof(u32), sq_entries);
8015 if (sq_array_size == SIZE_MAX)
8018 if (check_add_overflow(off, sq_array_size, &off))
8024 static int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
8028 if (!ctx->user_bufs)
8031 for (i = 0; i < ctx->nr_user_bufs; i++) {
8032 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8034 for (j = 0; j < imu->nr_bvecs; j++)
8035 unpin_user_page(imu->bvec[j].bv_page);
8037 if (imu->acct_pages)
8038 io_unaccount_mem(ctx, imu->acct_pages);
8043 kfree(ctx->user_bufs);
8044 ctx->user_bufs = NULL;
8045 ctx->nr_user_bufs = 0;
8049 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
8050 void __user *arg, unsigned index)
8052 struct iovec __user *src;
8054 #ifdef CONFIG_COMPAT
8056 struct compat_iovec __user *ciovs;
8057 struct compat_iovec ciov;
8059 ciovs = (struct compat_iovec __user *) arg;
8060 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
8063 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
8064 dst->iov_len = ciov.iov_len;
8068 src = (struct iovec __user *) arg;
8069 if (copy_from_user(dst, &src[index], sizeof(*dst)))
8075 * Not super efficient, but this is just a registration time. And we do cache
8076 * the last compound head, so generally we'll only do a full search if we don't
8079 * We check if the given compound head page has already been accounted, to
8080 * avoid double accounting it. This allows us to account the full size of the
8081 * page, not just the constituent pages of a huge page.
8083 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
8084 int nr_pages, struct page *hpage)
8088 /* check current page array */
8089 for (i = 0; i < nr_pages; i++) {
8090 if (!PageCompound(pages[i]))
8092 if (compound_head(pages[i]) == hpage)
8096 /* check previously registered pages */
8097 for (i = 0; i < ctx->nr_user_bufs; i++) {
8098 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8100 for (j = 0; j < imu->nr_bvecs; j++) {
8101 if (!PageCompound(imu->bvec[j].bv_page))
8103 if (compound_head(imu->bvec[j].bv_page) == hpage)
8111 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
8112 int nr_pages, struct io_mapped_ubuf *imu,
8113 struct page **last_hpage)
8117 for (i = 0; i < nr_pages; i++) {
8118 if (!PageCompound(pages[i])) {
8123 hpage = compound_head(pages[i]);
8124 if (hpage == *last_hpage)
8126 *last_hpage = hpage;
8127 if (headpage_already_acct(ctx, pages, i, hpage))
8129 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
8133 if (!imu->acct_pages)
8136 ret = io_account_mem(ctx, imu->acct_pages);
8138 imu->acct_pages = 0;
8142 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
8143 struct io_mapped_ubuf *imu,
8144 struct page **last_hpage)
8146 struct vm_area_struct **vmas = NULL;
8147 struct page **pages = NULL;
8148 unsigned long off, start, end, ubuf;
8150 int ret, pret, nr_pages, i;
8152 ubuf = (unsigned long) iov->iov_base;
8153 end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
8154 start = ubuf >> PAGE_SHIFT;
8155 nr_pages = end - start;
8159 pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
8163 vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),
8168 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
8174 mmap_read_lock(current->mm);
8175 pret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
8177 if (pret == nr_pages) {
8178 /* don't support file backed memory */
8179 for (i = 0; i < nr_pages; i++) {
8180 struct vm_area_struct *vma = vmas[i];
8183 !is_file_hugepages(vma->vm_file)) {
8189 ret = pret < 0 ? pret : -EFAULT;
8191 mmap_read_unlock(current->mm);
8194 * if we did partial map, or found file backed vmas,
8195 * release any pages we did get
8198 unpin_user_pages(pages, pret);
8203 ret = io_buffer_account_pin(ctx, pages, pret, imu, last_hpage);
8205 unpin_user_pages(pages, pret);
8210 off = ubuf & ~PAGE_MASK;
8211 size = iov->iov_len;
8212 for (i = 0; i < nr_pages; i++) {
8215 vec_len = min_t(size_t, size, PAGE_SIZE - off);
8216 imu->bvec[i].bv_page = pages[i];
8217 imu->bvec[i].bv_len = vec_len;
8218 imu->bvec[i].bv_offset = off;
8222 /* store original address for later verification */
8224 imu->len = iov->iov_len;
8225 imu->nr_bvecs = nr_pages;
8233 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
8237 if (!nr_args || nr_args > UIO_MAXIOV)
8240 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
8242 if (!ctx->user_bufs)
8248 static int io_buffer_validate(struct iovec *iov)
8251 * Don't impose further limits on the size and buffer
8252 * constraints here, we'll -EINVAL later when IO is
8253 * submitted if they are wrong.
8255 if (!iov->iov_base || !iov->iov_len)
8258 /* arbitrary limit, but we need something */
8259 if (iov->iov_len > SZ_1G)
8265 static int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
8266 unsigned int nr_args)
8270 struct page *last_hpage = NULL;
8272 ret = io_buffers_map_alloc(ctx, nr_args);
8276 for (i = 0; i < nr_args; i++) {
8277 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8279 ret = io_copy_iov(ctx, &iov, arg, i);
8283 ret = io_buffer_validate(&iov);
8287 ret = io_sqe_buffer_register(ctx, &iov, imu, &last_hpage);
8291 ctx->nr_user_bufs++;
8295 io_sqe_buffers_unregister(ctx);
8300 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
8302 __s32 __user *fds = arg;
8308 if (copy_from_user(&fd, fds, sizeof(*fds)))
8311 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
8312 if (IS_ERR(ctx->cq_ev_fd)) {
8313 int ret = PTR_ERR(ctx->cq_ev_fd);
8314 ctx->cq_ev_fd = NULL;
8321 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
8323 if (ctx->cq_ev_fd) {
8324 eventfd_ctx_put(ctx->cq_ev_fd);
8325 ctx->cq_ev_fd = NULL;
8332 static void io_destroy_buffers(struct io_ring_ctx *ctx)
8334 struct io_buffer *buf;
8335 unsigned long index;
8337 xa_for_each(&ctx->io_buffers, index, buf)
8338 __io_remove_buffers(ctx, buf, index, -1U);
8341 static void io_req_cache_free(struct list_head *list, struct task_struct *tsk)
8343 struct io_kiocb *req, *nxt;
8345 list_for_each_entry_safe(req, nxt, list, compl.list) {
8346 if (tsk && req->task != tsk)
8348 list_del(&req->compl.list);
8349 kmem_cache_free(req_cachep, req);
8353 static void io_req_caches_free(struct io_ring_ctx *ctx)
8355 struct io_submit_state *submit_state = &ctx->submit_state;
8356 struct io_comp_state *cs = &ctx->submit_state.comp;
8358 mutex_lock(&ctx->uring_lock);
8360 if (submit_state->free_reqs) {
8361 kmem_cache_free_bulk(req_cachep, submit_state->free_reqs,
8362 submit_state->reqs);
8363 submit_state->free_reqs = 0;
8366 spin_lock_irq(&ctx->completion_lock);
8367 list_splice_init(&cs->locked_free_list, &cs->free_list);
8368 cs->locked_free_nr = 0;
8369 spin_unlock_irq(&ctx->completion_lock);
8371 io_req_cache_free(&cs->free_list, NULL);
8373 mutex_unlock(&ctx->uring_lock);
8376 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
8379 * Some may use context even when all refs and requests have been put,
8380 * and they are free to do so while still holding uring_lock or
8381 * completion_lock, see __io_req_task_submit(). Wait for them to finish.
8383 mutex_lock(&ctx->uring_lock);
8384 mutex_unlock(&ctx->uring_lock);
8385 spin_lock_irq(&ctx->completion_lock);
8386 spin_unlock_irq(&ctx->completion_lock);
8388 io_sq_thread_finish(ctx);
8389 io_sqe_buffers_unregister(ctx);
8391 if (ctx->mm_account) {
8392 mmdrop(ctx->mm_account);
8393 ctx->mm_account = NULL;
8396 mutex_lock(&ctx->uring_lock);
8397 io_sqe_files_unregister(ctx);
8398 mutex_unlock(&ctx->uring_lock);
8399 io_eventfd_unregister(ctx);
8400 io_destroy_buffers(ctx);
8402 #if defined(CONFIG_UNIX)
8403 if (ctx->ring_sock) {
8404 ctx->ring_sock->file = NULL; /* so that iput() is called */
8405 sock_release(ctx->ring_sock);
8409 io_mem_free(ctx->rings);
8410 io_mem_free(ctx->sq_sqes);
8412 percpu_ref_exit(&ctx->refs);
8413 free_uid(ctx->user);
8414 io_req_caches_free(ctx);
8416 io_wq_put_hash(ctx->hash_map);
8417 kfree(ctx->cancel_hash);
8421 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
8423 struct io_ring_ctx *ctx = file->private_data;
8426 poll_wait(file, &ctx->cq_wait, wait);
8428 * synchronizes with barrier from wq_has_sleeper call in
8432 if (!io_sqring_full(ctx))
8433 mask |= EPOLLOUT | EPOLLWRNORM;
8436 * Don't flush cqring overflow list here, just do a simple check.
8437 * Otherwise there could possible be ABBA deadlock:
8440 * lock(&ctx->uring_lock);
8442 * lock(&ctx->uring_lock);
8445 * Users may get EPOLLIN meanwhile seeing nothing in cqring, this
8446 * pushs them to do the flush.
8448 if (io_cqring_events(ctx) || test_bit(0, &ctx->cq_check_overflow))
8449 mask |= EPOLLIN | EPOLLRDNORM;
8454 static int io_uring_fasync(int fd, struct file *file, int on)
8456 struct io_ring_ctx *ctx = file->private_data;
8458 return fasync_helper(fd, file, on, &ctx->cq_fasync);
8461 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
8463 const struct cred *creds;
8465 creds = xa_erase(&ctx->personalities, id);
8474 static bool io_run_ctx_fallback(struct io_ring_ctx *ctx)
8476 struct callback_head *work, *next;
8477 bool executed = false;
8480 work = xchg(&ctx->exit_task_work, NULL);
8496 struct io_tctx_exit {
8497 struct callback_head task_work;
8498 struct completion completion;
8499 struct io_ring_ctx *ctx;
8502 static void io_tctx_exit_cb(struct callback_head *cb)
8504 struct io_uring_task *tctx = current->io_uring;
8505 struct io_tctx_exit *work;
8507 work = container_of(cb, struct io_tctx_exit, task_work);
8509 * When @in_idle, we're in cancellation and it's racy to remove the
8510 * node. It'll be removed by the end of cancellation, just ignore it.
8512 if (!atomic_read(&tctx->in_idle))
8513 io_uring_del_task_file((unsigned long)work->ctx);
8514 complete(&work->completion);
8517 static void io_ring_exit_work(struct work_struct *work)
8519 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx, exit_work);
8520 unsigned long timeout = jiffies + HZ * 60 * 5;
8521 struct io_tctx_exit exit;
8522 struct io_tctx_node *node;
8526 * If we're doing polled IO and end up having requests being
8527 * submitted async (out-of-line), then completions can come in while
8528 * we're waiting for refs to drop. We need to reap these manually,
8529 * as nobody else will be looking for them.
8532 io_uring_try_cancel_requests(ctx, NULL, NULL);
8534 WARN_ON_ONCE(time_after(jiffies, timeout));
8535 } while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));
8537 mutex_lock(&ctx->uring_lock);
8538 while (!list_empty(&ctx->tctx_list)) {
8539 WARN_ON_ONCE(time_after(jiffies, timeout));
8541 node = list_first_entry(&ctx->tctx_list, struct io_tctx_node,
8544 init_completion(&exit.completion);
8545 init_task_work(&exit.task_work, io_tctx_exit_cb);
8546 ret = task_work_add(node->task, &exit.task_work, TWA_SIGNAL);
8547 if (WARN_ON_ONCE(ret))
8549 wake_up_process(node->task);
8551 mutex_unlock(&ctx->uring_lock);
8552 wait_for_completion(&exit.completion);
8554 mutex_lock(&ctx->uring_lock);
8556 mutex_unlock(&ctx->uring_lock);
8558 io_ring_ctx_free(ctx);
8561 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
8563 unsigned long index;
8564 struct creds *creds;
8566 mutex_lock(&ctx->uring_lock);
8567 percpu_ref_kill(&ctx->refs);
8568 /* if force is set, the ring is going away. always drop after that */
8569 ctx->cq_overflow_flushed = 1;
8571 __io_cqring_overflow_flush(ctx, true, NULL, NULL);
8572 xa_for_each(&ctx->personalities, index, creds)
8573 io_unregister_personality(ctx, index);
8574 mutex_unlock(&ctx->uring_lock);
8576 /* prevent SQPOLL from submitting new requests */
8578 io_sq_thread_park(ctx->sq_data);
8579 list_del_init(&ctx->sqd_list);
8580 io_sqd_update_thread_idle(ctx->sq_data);
8581 io_sq_thread_unpark(ctx->sq_data);
8584 io_kill_timeouts(ctx, NULL, NULL);
8585 io_poll_remove_all(ctx, NULL, NULL);
8587 /* if we failed setting up the ctx, we might not have any rings */
8588 io_iopoll_try_reap_events(ctx);
8590 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
8592 * Use system_unbound_wq to avoid spawning tons of event kworkers
8593 * if we're exiting a ton of rings at the same time. It just adds
8594 * noise and overhead, there's no discernable change in runtime
8595 * over using system_wq.
8597 queue_work(system_unbound_wq, &ctx->exit_work);
8600 static int io_uring_release(struct inode *inode, struct file *file)
8602 struct io_ring_ctx *ctx = file->private_data;
8604 file->private_data = NULL;
8605 io_ring_ctx_wait_and_kill(ctx);
8609 struct io_task_cancel {
8610 struct task_struct *task;
8611 struct files_struct *files;
8614 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
8616 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
8617 struct io_task_cancel *cancel = data;
8620 if (cancel->files && (req->flags & REQ_F_LINK_TIMEOUT)) {
8621 unsigned long flags;
8622 struct io_ring_ctx *ctx = req->ctx;
8624 /* protect against races with linked timeouts */
8625 spin_lock_irqsave(&ctx->completion_lock, flags);
8626 ret = io_match_task(req, cancel->task, cancel->files);
8627 spin_unlock_irqrestore(&ctx->completion_lock, flags);
8629 ret = io_match_task(req, cancel->task, cancel->files);
8634 static bool io_cancel_defer_files(struct io_ring_ctx *ctx,
8635 struct task_struct *task,
8636 struct files_struct *files)
8638 struct io_defer_entry *de;
8641 spin_lock_irq(&ctx->completion_lock);
8642 list_for_each_entry_reverse(de, &ctx->defer_list, list) {
8643 if (io_match_task(de->req, task, files)) {
8644 list_cut_position(&list, &ctx->defer_list, &de->list);
8648 spin_unlock_irq(&ctx->completion_lock);
8649 if (list_empty(&list))
8652 while (!list_empty(&list)) {
8653 de = list_first_entry(&list, struct io_defer_entry, list);
8654 list_del_init(&de->list);
8655 req_set_fail_links(de->req);
8656 io_put_req(de->req);
8657 io_req_complete(de->req, -ECANCELED);
8663 static bool io_cancel_ctx_cb(struct io_wq_work *work, void *data)
8665 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
8667 return req->ctx == data;
8670 static bool io_uring_try_cancel_iowq(struct io_ring_ctx *ctx)
8672 struct io_tctx_node *node;
8673 enum io_wq_cancel cret;
8676 mutex_lock(&ctx->uring_lock);
8677 list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
8678 struct io_uring_task *tctx = node->task->io_uring;
8681 * io_wq will stay alive while we hold uring_lock, because it's
8682 * killed after ctx nodes, which requires to take the lock.
8684 if (!tctx || !tctx->io_wq)
8686 cret = io_wq_cancel_cb(tctx->io_wq, io_cancel_ctx_cb, ctx, true);
8687 ret |= (cret != IO_WQ_CANCEL_NOTFOUND);
8689 mutex_unlock(&ctx->uring_lock);
8694 static void io_uring_try_cancel_requests(struct io_ring_ctx *ctx,
8695 struct task_struct *task,
8696 struct files_struct *files)
8698 struct io_task_cancel cancel = { .task = task, .files = files, };
8699 struct io_uring_task *tctx = task ? task->io_uring : NULL;
8702 enum io_wq_cancel cret;
8706 ret |= io_uring_try_cancel_iowq(ctx);
8707 } else if (tctx && tctx->io_wq) {
8709 * Cancels requests of all rings, not only @ctx, but
8710 * it's fine as the task is in exit/exec.
8712 cret = io_wq_cancel_cb(tctx->io_wq, io_cancel_task_cb,
8714 ret |= (cret != IO_WQ_CANCEL_NOTFOUND);
8717 /* SQPOLL thread does its own polling */
8718 if ((!(ctx->flags & IORING_SETUP_SQPOLL) && !files) ||
8719 (ctx->sq_data && ctx->sq_data->thread == current)) {
8720 while (!list_empty_careful(&ctx->iopoll_list)) {
8721 io_iopoll_try_reap_events(ctx);
8726 ret |= io_cancel_defer_files(ctx, task, files);
8727 ret |= io_poll_remove_all(ctx, task, files);
8728 ret |= io_kill_timeouts(ctx, task, files);
8729 ret |= io_run_task_work();
8730 ret |= io_run_ctx_fallback(ctx);
8731 io_cqring_overflow_flush(ctx, true, task, files);
8738 static int io_uring_count_inflight(struct io_ring_ctx *ctx,
8739 struct task_struct *task,
8740 struct files_struct *files)
8742 struct io_kiocb *req;
8745 spin_lock_irq(&ctx->inflight_lock);
8746 list_for_each_entry(req, &ctx->inflight_list, inflight_entry)
8747 cnt += io_match_task(req, task, files);
8748 spin_unlock_irq(&ctx->inflight_lock);
8752 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
8753 struct task_struct *task,
8754 struct files_struct *files)
8756 while (!list_empty_careful(&ctx->inflight_list)) {
8760 inflight = io_uring_count_inflight(ctx, task, files);
8764 io_uring_try_cancel_requests(ctx, task, files);
8766 prepare_to_wait(&task->io_uring->wait, &wait,
8767 TASK_UNINTERRUPTIBLE);
8768 if (inflight == io_uring_count_inflight(ctx, task, files))
8770 finish_wait(&task->io_uring->wait, &wait);
8775 * Note that this task has used io_uring. We use it for cancelation purposes.
8777 static int io_uring_add_task_file(struct io_ring_ctx *ctx)
8779 struct io_uring_task *tctx = current->io_uring;
8780 struct io_tctx_node *node;
8783 if (unlikely(!tctx)) {
8784 ret = io_uring_alloc_task_context(current, ctx);
8787 tctx = current->io_uring;
8789 if (tctx->last != ctx) {
8790 void *old = xa_load(&tctx->xa, (unsigned long)ctx);
8793 node = kmalloc(sizeof(*node), GFP_KERNEL);
8797 node->task = current;
8799 ret = xa_err(xa_store(&tctx->xa, (unsigned long)ctx,
8806 mutex_lock(&ctx->uring_lock);
8807 list_add(&node->ctx_node, &ctx->tctx_list);
8808 mutex_unlock(&ctx->uring_lock);
8816 * Remove this io_uring_file -> task mapping.
8818 static void io_uring_del_task_file(unsigned long index)
8820 struct io_uring_task *tctx = current->io_uring;
8821 struct io_tctx_node *node;
8825 node = xa_erase(&tctx->xa, index);
8829 WARN_ON_ONCE(current != node->task);
8830 WARN_ON_ONCE(list_empty(&node->ctx_node));
8832 mutex_lock(&node->ctx->uring_lock);
8833 list_del(&node->ctx_node);
8834 mutex_unlock(&node->ctx->uring_lock);
8836 if (tctx->last == node->ctx)
8841 static void io_uring_clean_tctx(struct io_uring_task *tctx)
8843 struct io_tctx_node *node;
8844 unsigned long index;
8846 xa_for_each(&tctx->xa, index, node)
8847 io_uring_del_task_file(index);
8849 io_wq_put_and_exit(tctx->io_wq);
8854 static s64 tctx_inflight(struct io_uring_task *tctx)
8856 return percpu_counter_sum(&tctx->inflight);
8859 static void io_sqpoll_cancel_cb(struct callback_head *cb)
8861 struct io_tctx_exit *work = container_of(cb, struct io_tctx_exit, task_work);
8862 struct io_ring_ctx *ctx = work->ctx;
8863 struct io_sq_data *sqd = ctx->sq_data;
8866 io_uring_cancel_sqpoll(ctx);
8867 complete(&work->completion);
8870 static void io_sqpoll_cancel_sync(struct io_ring_ctx *ctx)
8872 struct io_sq_data *sqd = ctx->sq_data;
8873 struct io_tctx_exit work = { .ctx = ctx, };
8874 struct task_struct *task;
8876 io_sq_thread_park(sqd);
8877 list_del_init(&ctx->sqd_list);
8878 io_sqd_update_thread_idle(sqd);
8881 init_completion(&work.completion);
8882 init_task_work(&work.task_work, io_sqpoll_cancel_cb);
8883 WARN_ON_ONCE(task_work_add(task, &work.task_work, TWA_SIGNAL));
8884 wake_up_process(task);
8886 io_sq_thread_unpark(sqd);
8889 wait_for_completion(&work.completion);
8892 void __io_uring_files_cancel(struct files_struct *files)
8894 struct io_uring_task *tctx = current->io_uring;
8895 struct io_tctx_node *node;
8896 unsigned long index;
8898 /* make sure overflow events are dropped */
8899 atomic_inc(&tctx->in_idle);
8900 xa_for_each(&tctx->xa, index, node) {
8901 struct io_ring_ctx *ctx = node->ctx;
8904 io_sqpoll_cancel_sync(ctx);
8907 io_uring_cancel_files(ctx, current, files);
8909 io_uring_try_cancel_requests(ctx, current, NULL);
8911 atomic_dec(&tctx->in_idle);
8914 io_uring_clean_tctx(tctx);
8917 /* should only be called by SQPOLL task */
8918 static void io_uring_cancel_sqpoll(struct io_ring_ctx *ctx)
8920 struct io_sq_data *sqd = ctx->sq_data;
8921 struct io_uring_task *tctx = current->io_uring;
8925 WARN_ON_ONCE(!sqd || ctx->sq_data->thread != current);
8927 atomic_inc(&tctx->in_idle);
8929 /* read completions before cancelations */
8930 inflight = tctx_inflight(tctx);
8933 io_uring_try_cancel_requests(ctx, current, NULL);
8935 prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
8937 * If we've seen completions, retry without waiting. This
8938 * avoids a race where a completion comes in before we did
8939 * prepare_to_wait().
8941 if (inflight == tctx_inflight(tctx))
8943 finish_wait(&tctx->wait, &wait);
8945 atomic_dec(&tctx->in_idle);
8949 * Find any io_uring fd that this task has registered or done IO on, and cancel
8952 void __io_uring_task_cancel(void)
8954 struct io_uring_task *tctx = current->io_uring;
8958 /* make sure overflow events are dropped */
8959 atomic_inc(&tctx->in_idle);
8961 /* read completions before cancelations */
8962 inflight = tctx_inflight(tctx);
8965 __io_uring_files_cancel(NULL);
8967 prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
8970 * If we've seen completions, retry without waiting. This
8971 * avoids a race where a completion comes in before we did
8972 * prepare_to_wait().
8974 if (inflight == tctx_inflight(tctx))
8976 finish_wait(&tctx->wait, &wait);
8979 atomic_dec(&tctx->in_idle);
8981 io_uring_clean_tctx(tctx);
8982 /* all current's requests should be gone, we can kill tctx */
8983 __io_uring_free(current);
8986 static void *io_uring_validate_mmap_request(struct file *file,
8987 loff_t pgoff, size_t sz)
8989 struct io_ring_ctx *ctx = file->private_data;
8990 loff_t offset = pgoff << PAGE_SHIFT;
8995 case IORING_OFF_SQ_RING:
8996 case IORING_OFF_CQ_RING:
8999 case IORING_OFF_SQES:
9003 return ERR_PTR(-EINVAL);
9006 page = virt_to_head_page(ptr);
9007 if (sz > page_size(page))
9008 return ERR_PTR(-EINVAL);
9015 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
9017 size_t sz = vma->vm_end - vma->vm_start;
9021 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
9023 return PTR_ERR(ptr);
9025 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
9026 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
9029 #else /* !CONFIG_MMU */
9031 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
9033 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
9036 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
9038 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
9041 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
9042 unsigned long addr, unsigned long len,
9043 unsigned long pgoff, unsigned long flags)
9047 ptr = io_uring_validate_mmap_request(file, pgoff, len);
9049 return PTR_ERR(ptr);
9051 return (unsigned long) ptr;
9054 #endif /* !CONFIG_MMU */
9056 static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
9061 if (!io_sqring_full(ctx))
9063 prepare_to_wait(&ctx->sqo_sq_wait, &wait, TASK_INTERRUPTIBLE);
9065 if (!io_sqring_full(ctx))
9068 } while (!signal_pending(current));
9070 finish_wait(&ctx->sqo_sq_wait, &wait);
9074 static int io_get_ext_arg(unsigned flags, const void __user *argp, size_t *argsz,
9075 struct __kernel_timespec __user **ts,
9076 const sigset_t __user **sig)
9078 struct io_uring_getevents_arg arg;
9081 * If EXT_ARG isn't set, then we have no timespec and the argp pointer
9082 * is just a pointer to the sigset_t.
9084 if (!(flags & IORING_ENTER_EXT_ARG)) {
9085 *sig = (const sigset_t __user *) argp;
9091 * EXT_ARG is set - ensure we agree on the size of it and copy in our
9092 * timespec and sigset_t pointers if good.
9094 if (*argsz != sizeof(arg))
9096 if (copy_from_user(&arg, argp, sizeof(arg)))
9098 *sig = u64_to_user_ptr(arg.sigmask);
9099 *argsz = arg.sigmask_sz;
9100 *ts = u64_to_user_ptr(arg.ts);
9104 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
9105 u32, min_complete, u32, flags, const void __user *, argp,
9108 struct io_ring_ctx *ctx;
9115 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
9116 IORING_ENTER_SQ_WAIT | IORING_ENTER_EXT_ARG))
9124 if (f.file->f_op != &io_uring_fops)
9128 ctx = f.file->private_data;
9129 if (!percpu_ref_tryget(&ctx->refs))
9133 if (ctx->flags & IORING_SETUP_R_DISABLED)
9137 * For SQ polling, the thread will do all submissions and completions.
9138 * Just return the requested submit count, and wake the thread if
9142 if (ctx->flags & IORING_SETUP_SQPOLL) {
9143 io_cqring_overflow_flush(ctx, false, NULL, NULL);
9146 if (unlikely(ctx->sq_data->thread == NULL)) {
9149 if (flags & IORING_ENTER_SQ_WAKEUP)
9150 wake_up(&ctx->sq_data->wait);
9151 if (flags & IORING_ENTER_SQ_WAIT) {
9152 ret = io_sqpoll_wait_sq(ctx);
9156 submitted = to_submit;
9157 } else if (to_submit) {
9158 ret = io_uring_add_task_file(ctx);
9161 mutex_lock(&ctx->uring_lock);
9162 submitted = io_submit_sqes(ctx, to_submit);
9163 mutex_unlock(&ctx->uring_lock);
9165 if (submitted != to_submit)
9168 if (flags & IORING_ENTER_GETEVENTS) {
9169 const sigset_t __user *sig;
9170 struct __kernel_timespec __user *ts;
9172 ret = io_get_ext_arg(flags, argp, &argsz, &ts, &sig);
9176 min_complete = min(min_complete, ctx->cq_entries);
9179 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
9180 * space applications don't need to do io completion events
9181 * polling again, they can rely on io_sq_thread to do polling
9182 * work, which can reduce cpu usage and uring_lock contention.
9184 if (ctx->flags & IORING_SETUP_IOPOLL &&
9185 !(ctx->flags & IORING_SETUP_SQPOLL)) {
9186 ret = io_iopoll_check(ctx, min_complete);
9188 ret = io_cqring_wait(ctx, min_complete, sig, argsz, ts);
9193 percpu_ref_put(&ctx->refs);
9196 return submitted ? submitted : ret;
9199 #ifdef CONFIG_PROC_FS
9200 static int io_uring_show_cred(struct seq_file *m, unsigned int id,
9201 const struct cred *cred)
9203 struct user_namespace *uns = seq_user_ns(m);
9204 struct group_info *gi;
9209 seq_printf(m, "%5d\n", id);
9210 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
9211 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
9212 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
9213 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
9214 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
9215 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
9216 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
9217 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
9218 seq_puts(m, "\n\tGroups:\t");
9219 gi = cred->group_info;
9220 for (g = 0; g < gi->ngroups; g++) {
9221 seq_put_decimal_ull(m, g ? " " : "",
9222 from_kgid_munged(uns, gi->gid[g]));
9224 seq_puts(m, "\n\tCapEff:\t");
9225 cap = cred->cap_effective;
9226 CAP_FOR_EACH_U32(__capi)
9227 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
9232 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
9234 struct io_sq_data *sq = NULL;
9239 * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
9240 * since fdinfo case grabs it in the opposite direction of normal use
9241 * cases. If we fail to get the lock, we just don't iterate any
9242 * structures that could be going away outside the io_uring mutex.
9244 has_lock = mutex_trylock(&ctx->uring_lock);
9246 if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) {
9252 seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1);
9253 seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1);
9254 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
9255 for (i = 0; has_lock && i < ctx->nr_user_files; i++) {
9256 struct file *f = *io_fixed_file_slot(ctx->file_data, i);
9259 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
9261 seq_printf(m, "%5u: <none>\n", i);
9263 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
9264 for (i = 0; has_lock && i < ctx->nr_user_bufs; i++) {
9265 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
9267 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
9268 (unsigned int) buf->len);
9270 if (has_lock && !xa_empty(&ctx->personalities)) {
9271 unsigned long index;
9272 const struct cred *cred;
9274 seq_printf(m, "Personalities:\n");
9275 xa_for_each(&ctx->personalities, index, cred)
9276 io_uring_show_cred(m, index, cred);
9278 seq_printf(m, "PollList:\n");
9279 spin_lock_irq(&ctx->completion_lock);
9280 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
9281 struct hlist_head *list = &ctx->cancel_hash[i];
9282 struct io_kiocb *req;
9284 hlist_for_each_entry(req, list, hash_node)
9285 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
9286 req->task->task_works != NULL);
9288 spin_unlock_irq(&ctx->completion_lock);
9290 mutex_unlock(&ctx->uring_lock);
9293 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
9295 struct io_ring_ctx *ctx = f->private_data;
9297 if (percpu_ref_tryget(&ctx->refs)) {
9298 __io_uring_show_fdinfo(ctx, m);
9299 percpu_ref_put(&ctx->refs);
9304 static const struct file_operations io_uring_fops = {
9305 .release = io_uring_release,
9306 .mmap = io_uring_mmap,
9308 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
9309 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
9311 .poll = io_uring_poll,
9312 .fasync = io_uring_fasync,
9313 #ifdef CONFIG_PROC_FS
9314 .show_fdinfo = io_uring_show_fdinfo,
9318 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
9319 struct io_uring_params *p)
9321 struct io_rings *rings;
9322 size_t size, sq_array_offset;
9324 /* make sure these are sane, as we already accounted them */
9325 ctx->sq_entries = p->sq_entries;
9326 ctx->cq_entries = p->cq_entries;
9328 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
9329 if (size == SIZE_MAX)
9332 rings = io_mem_alloc(size);
9337 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
9338 rings->sq_ring_mask = p->sq_entries - 1;
9339 rings->cq_ring_mask = p->cq_entries - 1;
9340 rings->sq_ring_entries = p->sq_entries;
9341 rings->cq_ring_entries = p->cq_entries;
9342 ctx->sq_mask = rings->sq_ring_mask;
9343 ctx->cq_mask = rings->cq_ring_mask;
9345 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
9346 if (size == SIZE_MAX) {
9347 io_mem_free(ctx->rings);
9352 ctx->sq_sqes = io_mem_alloc(size);
9353 if (!ctx->sq_sqes) {
9354 io_mem_free(ctx->rings);
9362 static int io_uring_install_fd(struct io_ring_ctx *ctx, struct file *file)
9366 fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
9370 ret = io_uring_add_task_file(ctx);
9375 fd_install(fd, file);
9380 * Allocate an anonymous fd, this is what constitutes the application
9381 * visible backing of an io_uring instance. The application mmaps this
9382 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
9383 * we have to tie this fd to a socket for file garbage collection purposes.
9385 static struct file *io_uring_get_file(struct io_ring_ctx *ctx)
9388 #if defined(CONFIG_UNIX)
9391 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
9394 return ERR_PTR(ret);
9397 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
9398 O_RDWR | O_CLOEXEC);
9399 #if defined(CONFIG_UNIX)
9401 sock_release(ctx->ring_sock);
9402 ctx->ring_sock = NULL;
9404 ctx->ring_sock->file = file;
9410 static int io_uring_create(unsigned entries, struct io_uring_params *p,
9411 struct io_uring_params __user *params)
9413 struct io_ring_ctx *ctx;
9419 if (entries > IORING_MAX_ENTRIES) {
9420 if (!(p->flags & IORING_SETUP_CLAMP))
9422 entries = IORING_MAX_ENTRIES;
9426 * Use twice as many entries for the CQ ring. It's possible for the
9427 * application to drive a higher depth than the size of the SQ ring,
9428 * since the sqes are only used at submission time. This allows for
9429 * some flexibility in overcommitting a bit. If the application has
9430 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
9431 * of CQ ring entries manually.
9433 p->sq_entries = roundup_pow_of_two(entries);
9434 if (p->flags & IORING_SETUP_CQSIZE) {
9436 * If IORING_SETUP_CQSIZE is set, we do the same roundup
9437 * to a power-of-two, if it isn't already. We do NOT impose
9438 * any cq vs sq ring sizing.
9442 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
9443 if (!(p->flags & IORING_SETUP_CLAMP))
9445 p->cq_entries = IORING_MAX_CQ_ENTRIES;
9447 p->cq_entries = roundup_pow_of_two(p->cq_entries);
9448 if (p->cq_entries < p->sq_entries)
9451 p->cq_entries = 2 * p->sq_entries;
9454 ctx = io_ring_ctx_alloc(p);
9457 ctx->compat = in_compat_syscall();
9458 if (!capable(CAP_IPC_LOCK))
9459 ctx->user = get_uid(current_user());
9462 * This is just grabbed for accounting purposes. When a process exits,
9463 * the mm is exited and dropped before the files, hence we need to hang
9464 * on to this mm purely for the purposes of being able to unaccount
9465 * memory (locked/pinned vm). It's not used for anything else.
9467 mmgrab(current->mm);
9468 ctx->mm_account = current->mm;
9470 ret = io_allocate_scq_urings(ctx, p);
9474 ret = io_sq_offload_create(ctx, p);
9478 memset(&p->sq_off, 0, sizeof(p->sq_off));
9479 p->sq_off.head = offsetof(struct io_rings, sq.head);
9480 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
9481 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
9482 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
9483 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
9484 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
9485 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
9487 memset(&p->cq_off, 0, sizeof(p->cq_off));
9488 p->cq_off.head = offsetof(struct io_rings, cq.head);
9489 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
9490 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
9491 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
9492 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
9493 p->cq_off.cqes = offsetof(struct io_rings, cqes);
9494 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
9496 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
9497 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
9498 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
9499 IORING_FEAT_POLL_32BITS | IORING_FEAT_SQPOLL_NONFIXED |
9500 IORING_FEAT_EXT_ARG | IORING_FEAT_NATIVE_WORKERS;
9502 if (copy_to_user(params, p, sizeof(*p))) {
9507 file = io_uring_get_file(ctx);
9509 ret = PTR_ERR(file);
9514 * Install ring fd as the very last thing, so we don't risk someone
9515 * having closed it before we finish setup
9517 ret = io_uring_install_fd(ctx, file);
9519 /* fput will clean it up */
9524 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
9527 io_ring_ctx_wait_and_kill(ctx);
9532 * Sets up an aio uring context, and returns the fd. Applications asks for a
9533 * ring size, we return the actual sq/cq ring sizes (among other things) in the
9534 * params structure passed in.
9536 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
9538 struct io_uring_params p;
9541 if (copy_from_user(&p, params, sizeof(p)))
9543 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
9548 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
9549 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
9550 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ |
9551 IORING_SETUP_R_DISABLED))
9554 return io_uring_create(entries, &p, params);
9557 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
9558 struct io_uring_params __user *, params)
9560 return io_uring_setup(entries, params);
9563 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
9565 struct io_uring_probe *p;
9569 size = struct_size(p, ops, nr_args);
9570 if (size == SIZE_MAX)
9572 p = kzalloc(size, GFP_KERNEL);
9577 if (copy_from_user(p, arg, size))
9580 if (memchr_inv(p, 0, size))
9583 p->last_op = IORING_OP_LAST - 1;
9584 if (nr_args > IORING_OP_LAST)
9585 nr_args = IORING_OP_LAST;
9587 for (i = 0; i < nr_args; i++) {
9589 if (!io_op_defs[i].not_supported)
9590 p->ops[i].flags = IO_URING_OP_SUPPORTED;
9595 if (copy_to_user(arg, p, size))
9602 static int io_register_personality(struct io_ring_ctx *ctx)
9604 const struct cred *creds;
9608 creds = get_current_cred();
9610 ret = xa_alloc_cyclic(&ctx->personalities, &id, (void *)creds,
9611 XA_LIMIT(0, USHRT_MAX), &ctx->pers_next, GFP_KERNEL);
9618 static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg,
9619 unsigned int nr_args)
9621 struct io_uring_restriction *res;
9625 /* Restrictions allowed only if rings started disabled */
9626 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9629 /* We allow only a single restrictions registration */
9630 if (ctx->restrictions.registered)
9633 if (!arg || nr_args > IORING_MAX_RESTRICTIONS)
9636 size = array_size(nr_args, sizeof(*res));
9637 if (size == SIZE_MAX)
9640 res = memdup_user(arg, size);
9642 return PTR_ERR(res);
9646 for (i = 0; i < nr_args; i++) {
9647 switch (res[i].opcode) {
9648 case IORING_RESTRICTION_REGISTER_OP:
9649 if (res[i].register_op >= IORING_REGISTER_LAST) {
9654 __set_bit(res[i].register_op,
9655 ctx->restrictions.register_op);
9657 case IORING_RESTRICTION_SQE_OP:
9658 if (res[i].sqe_op >= IORING_OP_LAST) {
9663 __set_bit(res[i].sqe_op, ctx->restrictions.sqe_op);
9665 case IORING_RESTRICTION_SQE_FLAGS_ALLOWED:
9666 ctx->restrictions.sqe_flags_allowed = res[i].sqe_flags;
9668 case IORING_RESTRICTION_SQE_FLAGS_REQUIRED:
9669 ctx->restrictions.sqe_flags_required = res[i].sqe_flags;
9678 /* Reset all restrictions if an error happened */
9680 memset(&ctx->restrictions, 0, sizeof(ctx->restrictions));
9682 ctx->restrictions.registered = true;
9688 static int io_register_enable_rings(struct io_ring_ctx *ctx)
9690 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9693 if (ctx->restrictions.registered)
9694 ctx->restricted = 1;
9696 ctx->flags &= ~IORING_SETUP_R_DISABLED;
9697 if (ctx->sq_data && wq_has_sleeper(&ctx->sq_data->wait))
9698 wake_up(&ctx->sq_data->wait);
9702 static bool io_register_op_must_quiesce(int op)
9705 case IORING_UNREGISTER_FILES:
9706 case IORING_REGISTER_FILES_UPDATE:
9707 case IORING_REGISTER_PROBE:
9708 case IORING_REGISTER_PERSONALITY:
9709 case IORING_UNREGISTER_PERSONALITY:
9716 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
9717 void __user *arg, unsigned nr_args)
9718 __releases(ctx->uring_lock)
9719 __acquires(ctx->uring_lock)
9724 * We're inside the ring mutex, if the ref is already dying, then
9725 * someone else killed the ctx or is already going through
9726 * io_uring_register().
9728 if (percpu_ref_is_dying(&ctx->refs))
9731 if (io_register_op_must_quiesce(opcode)) {
9732 percpu_ref_kill(&ctx->refs);
9735 * Drop uring mutex before waiting for references to exit. If
9736 * another thread is currently inside io_uring_enter() it might
9737 * need to grab the uring_lock to make progress. If we hold it
9738 * here across the drain wait, then we can deadlock. It's safe
9739 * to drop the mutex here, since no new references will come in
9740 * after we've killed the percpu ref.
9742 mutex_unlock(&ctx->uring_lock);
9744 ret = wait_for_completion_interruptible(&ctx->ref_comp);
9747 ret = io_run_task_work_sig();
9752 mutex_lock(&ctx->uring_lock);
9755 percpu_ref_resurrect(&ctx->refs);
9760 if (ctx->restricted) {
9761 if (opcode >= IORING_REGISTER_LAST) {
9766 if (!test_bit(opcode, ctx->restrictions.register_op)) {
9773 case IORING_REGISTER_BUFFERS:
9774 ret = io_sqe_buffers_register(ctx, arg, nr_args);
9776 case IORING_UNREGISTER_BUFFERS:
9780 ret = io_sqe_buffers_unregister(ctx);
9782 case IORING_REGISTER_FILES:
9783 ret = io_sqe_files_register(ctx, arg, nr_args);
9785 case IORING_UNREGISTER_FILES:
9789 ret = io_sqe_files_unregister(ctx);
9791 case IORING_REGISTER_FILES_UPDATE:
9792 ret = io_sqe_files_update(ctx, arg, nr_args);
9794 case IORING_REGISTER_EVENTFD:
9795 case IORING_REGISTER_EVENTFD_ASYNC:
9799 ret = io_eventfd_register(ctx, arg);
9802 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
9803 ctx->eventfd_async = 1;
9805 ctx->eventfd_async = 0;
9807 case IORING_UNREGISTER_EVENTFD:
9811 ret = io_eventfd_unregister(ctx);
9813 case IORING_REGISTER_PROBE:
9815 if (!arg || nr_args > 256)
9817 ret = io_probe(ctx, arg, nr_args);
9819 case IORING_REGISTER_PERSONALITY:
9823 ret = io_register_personality(ctx);
9825 case IORING_UNREGISTER_PERSONALITY:
9829 ret = io_unregister_personality(ctx, nr_args);
9831 case IORING_REGISTER_ENABLE_RINGS:
9835 ret = io_register_enable_rings(ctx);
9837 case IORING_REGISTER_RESTRICTIONS:
9838 ret = io_register_restrictions(ctx, arg, nr_args);
9846 if (io_register_op_must_quiesce(opcode)) {
9847 /* bring the ctx back to life */
9848 percpu_ref_reinit(&ctx->refs);
9850 reinit_completion(&ctx->ref_comp);
9855 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
9856 void __user *, arg, unsigned int, nr_args)
9858 struct io_ring_ctx *ctx;
9867 if (f.file->f_op != &io_uring_fops)
9870 ctx = f.file->private_data;
9874 mutex_lock(&ctx->uring_lock);
9875 ret = __io_uring_register(ctx, opcode, arg, nr_args);
9876 mutex_unlock(&ctx->uring_lock);
9877 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
9878 ctx->cq_ev_fd != NULL, ret);
9884 static int __init io_uring_init(void)
9886 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
9887 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
9888 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
9891 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
9892 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
9893 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
9894 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
9895 BUILD_BUG_SQE_ELEM(1, __u8, flags);
9896 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
9897 BUILD_BUG_SQE_ELEM(4, __s32, fd);
9898 BUILD_BUG_SQE_ELEM(8, __u64, off);
9899 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
9900 BUILD_BUG_SQE_ELEM(16, __u64, addr);
9901 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
9902 BUILD_BUG_SQE_ELEM(24, __u32, len);
9903 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
9904 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
9905 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
9906 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
9907 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
9908 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
9909 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
9910 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
9911 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
9912 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
9913 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
9914 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
9915 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
9916 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
9917 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
9918 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
9919 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
9920 BUILD_BUG_SQE_ELEM(42, __u16, personality);
9921 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
9923 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
9924 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
9925 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
9929 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob