1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
79 #include <linux/splice.h>
80 #include <linux/task_work.h>
81 #include <linux/pagemap.h>
82 #include <linux/io_uring.h>
83 #include <linux/blk-cgroup.h>
84 #include <linux/audit.h>
86 #define CREATE_TRACE_POINTS
87 #include <trace/events/io_uring.h>
89 #include <uapi/linux/io_uring.h>
94 #define IORING_MAX_ENTRIES 32768
95 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
98 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
100 #define IORING_FILE_TABLE_SHIFT 9
101 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
102 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
103 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
104 #define IORING_MAX_RESTRICTIONS (IORING_RESTRICTION_LAST + \
105 IORING_REGISTER_LAST + IORING_OP_LAST)
108 u32 head ____cacheline_aligned_in_smp;
109 u32 tail ____cacheline_aligned_in_smp;
113 * This data is shared with the application through the mmap at offsets
114 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
116 * The offsets to the member fields are published through struct
117 * io_sqring_offsets when calling io_uring_setup.
121 * Head and tail offsets into the ring; the offsets need to be
122 * masked to get valid indices.
124 * The kernel controls head of the sq ring and the tail of the cq ring,
125 * and the application controls tail of the sq ring and the head of the
128 struct io_uring sq, cq;
130 * Bitmasks to apply to head and tail offsets (constant, equals
133 u32 sq_ring_mask, cq_ring_mask;
134 /* Ring sizes (constant, power of 2) */
135 u32 sq_ring_entries, cq_ring_entries;
137 * Number of invalid entries dropped by the kernel due to
138 * invalid index stored in array
140 * Written by the kernel, shouldn't be modified by the
141 * application (i.e. get number of "new events" by comparing to
144 * After a new SQ head value was read by the application this
145 * counter includes all submissions that were dropped reaching
146 * the new SQ head (and possibly more).
152 * Written by the kernel, shouldn't be modified by the
155 * The application needs a full memory barrier before checking
156 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
162 * Written by the application, shouldn't be modified by the
167 * Number of completion events lost because the queue was full;
168 * this should be avoided by the application by making sure
169 * there are not more requests pending than there is space in
170 * the completion queue.
172 * Written by the kernel, shouldn't be modified by the
173 * application (i.e. get number of "new events" by comparing to
176 * As completion events come in out of order this counter is not
177 * ordered with any other data.
181 * Ring buffer of completion events.
183 * The kernel writes completion events fresh every time they are
184 * produced, so the application is allowed to modify pending
187 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
190 struct io_mapped_ubuf {
193 struct bio_vec *bvec;
194 unsigned int nr_bvecs;
195 unsigned long acct_pages;
198 struct fixed_file_table {
202 struct fixed_file_ref_node {
203 struct percpu_ref refs;
204 struct list_head node;
205 struct list_head file_list;
206 struct fixed_file_data *file_data;
207 struct llist_node llist;
210 struct fixed_file_data {
211 struct fixed_file_table *table;
212 struct io_ring_ctx *ctx;
214 struct fixed_file_ref_node *node;
215 struct percpu_ref refs;
216 struct completion done;
217 struct list_head ref_list;
222 struct list_head list;
228 struct io_restriction {
229 DECLARE_BITMAP(register_op, IORING_REGISTER_LAST);
230 DECLARE_BITMAP(sqe_op, IORING_OP_LAST);
231 u8 sqe_flags_allowed;
232 u8 sqe_flags_required;
240 /* ctx's that are using this sqd */
241 struct list_head ctx_list;
242 struct list_head ctx_new_list;
243 struct mutex ctx_lock;
245 struct task_struct *thread;
246 struct wait_queue_head wait;
251 struct percpu_ref refs;
252 } ____cacheline_aligned_in_smp;
256 unsigned int compat: 1;
257 unsigned int limit_mem: 1;
258 unsigned int cq_overflow_flushed: 1;
259 unsigned int drain_next: 1;
260 unsigned int eventfd_async: 1;
261 unsigned int restricted: 1;
264 * Ring buffer of indices into array of io_uring_sqe, which is
265 * mmapped by the application using the IORING_OFF_SQES offset.
267 * This indirection could e.g. be used to assign fixed
268 * io_uring_sqe entries to operations and only submit them to
269 * the queue when needed.
271 * The kernel modifies neither the indices array nor the entries
275 unsigned cached_sq_head;
278 unsigned sq_thread_idle;
279 unsigned cached_sq_dropped;
280 unsigned cached_cq_overflow;
281 unsigned long sq_check_overflow;
283 struct list_head defer_list;
284 struct list_head timeout_list;
285 struct list_head cq_overflow_list;
287 wait_queue_head_t inflight_wait;
288 struct io_uring_sqe *sq_sqes;
289 } ____cacheline_aligned_in_smp;
291 struct io_rings *rings;
297 * For SQPOLL usage - we hold a reference to the parent task, so we
298 * have access to the ->files
300 struct task_struct *sqo_task;
302 /* Only used for accounting purposes */
303 struct mm_struct *mm_account;
305 #ifdef CONFIG_BLK_CGROUP
306 struct cgroup_subsys_state *sqo_blkcg_css;
309 struct io_sq_data *sq_data; /* if using sq thread polling */
311 struct wait_queue_head sqo_sq_wait;
312 struct wait_queue_entry sqo_wait_entry;
313 struct list_head sqd_list;
316 * If used, fixed file set. Writers must ensure that ->refs is dead,
317 * readers must ensure that ->refs is alive as long as the file* is
318 * used. Only updated through io_uring_register(2).
320 struct fixed_file_data *file_data;
321 unsigned nr_user_files;
323 /* if used, fixed mapped user buffers */
324 unsigned nr_user_bufs;
325 struct io_mapped_ubuf *user_bufs;
327 struct user_struct *user;
329 const struct cred *creds;
333 unsigned int sessionid;
336 struct completion ref_comp;
337 struct completion sq_thread_comp;
339 /* if all else fails... */
340 struct io_kiocb *fallback_req;
342 #if defined(CONFIG_UNIX)
343 struct socket *ring_sock;
346 struct idr io_buffer_idr;
348 struct idr personality_idr;
351 unsigned cached_cq_tail;
354 atomic_t cq_timeouts;
355 unsigned long cq_check_overflow;
356 struct wait_queue_head cq_wait;
357 struct fasync_struct *cq_fasync;
358 struct eventfd_ctx *cq_ev_fd;
359 } ____cacheline_aligned_in_smp;
362 struct mutex uring_lock;
363 wait_queue_head_t wait;
364 } ____cacheline_aligned_in_smp;
367 spinlock_t completion_lock;
370 * ->iopoll_list is protected by the ctx->uring_lock for
371 * io_uring instances that don't use IORING_SETUP_SQPOLL.
372 * For SQPOLL, only the single threaded io_sq_thread() will
373 * manipulate the list, hence no extra locking is needed there.
375 struct list_head iopoll_list;
376 struct hlist_head *cancel_hash;
377 unsigned cancel_hash_bits;
378 bool poll_multi_file;
380 spinlock_t inflight_lock;
381 struct list_head inflight_list;
382 } ____cacheline_aligned_in_smp;
384 struct delayed_work file_put_work;
385 struct llist_head file_put_llist;
387 struct work_struct exit_work;
388 struct io_restriction restrictions;
392 * First field must be the file pointer in all the
393 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
395 struct io_poll_iocb {
398 struct wait_queue_head *head;
404 struct wait_queue_entry wait;
409 struct file *put_file;
413 struct io_timeout_data {
414 struct io_kiocb *req;
415 struct hrtimer timer;
416 struct timespec64 ts;
417 enum hrtimer_mode mode;
422 struct sockaddr __user *addr;
423 int __user *addr_len;
425 unsigned long nofile;
445 struct list_head list;
448 struct io_timeout_rem {
454 /* NOTE: kiocb has the file as the first member, so don't do it here */
462 struct sockaddr __user *addr;
469 struct user_msghdr __user *umsg;
475 struct io_buffer *kbuf;
481 struct filename *filename;
483 unsigned long nofile;
486 struct io_files_update {
512 struct epoll_event event;
516 struct file *file_out;
517 struct file *file_in;
524 struct io_provide_buf {
538 const char __user *filename;
539 struct statx __user *buffer;
542 struct io_completion {
544 struct list_head list;
548 struct io_async_connect {
549 struct sockaddr_storage address;
552 struct io_async_msghdr {
553 struct iovec fast_iov[UIO_FASTIOV];
555 struct sockaddr __user *uaddr;
557 struct sockaddr_storage addr;
561 struct iovec fast_iov[UIO_FASTIOV];
562 const struct iovec *free_iovec;
563 struct iov_iter iter;
565 struct wait_page_queue wpq;
569 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
570 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
571 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
572 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
573 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
574 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
581 REQ_F_LINK_TIMEOUT_BIT,
583 REQ_F_NEED_CLEANUP_BIT,
585 REQ_F_BUFFER_SELECTED_BIT,
586 REQ_F_NO_FILE_TABLE_BIT,
587 REQ_F_WORK_INITIALIZED_BIT,
588 REQ_F_LTIMEOUT_ACTIVE_BIT,
590 /* not a real bit, just to check we're not overflowing the space */
596 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
597 /* drain existing IO first */
598 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
600 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
601 /* doesn't sever on completion < 0 */
602 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
604 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
605 /* IOSQE_BUFFER_SELECT */
606 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
609 REQ_F_LINK_HEAD = BIT(REQ_F_LINK_HEAD_BIT),
610 /* fail rest of links */
611 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
612 /* on inflight list */
613 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
614 /* read/write uses file position */
615 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
616 /* must not punt to workers */
617 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
618 /* has or had linked timeout */
619 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
621 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
623 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
624 /* already went through poll handler */
625 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
626 /* buffer already selected */
627 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
628 /* doesn't need file table for this request */
629 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
630 /* io_wq_work is initialized */
631 REQ_F_WORK_INITIALIZED = BIT(REQ_F_WORK_INITIALIZED_BIT),
632 /* linked timeout is active, i.e. prepared by link's head */
633 REQ_F_LTIMEOUT_ACTIVE = BIT(REQ_F_LTIMEOUT_ACTIVE_BIT),
637 struct io_poll_iocb poll;
638 struct io_poll_iocb *double_poll;
642 * NOTE! Each of the iocb union members has the file pointer
643 * as the first entry in their struct definition. So you can
644 * access the file pointer through any of the sub-structs,
645 * or directly as just 'ki_filp' in this struct.
651 struct io_poll_iocb poll;
652 struct io_accept accept;
654 struct io_cancel cancel;
655 struct io_timeout timeout;
656 struct io_timeout_rem timeout_rem;
657 struct io_connect connect;
658 struct io_sr_msg sr_msg;
660 struct io_close close;
661 struct io_files_update files_update;
662 struct io_fadvise fadvise;
663 struct io_madvise madvise;
664 struct io_epoll epoll;
665 struct io_splice splice;
666 struct io_provide_buf pbuf;
667 struct io_statx statx;
668 /* use only after cleaning per-op data, see io_clean_op() */
669 struct io_completion compl;
672 /* opcode allocated if it needs to store data for async defer */
675 /* polled IO has completed */
681 struct io_ring_ctx *ctx;
684 struct task_struct *task;
687 struct list_head link_list;
690 * 1. used with ctx->iopoll_list with reads/writes
691 * 2. to track reqs with ->files (see io_op_def::file_table)
693 struct list_head inflight_entry;
695 struct percpu_ref *fixed_file_refs;
696 struct callback_head task_work;
697 /* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */
698 struct hlist_node hash_node;
699 struct async_poll *apoll;
700 struct io_wq_work work;
703 struct io_defer_entry {
704 struct list_head list;
705 struct io_kiocb *req;
709 #define IO_IOPOLL_BATCH 8
711 struct io_comp_state {
713 struct list_head list;
714 struct io_ring_ctx *ctx;
717 struct io_submit_state {
718 struct blk_plug plug;
721 * io_kiocb alloc cache
723 void *reqs[IO_IOPOLL_BATCH];
724 unsigned int free_reqs;
727 * Batch completion logic
729 struct io_comp_state comp;
732 * File reference cache
736 unsigned int has_refs;
737 unsigned int ios_left;
741 /* needs req->file assigned */
742 unsigned needs_file : 1;
743 /* don't fail if file grab fails */
744 unsigned needs_file_no_error : 1;
745 /* hash wq insertion if file is a regular file */
746 unsigned hash_reg_file : 1;
747 /* unbound wq insertion if file is a non-regular file */
748 unsigned unbound_nonreg_file : 1;
749 /* opcode is not supported by this kernel */
750 unsigned not_supported : 1;
751 /* set if opcode supports polled "wait" */
753 unsigned pollout : 1;
754 /* op supports buffer selection */
755 unsigned buffer_select : 1;
756 /* must always have async data allocated */
757 unsigned needs_async_data : 1;
758 /* size of async data needed, if any */
759 unsigned short async_size;
763 static const struct io_op_def io_op_defs[] = {
764 [IORING_OP_NOP] = {},
765 [IORING_OP_READV] = {
767 .unbound_nonreg_file = 1,
770 .needs_async_data = 1,
771 .async_size = sizeof(struct io_async_rw),
772 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
774 [IORING_OP_WRITEV] = {
777 .unbound_nonreg_file = 1,
779 .needs_async_data = 1,
780 .async_size = sizeof(struct io_async_rw),
781 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
784 [IORING_OP_FSYNC] = {
786 .work_flags = IO_WQ_WORK_BLKCG,
788 [IORING_OP_READ_FIXED] = {
790 .unbound_nonreg_file = 1,
792 .async_size = sizeof(struct io_async_rw),
793 .work_flags = IO_WQ_WORK_BLKCG,
795 [IORING_OP_WRITE_FIXED] = {
798 .unbound_nonreg_file = 1,
800 .async_size = sizeof(struct io_async_rw),
801 .work_flags = IO_WQ_WORK_BLKCG | IO_WQ_WORK_FSIZE,
803 [IORING_OP_POLL_ADD] = {
805 .unbound_nonreg_file = 1,
807 [IORING_OP_POLL_REMOVE] = {},
808 [IORING_OP_SYNC_FILE_RANGE] = {
810 .work_flags = IO_WQ_WORK_BLKCG,
812 [IORING_OP_SENDMSG] = {
814 .unbound_nonreg_file = 1,
816 .needs_async_data = 1,
817 .async_size = sizeof(struct io_async_msghdr),
818 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
821 [IORING_OP_RECVMSG] = {
823 .unbound_nonreg_file = 1,
826 .needs_async_data = 1,
827 .async_size = sizeof(struct io_async_msghdr),
828 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
831 [IORING_OP_TIMEOUT] = {
832 .needs_async_data = 1,
833 .async_size = sizeof(struct io_timeout_data),
834 .work_flags = IO_WQ_WORK_MM,
836 [IORING_OP_TIMEOUT_REMOVE] = {},
837 [IORING_OP_ACCEPT] = {
839 .unbound_nonreg_file = 1,
841 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_FILES,
843 [IORING_OP_ASYNC_CANCEL] = {},
844 [IORING_OP_LINK_TIMEOUT] = {
845 .needs_async_data = 1,
846 .async_size = sizeof(struct io_timeout_data),
847 .work_flags = IO_WQ_WORK_MM,
849 [IORING_OP_CONNECT] = {
851 .unbound_nonreg_file = 1,
853 .needs_async_data = 1,
854 .async_size = sizeof(struct io_async_connect),
855 .work_flags = IO_WQ_WORK_MM,
857 [IORING_OP_FALLOCATE] = {
859 .work_flags = IO_WQ_WORK_BLKCG | IO_WQ_WORK_FSIZE,
861 [IORING_OP_OPENAT] = {
862 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_BLKCG |
865 [IORING_OP_CLOSE] = {
867 .needs_file_no_error = 1,
868 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_BLKCG,
870 [IORING_OP_FILES_UPDATE] = {
871 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_MM,
873 [IORING_OP_STATX] = {
874 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_MM |
875 IO_WQ_WORK_FS | IO_WQ_WORK_BLKCG,
879 .unbound_nonreg_file = 1,
882 .async_size = sizeof(struct io_async_rw),
883 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
885 [IORING_OP_WRITE] = {
887 .unbound_nonreg_file = 1,
889 .async_size = sizeof(struct io_async_rw),
890 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
893 [IORING_OP_FADVISE] = {
895 .work_flags = IO_WQ_WORK_BLKCG,
897 [IORING_OP_MADVISE] = {
898 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
902 .unbound_nonreg_file = 1,
904 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
908 .unbound_nonreg_file = 1,
911 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
913 [IORING_OP_OPENAT2] = {
914 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_FS |
917 [IORING_OP_EPOLL_CTL] = {
918 .unbound_nonreg_file = 1,
919 .work_flags = IO_WQ_WORK_FILES,
921 [IORING_OP_SPLICE] = {
924 .unbound_nonreg_file = 1,
925 .work_flags = IO_WQ_WORK_BLKCG,
927 [IORING_OP_PROVIDE_BUFFERS] = {},
928 [IORING_OP_REMOVE_BUFFERS] = {},
932 .unbound_nonreg_file = 1,
936 enum io_mem_account {
941 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
942 struct io_comp_state *cs);
943 static void io_cqring_fill_event(struct io_kiocb *req, long res);
944 static void io_put_req(struct io_kiocb *req);
945 static void io_put_req_deferred(struct io_kiocb *req, int nr);
946 static void io_double_put_req(struct io_kiocb *req);
947 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
948 static void __io_queue_linked_timeout(struct io_kiocb *req);
949 static void io_queue_linked_timeout(struct io_kiocb *req);
950 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
951 struct io_uring_files_update *ip,
953 static void __io_clean_op(struct io_kiocb *req);
954 static struct file *io_file_get(struct io_submit_state *state,
955 struct io_kiocb *req, int fd, bool fixed);
956 static void __io_queue_sqe(struct io_kiocb *req, struct io_comp_state *cs);
957 static void io_file_put_work(struct work_struct *work);
959 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
960 struct iovec **iovec, struct iov_iter *iter,
962 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
963 const struct iovec *fast_iov,
964 struct iov_iter *iter, bool force);
966 static struct kmem_cache *req_cachep;
968 static const struct file_operations io_uring_fops;
970 struct sock *io_uring_get_socket(struct file *file)
972 #if defined(CONFIG_UNIX)
973 if (file->f_op == &io_uring_fops) {
974 struct io_ring_ctx *ctx = file->private_data;
976 return ctx->ring_sock->sk;
981 EXPORT_SYMBOL(io_uring_get_socket);
983 static inline void io_clean_op(struct io_kiocb *req)
985 if (req->flags & (REQ_F_NEED_CLEANUP | REQ_F_BUFFER_SELECTED |
990 static void io_sq_thread_drop_mm(void)
992 struct mm_struct *mm = current->mm;
995 kthread_unuse_mm(mm);
1000 static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
1003 if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
1004 !ctx->sqo_task->mm ||
1005 !mmget_not_zero(ctx->sqo_task->mm)))
1007 kthread_use_mm(ctx->sqo_task->mm);
1013 static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
1014 struct io_kiocb *req)
1016 if (!(io_op_defs[req->opcode].work_flags & IO_WQ_WORK_MM))
1018 return __io_sq_thread_acquire_mm(ctx);
1021 static void io_sq_thread_associate_blkcg(struct io_ring_ctx *ctx,
1022 struct cgroup_subsys_state **cur_css)
1025 #ifdef CONFIG_BLK_CGROUP
1026 /* puts the old one when swapping */
1027 if (*cur_css != ctx->sqo_blkcg_css) {
1028 kthread_associate_blkcg(ctx->sqo_blkcg_css);
1029 *cur_css = ctx->sqo_blkcg_css;
1034 static void io_sq_thread_unassociate_blkcg(void)
1036 #ifdef CONFIG_BLK_CGROUP
1037 kthread_associate_blkcg(NULL);
1041 static inline void req_set_fail_links(struct io_kiocb *req)
1043 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1044 req->flags |= REQ_F_FAIL_LINK;
1048 * None of these are dereferenced, they are simply used to check if any of
1049 * them have changed. If we're under current and check they are still the
1050 * same, we're fine to grab references to them for actual out-of-line use.
1052 static void io_init_identity(struct io_identity *id)
1054 id->files = current->files;
1055 id->mm = current->mm;
1056 #ifdef CONFIG_BLK_CGROUP
1058 id->blkcg_css = blkcg_css();
1061 id->creds = current_cred();
1062 id->nsproxy = current->nsproxy;
1063 id->fs = current->fs;
1064 id->fsize = rlimit(RLIMIT_FSIZE);
1066 id->loginuid = current->loginuid;
1067 id->sessionid = current->sessionid;
1069 refcount_set(&id->count, 1);
1072 static inline void __io_req_init_async(struct io_kiocb *req)
1074 memset(&req->work, 0, sizeof(req->work));
1075 req->flags |= REQ_F_WORK_INITIALIZED;
1079 * Note: must call io_req_init_async() for the first time you
1080 * touch any members of io_wq_work.
1082 static inline void io_req_init_async(struct io_kiocb *req)
1084 struct io_uring_task *tctx = current->io_uring;
1086 if (req->flags & REQ_F_WORK_INITIALIZED)
1089 __io_req_init_async(req);
1091 /* Grab a ref if this isn't our static identity */
1092 req->work.identity = tctx->identity;
1093 if (tctx->identity != &tctx->__identity)
1094 refcount_inc(&req->work.identity->count);
1097 static inline bool io_async_submit(struct io_ring_ctx *ctx)
1099 return ctx->flags & IORING_SETUP_SQPOLL;
1102 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
1104 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1106 complete(&ctx->ref_comp);
1109 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1111 return !req->timeout.off;
1114 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1116 struct io_ring_ctx *ctx;
1119 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1123 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
1124 if (!ctx->fallback_req)
1128 * Use 5 bits less than the max cq entries, that should give us around
1129 * 32 entries per hash list if totally full and uniformly spread.
1131 hash_bits = ilog2(p->cq_entries);
1135 ctx->cancel_hash_bits = hash_bits;
1136 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1138 if (!ctx->cancel_hash)
1140 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1142 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1143 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
1146 ctx->flags = p->flags;
1147 init_waitqueue_head(&ctx->sqo_sq_wait);
1148 INIT_LIST_HEAD(&ctx->sqd_list);
1149 init_waitqueue_head(&ctx->cq_wait);
1150 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1151 init_completion(&ctx->ref_comp);
1152 init_completion(&ctx->sq_thread_comp);
1153 idr_init(&ctx->io_buffer_idr);
1154 idr_init(&ctx->personality_idr);
1155 mutex_init(&ctx->uring_lock);
1156 init_waitqueue_head(&ctx->wait);
1157 spin_lock_init(&ctx->completion_lock);
1158 INIT_LIST_HEAD(&ctx->iopoll_list);
1159 INIT_LIST_HEAD(&ctx->defer_list);
1160 INIT_LIST_HEAD(&ctx->timeout_list);
1161 init_waitqueue_head(&ctx->inflight_wait);
1162 spin_lock_init(&ctx->inflight_lock);
1163 INIT_LIST_HEAD(&ctx->inflight_list);
1164 INIT_DELAYED_WORK(&ctx->file_put_work, io_file_put_work);
1165 init_llist_head(&ctx->file_put_llist);
1168 if (ctx->fallback_req)
1169 kmem_cache_free(req_cachep, ctx->fallback_req);
1170 kfree(ctx->cancel_hash);
1175 static bool req_need_defer(struct io_kiocb *req, u32 seq)
1177 if (unlikely(req->flags & REQ_F_IO_DRAIN)) {
1178 struct io_ring_ctx *ctx = req->ctx;
1180 return seq != ctx->cached_cq_tail
1181 + READ_ONCE(ctx->cached_cq_overflow);
1187 static void __io_commit_cqring(struct io_ring_ctx *ctx)
1189 struct io_rings *rings = ctx->rings;
1191 /* order cqe stores with ring update */
1192 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
1194 if (wq_has_sleeper(&ctx->cq_wait)) {
1195 wake_up_interruptible(&ctx->cq_wait);
1196 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1200 static void io_put_identity(struct io_uring_task *tctx, struct io_kiocb *req)
1202 if (req->work.identity == &tctx->__identity)
1204 if (refcount_dec_and_test(&req->work.identity->count))
1205 kfree(req->work.identity);
1208 static void io_req_clean_work(struct io_kiocb *req)
1210 if (!(req->flags & REQ_F_WORK_INITIALIZED))
1213 req->flags &= ~REQ_F_WORK_INITIALIZED;
1215 if (req->work.flags & IO_WQ_WORK_MM) {
1216 mmdrop(req->work.identity->mm);
1217 req->work.flags &= ~IO_WQ_WORK_MM;
1219 #ifdef CONFIG_BLK_CGROUP
1220 if (req->work.flags & IO_WQ_WORK_BLKCG) {
1221 css_put(req->work.identity->blkcg_css);
1222 req->work.flags &= ~IO_WQ_WORK_BLKCG;
1225 if (req->work.flags & IO_WQ_WORK_CREDS) {
1226 put_cred(req->work.identity->creds);
1227 req->work.flags &= ~IO_WQ_WORK_CREDS;
1229 if (req->work.flags & IO_WQ_WORK_FS) {
1230 struct fs_struct *fs = req->work.identity->fs;
1232 spin_lock(&req->work.identity->fs->lock);
1235 spin_unlock(&req->work.identity->fs->lock);
1238 req->work.flags &= ~IO_WQ_WORK_FS;
1241 io_put_identity(req->task->io_uring, req);
1245 * Create a private copy of io_identity, since some fields don't match
1246 * the current context.
1248 static bool io_identity_cow(struct io_kiocb *req)
1250 struct io_uring_task *tctx = current->io_uring;
1251 const struct cred *creds = NULL;
1252 struct io_identity *id;
1254 if (req->work.flags & IO_WQ_WORK_CREDS)
1255 creds = req->work.identity->creds;
1257 id = kmemdup(req->work.identity, sizeof(*id), GFP_KERNEL);
1258 if (unlikely(!id)) {
1259 req->work.flags |= IO_WQ_WORK_CANCEL;
1264 * We can safely just re-init the creds we copied Either the field
1265 * matches the current one, or we haven't grabbed it yet. The only
1266 * exception is ->creds, through registered personalities, so handle
1267 * that one separately.
1269 io_init_identity(id);
1271 req->work.identity->creds = creds;
1273 /* add one for this request */
1274 refcount_inc(&id->count);
1276 /* drop old identity, assign new one. one ref for req, one for tctx */
1277 if (req->work.identity != tctx->identity &&
1278 refcount_sub_and_test(2, &req->work.identity->count))
1279 kfree(req->work.identity);
1281 req->work.identity = id;
1282 tctx->identity = id;
1286 static bool io_grab_identity(struct io_kiocb *req)
1288 const struct io_op_def *def = &io_op_defs[req->opcode];
1289 struct io_identity *id = req->work.identity;
1290 struct io_ring_ctx *ctx = req->ctx;
1292 if (def->work_flags & IO_WQ_WORK_FSIZE) {
1293 if (id->fsize != rlimit(RLIMIT_FSIZE))
1295 req->work.flags |= IO_WQ_WORK_FSIZE;
1298 if (!(req->work.flags & IO_WQ_WORK_FILES) &&
1299 (def->work_flags & IO_WQ_WORK_FILES) &&
1300 !(req->flags & REQ_F_NO_FILE_TABLE)) {
1301 if (id->files != current->files ||
1302 id->nsproxy != current->nsproxy)
1304 atomic_inc(&id->files->count);
1305 get_nsproxy(id->nsproxy);
1306 req->flags |= REQ_F_INFLIGHT;
1308 spin_lock_irq(&ctx->inflight_lock);
1309 list_add(&req->inflight_entry, &ctx->inflight_list);
1310 spin_unlock_irq(&ctx->inflight_lock);
1311 req->work.flags |= IO_WQ_WORK_FILES;
1313 #ifdef CONFIG_BLK_CGROUP
1314 if (!(req->work.flags & IO_WQ_WORK_BLKCG) &&
1315 (def->work_flags & IO_WQ_WORK_BLKCG)) {
1317 if (id->blkcg_css != blkcg_css()) {
1322 * This should be rare, either the cgroup is dying or the task
1323 * is moving cgroups. Just punt to root for the handful of ios.
1325 if (css_tryget_online(id->blkcg_css))
1326 req->work.flags |= IO_WQ_WORK_BLKCG;
1330 if (!(req->work.flags & IO_WQ_WORK_CREDS)) {
1331 if (id->creds != current_cred())
1333 get_cred(id->creds);
1334 req->work.flags |= IO_WQ_WORK_CREDS;
1337 if (!uid_eq(current->loginuid, id->loginuid) ||
1338 current->sessionid != id->sessionid)
1341 if (!(req->work.flags & IO_WQ_WORK_FS) &&
1342 (def->work_flags & IO_WQ_WORK_FS)) {
1343 if (current->fs != id->fs)
1345 spin_lock(&id->fs->lock);
1346 if (!id->fs->in_exec) {
1348 req->work.flags |= IO_WQ_WORK_FS;
1350 req->work.flags |= IO_WQ_WORK_CANCEL;
1352 spin_unlock(¤t->fs->lock);
1358 static void io_prep_async_work(struct io_kiocb *req)
1360 const struct io_op_def *def = &io_op_defs[req->opcode];
1361 struct io_ring_ctx *ctx = req->ctx;
1362 struct io_identity *id;
1364 io_req_init_async(req);
1365 id = req->work.identity;
1367 if (req->flags & REQ_F_ISREG) {
1368 if (def->hash_reg_file || (ctx->flags & IORING_SETUP_IOPOLL))
1369 io_wq_hash_work(&req->work, file_inode(req->file));
1371 if (def->unbound_nonreg_file)
1372 req->work.flags |= IO_WQ_WORK_UNBOUND;
1375 /* ->mm can never change on us */
1376 if (!(req->work.flags & IO_WQ_WORK_MM) &&
1377 (def->work_flags & IO_WQ_WORK_MM)) {
1379 req->work.flags |= IO_WQ_WORK_MM;
1382 /* if we fail grabbing identity, we must COW, regrab, and retry */
1383 if (io_grab_identity(req))
1386 if (!io_identity_cow(req))
1389 /* can't fail at this point */
1390 if (!io_grab_identity(req))
1394 static void io_prep_async_link(struct io_kiocb *req)
1396 struct io_kiocb *cur;
1398 io_prep_async_work(req);
1399 if (req->flags & REQ_F_LINK_HEAD)
1400 list_for_each_entry(cur, &req->link_list, link_list)
1401 io_prep_async_work(cur);
1404 static struct io_kiocb *__io_queue_async_work(struct io_kiocb *req)
1406 struct io_ring_ctx *ctx = req->ctx;
1407 struct io_kiocb *link = io_prep_linked_timeout(req);
1409 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1410 &req->work, req->flags);
1411 io_wq_enqueue(ctx->io_wq, &req->work);
1415 static void io_queue_async_work(struct io_kiocb *req)
1417 struct io_kiocb *link;
1419 /* init ->work of the whole link before punting */
1420 io_prep_async_link(req);
1421 link = __io_queue_async_work(req);
1424 io_queue_linked_timeout(link);
1427 static void io_kill_timeout(struct io_kiocb *req)
1429 struct io_timeout_data *io = req->async_data;
1432 ret = hrtimer_try_to_cancel(&io->timer);
1434 atomic_set(&req->ctx->cq_timeouts,
1435 atomic_read(&req->ctx->cq_timeouts) + 1);
1436 list_del_init(&req->timeout.list);
1437 io_cqring_fill_event(req, 0);
1438 io_put_req_deferred(req, 1);
1442 static bool io_task_match(struct io_kiocb *req, struct task_struct *tsk)
1444 struct io_ring_ctx *ctx = req->ctx;
1446 if (!tsk || req->task == tsk)
1448 if (ctx->flags & IORING_SETUP_SQPOLL) {
1449 if (ctx->sq_data && req->task == ctx->sq_data->thread)
1456 * Returns true if we found and killed one or more timeouts
1458 static bool io_kill_timeouts(struct io_ring_ctx *ctx, struct task_struct *tsk)
1460 struct io_kiocb *req, *tmp;
1463 spin_lock_irq(&ctx->completion_lock);
1464 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {
1465 if (io_task_match(req, tsk)) {
1466 io_kill_timeout(req);
1470 spin_unlock_irq(&ctx->completion_lock);
1471 return canceled != 0;
1474 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1477 struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
1478 struct io_defer_entry, list);
1479 struct io_kiocb *link;
1481 if (req_need_defer(de->req, de->seq))
1483 list_del_init(&de->list);
1484 /* punt-init is done before queueing for defer */
1485 link = __io_queue_async_work(de->req);
1487 __io_queue_linked_timeout(link);
1488 /* drop submission reference */
1489 io_put_req_deferred(link, 1);
1492 } while (!list_empty(&ctx->defer_list));
1495 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1497 while (!list_empty(&ctx->timeout_list)) {
1498 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1499 struct io_kiocb, timeout.list);
1501 if (io_is_timeout_noseq(req))
1503 if (req->timeout.target_seq != ctx->cached_cq_tail
1504 - atomic_read(&ctx->cq_timeouts))
1507 list_del_init(&req->timeout.list);
1508 io_kill_timeout(req);
1512 static void io_commit_cqring(struct io_ring_ctx *ctx)
1514 io_flush_timeouts(ctx);
1515 __io_commit_cqring(ctx);
1517 if (unlikely(!list_empty(&ctx->defer_list)))
1518 __io_queue_deferred(ctx);
1521 static inline bool io_sqring_full(struct io_ring_ctx *ctx)
1523 struct io_rings *r = ctx->rings;
1525 return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == r->sq_ring_entries;
1528 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1530 struct io_rings *rings = ctx->rings;
1533 tail = ctx->cached_cq_tail;
1535 * writes to the cq entry need to come after reading head; the
1536 * control dependency is enough as we're using WRITE_ONCE to
1539 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1542 ctx->cached_cq_tail++;
1543 return &rings->cqes[tail & ctx->cq_mask];
1546 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1550 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1552 if (!ctx->eventfd_async)
1554 return io_wq_current_is_worker();
1557 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1559 if (waitqueue_active(&ctx->wait))
1560 wake_up(&ctx->wait);
1561 if (ctx->sq_data && waitqueue_active(&ctx->sq_data->wait))
1562 wake_up(&ctx->sq_data->wait);
1563 if (io_should_trigger_evfd(ctx))
1564 eventfd_signal(ctx->cq_ev_fd, 1);
1567 static void io_cqring_mark_overflow(struct io_ring_ctx *ctx)
1569 if (list_empty(&ctx->cq_overflow_list)) {
1570 clear_bit(0, &ctx->sq_check_overflow);
1571 clear_bit(0, &ctx->cq_check_overflow);
1572 ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
1576 static inline bool io_match_files(struct io_kiocb *req,
1577 struct files_struct *files)
1581 if ((req->flags & REQ_F_WORK_INITIALIZED) &&
1582 (req->work.flags & IO_WQ_WORK_FILES))
1583 return req->work.identity->files == files;
1587 /* Returns true if there are no backlogged entries after the flush */
1588 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force,
1589 struct task_struct *tsk,
1590 struct files_struct *files)
1592 struct io_rings *rings = ctx->rings;
1593 struct io_kiocb *req, *tmp;
1594 struct io_uring_cqe *cqe;
1595 unsigned long flags;
1599 if (list_empty_careful(&ctx->cq_overflow_list))
1601 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1602 rings->cq_ring_entries))
1606 spin_lock_irqsave(&ctx->completion_lock, flags);
1608 /* if force is set, the ring is going away. always drop after that */
1610 ctx->cq_overflow_flushed = 1;
1613 list_for_each_entry_safe(req, tmp, &ctx->cq_overflow_list, compl.list) {
1614 if (tsk && req->task != tsk)
1616 if (!io_match_files(req, files))
1619 cqe = io_get_cqring(ctx);
1623 list_move(&req->compl.list, &list);
1625 WRITE_ONCE(cqe->user_data, req->user_data);
1626 WRITE_ONCE(cqe->res, req->result);
1627 WRITE_ONCE(cqe->flags, req->compl.cflags);
1629 ctx->cached_cq_overflow++;
1630 WRITE_ONCE(ctx->rings->cq_overflow,
1631 ctx->cached_cq_overflow);
1635 io_commit_cqring(ctx);
1636 io_cqring_mark_overflow(ctx);
1638 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1639 io_cqring_ev_posted(ctx);
1641 while (!list_empty(&list)) {
1642 req = list_first_entry(&list, struct io_kiocb, compl.list);
1643 list_del(&req->compl.list);
1650 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1652 struct io_ring_ctx *ctx = req->ctx;
1653 struct io_uring_cqe *cqe;
1655 trace_io_uring_complete(ctx, req->user_data, res);
1658 * If we can't get a cq entry, userspace overflowed the
1659 * submission (by quite a lot). Increment the overflow count in
1662 cqe = io_get_cqring(ctx);
1664 WRITE_ONCE(cqe->user_data, req->user_data);
1665 WRITE_ONCE(cqe->res, res);
1666 WRITE_ONCE(cqe->flags, cflags);
1667 } else if (ctx->cq_overflow_flushed || req->task->io_uring->in_idle) {
1669 * If we're in ring overflow flush mode, or in task cancel mode,
1670 * then we cannot store the request for later flushing, we need
1671 * to drop it on the floor.
1673 ctx->cached_cq_overflow++;
1674 WRITE_ONCE(ctx->rings->cq_overflow, ctx->cached_cq_overflow);
1676 if (list_empty(&ctx->cq_overflow_list)) {
1677 set_bit(0, &ctx->sq_check_overflow);
1678 set_bit(0, &ctx->cq_check_overflow);
1679 ctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;
1683 req->compl.cflags = cflags;
1684 refcount_inc(&req->refs);
1685 list_add_tail(&req->compl.list, &ctx->cq_overflow_list);
1689 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1691 __io_cqring_fill_event(req, res, 0);
1694 static void io_cqring_add_event(struct io_kiocb *req, long res, long cflags)
1696 struct io_ring_ctx *ctx = req->ctx;
1697 unsigned long flags;
1699 spin_lock_irqsave(&ctx->completion_lock, flags);
1700 __io_cqring_fill_event(req, res, cflags);
1701 io_commit_cqring(ctx);
1702 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1704 io_cqring_ev_posted(ctx);
1707 static void io_submit_flush_completions(struct io_comp_state *cs)
1709 struct io_ring_ctx *ctx = cs->ctx;
1711 spin_lock_irq(&ctx->completion_lock);
1712 while (!list_empty(&cs->list)) {
1713 struct io_kiocb *req;
1715 req = list_first_entry(&cs->list, struct io_kiocb, compl.list);
1716 list_del(&req->compl.list);
1717 __io_cqring_fill_event(req, req->result, req->compl.cflags);
1720 * io_free_req() doesn't care about completion_lock unless one
1721 * of these flags is set. REQ_F_WORK_INITIALIZED is in the list
1722 * because of a potential deadlock with req->work.fs->lock
1724 if (req->flags & (REQ_F_FAIL_LINK|REQ_F_LINK_TIMEOUT
1725 |REQ_F_WORK_INITIALIZED)) {
1726 spin_unlock_irq(&ctx->completion_lock);
1728 spin_lock_irq(&ctx->completion_lock);
1733 io_commit_cqring(ctx);
1734 spin_unlock_irq(&ctx->completion_lock);
1736 io_cqring_ev_posted(ctx);
1740 static void __io_req_complete(struct io_kiocb *req, long res, unsigned cflags,
1741 struct io_comp_state *cs)
1744 io_cqring_add_event(req, res, cflags);
1749 req->compl.cflags = cflags;
1750 list_add_tail(&req->compl.list, &cs->list);
1752 io_submit_flush_completions(cs);
1756 static void io_req_complete(struct io_kiocb *req, long res)
1758 __io_req_complete(req, res, 0, NULL);
1761 static inline bool io_is_fallback_req(struct io_kiocb *req)
1763 return req == (struct io_kiocb *)
1764 ((unsigned long) req->ctx->fallback_req & ~1UL);
1767 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1769 struct io_kiocb *req;
1771 req = ctx->fallback_req;
1772 if (!test_and_set_bit_lock(0, (unsigned long *) &ctx->fallback_req))
1778 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx,
1779 struct io_submit_state *state)
1781 if (!state->free_reqs) {
1782 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1786 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1787 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1790 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1791 * retry single alloc to be on the safe side.
1793 if (unlikely(ret <= 0)) {
1794 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1795 if (!state->reqs[0])
1799 state->free_reqs = ret;
1803 return state->reqs[state->free_reqs];
1805 return io_get_fallback_req(ctx);
1808 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1812 percpu_ref_put(req->fixed_file_refs);
1817 static void io_dismantle_req(struct io_kiocb *req)
1821 if (req->async_data)
1822 kfree(req->async_data);
1824 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1826 io_req_clean_work(req);
1829 static void __io_free_req(struct io_kiocb *req)
1831 struct io_uring_task *tctx = req->task->io_uring;
1832 struct io_ring_ctx *ctx = req->ctx;
1834 io_dismantle_req(req);
1836 percpu_counter_dec(&tctx->inflight);
1838 wake_up(&tctx->wait);
1839 put_task_struct(req->task);
1841 if (likely(!io_is_fallback_req(req)))
1842 kmem_cache_free(req_cachep, req);
1844 clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
1845 percpu_ref_put(&ctx->refs);
1848 static bool io_link_cancel_timeout(struct io_kiocb *req)
1850 struct io_timeout_data *io = req->async_data;
1851 struct io_ring_ctx *ctx = req->ctx;
1854 ret = hrtimer_try_to_cancel(&io->timer);
1856 io_cqring_fill_event(req, -ECANCELED);
1857 io_commit_cqring(ctx);
1858 req->flags &= ~REQ_F_LINK_HEAD;
1859 io_put_req_deferred(req, 1);
1866 static bool __io_kill_linked_timeout(struct io_kiocb *req)
1868 struct io_kiocb *link;
1871 if (list_empty(&req->link_list))
1873 link = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1874 if (link->opcode != IORING_OP_LINK_TIMEOUT)
1877 * Can happen if a linked timeout fired and link had been like
1878 * req -> link t-out -> link t-out [-> ...]
1880 if (!(link->flags & REQ_F_LTIMEOUT_ACTIVE))
1883 list_del_init(&link->link_list);
1884 wake_ev = io_link_cancel_timeout(link);
1885 req->flags &= ~REQ_F_LINK_TIMEOUT;
1889 static void io_kill_linked_timeout(struct io_kiocb *req)
1891 struct io_ring_ctx *ctx = req->ctx;
1892 unsigned long flags;
1895 spin_lock_irqsave(&ctx->completion_lock, flags);
1896 wake_ev = __io_kill_linked_timeout(req);
1897 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1900 io_cqring_ev_posted(ctx);
1903 static struct io_kiocb *io_req_link_next(struct io_kiocb *req)
1905 struct io_kiocb *nxt;
1908 * The list should never be empty when we are called here. But could
1909 * potentially happen if the chain is messed up, check to be on the
1912 if (unlikely(list_empty(&req->link_list)))
1915 nxt = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1916 list_del_init(&req->link_list);
1917 if (!list_empty(&nxt->link_list))
1918 nxt->flags |= REQ_F_LINK_HEAD;
1923 * Called if REQ_F_LINK_HEAD is set, and we fail the head request
1925 static void io_fail_links(struct io_kiocb *req)
1927 struct io_ring_ctx *ctx = req->ctx;
1928 unsigned long flags;
1930 spin_lock_irqsave(&ctx->completion_lock, flags);
1931 while (!list_empty(&req->link_list)) {
1932 struct io_kiocb *link = list_first_entry(&req->link_list,
1933 struct io_kiocb, link_list);
1935 list_del_init(&link->link_list);
1936 trace_io_uring_fail_link(req, link);
1938 io_cqring_fill_event(link, -ECANCELED);
1941 * It's ok to free under spinlock as they're not linked anymore,
1942 * but avoid REQ_F_WORK_INITIALIZED because it may deadlock on
1945 if (link->flags & REQ_F_WORK_INITIALIZED)
1946 io_put_req_deferred(link, 2);
1948 io_double_put_req(link);
1951 io_commit_cqring(ctx);
1952 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1954 io_cqring_ev_posted(ctx);
1957 static struct io_kiocb *__io_req_find_next(struct io_kiocb *req)
1959 req->flags &= ~REQ_F_LINK_HEAD;
1960 if (req->flags & REQ_F_LINK_TIMEOUT)
1961 io_kill_linked_timeout(req);
1964 * If LINK is set, we have dependent requests in this chain. If we
1965 * didn't fail this request, queue the first one up, moving any other
1966 * dependencies to the next request. In case of failure, fail the rest
1969 if (likely(!(req->flags & REQ_F_FAIL_LINK)))
1970 return io_req_link_next(req);
1975 static struct io_kiocb *io_req_find_next(struct io_kiocb *req)
1977 if (likely(!(req->flags & REQ_F_LINK_HEAD)))
1979 return __io_req_find_next(req);
1982 static int io_req_task_work_add(struct io_kiocb *req, bool twa_signal_ok)
1984 struct task_struct *tsk = req->task;
1985 struct io_ring_ctx *ctx = req->ctx;
1988 if (tsk->flags & PF_EXITING)
1992 * SQPOLL kernel thread doesn't need notification, just a wakeup. For
1993 * all other cases, use TWA_SIGNAL unconditionally to ensure we're
1994 * processing task_work. There's no reliable way to tell if TWA_RESUME
1998 if (!(ctx->flags & IORING_SETUP_SQPOLL) && twa_signal_ok)
1999 notify = TWA_SIGNAL;
2001 ret = task_work_add(tsk, &req->task_work, notify);
2003 wake_up_process(tsk);
2008 static void __io_req_task_cancel(struct io_kiocb *req, int error)
2010 struct io_ring_ctx *ctx = req->ctx;
2012 spin_lock_irq(&ctx->completion_lock);
2013 io_cqring_fill_event(req, error);
2014 io_commit_cqring(ctx);
2015 spin_unlock_irq(&ctx->completion_lock);
2017 io_cqring_ev_posted(ctx);
2018 req_set_fail_links(req);
2019 io_double_put_req(req);
2022 static void io_req_task_cancel(struct callback_head *cb)
2024 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2025 struct io_ring_ctx *ctx = req->ctx;
2027 __io_req_task_cancel(req, -ECANCELED);
2028 percpu_ref_put(&ctx->refs);
2031 static void __io_req_task_submit(struct io_kiocb *req)
2033 struct io_ring_ctx *ctx = req->ctx;
2035 if (!__io_sq_thread_acquire_mm(ctx)) {
2036 mutex_lock(&ctx->uring_lock);
2037 __io_queue_sqe(req, NULL);
2038 mutex_unlock(&ctx->uring_lock);
2040 __io_req_task_cancel(req, -EFAULT);
2044 static void io_req_task_submit(struct callback_head *cb)
2046 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2047 struct io_ring_ctx *ctx = req->ctx;
2049 __io_req_task_submit(req);
2050 percpu_ref_put(&ctx->refs);
2053 static void io_req_task_queue(struct io_kiocb *req)
2057 init_task_work(&req->task_work, io_req_task_submit);
2058 percpu_ref_get(&req->ctx->refs);
2060 ret = io_req_task_work_add(req, true);
2061 if (unlikely(ret)) {
2062 struct task_struct *tsk;
2064 init_task_work(&req->task_work, io_req_task_cancel);
2065 tsk = io_wq_get_task(req->ctx->io_wq);
2066 task_work_add(tsk, &req->task_work, 0);
2067 wake_up_process(tsk);
2071 static void io_queue_next(struct io_kiocb *req)
2073 struct io_kiocb *nxt = io_req_find_next(req);
2076 io_req_task_queue(nxt);
2079 static void io_free_req(struct io_kiocb *req)
2086 void *reqs[IO_IOPOLL_BATCH];
2089 struct task_struct *task;
2093 static inline void io_init_req_batch(struct req_batch *rb)
2100 static void __io_req_free_batch_flush(struct io_ring_ctx *ctx,
2101 struct req_batch *rb)
2103 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
2104 percpu_ref_put_many(&ctx->refs, rb->to_free);
2108 static void io_req_free_batch_finish(struct io_ring_ctx *ctx,
2109 struct req_batch *rb)
2112 __io_req_free_batch_flush(ctx, rb);
2114 struct io_uring_task *tctx = rb->task->io_uring;
2116 percpu_counter_sub(&tctx->inflight, rb->task_refs);
2117 put_task_struct_many(rb->task, rb->task_refs);
2122 static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req)
2124 if (unlikely(io_is_fallback_req(req))) {
2128 if (req->flags & REQ_F_LINK_HEAD)
2131 if (req->task != rb->task) {
2133 struct io_uring_task *tctx = rb->task->io_uring;
2135 percpu_counter_sub(&tctx->inflight, rb->task_refs);
2136 put_task_struct_many(rb->task, rb->task_refs);
2138 rb->task = req->task;
2143 io_dismantle_req(req);
2144 rb->reqs[rb->to_free++] = req;
2145 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
2146 __io_req_free_batch_flush(req->ctx, rb);
2150 * Drop reference to request, return next in chain (if there is one) if this
2151 * was the last reference to this request.
2153 static struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
2155 struct io_kiocb *nxt = NULL;
2157 if (refcount_dec_and_test(&req->refs)) {
2158 nxt = io_req_find_next(req);
2164 static void io_put_req(struct io_kiocb *req)
2166 if (refcount_dec_and_test(&req->refs))
2170 static void io_put_req_deferred_cb(struct callback_head *cb)
2172 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2177 static void io_free_req_deferred(struct io_kiocb *req)
2181 init_task_work(&req->task_work, io_put_req_deferred_cb);
2182 ret = io_req_task_work_add(req, true);
2183 if (unlikely(ret)) {
2184 struct task_struct *tsk;
2186 tsk = io_wq_get_task(req->ctx->io_wq);
2187 task_work_add(tsk, &req->task_work, 0);
2188 wake_up_process(tsk);
2192 static inline void io_put_req_deferred(struct io_kiocb *req, int refs)
2194 if (refcount_sub_and_test(refs, &req->refs))
2195 io_free_req_deferred(req);
2198 static struct io_wq_work *io_steal_work(struct io_kiocb *req)
2200 struct io_kiocb *nxt;
2203 * A ref is owned by io-wq in which context we're. So, if that's the
2204 * last one, it's safe to steal next work. False negatives are Ok,
2205 * it just will be re-punted async in io_put_work()
2207 if (refcount_read(&req->refs) != 1)
2210 nxt = io_req_find_next(req);
2211 return nxt ? &nxt->work : NULL;
2214 static void io_double_put_req(struct io_kiocb *req)
2216 /* drop both submit and complete references */
2217 if (refcount_sub_and_test(2, &req->refs))
2221 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
2223 struct io_rings *rings = ctx->rings;
2225 if (test_bit(0, &ctx->cq_check_overflow)) {
2227 * noflush == true is from the waitqueue handler, just ensure
2228 * we wake up the task, and the next invocation will flush the
2229 * entries. We cannot safely to it from here.
2231 if (noflush && !list_empty(&ctx->cq_overflow_list))
2234 io_cqring_overflow_flush(ctx, false, NULL, NULL);
2237 /* See comment at the top of this file */
2239 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
2242 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
2244 struct io_rings *rings = ctx->rings;
2246 /* make sure SQ entry isn't read before tail */
2247 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
2250 static unsigned int io_put_kbuf(struct io_kiocb *req, struct io_buffer *kbuf)
2252 unsigned int cflags;
2254 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
2255 cflags |= IORING_CQE_F_BUFFER;
2256 req->flags &= ~REQ_F_BUFFER_SELECTED;
2261 static inline unsigned int io_put_rw_kbuf(struct io_kiocb *req)
2263 struct io_buffer *kbuf;
2265 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2266 return io_put_kbuf(req, kbuf);
2269 static inline bool io_run_task_work(void)
2272 * Not safe to run on exiting task, and the task_work handling will
2273 * not add work to such a task.
2275 if (unlikely(current->flags & PF_EXITING))
2277 if (current->task_works) {
2278 __set_current_state(TASK_RUNNING);
2286 static void io_iopoll_queue(struct list_head *again)
2288 struct io_kiocb *req;
2291 req = list_first_entry(again, struct io_kiocb, inflight_entry);
2292 list_del(&req->inflight_entry);
2293 __io_complete_rw(req, -EAGAIN, 0, NULL);
2294 } while (!list_empty(again));
2298 * Find and free completed poll iocbs
2300 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
2301 struct list_head *done)
2303 struct req_batch rb;
2304 struct io_kiocb *req;
2307 /* order with ->result store in io_complete_rw_iopoll() */
2310 io_init_req_batch(&rb);
2311 while (!list_empty(done)) {
2314 req = list_first_entry(done, struct io_kiocb, inflight_entry);
2315 if (READ_ONCE(req->result) == -EAGAIN) {
2317 req->iopoll_completed = 0;
2318 list_move_tail(&req->inflight_entry, &again);
2321 list_del(&req->inflight_entry);
2323 if (req->flags & REQ_F_BUFFER_SELECTED)
2324 cflags = io_put_rw_kbuf(req);
2326 __io_cqring_fill_event(req, req->result, cflags);
2329 if (refcount_dec_and_test(&req->refs))
2330 io_req_free_batch(&rb, req);
2333 io_commit_cqring(ctx);
2334 if (ctx->flags & IORING_SETUP_SQPOLL)
2335 io_cqring_ev_posted(ctx);
2336 io_req_free_batch_finish(ctx, &rb);
2338 if (!list_empty(&again))
2339 io_iopoll_queue(&again);
2342 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
2345 struct io_kiocb *req, *tmp;
2351 * Only spin for completions if we don't have multiple devices hanging
2352 * off our complete list, and we're under the requested amount.
2354 spin = !ctx->poll_multi_file && *nr_events < min;
2357 list_for_each_entry_safe(req, tmp, &ctx->iopoll_list, inflight_entry) {
2358 struct kiocb *kiocb = &req->rw.kiocb;
2361 * Move completed and retryable entries to our local lists.
2362 * If we find a request that requires polling, break out
2363 * and complete those lists first, if we have entries there.
2365 if (READ_ONCE(req->iopoll_completed)) {
2366 list_move_tail(&req->inflight_entry, &done);
2369 if (!list_empty(&done))
2372 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
2376 /* iopoll may have completed current req */
2377 if (READ_ONCE(req->iopoll_completed))
2378 list_move_tail(&req->inflight_entry, &done);
2385 if (!list_empty(&done))
2386 io_iopoll_complete(ctx, nr_events, &done);
2392 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
2393 * non-spinning poll check - we'll still enter the driver poll loop, but only
2394 * as a non-spinning completion check.
2396 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
2399 while (!list_empty(&ctx->iopoll_list) && !need_resched()) {
2402 ret = io_do_iopoll(ctx, nr_events, min);
2405 if (*nr_events >= min)
2413 * We can't just wait for polled events to come to us, we have to actively
2414 * find and complete them.
2416 static void io_iopoll_try_reap_events(struct io_ring_ctx *ctx)
2418 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2421 mutex_lock(&ctx->uring_lock);
2422 while (!list_empty(&ctx->iopoll_list)) {
2423 unsigned int nr_events = 0;
2425 io_do_iopoll(ctx, &nr_events, 0);
2427 /* let it sleep and repeat later if can't complete a request */
2431 * Ensure we allow local-to-the-cpu processing to take place,
2432 * in this case we need to ensure that we reap all events.
2433 * Also let task_work, etc. to progress by releasing the mutex
2435 if (need_resched()) {
2436 mutex_unlock(&ctx->uring_lock);
2438 mutex_lock(&ctx->uring_lock);
2441 mutex_unlock(&ctx->uring_lock);
2444 static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
2446 unsigned int nr_events = 0;
2447 int iters = 0, ret = 0;
2450 * We disallow the app entering submit/complete with polling, but we
2451 * still need to lock the ring to prevent racing with polled issue
2452 * that got punted to a workqueue.
2454 mutex_lock(&ctx->uring_lock);
2457 * Don't enter poll loop if we already have events pending.
2458 * If we do, we can potentially be spinning for commands that
2459 * already triggered a CQE (eg in error).
2461 if (io_cqring_events(ctx, false))
2465 * If a submit got punted to a workqueue, we can have the
2466 * application entering polling for a command before it gets
2467 * issued. That app will hold the uring_lock for the duration
2468 * of the poll right here, so we need to take a breather every
2469 * now and then to ensure that the issue has a chance to add
2470 * the poll to the issued list. Otherwise we can spin here
2471 * forever, while the workqueue is stuck trying to acquire the
2474 if (!(++iters & 7)) {
2475 mutex_unlock(&ctx->uring_lock);
2477 mutex_lock(&ctx->uring_lock);
2480 ret = io_iopoll_getevents(ctx, &nr_events, min);
2484 } while (min && !nr_events && !need_resched());
2486 mutex_unlock(&ctx->uring_lock);
2490 static void kiocb_end_write(struct io_kiocb *req)
2493 * Tell lockdep we inherited freeze protection from submission
2496 if (req->flags & REQ_F_ISREG) {
2497 struct inode *inode = file_inode(req->file);
2499 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2501 file_end_write(req->file);
2504 static void io_complete_rw_common(struct kiocb *kiocb, long res,
2505 struct io_comp_state *cs)
2507 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2510 if (kiocb->ki_flags & IOCB_WRITE)
2511 kiocb_end_write(req);
2513 if (res != req->result)
2514 req_set_fail_links(req);
2515 if (req->flags & REQ_F_BUFFER_SELECTED)
2516 cflags = io_put_rw_kbuf(req);
2517 __io_req_complete(req, res, cflags, cs);
2521 static bool io_resubmit_prep(struct io_kiocb *req, int error)
2523 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2524 ssize_t ret = -ECANCELED;
2525 struct iov_iter iter;
2533 switch (req->opcode) {
2534 case IORING_OP_READV:
2535 case IORING_OP_READ_FIXED:
2536 case IORING_OP_READ:
2539 case IORING_OP_WRITEV:
2540 case IORING_OP_WRITE_FIXED:
2541 case IORING_OP_WRITE:
2545 printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
2550 if (!req->async_data) {
2551 ret = io_import_iovec(rw, req, &iovec, &iter, false);
2554 ret = io_setup_async_rw(req, iovec, inline_vecs, &iter, false);
2562 req_set_fail_links(req);
2563 io_req_complete(req, ret);
2568 static bool io_rw_reissue(struct io_kiocb *req, long res)
2571 umode_t mode = file_inode(req->file)->i_mode;
2574 if (!S_ISBLK(mode) && !S_ISREG(mode))
2576 if ((res != -EAGAIN && res != -EOPNOTSUPP) || io_wq_current_is_worker())
2579 ret = io_sq_thread_acquire_mm(req->ctx, req);
2581 if (io_resubmit_prep(req, ret)) {
2582 refcount_inc(&req->refs);
2583 io_queue_async_work(req);
2591 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
2592 struct io_comp_state *cs)
2594 if (!io_rw_reissue(req, res))
2595 io_complete_rw_common(&req->rw.kiocb, res, cs);
2598 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
2600 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2602 __io_complete_rw(req, res, res2, NULL);
2605 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
2607 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2609 if (kiocb->ki_flags & IOCB_WRITE)
2610 kiocb_end_write(req);
2612 if (res != -EAGAIN && res != req->result)
2613 req_set_fail_links(req);
2615 WRITE_ONCE(req->result, res);
2616 /* order with io_poll_complete() checking ->result */
2618 WRITE_ONCE(req->iopoll_completed, 1);
2622 * After the iocb has been issued, it's safe to be found on the poll list.
2623 * Adding the kiocb to the list AFTER submission ensures that we don't
2624 * find it from a io_iopoll_getevents() thread before the issuer is done
2625 * accessing the kiocb cookie.
2627 static void io_iopoll_req_issued(struct io_kiocb *req)
2629 struct io_ring_ctx *ctx = req->ctx;
2632 * Track whether we have multiple files in our lists. This will impact
2633 * how we do polling eventually, not spinning if we're on potentially
2634 * different devices.
2636 if (list_empty(&ctx->iopoll_list)) {
2637 ctx->poll_multi_file = false;
2638 } else if (!ctx->poll_multi_file) {
2639 struct io_kiocb *list_req;
2641 list_req = list_first_entry(&ctx->iopoll_list, struct io_kiocb,
2643 if (list_req->file != req->file)
2644 ctx->poll_multi_file = true;
2648 * For fast devices, IO may have already completed. If it has, add
2649 * it to the front so we find it first.
2651 if (READ_ONCE(req->iopoll_completed))
2652 list_add(&req->inflight_entry, &ctx->iopoll_list);
2654 list_add_tail(&req->inflight_entry, &ctx->iopoll_list);
2656 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
2657 wq_has_sleeper(&ctx->sq_data->wait))
2658 wake_up(&ctx->sq_data->wait);
2661 static void __io_state_file_put(struct io_submit_state *state)
2663 if (state->has_refs)
2664 fput_many(state->file, state->has_refs);
2668 static inline void io_state_file_put(struct io_submit_state *state)
2671 __io_state_file_put(state);
2675 * Get as many references to a file as we have IOs left in this submission,
2676 * assuming most submissions are for one file, or at least that each file
2677 * has more than one submission.
2679 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2685 if (state->fd == fd) {
2689 __io_state_file_put(state);
2691 state->file = fget_many(fd, state->ios_left);
2696 state->has_refs = state->ios_left - 1;
2700 static bool io_bdev_nowait(struct block_device *bdev)
2703 return !bdev || blk_queue_nowait(bdev_get_queue(bdev));
2710 * If we tracked the file through the SCM inflight mechanism, we could support
2711 * any file. For now, just ensure that anything potentially problematic is done
2714 static bool io_file_supports_async(struct file *file, int rw)
2716 umode_t mode = file_inode(file)->i_mode;
2718 if (S_ISBLK(mode)) {
2719 if (io_bdev_nowait(file->f_inode->i_bdev))
2723 if (S_ISCHR(mode) || S_ISSOCK(mode))
2725 if (S_ISREG(mode)) {
2726 if (io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
2727 file->f_op != &io_uring_fops)
2732 /* any ->read/write should understand O_NONBLOCK */
2733 if (file->f_flags & O_NONBLOCK)
2736 if (!(file->f_mode & FMODE_NOWAIT))
2740 return file->f_op->read_iter != NULL;
2742 return file->f_op->write_iter != NULL;
2745 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2747 struct io_ring_ctx *ctx = req->ctx;
2748 struct kiocb *kiocb = &req->rw.kiocb;
2752 if (S_ISREG(file_inode(req->file)->i_mode))
2753 req->flags |= REQ_F_ISREG;
2755 kiocb->ki_pos = READ_ONCE(sqe->off);
2756 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
2757 req->flags |= REQ_F_CUR_POS;
2758 kiocb->ki_pos = req->file->f_pos;
2760 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2761 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2762 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2766 ioprio = READ_ONCE(sqe->ioprio);
2768 ret = ioprio_check_cap(ioprio);
2772 kiocb->ki_ioprio = ioprio;
2774 kiocb->ki_ioprio = get_current_ioprio();
2776 /* don't allow async punt if RWF_NOWAIT was requested */
2777 if (kiocb->ki_flags & IOCB_NOWAIT)
2778 req->flags |= REQ_F_NOWAIT;
2780 if (ctx->flags & IORING_SETUP_IOPOLL) {
2781 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2782 !kiocb->ki_filp->f_op->iopoll)
2785 kiocb->ki_flags |= IOCB_HIPRI;
2786 kiocb->ki_complete = io_complete_rw_iopoll;
2787 req->iopoll_completed = 0;
2789 if (kiocb->ki_flags & IOCB_HIPRI)
2791 kiocb->ki_complete = io_complete_rw;
2794 req->rw.addr = READ_ONCE(sqe->addr);
2795 req->rw.len = READ_ONCE(sqe->len);
2796 req->buf_index = READ_ONCE(sqe->buf_index);
2800 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2806 case -ERESTARTNOINTR:
2807 case -ERESTARTNOHAND:
2808 case -ERESTART_RESTARTBLOCK:
2810 * We can't just restart the syscall, since previously
2811 * submitted sqes may already be in progress. Just fail this
2817 kiocb->ki_complete(kiocb, ret, 0);
2821 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
2822 struct io_comp_state *cs)
2824 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2825 struct io_async_rw *io = req->async_data;
2827 /* add previously done IO, if any */
2828 if (io && io->bytes_done > 0) {
2830 ret = io->bytes_done;
2832 ret += io->bytes_done;
2835 if (req->flags & REQ_F_CUR_POS)
2836 req->file->f_pos = kiocb->ki_pos;
2837 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2838 __io_complete_rw(req, ret, 0, cs);
2840 io_rw_done(kiocb, ret);
2843 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
2844 struct iov_iter *iter)
2846 struct io_ring_ctx *ctx = req->ctx;
2847 size_t len = req->rw.len;
2848 struct io_mapped_ubuf *imu;
2849 u16 index, buf_index = req->buf_index;
2853 if (unlikely(buf_index >= ctx->nr_user_bufs))
2855 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2856 imu = &ctx->user_bufs[index];
2857 buf_addr = req->rw.addr;
2860 if (buf_addr + len < buf_addr)
2862 /* not inside the mapped region */
2863 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2867 * May not be a start of buffer, set size appropriately
2868 * and advance us to the beginning.
2870 offset = buf_addr - imu->ubuf;
2871 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2875 * Don't use iov_iter_advance() here, as it's really slow for
2876 * using the latter parts of a big fixed buffer - it iterates
2877 * over each segment manually. We can cheat a bit here, because
2880 * 1) it's a BVEC iter, we set it up
2881 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2882 * first and last bvec
2884 * So just find our index, and adjust the iterator afterwards.
2885 * If the offset is within the first bvec (or the whole first
2886 * bvec, just use iov_iter_advance(). This makes it easier
2887 * since we can just skip the first segment, which may not
2888 * be PAGE_SIZE aligned.
2890 const struct bio_vec *bvec = imu->bvec;
2892 if (offset <= bvec->bv_len) {
2893 iov_iter_advance(iter, offset);
2895 unsigned long seg_skip;
2897 /* skip first vec */
2898 offset -= bvec->bv_len;
2899 seg_skip = 1 + (offset >> PAGE_SHIFT);
2901 iter->bvec = bvec + seg_skip;
2902 iter->nr_segs -= seg_skip;
2903 iter->count -= bvec->bv_len + offset;
2904 iter->iov_offset = offset & ~PAGE_MASK;
2911 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2914 mutex_unlock(&ctx->uring_lock);
2917 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2920 * "Normal" inline submissions always hold the uring_lock, since we
2921 * grab it from the system call. Same is true for the SQPOLL offload.
2922 * The only exception is when we've detached the request and issue it
2923 * from an async worker thread, grab the lock for that case.
2926 mutex_lock(&ctx->uring_lock);
2929 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2930 int bgid, struct io_buffer *kbuf,
2933 struct io_buffer *head;
2935 if (req->flags & REQ_F_BUFFER_SELECTED)
2938 io_ring_submit_lock(req->ctx, needs_lock);
2940 lockdep_assert_held(&req->ctx->uring_lock);
2942 head = idr_find(&req->ctx->io_buffer_idr, bgid);
2944 if (!list_empty(&head->list)) {
2945 kbuf = list_last_entry(&head->list, struct io_buffer,
2947 list_del(&kbuf->list);
2950 idr_remove(&req->ctx->io_buffer_idr, bgid);
2952 if (*len > kbuf->len)
2955 kbuf = ERR_PTR(-ENOBUFS);
2958 io_ring_submit_unlock(req->ctx, needs_lock);
2963 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2966 struct io_buffer *kbuf;
2969 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2970 bgid = req->buf_index;
2971 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2974 req->rw.addr = (u64) (unsigned long) kbuf;
2975 req->flags |= REQ_F_BUFFER_SELECTED;
2976 return u64_to_user_ptr(kbuf->addr);
2979 #ifdef CONFIG_COMPAT
2980 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2983 struct compat_iovec __user *uiov;
2984 compat_ssize_t clen;
2988 uiov = u64_to_user_ptr(req->rw.addr);
2989 if (!access_ok(uiov, sizeof(*uiov)))
2991 if (__get_user(clen, &uiov->iov_len))
2997 buf = io_rw_buffer_select(req, &len, needs_lock);
2999 return PTR_ERR(buf);
3000 iov[0].iov_base = buf;
3001 iov[0].iov_len = (compat_size_t) len;
3006 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3009 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
3013 if (copy_from_user(iov, uiov, sizeof(*uiov)))
3016 len = iov[0].iov_len;
3019 buf = io_rw_buffer_select(req, &len, needs_lock);
3021 return PTR_ERR(buf);
3022 iov[0].iov_base = buf;
3023 iov[0].iov_len = len;
3027 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3030 if (req->flags & REQ_F_BUFFER_SELECTED) {
3031 struct io_buffer *kbuf;
3033 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
3034 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
3035 iov[0].iov_len = kbuf->len;
3040 else if (req->rw.len > 1)
3043 #ifdef CONFIG_COMPAT
3044 if (req->ctx->compat)
3045 return io_compat_import(req, iov, needs_lock);
3048 return __io_iov_buffer_select(req, iov, needs_lock);
3051 static ssize_t __io_import_iovec(int rw, struct io_kiocb *req,
3052 struct iovec **iovec, struct iov_iter *iter,
3055 void __user *buf = u64_to_user_ptr(req->rw.addr);
3056 size_t sqe_len = req->rw.len;
3060 opcode = req->opcode;
3061 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
3063 return io_import_fixed(req, rw, iter);
3066 /* buffer index only valid with fixed read/write, or buffer select */
3067 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
3070 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
3071 if (req->flags & REQ_F_BUFFER_SELECT) {
3072 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
3074 return PTR_ERR(buf);
3075 req->rw.len = sqe_len;
3078 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
3080 return ret < 0 ? ret : sqe_len;
3083 if (req->flags & REQ_F_BUFFER_SELECT) {
3084 ret = io_iov_buffer_select(req, *iovec, needs_lock);
3086 ret = (*iovec)->iov_len;
3087 iov_iter_init(iter, rw, *iovec, 1, ret);
3093 return __import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter,
3097 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
3098 struct iovec **iovec, struct iov_iter *iter,
3101 struct io_async_rw *iorw = req->async_data;
3104 return __io_import_iovec(rw, req, iovec, iter, needs_lock);
3106 return iov_iter_count(&iorw->iter);
3109 static inline loff_t *io_kiocb_ppos(struct kiocb *kiocb)
3111 return (kiocb->ki_filp->f_mode & FMODE_STREAM) ? NULL : &kiocb->ki_pos;
3115 * For files that don't have ->read_iter() and ->write_iter(), handle them
3116 * by looping over ->read() or ->write() manually.
3118 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
3119 struct iov_iter *iter)
3124 * Don't support polled IO through this interface, and we can't
3125 * support non-blocking either. For the latter, this just causes
3126 * the kiocb to be handled from an async context.
3128 if (kiocb->ki_flags & IOCB_HIPRI)
3130 if (kiocb->ki_flags & IOCB_NOWAIT)
3133 while (iov_iter_count(iter)) {
3137 if (!iov_iter_is_bvec(iter)) {
3138 iovec = iov_iter_iovec(iter);
3140 /* fixed buffers import bvec */
3141 iovec.iov_base = kmap(iter->bvec->bv_page)
3143 iovec.iov_len = min(iter->count,
3144 iter->bvec->bv_len - iter->iov_offset);
3148 nr = file->f_op->read(file, iovec.iov_base,
3149 iovec.iov_len, io_kiocb_ppos(kiocb));
3151 nr = file->f_op->write(file, iovec.iov_base,
3152 iovec.iov_len, io_kiocb_ppos(kiocb));
3155 if (iov_iter_is_bvec(iter))
3156 kunmap(iter->bvec->bv_page);
3164 if (nr != iovec.iov_len)
3166 iov_iter_advance(iter, nr);
3172 static void io_req_map_rw(struct io_kiocb *req, const struct iovec *iovec,
3173 const struct iovec *fast_iov, struct iov_iter *iter)
3175 struct io_async_rw *rw = req->async_data;
3177 memcpy(&rw->iter, iter, sizeof(*iter));
3178 rw->free_iovec = iovec;
3180 /* can only be fixed buffers, no need to do anything */
3181 if (iter->type == ITER_BVEC)
3184 unsigned iov_off = 0;
3186 rw->iter.iov = rw->fast_iov;
3187 if (iter->iov != fast_iov) {
3188 iov_off = iter->iov - fast_iov;
3189 rw->iter.iov += iov_off;
3191 if (rw->fast_iov != fast_iov)
3192 memcpy(rw->fast_iov + iov_off, fast_iov + iov_off,
3193 sizeof(struct iovec) * iter->nr_segs);
3195 req->flags |= REQ_F_NEED_CLEANUP;
3199 static inline int __io_alloc_async_data(struct io_kiocb *req)
3201 WARN_ON_ONCE(!io_op_defs[req->opcode].async_size);
3202 req->async_data = kmalloc(io_op_defs[req->opcode].async_size, GFP_KERNEL);
3203 return req->async_data == NULL;
3206 static int io_alloc_async_data(struct io_kiocb *req)
3208 if (!io_op_defs[req->opcode].needs_async_data)
3211 return __io_alloc_async_data(req);
3214 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
3215 const struct iovec *fast_iov,
3216 struct iov_iter *iter, bool force)
3218 if (!force && !io_op_defs[req->opcode].needs_async_data)
3220 if (!req->async_data) {
3221 if (__io_alloc_async_data(req))
3224 io_req_map_rw(req, iovec, fast_iov, iter);
3229 static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
3231 struct io_async_rw *iorw = req->async_data;
3232 struct iovec *iov = iorw->fast_iov;
3235 ret = __io_import_iovec(rw, req, &iov, &iorw->iter, false);
3236 if (unlikely(ret < 0))
3239 iorw->bytes_done = 0;
3240 iorw->free_iovec = iov;
3242 req->flags |= REQ_F_NEED_CLEANUP;
3246 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3250 ret = io_prep_rw(req, sqe);
3254 if (unlikely(!(req->file->f_mode & FMODE_READ)))
3257 /* either don't need iovec imported or already have it */
3258 if (!req->async_data)
3260 return io_rw_prep_async(req, READ);
3264 * This is our waitqueue callback handler, registered through lock_page_async()
3265 * when we initially tried to do the IO with the iocb armed our waitqueue.
3266 * This gets called when the page is unlocked, and we generally expect that to
3267 * happen when the page IO is completed and the page is now uptodate. This will
3268 * queue a task_work based retry of the operation, attempting to copy the data
3269 * again. If the latter fails because the page was NOT uptodate, then we will
3270 * do a thread based blocking retry of the operation. That's the unexpected
3273 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
3274 int sync, void *arg)
3276 struct wait_page_queue *wpq;
3277 struct io_kiocb *req = wait->private;
3278 struct wait_page_key *key = arg;
3281 wpq = container_of(wait, struct wait_page_queue, wait);
3283 if (!wake_page_match(wpq, key))
3286 req->rw.kiocb.ki_flags &= ~IOCB_WAITQ;
3287 list_del_init(&wait->entry);
3289 init_task_work(&req->task_work, io_req_task_submit);
3290 percpu_ref_get(&req->ctx->refs);
3292 /* submit ref gets dropped, acquire a new one */
3293 refcount_inc(&req->refs);
3294 ret = io_req_task_work_add(req, true);
3295 if (unlikely(ret)) {
3296 struct task_struct *tsk;
3298 /* queue just for cancelation */
3299 init_task_work(&req->task_work, io_req_task_cancel);
3300 tsk = io_wq_get_task(req->ctx->io_wq);
3301 task_work_add(tsk, &req->task_work, 0);
3302 wake_up_process(tsk);
3308 * This controls whether a given IO request should be armed for async page
3309 * based retry. If we return false here, the request is handed to the async
3310 * worker threads for retry. If we're doing buffered reads on a regular file,
3311 * we prepare a private wait_page_queue entry and retry the operation. This
3312 * will either succeed because the page is now uptodate and unlocked, or it
3313 * will register a callback when the page is unlocked at IO completion. Through
3314 * that callback, io_uring uses task_work to setup a retry of the operation.
3315 * That retry will attempt the buffered read again. The retry will generally
3316 * succeed, or in rare cases where it fails, we then fall back to using the
3317 * async worker threads for a blocking retry.
3319 static bool io_rw_should_retry(struct io_kiocb *req)
3321 struct io_async_rw *rw = req->async_data;
3322 struct wait_page_queue *wait = &rw->wpq;
3323 struct kiocb *kiocb = &req->rw.kiocb;
3325 /* never retry for NOWAIT, we just complete with -EAGAIN */
3326 if (req->flags & REQ_F_NOWAIT)
3329 /* Only for buffered IO */
3330 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_HIPRI))
3334 * just use poll if we can, and don't attempt if the fs doesn't
3335 * support callback based unlocks
3337 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
3340 wait->wait.func = io_async_buf_func;
3341 wait->wait.private = req;
3342 wait->wait.flags = 0;
3343 INIT_LIST_HEAD(&wait->wait.entry);
3344 kiocb->ki_flags |= IOCB_WAITQ;
3345 kiocb->ki_flags &= ~IOCB_NOWAIT;
3346 kiocb->ki_waitq = wait;
3350 static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
3352 if (req->file->f_op->read_iter)
3353 return call_read_iter(req->file, &req->rw.kiocb, iter);
3354 else if (req->file->f_op->read)
3355 return loop_rw_iter(READ, req->file, &req->rw.kiocb, iter);
3360 static int io_read(struct io_kiocb *req, bool force_nonblock,
3361 struct io_comp_state *cs)
3363 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3364 struct kiocb *kiocb = &req->rw.kiocb;
3365 struct iov_iter __iter, *iter = &__iter;
3366 struct io_async_rw *rw = req->async_data;
3367 ssize_t io_size, ret, ret2;
3374 ret = io_import_iovec(READ, req, &iovec, iter, !force_nonblock);
3377 iov_count = iov_iter_count(iter);
3379 req->result = io_size;
3382 /* Ensure we clear previously set non-block flag */
3383 if (!force_nonblock)
3384 kiocb->ki_flags &= ~IOCB_NOWAIT;
3386 kiocb->ki_flags |= IOCB_NOWAIT;
3389 /* If the file doesn't support async, just async punt */
3390 no_async = force_nonblock && !io_file_supports_async(req->file, READ);
3394 ret = rw_verify_area(READ, req->file, io_kiocb_ppos(kiocb), iov_count);
3398 ret = io_iter_do_read(req, iter);
3402 } else if (ret == -EIOCBQUEUED) {
3405 } else if (ret == -EAGAIN) {
3406 /* IOPOLL retry should happen for io-wq threads */
3407 if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
3409 /* no retry on NONBLOCK marked file */
3410 if (req->file->f_flags & O_NONBLOCK)
3412 /* some cases will consume bytes even on error returns */
3413 iov_iter_revert(iter, iov_count - iov_iter_count(iter));
3416 } else if (ret < 0) {
3417 /* make sure -ERESTARTSYS -> -EINTR is done */
3421 /* read it all, or we did blocking attempt. no retry. */
3422 if (!iov_iter_count(iter) || !force_nonblock ||
3423 (req->file->f_flags & O_NONBLOCK))
3428 ret2 = io_setup_async_rw(req, iovec, inline_vecs, iter, true);
3435 rw = req->async_data;
3436 /* it's copied and will be cleaned with ->io */
3438 /* now use our persistent iterator, if we aren't already */
3441 rw->bytes_done += ret;
3442 /* if we can retry, do so with the callbacks armed */
3443 if (!io_rw_should_retry(req)) {
3444 kiocb->ki_flags &= ~IOCB_WAITQ;
3449 * Now retry read with the IOCB_WAITQ parts set in the iocb. If we
3450 * get -EIOCBQUEUED, then we'll get a notification when the desired
3451 * page gets unlocked. We can also get a partial read here, and if we
3452 * do, then just retry at the new offset.
3454 ret = io_iter_do_read(req, iter);
3455 if (ret == -EIOCBQUEUED) {
3458 } else if (ret > 0 && ret < io_size) {
3459 /* we got some bytes, but not all. retry. */
3463 kiocb_done(kiocb, ret, cs);
3466 /* it's reportedly faster than delegating the null check to kfree() */
3472 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3476 ret = io_prep_rw(req, sqe);
3480 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
3483 /* either don't need iovec imported or already have it */
3484 if (!req->async_data)
3486 return io_rw_prep_async(req, WRITE);
3489 static int io_write(struct io_kiocb *req, bool force_nonblock,
3490 struct io_comp_state *cs)
3492 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3493 struct kiocb *kiocb = &req->rw.kiocb;
3494 struct iov_iter __iter, *iter = &__iter;
3495 struct io_async_rw *rw = req->async_data;
3497 ssize_t ret, ret2, io_size;
3502 ret = io_import_iovec(WRITE, req, &iovec, iter, !force_nonblock);
3505 iov_count = iov_iter_count(iter);
3507 req->result = io_size;
3509 /* Ensure we clear previously set non-block flag */
3510 if (!force_nonblock)
3511 kiocb->ki_flags &= ~IOCB_NOWAIT;
3513 kiocb->ki_flags |= IOCB_NOWAIT;
3515 /* If the file doesn't support async, just async punt */
3516 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
3519 /* file path doesn't support NOWAIT for non-direct_IO */
3520 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
3521 (req->flags & REQ_F_ISREG))
3524 ret = rw_verify_area(WRITE, req->file, io_kiocb_ppos(kiocb), iov_count);
3529 * Open-code file_start_write here to grab freeze protection,
3530 * which will be released by another thread in
3531 * io_complete_rw(). Fool lockdep by telling it the lock got
3532 * released so that it doesn't complain about the held lock when
3533 * we return to userspace.
3535 if (req->flags & REQ_F_ISREG) {
3536 __sb_start_write(file_inode(req->file)->i_sb,
3537 SB_FREEZE_WRITE, true);
3538 __sb_writers_release(file_inode(req->file)->i_sb,
3541 kiocb->ki_flags |= IOCB_WRITE;
3543 if (req->file->f_op->write_iter)
3544 ret2 = call_write_iter(req->file, kiocb, iter);
3545 else if (req->file->f_op->write)
3546 ret2 = loop_rw_iter(WRITE, req->file, kiocb, iter);
3551 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
3552 * retry them without IOCB_NOWAIT.
3554 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
3556 /* no retry on NONBLOCK marked file */
3557 if (ret2 == -EAGAIN && (req->file->f_flags & O_NONBLOCK))
3559 if (!force_nonblock || ret2 != -EAGAIN) {
3560 /* IOPOLL retry should happen for io-wq threads */
3561 if ((req->ctx->flags & IORING_SETUP_IOPOLL) && ret2 == -EAGAIN)
3564 kiocb_done(kiocb, ret2, cs);
3567 /* some cases will consume bytes even on error returns */
3568 iov_iter_revert(iter, iov_count - iov_iter_count(iter));
3569 ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
3574 /* it's reportedly faster than delegating the null check to kfree() */
3580 static int __io_splice_prep(struct io_kiocb *req,
3581 const struct io_uring_sqe *sqe)
3583 struct io_splice* sp = &req->splice;
3584 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
3586 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3590 sp->len = READ_ONCE(sqe->len);
3591 sp->flags = READ_ONCE(sqe->splice_flags);
3593 if (unlikely(sp->flags & ~valid_flags))
3596 sp->file_in = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in),
3597 (sp->flags & SPLICE_F_FD_IN_FIXED));
3600 req->flags |= REQ_F_NEED_CLEANUP;
3602 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
3604 * Splice operation will be punted aync, and here need to
3605 * modify io_wq_work.flags, so initialize io_wq_work firstly.
3607 io_req_init_async(req);
3608 req->work.flags |= IO_WQ_WORK_UNBOUND;
3614 static int io_tee_prep(struct io_kiocb *req,
3615 const struct io_uring_sqe *sqe)
3617 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
3619 return __io_splice_prep(req, sqe);
3622 static int io_tee(struct io_kiocb *req, bool force_nonblock)
3624 struct io_splice *sp = &req->splice;
3625 struct file *in = sp->file_in;
3626 struct file *out = sp->file_out;
3627 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3633 ret = do_tee(in, out, sp->len, flags);
3635 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3636 req->flags &= ~REQ_F_NEED_CLEANUP;
3639 req_set_fail_links(req);
3640 io_req_complete(req, ret);
3644 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3646 struct io_splice* sp = &req->splice;
3648 sp->off_in = READ_ONCE(sqe->splice_off_in);
3649 sp->off_out = READ_ONCE(sqe->off);
3650 return __io_splice_prep(req, sqe);
3653 static int io_splice(struct io_kiocb *req, bool force_nonblock)
3655 struct io_splice *sp = &req->splice;
3656 struct file *in = sp->file_in;
3657 struct file *out = sp->file_out;
3658 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3659 loff_t *poff_in, *poff_out;
3665 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
3666 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
3669 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
3671 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3672 req->flags &= ~REQ_F_NEED_CLEANUP;
3675 req_set_fail_links(req);
3676 io_req_complete(req, ret);
3681 * IORING_OP_NOP just posts a completion event, nothing else.
3683 static int io_nop(struct io_kiocb *req, struct io_comp_state *cs)
3685 struct io_ring_ctx *ctx = req->ctx;
3687 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3690 __io_req_complete(req, 0, 0, cs);
3694 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3696 struct io_ring_ctx *ctx = req->ctx;
3701 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3703 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3706 req->sync.flags = READ_ONCE(sqe->fsync_flags);
3707 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
3710 req->sync.off = READ_ONCE(sqe->off);
3711 req->sync.len = READ_ONCE(sqe->len);
3715 static int io_fsync(struct io_kiocb *req, bool force_nonblock)
3717 loff_t end = req->sync.off + req->sync.len;
3720 /* fsync always requires a blocking context */
3724 ret = vfs_fsync_range(req->file, req->sync.off,
3725 end > 0 ? end : LLONG_MAX,
3726 req->sync.flags & IORING_FSYNC_DATASYNC);
3728 req_set_fail_links(req);
3729 io_req_complete(req, ret);
3733 static int io_fallocate_prep(struct io_kiocb *req,
3734 const struct io_uring_sqe *sqe)
3736 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
3738 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3741 req->sync.off = READ_ONCE(sqe->off);
3742 req->sync.len = READ_ONCE(sqe->addr);
3743 req->sync.mode = READ_ONCE(sqe->len);
3747 static int io_fallocate(struct io_kiocb *req, bool force_nonblock)
3751 /* fallocate always requiring blocking context */
3754 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
3757 req_set_fail_links(req);
3758 io_req_complete(req, ret);
3762 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3764 const char __user *fname;
3767 if (unlikely(sqe->ioprio || sqe->buf_index))
3769 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3772 /* open.how should be already initialised */
3773 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3774 req->open.how.flags |= O_LARGEFILE;
3776 req->open.dfd = READ_ONCE(sqe->fd);
3777 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3778 req->open.filename = getname(fname);
3779 if (IS_ERR(req->open.filename)) {
3780 ret = PTR_ERR(req->open.filename);
3781 req->open.filename = NULL;
3784 req->open.nofile = rlimit(RLIMIT_NOFILE);
3785 req->flags |= REQ_F_NEED_CLEANUP;
3789 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3793 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3795 mode = READ_ONCE(sqe->len);
3796 flags = READ_ONCE(sqe->open_flags);
3797 req->open.how = build_open_how(flags, mode);
3798 return __io_openat_prep(req, sqe);
3801 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3803 struct open_how __user *how;
3807 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3809 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3810 len = READ_ONCE(sqe->len);
3811 if (len < OPEN_HOW_SIZE_VER0)
3814 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3819 return __io_openat_prep(req, sqe);
3822 static int io_openat2(struct io_kiocb *req, bool force_nonblock)
3824 struct open_flags op;
3831 ret = build_open_flags(&req->open.how, &op);
3835 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3839 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3842 ret = PTR_ERR(file);
3844 fsnotify_open(file);
3845 fd_install(ret, file);
3848 putname(req->open.filename);
3849 req->flags &= ~REQ_F_NEED_CLEANUP;
3851 req_set_fail_links(req);
3852 io_req_complete(req, ret);
3856 static int io_openat(struct io_kiocb *req, bool force_nonblock)
3858 return io_openat2(req, force_nonblock);
3861 static int io_remove_buffers_prep(struct io_kiocb *req,
3862 const struct io_uring_sqe *sqe)
3864 struct io_provide_buf *p = &req->pbuf;
3867 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3870 tmp = READ_ONCE(sqe->fd);
3871 if (!tmp || tmp > USHRT_MAX)
3874 memset(p, 0, sizeof(*p));
3876 p->bgid = READ_ONCE(sqe->buf_group);
3880 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3881 int bgid, unsigned nbufs)
3885 /* shouldn't happen */
3889 /* the head kbuf is the list itself */
3890 while (!list_empty(&buf->list)) {
3891 struct io_buffer *nxt;
3893 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3894 list_del(&nxt->list);
3901 idr_remove(&ctx->io_buffer_idr, bgid);
3906 static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock,
3907 struct io_comp_state *cs)
3909 struct io_provide_buf *p = &req->pbuf;
3910 struct io_ring_ctx *ctx = req->ctx;
3911 struct io_buffer *head;
3914 io_ring_submit_lock(ctx, !force_nonblock);
3916 lockdep_assert_held(&ctx->uring_lock);
3919 head = idr_find(&ctx->io_buffer_idr, p->bgid);
3921 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3923 io_ring_submit_lock(ctx, !force_nonblock);
3925 req_set_fail_links(req);
3926 __io_req_complete(req, ret, 0, cs);
3930 static int io_provide_buffers_prep(struct io_kiocb *req,
3931 const struct io_uring_sqe *sqe)
3933 struct io_provide_buf *p = &req->pbuf;
3936 if (sqe->ioprio || sqe->rw_flags)
3939 tmp = READ_ONCE(sqe->fd);
3940 if (!tmp || tmp > USHRT_MAX)
3943 p->addr = READ_ONCE(sqe->addr);
3944 p->len = READ_ONCE(sqe->len);
3946 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3949 p->bgid = READ_ONCE(sqe->buf_group);
3950 tmp = READ_ONCE(sqe->off);
3951 if (tmp > USHRT_MAX)
3957 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3959 struct io_buffer *buf;
3960 u64 addr = pbuf->addr;
3961 int i, bid = pbuf->bid;
3963 for (i = 0; i < pbuf->nbufs; i++) {
3964 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3969 buf->len = pbuf->len;
3974 INIT_LIST_HEAD(&buf->list);
3977 list_add_tail(&buf->list, &(*head)->list);
3981 return i ? i : -ENOMEM;
3984 static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock,
3985 struct io_comp_state *cs)
3987 struct io_provide_buf *p = &req->pbuf;
3988 struct io_ring_ctx *ctx = req->ctx;
3989 struct io_buffer *head, *list;
3992 io_ring_submit_lock(ctx, !force_nonblock);
3994 lockdep_assert_held(&ctx->uring_lock);
3996 list = head = idr_find(&ctx->io_buffer_idr, p->bgid);
3998 ret = io_add_buffers(p, &head);
4003 ret = idr_alloc(&ctx->io_buffer_idr, head, p->bgid, p->bgid + 1,
4006 __io_remove_buffers(ctx, head, p->bgid, -1U);
4011 io_ring_submit_unlock(ctx, !force_nonblock);
4013 req_set_fail_links(req);
4014 __io_req_complete(req, ret, 0, cs);
4018 static int io_epoll_ctl_prep(struct io_kiocb *req,
4019 const struct io_uring_sqe *sqe)
4021 #if defined(CONFIG_EPOLL)
4022 if (sqe->ioprio || sqe->buf_index)
4024 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4027 req->epoll.epfd = READ_ONCE(sqe->fd);
4028 req->epoll.op = READ_ONCE(sqe->len);
4029 req->epoll.fd = READ_ONCE(sqe->off);
4031 if (ep_op_has_event(req->epoll.op)) {
4032 struct epoll_event __user *ev;
4034 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
4035 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
4045 static int io_epoll_ctl(struct io_kiocb *req, bool force_nonblock,
4046 struct io_comp_state *cs)
4048 #if defined(CONFIG_EPOLL)
4049 struct io_epoll *ie = &req->epoll;
4052 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
4053 if (force_nonblock && ret == -EAGAIN)
4057 req_set_fail_links(req);
4058 __io_req_complete(req, ret, 0, cs);
4065 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4067 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4068 if (sqe->ioprio || sqe->buf_index || sqe->off)
4070 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4073 req->madvise.addr = READ_ONCE(sqe->addr);
4074 req->madvise.len = READ_ONCE(sqe->len);
4075 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
4082 static int io_madvise(struct io_kiocb *req, bool force_nonblock)
4084 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4085 struct io_madvise *ma = &req->madvise;
4091 ret = do_madvise(ma->addr, ma->len, ma->advice);
4093 req_set_fail_links(req);
4094 io_req_complete(req, ret);
4101 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4103 if (sqe->ioprio || sqe->buf_index || sqe->addr)
4105 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4108 req->fadvise.offset = READ_ONCE(sqe->off);
4109 req->fadvise.len = READ_ONCE(sqe->len);
4110 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
4114 static int io_fadvise(struct io_kiocb *req, bool force_nonblock)
4116 struct io_fadvise *fa = &req->fadvise;
4119 if (force_nonblock) {
4120 switch (fa->advice) {
4121 case POSIX_FADV_NORMAL:
4122 case POSIX_FADV_RANDOM:
4123 case POSIX_FADV_SEQUENTIAL:
4130 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
4132 req_set_fail_links(req);
4133 io_req_complete(req, ret);
4137 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4139 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4141 if (sqe->ioprio || sqe->buf_index)
4143 if (req->flags & REQ_F_FIXED_FILE)
4146 req->statx.dfd = READ_ONCE(sqe->fd);
4147 req->statx.mask = READ_ONCE(sqe->len);
4148 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
4149 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4150 req->statx.flags = READ_ONCE(sqe->statx_flags);
4155 static int io_statx(struct io_kiocb *req, bool force_nonblock)
4157 struct io_statx *ctx = &req->statx;
4160 if (force_nonblock) {
4161 /* only need file table for an actual valid fd */
4162 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
4163 req->flags |= REQ_F_NO_FILE_TABLE;
4167 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
4171 req_set_fail_links(req);
4172 io_req_complete(req, ret);
4176 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4179 * If we queue this for async, it must not be cancellable. That would
4180 * leave the 'file' in an undeterminate state, and here need to modify
4181 * io_wq_work.flags, so initialize io_wq_work firstly.
4183 io_req_init_async(req);
4184 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
4186 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4188 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
4189 sqe->rw_flags || sqe->buf_index)
4191 if (req->flags & REQ_F_FIXED_FILE)
4194 req->close.fd = READ_ONCE(sqe->fd);
4195 if ((req->file && req->file->f_op == &io_uring_fops))
4198 req->close.put_file = NULL;
4202 static int io_close(struct io_kiocb *req, bool force_nonblock,
4203 struct io_comp_state *cs)
4205 struct io_close *close = &req->close;
4208 /* might be already done during nonblock submission */
4209 if (!close->put_file) {
4210 ret = __close_fd_get_file(close->fd, &close->put_file);
4212 return (ret == -ENOENT) ? -EBADF : ret;
4215 /* if the file has a flush method, be safe and punt to async */
4216 if (close->put_file->f_op->flush && force_nonblock) {
4217 /* was never set, but play safe */
4218 req->flags &= ~REQ_F_NOWAIT;
4219 /* avoid grabbing files - we don't need the files */
4220 req->flags |= REQ_F_NO_FILE_TABLE;
4224 /* No ->flush() or already async, safely close from here */
4225 ret = filp_close(close->put_file, req->work.identity->files);
4227 req_set_fail_links(req);
4228 fput(close->put_file);
4229 close->put_file = NULL;
4230 __io_req_complete(req, ret, 0, cs);
4234 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4236 struct io_ring_ctx *ctx = req->ctx;
4241 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
4243 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
4246 req->sync.off = READ_ONCE(sqe->off);
4247 req->sync.len = READ_ONCE(sqe->len);
4248 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
4252 static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
4256 /* sync_file_range always requires a blocking context */
4260 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
4263 req_set_fail_links(req);
4264 io_req_complete(req, ret);
4268 #if defined(CONFIG_NET)
4269 static int io_setup_async_msg(struct io_kiocb *req,
4270 struct io_async_msghdr *kmsg)
4272 struct io_async_msghdr *async_msg = req->async_data;
4276 if (io_alloc_async_data(req)) {
4277 if (kmsg->iov != kmsg->fast_iov)
4281 async_msg = req->async_data;
4282 req->flags |= REQ_F_NEED_CLEANUP;
4283 memcpy(async_msg, kmsg, sizeof(*kmsg));
4287 static int io_sendmsg_copy_hdr(struct io_kiocb *req,
4288 struct io_async_msghdr *iomsg)
4290 iomsg->iov = iomsg->fast_iov;
4291 iomsg->msg.msg_name = &iomsg->addr;
4292 return sendmsg_copy_msghdr(&iomsg->msg, req->sr_msg.umsg,
4293 req->sr_msg.msg_flags, &iomsg->iov);
4296 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4298 struct io_async_msghdr *async_msg = req->async_data;
4299 struct io_sr_msg *sr = &req->sr_msg;
4302 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4305 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4306 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4307 sr->len = READ_ONCE(sqe->len);
4309 #ifdef CONFIG_COMPAT
4310 if (req->ctx->compat)
4311 sr->msg_flags |= MSG_CMSG_COMPAT;
4314 if (!async_msg || !io_op_defs[req->opcode].needs_async_data)
4316 ret = io_sendmsg_copy_hdr(req, async_msg);
4318 req->flags |= REQ_F_NEED_CLEANUP;
4322 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4323 struct io_comp_state *cs)
4325 struct io_async_msghdr iomsg, *kmsg;
4326 struct socket *sock;
4330 sock = sock_from_file(req->file, &ret);
4331 if (unlikely(!sock))
4334 if (req->async_data) {
4335 kmsg = req->async_data;
4336 kmsg->msg.msg_name = &kmsg->addr;
4337 /* if iov is set, it's allocated already */
4339 kmsg->iov = kmsg->fast_iov;
4340 kmsg->msg.msg_iter.iov = kmsg->iov;
4342 ret = io_sendmsg_copy_hdr(req, &iomsg);
4348 flags = req->sr_msg.msg_flags;
4349 if (flags & MSG_DONTWAIT)
4350 req->flags |= REQ_F_NOWAIT;
4351 else if (force_nonblock)
4352 flags |= MSG_DONTWAIT;
4354 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
4355 if (force_nonblock && ret == -EAGAIN)
4356 return io_setup_async_msg(req, kmsg);
4357 if (ret == -ERESTARTSYS)
4360 if (kmsg->iov != kmsg->fast_iov)
4362 req->flags &= ~REQ_F_NEED_CLEANUP;
4364 req_set_fail_links(req);
4365 __io_req_complete(req, ret, 0, cs);
4369 static int io_send(struct io_kiocb *req, bool force_nonblock,
4370 struct io_comp_state *cs)
4372 struct io_sr_msg *sr = &req->sr_msg;
4375 struct socket *sock;
4379 sock = sock_from_file(req->file, &ret);
4380 if (unlikely(!sock))
4383 ret = import_single_range(WRITE, sr->buf, sr->len, &iov, &msg.msg_iter);
4387 msg.msg_name = NULL;
4388 msg.msg_control = NULL;
4389 msg.msg_controllen = 0;
4390 msg.msg_namelen = 0;
4392 flags = req->sr_msg.msg_flags;
4393 if (flags & MSG_DONTWAIT)
4394 req->flags |= REQ_F_NOWAIT;
4395 else if (force_nonblock)
4396 flags |= MSG_DONTWAIT;
4398 msg.msg_flags = flags;
4399 ret = sock_sendmsg(sock, &msg);
4400 if (force_nonblock && ret == -EAGAIN)
4402 if (ret == -ERESTARTSYS)
4406 req_set_fail_links(req);
4407 __io_req_complete(req, ret, 0, cs);
4411 static int __io_recvmsg_copy_hdr(struct io_kiocb *req,
4412 struct io_async_msghdr *iomsg)
4414 struct io_sr_msg *sr = &req->sr_msg;
4415 struct iovec __user *uiov;
4419 ret = __copy_msghdr_from_user(&iomsg->msg, sr->umsg,
4420 &iomsg->uaddr, &uiov, &iov_len);
4424 if (req->flags & REQ_F_BUFFER_SELECT) {
4427 if (copy_from_user(iomsg->iov, uiov, sizeof(*uiov)))
4429 sr->len = iomsg->iov[0].iov_len;
4430 iov_iter_init(&iomsg->msg.msg_iter, READ, iomsg->iov, 1,
4434 ret = __import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
4435 &iomsg->iov, &iomsg->msg.msg_iter,
4444 #ifdef CONFIG_COMPAT
4445 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
4446 struct io_async_msghdr *iomsg)
4448 struct compat_msghdr __user *msg_compat;
4449 struct io_sr_msg *sr = &req->sr_msg;
4450 struct compat_iovec __user *uiov;
4455 msg_compat = (struct compat_msghdr __user *) sr->umsg;
4456 ret = __get_compat_msghdr(&iomsg->msg, msg_compat, &iomsg->uaddr,
4461 uiov = compat_ptr(ptr);
4462 if (req->flags & REQ_F_BUFFER_SELECT) {
4463 compat_ssize_t clen;
4467 if (!access_ok(uiov, sizeof(*uiov)))
4469 if (__get_user(clen, &uiov->iov_len))
4473 sr->len = iomsg->iov[0].iov_len;
4476 ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
4477 UIO_FASTIOV, &iomsg->iov,
4478 &iomsg->msg.msg_iter, true);
4487 static int io_recvmsg_copy_hdr(struct io_kiocb *req,
4488 struct io_async_msghdr *iomsg)
4490 iomsg->msg.msg_name = &iomsg->addr;
4491 iomsg->iov = iomsg->fast_iov;
4493 #ifdef CONFIG_COMPAT
4494 if (req->ctx->compat)
4495 return __io_compat_recvmsg_copy_hdr(req, iomsg);
4498 return __io_recvmsg_copy_hdr(req, iomsg);
4501 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
4504 struct io_sr_msg *sr = &req->sr_msg;
4505 struct io_buffer *kbuf;
4507 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
4512 req->flags |= REQ_F_BUFFER_SELECTED;
4516 static inline unsigned int io_put_recv_kbuf(struct io_kiocb *req)
4518 return io_put_kbuf(req, req->sr_msg.kbuf);
4521 static int io_recvmsg_prep(struct io_kiocb *req,
4522 const struct io_uring_sqe *sqe)
4524 struct io_async_msghdr *async_msg = req->async_data;
4525 struct io_sr_msg *sr = &req->sr_msg;
4528 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4531 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4532 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4533 sr->len = READ_ONCE(sqe->len);
4534 sr->bgid = READ_ONCE(sqe->buf_group);
4536 #ifdef CONFIG_COMPAT
4537 if (req->ctx->compat)
4538 sr->msg_flags |= MSG_CMSG_COMPAT;
4541 if (!async_msg || !io_op_defs[req->opcode].needs_async_data)
4543 ret = io_recvmsg_copy_hdr(req, async_msg);
4545 req->flags |= REQ_F_NEED_CLEANUP;
4549 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4550 struct io_comp_state *cs)
4552 struct io_async_msghdr iomsg, *kmsg;
4553 struct socket *sock;
4554 struct io_buffer *kbuf;
4556 int ret, cflags = 0;
4558 sock = sock_from_file(req->file, &ret);
4559 if (unlikely(!sock))
4562 if (req->async_data) {
4563 kmsg = req->async_data;
4564 kmsg->msg.msg_name = &kmsg->addr;
4565 /* if iov is set, it's allocated already */
4567 kmsg->iov = kmsg->fast_iov;
4568 kmsg->msg.msg_iter.iov = kmsg->iov;
4570 ret = io_recvmsg_copy_hdr(req, &iomsg);
4576 if (req->flags & REQ_F_BUFFER_SELECT) {
4577 kbuf = io_recv_buffer_select(req, !force_nonblock);
4579 return PTR_ERR(kbuf);
4580 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
4581 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->iov,
4582 1, req->sr_msg.len);
4585 flags = req->sr_msg.msg_flags;
4586 if (flags & MSG_DONTWAIT)
4587 req->flags |= REQ_F_NOWAIT;
4588 else if (force_nonblock)
4589 flags |= MSG_DONTWAIT;
4591 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,
4592 kmsg->uaddr, flags);
4593 if (force_nonblock && ret == -EAGAIN)
4594 return io_setup_async_msg(req, kmsg);
4595 if (ret == -ERESTARTSYS)
4598 if (req->flags & REQ_F_BUFFER_SELECTED)
4599 cflags = io_put_recv_kbuf(req);
4600 if (kmsg->iov != kmsg->fast_iov)
4602 req->flags &= ~REQ_F_NEED_CLEANUP;
4604 req_set_fail_links(req);
4605 __io_req_complete(req, ret, cflags, cs);
4609 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4610 struct io_comp_state *cs)
4612 struct io_buffer *kbuf;
4613 struct io_sr_msg *sr = &req->sr_msg;
4615 void __user *buf = sr->buf;
4616 struct socket *sock;
4619 int ret, cflags = 0;
4621 sock = sock_from_file(req->file, &ret);
4622 if (unlikely(!sock))
4625 if (req->flags & REQ_F_BUFFER_SELECT) {
4626 kbuf = io_recv_buffer_select(req, !force_nonblock);
4628 return PTR_ERR(kbuf);
4629 buf = u64_to_user_ptr(kbuf->addr);
4632 ret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);
4636 msg.msg_name = NULL;
4637 msg.msg_control = NULL;
4638 msg.msg_controllen = 0;
4639 msg.msg_namelen = 0;
4640 msg.msg_iocb = NULL;
4643 flags = req->sr_msg.msg_flags;
4644 if (flags & MSG_DONTWAIT)
4645 req->flags |= REQ_F_NOWAIT;
4646 else if (force_nonblock)
4647 flags |= MSG_DONTWAIT;
4649 ret = sock_recvmsg(sock, &msg, flags);
4650 if (force_nonblock && ret == -EAGAIN)
4652 if (ret == -ERESTARTSYS)
4655 if (req->flags & REQ_F_BUFFER_SELECTED)
4656 cflags = io_put_recv_kbuf(req);
4658 req_set_fail_links(req);
4659 __io_req_complete(req, ret, cflags, cs);
4663 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4665 struct io_accept *accept = &req->accept;
4667 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4669 if (sqe->ioprio || sqe->len || sqe->buf_index)
4672 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4673 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4674 accept->flags = READ_ONCE(sqe->accept_flags);
4675 accept->nofile = rlimit(RLIMIT_NOFILE);
4679 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4680 struct io_comp_state *cs)
4682 struct io_accept *accept = &req->accept;
4683 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
4686 if (req->file->f_flags & O_NONBLOCK)
4687 req->flags |= REQ_F_NOWAIT;
4689 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
4690 accept->addr_len, accept->flags,
4692 if (ret == -EAGAIN && force_nonblock)
4695 if (ret == -ERESTARTSYS)
4697 req_set_fail_links(req);
4699 __io_req_complete(req, ret, 0, cs);
4703 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4705 struct io_connect *conn = &req->connect;
4706 struct io_async_connect *io = req->async_data;
4708 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4710 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
4713 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4714 conn->addr_len = READ_ONCE(sqe->addr2);
4719 return move_addr_to_kernel(conn->addr, conn->addr_len,
4723 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4724 struct io_comp_state *cs)
4726 struct io_async_connect __io, *io;
4727 unsigned file_flags;
4730 if (req->async_data) {
4731 io = req->async_data;
4733 ret = move_addr_to_kernel(req->connect.addr,
4734 req->connect.addr_len,
4741 file_flags = force_nonblock ? O_NONBLOCK : 0;
4743 ret = __sys_connect_file(req->file, &io->address,
4744 req->connect.addr_len, file_flags);
4745 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4746 if (req->async_data)
4748 if (io_alloc_async_data(req)) {
4752 io = req->async_data;
4753 memcpy(req->async_data, &__io, sizeof(__io));
4756 if (ret == -ERESTARTSYS)
4760 req_set_fail_links(req);
4761 __io_req_complete(req, ret, 0, cs);
4764 #else /* !CONFIG_NET */
4765 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4770 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4771 struct io_comp_state *cs)
4776 static int io_send(struct io_kiocb *req, bool force_nonblock,
4777 struct io_comp_state *cs)
4782 static int io_recvmsg_prep(struct io_kiocb *req,
4783 const struct io_uring_sqe *sqe)
4788 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4789 struct io_comp_state *cs)
4794 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4795 struct io_comp_state *cs)
4800 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4805 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4806 struct io_comp_state *cs)
4811 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4816 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4817 struct io_comp_state *cs)
4821 #endif /* CONFIG_NET */
4823 struct io_poll_table {
4824 struct poll_table_struct pt;
4825 struct io_kiocb *req;
4829 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4830 __poll_t mask, task_work_func_t func)
4835 /* for instances that support it check for an event match first: */
4836 if (mask && !(mask & poll->events))
4839 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4841 list_del_init(&poll->wait.entry);
4844 init_task_work(&req->task_work, func);
4845 percpu_ref_get(&req->ctx->refs);
4848 * If we using the signalfd wait_queue_head for this wakeup, then
4849 * it's not safe to use TWA_SIGNAL as we could be recursing on the
4850 * tsk->sighand->siglock on doing the wakeup. Should not be needed
4851 * either, as the normal wakeup will suffice.
4853 twa_signal_ok = (poll->head != &req->task->sighand->signalfd_wqh);
4856 * If this fails, then the task is exiting. When a task exits, the
4857 * work gets canceled, so just cancel this request as well instead
4858 * of executing it. We can't safely execute it anyway, as we may not
4859 * have the needed state needed for it anyway.
4861 ret = io_req_task_work_add(req, twa_signal_ok);
4862 if (unlikely(ret)) {
4863 struct task_struct *tsk;
4865 WRITE_ONCE(poll->canceled, true);
4866 tsk = io_wq_get_task(req->ctx->io_wq);
4867 task_work_add(tsk, &req->task_work, 0);
4868 wake_up_process(tsk);
4873 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4874 __acquires(&req->ctx->completion_lock)
4876 struct io_ring_ctx *ctx = req->ctx;
4878 if (!req->result && !READ_ONCE(poll->canceled)) {
4879 struct poll_table_struct pt = { ._key = poll->events };
4881 req->result = vfs_poll(req->file, &pt) & poll->events;
4884 spin_lock_irq(&ctx->completion_lock);
4885 if (!req->result && !READ_ONCE(poll->canceled)) {
4886 add_wait_queue(poll->head, &poll->wait);
4893 static struct io_poll_iocb *io_poll_get_double(struct io_kiocb *req)
4895 /* pure poll stashes this in ->async_data, poll driven retry elsewhere */
4896 if (req->opcode == IORING_OP_POLL_ADD)
4897 return req->async_data;
4898 return req->apoll->double_poll;
4901 static struct io_poll_iocb *io_poll_get_single(struct io_kiocb *req)
4903 if (req->opcode == IORING_OP_POLL_ADD)
4905 return &req->apoll->poll;
4908 static void io_poll_remove_double(struct io_kiocb *req)
4910 struct io_poll_iocb *poll = io_poll_get_double(req);
4912 lockdep_assert_held(&req->ctx->completion_lock);
4914 if (poll && poll->head) {
4915 struct wait_queue_head *head = poll->head;
4917 spin_lock(&head->lock);
4918 list_del_init(&poll->wait.entry);
4919 if (poll->wait.private)
4920 refcount_dec(&req->refs);
4922 spin_unlock(&head->lock);
4926 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4928 struct io_ring_ctx *ctx = req->ctx;
4930 io_poll_remove_double(req);
4931 req->poll.done = true;
4932 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4933 io_commit_cqring(ctx);
4936 static void io_poll_task_func(struct callback_head *cb)
4938 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4939 struct io_ring_ctx *ctx = req->ctx;
4940 struct io_kiocb *nxt;
4942 if (io_poll_rewait(req, &req->poll)) {
4943 spin_unlock_irq(&ctx->completion_lock);
4945 hash_del(&req->hash_node);
4946 io_poll_complete(req, req->result, 0);
4947 spin_unlock_irq(&ctx->completion_lock);
4949 nxt = io_put_req_find_next(req);
4950 io_cqring_ev_posted(ctx);
4952 __io_req_task_submit(nxt);
4955 percpu_ref_put(&ctx->refs);
4958 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4959 int sync, void *key)
4961 struct io_kiocb *req = wait->private;
4962 struct io_poll_iocb *poll = io_poll_get_single(req);
4963 __poll_t mask = key_to_poll(key);
4965 /* for instances that support it check for an event match first: */
4966 if (mask && !(mask & poll->events))
4969 list_del_init(&wait->entry);
4971 if (poll && poll->head) {
4974 spin_lock(&poll->head->lock);
4975 done = list_empty(&poll->wait.entry);
4977 list_del_init(&poll->wait.entry);
4978 /* make sure double remove sees this as being gone */
4979 wait->private = NULL;
4980 spin_unlock(&poll->head->lock);
4982 __io_async_wake(req, poll, mask, io_poll_task_func);
4984 refcount_dec(&req->refs);
4988 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4989 wait_queue_func_t wake_func)
4993 poll->canceled = false;
4994 poll->events = events;
4995 INIT_LIST_HEAD(&poll->wait.entry);
4996 init_waitqueue_func_entry(&poll->wait, wake_func);
4999 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
5000 struct wait_queue_head *head,
5001 struct io_poll_iocb **poll_ptr)
5003 struct io_kiocb *req = pt->req;
5006 * If poll->head is already set, it's because the file being polled
5007 * uses multiple waitqueues for poll handling (eg one for read, one
5008 * for write). Setup a separate io_poll_iocb if this happens.
5010 if (unlikely(poll->head)) {
5011 struct io_poll_iocb *poll_one = poll;
5013 /* already have a 2nd entry, fail a third attempt */
5015 pt->error = -EINVAL;
5018 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
5020 pt->error = -ENOMEM;
5023 io_init_poll_iocb(poll, poll_one->events, io_poll_double_wake);
5024 refcount_inc(&req->refs);
5025 poll->wait.private = req;
5032 if (poll->events & EPOLLEXCLUSIVE)
5033 add_wait_queue_exclusive(head, &poll->wait);
5035 add_wait_queue(head, &poll->wait);
5038 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
5039 struct poll_table_struct *p)
5041 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5042 struct async_poll *apoll = pt->req->apoll;
5044 __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
5047 static void io_async_task_func(struct callback_head *cb)
5049 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
5050 struct async_poll *apoll = req->apoll;
5051 struct io_ring_ctx *ctx = req->ctx;
5053 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
5055 if (io_poll_rewait(req, &apoll->poll)) {
5056 spin_unlock_irq(&ctx->completion_lock);
5057 percpu_ref_put(&ctx->refs);
5061 /* If req is still hashed, it cannot have been canceled. Don't check. */
5062 if (hash_hashed(&req->hash_node))
5063 hash_del(&req->hash_node);
5065 io_poll_remove_double(req);
5066 spin_unlock_irq(&ctx->completion_lock);
5068 if (!READ_ONCE(apoll->poll.canceled))
5069 __io_req_task_submit(req);
5071 __io_req_task_cancel(req, -ECANCELED);
5073 percpu_ref_put(&ctx->refs);
5074 kfree(apoll->double_poll);
5078 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5081 struct io_kiocb *req = wait->private;
5082 struct io_poll_iocb *poll = &req->apoll->poll;
5084 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
5087 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
5090 static void io_poll_req_insert(struct io_kiocb *req)
5092 struct io_ring_ctx *ctx = req->ctx;
5093 struct hlist_head *list;
5095 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
5096 hlist_add_head(&req->hash_node, list);
5099 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
5100 struct io_poll_iocb *poll,
5101 struct io_poll_table *ipt, __poll_t mask,
5102 wait_queue_func_t wake_func)
5103 __acquires(&ctx->completion_lock)
5105 struct io_ring_ctx *ctx = req->ctx;
5106 bool cancel = false;
5108 INIT_HLIST_NODE(&req->hash_node);
5109 io_init_poll_iocb(poll, mask, wake_func);
5110 poll->file = req->file;
5111 poll->wait.private = req;
5113 ipt->pt._key = mask;
5115 ipt->error = -EINVAL;
5117 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
5119 spin_lock_irq(&ctx->completion_lock);
5120 if (likely(poll->head)) {
5121 spin_lock(&poll->head->lock);
5122 if (unlikely(list_empty(&poll->wait.entry))) {
5128 if (mask || ipt->error)
5129 list_del_init(&poll->wait.entry);
5131 WRITE_ONCE(poll->canceled, true);
5132 else if (!poll->done) /* actually waiting for an event */
5133 io_poll_req_insert(req);
5134 spin_unlock(&poll->head->lock);
5140 static bool io_arm_poll_handler(struct io_kiocb *req)
5142 const struct io_op_def *def = &io_op_defs[req->opcode];
5143 struct io_ring_ctx *ctx = req->ctx;
5144 struct async_poll *apoll;
5145 struct io_poll_table ipt;
5149 if (!req->file || !file_can_poll(req->file))
5151 if (req->flags & REQ_F_POLLED)
5155 else if (def->pollout)
5159 /* if we can't nonblock try, then no point in arming a poll handler */
5160 if (!io_file_supports_async(req->file, rw))
5163 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
5164 if (unlikely(!apoll))
5166 apoll->double_poll = NULL;
5168 req->flags |= REQ_F_POLLED;
5173 mask |= POLLIN | POLLRDNORM;
5175 mask |= POLLOUT | POLLWRNORM;
5177 /* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */
5178 if ((req->opcode == IORING_OP_RECVMSG) &&
5179 (req->sr_msg.msg_flags & MSG_ERRQUEUE))
5182 mask |= POLLERR | POLLPRI;
5184 ipt.pt._qproc = io_async_queue_proc;
5186 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
5188 if (ret || ipt.error) {
5189 io_poll_remove_double(req);
5190 spin_unlock_irq(&ctx->completion_lock);
5191 kfree(apoll->double_poll);
5195 spin_unlock_irq(&ctx->completion_lock);
5196 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
5197 apoll->poll.events);
5201 static bool __io_poll_remove_one(struct io_kiocb *req,
5202 struct io_poll_iocb *poll)
5204 bool do_complete = false;
5206 spin_lock(&poll->head->lock);
5207 WRITE_ONCE(poll->canceled, true);
5208 if (!list_empty(&poll->wait.entry)) {
5209 list_del_init(&poll->wait.entry);
5212 spin_unlock(&poll->head->lock);
5213 hash_del(&req->hash_node);
5217 static bool io_poll_remove_one(struct io_kiocb *req)
5221 io_poll_remove_double(req);
5223 if (req->opcode == IORING_OP_POLL_ADD) {
5224 do_complete = __io_poll_remove_one(req, &req->poll);
5226 struct async_poll *apoll = req->apoll;
5228 /* non-poll requests have submit ref still */
5229 do_complete = __io_poll_remove_one(req, &apoll->poll);
5232 kfree(apoll->double_poll);
5238 io_cqring_fill_event(req, -ECANCELED);
5239 io_commit_cqring(req->ctx);
5240 req_set_fail_links(req);
5241 io_put_req_deferred(req, 1);
5248 * Returns true if we found and killed one or more poll requests
5250 static bool io_poll_remove_all(struct io_ring_ctx *ctx, struct task_struct *tsk)
5252 struct hlist_node *tmp;
5253 struct io_kiocb *req;
5256 spin_lock_irq(&ctx->completion_lock);
5257 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
5258 struct hlist_head *list;
5260 list = &ctx->cancel_hash[i];
5261 hlist_for_each_entry_safe(req, tmp, list, hash_node) {
5262 if (io_task_match(req, tsk))
5263 posted += io_poll_remove_one(req);
5266 spin_unlock_irq(&ctx->completion_lock);
5269 io_cqring_ev_posted(ctx);
5274 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
5276 struct hlist_head *list;
5277 struct io_kiocb *req;
5279 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
5280 hlist_for_each_entry(req, list, hash_node) {
5281 if (sqe_addr != req->user_data)
5283 if (io_poll_remove_one(req))
5291 static int io_poll_remove_prep(struct io_kiocb *req,
5292 const struct io_uring_sqe *sqe)
5294 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5296 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
5300 req->poll.addr = READ_ONCE(sqe->addr);
5305 * Find a running poll command that matches one specified in sqe->addr,
5306 * and remove it if found.
5308 static int io_poll_remove(struct io_kiocb *req)
5310 struct io_ring_ctx *ctx = req->ctx;
5314 addr = req->poll.addr;
5315 spin_lock_irq(&ctx->completion_lock);
5316 ret = io_poll_cancel(ctx, addr);
5317 spin_unlock_irq(&ctx->completion_lock);
5320 req_set_fail_links(req);
5321 io_req_complete(req, ret);
5325 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5328 struct io_kiocb *req = wait->private;
5329 struct io_poll_iocb *poll = &req->poll;
5331 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
5334 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
5335 struct poll_table_struct *p)
5337 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5339 __io_queue_proc(&pt->req->poll, pt, head, (struct io_poll_iocb **) &pt->req->async_data);
5342 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5344 struct io_poll_iocb *poll = &req->poll;
5347 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5349 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
5352 events = READ_ONCE(sqe->poll32_events);
5354 events = swahw32(events);
5356 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |
5357 (events & EPOLLEXCLUSIVE);
5361 static int io_poll_add(struct io_kiocb *req)
5363 struct io_poll_iocb *poll = &req->poll;
5364 struct io_ring_ctx *ctx = req->ctx;
5365 struct io_poll_table ipt;
5368 ipt.pt._qproc = io_poll_queue_proc;
5370 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
5373 if (mask) { /* no async, we'd stolen it */
5375 io_poll_complete(req, mask, 0);
5377 spin_unlock_irq(&ctx->completion_lock);
5380 io_cqring_ev_posted(ctx);
5386 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
5388 struct io_timeout_data *data = container_of(timer,
5389 struct io_timeout_data, timer);
5390 struct io_kiocb *req = data->req;
5391 struct io_ring_ctx *ctx = req->ctx;
5392 unsigned long flags;
5394 spin_lock_irqsave(&ctx->completion_lock, flags);
5395 list_del_init(&req->timeout.list);
5396 atomic_set(&req->ctx->cq_timeouts,
5397 atomic_read(&req->ctx->cq_timeouts) + 1);
5399 io_cqring_fill_event(req, -ETIME);
5400 io_commit_cqring(ctx);
5401 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5403 io_cqring_ev_posted(ctx);
5404 req_set_fail_links(req);
5406 return HRTIMER_NORESTART;
5409 static int __io_timeout_cancel(struct io_kiocb *req)
5411 struct io_timeout_data *io = req->async_data;
5414 ret = hrtimer_try_to_cancel(&io->timer);
5417 list_del_init(&req->timeout.list);
5419 req_set_fail_links(req);
5420 io_cqring_fill_event(req, -ECANCELED);
5421 io_put_req_deferred(req, 1);
5425 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
5427 struct io_kiocb *req;
5430 list_for_each_entry(req, &ctx->timeout_list, timeout.list) {
5431 if (user_data == req->user_data) {
5440 return __io_timeout_cancel(req);
5443 static int io_timeout_remove_prep(struct io_kiocb *req,
5444 const struct io_uring_sqe *sqe)
5446 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5448 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5450 if (sqe->ioprio || sqe->buf_index || sqe->len || sqe->timeout_flags)
5453 req->timeout_rem.addr = READ_ONCE(sqe->addr);
5458 * Remove or update an existing timeout command
5460 static int io_timeout_remove(struct io_kiocb *req)
5462 struct io_ring_ctx *ctx = req->ctx;
5465 spin_lock_irq(&ctx->completion_lock);
5466 ret = io_timeout_cancel(ctx, req->timeout_rem.addr);
5468 io_cqring_fill_event(req, ret);
5469 io_commit_cqring(ctx);
5470 spin_unlock_irq(&ctx->completion_lock);
5471 io_cqring_ev_posted(ctx);
5473 req_set_fail_links(req);
5478 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5479 bool is_timeout_link)
5481 struct io_timeout_data *data;
5483 u32 off = READ_ONCE(sqe->off);
5485 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5487 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
5489 if (off && is_timeout_link)
5491 flags = READ_ONCE(sqe->timeout_flags);
5492 if (flags & ~IORING_TIMEOUT_ABS)
5495 req->timeout.off = off;
5497 if (!req->async_data && io_alloc_async_data(req))
5500 data = req->async_data;
5503 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5506 if (flags & IORING_TIMEOUT_ABS)
5507 data->mode = HRTIMER_MODE_ABS;
5509 data->mode = HRTIMER_MODE_REL;
5511 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
5515 static int io_timeout(struct io_kiocb *req)
5517 struct io_ring_ctx *ctx = req->ctx;
5518 struct io_timeout_data *data = req->async_data;
5519 struct list_head *entry;
5520 u32 tail, off = req->timeout.off;
5522 spin_lock_irq(&ctx->completion_lock);
5525 * sqe->off holds how many events that need to occur for this
5526 * timeout event to be satisfied. If it isn't set, then this is
5527 * a pure timeout request, sequence isn't used.
5529 if (io_is_timeout_noseq(req)) {
5530 entry = ctx->timeout_list.prev;
5534 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
5535 req->timeout.target_seq = tail + off;
5538 * Insertion sort, ensuring the first entry in the list is always
5539 * the one we need first.
5541 list_for_each_prev(entry, &ctx->timeout_list) {
5542 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb,
5545 if (io_is_timeout_noseq(nxt))
5547 /* nxt.seq is behind @tail, otherwise would've been completed */
5548 if (off >= nxt->timeout.target_seq - tail)
5552 list_add(&req->timeout.list, entry);
5553 data->timer.function = io_timeout_fn;
5554 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5555 spin_unlock_irq(&ctx->completion_lock);
5559 static bool io_cancel_cb(struct io_wq_work *work, void *data)
5561 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5563 return req->user_data == (unsigned long) data;
5566 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
5568 enum io_wq_cancel cancel_ret;
5571 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr, false);
5572 switch (cancel_ret) {
5573 case IO_WQ_CANCEL_OK:
5576 case IO_WQ_CANCEL_RUNNING:
5579 case IO_WQ_CANCEL_NOTFOUND:
5587 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
5588 struct io_kiocb *req, __u64 sqe_addr,
5591 unsigned long flags;
5594 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
5595 if (ret != -ENOENT) {
5596 spin_lock_irqsave(&ctx->completion_lock, flags);
5600 spin_lock_irqsave(&ctx->completion_lock, flags);
5601 ret = io_timeout_cancel(ctx, sqe_addr);
5604 ret = io_poll_cancel(ctx, sqe_addr);
5608 io_cqring_fill_event(req, ret);
5609 io_commit_cqring(ctx);
5610 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5611 io_cqring_ev_posted(ctx);
5614 req_set_fail_links(req);
5618 static int io_async_cancel_prep(struct io_kiocb *req,
5619 const struct io_uring_sqe *sqe)
5621 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5623 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5625 if (sqe->ioprio || sqe->off || sqe->len || sqe->cancel_flags)
5628 req->cancel.addr = READ_ONCE(sqe->addr);
5632 static int io_async_cancel(struct io_kiocb *req)
5634 struct io_ring_ctx *ctx = req->ctx;
5636 io_async_find_and_cancel(ctx, req, req->cancel.addr, 0);
5640 static int io_files_update_prep(struct io_kiocb *req,
5641 const struct io_uring_sqe *sqe)
5643 if (unlikely(req->ctx->flags & IORING_SETUP_SQPOLL))
5645 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5647 if (sqe->ioprio || sqe->rw_flags)
5650 req->files_update.offset = READ_ONCE(sqe->off);
5651 req->files_update.nr_args = READ_ONCE(sqe->len);
5652 if (!req->files_update.nr_args)
5654 req->files_update.arg = READ_ONCE(sqe->addr);
5658 static int io_files_update(struct io_kiocb *req, bool force_nonblock,
5659 struct io_comp_state *cs)
5661 struct io_ring_ctx *ctx = req->ctx;
5662 struct io_uring_files_update up;
5668 up.offset = req->files_update.offset;
5669 up.fds = req->files_update.arg;
5671 mutex_lock(&ctx->uring_lock);
5672 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
5673 mutex_unlock(&ctx->uring_lock);
5676 req_set_fail_links(req);
5677 __io_req_complete(req, ret, 0, cs);
5681 static int io_req_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5683 switch (req->opcode) {
5686 case IORING_OP_READV:
5687 case IORING_OP_READ_FIXED:
5688 case IORING_OP_READ:
5689 return io_read_prep(req, sqe);
5690 case IORING_OP_WRITEV:
5691 case IORING_OP_WRITE_FIXED:
5692 case IORING_OP_WRITE:
5693 return io_write_prep(req, sqe);
5694 case IORING_OP_POLL_ADD:
5695 return io_poll_add_prep(req, sqe);
5696 case IORING_OP_POLL_REMOVE:
5697 return io_poll_remove_prep(req, sqe);
5698 case IORING_OP_FSYNC:
5699 return io_prep_fsync(req, sqe);
5700 case IORING_OP_SYNC_FILE_RANGE:
5701 return io_prep_sfr(req, sqe);
5702 case IORING_OP_SENDMSG:
5703 case IORING_OP_SEND:
5704 return io_sendmsg_prep(req, sqe);
5705 case IORING_OP_RECVMSG:
5706 case IORING_OP_RECV:
5707 return io_recvmsg_prep(req, sqe);
5708 case IORING_OP_CONNECT:
5709 return io_connect_prep(req, sqe);
5710 case IORING_OP_TIMEOUT:
5711 return io_timeout_prep(req, sqe, false);
5712 case IORING_OP_TIMEOUT_REMOVE:
5713 return io_timeout_remove_prep(req, sqe);
5714 case IORING_OP_ASYNC_CANCEL:
5715 return io_async_cancel_prep(req, sqe);
5716 case IORING_OP_LINK_TIMEOUT:
5717 return io_timeout_prep(req, sqe, true);
5718 case IORING_OP_ACCEPT:
5719 return io_accept_prep(req, sqe);
5720 case IORING_OP_FALLOCATE:
5721 return io_fallocate_prep(req, sqe);
5722 case IORING_OP_OPENAT:
5723 return io_openat_prep(req, sqe);
5724 case IORING_OP_CLOSE:
5725 return io_close_prep(req, sqe);
5726 case IORING_OP_FILES_UPDATE:
5727 return io_files_update_prep(req, sqe);
5728 case IORING_OP_STATX:
5729 return io_statx_prep(req, sqe);
5730 case IORING_OP_FADVISE:
5731 return io_fadvise_prep(req, sqe);
5732 case IORING_OP_MADVISE:
5733 return io_madvise_prep(req, sqe);
5734 case IORING_OP_OPENAT2:
5735 return io_openat2_prep(req, sqe);
5736 case IORING_OP_EPOLL_CTL:
5737 return io_epoll_ctl_prep(req, sqe);
5738 case IORING_OP_SPLICE:
5739 return io_splice_prep(req, sqe);
5740 case IORING_OP_PROVIDE_BUFFERS:
5741 return io_provide_buffers_prep(req, sqe);
5742 case IORING_OP_REMOVE_BUFFERS:
5743 return io_remove_buffers_prep(req, sqe);
5745 return io_tee_prep(req, sqe);
5748 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5753 static int io_req_defer_prep(struct io_kiocb *req,
5754 const struct io_uring_sqe *sqe)
5758 if (io_alloc_async_data(req))
5760 return io_req_prep(req, sqe);
5763 static u32 io_get_sequence(struct io_kiocb *req)
5765 struct io_kiocb *pos;
5766 struct io_ring_ctx *ctx = req->ctx;
5767 u32 total_submitted, nr_reqs = 1;
5769 if (req->flags & REQ_F_LINK_HEAD)
5770 list_for_each_entry(pos, &req->link_list, link_list)
5773 total_submitted = ctx->cached_sq_head - ctx->cached_sq_dropped;
5774 return total_submitted - nr_reqs;
5777 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5779 struct io_ring_ctx *ctx = req->ctx;
5780 struct io_defer_entry *de;
5784 /* Still need defer if there is pending req in defer list. */
5785 if (likely(list_empty_careful(&ctx->defer_list) &&
5786 !(req->flags & REQ_F_IO_DRAIN)))
5789 seq = io_get_sequence(req);
5790 /* Still a chance to pass the sequence check */
5791 if (!req_need_defer(req, seq) && list_empty_careful(&ctx->defer_list))
5794 if (!req->async_data) {
5795 ret = io_req_defer_prep(req, sqe);
5799 io_prep_async_link(req);
5800 de = kmalloc(sizeof(*de), GFP_KERNEL);
5804 spin_lock_irq(&ctx->completion_lock);
5805 if (!req_need_defer(req, seq) && list_empty(&ctx->defer_list)) {
5806 spin_unlock_irq(&ctx->completion_lock);
5808 io_queue_async_work(req);
5809 return -EIOCBQUEUED;
5812 trace_io_uring_defer(ctx, req, req->user_data);
5815 list_add_tail(&de->list, &ctx->defer_list);
5816 spin_unlock_irq(&ctx->completion_lock);
5817 return -EIOCBQUEUED;
5820 static void io_req_drop_files(struct io_kiocb *req)
5822 struct io_ring_ctx *ctx = req->ctx;
5823 unsigned long flags;
5825 spin_lock_irqsave(&ctx->inflight_lock, flags);
5826 list_del(&req->inflight_entry);
5827 if (waitqueue_active(&ctx->inflight_wait))
5828 wake_up(&ctx->inflight_wait);
5829 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
5830 req->flags &= ~REQ_F_INFLIGHT;
5831 put_files_struct(req->work.identity->files);
5832 put_nsproxy(req->work.identity->nsproxy);
5833 req->work.flags &= ~IO_WQ_WORK_FILES;
5836 static void __io_clean_op(struct io_kiocb *req)
5838 if (req->flags & REQ_F_BUFFER_SELECTED) {
5839 switch (req->opcode) {
5840 case IORING_OP_READV:
5841 case IORING_OP_READ_FIXED:
5842 case IORING_OP_READ:
5843 kfree((void *)(unsigned long)req->rw.addr);
5845 case IORING_OP_RECVMSG:
5846 case IORING_OP_RECV:
5847 kfree(req->sr_msg.kbuf);
5850 req->flags &= ~REQ_F_BUFFER_SELECTED;
5853 if (req->flags & REQ_F_NEED_CLEANUP) {
5854 switch (req->opcode) {
5855 case IORING_OP_READV:
5856 case IORING_OP_READ_FIXED:
5857 case IORING_OP_READ:
5858 case IORING_OP_WRITEV:
5859 case IORING_OP_WRITE_FIXED:
5860 case IORING_OP_WRITE: {
5861 struct io_async_rw *io = req->async_data;
5863 kfree(io->free_iovec);
5866 case IORING_OP_RECVMSG:
5867 case IORING_OP_SENDMSG: {
5868 struct io_async_msghdr *io = req->async_data;
5869 if (io->iov != io->fast_iov)
5873 case IORING_OP_SPLICE:
5875 io_put_file(req, req->splice.file_in,
5876 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5878 case IORING_OP_OPENAT:
5879 case IORING_OP_OPENAT2:
5880 if (req->open.filename)
5881 putname(req->open.filename);
5884 req->flags &= ~REQ_F_NEED_CLEANUP;
5887 if (req->flags & REQ_F_INFLIGHT)
5888 io_req_drop_files(req);
5891 static int io_issue_sqe(struct io_kiocb *req, bool force_nonblock,
5892 struct io_comp_state *cs)
5894 struct io_ring_ctx *ctx = req->ctx;
5897 switch (req->opcode) {
5899 ret = io_nop(req, cs);
5901 case IORING_OP_READV:
5902 case IORING_OP_READ_FIXED:
5903 case IORING_OP_READ:
5904 ret = io_read(req, force_nonblock, cs);
5906 case IORING_OP_WRITEV:
5907 case IORING_OP_WRITE_FIXED:
5908 case IORING_OP_WRITE:
5909 ret = io_write(req, force_nonblock, cs);
5911 case IORING_OP_FSYNC:
5912 ret = io_fsync(req, force_nonblock);
5914 case IORING_OP_POLL_ADD:
5915 ret = io_poll_add(req);
5917 case IORING_OP_POLL_REMOVE:
5918 ret = io_poll_remove(req);
5920 case IORING_OP_SYNC_FILE_RANGE:
5921 ret = io_sync_file_range(req, force_nonblock);
5923 case IORING_OP_SENDMSG:
5924 ret = io_sendmsg(req, force_nonblock, cs);
5926 case IORING_OP_SEND:
5927 ret = io_send(req, force_nonblock, cs);
5929 case IORING_OP_RECVMSG:
5930 ret = io_recvmsg(req, force_nonblock, cs);
5932 case IORING_OP_RECV:
5933 ret = io_recv(req, force_nonblock, cs);
5935 case IORING_OP_TIMEOUT:
5936 ret = io_timeout(req);
5938 case IORING_OP_TIMEOUT_REMOVE:
5939 ret = io_timeout_remove(req);
5941 case IORING_OP_ACCEPT:
5942 ret = io_accept(req, force_nonblock, cs);
5944 case IORING_OP_CONNECT:
5945 ret = io_connect(req, force_nonblock, cs);
5947 case IORING_OP_ASYNC_CANCEL:
5948 ret = io_async_cancel(req);
5950 case IORING_OP_FALLOCATE:
5951 ret = io_fallocate(req, force_nonblock);
5953 case IORING_OP_OPENAT:
5954 ret = io_openat(req, force_nonblock);
5956 case IORING_OP_CLOSE:
5957 ret = io_close(req, force_nonblock, cs);
5959 case IORING_OP_FILES_UPDATE:
5960 ret = io_files_update(req, force_nonblock, cs);
5962 case IORING_OP_STATX:
5963 ret = io_statx(req, force_nonblock);
5965 case IORING_OP_FADVISE:
5966 ret = io_fadvise(req, force_nonblock);
5968 case IORING_OP_MADVISE:
5969 ret = io_madvise(req, force_nonblock);
5971 case IORING_OP_OPENAT2:
5972 ret = io_openat2(req, force_nonblock);
5974 case IORING_OP_EPOLL_CTL:
5975 ret = io_epoll_ctl(req, force_nonblock, cs);
5977 case IORING_OP_SPLICE:
5978 ret = io_splice(req, force_nonblock);
5980 case IORING_OP_PROVIDE_BUFFERS:
5981 ret = io_provide_buffers(req, force_nonblock, cs);
5983 case IORING_OP_REMOVE_BUFFERS:
5984 ret = io_remove_buffers(req, force_nonblock, cs);
5987 ret = io_tee(req, force_nonblock);
5997 /* If the op doesn't have a file, we're not polling for it */
5998 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
5999 const bool in_async = io_wq_current_is_worker();
6001 /* workqueue context doesn't hold uring_lock, grab it now */
6003 mutex_lock(&ctx->uring_lock);
6005 io_iopoll_req_issued(req);
6008 mutex_unlock(&ctx->uring_lock);
6014 static struct io_wq_work *io_wq_submit_work(struct io_wq_work *work)
6016 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6017 struct io_kiocb *timeout;
6020 timeout = io_prep_linked_timeout(req);
6022 io_queue_linked_timeout(timeout);
6024 /* if NO_CANCEL is set, we must still run the work */
6025 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
6026 IO_WQ_WORK_CANCEL) {
6032 ret = io_issue_sqe(req, false, NULL);
6034 * We can get EAGAIN for polled IO even though we're
6035 * forcing a sync submission from here, since we can't
6036 * wait for request slots on the block side.
6045 req_set_fail_links(req);
6046 io_req_complete(req, ret);
6049 return io_steal_work(req);
6052 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
6055 struct fixed_file_table *table;
6057 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
6058 return table->files[index & IORING_FILE_TABLE_MASK];
6061 static struct file *io_file_get(struct io_submit_state *state,
6062 struct io_kiocb *req, int fd, bool fixed)
6064 struct io_ring_ctx *ctx = req->ctx;
6068 if (unlikely((unsigned int)fd >= ctx->nr_user_files))
6070 fd = array_index_nospec(fd, ctx->nr_user_files);
6071 file = io_file_from_index(ctx, fd);
6073 req->fixed_file_refs = &ctx->file_data->node->refs;
6074 percpu_ref_get(req->fixed_file_refs);
6077 trace_io_uring_file_get(ctx, fd);
6078 file = __io_file_get(state, fd);
6084 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
6089 fixed = (req->flags & REQ_F_FIXED_FILE) != 0;
6090 if (unlikely(!fixed && io_async_submit(req->ctx)))
6093 req->file = io_file_get(state, req, fd, fixed);
6094 if (req->file || io_op_defs[req->opcode].needs_file_no_error)
6099 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
6101 struct io_timeout_data *data = container_of(timer,
6102 struct io_timeout_data, timer);
6103 struct io_kiocb *req = data->req;
6104 struct io_ring_ctx *ctx = req->ctx;
6105 struct io_kiocb *prev = NULL;
6106 unsigned long flags;
6108 spin_lock_irqsave(&ctx->completion_lock, flags);
6111 * We don't expect the list to be empty, that will only happen if we
6112 * race with the completion of the linked work.
6114 if (!list_empty(&req->link_list)) {
6115 prev = list_entry(req->link_list.prev, struct io_kiocb,
6117 if (refcount_inc_not_zero(&prev->refs))
6118 list_del_init(&req->link_list);
6123 spin_unlock_irqrestore(&ctx->completion_lock, flags);
6126 req_set_fail_links(prev);
6127 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
6130 io_req_complete(req, -ETIME);
6132 return HRTIMER_NORESTART;
6135 static void __io_queue_linked_timeout(struct io_kiocb *req)
6138 * If the list is now empty, then our linked request finished before
6139 * we got a chance to setup the timer
6141 if (!list_empty(&req->link_list)) {
6142 struct io_timeout_data *data = req->async_data;
6144 data->timer.function = io_link_timeout_fn;
6145 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
6150 static void io_queue_linked_timeout(struct io_kiocb *req)
6152 struct io_ring_ctx *ctx = req->ctx;
6154 spin_lock_irq(&ctx->completion_lock);
6155 __io_queue_linked_timeout(req);
6156 spin_unlock_irq(&ctx->completion_lock);
6158 /* drop submission reference */
6162 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
6164 struct io_kiocb *nxt;
6166 if (!(req->flags & REQ_F_LINK_HEAD))
6168 if (req->flags & REQ_F_LINK_TIMEOUT)
6171 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
6173 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
6176 nxt->flags |= REQ_F_LTIMEOUT_ACTIVE;
6177 req->flags |= REQ_F_LINK_TIMEOUT;
6181 static void __io_queue_sqe(struct io_kiocb *req, struct io_comp_state *cs)
6183 struct io_kiocb *linked_timeout;
6184 struct io_kiocb *nxt;
6185 const struct cred *old_creds = NULL;
6189 linked_timeout = io_prep_linked_timeout(req);
6191 if ((req->flags & REQ_F_WORK_INITIALIZED) &&
6192 (req->work.flags & IO_WQ_WORK_CREDS) &&
6193 req->work.identity->creds != current_cred()) {
6195 revert_creds(old_creds);
6196 if (old_creds == req->work.identity->creds)
6197 old_creds = NULL; /* restored original creds */
6199 old_creds = override_creds(req->work.identity->creds);
6202 ret = io_issue_sqe(req, true, cs);
6205 * We async punt it if the file wasn't marked NOWAIT, or if the file
6206 * doesn't support non-blocking read/write attempts
6208 if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
6209 if (!io_arm_poll_handler(req)) {
6212 * Queued up for async execution, worker will release
6213 * submit reference when the iocb is actually submitted.
6215 io_queue_async_work(req);
6219 io_queue_linked_timeout(linked_timeout);
6223 if (unlikely(ret)) {
6224 /* un-prep timeout, so it'll be killed as any other linked */
6225 req->flags &= ~REQ_F_LINK_TIMEOUT;
6226 req_set_fail_links(req);
6228 io_req_complete(req, ret);
6232 /* drop submission reference */
6233 nxt = io_put_req_find_next(req);
6235 io_queue_linked_timeout(linked_timeout);
6240 if (req->flags & REQ_F_FORCE_ASYNC) {
6241 linked_timeout = NULL;
6248 revert_creds(old_creds);
6251 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6252 struct io_comp_state *cs)
6256 ret = io_req_defer(req, sqe);
6258 if (ret != -EIOCBQUEUED) {
6260 req_set_fail_links(req);
6262 io_req_complete(req, ret);
6264 } else if (req->flags & REQ_F_FORCE_ASYNC) {
6265 if (!req->async_data) {
6266 ret = io_req_defer_prep(req, sqe);
6272 * Never try inline submit of IOSQE_ASYNC is set, go straight
6273 * to async execution.
6275 io_req_init_async(req);
6276 req->work.flags |= IO_WQ_WORK_CONCURRENT;
6277 io_queue_async_work(req);
6280 ret = io_req_prep(req, sqe);
6284 __io_queue_sqe(req, cs);
6288 static inline void io_queue_link_head(struct io_kiocb *req,
6289 struct io_comp_state *cs)
6291 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
6293 io_req_complete(req, -ECANCELED);
6295 io_queue_sqe(req, NULL, cs);
6298 static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6299 struct io_kiocb **link, struct io_comp_state *cs)
6301 struct io_ring_ctx *ctx = req->ctx;
6305 * If we already have a head request, queue this one for async
6306 * submittal once the head completes. If we don't have a head but
6307 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
6308 * submitted sync once the chain is complete. If none of those
6309 * conditions are true (normal request), then just queue it.
6312 struct io_kiocb *head = *link;
6315 * Taking sequential execution of a link, draining both sides
6316 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
6317 * requests in the link. So, it drains the head and the
6318 * next after the link request. The last one is done via
6319 * drain_next flag to persist the effect across calls.
6321 if (req->flags & REQ_F_IO_DRAIN) {
6322 head->flags |= REQ_F_IO_DRAIN;
6323 ctx->drain_next = 1;
6325 ret = io_req_defer_prep(req, sqe);
6326 if (unlikely(ret)) {
6327 /* fail even hard links since we don't submit */
6328 head->flags |= REQ_F_FAIL_LINK;
6331 trace_io_uring_link(ctx, req, head);
6332 list_add_tail(&req->link_list, &head->link_list);
6334 /* last request of a link, enqueue the link */
6335 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
6336 io_queue_link_head(head, cs);
6340 if (unlikely(ctx->drain_next)) {
6341 req->flags |= REQ_F_IO_DRAIN;
6342 ctx->drain_next = 0;
6344 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
6345 req->flags |= REQ_F_LINK_HEAD;
6346 INIT_LIST_HEAD(&req->link_list);
6348 ret = io_req_defer_prep(req, sqe);
6350 req->flags |= REQ_F_FAIL_LINK;
6353 io_queue_sqe(req, sqe, cs);
6361 * Batched submission is done, ensure local IO is flushed out.
6363 static void io_submit_state_end(struct io_submit_state *state)
6365 if (!list_empty(&state->comp.list))
6366 io_submit_flush_completions(&state->comp);
6367 blk_finish_plug(&state->plug);
6368 io_state_file_put(state);
6369 if (state->free_reqs)
6370 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
6374 * Start submission side cache.
6376 static void io_submit_state_start(struct io_submit_state *state,
6377 struct io_ring_ctx *ctx, unsigned int max_ios)
6379 blk_start_plug(&state->plug);
6381 INIT_LIST_HEAD(&state->comp.list);
6382 state->comp.ctx = ctx;
6383 state->free_reqs = 0;
6385 state->ios_left = max_ios;
6388 static void io_commit_sqring(struct io_ring_ctx *ctx)
6390 struct io_rings *rings = ctx->rings;
6393 * Ensure any loads from the SQEs are done at this point,
6394 * since once we write the new head, the application could
6395 * write new data to them.
6397 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
6401 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
6402 * that is mapped by userspace. This means that care needs to be taken to
6403 * ensure that reads are stable, as we cannot rely on userspace always
6404 * being a good citizen. If members of the sqe are validated and then later
6405 * used, it's important that those reads are done through READ_ONCE() to
6406 * prevent a re-load down the line.
6408 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
6410 u32 *sq_array = ctx->sq_array;
6414 * The cached sq head (or cq tail) serves two purposes:
6416 * 1) allows us to batch the cost of updating the user visible
6418 * 2) allows the kernel side to track the head on its own, even
6419 * though the application is the one updating it.
6421 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
6422 if (likely(head < ctx->sq_entries))
6423 return &ctx->sq_sqes[head];
6425 /* drop invalid entries */
6426 ctx->cached_sq_dropped++;
6427 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
6431 static inline void io_consume_sqe(struct io_ring_ctx *ctx)
6433 ctx->cached_sq_head++;
6437 * Check SQE restrictions (opcode and flags).
6439 * Returns 'true' if SQE is allowed, 'false' otherwise.
6441 static inline bool io_check_restriction(struct io_ring_ctx *ctx,
6442 struct io_kiocb *req,
6443 unsigned int sqe_flags)
6445 if (!ctx->restricted)
6448 if (!test_bit(req->opcode, ctx->restrictions.sqe_op))
6451 if ((sqe_flags & ctx->restrictions.sqe_flags_required) !=
6452 ctx->restrictions.sqe_flags_required)
6455 if (sqe_flags & ~(ctx->restrictions.sqe_flags_allowed |
6456 ctx->restrictions.sqe_flags_required))
6462 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
6463 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
6464 IOSQE_BUFFER_SELECT)
6466 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
6467 const struct io_uring_sqe *sqe,
6468 struct io_submit_state *state)
6470 unsigned int sqe_flags;
6473 req->opcode = READ_ONCE(sqe->opcode);
6474 req->user_data = READ_ONCE(sqe->user_data);
6475 req->async_data = NULL;
6479 /* one is dropped after submission, the other at completion */
6480 refcount_set(&req->refs, 2);
6481 req->task = current;
6484 if (unlikely(req->opcode >= IORING_OP_LAST))
6487 if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
6490 sqe_flags = READ_ONCE(sqe->flags);
6491 /* enforce forwards compatibility on users */
6492 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
6495 if (unlikely(!io_check_restriction(ctx, req, sqe_flags)))
6498 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
6499 !io_op_defs[req->opcode].buffer_select)
6502 id = READ_ONCE(sqe->personality);
6504 struct io_identity *iod;
6506 iod = idr_find(&ctx->personality_idr, id);
6509 refcount_inc(&iod->count);
6511 __io_req_init_async(req);
6512 get_cred(iod->creds);
6513 req->work.identity = iod;
6514 req->work.flags |= IO_WQ_WORK_CREDS;
6517 /* same numerical values with corresponding REQ_F_*, safe to copy */
6518 req->flags |= sqe_flags;
6520 if (!io_op_defs[req->opcode].needs_file)
6523 ret = io_req_set_file(state, req, READ_ONCE(sqe->fd));
6528 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
6530 struct io_submit_state state;
6531 struct io_kiocb *link = NULL;
6532 int i, submitted = 0;
6534 /* if we have a backlog and couldn't flush it all, return BUSY */
6535 if (test_bit(0, &ctx->sq_check_overflow)) {
6536 if (!list_empty(&ctx->cq_overflow_list) &&
6537 !io_cqring_overflow_flush(ctx, false, NULL, NULL))
6541 /* make sure SQ entry isn't read before tail */
6542 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
6544 if (!percpu_ref_tryget_many(&ctx->refs, nr))
6547 percpu_counter_add(¤t->io_uring->inflight, nr);
6548 refcount_add(nr, ¤t->usage);
6550 io_submit_state_start(&state, ctx, nr);
6552 for (i = 0; i < nr; i++) {
6553 const struct io_uring_sqe *sqe;
6554 struct io_kiocb *req;
6557 sqe = io_get_sqe(ctx);
6558 if (unlikely(!sqe)) {
6559 io_consume_sqe(ctx);
6562 req = io_alloc_req(ctx, &state);
6563 if (unlikely(!req)) {
6565 submitted = -EAGAIN;
6568 io_consume_sqe(ctx);
6569 /* will complete beyond this point, count as submitted */
6572 err = io_init_req(ctx, req, sqe, &state);
6573 if (unlikely(err)) {
6576 io_req_complete(req, err);
6580 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
6581 true, io_async_submit(ctx));
6582 err = io_submit_sqe(req, sqe, &link, &state.comp);
6587 if (unlikely(submitted != nr)) {
6588 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
6589 struct io_uring_task *tctx = current->io_uring;
6590 int unused = nr - ref_used;
6592 percpu_ref_put_many(&ctx->refs, unused);
6593 percpu_counter_sub(&tctx->inflight, unused);
6594 put_task_struct_many(current, unused);
6597 io_queue_link_head(link, &state.comp);
6598 io_submit_state_end(&state);
6600 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6601 io_commit_sqring(ctx);
6606 static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)
6608 /* Tell userspace we may need a wakeup call */
6609 spin_lock_irq(&ctx->completion_lock);
6610 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6611 spin_unlock_irq(&ctx->completion_lock);
6614 static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)
6616 spin_lock_irq(&ctx->completion_lock);
6617 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6618 spin_unlock_irq(&ctx->completion_lock);
6621 static int io_sq_wake_function(struct wait_queue_entry *wqe, unsigned mode,
6622 int sync, void *key)
6624 struct io_ring_ctx *ctx = container_of(wqe, struct io_ring_ctx, sqo_wait_entry);
6627 ret = autoremove_wake_function(wqe, mode, sync, key);
6629 unsigned long flags;
6631 spin_lock_irqsave(&ctx->completion_lock, flags);
6632 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6633 spin_unlock_irqrestore(&ctx->completion_lock, flags);
6644 static enum sq_ret __io_sq_thread(struct io_ring_ctx *ctx,
6645 unsigned long start_jiffies, bool cap_entries)
6647 unsigned long timeout = start_jiffies + ctx->sq_thread_idle;
6648 struct io_sq_data *sqd = ctx->sq_data;
6649 unsigned int to_submit;
6653 if (!list_empty(&ctx->iopoll_list)) {
6654 unsigned nr_events = 0;
6656 mutex_lock(&ctx->uring_lock);
6657 if (!list_empty(&ctx->iopoll_list) && !need_resched())
6658 io_do_iopoll(ctx, &nr_events, 0);
6659 mutex_unlock(&ctx->uring_lock);
6662 to_submit = io_sqring_entries(ctx);
6665 * If submit got -EBUSY, flag us as needing the application
6666 * to enter the kernel to reap and flush events.
6668 if (!to_submit || ret == -EBUSY || need_resched()) {
6670 * Drop cur_mm before scheduling, we can't hold it for
6671 * long periods (or over schedule()). Do this before
6672 * adding ourselves to the waitqueue, as the unuse/drop
6675 io_sq_thread_drop_mm();
6678 * We're polling. If we're within the defined idle
6679 * period, then let us spin without work before going
6680 * to sleep. The exception is if we got EBUSY doing
6681 * more IO, we should wait for the application to
6682 * reap events and wake us up.
6684 if (!list_empty(&ctx->iopoll_list) || need_resched() ||
6685 (!time_after(jiffies, timeout) && ret != -EBUSY &&
6686 !percpu_ref_is_dying(&ctx->refs)))
6689 prepare_to_wait(&sqd->wait, &ctx->sqo_wait_entry,
6690 TASK_INTERRUPTIBLE);
6693 * While doing polled IO, before going to sleep, we need
6694 * to check if there are new reqs added to iopoll_list,
6695 * it is because reqs may have been punted to io worker
6696 * and will be added to iopoll_list later, hence check
6697 * the iopoll_list again.
6699 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6700 !list_empty_careful(&ctx->iopoll_list)) {
6701 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
6705 to_submit = io_sqring_entries(ctx);
6706 if (!to_submit || ret == -EBUSY)
6710 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
6711 io_ring_clear_wakeup_flag(ctx);
6713 /* if we're handling multiple rings, cap submit size for fairness */
6714 if (cap_entries && to_submit > 8)
6717 mutex_lock(&ctx->uring_lock);
6718 if (likely(!percpu_ref_is_dying(&ctx->refs)))
6719 ret = io_submit_sqes(ctx, to_submit);
6720 mutex_unlock(&ctx->uring_lock);
6722 if (!io_sqring_full(ctx) && wq_has_sleeper(&ctx->sqo_sq_wait))
6723 wake_up(&ctx->sqo_sq_wait);
6725 return SQT_DID_WORK;
6728 static void io_sqd_init_new(struct io_sq_data *sqd)
6730 struct io_ring_ctx *ctx;
6732 while (!list_empty(&sqd->ctx_new_list)) {
6733 ctx = list_first_entry(&sqd->ctx_new_list, struct io_ring_ctx, sqd_list);
6734 init_wait(&ctx->sqo_wait_entry);
6735 ctx->sqo_wait_entry.func = io_sq_wake_function;
6736 list_move_tail(&ctx->sqd_list, &sqd->ctx_list);
6737 complete(&ctx->sq_thread_comp);
6741 static int io_sq_thread(void *data)
6743 struct cgroup_subsys_state *cur_css = NULL;
6744 const struct cred *old_cred = NULL;
6745 struct io_sq_data *sqd = data;
6746 struct io_ring_ctx *ctx;
6747 unsigned long start_jiffies;
6749 start_jiffies = jiffies;
6750 while (!kthread_should_stop()) {
6751 enum sq_ret ret = 0;
6755 * Any changes to the sqd lists are synchronized through the
6756 * kthread parking. This synchronizes the thread vs users,
6757 * the users are synchronized on the sqd->ctx_lock.
6759 if (kthread_should_park())
6762 if (unlikely(!list_empty(&sqd->ctx_new_list)))
6763 io_sqd_init_new(sqd);
6765 cap_entries = !list_is_singular(&sqd->ctx_list);
6767 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
6768 if (current->cred != ctx->creds) {
6770 revert_creds(old_cred);
6771 old_cred = override_creds(ctx->creds);
6773 io_sq_thread_associate_blkcg(ctx, &cur_css);
6775 current->loginuid = ctx->loginuid;
6776 current->sessionid = ctx->sessionid;
6779 ret |= __io_sq_thread(ctx, start_jiffies, cap_entries);
6781 io_sq_thread_drop_mm();
6784 if (ret & SQT_SPIN) {
6787 } else if (ret == SQT_IDLE) {
6788 if (kthread_should_park())
6790 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6791 io_ring_set_wakeup_flag(ctx);
6793 start_jiffies = jiffies;
6794 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6795 io_ring_clear_wakeup_flag(ctx);
6802 io_sq_thread_unassociate_blkcg();
6804 revert_creds(old_cred);
6811 struct io_wait_queue {
6812 struct wait_queue_entry wq;
6813 struct io_ring_ctx *ctx;
6815 unsigned nr_timeouts;
6818 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
6820 struct io_ring_ctx *ctx = iowq->ctx;
6823 * Wake up if we have enough events, or if a timeout occurred since we
6824 * started waiting. For timeouts, we always want to return to userspace,
6825 * regardless of event count.
6827 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
6828 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6831 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6832 int wake_flags, void *key)
6834 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6837 /* use noflush == true, as we can't safely rely on locking context */
6838 if (!io_should_wake(iowq, true))
6841 return autoremove_wake_function(curr, mode, wake_flags, key);
6844 static int io_run_task_work_sig(void)
6846 if (io_run_task_work())
6848 if (!signal_pending(current))
6850 if (current->jobctl & JOBCTL_TASK_WORK) {
6851 spin_lock_irq(¤t->sighand->siglock);
6852 current->jobctl &= ~JOBCTL_TASK_WORK;
6853 recalc_sigpending();
6854 spin_unlock_irq(¤t->sighand->siglock);
6861 * Wait until events become available, if we don't already have some. The
6862 * application must reap them itself, as they reside on the shared cq ring.
6864 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6865 const sigset_t __user *sig, size_t sigsz)
6867 struct io_wait_queue iowq = {
6870 .func = io_wake_function,
6871 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6874 .to_wait = min_events,
6876 struct io_rings *rings = ctx->rings;
6880 if (io_cqring_events(ctx, false) >= min_events)
6882 if (!io_run_task_work())
6887 #ifdef CONFIG_COMPAT
6888 if (in_compat_syscall())
6889 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6893 ret = set_user_sigmask(sig, sigsz);
6899 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6900 trace_io_uring_cqring_wait(ctx, min_events);
6902 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6903 TASK_INTERRUPTIBLE);
6904 /* make sure we run task_work before checking for signals */
6905 ret = io_run_task_work_sig();
6910 if (io_should_wake(&iowq, false))
6914 finish_wait(&ctx->wait, &iowq.wq);
6916 restore_saved_sigmask_unless(ret == -EINTR);
6918 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6921 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6923 #if defined(CONFIG_UNIX)
6924 if (ctx->ring_sock) {
6925 struct sock *sock = ctx->ring_sock->sk;
6926 struct sk_buff *skb;
6928 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6934 for (i = 0; i < ctx->nr_user_files; i++) {
6937 file = io_file_from_index(ctx, i);
6944 static void io_file_ref_kill(struct percpu_ref *ref)
6946 struct fixed_file_data *data;
6948 data = container_of(ref, struct fixed_file_data, refs);
6949 complete(&data->done);
6952 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
6954 struct fixed_file_data *data = ctx->file_data;
6955 struct fixed_file_ref_node *ref_node = NULL;
6956 unsigned nr_tables, i;
6961 spin_lock(&data->lock);
6962 if (!list_empty(&data->ref_list))
6963 ref_node = list_first_entry(&data->ref_list,
6964 struct fixed_file_ref_node, node);
6965 spin_unlock(&data->lock);
6967 percpu_ref_kill(&ref_node->refs);
6969 percpu_ref_kill(&data->refs);
6971 /* wait for all refs nodes to complete */
6972 flush_delayed_work(&ctx->file_put_work);
6973 wait_for_completion(&data->done);
6975 __io_sqe_files_unregister(ctx);
6976 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
6977 for (i = 0; i < nr_tables; i++)
6978 kfree(data->table[i].files);
6980 percpu_ref_exit(&data->refs);
6982 ctx->file_data = NULL;
6983 ctx->nr_user_files = 0;
6987 static void io_put_sq_data(struct io_sq_data *sqd)
6989 if (refcount_dec_and_test(&sqd->refs)) {
6991 * The park is a bit of a work-around, without it we get
6992 * warning spews on shutdown with SQPOLL set and affinity
6993 * set to a single CPU.
6996 kthread_park(sqd->thread);
6997 kthread_stop(sqd->thread);
7004 static struct io_sq_data *io_attach_sq_data(struct io_uring_params *p)
7006 struct io_ring_ctx *ctx_attach;
7007 struct io_sq_data *sqd;
7010 f = fdget(p->wq_fd);
7012 return ERR_PTR(-ENXIO);
7013 if (f.file->f_op != &io_uring_fops) {
7015 return ERR_PTR(-EINVAL);
7018 ctx_attach = f.file->private_data;
7019 sqd = ctx_attach->sq_data;
7022 return ERR_PTR(-EINVAL);
7025 refcount_inc(&sqd->refs);
7030 static struct io_sq_data *io_get_sq_data(struct io_uring_params *p)
7032 struct io_sq_data *sqd;
7034 if (p->flags & IORING_SETUP_ATTACH_WQ)
7035 return io_attach_sq_data(p);
7037 sqd = kzalloc(sizeof(*sqd), GFP_KERNEL);
7039 return ERR_PTR(-ENOMEM);
7041 refcount_set(&sqd->refs, 1);
7042 INIT_LIST_HEAD(&sqd->ctx_list);
7043 INIT_LIST_HEAD(&sqd->ctx_new_list);
7044 mutex_init(&sqd->ctx_lock);
7045 mutex_init(&sqd->lock);
7046 init_waitqueue_head(&sqd->wait);
7050 static void io_sq_thread_unpark(struct io_sq_data *sqd)
7051 __releases(&sqd->lock)
7055 kthread_unpark(sqd->thread);
7056 mutex_unlock(&sqd->lock);
7059 static void io_sq_thread_park(struct io_sq_data *sqd)
7060 __acquires(&sqd->lock)
7064 mutex_lock(&sqd->lock);
7065 kthread_park(sqd->thread);
7068 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
7070 struct io_sq_data *sqd = ctx->sq_data;
7075 * We may arrive here from the error branch in
7076 * io_sq_offload_create() where the kthread is created
7077 * without being waked up, thus wake it up now to make
7078 * sure the wait will complete.
7080 wake_up_process(sqd->thread);
7081 wait_for_completion(&ctx->sq_thread_comp);
7083 io_sq_thread_park(sqd);
7086 mutex_lock(&sqd->ctx_lock);
7087 list_del(&ctx->sqd_list);
7088 mutex_unlock(&sqd->ctx_lock);
7091 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
7092 io_sq_thread_unpark(sqd);
7095 io_put_sq_data(sqd);
7096 ctx->sq_data = NULL;
7100 static void io_finish_async(struct io_ring_ctx *ctx)
7102 io_sq_thread_stop(ctx);
7105 io_wq_destroy(ctx->io_wq);
7110 #if defined(CONFIG_UNIX)
7112 * Ensure the UNIX gc is aware of our file set, so we are certain that
7113 * the io_uring can be safely unregistered on process exit, even if we have
7114 * loops in the file referencing.
7116 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
7118 struct sock *sk = ctx->ring_sock->sk;
7119 struct scm_fp_list *fpl;
7120 struct sk_buff *skb;
7123 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
7127 skb = alloc_skb(0, GFP_KERNEL);
7136 fpl->user = get_uid(ctx->user);
7137 for (i = 0; i < nr; i++) {
7138 struct file *file = io_file_from_index(ctx, i + offset);
7142 fpl->fp[nr_files] = get_file(file);
7143 unix_inflight(fpl->user, fpl->fp[nr_files]);
7148 fpl->max = SCM_MAX_FD;
7149 fpl->count = nr_files;
7150 UNIXCB(skb).fp = fpl;
7151 skb->destructor = unix_destruct_scm;
7152 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
7153 skb_queue_head(&sk->sk_receive_queue, skb);
7155 for (i = 0; i < nr_files; i++)
7166 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
7167 * causes regular reference counting to break down. We rely on the UNIX
7168 * garbage collection to take care of this problem for us.
7170 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7172 unsigned left, total;
7176 left = ctx->nr_user_files;
7178 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
7180 ret = __io_sqe_files_scm(ctx, this_files, total);
7184 total += this_files;
7190 while (total < ctx->nr_user_files) {
7191 struct file *file = io_file_from_index(ctx, total);
7201 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7207 static int io_sqe_alloc_file_tables(struct fixed_file_data *file_data,
7208 unsigned nr_tables, unsigned nr_files)
7212 for (i = 0; i < nr_tables; i++) {
7213 struct fixed_file_table *table = &file_data->table[i];
7214 unsigned this_files;
7216 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
7217 table->files = kcalloc(this_files, sizeof(struct file *),
7221 nr_files -= this_files;
7227 for (i = 0; i < nr_tables; i++) {
7228 struct fixed_file_table *table = &file_data->table[i];
7229 kfree(table->files);
7234 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
7236 #if defined(CONFIG_UNIX)
7237 struct sock *sock = ctx->ring_sock->sk;
7238 struct sk_buff_head list, *head = &sock->sk_receive_queue;
7239 struct sk_buff *skb;
7242 __skb_queue_head_init(&list);
7245 * Find the skb that holds this file in its SCM_RIGHTS. When found,
7246 * remove this entry and rearrange the file array.
7248 skb = skb_dequeue(head);
7250 struct scm_fp_list *fp;
7252 fp = UNIXCB(skb).fp;
7253 for (i = 0; i < fp->count; i++) {
7256 if (fp->fp[i] != file)
7259 unix_notinflight(fp->user, fp->fp[i]);
7260 left = fp->count - 1 - i;
7262 memmove(&fp->fp[i], &fp->fp[i + 1],
7263 left * sizeof(struct file *));
7270 __skb_queue_tail(&list, skb);
7280 __skb_queue_tail(&list, skb);
7282 skb = skb_dequeue(head);
7285 if (skb_peek(&list)) {
7286 spin_lock_irq(&head->lock);
7287 while ((skb = __skb_dequeue(&list)) != NULL)
7288 __skb_queue_tail(head, skb);
7289 spin_unlock_irq(&head->lock);
7296 struct io_file_put {
7297 struct list_head list;
7301 static void __io_file_put_work(struct fixed_file_ref_node *ref_node)
7303 struct fixed_file_data *file_data = ref_node->file_data;
7304 struct io_ring_ctx *ctx = file_data->ctx;
7305 struct io_file_put *pfile, *tmp;
7307 list_for_each_entry_safe(pfile, tmp, &ref_node->file_list, list) {
7308 list_del(&pfile->list);
7309 io_ring_file_put(ctx, pfile->file);
7313 spin_lock(&file_data->lock);
7314 list_del(&ref_node->node);
7315 spin_unlock(&file_data->lock);
7317 percpu_ref_exit(&ref_node->refs);
7319 percpu_ref_put(&file_data->refs);
7322 static void io_file_put_work(struct work_struct *work)
7324 struct io_ring_ctx *ctx;
7325 struct llist_node *node;
7327 ctx = container_of(work, struct io_ring_ctx, file_put_work.work);
7328 node = llist_del_all(&ctx->file_put_llist);
7331 struct fixed_file_ref_node *ref_node;
7332 struct llist_node *next = node->next;
7334 ref_node = llist_entry(node, struct fixed_file_ref_node, llist);
7335 __io_file_put_work(ref_node);
7340 static void io_file_data_ref_zero(struct percpu_ref *ref)
7342 struct fixed_file_ref_node *ref_node;
7343 struct io_ring_ctx *ctx;
7347 ref_node = container_of(ref, struct fixed_file_ref_node, refs);
7348 ctx = ref_node->file_data->ctx;
7350 if (percpu_ref_is_dying(&ctx->file_data->refs))
7353 first_add = llist_add(&ref_node->llist, &ctx->file_put_llist);
7355 mod_delayed_work(system_wq, &ctx->file_put_work, 0);
7357 queue_delayed_work(system_wq, &ctx->file_put_work, delay);
7360 static struct fixed_file_ref_node *alloc_fixed_file_ref_node(
7361 struct io_ring_ctx *ctx)
7363 struct fixed_file_ref_node *ref_node;
7365 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
7367 return ERR_PTR(-ENOMEM);
7369 if (percpu_ref_init(&ref_node->refs, io_file_data_ref_zero,
7372 return ERR_PTR(-ENOMEM);
7374 INIT_LIST_HEAD(&ref_node->node);
7375 INIT_LIST_HEAD(&ref_node->file_list);
7376 ref_node->file_data = ctx->file_data;
7380 static void destroy_fixed_file_ref_node(struct fixed_file_ref_node *ref_node)
7382 percpu_ref_exit(&ref_node->refs);
7386 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
7389 __s32 __user *fds = (__s32 __user *) arg;
7390 unsigned nr_tables, i;
7392 int fd, ret = -ENOMEM;
7393 struct fixed_file_ref_node *ref_node;
7394 struct fixed_file_data *file_data;
7400 if (nr_args > IORING_MAX_FIXED_FILES)
7403 file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
7406 file_data->ctx = ctx;
7407 init_completion(&file_data->done);
7408 INIT_LIST_HEAD(&file_data->ref_list);
7409 spin_lock_init(&file_data->lock);
7411 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
7412 file_data->table = kcalloc(nr_tables, sizeof(*file_data->table),
7414 if (!file_data->table)
7417 if (percpu_ref_init(&file_data->refs, io_file_ref_kill,
7418 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
7421 if (io_sqe_alloc_file_tables(file_data, nr_tables, nr_args))
7423 ctx->file_data = file_data;
7425 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
7426 struct fixed_file_table *table;
7429 if (copy_from_user(&fd, &fds[i], sizeof(fd))) {
7433 /* allow sparse sets */
7443 * Don't allow io_uring instances to be registered. If UNIX
7444 * isn't enabled, then this causes a reference cycle and this
7445 * instance can never get freed. If UNIX is enabled we'll
7446 * handle it just fine, but there's still no point in allowing
7447 * a ring fd as it doesn't support regular read/write anyway.
7449 if (file->f_op == &io_uring_fops) {
7453 table = &file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7454 index = i & IORING_FILE_TABLE_MASK;
7455 table->files[index] = file;
7458 ret = io_sqe_files_scm(ctx);
7460 io_sqe_files_unregister(ctx);
7464 ref_node = alloc_fixed_file_ref_node(ctx);
7465 if (IS_ERR(ref_node)) {
7466 io_sqe_files_unregister(ctx);
7467 return PTR_ERR(ref_node);
7470 file_data->node = ref_node;
7471 spin_lock(&file_data->lock);
7472 list_add(&ref_node->node, &file_data->ref_list);
7473 spin_unlock(&file_data->lock);
7474 percpu_ref_get(&file_data->refs);
7477 for (i = 0; i < ctx->nr_user_files; i++) {
7478 file = io_file_from_index(ctx, i);
7482 for (i = 0; i < nr_tables; i++)
7483 kfree(file_data->table[i].files);
7484 ctx->nr_user_files = 0;
7486 percpu_ref_exit(&file_data->refs);
7488 kfree(file_data->table);
7490 ctx->file_data = NULL;
7494 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
7497 #if defined(CONFIG_UNIX)
7498 struct sock *sock = ctx->ring_sock->sk;
7499 struct sk_buff_head *head = &sock->sk_receive_queue;
7500 struct sk_buff *skb;
7503 * See if we can merge this file into an existing skb SCM_RIGHTS
7504 * file set. If there's no room, fall back to allocating a new skb
7505 * and filling it in.
7507 spin_lock_irq(&head->lock);
7508 skb = skb_peek(head);
7510 struct scm_fp_list *fpl = UNIXCB(skb).fp;
7512 if (fpl->count < SCM_MAX_FD) {
7513 __skb_unlink(skb, head);
7514 spin_unlock_irq(&head->lock);
7515 fpl->fp[fpl->count] = get_file(file);
7516 unix_inflight(fpl->user, fpl->fp[fpl->count]);
7518 spin_lock_irq(&head->lock);
7519 __skb_queue_head(head, skb);
7524 spin_unlock_irq(&head->lock);
7531 return __io_sqe_files_scm(ctx, 1, index);
7537 static int io_queue_file_removal(struct fixed_file_data *data,
7540 struct io_file_put *pfile;
7541 struct fixed_file_ref_node *ref_node = data->node;
7543 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
7548 list_add(&pfile->list, &ref_node->file_list);
7553 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
7554 struct io_uring_files_update *up,
7557 struct fixed_file_data *data = ctx->file_data;
7558 struct fixed_file_ref_node *ref_node;
7563 bool needs_switch = false;
7565 if (check_add_overflow(up->offset, nr_args, &done))
7567 if (done > ctx->nr_user_files)
7570 ref_node = alloc_fixed_file_ref_node(ctx);
7571 if (IS_ERR(ref_node))
7572 return PTR_ERR(ref_node);
7575 fds = u64_to_user_ptr(up->fds);
7577 struct fixed_file_table *table;
7581 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
7585 i = array_index_nospec(up->offset, ctx->nr_user_files);
7586 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7587 index = i & IORING_FILE_TABLE_MASK;
7588 if (table->files[index]) {
7589 file = table->files[index];
7590 err = io_queue_file_removal(data, file);
7593 table->files[index] = NULL;
7594 needs_switch = true;
7603 * Don't allow io_uring instances to be registered. If
7604 * UNIX isn't enabled, then this causes a reference
7605 * cycle and this instance can never get freed. If UNIX
7606 * is enabled we'll handle it just fine, but there's
7607 * still no point in allowing a ring fd as it doesn't
7608 * support regular read/write anyway.
7610 if (file->f_op == &io_uring_fops) {
7615 table->files[index] = file;
7616 err = io_sqe_file_register(ctx, file, i);
7618 table->files[index] = NULL;
7629 percpu_ref_kill(&data->node->refs);
7630 spin_lock(&data->lock);
7631 list_add(&ref_node->node, &data->ref_list);
7632 data->node = ref_node;
7633 spin_unlock(&data->lock);
7634 percpu_ref_get(&ctx->file_data->refs);
7636 destroy_fixed_file_ref_node(ref_node);
7638 return done ? done : err;
7641 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
7644 struct io_uring_files_update up;
7646 if (!ctx->file_data)
7650 if (copy_from_user(&up, arg, sizeof(up)))
7655 return __io_sqe_files_update(ctx, &up, nr_args);
7658 static void io_free_work(struct io_wq_work *work)
7660 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7662 /* Consider that io_steal_work() relies on this ref */
7666 static int io_init_wq_offload(struct io_ring_ctx *ctx,
7667 struct io_uring_params *p)
7669 struct io_wq_data data;
7671 struct io_ring_ctx *ctx_attach;
7672 unsigned int concurrency;
7675 data.user = ctx->user;
7676 data.free_work = io_free_work;
7677 data.do_work = io_wq_submit_work;
7679 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
7680 /* Do QD, or 4 * CPUS, whatever is smallest */
7681 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
7683 ctx->io_wq = io_wq_create(concurrency, &data);
7684 if (IS_ERR(ctx->io_wq)) {
7685 ret = PTR_ERR(ctx->io_wq);
7691 f = fdget(p->wq_fd);
7695 if (f.file->f_op != &io_uring_fops) {
7700 ctx_attach = f.file->private_data;
7701 /* @io_wq is protected by holding the fd */
7702 if (!io_wq_get(ctx_attach->io_wq, &data)) {
7707 ctx->io_wq = ctx_attach->io_wq;
7713 static int io_uring_alloc_task_context(struct task_struct *task)
7715 struct io_uring_task *tctx;
7718 tctx = kmalloc(sizeof(*tctx), GFP_KERNEL);
7719 if (unlikely(!tctx))
7722 ret = percpu_counter_init(&tctx->inflight, 0, GFP_KERNEL);
7723 if (unlikely(ret)) {
7729 init_waitqueue_head(&tctx->wait);
7732 io_init_identity(&tctx->__identity);
7733 tctx->identity = &tctx->__identity;
7734 task->io_uring = tctx;
7738 void __io_uring_free(struct task_struct *tsk)
7740 struct io_uring_task *tctx = tsk->io_uring;
7742 WARN_ON_ONCE(!xa_empty(&tctx->xa));
7743 WARN_ON_ONCE(refcount_read(&tctx->identity->count) != 1);
7744 if (tctx->identity != &tctx->__identity)
7745 kfree(tctx->identity);
7746 percpu_counter_destroy(&tctx->inflight);
7748 tsk->io_uring = NULL;
7751 static int io_sq_offload_create(struct io_ring_ctx *ctx,
7752 struct io_uring_params *p)
7756 if (ctx->flags & IORING_SETUP_SQPOLL) {
7757 struct io_sq_data *sqd;
7760 if (!capable(CAP_SYS_ADMIN))
7763 sqd = io_get_sq_data(p);
7770 io_sq_thread_park(sqd);
7771 mutex_lock(&sqd->ctx_lock);
7772 list_add(&ctx->sqd_list, &sqd->ctx_new_list);
7773 mutex_unlock(&sqd->ctx_lock);
7774 io_sq_thread_unpark(sqd);
7776 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
7777 if (!ctx->sq_thread_idle)
7778 ctx->sq_thread_idle = HZ;
7783 if (p->flags & IORING_SETUP_SQ_AFF) {
7784 int cpu = p->sq_thread_cpu;
7787 if (cpu >= nr_cpu_ids)
7789 if (!cpu_online(cpu))
7792 sqd->thread = kthread_create_on_cpu(io_sq_thread, sqd,
7793 cpu, "io_uring-sq");
7795 sqd->thread = kthread_create(io_sq_thread, sqd,
7798 if (IS_ERR(sqd->thread)) {
7799 ret = PTR_ERR(sqd->thread);
7803 ret = io_uring_alloc_task_context(sqd->thread);
7806 } else if (p->flags & IORING_SETUP_SQ_AFF) {
7807 /* Can't have SQ_AFF without SQPOLL */
7813 ret = io_init_wq_offload(ctx, p);
7819 io_finish_async(ctx);
7823 static void io_sq_offload_start(struct io_ring_ctx *ctx)
7825 struct io_sq_data *sqd = ctx->sq_data;
7827 if ((ctx->flags & IORING_SETUP_SQPOLL) && sqd->thread)
7828 wake_up_process(sqd->thread);
7831 static inline void __io_unaccount_mem(struct user_struct *user,
7832 unsigned long nr_pages)
7834 atomic_long_sub(nr_pages, &user->locked_vm);
7837 static inline int __io_account_mem(struct user_struct *user,
7838 unsigned long nr_pages)
7840 unsigned long page_limit, cur_pages, new_pages;
7842 /* Don't allow more pages than we can safely lock */
7843 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7846 cur_pages = atomic_long_read(&user->locked_vm);
7847 new_pages = cur_pages + nr_pages;
7848 if (new_pages > page_limit)
7850 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7851 new_pages) != cur_pages);
7856 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7857 enum io_mem_account acct)
7860 __io_unaccount_mem(ctx->user, nr_pages);
7862 if (ctx->mm_account) {
7863 if (acct == ACCT_LOCKED)
7864 ctx->mm_account->locked_vm -= nr_pages;
7865 else if (acct == ACCT_PINNED)
7866 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
7870 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7871 enum io_mem_account acct)
7875 if (ctx->limit_mem) {
7876 ret = __io_account_mem(ctx->user, nr_pages);
7881 if (ctx->mm_account) {
7882 if (acct == ACCT_LOCKED)
7883 ctx->mm_account->locked_vm += nr_pages;
7884 else if (acct == ACCT_PINNED)
7885 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
7891 static void io_mem_free(void *ptr)
7898 page = virt_to_head_page(ptr);
7899 if (put_page_testzero(page))
7900 free_compound_page(page);
7903 static void *io_mem_alloc(size_t size)
7905 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7908 return (void *) __get_free_pages(gfp_flags, get_order(size));
7911 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7914 struct io_rings *rings;
7915 size_t off, sq_array_size;
7917 off = struct_size(rings, cqes, cq_entries);
7918 if (off == SIZE_MAX)
7922 off = ALIGN(off, SMP_CACHE_BYTES);
7930 sq_array_size = array_size(sizeof(u32), sq_entries);
7931 if (sq_array_size == SIZE_MAX)
7934 if (check_add_overflow(off, sq_array_size, &off))
7940 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
7944 pages = (size_t)1 << get_order(
7945 rings_size(sq_entries, cq_entries, NULL));
7946 pages += (size_t)1 << get_order(
7947 array_size(sizeof(struct io_uring_sqe), sq_entries));
7952 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
7956 if (!ctx->user_bufs)
7959 for (i = 0; i < ctx->nr_user_bufs; i++) {
7960 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7962 for (j = 0; j < imu->nr_bvecs; j++)
7963 unpin_user_page(imu->bvec[j].bv_page);
7965 if (imu->acct_pages)
7966 io_unaccount_mem(ctx, imu->acct_pages, ACCT_PINNED);
7971 kfree(ctx->user_bufs);
7972 ctx->user_bufs = NULL;
7973 ctx->nr_user_bufs = 0;
7977 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
7978 void __user *arg, unsigned index)
7980 struct iovec __user *src;
7982 #ifdef CONFIG_COMPAT
7984 struct compat_iovec __user *ciovs;
7985 struct compat_iovec ciov;
7987 ciovs = (struct compat_iovec __user *) arg;
7988 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
7991 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
7992 dst->iov_len = ciov.iov_len;
7996 src = (struct iovec __user *) arg;
7997 if (copy_from_user(dst, &src[index], sizeof(*dst)))
8003 * Not super efficient, but this is just a registration time. And we do cache
8004 * the last compound head, so generally we'll only do a full search if we don't
8007 * We check if the given compound head page has already been accounted, to
8008 * avoid double accounting it. This allows us to account the full size of the
8009 * page, not just the constituent pages of a huge page.
8011 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
8012 int nr_pages, struct page *hpage)
8016 /* check current page array */
8017 for (i = 0; i < nr_pages; i++) {
8018 if (!PageCompound(pages[i]))
8020 if (compound_head(pages[i]) == hpage)
8024 /* check previously registered pages */
8025 for (i = 0; i < ctx->nr_user_bufs; i++) {
8026 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8028 for (j = 0; j < imu->nr_bvecs; j++) {
8029 if (!PageCompound(imu->bvec[j].bv_page))
8031 if (compound_head(imu->bvec[j].bv_page) == hpage)
8039 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
8040 int nr_pages, struct io_mapped_ubuf *imu,
8041 struct page **last_hpage)
8045 for (i = 0; i < nr_pages; i++) {
8046 if (!PageCompound(pages[i])) {
8051 hpage = compound_head(pages[i]);
8052 if (hpage == *last_hpage)
8054 *last_hpage = hpage;
8055 if (headpage_already_acct(ctx, pages, i, hpage))
8057 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
8061 if (!imu->acct_pages)
8064 ret = io_account_mem(ctx, imu->acct_pages, ACCT_PINNED);
8066 imu->acct_pages = 0;
8070 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
8073 struct vm_area_struct **vmas = NULL;
8074 struct page **pages = NULL;
8075 struct page *last_hpage = NULL;
8076 int i, j, got_pages = 0;
8081 if (!nr_args || nr_args > UIO_MAXIOV)
8084 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
8086 if (!ctx->user_bufs)
8089 for (i = 0; i < nr_args; i++) {
8090 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8091 unsigned long off, start, end, ubuf;
8096 ret = io_copy_iov(ctx, &iov, arg, i);
8101 * Don't impose further limits on the size and buffer
8102 * constraints here, we'll -EINVAL later when IO is
8103 * submitted if they are wrong.
8106 if (!iov.iov_base || !iov.iov_len)
8109 /* arbitrary limit, but we need something */
8110 if (iov.iov_len > SZ_1G)
8113 ubuf = (unsigned long) iov.iov_base;
8114 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
8115 start = ubuf >> PAGE_SHIFT;
8116 nr_pages = end - start;
8119 if (!pages || nr_pages > got_pages) {
8122 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
8124 vmas = kvmalloc_array(nr_pages,
8125 sizeof(struct vm_area_struct *),
8127 if (!pages || !vmas) {
8131 got_pages = nr_pages;
8134 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
8141 mmap_read_lock(current->mm);
8142 pret = pin_user_pages(ubuf, nr_pages,
8143 FOLL_WRITE | FOLL_LONGTERM,
8145 if (pret == nr_pages) {
8146 /* don't support file backed memory */
8147 for (j = 0; j < nr_pages; j++) {
8148 struct vm_area_struct *vma = vmas[j];
8151 !is_file_hugepages(vma->vm_file)) {
8157 ret = pret < 0 ? pret : -EFAULT;
8159 mmap_read_unlock(current->mm);
8162 * if we did partial map, or found file backed vmas,
8163 * release any pages we did get
8166 unpin_user_pages(pages, pret);
8171 ret = io_buffer_account_pin(ctx, pages, pret, imu, &last_hpage);
8173 unpin_user_pages(pages, pret);
8178 off = ubuf & ~PAGE_MASK;
8180 for (j = 0; j < nr_pages; j++) {
8183 vec_len = min_t(size_t, size, PAGE_SIZE - off);
8184 imu->bvec[j].bv_page = pages[j];
8185 imu->bvec[j].bv_len = vec_len;
8186 imu->bvec[j].bv_offset = off;
8190 /* store original address for later verification */
8192 imu->len = iov.iov_len;
8193 imu->nr_bvecs = nr_pages;
8195 ctx->nr_user_bufs++;
8203 io_sqe_buffer_unregister(ctx);
8207 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
8209 __s32 __user *fds = arg;
8215 if (copy_from_user(&fd, fds, sizeof(*fds)))
8218 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
8219 if (IS_ERR(ctx->cq_ev_fd)) {
8220 int ret = PTR_ERR(ctx->cq_ev_fd);
8221 ctx->cq_ev_fd = NULL;
8228 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
8230 if (ctx->cq_ev_fd) {
8231 eventfd_ctx_put(ctx->cq_ev_fd);
8232 ctx->cq_ev_fd = NULL;
8239 static int __io_destroy_buffers(int id, void *p, void *data)
8241 struct io_ring_ctx *ctx = data;
8242 struct io_buffer *buf = p;
8244 __io_remove_buffers(ctx, buf, id, -1U);
8248 static void io_destroy_buffers(struct io_ring_ctx *ctx)
8250 idr_for_each(&ctx->io_buffer_idr, __io_destroy_buffers, ctx);
8251 idr_destroy(&ctx->io_buffer_idr);
8254 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
8256 io_finish_async(ctx);
8257 io_sqe_buffer_unregister(ctx);
8259 if (ctx->sqo_task) {
8260 put_task_struct(ctx->sqo_task);
8261 ctx->sqo_task = NULL;
8262 mmdrop(ctx->mm_account);
8263 ctx->mm_account = NULL;
8266 #ifdef CONFIG_BLK_CGROUP
8267 if (ctx->sqo_blkcg_css)
8268 css_put(ctx->sqo_blkcg_css);
8271 io_sqe_files_unregister(ctx);
8272 io_eventfd_unregister(ctx);
8273 io_destroy_buffers(ctx);
8274 idr_destroy(&ctx->personality_idr);
8276 #if defined(CONFIG_UNIX)
8277 if (ctx->ring_sock) {
8278 ctx->ring_sock->file = NULL; /* so that iput() is called */
8279 sock_release(ctx->ring_sock);
8283 io_mem_free(ctx->rings);
8284 io_mem_free(ctx->sq_sqes);
8286 percpu_ref_exit(&ctx->refs);
8287 free_uid(ctx->user);
8288 put_cred(ctx->creds);
8289 kfree(ctx->cancel_hash);
8290 kmem_cache_free(req_cachep, ctx->fallback_req);
8294 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
8296 struct io_ring_ctx *ctx = file->private_data;
8299 poll_wait(file, &ctx->cq_wait, wait);
8301 * synchronizes with barrier from wq_has_sleeper call in
8305 if (!io_sqring_full(ctx))
8306 mask |= EPOLLOUT | EPOLLWRNORM;
8307 if (io_cqring_events(ctx, false))
8308 mask |= EPOLLIN | EPOLLRDNORM;
8313 static int io_uring_fasync(int fd, struct file *file, int on)
8315 struct io_ring_ctx *ctx = file->private_data;
8317 return fasync_helper(fd, file, on, &ctx->cq_fasync);
8320 static int io_remove_personalities(int id, void *p, void *data)
8322 struct io_ring_ctx *ctx = data;
8323 struct io_identity *iod;
8325 iod = idr_remove(&ctx->personality_idr, id);
8327 put_cred(iod->creds);
8328 if (refcount_dec_and_test(&iod->count))
8334 static void io_ring_exit_work(struct work_struct *work)
8336 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,
8340 * If we're doing polled IO and end up having requests being
8341 * submitted async (out-of-line), then completions can come in while
8342 * we're waiting for refs to drop. We need to reap these manually,
8343 * as nobody else will be looking for them.
8347 io_cqring_overflow_flush(ctx, true, NULL, NULL);
8348 io_iopoll_try_reap_events(ctx);
8349 } while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));
8350 io_ring_ctx_free(ctx);
8353 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
8355 mutex_lock(&ctx->uring_lock);
8356 percpu_ref_kill(&ctx->refs);
8357 mutex_unlock(&ctx->uring_lock);
8359 io_kill_timeouts(ctx, NULL);
8360 io_poll_remove_all(ctx, NULL);
8363 io_wq_cancel_all(ctx->io_wq);
8365 /* if we failed setting up the ctx, we might not have any rings */
8367 io_cqring_overflow_flush(ctx, true, NULL, NULL);
8368 io_iopoll_try_reap_events(ctx);
8369 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
8372 * Do this upfront, so we won't have a grace period where the ring
8373 * is closed but resources aren't reaped yet. This can cause
8374 * spurious failure in setting up a new ring.
8376 io_unaccount_mem(ctx, ring_pages(ctx->sq_entries, ctx->cq_entries),
8379 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
8381 * Use system_unbound_wq to avoid spawning tons of event kworkers
8382 * if we're exiting a ton of rings at the same time. It just adds
8383 * noise and overhead, there's no discernable change in runtime
8384 * over using system_wq.
8386 queue_work(system_unbound_wq, &ctx->exit_work);
8389 static int io_uring_release(struct inode *inode, struct file *file)
8391 struct io_ring_ctx *ctx = file->private_data;
8393 file->private_data = NULL;
8394 io_ring_ctx_wait_and_kill(ctx);
8398 static bool io_wq_files_match(struct io_wq_work *work, void *data)
8400 struct files_struct *files = data;
8402 return !files || ((work->flags & IO_WQ_WORK_FILES) &&
8403 work->identity->files == files);
8407 * Returns true if 'preq' is the link parent of 'req'
8409 static bool io_match_link(struct io_kiocb *preq, struct io_kiocb *req)
8411 struct io_kiocb *link;
8413 if (!(preq->flags & REQ_F_LINK_HEAD))
8416 list_for_each_entry(link, &preq->link_list, link_list) {
8424 static bool io_match_link_files(struct io_kiocb *req,
8425 struct files_struct *files)
8427 struct io_kiocb *link;
8429 if (io_match_files(req, files))
8431 if (req->flags & REQ_F_LINK_HEAD) {
8432 list_for_each_entry(link, &req->link_list, link_list) {
8433 if (io_match_files(link, files))
8441 * We're looking to cancel 'req' because it's holding on to our files, but
8442 * 'req' could be a link to another request. See if it is, and cancel that
8443 * parent request if so.
8445 static bool io_poll_remove_link(struct io_ring_ctx *ctx, struct io_kiocb *req)
8447 struct hlist_node *tmp;
8448 struct io_kiocb *preq;
8452 spin_lock_irq(&ctx->completion_lock);
8453 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
8454 struct hlist_head *list;
8456 list = &ctx->cancel_hash[i];
8457 hlist_for_each_entry_safe(preq, tmp, list, hash_node) {
8458 found = io_match_link(preq, req);
8460 io_poll_remove_one(preq);
8465 spin_unlock_irq(&ctx->completion_lock);
8469 static bool io_timeout_remove_link(struct io_ring_ctx *ctx,
8470 struct io_kiocb *req)
8472 struct io_kiocb *preq;
8475 spin_lock_irq(&ctx->completion_lock);
8476 list_for_each_entry(preq, &ctx->timeout_list, timeout.list) {
8477 found = io_match_link(preq, req);
8479 __io_timeout_cancel(preq);
8483 spin_unlock_irq(&ctx->completion_lock);
8487 static bool io_cancel_link_cb(struct io_wq_work *work, void *data)
8489 return io_match_link(container_of(work, struct io_kiocb, work), data);
8492 static void io_attempt_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req)
8494 enum io_wq_cancel cret;
8496 /* cancel this particular work, if it's running */
8497 cret = io_wq_cancel_work(ctx->io_wq, &req->work);
8498 if (cret != IO_WQ_CANCEL_NOTFOUND)
8501 /* find links that hold this pending, cancel those */
8502 cret = io_wq_cancel_cb(ctx->io_wq, io_cancel_link_cb, req, true);
8503 if (cret != IO_WQ_CANCEL_NOTFOUND)
8506 /* if we have a poll link holding this pending, cancel that */
8507 if (io_poll_remove_link(ctx, req))
8510 /* final option, timeout link is holding this req pending */
8511 io_timeout_remove_link(ctx, req);
8514 static void io_cancel_defer_files(struct io_ring_ctx *ctx,
8515 struct files_struct *files)
8517 struct io_defer_entry *de = NULL;
8520 spin_lock_irq(&ctx->completion_lock);
8521 list_for_each_entry_reverse(de, &ctx->defer_list, list) {
8522 if (io_match_link_files(de->req, files)) {
8523 list_cut_position(&list, &ctx->defer_list, &de->list);
8527 spin_unlock_irq(&ctx->completion_lock);
8529 while (!list_empty(&list)) {
8530 de = list_first_entry(&list, struct io_defer_entry, list);
8531 list_del_init(&de->list);
8532 req_set_fail_links(de->req);
8533 io_put_req(de->req);
8534 io_req_complete(de->req, -ECANCELED);
8540 * Returns true if we found and killed one or more files pinning requests
8542 static bool io_uring_cancel_files(struct io_ring_ctx *ctx,
8543 struct files_struct *files)
8545 if (list_empty_careful(&ctx->inflight_list))
8548 io_cancel_defer_files(ctx, files);
8549 /* cancel all at once, should be faster than doing it one by one*/
8550 io_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);
8552 while (!list_empty_careful(&ctx->inflight_list)) {
8553 struct io_kiocb *cancel_req = NULL, *req;
8556 spin_lock_irq(&ctx->inflight_lock);
8557 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
8558 if (files && (req->work.flags & IO_WQ_WORK_FILES) &&
8559 req->work.identity->files != files)
8561 /* req is being completed, ignore */
8562 if (!refcount_inc_not_zero(&req->refs))
8568 prepare_to_wait(&ctx->inflight_wait, &wait,
8569 TASK_UNINTERRUPTIBLE);
8570 spin_unlock_irq(&ctx->inflight_lock);
8572 /* We need to keep going until we don't find a matching req */
8575 /* cancel this request, or head link requests */
8576 io_attempt_cancel(ctx, cancel_req);
8577 io_put_req(cancel_req);
8578 /* cancellations _may_ trigger task work */
8581 finish_wait(&ctx->inflight_wait, &wait);
8587 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
8589 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
8590 struct task_struct *task = data;
8592 return io_task_match(req, task);
8595 static bool __io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
8596 struct task_struct *task,
8597 struct files_struct *files)
8601 ret = io_uring_cancel_files(ctx, files);
8603 enum io_wq_cancel cret;
8605 cret = io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, task, true);
8606 if (cret != IO_WQ_CANCEL_NOTFOUND)
8609 /* SQPOLL thread does its own polling */
8610 if (!(ctx->flags & IORING_SETUP_SQPOLL)) {
8611 while (!list_empty_careful(&ctx->iopoll_list)) {
8612 io_iopoll_try_reap_events(ctx);
8617 ret |= io_poll_remove_all(ctx, task);
8618 ret |= io_kill_timeouts(ctx, task);
8625 * We need to iteratively cancel requests, in case a request has dependent
8626 * hard links. These persist even for failure of cancelations, hence keep
8627 * looping until none are found.
8629 static void io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
8630 struct files_struct *files)
8632 struct task_struct *task = current;
8634 if ((ctx->flags & IORING_SETUP_SQPOLL) && ctx->sq_data)
8635 task = ctx->sq_data->thread;
8637 io_cqring_overflow_flush(ctx, true, task, files);
8639 while (__io_uring_cancel_task_requests(ctx, task, files)) {
8646 * Note that this task has used io_uring. We use it for cancelation purposes.
8648 static int io_uring_add_task_file(struct file *file)
8650 struct io_uring_task *tctx = current->io_uring;
8652 if (unlikely(!tctx)) {
8655 ret = io_uring_alloc_task_context(current);
8658 tctx = current->io_uring;
8660 if (tctx->last != file) {
8661 void *old = xa_load(&tctx->xa, (unsigned long)file);
8665 xa_store(&tctx->xa, (unsigned long)file, file, GFP_KERNEL);
8674 * Remove this io_uring_file -> task mapping.
8676 static void io_uring_del_task_file(struct file *file)
8678 struct io_uring_task *tctx = current->io_uring;
8680 if (tctx->last == file)
8682 file = xa_erase(&tctx->xa, (unsigned long)file);
8687 static void __io_uring_attempt_task_drop(struct file *file)
8689 struct file *old = xa_load(¤t->io_uring->xa, (unsigned long)file);
8692 io_uring_del_task_file(file);
8696 * Drop task note for this file if we're the only ones that hold it after
8699 static void io_uring_attempt_task_drop(struct file *file, bool exiting)
8701 if (!current->io_uring)
8704 * fput() is pending, will be 2 if the only other ref is our potential
8705 * task file note. If the task is exiting, drop regardless of count.
8707 if (!exiting && atomic_long_read(&file->f_count) != 2)
8710 __io_uring_attempt_task_drop(file);
8713 void __io_uring_files_cancel(struct files_struct *files)
8715 struct io_uring_task *tctx = current->io_uring;
8717 unsigned long index;
8719 /* make sure overflow events are dropped */
8720 tctx->in_idle = true;
8722 xa_for_each(&tctx->xa, index, file) {
8723 struct io_ring_ctx *ctx = file->private_data;
8725 io_uring_cancel_task_requests(ctx, files);
8727 io_uring_del_task_file(file);
8732 * Find any io_uring fd that this task has registered or done IO on, and cancel
8735 void __io_uring_task_cancel(void)
8737 struct io_uring_task *tctx = current->io_uring;
8741 /* make sure overflow events are dropped */
8742 tctx->in_idle = true;
8745 /* read completions before cancelations */
8746 inflight = percpu_counter_sum(&tctx->inflight);
8749 __io_uring_files_cancel(NULL);
8751 prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
8754 * If we've seen completions, retry. This avoids a race where
8755 * a completion comes in before we did prepare_to_wait().
8757 if (inflight != percpu_counter_sum(&tctx->inflight))
8762 finish_wait(&tctx->wait, &wait);
8763 tctx->in_idle = false;
8766 static int io_uring_flush(struct file *file, void *data)
8768 struct io_ring_ctx *ctx = file->private_data;
8771 * If the task is going away, cancel work it may have pending
8773 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
8776 io_uring_cancel_task_requests(ctx, data);
8777 io_uring_attempt_task_drop(file, !data);
8781 static void *io_uring_validate_mmap_request(struct file *file,
8782 loff_t pgoff, size_t sz)
8784 struct io_ring_ctx *ctx = file->private_data;
8785 loff_t offset = pgoff << PAGE_SHIFT;
8790 case IORING_OFF_SQ_RING:
8791 case IORING_OFF_CQ_RING:
8794 case IORING_OFF_SQES:
8798 return ERR_PTR(-EINVAL);
8801 page = virt_to_head_page(ptr);
8802 if (sz > page_size(page))
8803 return ERR_PTR(-EINVAL);
8810 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
8812 size_t sz = vma->vm_end - vma->vm_start;
8816 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
8818 return PTR_ERR(ptr);
8820 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
8821 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
8824 #else /* !CONFIG_MMU */
8826 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
8828 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
8831 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
8833 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
8836 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
8837 unsigned long addr, unsigned long len,
8838 unsigned long pgoff, unsigned long flags)
8842 ptr = io_uring_validate_mmap_request(file, pgoff, len);
8844 return PTR_ERR(ptr);
8846 return (unsigned long) ptr;
8849 #endif /* !CONFIG_MMU */
8851 static void io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
8856 if (!io_sqring_full(ctx))
8859 prepare_to_wait(&ctx->sqo_sq_wait, &wait, TASK_INTERRUPTIBLE);
8861 if (!io_sqring_full(ctx))
8865 } while (!signal_pending(current));
8867 finish_wait(&ctx->sqo_sq_wait, &wait);
8870 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
8871 u32, min_complete, u32, flags, const sigset_t __user *, sig,
8874 struct io_ring_ctx *ctx;
8881 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
8882 IORING_ENTER_SQ_WAIT))
8890 if (f.file->f_op != &io_uring_fops)
8894 ctx = f.file->private_data;
8895 if (!percpu_ref_tryget(&ctx->refs))
8899 if (ctx->flags & IORING_SETUP_R_DISABLED)
8903 * For SQ polling, the thread will do all submissions and completions.
8904 * Just return the requested submit count, and wake the thread if
8908 if (ctx->flags & IORING_SETUP_SQPOLL) {
8909 if (!list_empty_careful(&ctx->cq_overflow_list))
8910 io_cqring_overflow_flush(ctx, false, NULL, NULL);
8911 if (flags & IORING_ENTER_SQ_WAKEUP)
8912 wake_up(&ctx->sq_data->wait);
8913 if (flags & IORING_ENTER_SQ_WAIT)
8914 io_sqpoll_wait_sq(ctx);
8915 submitted = to_submit;
8916 } else if (to_submit) {
8917 ret = io_uring_add_task_file(f.file);
8920 mutex_lock(&ctx->uring_lock);
8921 submitted = io_submit_sqes(ctx, to_submit);
8922 mutex_unlock(&ctx->uring_lock);
8924 if (submitted != to_submit)
8927 if (flags & IORING_ENTER_GETEVENTS) {
8928 min_complete = min(min_complete, ctx->cq_entries);
8931 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
8932 * space applications don't need to do io completion events
8933 * polling again, they can rely on io_sq_thread to do polling
8934 * work, which can reduce cpu usage and uring_lock contention.
8936 if (ctx->flags & IORING_SETUP_IOPOLL &&
8937 !(ctx->flags & IORING_SETUP_SQPOLL)) {
8938 ret = io_iopoll_check(ctx, min_complete);
8940 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
8945 percpu_ref_put(&ctx->refs);
8948 return submitted ? submitted : ret;
8951 #ifdef CONFIG_PROC_FS
8952 static int io_uring_show_cred(int id, void *p, void *data)
8954 const struct cred *cred = p;
8955 struct seq_file *m = data;
8956 struct user_namespace *uns = seq_user_ns(m);
8957 struct group_info *gi;
8962 seq_printf(m, "%5d\n", id);
8963 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
8964 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
8965 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
8966 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
8967 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
8968 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
8969 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
8970 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
8971 seq_puts(m, "\n\tGroups:\t");
8972 gi = cred->group_info;
8973 for (g = 0; g < gi->ngroups; g++) {
8974 seq_put_decimal_ull(m, g ? " " : "",
8975 from_kgid_munged(uns, gi->gid[g]));
8977 seq_puts(m, "\n\tCapEff:\t");
8978 cap = cred->cap_effective;
8979 CAP_FOR_EACH_U32(__capi)
8980 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
8985 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
8987 struct io_sq_data *sq = NULL;
8992 * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
8993 * since fdinfo case grabs it in the opposite direction of normal use
8994 * cases. If we fail to get the lock, we just don't iterate any
8995 * structures that could be going away outside the io_uring mutex.
8997 has_lock = mutex_trylock(&ctx->uring_lock);
8999 if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL))
9002 seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1);
9003 seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1);
9004 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
9005 for (i = 0; has_lock && i < ctx->nr_user_files; i++) {
9006 struct fixed_file_table *table;
9009 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
9010 f = table->files[i & IORING_FILE_TABLE_MASK];
9012 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
9014 seq_printf(m, "%5u: <none>\n", i);
9016 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
9017 for (i = 0; has_lock && i < ctx->nr_user_bufs; i++) {
9018 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
9020 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
9021 (unsigned int) buf->len);
9023 if (has_lock && !idr_is_empty(&ctx->personality_idr)) {
9024 seq_printf(m, "Personalities:\n");
9025 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
9027 seq_printf(m, "PollList:\n");
9028 spin_lock_irq(&ctx->completion_lock);
9029 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
9030 struct hlist_head *list = &ctx->cancel_hash[i];
9031 struct io_kiocb *req;
9033 hlist_for_each_entry(req, list, hash_node)
9034 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
9035 req->task->task_works != NULL);
9037 spin_unlock_irq(&ctx->completion_lock);
9039 mutex_unlock(&ctx->uring_lock);
9042 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
9044 struct io_ring_ctx *ctx = f->private_data;
9046 if (percpu_ref_tryget(&ctx->refs)) {
9047 __io_uring_show_fdinfo(ctx, m);
9048 percpu_ref_put(&ctx->refs);
9053 static const struct file_operations io_uring_fops = {
9054 .release = io_uring_release,
9055 .flush = io_uring_flush,
9056 .mmap = io_uring_mmap,
9058 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
9059 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
9061 .poll = io_uring_poll,
9062 .fasync = io_uring_fasync,
9063 #ifdef CONFIG_PROC_FS
9064 .show_fdinfo = io_uring_show_fdinfo,
9068 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
9069 struct io_uring_params *p)
9071 struct io_rings *rings;
9072 size_t size, sq_array_offset;
9074 /* make sure these are sane, as we already accounted them */
9075 ctx->sq_entries = p->sq_entries;
9076 ctx->cq_entries = p->cq_entries;
9078 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
9079 if (size == SIZE_MAX)
9082 rings = io_mem_alloc(size);
9087 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
9088 rings->sq_ring_mask = p->sq_entries - 1;
9089 rings->cq_ring_mask = p->cq_entries - 1;
9090 rings->sq_ring_entries = p->sq_entries;
9091 rings->cq_ring_entries = p->cq_entries;
9092 ctx->sq_mask = rings->sq_ring_mask;
9093 ctx->cq_mask = rings->cq_ring_mask;
9095 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
9096 if (size == SIZE_MAX) {
9097 io_mem_free(ctx->rings);
9102 ctx->sq_sqes = io_mem_alloc(size);
9103 if (!ctx->sq_sqes) {
9104 io_mem_free(ctx->rings);
9113 * Allocate an anonymous fd, this is what constitutes the application
9114 * visible backing of an io_uring instance. The application mmaps this
9115 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
9116 * we have to tie this fd to a socket for file garbage collection purposes.
9118 static int io_uring_get_fd(struct io_ring_ctx *ctx)
9123 #if defined(CONFIG_UNIX)
9124 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
9130 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
9134 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
9135 O_RDWR | O_CLOEXEC);
9139 ret = PTR_ERR(file);
9143 #if defined(CONFIG_UNIX)
9144 ctx->ring_sock->file = file;
9146 if (unlikely(io_uring_add_task_file(file))) {
9147 file = ERR_PTR(-ENOMEM);
9150 fd_install(ret, file);
9153 #if defined(CONFIG_UNIX)
9154 sock_release(ctx->ring_sock);
9155 ctx->ring_sock = NULL;
9160 static int io_uring_create(unsigned entries, struct io_uring_params *p,
9161 struct io_uring_params __user *params)
9163 struct user_struct *user = NULL;
9164 struct io_ring_ctx *ctx;
9170 if (entries > IORING_MAX_ENTRIES) {
9171 if (!(p->flags & IORING_SETUP_CLAMP))
9173 entries = IORING_MAX_ENTRIES;
9177 * Use twice as many entries for the CQ ring. It's possible for the
9178 * application to drive a higher depth than the size of the SQ ring,
9179 * since the sqes are only used at submission time. This allows for
9180 * some flexibility in overcommitting a bit. If the application has
9181 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
9182 * of CQ ring entries manually.
9184 p->sq_entries = roundup_pow_of_two(entries);
9185 if (p->flags & IORING_SETUP_CQSIZE) {
9187 * If IORING_SETUP_CQSIZE is set, we do the same roundup
9188 * to a power-of-two, if it isn't already. We do NOT impose
9189 * any cq vs sq ring sizing.
9191 if (p->cq_entries < p->sq_entries)
9193 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
9194 if (!(p->flags & IORING_SETUP_CLAMP))
9196 p->cq_entries = IORING_MAX_CQ_ENTRIES;
9198 p->cq_entries = roundup_pow_of_two(p->cq_entries);
9200 p->cq_entries = 2 * p->sq_entries;
9203 user = get_uid(current_user());
9204 limit_mem = !capable(CAP_IPC_LOCK);
9207 ret = __io_account_mem(user,
9208 ring_pages(p->sq_entries, p->cq_entries));
9215 ctx = io_ring_ctx_alloc(p);
9218 __io_unaccount_mem(user, ring_pages(p->sq_entries,
9223 ctx->compat = in_compat_syscall();
9225 ctx->creds = get_current_cred();
9227 ctx->loginuid = current->loginuid;
9228 ctx->sessionid = current->sessionid;
9230 ctx->sqo_task = get_task_struct(current);
9233 * This is just grabbed for accounting purposes. When a process exits,
9234 * the mm is exited and dropped before the files, hence we need to hang
9235 * on to this mm purely for the purposes of being able to unaccount
9236 * memory (locked/pinned vm). It's not used for anything else.
9238 mmgrab(current->mm);
9239 ctx->mm_account = current->mm;
9241 #ifdef CONFIG_BLK_CGROUP
9243 * The sq thread will belong to the original cgroup it was inited in.
9244 * If the cgroup goes offline (e.g. disabling the io controller), then
9245 * issued bios will be associated with the closest cgroup later in the
9249 ctx->sqo_blkcg_css = blkcg_css();
9250 ret = css_tryget_online(ctx->sqo_blkcg_css);
9253 /* don't init against a dying cgroup, have the user try again */
9254 ctx->sqo_blkcg_css = NULL;
9261 * Account memory _before_ installing the file descriptor. Once
9262 * the descriptor is installed, it can get closed at any time. Also
9263 * do this before hitting the general error path, as ring freeing
9264 * will un-account as well.
9266 io_account_mem(ctx, ring_pages(p->sq_entries, p->cq_entries),
9268 ctx->limit_mem = limit_mem;
9270 ret = io_allocate_scq_urings(ctx, p);
9274 ret = io_sq_offload_create(ctx, p);
9278 if (!(p->flags & IORING_SETUP_R_DISABLED))
9279 io_sq_offload_start(ctx);
9281 memset(&p->sq_off, 0, sizeof(p->sq_off));
9282 p->sq_off.head = offsetof(struct io_rings, sq.head);
9283 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
9284 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
9285 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
9286 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
9287 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
9288 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
9290 memset(&p->cq_off, 0, sizeof(p->cq_off));
9291 p->cq_off.head = offsetof(struct io_rings, cq.head);
9292 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
9293 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
9294 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
9295 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
9296 p->cq_off.cqes = offsetof(struct io_rings, cqes);
9297 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
9299 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
9300 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
9301 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
9302 IORING_FEAT_POLL_32BITS;
9304 if (copy_to_user(params, p, sizeof(*p))) {
9310 * Install ring fd as the very last thing, so we don't risk someone
9311 * having closed it before we finish setup
9313 ret = io_uring_get_fd(ctx);
9317 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
9320 io_ring_ctx_wait_and_kill(ctx);
9325 * Sets up an aio uring context, and returns the fd. Applications asks for a
9326 * ring size, we return the actual sq/cq ring sizes (among other things) in the
9327 * params structure passed in.
9329 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
9331 struct io_uring_params p;
9334 if (copy_from_user(&p, params, sizeof(p)))
9336 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
9341 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
9342 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
9343 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ |
9344 IORING_SETUP_R_DISABLED))
9347 return io_uring_create(entries, &p, params);
9350 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
9351 struct io_uring_params __user *, params)
9353 return io_uring_setup(entries, params);
9356 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
9358 struct io_uring_probe *p;
9362 size = struct_size(p, ops, nr_args);
9363 if (size == SIZE_MAX)
9365 p = kzalloc(size, GFP_KERNEL);
9370 if (copy_from_user(p, arg, size))
9373 if (memchr_inv(p, 0, size))
9376 p->last_op = IORING_OP_LAST - 1;
9377 if (nr_args > IORING_OP_LAST)
9378 nr_args = IORING_OP_LAST;
9380 for (i = 0; i < nr_args; i++) {
9382 if (!io_op_defs[i].not_supported)
9383 p->ops[i].flags = IO_URING_OP_SUPPORTED;
9388 if (copy_to_user(arg, p, size))
9395 static int io_register_personality(struct io_ring_ctx *ctx)
9397 struct io_identity *id;
9400 id = kmalloc(sizeof(*id), GFP_KERNEL);
9404 io_init_identity(id);
9405 id->creds = get_current_cred();
9407 ret = idr_alloc_cyclic(&ctx->personality_idr, id, 1, USHRT_MAX, GFP_KERNEL);
9409 put_cred(id->creds);
9415 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
9417 struct io_identity *iod;
9419 iod = idr_remove(&ctx->personality_idr, id);
9421 put_cred(iod->creds);
9422 if (refcount_dec_and_test(&iod->count))
9430 static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg,
9431 unsigned int nr_args)
9433 struct io_uring_restriction *res;
9437 /* Restrictions allowed only if rings started disabled */
9438 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9441 /* We allow only a single restrictions registration */
9442 if (ctx->restrictions.registered)
9445 if (!arg || nr_args > IORING_MAX_RESTRICTIONS)
9448 size = array_size(nr_args, sizeof(*res));
9449 if (size == SIZE_MAX)
9452 res = memdup_user(arg, size);
9454 return PTR_ERR(res);
9458 for (i = 0; i < nr_args; i++) {
9459 switch (res[i].opcode) {
9460 case IORING_RESTRICTION_REGISTER_OP:
9461 if (res[i].register_op >= IORING_REGISTER_LAST) {
9466 __set_bit(res[i].register_op,
9467 ctx->restrictions.register_op);
9469 case IORING_RESTRICTION_SQE_OP:
9470 if (res[i].sqe_op >= IORING_OP_LAST) {
9475 __set_bit(res[i].sqe_op, ctx->restrictions.sqe_op);
9477 case IORING_RESTRICTION_SQE_FLAGS_ALLOWED:
9478 ctx->restrictions.sqe_flags_allowed = res[i].sqe_flags;
9480 case IORING_RESTRICTION_SQE_FLAGS_REQUIRED:
9481 ctx->restrictions.sqe_flags_required = res[i].sqe_flags;
9490 /* Reset all restrictions if an error happened */
9492 memset(&ctx->restrictions, 0, sizeof(ctx->restrictions));
9494 ctx->restrictions.registered = true;
9500 static int io_register_enable_rings(struct io_ring_ctx *ctx)
9502 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9505 if (ctx->restrictions.registered)
9506 ctx->restricted = 1;
9508 ctx->flags &= ~IORING_SETUP_R_DISABLED;
9510 io_sq_offload_start(ctx);
9515 static bool io_register_op_must_quiesce(int op)
9518 case IORING_UNREGISTER_FILES:
9519 case IORING_REGISTER_FILES_UPDATE:
9520 case IORING_REGISTER_PROBE:
9521 case IORING_REGISTER_PERSONALITY:
9522 case IORING_UNREGISTER_PERSONALITY:
9529 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
9530 void __user *arg, unsigned nr_args)
9531 __releases(ctx->uring_lock)
9532 __acquires(ctx->uring_lock)
9537 * We're inside the ring mutex, if the ref is already dying, then
9538 * someone else killed the ctx or is already going through
9539 * io_uring_register().
9541 if (percpu_ref_is_dying(&ctx->refs))
9544 if (io_register_op_must_quiesce(opcode)) {
9545 percpu_ref_kill(&ctx->refs);
9548 * Drop uring mutex before waiting for references to exit. If
9549 * another thread is currently inside io_uring_enter() it might
9550 * need to grab the uring_lock to make progress. If we hold it
9551 * here across the drain wait, then we can deadlock. It's safe
9552 * to drop the mutex here, since no new references will come in
9553 * after we've killed the percpu ref.
9555 mutex_unlock(&ctx->uring_lock);
9557 ret = wait_for_completion_interruptible(&ctx->ref_comp);
9560 ret = io_run_task_work_sig();
9565 mutex_lock(&ctx->uring_lock);
9568 percpu_ref_resurrect(&ctx->refs);
9573 if (ctx->restricted) {
9574 if (opcode >= IORING_REGISTER_LAST) {
9579 if (!test_bit(opcode, ctx->restrictions.register_op)) {
9586 case IORING_REGISTER_BUFFERS:
9587 ret = io_sqe_buffer_register(ctx, arg, nr_args);
9589 case IORING_UNREGISTER_BUFFERS:
9593 ret = io_sqe_buffer_unregister(ctx);
9595 case IORING_REGISTER_FILES:
9596 ret = io_sqe_files_register(ctx, arg, nr_args);
9598 case IORING_UNREGISTER_FILES:
9602 ret = io_sqe_files_unregister(ctx);
9604 case IORING_REGISTER_FILES_UPDATE:
9605 ret = io_sqe_files_update(ctx, arg, nr_args);
9607 case IORING_REGISTER_EVENTFD:
9608 case IORING_REGISTER_EVENTFD_ASYNC:
9612 ret = io_eventfd_register(ctx, arg);
9615 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
9616 ctx->eventfd_async = 1;
9618 ctx->eventfd_async = 0;
9620 case IORING_UNREGISTER_EVENTFD:
9624 ret = io_eventfd_unregister(ctx);
9626 case IORING_REGISTER_PROBE:
9628 if (!arg || nr_args > 256)
9630 ret = io_probe(ctx, arg, nr_args);
9632 case IORING_REGISTER_PERSONALITY:
9636 ret = io_register_personality(ctx);
9638 case IORING_UNREGISTER_PERSONALITY:
9642 ret = io_unregister_personality(ctx, nr_args);
9644 case IORING_REGISTER_ENABLE_RINGS:
9648 ret = io_register_enable_rings(ctx);
9650 case IORING_REGISTER_RESTRICTIONS:
9651 ret = io_register_restrictions(ctx, arg, nr_args);
9659 if (io_register_op_must_quiesce(opcode)) {
9660 /* bring the ctx back to life */
9661 percpu_ref_reinit(&ctx->refs);
9663 reinit_completion(&ctx->ref_comp);
9668 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
9669 void __user *, arg, unsigned int, nr_args)
9671 struct io_ring_ctx *ctx;
9680 if (f.file->f_op != &io_uring_fops)
9683 ctx = f.file->private_data;
9685 mutex_lock(&ctx->uring_lock);
9686 ret = __io_uring_register(ctx, opcode, arg, nr_args);
9687 mutex_unlock(&ctx->uring_lock);
9688 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
9689 ctx->cq_ev_fd != NULL, ret);
9695 static int __init io_uring_init(void)
9697 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
9698 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
9699 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
9702 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
9703 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
9704 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
9705 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
9706 BUILD_BUG_SQE_ELEM(1, __u8, flags);
9707 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
9708 BUILD_BUG_SQE_ELEM(4, __s32, fd);
9709 BUILD_BUG_SQE_ELEM(8, __u64, off);
9710 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
9711 BUILD_BUG_SQE_ELEM(16, __u64, addr);
9712 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
9713 BUILD_BUG_SQE_ELEM(24, __u32, len);
9714 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
9715 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
9716 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
9717 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
9718 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
9719 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
9720 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
9721 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
9722 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
9723 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
9724 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
9725 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
9726 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
9727 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
9728 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
9729 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
9730 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
9731 BUILD_BUG_SQE_ELEM(42, __u16, personality);
9732 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
9734 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
9735 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
9736 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
9739 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob