1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
79 #include <linux/splice.h>
80 #include <linux/task_work.h>
82 #define CREATE_TRACE_POINTS
83 #include <trace/events/io_uring.h>
85 #include <uapi/linux/io_uring.h>
90 #define IORING_MAX_ENTRIES 32768
91 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
94 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
96 #define IORING_FILE_TABLE_SHIFT 9
97 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
98 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
99 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
102 u32 head ____cacheline_aligned_in_smp;
103 u32 tail ____cacheline_aligned_in_smp;
107 * This data is shared with the application through the mmap at offsets
108 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
110 * The offsets to the member fields are published through struct
111 * io_sqring_offsets when calling io_uring_setup.
115 * Head and tail offsets into the ring; the offsets need to be
116 * masked to get valid indices.
118 * The kernel controls head of the sq ring and the tail of the cq ring,
119 * and the application controls tail of the sq ring and the head of the
122 struct io_uring sq, cq;
124 * Bitmasks to apply to head and tail offsets (constant, equals
127 u32 sq_ring_mask, cq_ring_mask;
128 /* Ring sizes (constant, power of 2) */
129 u32 sq_ring_entries, cq_ring_entries;
131 * Number of invalid entries dropped by the kernel due to
132 * invalid index stored in array
134 * Written by the kernel, shouldn't be modified by the
135 * application (i.e. get number of "new events" by comparing to
138 * After a new SQ head value was read by the application this
139 * counter includes all submissions that were dropped reaching
140 * the new SQ head (and possibly more).
146 * Written by the kernel, shouldn't be modified by the
149 * The application needs a full memory barrier before checking
150 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
156 * Written by the application, shouldn't be modified by the
161 * Number of completion events lost because the queue was full;
162 * this should be avoided by the application by making sure
163 * there are not more requests pending than there is space in
164 * the completion queue.
166 * Written by the kernel, shouldn't be modified by the
167 * application (i.e. get number of "new events" by comparing to
170 * As completion events come in out of order this counter is not
171 * ordered with any other data.
175 * Ring buffer of completion events.
177 * The kernel writes completion events fresh every time they are
178 * produced, so the application is allowed to modify pending
181 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
184 struct io_mapped_ubuf {
187 struct bio_vec *bvec;
188 unsigned int nr_bvecs;
191 struct fixed_file_table {
195 struct fixed_file_ref_node {
196 struct percpu_ref refs;
197 struct list_head node;
198 struct list_head file_list;
199 struct fixed_file_data *file_data;
200 struct llist_node llist;
203 struct fixed_file_data {
204 struct fixed_file_table *table;
205 struct io_ring_ctx *ctx;
207 struct percpu_ref *cur_refs;
208 struct percpu_ref refs;
209 struct completion done;
210 struct list_head ref_list;
215 struct list_head list;
223 struct percpu_ref refs;
224 } ____cacheline_aligned_in_smp;
228 unsigned int compat: 1;
229 unsigned int account_mem: 1;
230 unsigned int cq_overflow_flushed: 1;
231 unsigned int drain_next: 1;
232 unsigned int eventfd_async: 1;
235 * Ring buffer of indices into array of io_uring_sqe, which is
236 * mmapped by the application using the IORING_OFF_SQES offset.
238 * This indirection could e.g. be used to assign fixed
239 * io_uring_sqe entries to operations and only submit them to
240 * the queue when needed.
242 * The kernel modifies neither the indices array nor the entries
246 unsigned cached_sq_head;
249 unsigned sq_thread_idle;
250 unsigned cached_sq_dropped;
251 atomic_t cached_cq_overflow;
252 unsigned long sq_check_overflow;
254 struct list_head defer_list;
255 struct list_head timeout_list;
256 struct list_head cq_overflow_list;
258 wait_queue_head_t inflight_wait;
259 struct io_uring_sqe *sq_sqes;
260 } ____cacheline_aligned_in_smp;
262 struct io_rings *rings;
266 struct task_struct *sqo_thread; /* if using sq thread polling */
267 struct mm_struct *sqo_mm;
268 wait_queue_head_t sqo_wait;
271 * If used, fixed file set. Writers must ensure that ->refs is dead,
272 * readers must ensure that ->refs is alive as long as the file* is
273 * used. Only updated through io_uring_register(2).
275 struct fixed_file_data *file_data;
276 unsigned nr_user_files;
278 struct file *ring_file;
280 /* if used, fixed mapped user buffers */
281 unsigned nr_user_bufs;
282 struct io_mapped_ubuf *user_bufs;
284 struct user_struct *user;
286 const struct cred *creds;
288 struct completion ref_comp;
289 struct completion sq_thread_comp;
291 /* if all else fails... */
292 struct io_kiocb *fallback_req;
294 #if defined(CONFIG_UNIX)
295 struct socket *ring_sock;
298 struct idr io_buffer_idr;
300 struct idr personality_idr;
303 unsigned cached_cq_tail;
306 atomic_t cq_timeouts;
307 unsigned long cq_check_overflow;
308 struct wait_queue_head cq_wait;
309 struct fasync_struct *cq_fasync;
310 struct eventfd_ctx *cq_ev_fd;
311 } ____cacheline_aligned_in_smp;
314 struct mutex uring_lock;
315 wait_queue_head_t wait;
316 } ____cacheline_aligned_in_smp;
319 spinlock_t completion_lock;
322 * ->poll_list is protected by the ctx->uring_lock for
323 * io_uring instances that don't use IORING_SETUP_SQPOLL.
324 * For SQPOLL, only the single threaded io_sq_thread() will
325 * manipulate the list, hence no extra locking is needed there.
327 struct list_head poll_list;
328 struct hlist_head *cancel_hash;
329 unsigned cancel_hash_bits;
330 bool poll_multi_file;
332 spinlock_t inflight_lock;
333 struct list_head inflight_list;
334 } ____cacheline_aligned_in_smp;
336 struct delayed_work file_put_work;
337 struct llist_head file_put_llist;
339 struct work_struct exit_work;
343 * First field must be the file pointer in all the
344 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
346 struct io_poll_iocb {
349 struct wait_queue_head *head;
355 struct wait_queue_entry wait;
360 struct file *put_file;
364 struct io_timeout_data {
365 struct io_kiocb *req;
366 struct hrtimer timer;
367 struct timespec64 ts;
368 enum hrtimer_mode mode;
373 struct sockaddr __user *addr;
374 int __user *addr_len;
376 unsigned long nofile;
401 /* NOTE: kiocb has the file as the first member, so don't do it here */
409 struct sockaddr __user *addr;
416 struct user_msghdr __user *msg;
422 struct io_buffer *kbuf;
428 struct filename *filename;
430 unsigned long nofile;
433 struct io_files_update {
459 struct epoll_event event;
463 struct file *file_out;
464 struct file *file_in;
471 struct io_provide_buf {
485 const char __user *filename;
486 struct statx __user *buffer;
489 struct io_async_connect {
490 struct sockaddr_storage address;
493 struct io_async_msghdr {
494 struct iovec fast_iov[UIO_FASTIOV];
496 struct sockaddr __user *uaddr;
498 struct sockaddr_storage addr;
502 struct iovec fast_iov[UIO_FASTIOV];
508 struct io_async_ctx {
510 struct io_async_rw rw;
511 struct io_async_msghdr msg;
512 struct io_async_connect connect;
513 struct io_timeout_data timeout;
518 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
519 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
520 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
521 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
522 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
523 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
531 REQ_F_LINK_TIMEOUT_BIT,
535 REQ_F_TIMEOUT_NOSEQ_BIT,
536 REQ_F_COMP_LOCKED_BIT,
537 REQ_F_NEED_CLEANUP_BIT,
540 REQ_F_BUFFER_SELECTED_BIT,
541 REQ_F_NO_FILE_TABLE_BIT,
542 REQ_F_QUEUE_TIMEOUT_BIT,
543 REQ_F_WORK_INITIALIZED_BIT,
544 REQ_F_TASK_PINNED_BIT,
546 /* not a real bit, just to check we're not overflowing the space */
552 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
553 /* drain existing IO first */
554 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
556 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
557 /* doesn't sever on completion < 0 */
558 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
560 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
561 /* IOSQE_BUFFER_SELECT */
562 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
565 REQ_F_LINK_HEAD = BIT(REQ_F_LINK_HEAD_BIT),
566 /* already grabbed next link */
567 REQ_F_LINK_NEXT = BIT(REQ_F_LINK_NEXT_BIT),
568 /* fail rest of links */
569 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
570 /* on inflight list */
571 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
572 /* read/write uses file position */
573 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
574 /* must not punt to workers */
575 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
576 /* has linked timeout */
577 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
578 /* timeout request */
579 REQ_F_TIMEOUT = BIT(REQ_F_TIMEOUT_BIT),
581 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
582 /* must be punted even for NONBLOCK */
583 REQ_F_MUST_PUNT = BIT(REQ_F_MUST_PUNT_BIT),
584 /* no timeout sequence */
585 REQ_F_TIMEOUT_NOSEQ = BIT(REQ_F_TIMEOUT_NOSEQ_BIT),
586 /* completion under lock */
587 REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
589 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
590 /* in overflow list */
591 REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
592 /* already went through poll handler */
593 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
594 /* buffer already selected */
595 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
596 /* doesn't need file table for this request */
597 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
598 /* needs to queue linked timeout */
599 REQ_F_QUEUE_TIMEOUT = BIT(REQ_F_QUEUE_TIMEOUT_BIT),
600 /* io_wq_work is initialized */
601 REQ_F_WORK_INITIALIZED = BIT(REQ_F_WORK_INITIALIZED_BIT),
602 /* req->task is refcounted */
603 REQ_F_TASK_PINNED = BIT(REQ_F_TASK_PINNED_BIT),
607 struct io_poll_iocb poll;
608 struct io_wq_work work;
612 * NOTE! Each of the iocb union members has the file pointer
613 * as the first entry in their struct definition. So you can
614 * access the file pointer through any of the sub-structs,
615 * or directly as just 'ki_filp' in this struct.
621 struct io_poll_iocb poll;
622 struct io_accept accept;
624 struct io_cancel cancel;
625 struct io_timeout timeout;
626 struct io_connect connect;
627 struct io_sr_msg sr_msg;
629 struct io_close close;
630 struct io_files_update files_update;
631 struct io_fadvise fadvise;
632 struct io_madvise madvise;
633 struct io_epoll epoll;
634 struct io_splice splice;
635 struct io_provide_buf pbuf;
636 struct io_statx statx;
639 struct io_async_ctx *io;
642 /* polled IO has completed */
647 struct io_ring_ctx *ctx;
648 struct list_head list;
651 struct task_struct *task;
657 struct list_head link_list;
659 struct list_head inflight_entry;
661 struct percpu_ref *fixed_file_refs;
665 * Only commands that never go async can use the below fields,
666 * obviously. Right now only IORING_OP_POLL_ADD uses them, and
667 * async armed poll handlers for regular commands. The latter
668 * restore the work, if needed.
671 struct callback_head task_work;
672 struct hlist_node hash_node;
673 struct async_poll *apoll;
675 struct io_wq_work work;
679 #define IO_PLUG_THRESHOLD 2
680 #define IO_IOPOLL_BATCH 8
682 struct io_submit_state {
683 struct blk_plug plug;
686 * io_kiocb alloc cache
688 void *reqs[IO_IOPOLL_BATCH];
689 unsigned int free_reqs;
692 * File reference cache
696 unsigned int has_refs;
697 unsigned int used_refs;
698 unsigned int ios_left;
702 /* needs req->io allocated for deferral/async */
703 unsigned async_ctx : 1;
704 /* needs current->mm setup, does mm access */
705 unsigned needs_mm : 1;
706 /* needs req->file assigned */
707 unsigned needs_file : 1;
708 /* don't fail if file grab fails */
709 unsigned needs_file_no_error : 1;
710 /* hash wq insertion if file is a regular file */
711 unsigned hash_reg_file : 1;
712 /* unbound wq insertion if file is a non-regular file */
713 unsigned unbound_nonreg_file : 1;
714 /* opcode is not supported by this kernel */
715 unsigned not_supported : 1;
716 /* needs file table */
717 unsigned file_table : 1;
719 unsigned needs_fs : 1;
720 /* set if opcode supports polled "wait" */
722 unsigned pollout : 1;
723 /* op supports buffer selection */
724 unsigned buffer_select : 1;
727 static const struct io_op_def io_op_defs[] = {
728 [IORING_OP_NOP] = {},
729 [IORING_OP_READV] = {
733 .unbound_nonreg_file = 1,
737 [IORING_OP_WRITEV] = {
742 .unbound_nonreg_file = 1,
745 [IORING_OP_FSYNC] = {
748 [IORING_OP_READ_FIXED] = {
750 .unbound_nonreg_file = 1,
753 [IORING_OP_WRITE_FIXED] = {
756 .unbound_nonreg_file = 1,
759 [IORING_OP_POLL_ADD] = {
761 .unbound_nonreg_file = 1,
763 [IORING_OP_POLL_REMOVE] = {},
764 [IORING_OP_SYNC_FILE_RANGE] = {
767 [IORING_OP_SENDMSG] = {
771 .unbound_nonreg_file = 1,
775 [IORING_OP_RECVMSG] = {
779 .unbound_nonreg_file = 1,
784 [IORING_OP_TIMEOUT] = {
788 [IORING_OP_TIMEOUT_REMOVE] = {},
789 [IORING_OP_ACCEPT] = {
792 .unbound_nonreg_file = 1,
796 [IORING_OP_ASYNC_CANCEL] = {},
797 [IORING_OP_LINK_TIMEOUT] = {
801 [IORING_OP_CONNECT] = {
805 .unbound_nonreg_file = 1,
808 [IORING_OP_FALLOCATE] = {
811 [IORING_OP_OPENAT] = {
815 [IORING_OP_CLOSE] = {
817 .needs_file_no_error = 1,
820 [IORING_OP_FILES_UPDATE] = {
824 [IORING_OP_STATX] = {
832 .unbound_nonreg_file = 1,
836 [IORING_OP_WRITE] = {
839 .unbound_nonreg_file = 1,
842 [IORING_OP_FADVISE] = {
845 [IORING_OP_MADVISE] = {
851 .unbound_nonreg_file = 1,
857 .unbound_nonreg_file = 1,
861 [IORING_OP_OPENAT2] = {
865 [IORING_OP_EPOLL_CTL] = {
866 .unbound_nonreg_file = 1,
869 [IORING_OP_SPLICE] = {
872 .unbound_nonreg_file = 1,
874 [IORING_OP_PROVIDE_BUFFERS] = {},
875 [IORING_OP_REMOVE_BUFFERS] = {},
879 .unbound_nonreg_file = 1,
883 static void io_wq_submit_work(struct io_wq_work **workptr);
884 static void io_cqring_fill_event(struct io_kiocb *req, long res);
885 static void io_put_req(struct io_kiocb *req);
886 static void __io_double_put_req(struct io_kiocb *req);
887 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
888 static void io_queue_linked_timeout(struct io_kiocb *req);
889 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
890 struct io_uring_files_update *ip,
892 static int io_grab_files(struct io_kiocb *req);
893 static void io_complete_rw_common(struct kiocb *kiocb, long res);
894 static void io_cleanup_req(struct io_kiocb *req);
895 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
896 int fd, struct file **out_file, bool fixed);
897 static void __io_queue_sqe(struct io_kiocb *req,
898 const struct io_uring_sqe *sqe);
900 static struct kmem_cache *req_cachep;
902 static const struct file_operations io_uring_fops;
904 struct sock *io_uring_get_socket(struct file *file)
906 #if defined(CONFIG_UNIX)
907 if (file->f_op == &io_uring_fops) {
908 struct io_ring_ctx *ctx = file->private_data;
910 return ctx->ring_sock->sk;
915 EXPORT_SYMBOL(io_uring_get_socket);
917 static void io_get_req_task(struct io_kiocb *req)
919 if (req->flags & REQ_F_TASK_PINNED)
921 get_task_struct(req->task);
922 req->flags |= REQ_F_TASK_PINNED;
925 /* not idempotent -- it doesn't clear REQ_F_TASK_PINNED */
926 static void __io_put_req_task(struct io_kiocb *req)
928 if (req->flags & REQ_F_TASK_PINNED)
929 put_task_struct(req->task);
932 static void io_file_put_work(struct work_struct *work);
935 * Note: must call io_req_init_async() for the first time you
936 * touch any members of io_wq_work.
938 static inline void io_req_init_async(struct io_kiocb *req)
940 if (req->flags & REQ_F_WORK_INITIALIZED)
943 memset(&req->work, 0, sizeof(req->work));
944 req->flags |= REQ_F_WORK_INITIALIZED;
947 static inline bool io_async_submit(struct io_ring_ctx *ctx)
949 return ctx->flags & IORING_SETUP_SQPOLL;
952 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
954 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
956 complete(&ctx->ref_comp);
959 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
961 struct io_ring_ctx *ctx;
964 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
968 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
969 if (!ctx->fallback_req)
973 * Use 5 bits less than the max cq entries, that should give us around
974 * 32 entries per hash list if totally full and uniformly spread.
976 hash_bits = ilog2(p->cq_entries);
980 ctx->cancel_hash_bits = hash_bits;
981 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
983 if (!ctx->cancel_hash)
985 __hash_init(ctx->cancel_hash, 1U << hash_bits);
987 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
988 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
991 ctx->flags = p->flags;
992 init_waitqueue_head(&ctx->sqo_wait);
993 init_waitqueue_head(&ctx->cq_wait);
994 INIT_LIST_HEAD(&ctx->cq_overflow_list);
995 init_completion(&ctx->ref_comp);
996 init_completion(&ctx->sq_thread_comp);
997 idr_init(&ctx->io_buffer_idr);
998 idr_init(&ctx->personality_idr);
999 mutex_init(&ctx->uring_lock);
1000 init_waitqueue_head(&ctx->wait);
1001 spin_lock_init(&ctx->completion_lock);
1002 INIT_LIST_HEAD(&ctx->poll_list);
1003 INIT_LIST_HEAD(&ctx->defer_list);
1004 INIT_LIST_HEAD(&ctx->timeout_list);
1005 init_waitqueue_head(&ctx->inflight_wait);
1006 spin_lock_init(&ctx->inflight_lock);
1007 INIT_LIST_HEAD(&ctx->inflight_list);
1008 INIT_DELAYED_WORK(&ctx->file_put_work, io_file_put_work);
1009 init_llist_head(&ctx->file_put_llist);
1012 if (ctx->fallback_req)
1013 kmem_cache_free(req_cachep, ctx->fallback_req);
1014 kfree(ctx->cancel_hash);
1019 static inline bool __req_need_defer(struct io_kiocb *req)
1021 struct io_ring_ctx *ctx = req->ctx;
1023 return req->sequence != ctx->cached_cq_tail
1024 + atomic_read(&ctx->cached_cq_overflow);
1027 static inline bool req_need_defer(struct io_kiocb *req)
1029 if (unlikely(req->flags & REQ_F_IO_DRAIN))
1030 return __req_need_defer(req);
1035 static void __io_commit_cqring(struct io_ring_ctx *ctx)
1037 struct io_rings *rings = ctx->rings;
1039 /* order cqe stores with ring update */
1040 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
1042 if (wq_has_sleeper(&ctx->cq_wait)) {
1043 wake_up_interruptible(&ctx->cq_wait);
1044 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1048 static inline void io_req_work_grab_env(struct io_kiocb *req,
1049 const struct io_op_def *def)
1051 if (!req->work.mm && def->needs_mm) {
1052 mmgrab(current->mm);
1053 req->work.mm = current->mm;
1055 if (!req->work.creds)
1056 req->work.creds = get_current_cred();
1057 if (!req->work.fs && def->needs_fs) {
1058 spin_lock(¤t->fs->lock);
1059 if (!current->fs->in_exec) {
1060 req->work.fs = current->fs;
1061 req->work.fs->users++;
1063 req->work.flags |= IO_WQ_WORK_CANCEL;
1065 spin_unlock(¤t->fs->lock);
1069 static inline void io_req_work_drop_env(struct io_kiocb *req)
1071 if (!(req->flags & REQ_F_WORK_INITIALIZED))
1075 mmdrop(req->work.mm);
1076 req->work.mm = NULL;
1078 if (req->work.creds) {
1079 put_cred(req->work.creds);
1080 req->work.creds = NULL;
1083 struct fs_struct *fs = req->work.fs;
1085 spin_lock(&req->work.fs->lock);
1088 spin_unlock(&req->work.fs->lock);
1094 static inline void io_prep_async_work(struct io_kiocb *req,
1095 struct io_kiocb **link)
1097 const struct io_op_def *def = &io_op_defs[req->opcode];
1099 if (req->flags & REQ_F_ISREG) {
1100 if (def->hash_reg_file)
1101 io_wq_hash_work(&req->work, file_inode(req->file));
1103 if (def->unbound_nonreg_file)
1104 req->work.flags |= IO_WQ_WORK_UNBOUND;
1107 io_req_init_async(req);
1108 io_req_work_grab_env(req, def);
1110 *link = io_prep_linked_timeout(req);
1113 static inline void io_queue_async_work(struct io_kiocb *req)
1115 struct io_ring_ctx *ctx = req->ctx;
1116 struct io_kiocb *link;
1118 io_prep_async_work(req, &link);
1120 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1121 &req->work, req->flags);
1122 io_wq_enqueue(ctx->io_wq, &req->work);
1125 io_queue_linked_timeout(link);
1128 static void io_kill_timeout(struct io_kiocb *req)
1132 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1134 atomic_inc(&req->ctx->cq_timeouts);
1135 list_del_init(&req->list);
1136 req->flags |= REQ_F_COMP_LOCKED;
1137 io_cqring_fill_event(req, 0);
1142 static void io_kill_timeouts(struct io_ring_ctx *ctx)
1144 struct io_kiocb *req, *tmp;
1146 spin_lock_irq(&ctx->completion_lock);
1147 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
1148 io_kill_timeout(req);
1149 spin_unlock_irq(&ctx->completion_lock);
1152 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1155 struct io_kiocb *req = list_first_entry(&ctx->defer_list,
1156 struct io_kiocb, list);
1158 if (req_need_defer(req))
1160 list_del_init(&req->list);
1161 io_queue_async_work(req);
1162 } while (!list_empty(&ctx->defer_list));
1165 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1167 while (!list_empty(&ctx->timeout_list)) {
1168 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1169 struct io_kiocb, list);
1171 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
1173 if (req->timeout.target_seq != ctx->cached_cq_tail
1174 - atomic_read(&ctx->cq_timeouts))
1177 list_del_init(&req->list);
1178 io_kill_timeout(req);
1182 static void io_commit_cqring(struct io_ring_ctx *ctx)
1184 io_flush_timeouts(ctx);
1185 __io_commit_cqring(ctx);
1187 if (unlikely(!list_empty(&ctx->defer_list)))
1188 __io_queue_deferred(ctx);
1191 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1193 struct io_rings *rings = ctx->rings;
1196 tail = ctx->cached_cq_tail;
1198 * writes to the cq entry need to come after reading head; the
1199 * control dependency is enough as we're using WRITE_ONCE to
1202 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1205 ctx->cached_cq_tail++;
1206 return &rings->cqes[tail & ctx->cq_mask];
1209 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1213 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1215 if (!ctx->eventfd_async)
1217 return io_wq_current_is_worker();
1220 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1222 if (waitqueue_active(&ctx->wait))
1223 wake_up(&ctx->wait);
1224 if (waitqueue_active(&ctx->sqo_wait))
1225 wake_up(&ctx->sqo_wait);
1226 if (io_should_trigger_evfd(ctx))
1227 eventfd_signal(ctx->cq_ev_fd, 1);
1230 /* Returns true if there are no backlogged entries after the flush */
1231 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1233 struct io_rings *rings = ctx->rings;
1234 struct io_uring_cqe *cqe;
1235 struct io_kiocb *req;
1236 unsigned long flags;
1240 if (list_empty_careful(&ctx->cq_overflow_list))
1242 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1243 rings->cq_ring_entries))
1247 spin_lock_irqsave(&ctx->completion_lock, flags);
1249 /* if force is set, the ring is going away. always drop after that */
1251 ctx->cq_overflow_flushed = 1;
1254 while (!list_empty(&ctx->cq_overflow_list)) {
1255 cqe = io_get_cqring(ctx);
1259 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1261 list_move(&req->list, &list);
1262 req->flags &= ~REQ_F_OVERFLOW;
1264 WRITE_ONCE(cqe->user_data, req->user_data);
1265 WRITE_ONCE(cqe->res, req->result);
1266 WRITE_ONCE(cqe->flags, req->cflags);
1268 WRITE_ONCE(ctx->rings->cq_overflow,
1269 atomic_inc_return(&ctx->cached_cq_overflow));
1273 io_commit_cqring(ctx);
1275 clear_bit(0, &ctx->sq_check_overflow);
1276 clear_bit(0, &ctx->cq_check_overflow);
1277 ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
1279 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1280 io_cqring_ev_posted(ctx);
1282 while (!list_empty(&list)) {
1283 req = list_first_entry(&list, struct io_kiocb, list);
1284 list_del(&req->list);
1291 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1293 struct io_ring_ctx *ctx = req->ctx;
1294 struct io_uring_cqe *cqe;
1296 trace_io_uring_complete(ctx, req->user_data, res);
1299 * If we can't get a cq entry, userspace overflowed the
1300 * submission (by quite a lot). Increment the overflow count in
1303 cqe = io_get_cqring(ctx);
1305 WRITE_ONCE(cqe->user_data, req->user_data);
1306 WRITE_ONCE(cqe->res, res);
1307 WRITE_ONCE(cqe->flags, cflags);
1308 } else if (ctx->cq_overflow_flushed) {
1309 WRITE_ONCE(ctx->rings->cq_overflow,
1310 atomic_inc_return(&ctx->cached_cq_overflow));
1312 if (list_empty(&ctx->cq_overflow_list)) {
1313 set_bit(0, &ctx->sq_check_overflow);
1314 set_bit(0, &ctx->cq_check_overflow);
1315 ctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;
1317 req->flags |= REQ_F_OVERFLOW;
1318 refcount_inc(&req->refs);
1320 req->cflags = cflags;
1321 list_add_tail(&req->list, &ctx->cq_overflow_list);
1325 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1327 __io_cqring_fill_event(req, res, 0);
1330 static void __io_cqring_add_event(struct io_kiocb *req, long res, long cflags)
1332 struct io_ring_ctx *ctx = req->ctx;
1333 unsigned long flags;
1335 spin_lock_irqsave(&ctx->completion_lock, flags);
1336 __io_cqring_fill_event(req, res, cflags);
1337 io_commit_cqring(ctx);
1338 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1340 io_cqring_ev_posted(ctx);
1343 static void io_cqring_add_event(struct io_kiocb *req, long res)
1345 __io_cqring_add_event(req, res, 0);
1348 static inline bool io_is_fallback_req(struct io_kiocb *req)
1350 return req == (struct io_kiocb *)
1351 ((unsigned long) req->ctx->fallback_req & ~1UL);
1354 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1356 struct io_kiocb *req;
1358 req = ctx->fallback_req;
1359 if (!test_and_set_bit_lock(0, (unsigned long *) &ctx->fallback_req))
1365 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx,
1366 struct io_submit_state *state)
1368 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1369 struct io_kiocb *req;
1372 req = kmem_cache_alloc(req_cachep, gfp);
1375 } else if (!state->free_reqs) {
1379 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1380 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1383 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1384 * retry single alloc to be on the safe side.
1386 if (unlikely(ret <= 0)) {
1387 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1388 if (!state->reqs[0])
1392 state->free_reqs = ret - 1;
1393 req = state->reqs[ret - 1];
1396 req = state->reqs[state->free_reqs];
1401 return io_get_fallback_req(ctx);
1404 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1408 percpu_ref_put(req->fixed_file_refs);
1413 static void __io_req_aux_free(struct io_kiocb *req)
1415 if (req->flags & REQ_F_NEED_CLEANUP)
1416 io_cleanup_req(req);
1420 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1421 __io_put_req_task(req);
1422 io_req_work_drop_env(req);
1425 static void __io_free_req(struct io_kiocb *req)
1427 __io_req_aux_free(req);
1429 if (req->flags & REQ_F_INFLIGHT) {
1430 struct io_ring_ctx *ctx = req->ctx;
1431 unsigned long flags;
1433 spin_lock_irqsave(&ctx->inflight_lock, flags);
1434 list_del(&req->inflight_entry);
1435 if (waitqueue_active(&ctx->inflight_wait))
1436 wake_up(&ctx->inflight_wait);
1437 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1440 percpu_ref_put(&req->ctx->refs);
1441 if (likely(!io_is_fallback_req(req)))
1442 kmem_cache_free(req_cachep, req);
1444 clear_bit_unlock(0, (unsigned long *) &req->ctx->fallback_req);
1448 void *reqs[IO_IOPOLL_BATCH];
1453 static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1457 if (rb->need_iter) {
1458 int i, inflight = 0;
1459 unsigned long flags;
1461 for (i = 0; i < rb->to_free; i++) {
1462 struct io_kiocb *req = rb->reqs[i];
1464 if (req->flags & REQ_F_INFLIGHT)
1466 __io_req_aux_free(req);
1471 spin_lock_irqsave(&ctx->inflight_lock, flags);
1472 for (i = 0; i < rb->to_free; i++) {
1473 struct io_kiocb *req = rb->reqs[i];
1475 if (req->flags & REQ_F_INFLIGHT) {
1476 list_del(&req->inflight_entry);
1481 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1483 if (waitqueue_active(&ctx->inflight_wait))
1484 wake_up(&ctx->inflight_wait);
1487 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1488 percpu_ref_put_many(&ctx->refs, rb->to_free);
1489 rb->to_free = rb->need_iter = 0;
1492 static bool io_link_cancel_timeout(struct io_kiocb *req)
1494 struct io_ring_ctx *ctx = req->ctx;
1497 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1499 io_cqring_fill_event(req, -ECANCELED);
1500 io_commit_cqring(ctx);
1501 req->flags &= ~REQ_F_LINK_HEAD;
1509 static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1511 struct io_ring_ctx *ctx = req->ctx;
1512 bool wake_ev = false;
1514 /* Already got next link */
1515 if (req->flags & REQ_F_LINK_NEXT)
1519 * The list should never be empty when we are called here. But could
1520 * potentially happen if the chain is messed up, check to be on the
1523 while (!list_empty(&req->link_list)) {
1524 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1525 struct io_kiocb, link_list);
1527 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1528 (nxt->flags & REQ_F_TIMEOUT))) {
1529 list_del_init(&nxt->link_list);
1530 wake_ev |= io_link_cancel_timeout(nxt);
1531 req->flags &= ~REQ_F_LINK_TIMEOUT;
1535 list_del_init(&req->link_list);
1536 if (!list_empty(&nxt->link_list))
1537 nxt->flags |= REQ_F_LINK_HEAD;
1542 req->flags |= REQ_F_LINK_NEXT;
1544 io_cqring_ev_posted(ctx);
1548 * Called if REQ_F_LINK_HEAD is set, and we fail the head request
1550 static void io_fail_links(struct io_kiocb *req)
1552 struct io_ring_ctx *ctx = req->ctx;
1553 unsigned long flags;
1555 spin_lock_irqsave(&ctx->completion_lock, flags);
1557 while (!list_empty(&req->link_list)) {
1558 struct io_kiocb *link = list_first_entry(&req->link_list,
1559 struct io_kiocb, link_list);
1561 list_del_init(&link->link_list);
1562 trace_io_uring_fail_link(req, link);
1564 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
1565 link->opcode == IORING_OP_LINK_TIMEOUT) {
1566 io_link_cancel_timeout(link);
1568 io_cqring_fill_event(link, -ECANCELED);
1569 __io_double_put_req(link);
1571 req->flags &= ~REQ_F_LINK_TIMEOUT;
1574 io_commit_cqring(ctx);
1575 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1576 io_cqring_ev_posted(ctx);
1579 static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
1581 if (likely(!(req->flags & REQ_F_LINK_HEAD)))
1585 * If LINK is set, we have dependent requests in this chain. If we
1586 * didn't fail this request, queue the first one up, moving any other
1587 * dependencies to the next request. In case of failure, fail the rest
1590 if (req->flags & REQ_F_FAIL_LINK) {
1592 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1593 REQ_F_LINK_TIMEOUT) {
1594 struct io_ring_ctx *ctx = req->ctx;
1595 unsigned long flags;
1598 * If this is a timeout link, we could be racing with the
1599 * timeout timer. Grab the completion lock for this case to
1600 * protect against that.
1602 spin_lock_irqsave(&ctx->completion_lock, flags);
1603 io_req_link_next(req, nxt);
1604 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1606 io_req_link_next(req, nxt);
1610 static void io_free_req(struct io_kiocb *req)
1612 struct io_kiocb *nxt = NULL;
1614 io_req_find_next(req, &nxt);
1618 io_queue_async_work(nxt);
1621 static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
1623 struct io_kiocb *link;
1624 const struct io_op_def *def = &io_op_defs[nxt->opcode];
1626 if ((nxt->flags & REQ_F_ISREG) && def->hash_reg_file)
1627 io_wq_hash_work(&nxt->work, file_inode(nxt->file));
1629 *workptr = &nxt->work;
1630 link = io_prep_linked_timeout(nxt);
1632 nxt->flags |= REQ_F_QUEUE_TIMEOUT;
1636 * Drop reference to request, return next in chain (if there is one) if this
1637 * was the last reference to this request.
1639 __attribute__((nonnull))
1640 static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1642 if (refcount_dec_and_test(&req->refs)) {
1643 io_req_find_next(req, nxtptr);
1648 static void io_put_req(struct io_kiocb *req)
1650 if (refcount_dec_and_test(&req->refs))
1654 static void io_steal_work(struct io_kiocb *req,
1655 struct io_wq_work **workptr)
1658 * It's in an io-wq worker, so there always should be at least
1659 * one reference, which will be dropped in io_put_work() just
1660 * after the current handler returns.
1662 * It also means, that if the counter dropped to 1, then there is
1663 * no asynchronous users left, so it's safe to steal the next work.
1665 if (refcount_read(&req->refs) == 1) {
1666 struct io_kiocb *nxt = NULL;
1668 io_req_find_next(req, &nxt);
1670 io_wq_assign_next(workptr, nxt);
1675 * Must only be used if we don't need to care about links, usually from
1676 * within the completion handling itself.
1678 static void __io_double_put_req(struct io_kiocb *req)
1680 /* drop both submit and complete references */
1681 if (refcount_sub_and_test(2, &req->refs))
1685 static void io_double_put_req(struct io_kiocb *req)
1687 /* drop both submit and complete references */
1688 if (refcount_sub_and_test(2, &req->refs))
1692 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1694 struct io_rings *rings = ctx->rings;
1696 if (test_bit(0, &ctx->cq_check_overflow)) {
1698 * noflush == true is from the waitqueue handler, just ensure
1699 * we wake up the task, and the next invocation will flush the
1700 * entries. We cannot safely to it from here.
1702 if (noflush && !list_empty(&ctx->cq_overflow_list))
1705 io_cqring_overflow_flush(ctx, false);
1708 /* See comment at the top of this file */
1710 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
1713 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1715 struct io_rings *rings = ctx->rings;
1717 /* make sure SQ entry isn't read before tail */
1718 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1721 static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
1723 if ((req->flags & REQ_F_LINK_HEAD) || io_is_fallback_req(req))
1726 if (req->file || req->io)
1729 rb->reqs[rb->to_free++] = req;
1730 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1731 io_free_req_many(req->ctx, rb);
1735 static int io_put_kbuf(struct io_kiocb *req)
1737 struct io_buffer *kbuf;
1740 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
1741 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
1742 cflags |= IORING_CQE_F_BUFFER;
1748 static void io_iopoll_queue(struct list_head *again)
1750 struct io_kiocb *req;
1753 req = list_first_entry(again, struct io_kiocb, list);
1754 list_del(&req->list);
1756 /* shouldn't happen unless io_uring is dying, cancel reqs */
1757 if (unlikely(!current->mm)) {
1758 io_complete_rw_common(&req->rw.kiocb, -EAGAIN);
1763 refcount_inc(&req->refs);
1764 io_queue_async_work(req);
1765 } while (!list_empty(again));
1769 * Find and free completed poll iocbs
1771 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1772 struct list_head *done)
1774 struct req_batch rb;
1775 struct io_kiocb *req;
1778 /* order with ->result store in io_complete_rw_iopoll() */
1781 rb.to_free = rb.need_iter = 0;
1782 while (!list_empty(done)) {
1785 req = list_first_entry(done, struct io_kiocb, list);
1786 if (READ_ONCE(req->result) == -EAGAIN) {
1787 req->iopoll_completed = 0;
1788 list_move_tail(&req->list, &again);
1791 list_del(&req->list);
1793 if (req->flags & REQ_F_BUFFER_SELECTED)
1794 cflags = io_put_kbuf(req);
1796 __io_cqring_fill_event(req, req->result, cflags);
1799 if (refcount_dec_and_test(&req->refs) &&
1800 !io_req_multi_free(&rb, req))
1804 io_commit_cqring(ctx);
1805 if (ctx->flags & IORING_SETUP_SQPOLL)
1806 io_cqring_ev_posted(ctx);
1807 io_free_req_many(ctx, &rb);
1809 if (!list_empty(&again))
1810 io_iopoll_queue(&again);
1813 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1816 struct io_kiocb *req, *tmp;
1822 * Only spin for completions if we don't have multiple devices hanging
1823 * off our complete list, and we're under the requested amount.
1825 spin = !ctx->poll_multi_file && *nr_events < min;
1828 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1829 struct kiocb *kiocb = &req->rw.kiocb;
1832 * Move completed and retryable entries to our local lists.
1833 * If we find a request that requires polling, break out
1834 * and complete those lists first, if we have entries there.
1836 if (READ_ONCE(req->iopoll_completed)) {
1837 list_move_tail(&req->list, &done);
1840 if (!list_empty(&done))
1843 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1852 if (!list_empty(&done))
1853 io_iopoll_complete(ctx, nr_events, &done);
1859 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
1860 * non-spinning poll check - we'll still enter the driver poll loop, but only
1861 * as a non-spinning completion check.
1863 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1866 while (!list_empty(&ctx->poll_list) && !need_resched()) {
1869 ret = io_do_iopoll(ctx, nr_events, min);
1872 if (!min || *nr_events >= min)
1880 * We can't just wait for polled events to come to us, we have to actively
1881 * find and complete them.
1883 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1885 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1888 mutex_lock(&ctx->uring_lock);
1889 while (!list_empty(&ctx->poll_list)) {
1890 unsigned int nr_events = 0;
1892 io_iopoll_getevents(ctx, &nr_events, 1);
1895 * Ensure we allow local-to-the-cpu processing to take place,
1896 * in this case we need to ensure that we reap all events.
1900 mutex_unlock(&ctx->uring_lock);
1903 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1906 int iters = 0, ret = 0;
1909 * We disallow the app entering submit/complete with polling, but we
1910 * still need to lock the ring to prevent racing with polled issue
1911 * that got punted to a workqueue.
1913 mutex_lock(&ctx->uring_lock);
1918 * Don't enter poll loop if we already have events pending.
1919 * If we do, we can potentially be spinning for commands that
1920 * already triggered a CQE (eg in error).
1922 if (io_cqring_events(ctx, false))
1926 * If a submit got punted to a workqueue, we can have the
1927 * application entering polling for a command before it gets
1928 * issued. That app will hold the uring_lock for the duration
1929 * of the poll right here, so we need to take a breather every
1930 * now and then to ensure that the issue has a chance to add
1931 * the poll to the issued list. Otherwise we can spin here
1932 * forever, while the workqueue is stuck trying to acquire the
1935 if (!(++iters & 7)) {
1936 mutex_unlock(&ctx->uring_lock);
1937 mutex_lock(&ctx->uring_lock);
1940 if (*nr_events < min)
1941 tmin = min - *nr_events;
1943 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1947 } while (min && !*nr_events && !need_resched());
1949 mutex_unlock(&ctx->uring_lock);
1953 static void kiocb_end_write(struct io_kiocb *req)
1956 * Tell lockdep we inherited freeze protection from submission
1959 if (req->flags & REQ_F_ISREG) {
1960 struct inode *inode = file_inode(req->file);
1962 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
1964 file_end_write(req->file);
1967 static inline void req_set_fail_links(struct io_kiocb *req)
1969 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1970 req->flags |= REQ_F_FAIL_LINK;
1973 static void io_complete_rw_common(struct kiocb *kiocb, long res)
1975 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1978 if (kiocb->ki_flags & IOCB_WRITE)
1979 kiocb_end_write(req);
1981 if (res != req->result)
1982 req_set_fail_links(req);
1983 if (req->flags & REQ_F_BUFFER_SELECTED)
1984 cflags = io_put_kbuf(req);
1985 __io_cqring_add_event(req, res, cflags);
1988 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1990 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1992 io_complete_rw_common(kiocb, res);
1996 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1998 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2000 if (kiocb->ki_flags & IOCB_WRITE)
2001 kiocb_end_write(req);
2003 if (res != -EAGAIN && res != req->result)
2004 req_set_fail_links(req);
2006 WRITE_ONCE(req->result, res);
2007 /* order with io_poll_complete() checking ->result */
2009 WRITE_ONCE(req->iopoll_completed, 1);
2013 * After the iocb has been issued, it's safe to be found on the poll list.
2014 * Adding the kiocb to the list AFTER submission ensures that we don't
2015 * find it from a io_iopoll_getevents() thread before the issuer is done
2016 * accessing the kiocb cookie.
2018 static void io_iopoll_req_issued(struct io_kiocb *req)
2020 struct io_ring_ctx *ctx = req->ctx;
2023 * Track whether we have multiple files in our lists. This will impact
2024 * how we do polling eventually, not spinning if we're on potentially
2025 * different devices.
2027 if (list_empty(&ctx->poll_list)) {
2028 ctx->poll_multi_file = false;
2029 } else if (!ctx->poll_multi_file) {
2030 struct io_kiocb *list_req;
2032 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
2034 if (list_req->file != req->file)
2035 ctx->poll_multi_file = true;
2039 * For fast devices, IO may have already completed. If it has, add
2040 * it to the front so we find it first.
2042 if (READ_ONCE(req->iopoll_completed))
2043 list_add(&req->list, &ctx->poll_list);
2045 list_add_tail(&req->list, &ctx->poll_list);
2047 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
2048 wq_has_sleeper(&ctx->sqo_wait))
2049 wake_up(&ctx->sqo_wait);
2052 static void __io_state_file_put(struct io_submit_state *state)
2054 int diff = state->has_refs - state->used_refs;
2057 fput_many(state->file, diff);
2061 static inline void io_state_file_put(struct io_submit_state *state)
2064 __io_state_file_put(state);
2068 * Get as many references to a file as we have IOs left in this submission,
2069 * assuming most submissions are for one file, or at least that each file
2070 * has more than one submission.
2072 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2078 if (state->fd == fd) {
2083 __io_state_file_put(state);
2085 state->file = fget_many(fd, state->ios_left);
2090 state->has_refs = state->ios_left;
2091 state->used_refs = 1;
2097 * If we tracked the file through the SCM inflight mechanism, we could support
2098 * any file. For now, just ensure that anything potentially problematic is done
2101 static bool io_file_supports_async(struct file *file, int rw)
2103 umode_t mode = file_inode(file)->i_mode;
2105 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2107 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
2110 /* any ->read/write should understand O_NONBLOCK */
2111 if (file->f_flags & O_NONBLOCK)
2114 if (!(file->f_mode & FMODE_NOWAIT))
2118 return file->f_op->read_iter != NULL;
2120 return file->f_op->write_iter != NULL;
2123 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2124 bool force_nonblock)
2126 struct io_ring_ctx *ctx = req->ctx;
2127 struct kiocb *kiocb = &req->rw.kiocb;
2131 if (S_ISREG(file_inode(req->file)->i_mode))
2132 req->flags |= REQ_F_ISREG;
2134 kiocb->ki_pos = READ_ONCE(sqe->off);
2135 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
2136 req->flags |= REQ_F_CUR_POS;
2137 kiocb->ki_pos = req->file->f_pos;
2139 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2140 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2141 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2145 ioprio = READ_ONCE(sqe->ioprio);
2147 ret = ioprio_check_cap(ioprio);
2151 kiocb->ki_ioprio = ioprio;
2153 kiocb->ki_ioprio = get_current_ioprio();
2155 /* don't allow async punt if RWF_NOWAIT was requested */
2156 if (kiocb->ki_flags & IOCB_NOWAIT)
2157 req->flags |= REQ_F_NOWAIT;
2160 kiocb->ki_flags |= IOCB_NOWAIT;
2162 if (ctx->flags & IORING_SETUP_IOPOLL) {
2163 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2164 !kiocb->ki_filp->f_op->iopoll)
2167 kiocb->ki_flags |= IOCB_HIPRI;
2168 kiocb->ki_complete = io_complete_rw_iopoll;
2170 req->iopoll_completed = 0;
2172 if (kiocb->ki_flags & IOCB_HIPRI)
2174 kiocb->ki_complete = io_complete_rw;
2177 req->rw.addr = READ_ONCE(sqe->addr);
2178 req->rw.len = READ_ONCE(sqe->len);
2179 req->buf_index = READ_ONCE(sqe->buf_index);
2183 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2189 case -ERESTARTNOINTR:
2190 case -ERESTARTNOHAND:
2191 case -ERESTART_RESTARTBLOCK:
2193 * We can't just restart the syscall, since previously
2194 * submitted sqes may already be in progress. Just fail this
2200 kiocb->ki_complete(kiocb, ret, 0);
2204 static void kiocb_done(struct kiocb *kiocb, ssize_t ret)
2206 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2208 if (req->flags & REQ_F_CUR_POS)
2209 req->file->f_pos = kiocb->ki_pos;
2210 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2211 io_complete_rw(kiocb, ret, 0);
2213 io_rw_done(kiocb, ret);
2216 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
2217 struct iov_iter *iter)
2219 struct io_ring_ctx *ctx = req->ctx;
2220 size_t len = req->rw.len;
2221 struct io_mapped_ubuf *imu;
2222 u16 index, buf_index;
2226 /* attempt to use fixed buffers without having provided iovecs */
2227 if (unlikely(!ctx->user_bufs))
2230 buf_index = req->buf_index;
2231 if (unlikely(buf_index >= ctx->nr_user_bufs))
2234 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2235 imu = &ctx->user_bufs[index];
2236 buf_addr = req->rw.addr;
2239 if (buf_addr + len < buf_addr)
2241 /* not inside the mapped region */
2242 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2246 * May not be a start of buffer, set size appropriately
2247 * and advance us to the beginning.
2249 offset = buf_addr - imu->ubuf;
2250 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2254 * Don't use iov_iter_advance() here, as it's really slow for
2255 * using the latter parts of a big fixed buffer - it iterates
2256 * over each segment manually. We can cheat a bit here, because
2259 * 1) it's a BVEC iter, we set it up
2260 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2261 * first and last bvec
2263 * So just find our index, and adjust the iterator afterwards.
2264 * If the offset is within the first bvec (or the whole first
2265 * bvec, just use iov_iter_advance(). This makes it easier
2266 * since we can just skip the first segment, which may not
2267 * be PAGE_SIZE aligned.
2269 const struct bio_vec *bvec = imu->bvec;
2271 if (offset <= bvec->bv_len) {
2272 iov_iter_advance(iter, offset);
2274 unsigned long seg_skip;
2276 /* skip first vec */
2277 offset -= bvec->bv_len;
2278 seg_skip = 1 + (offset >> PAGE_SHIFT);
2280 iter->bvec = bvec + seg_skip;
2281 iter->nr_segs -= seg_skip;
2282 iter->count -= bvec->bv_len + offset;
2283 iter->iov_offset = offset & ~PAGE_MASK;
2290 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2293 mutex_unlock(&ctx->uring_lock);
2296 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2299 * "Normal" inline submissions always hold the uring_lock, since we
2300 * grab it from the system call. Same is true for the SQPOLL offload.
2301 * The only exception is when we've detached the request and issue it
2302 * from an async worker thread, grab the lock for that case.
2305 mutex_lock(&ctx->uring_lock);
2308 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2309 int bgid, struct io_buffer *kbuf,
2312 struct io_buffer *head;
2314 if (req->flags & REQ_F_BUFFER_SELECTED)
2317 io_ring_submit_lock(req->ctx, needs_lock);
2319 lockdep_assert_held(&req->ctx->uring_lock);
2321 head = idr_find(&req->ctx->io_buffer_idr, bgid);
2323 if (!list_empty(&head->list)) {
2324 kbuf = list_last_entry(&head->list, struct io_buffer,
2326 list_del(&kbuf->list);
2329 idr_remove(&req->ctx->io_buffer_idr, bgid);
2331 if (*len > kbuf->len)
2334 kbuf = ERR_PTR(-ENOBUFS);
2337 io_ring_submit_unlock(req->ctx, needs_lock);
2342 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2345 struct io_buffer *kbuf;
2348 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2349 bgid = req->buf_index;
2350 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2353 req->rw.addr = (u64) (unsigned long) kbuf;
2354 req->flags |= REQ_F_BUFFER_SELECTED;
2355 return u64_to_user_ptr(kbuf->addr);
2358 #ifdef CONFIG_COMPAT
2359 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2362 struct compat_iovec __user *uiov;
2363 compat_ssize_t clen;
2367 uiov = u64_to_user_ptr(req->rw.addr);
2368 if (!access_ok(uiov, sizeof(*uiov)))
2370 if (__get_user(clen, &uiov->iov_len))
2376 buf = io_rw_buffer_select(req, &len, needs_lock);
2378 return PTR_ERR(buf);
2379 iov[0].iov_base = buf;
2380 iov[0].iov_len = (compat_size_t) len;
2385 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2388 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
2392 if (copy_from_user(iov, uiov, sizeof(*uiov)))
2395 len = iov[0].iov_len;
2398 buf = io_rw_buffer_select(req, &len, needs_lock);
2400 return PTR_ERR(buf);
2401 iov[0].iov_base = buf;
2402 iov[0].iov_len = len;
2406 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2409 if (req->flags & REQ_F_BUFFER_SELECTED) {
2410 struct io_buffer *kbuf;
2412 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2413 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
2414 iov[0].iov_len = kbuf->len;
2419 else if (req->rw.len > 1)
2422 #ifdef CONFIG_COMPAT
2423 if (req->ctx->compat)
2424 return io_compat_import(req, iov, needs_lock);
2427 return __io_iov_buffer_select(req, iov, needs_lock);
2430 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
2431 struct iovec **iovec, struct iov_iter *iter,
2434 void __user *buf = u64_to_user_ptr(req->rw.addr);
2435 size_t sqe_len = req->rw.len;
2439 opcode = req->opcode;
2440 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
2442 return io_import_fixed(req, rw, iter);
2445 /* buffer index only valid with fixed read/write, or buffer select */
2446 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
2449 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2450 if (req->flags & REQ_F_BUFFER_SELECT) {
2451 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
2454 return PTR_ERR(buf);
2456 req->rw.len = sqe_len;
2459 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2461 return ret < 0 ? ret : sqe_len;
2465 struct io_async_rw *iorw = &req->io->rw;
2468 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2469 if (iorw->iov == iorw->fast_iov)
2474 if (req->flags & REQ_F_BUFFER_SELECT) {
2475 ret = io_iov_buffer_select(req, *iovec, needs_lock);
2477 ret = (*iovec)->iov_len;
2478 iov_iter_init(iter, rw, *iovec, 1, ret);
2484 #ifdef CONFIG_COMPAT
2485 if (req->ctx->compat)
2486 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2490 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2494 * For files that don't have ->read_iter() and ->write_iter(), handle them
2495 * by looping over ->read() or ->write() manually.
2497 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2498 struct iov_iter *iter)
2503 * Don't support polled IO through this interface, and we can't
2504 * support non-blocking either. For the latter, this just causes
2505 * the kiocb to be handled from an async context.
2507 if (kiocb->ki_flags & IOCB_HIPRI)
2509 if (kiocb->ki_flags & IOCB_NOWAIT)
2512 while (iov_iter_count(iter)) {
2516 if (!iov_iter_is_bvec(iter)) {
2517 iovec = iov_iter_iovec(iter);
2519 /* fixed buffers import bvec */
2520 iovec.iov_base = kmap(iter->bvec->bv_page)
2522 iovec.iov_len = min(iter->count,
2523 iter->bvec->bv_len - iter->iov_offset);
2527 nr = file->f_op->read(file, iovec.iov_base,
2528 iovec.iov_len, &kiocb->ki_pos);
2530 nr = file->f_op->write(file, iovec.iov_base,
2531 iovec.iov_len, &kiocb->ki_pos);
2534 if (iov_iter_is_bvec(iter))
2535 kunmap(iter->bvec->bv_page);
2543 if (nr != iovec.iov_len)
2545 iov_iter_advance(iter, nr);
2551 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
2552 struct iovec *iovec, struct iovec *fast_iov,
2553 struct iov_iter *iter)
2555 req->io->rw.nr_segs = iter->nr_segs;
2556 req->io->rw.size = io_size;
2557 req->io->rw.iov = iovec;
2558 if (!req->io->rw.iov) {
2559 req->io->rw.iov = req->io->rw.fast_iov;
2560 if (req->io->rw.iov != fast_iov)
2561 memcpy(req->io->rw.iov, fast_iov,
2562 sizeof(struct iovec) * iter->nr_segs);
2564 req->flags |= REQ_F_NEED_CLEANUP;
2568 static inline int __io_alloc_async_ctx(struct io_kiocb *req)
2570 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
2571 return req->io == NULL;
2574 static int io_alloc_async_ctx(struct io_kiocb *req)
2576 if (!io_op_defs[req->opcode].async_ctx)
2579 return __io_alloc_async_ctx(req);
2582 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2583 struct iovec *iovec, struct iovec *fast_iov,
2584 struct iov_iter *iter)
2586 if (!io_op_defs[req->opcode].async_ctx)
2589 if (__io_alloc_async_ctx(req))
2592 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2597 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2598 bool force_nonblock)
2600 struct io_async_ctx *io;
2601 struct iov_iter iter;
2604 ret = io_prep_rw(req, sqe, force_nonblock);
2608 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2611 /* either don't need iovec imported or already have it */
2612 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2616 io->rw.iov = io->rw.fast_iov;
2618 ret = io_import_iovec(READ, req, &io->rw.iov, &iter, !force_nonblock);
2623 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2627 static int io_read(struct io_kiocb *req, bool force_nonblock)
2629 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2630 struct kiocb *kiocb = &req->rw.kiocb;
2631 struct iov_iter iter;
2633 ssize_t io_size, ret;
2635 ret = io_import_iovec(READ, req, &iovec, &iter, !force_nonblock);
2639 /* Ensure we clear previously set non-block flag */
2640 if (!force_nonblock)
2641 kiocb->ki_flags &= ~IOCB_NOWAIT;
2645 if (req->flags & REQ_F_LINK_HEAD)
2646 req->result = io_size;
2649 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2650 * we know to async punt it even if it was opened O_NONBLOCK
2652 if (force_nonblock && !io_file_supports_async(req->file, READ))
2655 iov_count = iov_iter_count(&iter);
2656 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2660 if (req->file->f_op->read_iter)
2661 ret2 = call_read_iter(req->file, kiocb, &iter);
2663 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
2665 /* Catch -EAGAIN return for forced non-blocking submission */
2666 if (!force_nonblock || ret2 != -EAGAIN) {
2667 kiocb_done(kiocb, ret2);
2670 ret = io_setup_async_rw(req, io_size, iovec,
2671 inline_vecs, &iter);
2674 /* any defer here is final, must blocking retry */
2675 if (!(req->flags & REQ_F_NOWAIT) &&
2676 !file_can_poll(req->file))
2677 req->flags |= REQ_F_MUST_PUNT;
2682 if (!(req->flags & REQ_F_NEED_CLEANUP))
2687 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2688 bool force_nonblock)
2690 struct io_async_ctx *io;
2691 struct iov_iter iter;
2694 ret = io_prep_rw(req, sqe, force_nonblock);
2698 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2701 req->fsize = rlimit(RLIMIT_FSIZE);
2703 /* either don't need iovec imported or already have it */
2704 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2708 io->rw.iov = io->rw.fast_iov;
2710 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter, !force_nonblock);
2715 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2719 static int io_write(struct io_kiocb *req, bool force_nonblock)
2721 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2722 struct kiocb *kiocb = &req->rw.kiocb;
2723 struct iov_iter iter;
2725 ssize_t ret, io_size;
2727 ret = io_import_iovec(WRITE, req, &iovec, &iter, !force_nonblock);
2731 /* Ensure we clear previously set non-block flag */
2732 if (!force_nonblock)
2733 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
2737 if (req->flags & REQ_F_LINK_HEAD)
2738 req->result = io_size;
2741 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2742 * we know to async punt it even if it was opened O_NONBLOCK
2744 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
2747 /* file path doesn't support NOWAIT for non-direct_IO */
2748 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2749 (req->flags & REQ_F_ISREG))
2752 iov_count = iov_iter_count(&iter);
2753 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2758 * Open-code file_start_write here to grab freeze protection,
2759 * which will be released by another thread in
2760 * io_complete_rw(). Fool lockdep by telling it the lock got
2761 * released so that it doesn't complain about the held lock when
2762 * we return to userspace.
2764 if (req->flags & REQ_F_ISREG) {
2765 __sb_start_write(file_inode(req->file)->i_sb,
2766 SB_FREEZE_WRITE, true);
2767 __sb_writers_release(file_inode(req->file)->i_sb,
2770 kiocb->ki_flags |= IOCB_WRITE;
2772 if (!force_nonblock)
2773 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
2775 if (req->file->f_op->write_iter)
2776 ret2 = call_write_iter(req->file, kiocb, &iter);
2778 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
2780 if (!force_nonblock)
2781 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
2784 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
2785 * retry them without IOCB_NOWAIT.
2787 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
2789 if (!force_nonblock || ret2 != -EAGAIN) {
2790 kiocb_done(kiocb, ret2);
2793 ret = io_setup_async_rw(req, io_size, iovec,
2794 inline_vecs, &iter);
2797 /* any defer here is final, must blocking retry */
2798 if (!(req->flags & REQ_F_NOWAIT) &&
2799 !file_can_poll(req->file))
2800 req->flags |= REQ_F_MUST_PUNT;
2805 if (!(req->flags & REQ_F_NEED_CLEANUP))
2810 static int __io_splice_prep(struct io_kiocb *req,
2811 const struct io_uring_sqe *sqe)
2813 struct io_splice* sp = &req->splice;
2814 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
2817 if (req->flags & REQ_F_NEED_CLEANUP)
2819 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2823 sp->len = READ_ONCE(sqe->len);
2824 sp->flags = READ_ONCE(sqe->splice_flags);
2826 if (unlikely(sp->flags & ~valid_flags))
2829 ret = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in), &sp->file_in,
2830 (sp->flags & SPLICE_F_FD_IN_FIXED));
2833 req->flags |= REQ_F_NEED_CLEANUP;
2835 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
2837 * Splice operation will be punted aync, and here need to
2838 * modify io_wq_work.flags, so initialize io_wq_work firstly.
2840 io_req_init_async(req);
2841 req->work.flags |= IO_WQ_WORK_UNBOUND;
2847 static int io_tee_prep(struct io_kiocb *req,
2848 const struct io_uring_sqe *sqe)
2850 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
2852 return __io_splice_prep(req, sqe);
2855 static int io_tee(struct io_kiocb *req, bool force_nonblock)
2857 struct io_splice *sp = &req->splice;
2858 struct file *in = sp->file_in;
2859 struct file *out = sp->file_out;
2860 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
2866 ret = do_tee(in, out, sp->len, flags);
2868 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
2869 req->flags &= ~REQ_F_NEED_CLEANUP;
2871 io_cqring_add_event(req, ret);
2873 req_set_fail_links(req);
2878 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2880 struct io_splice* sp = &req->splice;
2882 sp->off_in = READ_ONCE(sqe->splice_off_in);
2883 sp->off_out = READ_ONCE(sqe->off);
2884 return __io_splice_prep(req, sqe);
2887 static int io_splice(struct io_kiocb *req, bool force_nonblock)
2889 struct io_splice *sp = &req->splice;
2890 struct file *in = sp->file_in;
2891 struct file *out = sp->file_out;
2892 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
2893 loff_t *poff_in, *poff_out;
2899 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
2900 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
2903 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
2905 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
2906 req->flags &= ~REQ_F_NEED_CLEANUP;
2908 io_cqring_add_event(req, ret);
2910 req_set_fail_links(req);
2916 * IORING_OP_NOP just posts a completion event, nothing else.
2918 static int io_nop(struct io_kiocb *req)
2920 struct io_ring_ctx *ctx = req->ctx;
2922 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2925 io_cqring_add_event(req, 0);
2930 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2932 struct io_ring_ctx *ctx = req->ctx;
2937 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2939 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2942 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2943 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2946 req->sync.off = READ_ONCE(sqe->off);
2947 req->sync.len = READ_ONCE(sqe->len);
2951 static int io_fsync(struct io_kiocb *req, bool force_nonblock)
2953 loff_t end = req->sync.off + req->sync.len;
2956 /* fsync always requires a blocking context */
2960 ret = vfs_fsync_range(req->file, req->sync.off,
2961 end > 0 ? end : LLONG_MAX,
2962 req->sync.flags & IORING_FSYNC_DATASYNC);
2964 req_set_fail_links(req);
2965 io_cqring_add_event(req, ret);
2970 static int io_fallocate_prep(struct io_kiocb *req,
2971 const struct io_uring_sqe *sqe)
2973 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2975 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2978 req->sync.off = READ_ONCE(sqe->off);
2979 req->sync.len = READ_ONCE(sqe->addr);
2980 req->sync.mode = READ_ONCE(sqe->len);
2981 req->fsize = rlimit(RLIMIT_FSIZE);
2985 static int io_fallocate(struct io_kiocb *req, bool force_nonblock)
2989 /* fallocate always requiring blocking context */
2993 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
2994 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2996 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
2998 req_set_fail_links(req);
2999 io_cqring_add_event(req, ret);
3004 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3006 const char __user *fname;
3009 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3011 if (unlikely(sqe->ioprio || sqe->buf_index))
3013 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3016 /* open.how should be already initialised */
3017 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3018 req->open.how.flags |= O_LARGEFILE;
3020 req->open.dfd = READ_ONCE(sqe->fd);
3021 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3022 req->open.filename = getname(fname);
3023 if (IS_ERR(req->open.filename)) {
3024 ret = PTR_ERR(req->open.filename);
3025 req->open.filename = NULL;
3028 req->open.nofile = rlimit(RLIMIT_NOFILE);
3029 req->flags |= REQ_F_NEED_CLEANUP;
3033 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3037 if (req->flags & REQ_F_NEED_CLEANUP)
3039 mode = READ_ONCE(sqe->len);
3040 flags = READ_ONCE(sqe->open_flags);
3041 req->open.how = build_open_how(flags, mode);
3042 return __io_openat_prep(req, sqe);
3045 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3047 struct open_how __user *how;
3051 if (req->flags & REQ_F_NEED_CLEANUP)
3053 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3054 len = READ_ONCE(sqe->len);
3055 if (len < OPEN_HOW_SIZE_VER0)
3058 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3063 return __io_openat_prep(req, sqe);
3066 static int io_openat2(struct io_kiocb *req, bool force_nonblock)
3068 struct open_flags op;
3075 ret = build_open_flags(&req->open.how, &op);
3079 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3083 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3086 ret = PTR_ERR(file);
3088 fsnotify_open(file);
3089 fd_install(ret, file);
3092 putname(req->open.filename);
3093 req->flags &= ~REQ_F_NEED_CLEANUP;
3095 req_set_fail_links(req);
3096 io_cqring_add_event(req, ret);
3101 static int io_openat(struct io_kiocb *req, bool force_nonblock)
3103 return io_openat2(req, force_nonblock);
3106 static int io_remove_buffers_prep(struct io_kiocb *req,
3107 const struct io_uring_sqe *sqe)
3109 struct io_provide_buf *p = &req->pbuf;
3112 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3115 tmp = READ_ONCE(sqe->fd);
3116 if (!tmp || tmp > USHRT_MAX)
3119 memset(p, 0, sizeof(*p));
3121 p->bgid = READ_ONCE(sqe->buf_group);
3125 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3126 int bgid, unsigned nbufs)
3130 /* shouldn't happen */
3134 /* the head kbuf is the list itself */
3135 while (!list_empty(&buf->list)) {
3136 struct io_buffer *nxt;
3138 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3139 list_del(&nxt->list);
3146 idr_remove(&ctx->io_buffer_idr, bgid);
3151 static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock)
3153 struct io_provide_buf *p = &req->pbuf;
3154 struct io_ring_ctx *ctx = req->ctx;
3155 struct io_buffer *head;
3158 io_ring_submit_lock(ctx, !force_nonblock);
3160 lockdep_assert_held(&ctx->uring_lock);
3163 head = idr_find(&ctx->io_buffer_idr, p->bgid);
3165 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3167 io_ring_submit_lock(ctx, !force_nonblock);
3169 req_set_fail_links(req);
3170 io_cqring_add_event(req, ret);
3175 static int io_provide_buffers_prep(struct io_kiocb *req,
3176 const struct io_uring_sqe *sqe)
3178 struct io_provide_buf *p = &req->pbuf;
3181 if (sqe->ioprio || sqe->rw_flags)
3184 tmp = READ_ONCE(sqe->fd);
3185 if (!tmp || tmp > USHRT_MAX)
3188 p->addr = READ_ONCE(sqe->addr);
3189 p->len = READ_ONCE(sqe->len);
3191 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3194 p->bgid = READ_ONCE(sqe->buf_group);
3195 tmp = READ_ONCE(sqe->off);
3196 if (tmp > USHRT_MAX)
3202 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3204 struct io_buffer *buf;
3205 u64 addr = pbuf->addr;
3206 int i, bid = pbuf->bid;
3208 for (i = 0; i < pbuf->nbufs; i++) {
3209 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3214 buf->len = pbuf->len;
3219 INIT_LIST_HEAD(&buf->list);
3222 list_add_tail(&buf->list, &(*head)->list);
3226 return i ? i : -ENOMEM;
3229 static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock)
3231 struct io_provide_buf *p = &req->pbuf;
3232 struct io_ring_ctx *ctx = req->ctx;
3233 struct io_buffer *head, *list;
3236 io_ring_submit_lock(ctx, !force_nonblock);
3238 lockdep_assert_held(&ctx->uring_lock);
3240 list = head = idr_find(&ctx->io_buffer_idr, p->bgid);
3242 ret = io_add_buffers(p, &head);
3247 ret = idr_alloc(&ctx->io_buffer_idr, head, p->bgid, p->bgid + 1,
3250 __io_remove_buffers(ctx, head, p->bgid, -1U);
3255 io_ring_submit_unlock(ctx, !force_nonblock);
3257 req_set_fail_links(req);
3258 io_cqring_add_event(req, ret);
3263 static int io_epoll_ctl_prep(struct io_kiocb *req,
3264 const struct io_uring_sqe *sqe)
3266 #if defined(CONFIG_EPOLL)
3267 if (sqe->ioprio || sqe->buf_index)
3269 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3272 req->epoll.epfd = READ_ONCE(sqe->fd);
3273 req->epoll.op = READ_ONCE(sqe->len);
3274 req->epoll.fd = READ_ONCE(sqe->off);
3276 if (ep_op_has_event(req->epoll.op)) {
3277 struct epoll_event __user *ev;
3279 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
3280 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
3290 static int io_epoll_ctl(struct io_kiocb *req, bool force_nonblock)
3292 #if defined(CONFIG_EPOLL)
3293 struct io_epoll *ie = &req->epoll;
3296 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
3297 if (force_nonblock && ret == -EAGAIN)
3301 req_set_fail_links(req);
3302 io_cqring_add_event(req, ret);
3310 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3312 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3313 if (sqe->ioprio || sqe->buf_index || sqe->off)
3315 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3318 req->madvise.addr = READ_ONCE(sqe->addr);
3319 req->madvise.len = READ_ONCE(sqe->len);
3320 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
3327 static int io_madvise(struct io_kiocb *req, bool force_nonblock)
3329 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3330 struct io_madvise *ma = &req->madvise;
3336 ret = do_madvise(ma->addr, ma->len, ma->advice);
3338 req_set_fail_links(req);
3339 io_cqring_add_event(req, ret);
3347 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3349 if (sqe->ioprio || sqe->buf_index || sqe->addr)
3351 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3354 req->fadvise.offset = READ_ONCE(sqe->off);
3355 req->fadvise.len = READ_ONCE(sqe->len);
3356 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
3360 static int io_fadvise(struct io_kiocb *req, bool force_nonblock)
3362 struct io_fadvise *fa = &req->fadvise;
3365 if (force_nonblock) {
3366 switch (fa->advice) {
3367 case POSIX_FADV_NORMAL:
3368 case POSIX_FADV_RANDOM:
3369 case POSIX_FADV_SEQUENTIAL:
3376 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
3378 req_set_fail_links(req);
3379 io_cqring_add_event(req, ret);
3384 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3386 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3388 if (sqe->ioprio || sqe->buf_index)
3390 if (req->flags & REQ_F_FIXED_FILE)
3393 req->statx.dfd = READ_ONCE(sqe->fd);
3394 req->statx.mask = READ_ONCE(sqe->len);
3395 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
3396 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3397 req->statx.flags = READ_ONCE(sqe->statx_flags);
3402 static int io_statx(struct io_kiocb *req, bool force_nonblock)
3404 struct io_statx *ctx = &req->statx;
3407 if (force_nonblock) {
3408 /* only need file table for an actual valid fd */
3409 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
3410 req->flags |= REQ_F_NO_FILE_TABLE;
3414 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
3418 req_set_fail_links(req);
3419 io_cqring_add_event(req, ret);
3424 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3427 * If we queue this for async, it must not be cancellable. That would
3428 * leave the 'file' in an undeterminate state, and here need to modify
3429 * io_wq_work.flags, so initialize io_wq_work firstly.
3431 io_req_init_async(req);
3432 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
3434 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3436 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
3437 sqe->rw_flags || sqe->buf_index)
3439 if (req->flags & REQ_F_FIXED_FILE)
3442 req->close.fd = READ_ONCE(sqe->fd);
3443 if ((req->file && req->file->f_op == &io_uring_fops) ||
3444 req->close.fd == req->ctx->ring_fd)
3447 req->close.put_file = NULL;
3451 static int io_close(struct io_kiocb *req, bool force_nonblock)
3453 struct io_close *close = &req->close;
3456 /* might be already done during nonblock submission */
3457 if (!close->put_file) {
3458 ret = __close_fd_get_file(close->fd, &close->put_file);
3460 return (ret == -ENOENT) ? -EBADF : ret;
3463 /* if the file has a flush method, be safe and punt to async */
3464 if (close->put_file->f_op->flush && force_nonblock) {
3465 /* avoid grabbing files - we don't need the files */
3466 req->flags |= REQ_F_NO_FILE_TABLE | REQ_F_MUST_PUNT;
3470 /* No ->flush() or already async, safely close from here */
3471 ret = filp_close(close->put_file, req->work.files);
3473 req_set_fail_links(req);
3474 io_cqring_add_event(req, ret);
3475 fput(close->put_file);
3476 close->put_file = NULL;
3481 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3483 struct io_ring_ctx *ctx = req->ctx;
3488 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3490 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3493 req->sync.off = READ_ONCE(sqe->off);
3494 req->sync.len = READ_ONCE(sqe->len);
3495 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
3499 static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
3503 /* sync_file_range always requires a blocking context */
3507 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
3510 req_set_fail_links(req);
3511 io_cqring_add_event(req, ret);
3516 #if defined(CONFIG_NET)
3517 static int io_setup_async_msg(struct io_kiocb *req,
3518 struct io_async_msghdr *kmsg)
3522 if (io_alloc_async_ctx(req)) {
3523 if (kmsg->iov != kmsg->fast_iov)
3527 req->flags |= REQ_F_NEED_CLEANUP;
3528 memcpy(&req->io->msg, kmsg, sizeof(*kmsg));
3532 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3534 struct io_sr_msg *sr = &req->sr_msg;
3535 struct io_async_ctx *io = req->io;
3538 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3541 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3542 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3543 sr->len = READ_ONCE(sqe->len);
3545 #ifdef CONFIG_COMPAT
3546 if (req->ctx->compat)
3547 sr->msg_flags |= MSG_CMSG_COMPAT;
3550 if (!io || req->opcode == IORING_OP_SEND)
3552 /* iovec is already imported */
3553 if (req->flags & REQ_F_NEED_CLEANUP)
3556 io->msg.iov = io->msg.fast_iov;
3557 ret = sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
3560 req->flags |= REQ_F_NEED_CLEANUP;
3564 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock)
3566 struct io_async_msghdr *kmsg = NULL;
3567 struct socket *sock;
3570 sock = sock_from_file(req->file, &ret);
3572 struct io_async_ctx io;
3576 kmsg = &req->io->msg;
3577 kmsg->msg.msg_name = &req->io->msg.addr;
3578 /* if iov is set, it's allocated already */
3580 kmsg->iov = kmsg->fast_iov;
3581 kmsg->msg.msg_iter.iov = kmsg->iov;
3583 struct io_sr_msg *sr = &req->sr_msg;
3586 kmsg->msg.msg_name = &io.msg.addr;
3588 io.msg.iov = io.msg.fast_iov;
3589 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
3590 sr->msg_flags, &io.msg.iov);
3595 flags = req->sr_msg.msg_flags;
3596 if (flags & MSG_DONTWAIT)
3597 req->flags |= REQ_F_NOWAIT;
3598 else if (force_nonblock)
3599 flags |= MSG_DONTWAIT;
3601 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
3602 if (force_nonblock && ret == -EAGAIN)
3603 return io_setup_async_msg(req, kmsg);
3604 if (ret == -ERESTARTSYS)
3608 if (kmsg && kmsg->iov != kmsg->fast_iov)
3610 req->flags &= ~REQ_F_NEED_CLEANUP;
3611 io_cqring_add_event(req, ret);
3613 req_set_fail_links(req);
3618 static int io_send(struct io_kiocb *req, bool force_nonblock)
3620 struct socket *sock;
3623 sock = sock_from_file(req->file, &ret);
3625 struct io_sr_msg *sr = &req->sr_msg;
3630 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
3635 msg.msg_name = NULL;
3636 msg.msg_control = NULL;
3637 msg.msg_controllen = 0;
3638 msg.msg_namelen = 0;
3640 flags = req->sr_msg.msg_flags;
3641 if (flags & MSG_DONTWAIT)
3642 req->flags |= REQ_F_NOWAIT;
3643 else if (force_nonblock)
3644 flags |= MSG_DONTWAIT;
3646 msg.msg_flags = flags;
3647 ret = sock_sendmsg(sock, &msg);
3648 if (force_nonblock && ret == -EAGAIN)
3650 if (ret == -ERESTARTSYS)
3654 io_cqring_add_event(req, ret);
3656 req_set_fail_links(req);
3661 static int __io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
3663 struct io_sr_msg *sr = &req->sr_msg;
3664 struct iovec __user *uiov;
3668 ret = __copy_msghdr_from_user(&io->msg.msg, sr->msg, &io->msg.uaddr,
3673 if (req->flags & REQ_F_BUFFER_SELECT) {
3676 if (copy_from_user(io->msg.iov, uiov, sizeof(*uiov)))
3678 sr->len = io->msg.iov[0].iov_len;
3679 iov_iter_init(&io->msg.msg.msg_iter, READ, io->msg.iov, 1,
3683 ret = import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
3684 &io->msg.iov, &io->msg.msg.msg_iter);
3692 #ifdef CONFIG_COMPAT
3693 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
3694 struct io_async_ctx *io)
3696 struct compat_msghdr __user *msg_compat;
3697 struct io_sr_msg *sr = &req->sr_msg;
3698 struct compat_iovec __user *uiov;
3703 msg_compat = (struct compat_msghdr __user *) sr->msg;
3704 ret = __get_compat_msghdr(&io->msg.msg, msg_compat, &io->msg.uaddr,
3709 uiov = compat_ptr(ptr);
3710 if (req->flags & REQ_F_BUFFER_SELECT) {
3711 compat_ssize_t clen;
3715 if (!access_ok(uiov, sizeof(*uiov)))
3717 if (__get_user(clen, &uiov->iov_len))
3721 sr->len = io->msg.iov[0].iov_len;
3724 ret = compat_import_iovec(READ, uiov, len, UIO_FASTIOV,
3726 &io->msg.msg.msg_iter);
3735 static int io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
3737 io->msg.iov = io->msg.fast_iov;
3739 #ifdef CONFIG_COMPAT
3740 if (req->ctx->compat)
3741 return __io_compat_recvmsg_copy_hdr(req, io);
3744 return __io_recvmsg_copy_hdr(req, io);
3747 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
3748 int *cflags, bool needs_lock)
3750 struct io_sr_msg *sr = &req->sr_msg;
3751 struct io_buffer *kbuf;
3753 if (!(req->flags & REQ_F_BUFFER_SELECT))
3756 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
3761 req->flags |= REQ_F_BUFFER_SELECTED;
3763 *cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
3764 *cflags |= IORING_CQE_F_BUFFER;
3768 static int io_recvmsg_prep(struct io_kiocb *req,
3769 const struct io_uring_sqe *sqe)
3771 struct io_sr_msg *sr = &req->sr_msg;
3772 struct io_async_ctx *io = req->io;
3775 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3778 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3779 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3780 sr->len = READ_ONCE(sqe->len);
3781 sr->bgid = READ_ONCE(sqe->buf_group);
3783 #ifdef CONFIG_COMPAT
3784 if (req->ctx->compat)
3785 sr->msg_flags |= MSG_CMSG_COMPAT;
3788 if (!io || req->opcode == IORING_OP_RECV)
3790 /* iovec is already imported */
3791 if (req->flags & REQ_F_NEED_CLEANUP)
3794 ret = io_recvmsg_copy_hdr(req, io);
3796 req->flags |= REQ_F_NEED_CLEANUP;
3800 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock)
3802 struct io_async_msghdr *kmsg = NULL;
3803 struct socket *sock;
3804 int ret, cflags = 0;
3806 sock = sock_from_file(req->file, &ret);
3808 struct io_buffer *kbuf;
3809 struct io_async_ctx io;
3813 kmsg = &req->io->msg;
3814 kmsg->msg.msg_name = &req->io->msg.addr;
3815 /* if iov is set, it's allocated already */
3817 kmsg->iov = kmsg->fast_iov;
3818 kmsg->msg.msg_iter.iov = kmsg->iov;
3821 kmsg->msg.msg_name = &io.msg.addr;
3823 ret = io_recvmsg_copy_hdr(req, &io);
3828 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
3830 return PTR_ERR(kbuf);
3832 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
3833 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->iov,
3834 1, req->sr_msg.len);
3837 flags = req->sr_msg.msg_flags;
3838 if (flags & MSG_DONTWAIT)
3839 req->flags |= REQ_F_NOWAIT;
3840 else if (force_nonblock)
3841 flags |= MSG_DONTWAIT;
3843 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3844 kmsg->uaddr, flags);
3845 if (force_nonblock && ret == -EAGAIN)
3846 return io_setup_async_msg(req, kmsg);
3847 if (ret == -ERESTARTSYS)
3851 if (kmsg && kmsg->iov != kmsg->fast_iov)
3853 req->flags &= ~REQ_F_NEED_CLEANUP;
3854 __io_cqring_add_event(req, ret, cflags);
3856 req_set_fail_links(req);
3861 static int io_recv(struct io_kiocb *req, bool force_nonblock)
3863 struct io_buffer *kbuf = NULL;
3864 struct socket *sock;
3865 int ret, cflags = 0;
3867 sock = sock_from_file(req->file, &ret);
3869 struct io_sr_msg *sr = &req->sr_msg;
3870 void __user *buf = sr->buf;
3875 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
3877 return PTR_ERR(kbuf);
3879 buf = u64_to_user_ptr(kbuf->addr);
3881 ret = import_single_range(READ, buf, sr->len, &iov,
3888 req->flags |= REQ_F_NEED_CLEANUP;
3889 msg.msg_name = NULL;
3890 msg.msg_control = NULL;
3891 msg.msg_controllen = 0;
3892 msg.msg_namelen = 0;
3893 msg.msg_iocb = NULL;
3896 flags = req->sr_msg.msg_flags;
3897 if (flags & MSG_DONTWAIT)
3898 req->flags |= REQ_F_NOWAIT;
3899 else if (force_nonblock)
3900 flags |= MSG_DONTWAIT;
3902 ret = sock_recvmsg(sock, &msg, flags);
3903 if (force_nonblock && ret == -EAGAIN)
3905 if (ret == -ERESTARTSYS)
3910 req->flags &= ~REQ_F_NEED_CLEANUP;
3911 __io_cqring_add_event(req, ret, cflags);
3913 req_set_fail_links(req);
3918 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3920 struct io_accept *accept = &req->accept;
3922 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3924 if (sqe->ioprio || sqe->len || sqe->buf_index)
3927 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3928 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3929 accept->flags = READ_ONCE(sqe->accept_flags);
3930 accept->nofile = rlimit(RLIMIT_NOFILE);
3934 static int io_accept(struct io_kiocb *req, bool force_nonblock)
3936 struct io_accept *accept = &req->accept;
3937 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
3940 if (req->file->f_flags & O_NONBLOCK)
3941 req->flags |= REQ_F_NOWAIT;
3943 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3944 accept->addr_len, accept->flags,
3946 if (ret == -EAGAIN && force_nonblock)
3949 if (ret == -ERESTARTSYS)
3951 req_set_fail_links(req);
3953 io_cqring_add_event(req, ret);
3958 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3960 struct io_connect *conn = &req->connect;
3961 struct io_async_ctx *io = req->io;
3963 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3965 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3968 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3969 conn->addr_len = READ_ONCE(sqe->addr2);
3974 return move_addr_to_kernel(conn->addr, conn->addr_len,
3975 &io->connect.address);
3978 static int io_connect(struct io_kiocb *req, bool force_nonblock)
3980 struct io_async_ctx __io, *io;
3981 unsigned file_flags;
3987 ret = move_addr_to_kernel(req->connect.addr,
3988 req->connect.addr_len,
3989 &__io.connect.address);
3995 file_flags = force_nonblock ? O_NONBLOCK : 0;
3997 ret = __sys_connect_file(req->file, &io->connect.address,
3998 req->connect.addr_len, file_flags);
3999 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4002 if (io_alloc_async_ctx(req)) {
4006 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
4009 if (ret == -ERESTARTSYS)
4013 req_set_fail_links(req);
4014 io_cqring_add_event(req, ret);
4018 #else /* !CONFIG_NET */
4019 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4024 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock)
4029 static int io_send(struct io_kiocb *req, bool force_nonblock)
4034 static int io_recvmsg_prep(struct io_kiocb *req,
4035 const struct io_uring_sqe *sqe)
4040 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock)
4045 static int io_recv(struct io_kiocb *req, bool force_nonblock)
4050 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4055 static int io_accept(struct io_kiocb *req, bool force_nonblock)
4060 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4065 static int io_connect(struct io_kiocb *req, bool force_nonblock)
4069 #endif /* CONFIG_NET */
4071 struct io_poll_table {
4072 struct poll_table_struct pt;
4073 struct io_kiocb *req;
4077 static int io_req_task_work_add(struct io_kiocb *req, struct callback_head *cb)
4079 struct task_struct *tsk = req->task;
4080 struct io_ring_ctx *ctx = req->ctx;
4081 int ret, notify = TWA_RESUME;
4084 * SQPOLL kernel thread doesn't need notification, just a wakeup.
4085 * If we're not using an eventfd, then TWA_RESUME is always fine,
4086 * as we won't have dependencies between request completions for
4087 * other kernel wait conditions.
4089 if (ctx->flags & IORING_SETUP_SQPOLL)
4091 else if (ctx->cq_ev_fd)
4092 notify = TWA_SIGNAL;
4094 ret = task_work_add(tsk, cb, notify);
4096 wake_up_process(tsk);
4100 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4101 __poll_t mask, task_work_func_t func)
4103 struct task_struct *tsk;
4106 /* for instances that support it check for an event match first: */
4107 if (mask && !(mask & poll->events))
4110 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4112 list_del_init(&poll->wait.entry);
4116 init_task_work(&req->task_work, func);
4118 * If this fails, then the task is exiting. When a task exits, the
4119 * work gets canceled, so just cancel this request as well instead
4120 * of executing it. We can't safely execute it anyway, as we may not
4121 * have the needed state needed for it anyway.
4123 ret = io_req_task_work_add(req, &req->task_work);
4124 if (unlikely(ret)) {
4125 WRITE_ONCE(poll->canceled, true);
4126 tsk = io_wq_get_task(req->ctx->io_wq);
4127 task_work_add(tsk, &req->task_work, 0);
4128 wake_up_process(tsk);
4133 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4134 __acquires(&req->ctx->completion_lock)
4136 struct io_ring_ctx *ctx = req->ctx;
4138 if (!req->result && !READ_ONCE(poll->canceled)) {
4139 struct poll_table_struct pt = { ._key = poll->events };
4141 req->result = vfs_poll(req->file, &pt) & poll->events;
4144 spin_lock_irq(&ctx->completion_lock);
4145 if (!req->result && !READ_ONCE(poll->canceled)) {
4146 add_wait_queue(poll->head, &poll->wait);
4153 static void io_poll_remove_double(struct io_kiocb *req)
4155 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4157 lockdep_assert_held(&req->ctx->completion_lock);
4159 if (poll && poll->head) {
4160 struct wait_queue_head *head = poll->head;
4162 spin_lock(&head->lock);
4163 list_del_init(&poll->wait.entry);
4164 if (poll->wait.private)
4165 refcount_dec(&req->refs);
4167 spin_unlock(&head->lock);
4171 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4173 struct io_ring_ctx *ctx = req->ctx;
4175 io_poll_remove_double(req);
4176 req->poll.done = true;
4177 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4178 io_commit_cqring(ctx);
4181 static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
4183 struct io_ring_ctx *ctx = req->ctx;
4185 if (io_poll_rewait(req, &req->poll)) {
4186 spin_unlock_irq(&ctx->completion_lock);
4190 hash_del(&req->hash_node);
4191 io_poll_complete(req, req->result, 0);
4192 req->flags |= REQ_F_COMP_LOCKED;
4193 io_put_req_find_next(req, nxt);
4194 spin_unlock_irq(&ctx->completion_lock);
4196 io_cqring_ev_posted(ctx);
4199 static void io_poll_task_func(struct callback_head *cb)
4201 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4202 struct io_kiocb *nxt = NULL;
4204 io_poll_task_handler(req, &nxt);
4206 struct io_ring_ctx *ctx = nxt->ctx;
4208 mutex_lock(&ctx->uring_lock);
4209 __io_queue_sqe(nxt, NULL);
4210 mutex_unlock(&ctx->uring_lock);
4214 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4215 int sync, void *key)
4217 struct io_kiocb *req = wait->private;
4218 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4219 __poll_t mask = key_to_poll(key);
4221 /* for instances that support it check for an event match first: */
4222 if (mask && !(mask & poll->events))
4225 if (req->poll.head) {
4228 spin_lock(&req->poll.head->lock);
4229 done = list_empty(&req->poll.wait.entry);
4231 list_del_init(&req->poll.wait.entry);
4232 spin_unlock(&req->poll.head->lock);
4234 __io_async_wake(req, poll, mask, io_poll_task_func);
4236 refcount_dec(&req->refs);
4240 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4241 wait_queue_func_t wake_func)
4245 poll->canceled = false;
4246 poll->events = events;
4247 INIT_LIST_HEAD(&poll->wait.entry);
4248 init_waitqueue_func_entry(&poll->wait, wake_func);
4251 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
4252 struct wait_queue_head *head)
4254 struct io_kiocb *req = pt->req;
4257 * If poll->head is already set, it's because the file being polled
4258 * uses multiple waitqueues for poll handling (eg one for read, one
4259 * for write). Setup a separate io_poll_iocb if this happens.
4261 if (unlikely(poll->head)) {
4262 /* already have a 2nd entry, fail a third attempt */
4264 pt->error = -EINVAL;
4267 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
4269 pt->error = -ENOMEM;
4272 io_init_poll_iocb(poll, req->poll.events, io_poll_double_wake);
4273 refcount_inc(&req->refs);
4274 poll->wait.private = req;
4275 req->io = (void *) poll;
4280 add_wait_queue(head, &poll->wait);
4283 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
4284 struct poll_table_struct *p)
4286 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4288 __io_queue_proc(&pt->req->apoll->poll, pt, head);
4291 static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
4293 struct mm_struct *mm = current->mm;
4296 kthread_unuse_mm(mm);
4301 static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
4302 struct io_kiocb *req)
4304 if (io_op_defs[req->opcode].needs_mm && !current->mm) {
4305 if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
4307 kthread_use_mm(ctx->sqo_mm);
4313 static void io_async_task_func(struct callback_head *cb)
4315 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4316 struct async_poll *apoll = req->apoll;
4317 struct io_ring_ctx *ctx = req->ctx;
4318 bool canceled = false;
4320 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
4322 if (io_poll_rewait(req, &apoll->poll)) {
4323 spin_unlock_irq(&ctx->completion_lock);
4327 /* If req is still hashed, it cannot have been canceled. Don't check. */
4328 if (hash_hashed(&req->hash_node)) {
4329 hash_del(&req->hash_node);
4331 canceled = READ_ONCE(apoll->poll.canceled);
4333 io_cqring_fill_event(req, -ECANCELED);
4334 io_commit_cqring(ctx);
4338 spin_unlock_irq(&ctx->completion_lock);
4340 /* restore ->work in case we need to retry again */
4341 if (req->flags & REQ_F_WORK_INITIALIZED)
4342 memcpy(&req->work, &apoll->work, sizeof(req->work));
4346 __set_current_state(TASK_RUNNING);
4347 if (io_sq_thread_acquire_mm(ctx, req)) {
4348 io_cqring_add_event(req, -EFAULT);
4351 mutex_lock(&ctx->uring_lock);
4352 __io_queue_sqe(req, NULL);
4353 mutex_unlock(&ctx->uring_lock);
4355 io_cqring_ev_posted(ctx);
4357 req_set_fail_links(req);
4358 io_double_put_req(req);
4362 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4365 struct io_kiocb *req = wait->private;
4366 struct io_poll_iocb *poll = &req->apoll->poll;
4368 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
4371 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
4374 static void io_poll_req_insert(struct io_kiocb *req)
4376 struct io_ring_ctx *ctx = req->ctx;
4377 struct hlist_head *list;
4379 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
4380 hlist_add_head(&req->hash_node, list);
4383 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
4384 struct io_poll_iocb *poll,
4385 struct io_poll_table *ipt, __poll_t mask,
4386 wait_queue_func_t wake_func)
4387 __acquires(&ctx->completion_lock)
4389 struct io_ring_ctx *ctx = req->ctx;
4390 bool cancel = false;
4392 poll->file = req->file;
4393 io_init_poll_iocb(poll, mask, wake_func);
4394 poll->wait.private = req;
4396 ipt->pt._key = mask;
4398 ipt->error = -EINVAL;
4400 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
4402 spin_lock_irq(&ctx->completion_lock);
4403 if (likely(poll->head)) {
4404 spin_lock(&poll->head->lock);
4405 if (unlikely(list_empty(&poll->wait.entry))) {
4411 if (mask || ipt->error)
4412 list_del_init(&poll->wait.entry);
4414 WRITE_ONCE(poll->canceled, true);
4415 else if (!poll->done) /* actually waiting for an event */
4416 io_poll_req_insert(req);
4417 spin_unlock(&poll->head->lock);
4423 static bool io_arm_poll_handler(struct io_kiocb *req)
4425 const struct io_op_def *def = &io_op_defs[req->opcode];
4426 struct io_ring_ctx *ctx = req->ctx;
4427 struct async_poll *apoll;
4428 struct io_poll_table ipt;
4432 if (!req->file || !file_can_poll(req->file))
4434 if (req->flags & (REQ_F_MUST_PUNT | REQ_F_POLLED))
4436 if (!def->pollin && !def->pollout)
4439 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
4440 if (unlikely(!apoll))
4443 req->flags |= REQ_F_POLLED;
4444 if (req->flags & REQ_F_WORK_INITIALIZED)
4445 memcpy(&apoll->work, &req->work, sizeof(req->work));
4446 had_io = req->io != NULL;
4448 io_get_req_task(req);
4450 INIT_HLIST_NODE(&req->hash_node);
4454 mask |= POLLIN | POLLRDNORM;
4456 mask |= POLLOUT | POLLWRNORM;
4457 mask |= POLLERR | POLLPRI;
4459 ipt.pt._qproc = io_async_queue_proc;
4461 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
4465 /* only remove double add if we did it here */
4467 io_poll_remove_double(req);
4468 spin_unlock_irq(&ctx->completion_lock);
4469 if (req->flags & REQ_F_WORK_INITIALIZED)
4470 memcpy(&req->work, &apoll->work, sizeof(req->work));
4474 spin_unlock_irq(&ctx->completion_lock);
4475 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
4476 apoll->poll.events);
4480 static bool __io_poll_remove_one(struct io_kiocb *req,
4481 struct io_poll_iocb *poll)
4483 bool do_complete = false;
4485 spin_lock(&poll->head->lock);
4486 WRITE_ONCE(poll->canceled, true);
4487 if (!list_empty(&poll->wait.entry)) {
4488 list_del_init(&poll->wait.entry);
4491 spin_unlock(&poll->head->lock);
4492 hash_del(&req->hash_node);
4496 static bool io_poll_remove_one(struct io_kiocb *req)
4500 if (req->opcode == IORING_OP_POLL_ADD) {
4501 io_poll_remove_double(req);
4502 do_complete = __io_poll_remove_one(req, &req->poll);
4504 struct async_poll *apoll = req->apoll;
4506 /* non-poll requests have submit ref still */
4507 do_complete = __io_poll_remove_one(req, &apoll->poll);
4511 * restore ->work because we will call
4512 * io_req_work_drop_env below when dropping the
4515 if (req->flags & REQ_F_WORK_INITIALIZED)
4516 memcpy(&req->work, &apoll->work,
4523 io_cqring_fill_event(req, -ECANCELED);
4524 io_commit_cqring(req->ctx);
4525 req->flags |= REQ_F_COMP_LOCKED;
4532 static void io_poll_remove_all(struct io_ring_ctx *ctx)
4534 struct hlist_node *tmp;
4535 struct io_kiocb *req;
4538 spin_lock_irq(&ctx->completion_lock);
4539 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
4540 struct hlist_head *list;
4542 list = &ctx->cancel_hash[i];
4543 hlist_for_each_entry_safe(req, tmp, list, hash_node)
4544 posted += io_poll_remove_one(req);
4546 spin_unlock_irq(&ctx->completion_lock);
4549 io_cqring_ev_posted(ctx);
4552 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
4554 struct hlist_head *list;
4555 struct io_kiocb *req;
4557 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
4558 hlist_for_each_entry(req, list, hash_node) {
4559 if (sqe_addr != req->user_data)
4561 if (io_poll_remove_one(req))
4569 static int io_poll_remove_prep(struct io_kiocb *req,
4570 const struct io_uring_sqe *sqe)
4572 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4574 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
4578 req->poll.addr = READ_ONCE(sqe->addr);
4583 * Find a running poll command that matches one specified in sqe->addr,
4584 * and remove it if found.
4586 static int io_poll_remove(struct io_kiocb *req)
4588 struct io_ring_ctx *ctx = req->ctx;
4592 addr = req->poll.addr;
4593 spin_lock_irq(&ctx->completion_lock);
4594 ret = io_poll_cancel(ctx, addr);
4595 spin_unlock_irq(&ctx->completion_lock);
4597 io_cqring_add_event(req, ret);
4599 req_set_fail_links(req);
4604 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4607 struct io_kiocb *req = wait->private;
4608 struct io_poll_iocb *poll = &req->poll;
4610 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
4613 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
4614 struct poll_table_struct *p)
4616 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4618 __io_queue_proc(&pt->req->poll, pt, head);
4621 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4623 struct io_poll_iocb *poll = &req->poll;
4626 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4628 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
4633 events = READ_ONCE(sqe->poll_events);
4634 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
4636 io_get_req_task(req);
4640 static int io_poll_add(struct io_kiocb *req)
4642 struct io_poll_iocb *poll = &req->poll;
4643 struct io_ring_ctx *ctx = req->ctx;
4644 struct io_poll_table ipt;
4647 INIT_HLIST_NODE(&req->hash_node);
4648 INIT_LIST_HEAD(&req->list);
4649 ipt.pt._qproc = io_poll_queue_proc;
4651 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
4654 if (mask) { /* no async, we'd stolen it */
4656 io_poll_complete(req, mask, 0);
4658 spin_unlock_irq(&ctx->completion_lock);
4661 io_cqring_ev_posted(ctx);
4667 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
4669 struct io_timeout_data *data = container_of(timer,
4670 struct io_timeout_data, timer);
4671 struct io_kiocb *req = data->req;
4672 struct io_ring_ctx *ctx = req->ctx;
4673 unsigned long flags;
4675 atomic_inc(&ctx->cq_timeouts);
4677 spin_lock_irqsave(&ctx->completion_lock, flags);
4679 * We could be racing with timeout deletion. If the list is empty,
4680 * then timeout lookup already found it and will be handling it.
4682 if (!list_empty(&req->list))
4683 list_del_init(&req->list);
4685 io_cqring_fill_event(req, -ETIME);
4686 io_commit_cqring(ctx);
4687 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4689 io_cqring_ev_posted(ctx);
4690 req_set_fail_links(req);
4692 return HRTIMER_NORESTART;
4695 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
4697 struct io_kiocb *req;
4700 list_for_each_entry(req, &ctx->timeout_list, list) {
4701 if (user_data == req->user_data) {
4702 list_del_init(&req->list);
4711 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
4715 req_set_fail_links(req);
4716 io_cqring_fill_event(req, -ECANCELED);
4721 static int io_timeout_remove_prep(struct io_kiocb *req,
4722 const struct io_uring_sqe *sqe)
4724 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4726 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
4729 req->timeout.addr = READ_ONCE(sqe->addr);
4730 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
4731 if (req->timeout.flags)
4738 * Remove or update an existing timeout command
4740 static int io_timeout_remove(struct io_kiocb *req)
4742 struct io_ring_ctx *ctx = req->ctx;
4745 spin_lock_irq(&ctx->completion_lock);
4746 ret = io_timeout_cancel(ctx, req->timeout.addr);
4748 io_cqring_fill_event(req, ret);
4749 io_commit_cqring(ctx);
4750 spin_unlock_irq(&ctx->completion_lock);
4751 io_cqring_ev_posted(ctx);
4753 req_set_fail_links(req);
4758 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4759 bool is_timeout_link)
4761 struct io_timeout_data *data;
4763 u32 off = READ_ONCE(sqe->off);
4765 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4767 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
4769 if (off && is_timeout_link)
4771 flags = READ_ONCE(sqe->timeout_flags);
4772 if (flags & ~IORING_TIMEOUT_ABS)
4775 req->timeout.off = off;
4777 if (!req->io && io_alloc_async_ctx(req))
4780 data = &req->io->timeout;
4782 req->flags |= REQ_F_TIMEOUT;
4784 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
4787 if (flags & IORING_TIMEOUT_ABS)
4788 data->mode = HRTIMER_MODE_ABS;
4790 data->mode = HRTIMER_MODE_REL;
4792 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
4796 static int io_timeout(struct io_kiocb *req)
4798 struct io_ring_ctx *ctx = req->ctx;
4799 struct io_timeout_data *data = &req->io->timeout;
4800 struct list_head *entry;
4801 u32 tail, off = req->timeout.off;
4803 spin_lock_irq(&ctx->completion_lock);
4806 * sqe->off holds how many events that need to occur for this
4807 * timeout event to be satisfied. If it isn't set, then this is
4808 * a pure timeout request, sequence isn't used.
4811 req->flags |= REQ_F_TIMEOUT_NOSEQ;
4812 entry = ctx->timeout_list.prev;
4816 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
4817 req->timeout.target_seq = tail + off;
4820 * Insertion sort, ensuring the first entry in the list is always
4821 * the one we need first.
4823 list_for_each_prev(entry, &ctx->timeout_list) {
4824 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
4826 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
4828 /* nxt.seq is behind @tail, otherwise would've been completed */
4829 if (off >= nxt->timeout.target_seq - tail)
4833 list_add(&req->list, entry);
4834 data->timer.function = io_timeout_fn;
4835 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
4836 spin_unlock_irq(&ctx->completion_lock);
4840 static bool io_cancel_cb(struct io_wq_work *work, void *data)
4842 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4844 return req->user_data == (unsigned long) data;
4847 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
4849 enum io_wq_cancel cancel_ret;
4852 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr, false);
4853 switch (cancel_ret) {
4854 case IO_WQ_CANCEL_OK:
4857 case IO_WQ_CANCEL_RUNNING:
4860 case IO_WQ_CANCEL_NOTFOUND:
4868 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
4869 struct io_kiocb *req, __u64 sqe_addr,
4872 unsigned long flags;
4875 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
4876 if (ret != -ENOENT) {
4877 spin_lock_irqsave(&ctx->completion_lock, flags);
4881 spin_lock_irqsave(&ctx->completion_lock, flags);
4882 ret = io_timeout_cancel(ctx, sqe_addr);
4885 ret = io_poll_cancel(ctx, sqe_addr);
4889 io_cqring_fill_event(req, ret);
4890 io_commit_cqring(ctx);
4891 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4892 io_cqring_ev_posted(ctx);
4895 req_set_fail_links(req);
4899 static int io_async_cancel_prep(struct io_kiocb *req,
4900 const struct io_uring_sqe *sqe)
4902 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4904 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
4908 req->cancel.addr = READ_ONCE(sqe->addr);
4912 static int io_async_cancel(struct io_kiocb *req)
4914 struct io_ring_ctx *ctx = req->ctx;
4916 io_async_find_and_cancel(ctx, req, req->cancel.addr, 0);
4920 static int io_files_update_prep(struct io_kiocb *req,
4921 const struct io_uring_sqe *sqe)
4923 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
4926 req->files_update.offset = READ_ONCE(sqe->off);
4927 req->files_update.nr_args = READ_ONCE(sqe->len);
4928 if (!req->files_update.nr_args)
4930 req->files_update.arg = READ_ONCE(sqe->addr);
4934 static int io_files_update(struct io_kiocb *req, bool force_nonblock)
4936 struct io_ring_ctx *ctx = req->ctx;
4937 struct io_uring_files_update up;
4943 up.offset = req->files_update.offset;
4944 up.fds = req->files_update.arg;
4946 mutex_lock(&ctx->uring_lock);
4947 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
4948 mutex_unlock(&ctx->uring_lock);
4951 req_set_fail_links(req);
4952 io_cqring_add_event(req, ret);
4957 static int io_req_defer_prep(struct io_kiocb *req,
4958 const struct io_uring_sqe *sqe)
4965 io_req_init_async(req);
4967 if (io_op_defs[req->opcode].file_table) {
4968 ret = io_grab_files(req);
4973 io_req_work_grab_env(req, &io_op_defs[req->opcode]);
4975 switch (req->opcode) {
4978 case IORING_OP_READV:
4979 case IORING_OP_READ_FIXED:
4980 case IORING_OP_READ:
4981 ret = io_read_prep(req, sqe, true);
4983 case IORING_OP_WRITEV:
4984 case IORING_OP_WRITE_FIXED:
4985 case IORING_OP_WRITE:
4986 ret = io_write_prep(req, sqe, true);
4988 case IORING_OP_POLL_ADD:
4989 ret = io_poll_add_prep(req, sqe);
4991 case IORING_OP_POLL_REMOVE:
4992 ret = io_poll_remove_prep(req, sqe);
4994 case IORING_OP_FSYNC:
4995 ret = io_prep_fsync(req, sqe);
4997 case IORING_OP_SYNC_FILE_RANGE:
4998 ret = io_prep_sfr(req, sqe);
5000 case IORING_OP_SENDMSG:
5001 case IORING_OP_SEND:
5002 ret = io_sendmsg_prep(req, sqe);
5004 case IORING_OP_RECVMSG:
5005 case IORING_OP_RECV:
5006 ret = io_recvmsg_prep(req, sqe);
5008 case IORING_OP_CONNECT:
5009 ret = io_connect_prep(req, sqe);
5011 case IORING_OP_TIMEOUT:
5012 ret = io_timeout_prep(req, sqe, false);
5014 case IORING_OP_TIMEOUT_REMOVE:
5015 ret = io_timeout_remove_prep(req, sqe);
5017 case IORING_OP_ASYNC_CANCEL:
5018 ret = io_async_cancel_prep(req, sqe);
5020 case IORING_OP_LINK_TIMEOUT:
5021 ret = io_timeout_prep(req, sqe, true);
5023 case IORING_OP_ACCEPT:
5024 ret = io_accept_prep(req, sqe);
5026 case IORING_OP_FALLOCATE:
5027 ret = io_fallocate_prep(req, sqe);
5029 case IORING_OP_OPENAT:
5030 ret = io_openat_prep(req, sqe);
5032 case IORING_OP_CLOSE:
5033 ret = io_close_prep(req, sqe);
5035 case IORING_OP_FILES_UPDATE:
5036 ret = io_files_update_prep(req, sqe);
5038 case IORING_OP_STATX:
5039 ret = io_statx_prep(req, sqe);
5041 case IORING_OP_FADVISE:
5042 ret = io_fadvise_prep(req, sqe);
5044 case IORING_OP_MADVISE:
5045 ret = io_madvise_prep(req, sqe);
5047 case IORING_OP_OPENAT2:
5048 ret = io_openat2_prep(req, sqe);
5050 case IORING_OP_EPOLL_CTL:
5051 ret = io_epoll_ctl_prep(req, sqe);
5053 case IORING_OP_SPLICE:
5054 ret = io_splice_prep(req, sqe);
5056 case IORING_OP_PROVIDE_BUFFERS:
5057 ret = io_provide_buffers_prep(req, sqe);
5059 case IORING_OP_REMOVE_BUFFERS:
5060 ret = io_remove_buffers_prep(req, sqe);
5063 ret = io_tee_prep(req, sqe);
5066 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5075 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5077 struct io_ring_ctx *ctx = req->ctx;
5080 /* Still need defer if there is pending req in defer list. */
5081 if (!req_need_defer(req) && list_empty_careful(&ctx->defer_list))
5085 if (io_alloc_async_ctx(req))
5087 ret = io_req_defer_prep(req, sqe);
5092 spin_lock_irq(&ctx->completion_lock);
5093 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
5094 spin_unlock_irq(&ctx->completion_lock);
5098 trace_io_uring_defer(ctx, req, req->user_data);
5099 list_add_tail(&req->list, &ctx->defer_list);
5100 spin_unlock_irq(&ctx->completion_lock);
5101 return -EIOCBQUEUED;
5104 static void io_cleanup_req(struct io_kiocb *req)
5106 struct io_async_ctx *io = req->io;
5108 switch (req->opcode) {
5109 case IORING_OP_READV:
5110 case IORING_OP_READ_FIXED:
5111 case IORING_OP_READ:
5112 if (req->flags & REQ_F_BUFFER_SELECTED)
5113 kfree((void *)(unsigned long)req->rw.addr);
5115 case IORING_OP_WRITEV:
5116 case IORING_OP_WRITE_FIXED:
5117 case IORING_OP_WRITE:
5118 if (io->rw.iov != io->rw.fast_iov)
5121 case IORING_OP_RECVMSG:
5122 if (req->flags & REQ_F_BUFFER_SELECTED)
5123 kfree(req->sr_msg.kbuf);
5125 case IORING_OP_SENDMSG:
5126 if (io->msg.iov != io->msg.fast_iov)
5129 case IORING_OP_RECV:
5130 if (req->flags & REQ_F_BUFFER_SELECTED)
5131 kfree(req->sr_msg.kbuf);
5133 case IORING_OP_OPENAT:
5134 case IORING_OP_OPENAT2:
5136 case IORING_OP_SPLICE:
5138 io_put_file(req, req->splice.file_in,
5139 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5143 req->flags &= ~REQ_F_NEED_CLEANUP;
5146 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5147 bool force_nonblock)
5149 struct io_ring_ctx *ctx = req->ctx;
5152 switch (req->opcode) {
5156 case IORING_OP_READV:
5157 case IORING_OP_READ_FIXED:
5158 case IORING_OP_READ:
5160 ret = io_read_prep(req, sqe, force_nonblock);
5164 ret = io_read(req, force_nonblock);
5166 case IORING_OP_WRITEV:
5167 case IORING_OP_WRITE_FIXED:
5168 case IORING_OP_WRITE:
5170 ret = io_write_prep(req, sqe, force_nonblock);
5174 ret = io_write(req, force_nonblock);
5176 case IORING_OP_FSYNC:
5178 ret = io_prep_fsync(req, sqe);
5182 ret = io_fsync(req, force_nonblock);
5184 case IORING_OP_POLL_ADD:
5186 ret = io_poll_add_prep(req, sqe);
5190 ret = io_poll_add(req);
5192 case IORING_OP_POLL_REMOVE:
5194 ret = io_poll_remove_prep(req, sqe);
5198 ret = io_poll_remove(req);
5200 case IORING_OP_SYNC_FILE_RANGE:
5202 ret = io_prep_sfr(req, sqe);
5206 ret = io_sync_file_range(req, force_nonblock);
5208 case IORING_OP_SENDMSG:
5209 case IORING_OP_SEND:
5211 ret = io_sendmsg_prep(req, sqe);
5215 if (req->opcode == IORING_OP_SENDMSG)
5216 ret = io_sendmsg(req, force_nonblock);
5218 ret = io_send(req, force_nonblock);
5220 case IORING_OP_RECVMSG:
5221 case IORING_OP_RECV:
5223 ret = io_recvmsg_prep(req, sqe);
5227 if (req->opcode == IORING_OP_RECVMSG)
5228 ret = io_recvmsg(req, force_nonblock);
5230 ret = io_recv(req, force_nonblock);
5232 case IORING_OP_TIMEOUT:
5234 ret = io_timeout_prep(req, sqe, false);
5238 ret = io_timeout(req);
5240 case IORING_OP_TIMEOUT_REMOVE:
5242 ret = io_timeout_remove_prep(req, sqe);
5246 ret = io_timeout_remove(req);
5248 case IORING_OP_ACCEPT:
5250 ret = io_accept_prep(req, sqe);
5254 ret = io_accept(req, force_nonblock);
5256 case IORING_OP_CONNECT:
5258 ret = io_connect_prep(req, sqe);
5262 ret = io_connect(req, force_nonblock);
5264 case IORING_OP_ASYNC_CANCEL:
5266 ret = io_async_cancel_prep(req, sqe);
5270 ret = io_async_cancel(req);
5272 case IORING_OP_FALLOCATE:
5274 ret = io_fallocate_prep(req, sqe);
5278 ret = io_fallocate(req, force_nonblock);
5280 case IORING_OP_OPENAT:
5282 ret = io_openat_prep(req, sqe);
5286 ret = io_openat(req, force_nonblock);
5288 case IORING_OP_CLOSE:
5290 ret = io_close_prep(req, sqe);
5294 ret = io_close(req, force_nonblock);
5296 case IORING_OP_FILES_UPDATE:
5298 ret = io_files_update_prep(req, sqe);
5302 ret = io_files_update(req, force_nonblock);
5304 case IORING_OP_STATX:
5306 ret = io_statx_prep(req, sqe);
5310 ret = io_statx(req, force_nonblock);
5312 case IORING_OP_FADVISE:
5314 ret = io_fadvise_prep(req, sqe);
5318 ret = io_fadvise(req, force_nonblock);
5320 case IORING_OP_MADVISE:
5322 ret = io_madvise_prep(req, sqe);
5326 ret = io_madvise(req, force_nonblock);
5328 case IORING_OP_OPENAT2:
5330 ret = io_openat2_prep(req, sqe);
5334 ret = io_openat2(req, force_nonblock);
5336 case IORING_OP_EPOLL_CTL:
5338 ret = io_epoll_ctl_prep(req, sqe);
5342 ret = io_epoll_ctl(req, force_nonblock);
5344 case IORING_OP_SPLICE:
5346 ret = io_splice_prep(req, sqe);
5350 ret = io_splice(req, force_nonblock);
5352 case IORING_OP_PROVIDE_BUFFERS:
5354 ret = io_provide_buffers_prep(req, sqe);
5358 ret = io_provide_buffers(req, force_nonblock);
5360 case IORING_OP_REMOVE_BUFFERS:
5362 ret = io_remove_buffers_prep(req, sqe);
5366 ret = io_remove_buffers(req, force_nonblock);
5370 ret = io_tee_prep(req, sqe);
5374 ret = io_tee(req, force_nonblock);
5384 /* If the op doesn't have a file, we're not polling for it */
5385 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
5386 const bool in_async = io_wq_current_is_worker();
5388 /* workqueue context doesn't hold uring_lock, grab it now */
5390 mutex_lock(&ctx->uring_lock);
5392 io_iopoll_req_issued(req);
5395 mutex_unlock(&ctx->uring_lock);
5401 static void io_arm_async_linked_timeout(struct io_kiocb *req)
5403 struct io_kiocb *link;
5405 /* link head's timeout is queued in io_queue_async_work() */
5406 if (!(req->flags & REQ_F_QUEUE_TIMEOUT))
5409 link = list_first_entry(&req->link_list, struct io_kiocb, link_list);
5410 io_queue_linked_timeout(link);
5413 static void io_wq_submit_work(struct io_wq_work **workptr)
5415 struct io_wq_work *work = *workptr;
5416 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5419 io_arm_async_linked_timeout(req);
5421 /* if NO_CANCEL is set, we must still run the work */
5422 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
5423 IO_WQ_WORK_CANCEL) {
5429 ret = io_issue_sqe(req, NULL, false);
5431 * We can get EAGAIN for polled IO even though we're
5432 * forcing a sync submission from here, since we can't
5433 * wait for request slots on the block side.
5442 req_set_fail_links(req);
5443 io_cqring_add_event(req, ret);
5447 io_steal_work(req, workptr);
5450 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
5453 struct fixed_file_table *table;
5455 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
5456 return table->files[index & IORING_FILE_TABLE_MASK];
5459 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
5460 int fd, struct file **out_file, bool fixed)
5462 struct io_ring_ctx *ctx = req->ctx;
5466 if (unlikely(!ctx->file_data ||
5467 (unsigned) fd >= ctx->nr_user_files))
5469 fd = array_index_nospec(fd, ctx->nr_user_files);
5470 file = io_file_from_index(ctx, fd);
5472 req->fixed_file_refs = ctx->file_data->cur_refs;
5473 percpu_ref_get(req->fixed_file_refs);
5476 trace_io_uring_file_get(ctx, fd);
5477 file = __io_file_get(state, fd);
5480 if (file || io_op_defs[req->opcode].needs_file_no_error) {
5487 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
5492 fixed = (req->flags & REQ_F_FIXED_FILE) != 0;
5493 if (unlikely(!fixed && io_async_submit(req->ctx)))
5496 return io_file_get(state, req, fd, &req->file, fixed);
5499 static int io_grab_files(struct io_kiocb *req)
5502 struct io_ring_ctx *ctx = req->ctx;
5504 if (req->work.files || (req->flags & REQ_F_NO_FILE_TABLE))
5506 if (!ctx->ring_file)
5510 spin_lock_irq(&ctx->inflight_lock);
5512 * We use the f_ops->flush() handler to ensure that we can flush
5513 * out work accessing these files if the fd is closed. Check if
5514 * the fd has changed since we started down this path, and disallow
5515 * this operation if it has.
5517 if (fcheck(ctx->ring_fd) == ctx->ring_file) {
5518 list_add(&req->inflight_entry, &ctx->inflight_list);
5519 req->flags |= REQ_F_INFLIGHT;
5520 req->work.files = current->files;
5523 spin_unlock_irq(&ctx->inflight_lock);
5529 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
5531 struct io_timeout_data *data = container_of(timer,
5532 struct io_timeout_data, timer);
5533 struct io_kiocb *req = data->req;
5534 struct io_ring_ctx *ctx = req->ctx;
5535 struct io_kiocb *prev = NULL;
5536 unsigned long flags;
5538 spin_lock_irqsave(&ctx->completion_lock, flags);
5541 * We don't expect the list to be empty, that will only happen if we
5542 * race with the completion of the linked work.
5544 if (!list_empty(&req->link_list)) {
5545 prev = list_entry(req->link_list.prev, struct io_kiocb,
5547 if (refcount_inc_not_zero(&prev->refs)) {
5548 list_del_init(&req->link_list);
5549 prev->flags &= ~REQ_F_LINK_TIMEOUT;
5554 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5557 req_set_fail_links(prev);
5558 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
5561 io_cqring_add_event(req, -ETIME);
5564 return HRTIMER_NORESTART;
5567 static void io_queue_linked_timeout(struct io_kiocb *req)
5569 struct io_ring_ctx *ctx = req->ctx;
5572 * If the list is now empty, then our linked request finished before
5573 * we got a chance to setup the timer
5575 spin_lock_irq(&ctx->completion_lock);
5576 if (!list_empty(&req->link_list)) {
5577 struct io_timeout_data *data = &req->io->timeout;
5579 data->timer.function = io_link_timeout_fn;
5580 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
5583 spin_unlock_irq(&ctx->completion_lock);
5585 /* drop submission reference */
5589 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
5591 struct io_kiocb *nxt;
5593 if (!(req->flags & REQ_F_LINK_HEAD))
5595 /* for polled retry, if flag is set, we already went through here */
5596 if (req->flags & REQ_F_POLLED)
5599 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
5601 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
5604 req->flags |= REQ_F_LINK_TIMEOUT;
5608 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5610 struct io_kiocb *linked_timeout;
5611 struct io_kiocb *nxt;
5612 const struct cred *old_creds = NULL;
5616 linked_timeout = io_prep_linked_timeout(req);
5618 if ((req->flags & REQ_F_WORK_INITIALIZED) && req->work.creds &&
5619 req->work.creds != current_cred()) {
5621 revert_creds(old_creds);
5622 if (old_creds == req->work.creds)
5623 old_creds = NULL; /* restored original creds */
5625 old_creds = override_creds(req->work.creds);
5628 ret = io_issue_sqe(req, sqe, true);
5631 * We async punt it if the file wasn't marked NOWAIT, or if the file
5632 * doesn't support non-blocking read/write attempts
5634 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
5635 (req->flags & REQ_F_MUST_PUNT))) {
5636 if (io_arm_poll_handler(req)) {
5638 io_queue_linked_timeout(linked_timeout);
5642 io_req_init_async(req);
5644 if (io_op_defs[req->opcode].file_table) {
5645 ret = io_grab_files(req);
5651 * Queued up for async execution, worker will release
5652 * submit reference when the iocb is actually submitted.
5654 io_queue_async_work(req);
5660 /* drop submission reference */
5661 io_put_req_find_next(req, &nxt);
5663 if (linked_timeout) {
5665 io_queue_linked_timeout(linked_timeout);
5667 io_put_req(linked_timeout);
5670 /* and drop final reference, if we failed */
5672 io_cqring_add_event(req, ret);
5673 req_set_fail_links(req);
5679 if (req->flags & REQ_F_FORCE_ASYNC)
5685 revert_creds(old_creds);
5688 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5692 ret = io_req_defer(req, sqe);
5694 if (ret != -EIOCBQUEUED) {
5696 io_cqring_add_event(req, ret);
5697 req_set_fail_links(req);
5698 io_double_put_req(req);
5700 } else if (req->flags & REQ_F_FORCE_ASYNC) {
5703 if (io_alloc_async_ctx(req))
5705 ret = io_req_defer_prep(req, sqe);
5706 if (unlikely(ret < 0))
5711 * Never try inline submit of IOSQE_ASYNC is set, go straight
5712 * to async execution.
5714 req->work.flags |= IO_WQ_WORK_CONCURRENT;
5715 io_queue_async_work(req);
5717 __io_queue_sqe(req, sqe);
5721 static inline void io_queue_link_head(struct io_kiocb *req)
5723 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
5724 io_cqring_add_event(req, -ECANCELED);
5725 io_double_put_req(req);
5727 io_queue_sqe(req, NULL);
5730 static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5731 struct io_kiocb **link)
5733 struct io_ring_ctx *ctx = req->ctx;
5737 * If we already have a head request, queue this one for async
5738 * submittal once the head completes. If we don't have a head but
5739 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
5740 * submitted sync once the chain is complete. If none of those
5741 * conditions are true (normal request), then just queue it.
5744 struct io_kiocb *head = *link;
5747 * Taking sequential execution of a link, draining both sides
5748 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
5749 * requests in the link. So, it drains the head and the
5750 * next after the link request. The last one is done via
5751 * drain_next flag to persist the effect across calls.
5753 if (req->flags & REQ_F_IO_DRAIN) {
5754 head->flags |= REQ_F_IO_DRAIN;
5755 ctx->drain_next = 1;
5757 if (io_alloc_async_ctx(req))
5760 ret = io_req_defer_prep(req, sqe);
5762 /* fail even hard links since we don't submit */
5763 head->flags |= REQ_F_FAIL_LINK;
5766 trace_io_uring_link(ctx, req, head);
5767 list_add_tail(&req->link_list, &head->link_list);
5769 /* last request of a link, enqueue the link */
5770 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
5771 io_queue_link_head(head);
5775 if (unlikely(ctx->drain_next)) {
5776 req->flags |= REQ_F_IO_DRAIN;
5777 ctx->drain_next = 0;
5779 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
5780 req->flags |= REQ_F_LINK_HEAD;
5781 INIT_LIST_HEAD(&req->link_list);
5783 if (io_alloc_async_ctx(req))
5786 ret = io_req_defer_prep(req, sqe);
5788 req->flags |= REQ_F_FAIL_LINK;
5791 io_queue_sqe(req, sqe);
5799 * Batched submission is done, ensure local IO is flushed out.
5801 static void io_submit_state_end(struct io_submit_state *state)
5803 blk_finish_plug(&state->plug);
5804 io_state_file_put(state);
5805 if (state->free_reqs)
5806 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
5810 * Start submission side cache.
5812 static void io_submit_state_start(struct io_submit_state *state,
5813 unsigned int max_ios)
5815 blk_start_plug(&state->plug);
5816 state->free_reqs = 0;
5818 state->ios_left = max_ios;
5821 static void io_commit_sqring(struct io_ring_ctx *ctx)
5823 struct io_rings *rings = ctx->rings;
5826 * Ensure any loads from the SQEs are done at this point,
5827 * since once we write the new head, the application could
5828 * write new data to them.
5830 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
5834 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
5835 * that is mapped by userspace. This means that care needs to be taken to
5836 * ensure that reads are stable, as we cannot rely on userspace always
5837 * being a good citizen. If members of the sqe are validated and then later
5838 * used, it's important that those reads are done through READ_ONCE() to
5839 * prevent a re-load down the line.
5841 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
5843 u32 *sq_array = ctx->sq_array;
5847 * The cached sq head (or cq tail) serves two purposes:
5849 * 1) allows us to batch the cost of updating the user visible
5851 * 2) allows the kernel side to track the head on its own, even
5852 * though the application is the one updating it.
5854 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
5855 if (likely(head < ctx->sq_entries))
5856 return &ctx->sq_sqes[head];
5858 /* drop invalid entries */
5859 ctx->cached_sq_dropped++;
5860 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
5864 static inline void io_consume_sqe(struct io_ring_ctx *ctx)
5866 ctx->cached_sq_head++;
5869 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
5870 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
5871 IOSQE_BUFFER_SELECT)
5873 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
5874 const struct io_uring_sqe *sqe,
5875 struct io_submit_state *state)
5877 unsigned int sqe_flags;
5881 * All io need record the previous position, if LINK vs DARIN,
5882 * it can be used to mark the position of the first IO in the
5885 req->sequence = ctx->cached_sq_head - ctx->cached_sq_dropped;
5886 req->opcode = READ_ONCE(sqe->opcode);
5887 req->user_data = READ_ONCE(sqe->user_data);
5892 /* one is dropped after submission, the other at completion */
5893 refcount_set(&req->refs, 2);
5894 req->task = current;
5897 if (unlikely(req->opcode >= IORING_OP_LAST))
5900 if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
5903 sqe_flags = READ_ONCE(sqe->flags);
5904 /* enforce forwards compatibility on users */
5905 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
5908 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
5909 !io_op_defs[req->opcode].buffer_select)
5912 id = READ_ONCE(sqe->personality);
5914 io_req_init_async(req);
5915 req->work.creds = idr_find(&ctx->personality_idr, id);
5916 if (unlikely(!req->work.creds))
5918 get_cred(req->work.creds);
5921 /* same numerical values with corresponding REQ_F_*, safe to copy */
5922 req->flags |= sqe_flags;
5924 if (!io_op_defs[req->opcode].needs_file)
5927 return io_req_set_file(state, req, READ_ONCE(sqe->fd));
5930 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
5931 struct file *ring_file, int ring_fd)
5933 struct io_submit_state state, *statep = NULL;
5934 struct io_kiocb *link = NULL;
5935 int i, submitted = 0;
5937 /* if we have a backlog and couldn't flush it all, return BUSY */
5938 if (test_bit(0, &ctx->sq_check_overflow)) {
5939 if (!list_empty(&ctx->cq_overflow_list) &&
5940 !io_cqring_overflow_flush(ctx, false))
5944 /* make sure SQ entry isn't read before tail */
5945 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
5947 if (!percpu_ref_tryget_many(&ctx->refs, nr))
5950 if (nr > IO_PLUG_THRESHOLD) {
5951 io_submit_state_start(&state, nr);
5955 ctx->ring_fd = ring_fd;
5956 ctx->ring_file = ring_file;
5958 for (i = 0; i < nr; i++) {
5959 const struct io_uring_sqe *sqe;
5960 struct io_kiocb *req;
5963 sqe = io_get_sqe(ctx);
5964 if (unlikely(!sqe)) {
5965 io_consume_sqe(ctx);
5968 req = io_alloc_req(ctx, statep);
5969 if (unlikely(!req)) {
5971 submitted = -EAGAIN;
5975 err = io_init_req(ctx, req, sqe, statep);
5976 io_consume_sqe(ctx);
5977 /* will complete beyond this point, count as submitted */
5980 if (unlikely(err)) {
5982 io_cqring_add_event(req, err);
5983 io_double_put_req(req);
5987 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
5988 true, io_async_submit(ctx));
5989 err = io_submit_sqe(req, sqe, &link);
5994 if (unlikely(submitted != nr)) {
5995 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
5997 percpu_ref_put_many(&ctx->refs, nr - ref_used);
6000 io_queue_link_head(link);
6002 io_submit_state_end(&state);
6004 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6005 io_commit_sqring(ctx);
6010 static int io_sq_thread(void *data)
6012 struct io_ring_ctx *ctx = data;
6013 const struct cred *old_cred;
6015 unsigned long timeout;
6018 complete(&ctx->sq_thread_comp);
6020 old_cred = override_creds(ctx->creds);
6022 timeout = jiffies + ctx->sq_thread_idle;
6023 while (!kthread_should_park()) {
6024 unsigned int to_submit;
6026 if (!list_empty(&ctx->poll_list)) {
6027 unsigned nr_events = 0;
6029 mutex_lock(&ctx->uring_lock);
6030 if (!list_empty(&ctx->poll_list))
6031 io_iopoll_getevents(ctx, &nr_events, 0);
6033 timeout = jiffies + ctx->sq_thread_idle;
6034 mutex_unlock(&ctx->uring_lock);
6037 to_submit = io_sqring_entries(ctx);
6040 * If submit got -EBUSY, flag us as needing the application
6041 * to enter the kernel to reap and flush events.
6043 if (!to_submit || ret == -EBUSY || need_resched()) {
6045 * Drop cur_mm before scheduling, we can't hold it for
6046 * long periods (or over schedule()). Do this before
6047 * adding ourselves to the waitqueue, as the unuse/drop
6050 io_sq_thread_drop_mm(ctx);
6053 * We're polling. If we're within the defined idle
6054 * period, then let us spin without work before going
6055 * to sleep. The exception is if we got EBUSY doing
6056 * more IO, we should wait for the application to
6057 * reap events and wake us up.
6059 if (!list_empty(&ctx->poll_list) || need_resched() ||
6060 (!time_after(jiffies, timeout) && ret != -EBUSY &&
6061 !percpu_ref_is_dying(&ctx->refs))) {
6062 if (current->task_works)
6068 prepare_to_wait(&ctx->sqo_wait, &wait,
6069 TASK_INTERRUPTIBLE);
6072 * While doing polled IO, before going to sleep, we need
6073 * to check if there are new reqs added to poll_list, it
6074 * is because reqs may have been punted to io worker and
6075 * will be added to poll_list later, hence check the
6078 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6079 !list_empty_careful(&ctx->poll_list)) {
6080 finish_wait(&ctx->sqo_wait, &wait);
6084 /* Tell userspace we may need a wakeup call */
6085 spin_lock_irq(&ctx->completion_lock);
6086 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6087 spin_unlock_irq(&ctx->completion_lock);
6089 to_submit = io_sqring_entries(ctx);
6090 if (!to_submit || ret == -EBUSY) {
6091 if (kthread_should_park()) {
6092 finish_wait(&ctx->sqo_wait, &wait);
6095 if (current->task_works) {
6097 finish_wait(&ctx->sqo_wait, &wait);
6100 if (signal_pending(current))
6101 flush_signals(current);
6103 finish_wait(&ctx->sqo_wait, &wait);
6105 spin_lock_irq(&ctx->completion_lock);
6106 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6107 spin_unlock_irq(&ctx->completion_lock);
6111 finish_wait(&ctx->sqo_wait, &wait);
6113 spin_lock_irq(&ctx->completion_lock);
6114 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6115 spin_unlock_irq(&ctx->completion_lock);
6118 mutex_lock(&ctx->uring_lock);
6119 if (likely(!percpu_ref_is_dying(&ctx->refs)))
6120 ret = io_submit_sqes(ctx, to_submit, NULL, -1);
6121 mutex_unlock(&ctx->uring_lock);
6122 timeout = jiffies + ctx->sq_thread_idle;
6125 if (current->task_works)
6128 io_sq_thread_drop_mm(ctx);
6129 revert_creds(old_cred);
6136 struct io_wait_queue {
6137 struct wait_queue_entry wq;
6138 struct io_ring_ctx *ctx;
6140 unsigned nr_timeouts;
6143 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
6145 struct io_ring_ctx *ctx = iowq->ctx;
6148 * Wake up if we have enough events, or if a timeout occurred since we
6149 * started waiting. For timeouts, we always want to return to userspace,
6150 * regardless of event count.
6152 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
6153 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6156 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6157 int wake_flags, void *key)
6159 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6162 /* use noflush == true, as we can't safely rely on locking context */
6163 if (!io_should_wake(iowq, true))
6166 return autoremove_wake_function(curr, mode, wake_flags, key);
6170 * Wait until events become available, if we don't already have some. The
6171 * application must reap them itself, as they reside on the shared cq ring.
6173 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6174 const sigset_t __user *sig, size_t sigsz)
6176 struct io_wait_queue iowq = {
6179 .func = io_wake_function,
6180 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6183 .to_wait = min_events,
6185 struct io_rings *rings = ctx->rings;
6189 if (io_cqring_events(ctx, false) >= min_events)
6191 if (!current->task_works)
6197 #ifdef CONFIG_COMPAT
6198 if (in_compat_syscall())
6199 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6203 ret = set_user_sigmask(sig, sigsz);
6209 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6210 trace_io_uring_cqring_wait(ctx, min_events);
6212 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6213 TASK_INTERRUPTIBLE);
6214 /* make sure we run task_work before checking for signals */
6215 if (current->task_works)
6217 if (signal_pending(current)) {
6218 if (current->jobctl & JOBCTL_TASK_WORK) {
6219 spin_lock_irq(¤t->sighand->siglock);
6220 current->jobctl &= ~JOBCTL_TASK_WORK;
6221 recalc_sigpending();
6222 spin_unlock_irq(¤t->sighand->siglock);
6228 if (io_should_wake(&iowq, false))
6232 finish_wait(&ctx->wait, &iowq.wq);
6234 restore_saved_sigmask_unless(ret == -EINTR);
6236 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6239 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6241 #if defined(CONFIG_UNIX)
6242 if (ctx->ring_sock) {
6243 struct sock *sock = ctx->ring_sock->sk;
6244 struct sk_buff *skb;
6246 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6252 for (i = 0; i < ctx->nr_user_files; i++) {
6255 file = io_file_from_index(ctx, i);
6262 static void io_file_ref_kill(struct percpu_ref *ref)
6264 struct fixed_file_data *data;
6266 data = container_of(ref, struct fixed_file_data, refs);
6267 complete(&data->done);
6270 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
6272 struct fixed_file_data *data = ctx->file_data;
6273 struct fixed_file_ref_node *ref_node = NULL;
6274 unsigned nr_tables, i;
6279 spin_lock(&data->lock);
6280 if (!list_empty(&data->ref_list))
6281 ref_node = list_first_entry(&data->ref_list,
6282 struct fixed_file_ref_node, node);
6283 spin_unlock(&data->lock);
6285 percpu_ref_kill(&ref_node->refs);
6287 percpu_ref_kill(&data->refs);
6289 /* wait for all refs nodes to complete */
6290 flush_delayed_work(&ctx->file_put_work);
6291 wait_for_completion(&data->done);
6293 __io_sqe_files_unregister(ctx);
6294 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
6295 for (i = 0; i < nr_tables; i++)
6296 kfree(data->table[i].files);
6298 percpu_ref_exit(&data->refs);
6300 ctx->file_data = NULL;
6301 ctx->nr_user_files = 0;
6305 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
6307 if (ctx->sqo_thread) {
6308 wait_for_completion(&ctx->sq_thread_comp);
6310 * The park is a bit of a work-around, without it we get
6311 * warning spews on shutdown with SQPOLL set and affinity
6312 * set to a single CPU.
6314 kthread_park(ctx->sqo_thread);
6315 kthread_stop(ctx->sqo_thread);
6316 ctx->sqo_thread = NULL;
6320 static void io_finish_async(struct io_ring_ctx *ctx)
6322 io_sq_thread_stop(ctx);
6325 io_wq_destroy(ctx->io_wq);
6330 #if defined(CONFIG_UNIX)
6332 * Ensure the UNIX gc is aware of our file set, so we are certain that
6333 * the io_uring can be safely unregistered on process exit, even if we have
6334 * loops in the file referencing.
6336 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
6338 struct sock *sk = ctx->ring_sock->sk;
6339 struct scm_fp_list *fpl;
6340 struct sk_buff *skb;
6343 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
6347 skb = alloc_skb(0, GFP_KERNEL);
6356 fpl->user = get_uid(ctx->user);
6357 for (i = 0; i < nr; i++) {
6358 struct file *file = io_file_from_index(ctx, i + offset);
6362 fpl->fp[nr_files] = get_file(file);
6363 unix_inflight(fpl->user, fpl->fp[nr_files]);
6368 fpl->max = SCM_MAX_FD;
6369 fpl->count = nr_files;
6370 UNIXCB(skb).fp = fpl;
6371 skb->destructor = unix_destruct_scm;
6372 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
6373 skb_queue_head(&sk->sk_receive_queue, skb);
6375 for (i = 0; i < nr_files; i++)
6386 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
6387 * causes regular reference counting to break down. We rely on the UNIX
6388 * garbage collection to take care of this problem for us.
6390 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6392 unsigned left, total;
6396 left = ctx->nr_user_files;
6398 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6400 ret = __io_sqe_files_scm(ctx, this_files, total);
6404 total += this_files;
6410 while (total < ctx->nr_user_files) {
6411 struct file *file = io_file_from_index(ctx, total);
6421 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6427 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
6432 for (i = 0; i < nr_tables; i++) {
6433 struct fixed_file_table *table = &ctx->file_data->table[i];
6434 unsigned this_files;
6436 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
6437 table->files = kcalloc(this_files, sizeof(struct file *),
6441 nr_files -= this_files;
6447 for (i = 0; i < nr_tables; i++) {
6448 struct fixed_file_table *table = &ctx->file_data->table[i];
6449 kfree(table->files);
6454 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
6456 #if defined(CONFIG_UNIX)
6457 struct sock *sock = ctx->ring_sock->sk;
6458 struct sk_buff_head list, *head = &sock->sk_receive_queue;
6459 struct sk_buff *skb;
6462 __skb_queue_head_init(&list);
6465 * Find the skb that holds this file in its SCM_RIGHTS. When found,
6466 * remove this entry and rearrange the file array.
6468 skb = skb_dequeue(head);
6470 struct scm_fp_list *fp;
6472 fp = UNIXCB(skb).fp;
6473 for (i = 0; i < fp->count; i++) {
6476 if (fp->fp[i] != file)
6479 unix_notinflight(fp->user, fp->fp[i]);
6480 left = fp->count - 1 - i;
6482 memmove(&fp->fp[i], &fp->fp[i + 1],
6483 left * sizeof(struct file *));
6490 __skb_queue_tail(&list, skb);
6500 __skb_queue_tail(&list, skb);
6502 skb = skb_dequeue(head);
6505 if (skb_peek(&list)) {
6506 spin_lock_irq(&head->lock);
6507 while ((skb = __skb_dequeue(&list)) != NULL)
6508 __skb_queue_tail(head, skb);
6509 spin_unlock_irq(&head->lock);
6516 struct io_file_put {
6517 struct list_head list;
6521 static void __io_file_put_work(struct fixed_file_ref_node *ref_node)
6523 struct fixed_file_data *file_data = ref_node->file_data;
6524 struct io_ring_ctx *ctx = file_data->ctx;
6525 struct io_file_put *pfile, *tmp;
6527 list_for_each_entry_safe(pfile, tmp, &ref_node->file_list, list) {
6528 list_del(&pfile->list);
6529 io_ring_file_put(ctx, pfile->file);
6533 spin_lock(&file_data->lock);
6534 list_del(&ref_node->node);
6535 spin_unlock(&file_data->lock);
6537 percpu_ref_exit(&ref_node->refs);
6539 percpu_ref_put(&file_data->refs);
6542 static void io_file_put_work(struct work_struct *work)
6544 struct io_ring_ctx *ctx;
6545 struct llist_node *node;
6547 ctx = container_of(work, struct io_ring_ctx, file_put_work.work);
6548 node = llist_del_all(&ctx->file_put_llist);
6551 struct fixed_file_ref_node *ref_node;
6552 struct llist_node *next = node->next;
6554 ref_node = llist_entry(node, struct fixed_file_ref_node, llist);
6555 __io_file_put_work(ref_node);
6560 static void io_file_data_ref_zero(struct percpu_ref *ref)
6562 struct fixed_file_ref_node *ref_node;
6563 struct io_ring_ctx *ctx;
6567 ref_node = container_of(ref, struct fixed_file_ref_node, refs);
6568 ctx = ref_node->file_data->ctx;
6570 if (percpu_ref_is_dying(&ctx->file_data->refs))
6573 first_add = llist_add(&ref_node->llist, &ctx->file_put_llist);
6575 mod_delayed_work(system_wq, &ctx->file_put_work, 0);
6577 queue_delayed_work(system_wq, &ctx->file_put_work, delay);
6580 static struct fixed_file_ref_node *alloc_fixed_file_ref_node(
6581 struct io_ring_ctx *ctx)
6583 struct fixed_file_ref_node *ref_node;
6585 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
6587 return ERR_PTR(-ENOMEM);
6589 if (percpu_ref_init(&ref_node->refs, io_file_data_ref_zero,
6592 return ERR_PTR(-ENOMEM);
6594 INIT_LIST_HEAD(&ref_node->node);
6595 INIT_LIST_HEAD(&ref_node->file_list);
6596 ref_node->file_data = ctx->file_data;
6600 static void destroy_fixed_file_ref_node(struct fixed_file_ref_node *ref_node)
6602 percpu_ref_exit(&ref_node->refs);
6606 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
6609 __s32 __user *fds = (__s32 __user *) arg;
6614 struct fixed_file_ref_node *ref_node;
6620 if (nr_args > IORING_MAX_FIXED_FILES)
6623 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
6624 if (!ctx->file_data)
6626 ctx->file_data->ctx = ctx;
6627 init_completion(&ctx->file_data->done);
6628 INIT_LIST_HEAD(&ctx->file_data->ref_list);
6629 spin_lock_init(&ctx->file_data->lock);
6631 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
6632 ctx->file_data->table = kcalloc(nr_tables,
6633 sizeof(struct fixed_file_table),
6635 if (!ctx->file_data->table) {
6636 kfree(ctx->file_data);
6637 ctx->file_data = NULL;
6641 if (percpu_ref_init(&ctx->file_data->refs, io_file_ref_kill,
6642 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
6643 kfree(ctx->file_data->table);
6644 kfree(ctx->file_data);
6645 ctx->file_data = NULL;
6649 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
6650 percpu_ref_exit(&ctx->file_data->refs);
6651 kfree(ctx->file_data->table);
6652 kfree(ctx->file_data);
6653 ctx->file_data = NULL;
6657 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
6658 struct fixed_file_table *table;
6662 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
6664 /* allow sparse sets */
6670 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6671 index = i & IORING_FILE_TABLE_MASK;
6679 * Don't allow io_uring instances to be registered. If UNIX
6680 * isn't enabled, then this causes a reference cycle and this
6681 * instance can never get freed. If UNIX is enabled we'll
6682 * handle it just fine, but there's still no point in allowing
6683 * a ring fd as it doesn't support regular read/write anyway.
6685 if (file->f_op == &io_uring_fops) {
6690 table->files[index] = file;
6694 for (i = 0; i < ctx->nr_user_files; i++) {
6695 file = io_file_from_index(ctx, i);
6699 for (i = 0; i < nr_tables; i++)
6700 kfree(ctx->file_data->table[i].files);
6702 percpu_ref_exit(&ctx->file_data->refs);
6703 kfree(ctx->file_data->table);
6704 kfree(ctx->file_data);
6705 ctx->file_data = NULL;
6706 ctx->nr_user_files = 0;
6710 ret = io_sqe_files_scm(ctx);
6712 io_sqe_files_unregister(ctx);
6716 ref_node = alloc_fixed_file_ref_node(ctx);
6717 if (IS_ERR(ref_node)) {
6718 io_sqe_files_unregister(ctx);
6719 return PTR_ERR(ref_node);
6722 ctx->file_data->cur_refs = &ref_node->refs;
6723 spin_lock(&ctx->file_data->lock);
6724 list_add(&ref_node->node, &ctx->file_data->ref_list);
6725 spin_unlock(&ctx->file_data->lock);
6726 percpu_ref_get(&ctx->file_data->refs);
6730 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
6733 #if defined(CONFIG_UNIX)
6734 struct sock *sock = ctx->ring_sock->sk;
6735 struct sk_buff_head *head = &sock->sk_receive_queue;
6736 struct sk_buff *skb;
6739 * See if we can merge this file into an existing skb SCM_RIGHTS
6740 * file set. If there's no room, fall back to allocating a new skb
6741 * and filling it in.
6743 spin_lock_irq(&head->lock);
6744 skb = skb_peek(head);
6746 struct scm_fp_list *fpl = UNIXCB(skb).fp;
6748 if (fpl->count < SCM_MAX_FD) {
6749 __skb_unlink(skb, head);
6750 spin_unlock_irq(&head->lock);
6751 fpl->fp[fpl->count] = get_file(file);
6752 unix_inflight(fpl->user, fpl->fp[fpl->count]);
6754 spin_lock_irq(&head->lock);
6755 __skb_queue_head(head, skb);
6760 spin_unlock_irq(&head->lock);
6767 return __io_sqe_files_scm(ctx, 1, index);
6773 static int io_queue_file_removal(struct fixed_file_data *data,
6776 struct io_file_put *pfile;
6777 struct percpu_ref *refs = data->cur_refs;
6778 struct fixed_file_ref_node *ref_node;
6780 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
6784 ref_node = container_of(refs, struct fixed_file_ref_node, refs);
6786 list_add(&pfile->list, &ref_node->file_list);
6791 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
6792 struct io_uring_files_update *up,
6795 struct fixed_file_data *data = ctx->file_data;
6796 struct fixed_file_ref_node *ref_node;
6801 bool needs_switch = false;
6803 if (check_add_overflow(up->offset, nr_args, &done))
6805 if (done > ctx->nr_user_files)
6808 ref_node = alloc_fixed_file_ref_node(ctx);
6809 if (IS_ERR(ref_node))
6810 return PTR_ERR(ref_node);
6813 fds = u64_to_user_ptr(up->fds);
6815 struct fixed_file_table *table;
6819 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
6823 i = array_index_nospec(up->offset, ctx->nr_user_files);
6824 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6825 index = i & IORING_FILE_TABLE_MASK;
6826 if (table->files[index]) {
6827 file = io_file_from_index(ctx, index);
6828 err = io_queue_file_removal(data, file);
6831 table->files[index] = NULL;
6832 needs_switch = true;
6841 * Don't allow io_uring instances to be registered. If
6842 * UNIX isn't enabled, then this causes a reference
6843 * cycle and this instance can never get freed. If UNIX
6844 * is enabled we'll handle it just fine, but there's
6845 * still no point in allowing a ring fd as it doesn't
6846 * support regular read/write anyway.
6848 if (file->f_op == &io_uring_fops) {
6853 table->files[index] = file;
6854 err = io_sqe_file_register(ctx, file, i);
6866 percpu_ref_kill(data->cur_refs);
6867 spin_lock(&data->lock);
6868 list_add(&ref_node->node, &data->ref_list);
6869 data->cur_refs = &ref_node->refs;
6870 spin_unlock(&data->lock);
6871 percpu_ref_get(&ctx->file_data->refs);
6873 destroy_fixed_file_ref_node(ref_node);
6875 return done ? done : err;
6878 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
6881 struct io_uring_files_update up;
6883 if (!ctx->file_data)
6887 if (copy_from_user(&up, arg, sizeof(up)))
6892 return __io_sqe_files_update(ctx, &up, nr_args);
6895 static void io_free_work(struct io_wq_work *work)
6897 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6899 /* Consider that io_steal_work() relies on this ref */
6903 static int io_init_wq_offload(struct io_ring_ctx *ctx,
6904 struct io_uring_params *p)
6906 struct io_wq_data data;
6908 struct io_ring_ctx *ctx_attach;
6909 unsigned int concurrency;
6912 data.user = ctx->user;
6913 data.free_work = io_free_work;
6914 data.do_work = io_wq_submit_work;
6916 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
6917 /* Do QD, or 4 * CPUS, whatever is smallest */
6918 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
6920 ctx->io_wq = io_wq_create(concurrency, &data);
6921 if (IS_ERR(ctx->io_wq)) {
6922 ret = PTR_ERR(ctx->io_wq);
6928 f = fdget(p->wq_fd);
6932 if (f.file->f_op != &io_uring_fops) {
6937 ctx_attach = f.file->private_data;
6938 /* @io_wq is protected by holding the fd */
6939 if (!io_wq_get(ctx_attach->io_wq, &data)) {
6944 ctx->io_wq = ctx_attach->io_wq;
6950 static int io_sq_offload_start(struct io_ring_ctx *ctx,
6951 struct io_uring_params *p)
6955 mmgrab(current->mm);
6956 ctx->sqo_mm = current->mm;
6958 if (ctx->flags & IORING_SETUP_SQPOLL) {
6960 if (!capable(CAP_SYS_ADMIN))
6963 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
6964 if (!ctx->sq_thread_idle)
6965 ctx->sq_thread_idle = HZ;
6967 if (p->flags & IORING_SETUP_SQ_AFF) {
6968 int cpu = p->sq_thread_cpu;
6971 if (cpu >= nr_cpu_ids)
6973 if (!cpu_online(cpu))
6976 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
6980 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
6983 if (IS_ERR(ctx->sqo_thread)) {
6984 ret = PTR_ERR(ctx->sqo_thread);
6985 ctx->sqo_thread = NULL;
6988 wake_up_process(ctx->sqo_thread);
6989 } else if (p->flags & IORING_SETUP_SQ_AFF) {
6990 /* Can't have SQ_AFF without SQPOLL */
6995 ret = io_init_wq_offload(ctx, p);
7001 io_finish_async(ctx);
7002 mmdrop(ctx->sqo_mm);
7007 static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
7009 atomic_long_sub(nr_pages, &user->locked_vm);
7012 static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
7014 unsigned long page_limit, cur_pages, new_pages;
7016 /* Don't allow more pages than we can safely lock */
7017 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7020 cur_pages = atomic_long_read(&user->locked_vm);
7021 new_pages = cur_pages + nr_pages;
7022 if (new_pages > page_limit)
7024 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7025 new_pages) != cur_pages);
7030 static void io_mem_free(void *ptr)
7037 page = virt_to_head_page(ptr);
7038 if (put_page_testzero(page))
7039 free_compound_page(page);
7042 static void *io_mem_alloc(size_t size)
7044 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7047 return (void *) __get_free_pages(gfp_flags, get_order(size));
7050 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7053 struct io_rings *rings;
7054 size_t off, sq_array_size;
7056 off = struct_size(rings, cqes, cq_entries);
7057 if (off == SIZE_MAX)
7061 off = ALIGN(off, SMP_CACHE_BYTES);
7066 sq_array_size = array_size(sizeof(u32), sq_entries);
7067 if (sq_array_size == SIZE_MAX)
7070 if (check_add_overflow(off, sq_array_size, &off))
7079 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
7083 pages = (size_t)1 << get_order(
7084 rings_size(sq_entries, cq_entries, NULL));
7085 pages += (size_t)1 << get_order(
7086 array_size(sizeof(struct io_uring_sqe), sq_entries));
7091 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
7095 if (!ctx->user_bufs)
7098 for (i = 0; i < ctx->nr_user_bufs; i++) {
7099 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7101 for (j = 0; j < imu->nr_bvecs; j++)
7102 unpin_user_page(imu->bvec[j].bv_page);
7104 if (ctx->account_mem)
7105 io_unaccount_mem(ctx->user, imu->nr_bvecs);
7110 kfree(ctx->user_bufs);
7111 ctx->user_bufs = NULL;
7112 ctx->nr_user_bufs = 0;
7116 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
7117 void __user *arg, unsigned index)
7119 struct iovec __user *src;
7121 #ifdef CONFIG_COMPAT
7123 struct compat_iovec __user *ciovs;
7124 struct compat_iovec ciov;
7126 ciovs = (struct compat_iovec __user *) arg;
7127 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
7130 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
7131 dst->iov_len = ciov.iov_len;
7135 src = (struct iovec __user *) arg;
7136 if (copy_from_user(dst, &src[index], sizeof(*dst)))
7141 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
7144 struct vm_area_struct **vmas = NULL;
7145 struct page **pages = NULL;
7146 int i, j, got_pages = 0;
7151 if (!nr_args || nr_args > UIO_MAXIOV)
7154 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
7156 if (!ctx->user_bufs)
7159 for (i = 0; i < nr_args; i++) {
7160 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7161 unsigned long off, start, end, ubuf;
7166 ret = io_copy_iov(ctx, &iov, arg, i);
7171 * Don't impose further limits on the size and buffer
7172 * constraints here, we'll -EINVAL later when IO is
7173 * submitted if they are wrong.
7176 if (!iov.iov_base || !iov.iov_len)
7179 /* arbitrary limit, but we need something */
7180 if (iov.iov_len > SZ_1G)
7183 ubuf = (unsigned long) iov.iov_base;
7184 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
7185 start = ubuf >> PAGE_SHIFT;
7186 nr_pages = end - start;
7188 if (ctx->account_mem) {
7189 ret = io_account_mem(ctx->user, nr_pages);
7195 if (!pages || nr_pages > got_pages) {
7198 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
7200 vmas = kvmalloc_array(nr_pages,
7201 sizeof(struct vm_area_struct *),
7203 if (!pages || !vmas) {
7205 if (ctx->account_mem)
7206 io_unaccount_mem(ctx->user, nr_pages);
7209 got_pages = nr_pages;
7212 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
7216 if (ctx->account_mem)
7217 io_unaccount_mem(ctx->user, nr_pages);
7222 mmap_read_lock(current->mm);
7223 pret = pin_user_pages(ubuf, nr_pages,
7224 FOLL_WRITE | FOLL_LONGTERM,
7226 if (pret == nr_pages) {
7227 /* don't support file backed memory */
7228 for (j = 0; j < nr_pages; j++) {
7229 struct vm_area_struct *vma = vmas[j];
7232 !is_file_hugepages(vma->vm_file)) {
7238 ret = pret < 0 ? pret : -EFAULT;
7240 mmap_read_unlock(current->mm);
7243 * if we did partial map, or found file backed vmas,
7244 * release any pages we did get
7247 unpin_user_pages(pages, pret);
7248 if (ctx->account_mem)
7249 io_unaccount_mem(ctx->user, nr_pages);
7254 off = ubuf & ~PAGE_MASK;
7256 for (j = 0; j < nr_pages; j++) {
7259 vec_len = min_t(size_t, size, PAGE_SIZE - off);
7260 imu->bvec[j].bv_page = pages[j];
7261 imu->bvec[j].bv_len = vec_len;
7262 imu->bvec[j].bv_offset = off;
7266 /* store original address for later verification */
7268 imu->len = iov.iov_len;
7269 imu->nr_bvecs = nr_pages;
7271 ctx->nr_user_bufs++;
7279 io_sqe_buffer_unregister(ctx);
7283 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
7285 __s32 __user *fds = arg;
7291 if (copy_from_user(&fd, fds, sizeof(*fds)))
7294 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
7295 if (IS_ERR(ctx->cq_ev_fd)) {
7296 int ret = PTR_ERR(ctx->cq_ev_fd);
7297 ctx->cq_ev_fd = NULL;
7304 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
7306 if (ctx->cq_ev_fd) {
7307 eventfd_ctx_put(ctx->cq_ev_fd);
7308 ctx->cq_ev_fd = NULL;
7315 static int __io_destroy_buffers(int id, void *p, void *data)
7317 struct io_ring_ctx *ctx = data;
7318 struct io_buffer *buf = p;
7320 __io_remove_buffers(ctx, buf, id, -1U);
7324 static void io_destroy_buffers(struct io_ring_ctx *ctx)
7326 idr_for_each(&ctx->io_buffer_idr, __io_destroy_buffers, ctx);
7327 idr_destroy(&ctx->io_buffer_idr);
7330 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
7332 io_finish_async(ctx);
7334 mmdrop(ctx->sqo_mm);
7336 io_iopoll_reap_events(ctx);
7337 io_sqe_buffer_unregister(ctx);
7338 io_sqe_files_unregister(ctx);
7339 io_eventfd_unregister(ctx);
7340 io_destroy_buffers(ctx);
7341 idr_destroy(&ctx->personality_idr);
7343 #if defined(CONFIG_UNIX)
7344 if (ctx->ring_sock) {
7345 ctx->ring_sock->file = NULL; /* so that iput() is called */
7346 sock_release(ctx->ring_sock);
7350 io_mem_free(ctx->rings);
7351 io_mem_free(ctx->sq_sqes);
7353 percpu_ref_exit(&ctx->refs);
7354 free_uid(ctx->user);
7355 put_cred(ctx->creds);
7356 kfree(ctx->cancel_hash);
7357 kmem_cache_free(req_cachep, ctx->fallback_req);
7361 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
7363 struct io_ring_ctx *ctx = file->private_data;
7366 poll_wait(file, &ctx->cq_wait, wait);
7368 * synchronizes with barrier from wq_has_sleeper call in
7372 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
7373 ctx->rings->sq_ring_entries)
7374 mask |= EPOLLOUT | EPOLLWRNORM;
7375 if (io_cqring_events(ctx, false))
7376 mask |= EPOLLIN | EPOLLRDNORM;
7381 static int io_uring_fasync(int fd, struct file *file, int on)
7383 struct io_ring_ctx *ctx = file->private_data;
7385 return fasync_helper(fd, file, on, &ctx->cq_fasync);
7388 static int io_remove_personalities(int id, void *p, void *data)
7390 struct io_ring_ctx *ctx = data;
7391 const struct cred *cred;
7393 cred = idr_remove(&ctx->personality_idr, id);
7399 static void io_ring_exit_work(struct work_struct *work)
7401 struct io_ring_ctx *ctx;
7403 ctx = container_of(work, struct io_ring_ctx, exit_work);
7405 io_cqring_overflow_flush(ctx, true);
7408 * If we're doing polled IO and end up having requests being
7409 * submitted async (out-of-line), then completions can come in while
7410 * we're waiting for refs to drop. We need to reap these manually,
7411 * as nobody else will be looking for them.
7413 while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20)) {
7414 io_iopoll_reap_events(ctx);
7416 io_cqring_overflow_flush(ctx, true);
7418 io_ring_ctx_free(ctx);
7421 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
7423 mutex_lock(&ctx->uring_lock);
7424 percpu_ref_kill(&ctx->refs);
7425 mutex_unlock(&ctx->uring_lock);
7427 io_kill_timeouts(ctx);
7428 io_poll_remove_all(ctx);
7431 io_wq_cancel_all(ctx->io_wq);
7433 io_iopoll_reap_events(ctx);
7434 /* if we failed setting up the ctx, we might not have any rings */
7436 io_cqring_overflow_flush(ctx, true);
7437 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
7440 * Do this upfront, so we won't have a grace period where the ring
7441 * is closed but resources aren't reaped yet. This can cause
7442 * spurious failure in setting up a new ring.
7444 if (ctx->account_mem)
7445 io_unaccount_mem(ctx->user,
7446 ring_pages(ctx->sq_entries, ctx->cq_entries));
7448 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
7449 queue_work(system_wq, &ctx->exit_work);
7452 static int io_uring_release(struct inode *inode, struct file *file)
7454 struct io_ring_ctx *ctx = file->private_data;
7456 file->private_data = NULL;
7457 io_ring_ctx_wait_and_kill(ctx);
7461 static bool io_wq_files_match(struct io_wq_work *work, void *data)
7463 struct files_struct *files = data;
7465 return work->files == files;
7468 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
7469 struct files_struct *files)
7471 if (list_empty_careful(&ctx->inflight_list))
7474 /* cancel all at once, should be faster than doing it one by one*/
7475 io_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);
7477 while (!list_empty_careful(&ctx->inflight_list)) {
7478 struct io_kiocb *cancel_req = NULL, *req;
7481 spin_lock_irq(&ctx->inflight_lock);
7482 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
7483 if (req->work.files != files)
7485 /* req is being completed, ignore */
7486 if (!refcount_inc_not_zero(&req->refs))
7492 prepare_to_wait(&ctx->inflight_wait, &wait,
7493 TASK_UNINTERRUPTIBLE);
7494 spin_unlock_irq(&ctx->inflight_lock);
7496 /* We need to keep going until we don't find a matching req */
7500 if (cancel_req->flags & REQ_F_OVERFLOW) {
7501 spin_lock_irq(&ctx->completion_lock);
7502 list_del(&cancel_req->list);
7503 cancel_req->flags &= ~REQ_F_OVERFLOW;
7504 if (list_empty(&ctx->cq_overflow_list)) {
7505 clear_bit(0, &ctx->sq_check_overflow);
7506 clear_bit(0, &ctx->cq_check_overflow);
7507 ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
7509 spin_unlock_irq(&ctx->completion_lock);
7511 WRITE_ONCE(ctx->rings->cq_overflow,
7512 atomic_inc_return(&ctx->cached_cq_overflow));
7515 * Put inflight ref and overflow ref. If that's
7516 * all we had, then we're done with this request.
7518 if (refcount_sub_and_test(2, &cancel_req->refs)) {
7519 io_free_req(cancel_req);
7520 finish_wait(&ctx->inflight_wait, &wait);
7524 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
7525 io_put_req(cancel_req);
7529 finish_wait(&ctx->inflight_wait, &wait);
7533 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
7535 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7536 struct task_struct *task = data;
7538 return req->task == task;
7541 static int io_uring_flush(struct file *file, void *data)
7543 struct io_ring_ctx *ctx = file->private_data;
7545 io_uring_cancel_files(ctx, data);
7548 * If the task is going away, cancel work it may have pending
7550 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
7551 io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, current, true);
7556 static void *io_uring_validate_mmap_request(struct file *file,
7557 loff_t pgoff, size_t sz)
7559 struct io_ring_ctx *ctx = file->private_data;
7560 loff_t offset = pgoff << PAGE_SHIFT;
7565 case IORING_OFF_SQ_RING:
7566 case IORING_OFF_CQ_RING:
7569 case IORING_OFF_SQES:
7573 return ERR_PTR(-EINVAL);
7576 page = virt_to_head_page(ptr);
7577 if (sz > page_size(page))
7578 return ERR_PTR(-EINVAL);
7585 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7587 size_t sz = vma->vm_end - vma->vm_start;
7591 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
7593 return PTR_ERR(ptr);
7595 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
7596 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
7599 #else /* !CONFIG_MMU */
7601 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7603 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
7606 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
7608 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
7611 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
7612 unsigned long addr, unsigned long len,
7613 unsigned long pgoff, unsigned long flags)
7617 ptr = io_uring_validate_mmap_request(file, pgoff, len);
7619 return PTR_ERR(ptr);
7621 return (unsigned long) ptr;
7624 #endif /* !CONFIG_MMU */
7626 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
7627 u32, min_complete, u32, flags, const sigset_t __user *, sig,
7630 struct io_ring_ctx *ctx;
7635 if (current->task_works)
7638 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
7646 if (f.file->f_op != &io_uring_fops)
7650 ctx = f.file->private_data;
7651 if (!percpu_ref_tryget(&ctx->refs))
7655 * For SQ polling, the thread will do all submissions and completions.
7656 * Just return the requested submit count, and wake the thread if
7660 if (ctx->flags & IORING_SETUP_SQPOLL) {
7661 if (!list_empty_careful(&ctx->cq_overflow_list))
7662 io_cqring_overflow_flush(ctx, false);
7663 if (flags & IORING_ENTER_SQ_WAKEUP)
7664 wake_up(&ctx->sqo_wait);
7665 submitted = to_submit;
7666 } else if (to_submit) {
7667 mutex_lock(&ctx->uring_lock);
7668 submitted = io_submit_sqes(ctx, to_submit, f.file, fd);
7669 mutex_unlock(&ctx->uring_lock);
7671 if (submitted != to_submit)
7674 if (flags & IORING_ENTER_GETEVENTS) {
7675 unsigned nr_events = 0;
7677 min_complete = min(min_complete, ctx->cq_entries);
7680 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
7681 * space applications don't need to do io completion events
7682 * polling again, they can rely on io_sq_thread to do polling
7683 * work, which can reduce cpu usage and uring_lock contention.
7685 if (ctx->flags & IORING_SETUP_IOPOLL &&
7686 !(ctx->flags & IORING_SETUP_SQPOLL)) {
7687 ret = io_iopoll_check(ctx, &nr_events, min_complete);
7689 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
7694 percpu_ref_put(&ctx->refs);
7697 return submitted ? submitted : ret;
7700 #ifdef CONFIG_PROC_FS
7701 static int io_uring_show_cred(int id, void *p, void *data)
7703 const struct cred *cred = p;
7704 struct seq_file *m = data;
7705 struct user_namespace *uns = seq_user_ns(m);
7706 struct group_info *gi;
7711 seq_printf(m, "%5d\n", id);
7712 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
7713 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
7714 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
7715 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
7716 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
7717 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
7718 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
7719 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
7720 seq_puts(m, "\n\tGroups:\t");
7721 gi = cred->group_info;
7722 for (g = 0; g < gi->ngroups; g++) {
7723 seq_put_decimal_ull(m, g ? " " : "",
7724 from_kgid_munged(uns, gi->gid[g]));
7726 seq_puts(m, "\n\tCapEff:\t");
7727 cap = cred->cap_effective;
7728 CAP_FOR_EACH_U32(__capi)
7729 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
7734 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
7738 mutex_lock(&ctx->uring_lock);
7739 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
7740 for (i = 0; i < ctx->nr_user_files; i++) {
7741 struct fixed_file_table *table;
7744 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7745 f = table->files[i & IORING_FILE_TABLE_MASK];
7747 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
7749 seq_printf(m, "%5u: <none>\n", i);
7751 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
7752 for (i = 0; i < ctx->nr_user_bufs; i++) {
7753 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
7755 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
7756 (unsigned int) buf->len);
7758 if (!idr_is_empty(&ctx->personality_idr)) {
7759 seq_printf(m, "Personalities:\n");
7760 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
7762 seq_printf(m, "PollList:\n");
7763 spin_lock_irq(&ctx->completion_lock);
7764 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
7765 struct hlist_head *list = &ctx->cancel_hash[i];
7766 struct io_kiocb *req;
7768 hlist_for_each_entry(req, list, hash_node)
7769 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
7770 req->task->task_works != NULL);
7772 spin_unlock_irq(&ctx->completion_lock);
7773 mutex_unlock(&ctx->uring_lock);
7776 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
7778 struct io_ring_ctx *ctx = f->private_data;
7780 if (percpu_ref_tryget(&ctx->refs)) {
7781 __io_uring_show_fdinfo(ctx, m);
7782 percpu_ref_put(&ctx->refs);
7787 static const struct file_operations io_uring_fops = {
7788 .release = io_uring_release,
7789 .flush = io_uring_flush,
7790 .mmap = io_uring_mmap,
7792 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
7793 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
7795 .poll = io_uring_poll,
7796 .fasync = io_uring_fasync,
7797 #ifdef CONFIG_PROC_FS
7798 .show_fdinfo = io_uring_show_fdinfo,
7802 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
7803 struct io_uring_params *p)
7805 struct io_rings *rings;
7806 size_t size, sq_array_offset;
7808 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
7809 if (size == SIZE_MAX)
7812 rings = io_mem_alloc(size);
7817 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
7818 rings->sq_ring_mask = p->sq_entries - 1;
7819 rings->cq_ring_mask = p->cq_entries - 1;
7820 rings->sq_ring_entries = p->sq_entries;
7821 rings->cq_ring_entries = p->cq_entries;
7822 ctx->sq_mask = rings->sq_ring_mask;
7823 ctx->cq_mask = rings->cq_ring_mask;
7824 ctx->sq_entries = rings->sq_ring_entries;
7825 ctx->cq_entries = rings->cq_ring_entries;
7827 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
7828 if (size == SIZE_MAX) {
7829 io_mem_free(ctx->rings);
7834 ctx->sq_sqes = io_mem_alloc(size);
7835 if (!ctx->sq_sqes) {
7836 io_mem_free(ctx->rings);
7845 * Allocate an anonymous fd, this is what constitutes the application
7846 * visible backing of an io_uring instance. The application mmaps this
7847 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
7848 * we have to tie this fd to a socket for file garbage collection purposes.
7850 static int io_uring_get_fd(struct io_ring_ctx *ctx)
7855 #if defined(CONFIG_UNIX)
7856 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
7862 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
7866 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
7867 O_RDWR | O_CLOEXEC);
7870 ret = PTR_ERR(file);
7874 #if defined(CONFIG_UNIX)
7875 ctx->ring_sock->file = file;
7877 fd_install(ret, file);
7880 #if defined(CONFIG_UNIX)
7881 sock_release(ctx->ring_sock);
7882 ctx->ring_sock = NULL;
7887 static int io_uring_create(unsigned entries, struct io_uring_params *p,
7888 struct io_uring_params __user *params)
7890 struct user_struct *user = NULL;
7891 struct io_ring_ctx *ctx;
7897 if (entries > IORING_MAX_ENTRIES) {
7898 if (!(p->flags & IORING_SETUP_CLAMP))
7900 entries = IORING_MAX_ENTRIES;
7904 * Use twice as many entries for the CQ ring. It's possible for the
7905 * application to drive a higher depth than the size of the SQ ring,
7906 * since the sqes are only used at submission time. This allows for
7907 * some flexibility in overcommitting a bit. If the application has
7908 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
7909 * of CQ ring entries manually.
7911 p->sq_entries = roundup_pow_of_two(entries);
7912 if (p->flags & IORING_SETUP_CQSIZE) {
7914 * If IORING_SETUP_CQSIZE is set, we do the same roundup
7915 * to a power-of-two, if it isn't already. We do NOT impose
7916 * any cq vs sq ring sizing.
7918 if (p->cq_entries < p->sq_entries)
7920 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
7921 if (!(p->flags & IORING_SETUP_CLAMP))
7923 p->cq_entries = IORING_MAX_CQ_ENTRIES;
7925 p->cq_entries = roundup_pow_of_two(p->cq_entries);
7927 p->cq_entries = 2 * p->sq_entries;
7930 user = get_uid(current_user());
7931 account_mem = !capable(CAP_IPC_LOCK);
7934 ret = io_account_mem(user,
7935 ring_pages(p->sq_entries, p->cq_entries));
7942 ctx = io_ring_ctx_alloc(p);
7945 io_unaccount_mem(user, ring_pages(p->sq_entries,
7950 ctx->compat = in_compat_syscall();
7951 ctx->account_mem = account_mem;
7953 ctx->creds = get_current_cred();
7955 ret = io_allocate_scq_urings(ctx, p);
7959 ret = io_sq_offload_start(ctx, p);
7963 memset(&p->sq_off, 0, sizeof(p->sq_off));
7964 p->sq_off.head = offsetof(struct io_rings, sq.head);
7965 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
7966 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
7967 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
7968 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
7969 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
7970 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
7972 memset(&p->cq_off, 0, sizeof(p->cq_off));
7973 p->cq_off.head = offsetof(struct io_rings, cq.head);
7974 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
7975 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
7976 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
7977 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
7978 p->cq_off.cqes = offsetof(struct io_rings, cqes);
7979 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
7981 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
7982 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
7983 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL;
7985 if (copy_to_user(params, p, sizeof(*p))) {
7990 * Install ring fd as the very last thing, so we don't risk someone
7991 * having closed it before we finish setup
7993 ret = io_uring_get_fd(ctx);
7997 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
8000 io_ring_ctx_wait_and_kill(ctx);
8005 * Sets up an aio uring context, and returns the fd. Applications asks for a
8006 * ring size, we return the actual sq/cq ring sizes (among other things) in the
8007 * params structure passed in.
8009 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
8011 struct io_uring_params p;
8014 if (copy_from_user(&p, params, sizeof(p)))
8016 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
8021 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8022 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
8023 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ))
8026 return io_uring_create(entries, &p, params);
8029 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
8030 struct io_uring_params __user *, params)
8032 return io_uring_setup(entries, params);
8035 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
8037 struct io_uring_probe *p;
8041 size = struct_size(p, ops, nr_args);
8042 if (size == SIZE_MAX)
8044 p = kzalloc(size, GFP_KERNEL);
8049 if (copy_from_user(p, arg, size))
8052 if (memchr_inv(p, 0, size))
8055 p->last_op = IORING_OP_LAST - 1;
8056 if (nr_args > IORING_OP_LAST)
8057 nr_args = IORING_OP_LAST;
8059 for (i = 0; i < nr_args; i++) {
8061 if (!io_op_defs[i].not_supported)
8062 p->ops[i].flags = IO_URING_OP_SUPPORTED;
8067 if (copy_to_user(arg, p, size))
8074 static int io_register_personality(struct io_ring_ctx *ctx)
8076 const struct cred *creds = get_current_cred();
8079 id = idr_alloc_cyclic(&ctx->personality_idr, (void *) creds, 1,
8080 USHRT_MAX, GFP_KERNEL);
8086 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
8088 const struct cred *old_creds;
8090 old_creds = idr_remove(&ctx->personality_idr, id);
8092 put_cred(old_creds);
8099 static bool io_register_op_must_quiesce(int op)
8102 case IORING_UNREGISTER_FILES:
8103 case IORING_REGISTER_FILES_UPDATE:
8104 case IORING_REGISTER_PROBE:
8105 case IORING_REGISTER_PERSONALITY:
8106 case IORING_UNREGISTER_PERSONALITY:
8113 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
8114 void __user *arg, unsigned nr_args)
8115 __releases(ctx->uring_lock)
8116 __acquires(ctx->uring_lock)
8121 * We're inside the ring mutex, if the ref is already dying, then
8122 * someone else killed the ctx or is already going through
8123 * io_uring_register().
8125 if (percpu_ref_is_dying(&ctx->refs))
8128 if (io_register_op_must_quiesce(opcode)) {
8129 percpu_ref_kill(&ctx->refs);
8132 * Drop uring mutex before waiting for references to exit. If
8133 * another thread is currently inside io_uring_enter() it might
8134 * need to grab the uring_lock to make progress. If we hold it
8135 * here across the drain wait, then we can deadlock. It's safe
8136 * to drop the mutex here, since no new references will come in
8137 * after we've killed the percpu ref.
8139 mutex_unlock(&ctx->uring_lock);
8140 ret = wait_for_completion_interruptible(&ctx->ref_comp);
8141 mutex_lock(&ctx->uring_lock);
8143 percpu_ref_resurrect(&ctx->refs);
8150 case IORING_REGISTER_BUFFERS:
8151 ret = io_sqe_buffer_register(ctx, arg, nr_args);
8153 case IORING_UNREGISTER_BUFFERS:
8157 ret = io_sqe_buffer_unregister(ctx);
8159 case IORING_REGISTER_FILES:
8160 ret = io_sqe_files_register(ctx, arg, nr_args);
8162 case IORING_UNREGISTER_FILES:
8166 ret = io_sqe_files_unregister(ctx);
8168 case IORING_REGISTER_FILES_UPDATE:
8169 ret = io_sqe_files_update(ctx, arg, nr_args);
8171 case IORING_REGISTER_EVENTFD:
8172 case IORING_REGISTER_EVENTFD_ASYNC:
8176 ret = io_eventfd_register(ctx, arg);
8179 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
8180 ctx->eventfd_async = 1;
8182 ctx->eventfd_async = 0;
8184 case IORING_UNREGISTER_EVENTFD:
8188 ret = io_eventfd_unregister(ctx);
8190 case IORING_REGISTER_PROBE:
8192 if (!arg || nr_args > 256)
8194 ret = io_probe(ctx, arg, nr_args);
8196 case IORING_REGISTER_PERSONALITY:
8200 ret = io_register_personality(ctx);
8202 case IORING_UNREGISTER_PERSONALITY:
8206 ret = io_unregister_personality(ctx, nr_args);
8213 if (io_register_op_must_quiesce(opcode)) {
8214 /* bring the ctx back to life */
8215 percpu_ref_reinit(&ctx->refs);
8217 reinit_completion(&ctx->ref_comp);
8222 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
8223 void __user *, arg, unsigned int, nr_args)
8225 struct io_ring_ctx *ctx;
8234 if (f.file->f_op != &io_uring_fops)
8237 ctx = f.file->private_data;
8239 mutex_lock(&ctx->uring_lock);
8240 ret = __io_uring_register(ctx, opcode, arg, nr_args);
8241 mutex_unlock(&ctx->uring_lock);
8242 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
8243 ctx->cq_ev_fd != NULL, ret);
8249 static int __init io_uring_init(void)
8251 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
8252 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
8253 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
8256 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
8257 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
8258 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
8259 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
8260 BUILD_BUG_SQE_ELEM(1, __u8, flags);
8261 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
8262 BUILD_BUG_SQE_ELEM(4, __s32, fd);
8263 BUILD_BUG_SQE_ELEM(8, __u64, off);
8264 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
8265 BUILD_BUG_SQE_ELEM(16, __u64, addr);
8266 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
8267 BUILD_BUG_SQE_ELEM(24, __u32, len);
8268 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
8269 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
8270 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
8271 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
8272 BUILD_BUG_SQE_ELEM(28, __u16, poll_events);
8273 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
8274 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
8275 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
8276 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
8277 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
8278 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
8279 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
8280 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
8281 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
8282 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
8283 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
8284 BUILD_BUG_SQE_ELEM(42, __u16, personality);
8285 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
8287 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
8288 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
8289 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
8292 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob