1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <linux/refcount.h>
48 #include <linux/uio.h>
49 #include <linux/bits.h>
51 #include <linux/sched/signal.h>
53 #include <linux/file.h>
54 #include <linux/fdtable.h>
56 #include <linux/mman.h>
57 #include <linux/mmu_context.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
80 #define CREATE_TRACE_POINTS
81 #include <trace/events/io_uring.h>
83 #include <uapi/linux/io_uring.h>
88 #define IORING_MAX_ENTRIES 32768
89 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
92 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
94 #define IORING_FILE_TABLE_SHIFT 9
95 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
96 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
97 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
100 u32 head ____cacheline_aligned_in_smp;
101 u32 tail ____cacheline_aligned_in_smp;
105 * This data is shared with the application through the mmap at offsets
106 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
108 * The offsets to the member fields are published through struct
109 * io_sqring_offsets when calling io_uring_setup.
113 * Head and tail offsets into the ring; the offsets need to be
114 * masked to get valid indices.
116 * The kernel controls head of the sq ring and the tail of the cq ring,
117 * and the application controls tail of the sq ring and the head of the
120 struct io_uring sq, cq;
122 * Bitmasks to apply to head and tail offsets (constant, equals
125 u32 sq_ring_mask, cq_ring_mask;
126 /* Ring sizes (constant, power of 2) */
127 u32 sq_ring_entries, cq_ring_entries;
129 * Number of invalid entries dropped by the kernel due to
130 * invalid index stored in array
132 * Written by the kernel, shouldn't be modified by the
133 * application (i.e. get number of "new events" by comparing to
136 * After a new SQ head value was read by the application this
137 * counter includes all submissions that were dropped reaching
138 * the new SQ head (and possibly more).
144 * Written by the kernel, shouldn't be modified by the
147 * The application needs a full memory barrier before checking
148 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
152 * Number of completion events lost because the queue was full;
153 * this should be avoided by the application by making sure
154 * there are not more requests pending than there is space in
155 * the completion queue.
157 * Written by the kernel, shouldn't be modified by the
158 * application (i.e. get number of "new events" by comparing to
161 * As completion events come in out of order this counter is not
162 * ordered with any other data.
166 * Ring buffer of completion events.
168 * The kernel writes completion events fresh every time they are
169 * produced, so the application is allowed to modify pending
172 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
175 struct io_mapped_ubuf {
178 struct bio_vec *bvec;
179 unsigned int nr_bvecs;
182 struct fixed_file_table {
186 struct fixed_file_data {
187 struct fixed_file_table *table;
188 struct io_ring_ctx *ctx;
190 struct percpu_ref refs;
191 struct llist_head put_llist;
192 struct work_struct ref_work;
193 struct completion done;
199 struct percpu_ref refs;
200 } ____cacheline_aligned_in_smp;
204 unsigned int compat: 1;
205 unsigned int account_mem: 1;
206 unsigned int cq_overflow_flushed: 1;
207 unsigned int drain_next: 1;
208 unsigned int eventfd_async: 1;
211 * Ring buffer of indices into array of io_uring_sqe, which is
212 * mmapped by the application using the IORING_OFF_SQES offset.
214 * This indirection could e.g. be used to assign fixed
215 * io_uring_sqe entries to operations and only submit them to
216 * the queue when needed.
218 * The kernel modifies neither the indices array nor the entries
222 unsigned cached_sq_head;
225 unsigned sq_thread_idle;
226 unsigned cached_sq_dropped;
227 atomic_t cached_cq_overflow;
228 unsigned long sq_check_overflow;
230 struct list_head defer_list;
231 struct list_head timeout_list;
232 struct list_head cq_overflow_list;
234 wait_queue_head_t inflight_wait;
235 struct io_uring_sqe *sq_sqes;
236 } ____cacheline_aligned_in_smp;
238 struct io_rings *rings;
242 struct task_struct *sqo_thread; /* if using sq thread polling */
243 struct mm_struct *sqo_mm;
244 wait_queue_head_t sqo_wait;
247 * If used, fixed file set. Writers must ensure that ->refs is dead,
248 * readers must ensure that ->refs is alive as long as the file* is
249 * used. Only updated through io_uring_register(2).
251 struct fixed_file_data *file_data;
252 unsigned nr_user_files;
254 struct file *ring_file;
256 /* if used, fixed mapped user buffers */
257 unsigned nr_user_bufs;
258 struct io_mapped_ubuf *user_bufs;
260 struct user_struct *user;
262 const struct cred *creds;
264 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
265 struct completion *completions;
267 /* if all else fails... */
268 struct io_kiocb *fallback_req;
270 #if defined(CONFIG_UNIX)
271 struct socket *ring_sock;
274 struct idr personality_idr;
277 unsigned cached_cq_tail;
280 atomic_t cq_timeouts;
281 unsigned long cq_check_overflow;
282 struct wait_queue_head cq_wait;
283 struct fasync_struct *cq_fasync;
284 struct eventfd_ctx *cq_ev_fd;
285 } ____cacheline_aligned_in_smp;
288 struct mutex uring_lock;
289 wait_queue_head_t wait;
290 } ____cacheline_aligned_in_smp;
293 spinlock_t completion_lock;
294 struct llist_head poll_llist;
297 * ->poll_list is protected by the ctx->uring_lock for
298 * io_uring instances that don't use IORING_SETUP_SQPOLL.
299 * For SQPOLL, only the single threaded io_sq_thread() will
300 * manipulate the list, hence no extra locking is needed there.
302 struct list_head poll_list;
303 struct hlist_head *cancel_hash;
304 unsigned cancel_hash_bits;
305 bool poll_multi_file;
307 spinlock_t inflight_lock;
308 struct list_head inflight_list;
309 } ____cacheline_aligned_in_smp;
313 * First field must be the file pointer in all the
314 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
316 struct io_poll_iocb {
319 struct wait_queue_head *head;
325 struct wait_queue_entry wait;
330 struct file *put_file;
334 struct io_timeout_data {
335 struct io_kiocb *req;
336 struct hrtimer timer;
337 struct timespec64 ts;
338 enum hrtimer_mode mode;
344 struct sockaddr __user *addr;
345 int __user *addr_len;
370 /* NOTE: kiocb has the file as the first member, so don't do it here */
378 struct sockaddr __user *addr;
385 struct user_msghdr __user *msg;
398 struct filename *filename;
399 struct statx __user *buffer;
403 struct io_files_update {
429 struct epoll_event event;
432 struct io_async_connect {
433 struct sockaddr_storage address;
436 struct io_async_msghdr {
437 struct iovec fast_iov[UIO_FASTIOV];
439 struct sockaddr __user *uaddr;
441 struct sockaddr_storage addr;
445 struct iovec fast_iov[UIO_FASTIOV];
451 struct io_async_ctx {
453 struct io_async_rw rw;
454 struct io_async_msghdr msg;
455 struct io_async_connect connect;
456 struct io_timeout_data timeout;
461 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
462 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
463 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
464 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
465 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
472 REQ_F_IOPOLL_COMPLETED_BIT,
473 REQ_F_LINK_TIMEOUT_BIT,
477 REQ_F_TIMEOUT_NOSEQ_BIT,
478 REQ_F_COMP_LOCKED_BIT,
479 REQ_F_NEED_CLEANUP_BIT,
485 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
486 /* drain existing IO first */
487 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
489 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
490 /* doesn't sever on completion < 0 */
491 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
493 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
495 /* already grabbed next link */
496 REQ_F_LINK_NEXT = BIT(REQ_F_LINK_NEXT_BIT),
497 /* fail rest of links */
498 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
499 /* on inflight list */
500 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
501 /* read/write uses file position */
502 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
503 /* must not punt to workers */
504 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
505 /* polled IO has completed */
506 REQ_F_IOPOLL_COMPLETED = BIT(REQ_F_IOPOLL_COMPLETED_BIT),
507 /* has linked timeout */
508 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
509 /* timeout request */
510 REQ_F_TIMEOUT = BIT(REQ_F_TIMEOUT_BIT),
512 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
513 /* must be punted even for NONBLOCK */
514 REQ_F_MUST_PUNT = BIT(REQ_F_MUST_PUNT_BIT),
515 /* no timeout sequence */
516 REQ_F_TIMEOUT_NOSEQ = BIT(REQ_F_TIMEOUT_NOSEQ_BIT),
517 /* completion under lock */
518 REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
520 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
521 /* in overflow list */
522 REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
526 * NOTE! Each of the iocb union members has the file pointer
527 * as the first entry in their struct definition. So you can
528 * access the file pointer through any of the sub-structs,
529 * or directly as just 'ki_filp' in this struct.
535 struct io_poll_iocb poll;
536 struct io_accept accept;
538 struct io_cancel cancel;
539 struct io_timeout timeout;
540 struct io_connect connect;
541 struct io_sr_msg sr_msg;
543 struct io_close close;
544 struct io_files_update files_update;
545 struct io_fadvise fadvise;
546 struct io_madvise madvise;
547 struct io_epoll epoll;
550 struct io_async_ctx *io;
552 * llist_node is only used for poll deferred completions
554 struct llist_node llist_node;
556 bool needs_fixed_file;
559 struct io_ring_ctx *ctx;
561 struct list_head list;
562 struct hlist_node hash_node;
564 struct list_head link_list;
571 struct list_head inflight_entry;
573 struct io_wq_work work;
576 #define IO_PLUG_THRESHOLD 2
577 #define IO_IOPOLL_BATCH 8
579 struct io_submit_state {
580 struct blk_plug plug;
583 * io_kiocb alloc cache
585 void *reqs[IO_IOPOLL_BATCH];
586 unsigned int free_reqs;
589 * File reference cache
593 unsigned int has_refs;
594 unsigned int used_refs;
595 unsigned int ios_left;
599 /* needs req->io allocated for deferral/async */
600 unsigned async_ctx : 1;
601 /* needs current->mm setup, does mm access */
602 unsigned needs_mm : 1;
603 /* needs req->file assigned */
604 unsigned needs_file : 1;
605 /* needs req->file assigned IFF fd is >= 0 */
606 unsigned fd_non_neg : 1;
607 /* hash wq insertion if file is a regular file */
608 unsigned hash_reg_file : 1;
609 /* unbound wq insertion if file is a non-regular file */
610 unsigned unbound_nonreg_file : 1;
611 /* opcode is not supported by this kernel */
612 unsigned not_supported : 1;
613 /* needs file table */
614 unsigned file_table : 1;
616 unsigned needs_fs : 1;
619 static const struct io_op_def io_op_defs[] = {
620 [IORING_OP_NOP] = {},
621 [IORING_OP_READV] = {
625 .unbound_nonreg_file = 1,
627 [IORING_OP_WRITEV] = {
632 .unbound_nonreg_file = 1,
634 [IORING_OP_FSYNC] = {
637 [IORING_OP_READ_FIXED] = {
639 .unbound_nonreg_file = 1,
641 [IORING_OP_WRITE_FIXED] = {
644 .unbound_nonreg_file = 1,
646 [IORING_OP_POLL_ADD] = {
648 .unbound_nonreg_file = 1,
650 [IORING_OP_POLL_REMOVE] = {},
651 [IORING_OP_SYNC_FILE_RANGE] = {
654 [IORING_OP_SENDMSG] = {
658 .unbound_nonreg_file = 1,
661 [IORING_OP_RECVMSG] = {
665 .unbound_nonreg_file = 1,
668 [IORING_OP_TIMEOUT] = {
672 [IORING_OP_TIMEOUT_REMOVE] = {},
673 [IORING_OP_ACCEPT] = {
676 .unbound_nonreg_file = 1,
679 [IORING_OP_ASYNC_CANCEL] = {},
680 [IORING_OP_LINK_TIMEOUT] = {
684 [IORING_OP_CONNECT] = {
688 .unbound_nonreg_file = 1,
690 [IORING_OP_FALLOCATE] = {
693 [IORING_OP_OPENAT] = {
699 [IORING_OP_CLOSE] = {
703 [IORING_OP_FILES_UPDATE] = {
707 [IORING_OP_STATX] = {
716 .unbound_nonreg_file = 1,
718 [IORING_OP_WRITE] = {
721 .unbound_nonreg_file = 1,
723 [IORING_OP_FADVISE] = {
726 [IORING_OP_MADVISE] = {
732 .unbound_nonreg_file = 1,
737 .unbound_nonreg_file = 1,
739 [IORING_OP_OPENAT2] = {
745 [IORING_OP_EPOLL_CTL] = {
746 .unbound_nonreg_file = 1,
751 static void io_wq_submit_work(struct io_wq_work **workptr);
752 static void io_cqring_fill_event(struct io_kiocb *req, long res);
753 static void io_put_req(struct io_kiocb *req);
754 static void __io_double_put_req(struct io_kiocb *req);
755 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
756 static void io_queue_linked_timeout(struct io_kiocb *req);
757 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
758 struct io_uring_files_update *ip,
760 static int io_grab_files(struct io_kiocb *req);
761 static void io_ring_file_ref_flush(struct fixed_file_data *data);
762 static void io_cleanup_req(struct io_kiocb *req);
764 static struct kmem_cache *req_cachep;
766 static const struct file_operations io_uring_fops;
768 struct sock *io_uring_get_socket(struct file *file)
770 #if defined(CONFIG_UNIX)
771 if (file->f_op == &io_uring_fops) {
772 struct io_ring_ctx *ctx = file->private_data;
774 return ctx->ring_sock->sk;
779 EXPORT_SYMBOL(io_uring_get_socket);
781 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
783 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
785 complete(&ctx->completions[0]);
788 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
790 struct io_ring_ctx *ctx;
793 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
797 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
798 if (!ctx->fallback_req)
801 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
802 if (!ctx->completions)
806 * Use 5 bits less than the max cq entries, that should give us around
807 * 32 entries per hash list if totally full and uniformly spread.
809 hash_bits = ilog2(p->cq_entries);
813 ctx->cancel_hash_bits = hash_bits;
814 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
816 if (!ctx->cancel_hash)
818 __hash_init(ctx->cancel_hash, 1U << hash_bits);
820 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
821 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
824 ctx->flags = p->flags;
825 init_waitqueue_head(&ctx->cq_wait);
826 INIT_LIST_HEAD(&ctx->cq_overflow_list);
827 init_completion(&ctx->completions[0]);
828 init_completion(&ctx->completions[1]);
829 idr_init(&ctx->personality_idr);
830 mutex_init(&ctx->uring_lock);
831 init_waitqueue_head(&ctx->wait);
832 spin_lock_init(&ctx->completion_lock);
833 init_llist_head(&ctx->poll_llist);
834 INIT_LIST_HEAD(&ctx->poll_list);
835 INIT_LIST_HEAD(&ctx->defer_list);
836 INIT_LIST_HEAD(&ctx->timeout_list);
837 init_waitqueue_head(&ctx->inflight_wait);
838 spin_lock_init(&ctx->inflight_lock);
839 INIT_LIST_HEAD(&ctx->inflight_list);
842 if (ctx->fallback_req)
843 kmem_cache_free(req_cachep, ctx->fallback_req);
844 kfree(ctx->completions);
845 kfree(ctx->cancel_hash);
850 static inline bool __req_need_defer(struct io_kiocb *req)
852 struct io_ring_ctx *ctx = req->ctx;
854 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
855 + atomic_read(&ctx->cached_cq_overflow);
858 static inline bool req_need_defer(struct io_kiocb *req)
860 if (unlikely(req->flags & REQ_F_IO_DRAIN))
861 return __req_need_defer(req);
866 static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
868 struct io_kiocb *req;
870 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
871 if (req && !req_need_defer(req)) {
872 list_del_init(&req->list);
879 static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
881 struct io_kiocb *req;
883 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
885 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
887 if (!__req_need_defer(req)) {
888 list_del_init(&req->list);
896 static void __io_commit_cqring(struct io_ring_ctx *ctx)
898 struct io_rings *rings = ctx->rings;
900 /* order cqe stores with ring update */
901 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
903 if (wq_has_sleeper(&ctx->cq_wait)) {
904 wake_up_interruptible(&ctx->cq_wait);
905 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
909 static inline void io_req_work_grab_env(struct io_kiocb *req,
910 const struct io_op_def *def)
912 if (!req->work.mm && def->needs_mm) {
914 req->work.mm = current->mm;
916 if (!req->work.creds)
917 req->work.creds = get_current_cred();
918 if (!req->work.fs && def->needs_fs) {
919 spin_lock(¤t->fs->lock);
920 if (!current->fs->in_exec) {
921 req->work.fs = current->fs;
922 req->work.fs->users++;
924 req->work.flags |= IO_WQ_WORK_CANCEL;
926 spin_unlock(¤t->fs->lock);
928 if (!req->work.task_pid)
929 req->work.task_pid = task_pid_vnr(current);
932 static inline void io_req_work_drop_env(struct io_kiocb *req)
935 mmdrop(req->work.mm);
938 if (req->work.creds) {
939 put_cred(req->work.creds);
940 req->work.creds = NULL;
943 struct fs_struct *fs = req->work.fs;
945 spin_lock(&req->work.fs->lock);
948 spin_unlock(&req->work.fs->lock);
954 static inline bool io_prep_async_work(struct io_kiocb *req,
955 struct io_kiocb **link)
957 const struct io_op_def *def = &io_op_defs[req->opcode];
958 bool do_hashed = false;
960 if (req->flags & REQ_F_ISREG) {
961 if (def->hash_reg_file)
964 if (def->unbound_nonreg_file)
965 req->work.flags |= IO_WQ_WORK_UNBOUND;
968 io_req_work_grab_env(req, def);
970 *link = io_prep_linked_timeout(req);
974 static inline void io_queue_async_work(struct io_kiocb *req)
976 struct io_ring_ctx *ctx = req->ctx;
977 struct io_kiocb *link;
980 do_hashed = io_prep_async_work(req, &link);
982 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
985 io_wq_enqueue(ctx->io_wq, &req->work);
987 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
988 file_inode(req->file));
992 io_queue_linked_timeout(link);
995 static void io_kill_timeout(struct io_kiocb *req)
999 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1001 atomic_inc(&req->ctx->cq_timeouts);
1002 list_del_init(&req->list);
1003 req->flags |= REQ_F_COMP_LOCKED;
1004 io_cqring_fill_event(req, 0);
1009 static void io_kill_timeouts(struct io_ring_ctx *ctx)
1011 struct io_kiocb *req, *tmp;
1013 spin_lock_irq(&ctx->completion_lock);
1014 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
1015 io_kill_timeout(req);
1016 spin_unlock_irq(&ctx->completion_lock);
1019 static void io_commit_cqring(struct io_ring_ctx *ctx)
1021 struct io_kiocb *req;
1023 while ((req = io_get_timeout_req(ctx)) != NULL)
1024 io_kill_timeout(req);
1026 __io_commit_cqring(ctx);
1028 while ((req = io_get_deferred_req(ctx)) != NULL)
1029 io_queue_async_work(req);
1032 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1034 struct io_rings *rings = ctx->rings;
1037 tail = ctx->cached_cq_tail;
1039 * writes to the cq entry need to come after reading head; the
1040 * control dependency is enough as we're using WRITE_ONCE to
1043 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1046 ctx->cached_cq_tail++;
1047 return &rings->cqes[tail & ctx->cq_mask];
1050 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1054 if (!ctx->eventfd_async)
1056 return io_wq_current_is_worker() || in_interrupt();
1059 static void __io_cqring_ev_posted(struct io_ring_ctx *ctx, bool trigger_ev)
1061 if (waitqueue_active(&ctx->wait))
1062 wake_up(&ctx->wait);
1063 if (waitqueue_active(&ctx->sqo_wait))
1064 wake_up(&ctx->sqo_wait);
1066 eventfd_signal(ctx->cq_ev_fd, 1);
1069 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1071 __io_cqring_ev_posted(ctx, io_should_trigger_evfd(ctx));
1074 /* Returns true if there are no backlogged entries after the flush */
1075 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1077 struct io_rings *rings = ctx->rings;
1078 struct io_uring_cqe *cqe;
1079 struct io_kiocb *req;
1080 unsigned long flags;
1084 if (list_empty_careful(&ctx->cq_overflow_list))
1086 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1087 rings->cq_ring_entries))
1091 spin_lock_irqsave(&ctx->completion_lock, flags);
1093 /* if force is set, the ring is going away. always drop after that */
1095 ctx->cq_overflow_flushed = 1;
1098 while (!list_empty(&ctx->cq_overflow_list)) {
1099 cqe = io_get_cqring(ctx);
1103 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1105 list_move(&req->list, &list);
1106 req->flags &= ~REQ_F_OVERFLOW;
1108 WRITE_ONCE(cqe->user_data, req->user_data);
1109 WRITE_ONCE(cqe->res, req->result);
1110 WRITE_ONCE(cqe->flags, 0);
1112 WRITE_ONCE(ctx->rings->cq_overflow,
1113 atomic_inc_return(&ctx->cached_cq_overflow));
1117 io_commit_cqring(ctx);
1119 clear_bit(0, &ctx->sq_check_overflow);
1120 clear_bit(0, &ctx->cq_check_overflow);
1122 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1123 io_cqring_ev_posted(ctx);
1125 while (!list_empty(&list)) {
1126 req = list_first_entry(&list, struct io_kiocb, list);
1127 list_del(&req->list);
1134 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1136 struct io_ring_ctx *ctx = req->ctx;
1137 struct io_uring_cqe *cqe;
1139 trace_io_uring_complete(ctx, req->user_data, res);
1142 * If we can't get a cq entry, userspace overflowed the
1143 * submission (by quite a lot). Increment the overflow count in
1146 cqe = io_get_cqring(ctx);
1148 WRITE_ONCE(cqe->user_data, req->user_data);
1149 WRITE_ONCE(cqe->res, res);
1150 WRITE_ONCE(cqe->flags, 0);
1151 } else if (ctx->cq_overflow_flushed) {
1152 WRITE_ONCE(ctx->rings->cq_overflow,
1153 atomic_inc_return(&ctx->cached_cq_overflow));
1155 if (list_empty(&ctx->cq_overflow_list)) {
1156 set_bit(0, &ctx->sq_check_overflow);
1157 set_bit(0, &ctx->cq_check_overflow);
1159 req->flags |= REQ_F_OVERFLOW;
1160 refcount_inc(&req->refs);
1162 list_add_tail(&req->list, &ctx->cq_overflow_list);
1166 static void io_cqring_add_event(struct io_kiocb *req, long res)
1168 struct io_ring_ctx *ctx = req->ctx;
1169 unsigned long flags;
1171 spin_lock_irqsave(&ctx->completion_lock, flags);
1172 io_cqring_fill_event(req, res);
1173 io_commit_cqring(ctx);
1174 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1176 io_cqring_ev_posted(ctx);
1179 static inline bool io_is_fallback_req(struct io_kiocb *req)
1181 return req == (struct io_kiocb *)
1182 ((unsigned long) req->ctx->fallback_req & ~1UL);
1185 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1187 struct io_kiocb *req;
1189 req = ctx->fallback_req;
1190 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1196 static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1197 struct io_submit_state *state)
1199 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1200 struct io_kiocb *req;
1203 req = kmem_cache_alloc(req_cachep, gfp);
1206 } else if (!state->free_reqs) {
1210 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1211 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1214 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1215 * retry single alloc to be on the safe side.
1217 if (unlikely(ret <= 0)) {
1218 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1219 if (!state->reqs[0])
1223 state->free_reqs = ret - 1;
1224 req = state->reqs[ret - 1];
1227 req = state->reqs[state->free_reqs];
1235 /* one is dropped after submission, the other at completion */
1236 refcount_set(&req->refs, 2);
1238 INIT_IO_WORK(&req->work, io_wq_submit_work);
1241 req = io_get_fallback_req(ctx);
1244 percpu_ref_put(&ctx->refs);
1248 static void __io_req_do_free(struct io_kiocb *req)
1250 if (likely(!io_is_fallback_req(req)))
1251 kmem_cache_free(req_cachep, req);
1253 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1256 static void __io_req_aux_free(struct io_kiocb *req)
1258 struct io_ring_ctx *ctx = req->ctx;
1260 if (req->flags & REQ_F_NEED_CLEANUP)
1261 io_cleanup_req(req);
1265 if (req->flags & REQ_F_FIXED_FILE)
1266 percpu_ref_put(&ctx->file_data->refs);
1271 io_req_work_drop_env(req);
1274 static void __io_free_req(struct io_kiocb *req)
1276 __io_req_aux_free(req);
1278 if (req->flags & REQ_F_INFLIGHT) {
1279 struct io_ring_ctx *ctx = req->ctx;
1280 unsigned long flags;
1282 spin_lock_irqsave(&ctx->inflight_lock, flags);
1283 list_del(&req->inflight_entry);
1284 if (waitqueue_active(&ctx->inflight_wait))
1285 wake_up(&ctx->inflight_wait);
1286 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1289 percpu_ref_put(&req->ctx->refs);
1290 __io_req_do_free(req);
1294 void *reqs[IO_IOPOLL_BATCH];
1299 static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1301 int fixed_refs = rb->to_free;
1305 if (rb->need_iter) {
1306 int i, inflight = 0;
1307 unsigned long flags;
1310 for (i = 0; i < rb->to_free; i++) {
1311 struct io_kiocb *req = rb->reqs[i];
1313 if (req->flags & REQ_F_FIXED_FILE) {
1317 if (req->flags & REQ_F_INFLIGHT)
1319 __io_req_aux_free(req);
1324 spin_lock_irqsave(&ctx->inflight_lock, flags);
1325 for (i = 0; i < rb->to_free; i++) {
1326 struct io_kiocb *req = rb->reqs[i];
1328 if (req->flags & REQ_F_INFLIGHT) {
1329 list_del(&req->inflight_entry);
1334 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1336 if (waitqueue_active(&ctx->inflight_wait))
1337 wake_up(&ctx->inflight_wait);
1340 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1342 percpu_ref_put_many(&ctx->file_data->refs, fixed_refs);
1343 percpu_ref_put_many(&ctx->refs, rb->to_free);
1344 rb->to_free = rb->need_iter = 0;
1347 static bool io_link_cancel_timeout(struct io_kiocb *req)
1349 struct io_ring_ctx *ctx = req->ctx;
1352 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1354 io_cqring_fill_event(req, -ECANCELED);
1355 io_commit_cqring(ctx);
1356 req->flags &= ~REQ_F_LINK;
1364 static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1366 struct io_ring_ctx *ctx = req->ctx;
1367 bool wake_ev = false;
1369 /* Already got next link */
1370 if (req->flags & REQ_F_LINK_NEXT)
1374 * The list should never be empty when we are called here. But could
1375 * potentially happen if the chain is messed up, check to be on the
1378 while (!list_empty(&req->link_list)) {
1379 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1380 struct io_kiocb, link_list);
1382 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1383 (nxt->flags & REQ_F_TIMEOUT))) {
1384 list_del_init(&nxt->link_list);
1385 wake_ev |= io_link_cancel_timeout(nxt);
1386 req->flags &= ~REQ_F_LINK_TIMEOUT;
1390 list_del_init(&req->link_list);
1391 if (!list_empty(&nxt->link_list))
1392 nxt->flags |= REQ_F_LINK;
1397 req->flags |= REQ_F_LINK_NEXT;
1399 io_cqring_ev_posted(ctx);
1403 * Called if REQ_F_LINK is set, and we fail the head request
1405 static void io_fail_links(struct io_kiocb *req)
1407 struct io_ring_ctx *ctx = req->ctx;
1408 unsigned long flags;
1410 spin_lock_irqsave(&ctx->completion_lock, flags);
1412 while (!list_empty(&req->link_list)) {
1413 struct io_kiocb *link = list_first_entry(&req->link_list,
1414 struct io_kiocb, link_list);
1416 list_del_init(&link->link_list);
1417 trace_io_uring_fail_link(req, link);
1419 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
1420 link->opcode == IORING_OP_LINK_TIMEOUT) {
1421 io_link_cancel_timeout(link);
1423 io_cqring_fill_event(link, -ECANCELED);
1424 __io_double_put_req(link);
1426 req->flags &= ~REQ_F_LINK_TIMEOUT;
1429 io_commit_cqring(ctx);
1430 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1431 io_cqring_ev_posted(ctx);
1434 static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
1436 if (likely(!(req->flags & REQ_F_LINK)))
1440 * If LINK is set, we have dependent requests in this chain. If we
1441 * didn't fail this request, queue the first one up, moving any other
1442 * dependencies to the next request. In case of failure, fail the rest
1445 if (req->flags & REQ_F_FAIL_LINK) {
1447 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1448 REQ_F_LINK_TIMEOUT) {
1449 struct io_ring_ctx *ctx = req->ctx;
1450 unsigned long flags;
1453 * If this is a timeout link, we could be racing with the
1454 * timeout timer. Grab the completion lock for this case to
1455 * protect against that.
1457 spin_lock_irqsave(&ctx->completion_lock, flags);
1458 io_req_link_next(req, nxt);
1459 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1461 io_req_link_next(req, nxt);
1465 static void io_free_req(struct io_kiocb *req)
1467 struct io_kiocb *nxt = NULL;
1469 io_req_find_next(req, &nxt);
1473 io_queue_async_work(nxt);
1477 * Drop reference to request, return next in chain (if there is one) if this
1478 * was the last reference to this request.
1480 __attribute__((nonnull))
1481 static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1483 if (refcount_dec_and_test(&req->refs)) {
1484 io_req_find_next(req, nxtptr);
1489 static void io_put_req(struct io_kiocb *req)
1491 if (refcount_dec_and_test(&req->refs))
1496 * Must only be used if we don't need to care about links, usually from
1497 * within the completion handling itself.
1499 static void __io_double_put_req(struct io_kiocb *req)
1501 /* drop both submit and complete references */
1502 if (refcount_sub_and_test(2, &req->refs))
1506 static void io_double_put_req(struct io_kiocb *req)
1508 /* drop both submit and complete references */
1509 if (refcount_sub_and_test(2, &req->refs))
1513 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1515 struct io_rings *rings = ctx->rings;
1517 if (test_bit(0, &ctx->cq_check_overflow)) {
1519 * noflush == true is from the waitqueue handler, just ensure
1520 * we wake up the task, and the next invocation will flush the
1521 * entries. We cannot safely to it from here.
1523 if (noflush && !list_empty(&ctx->cq_overflow_list))
1526 io_cqring_overflow_flush(ctx, false);
1529 /* See comment at the top of this file */
1531 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
1534 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1536 struct io_rings *rings = ctx->rings;
1538 /* make sure SQ entry isn't read before tail */
1539 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1542 static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
1544 if ((req->flags & REQ_F_LINK) || io_is_fallback_req(req))
1547 if (!(req->flags & REQ_F_FIXED_FILE) || req->io)
1550 rb->reqs[rb->to_free++] = req;
1551 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1552 io_free_req_many(req->ctx, rb);
1557 * Find and free completed poll iocbs
1559 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1560 struct list_head *done)
1562 struct req_batch rb;
1563 struct io_kiocb *req;
1565 rb.to_free = rb.need_iter = 0;
1566 while (!list_empty(done)) {
1567 req = list_first_entry(done, struct io_kiocb, list);
1568 list_del(&req->list);
1570 io_cqring_fill_event(req, req->result);
1573 if (refcount_dec_and_test(&req->refs) &&
1574 !io_req_multi_free(&rb, req))
1578 io_commit_cqring(ctx);
1579 io_free_req_many(ctx, &rb);
1582 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1585 struct io_kiocb *req, *tmp;
1591 * Only spin for completions if we don't have multiple devices hanging
1592 * off our complete list, and we're under the requested amount.
1594 spin = !ctx->poll_multi_file && *nr_events < min;
1597 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1598 struct kiocb *kiocb = &req->rw.kiocb;
1601 * Move completed entries to our local list. If we find a
1602 * request that requires polling, break out and complete
1603 * the done list first, if we have entries there.
1605 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1606 list_move_tail(&req->list, &done);
1609 if (!list_empty(&done))
1612 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1621 if (!list_empty(&done))
1622 io_iopoll_complete(ctx, nr_events, &done);
1628 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
1629 * non-spinning poll check - we'll still enter the driver poll loop, but only
1630 * as a non-spinning completion check.
1632 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1635 while (!list_empty(&ctx->poll_list) && !need_resched()) {
1638 ret = io_do_iopoll(ctx, nr_events, min);
1641 if (!min || *nr_events >= min)
1649 * We can't just wait for polled events to come to us, we have to actively
1650 * find and complete them.
1652 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1654 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1657 mutex_lock(&ctx->uring_lock);
1658 while (!list_empty(&ctx->poll_list)) {
1659 unsigned int nr_events = 0;
1661 io_iopoll_getevents(ctx, &nr_events, 1);
1664 * Ensure we allow local-to-the-cpu processing to take place,
1665 * in this case we need to ensure that we reap all events.
1669 mutex_unlock(&ctx->uring_lock);
1672 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1675 int iters = 0, ret = 0;
1678 * We disallow the app entering submit/complete with polling, but we
1679 * still need to lock the ring to prevent racing with polled issue
1680 * that got punted to a workqueue.
1682 mutex_lock(&ctx->uring_lock);
1687 * Don't enter poll loop if we already have events pending.
1688 * If we do, we can potentially be spinning for commands that
1689 * already triggered a CQE (eg in error).
1691 if (io_cqring_events(ctx, false))
1695 * If a submit got punted to a workqueue, we can have the
1696 * application entering polling for a command before it gets
1697 * issued. That app will hold the uring_lock for the duration
1698 * of the poll right here, so we need to take a breather every
1699 * now and then to ensure that the issue has a chance to add
1700 * the poll to the issued list. Otherwise we can spin here
1701 * forever, while the workqueue is stuck trying to acquire the
1704 if (!(++iters & 7)) {
1705 mutex_unlock(&ctx->uring_lock);
1706 mutex_lock(&ctx->uring_lock);
1709 if (*nr_events < min)
1710 tmin = min - *nr_events;
1712 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1716 } while (min && !*nr_events && !need_resched());
1718 mutex_unlock(&ctx->uring_lock);
1722 static void kiocb_end_write(struct io_kiocb *req)
1725 * Tell lockdep we inherited freeze protection from submission
1728 if (req->flags & REQ_F_ISREG) {
1729 struct inode *inode = file_inode(req->file);
1731 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
1733 file_end_write(req->file);
1736 static inline void req_set_fail_links(struct io_kiocb *req)
1738 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1739 req->flags |= REQ_F_FAIL_LINK;
1742 static void io_complete_rw_common(struct kiocb *kiocb, long res)
1744 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1746 if (kiocb->ki_flags & IOCB_WRITE)
1747 kiocb_end_write(req);
1749 if (res != req->result)
1750 req_set_fail_links(req);
1751 io_cqring_add_event(req, res);
1754 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1756 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1758 io_complete_rw_common(kiocb, res);
1762 static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1764 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1765 struct io_kiocb *nxt = NULL;
1767 io_complete_rw_common(kiocb, res);
1768 io_put_req_find_next(req, &nxt);
1773 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1775 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1777 if (kiocb->ki_flags & IOCB_WRITE)
1778 kiocb_end_write(req);
1780 if (res != req->result)
1781 req_set_fail_links(req);
1784 req->flags |= REQ_F_IOPOLL_COMPLETED;
1788 * After the iocb has been issued, it's safe to be found on the poll list.
1789 * Adding the kiocb to the list AFTER submission ensures that we don't
1790 * find it from a io_iopoll_getevents() thread before the issuer is done
1791 * accessing the kiocb cookie.
1793 static void io_iopoll_req_issued(struct io_kiocb *req)
1795 struct io_ring_ctx *ctx = req->ctx;
1798 * Track whether we have multiple files in our lists. This will impact
1799 * how we do polling eventually, not spinning if we're on potentially
1800 * different devices.
1802 if (list_empty(&ctx->poll_list)) {
1803 ctx->poll_multi_file = false;
1804 } else if (!ctx->poll_multi_file) {
1805 struct io_kiocb *list_req;
1807 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1809 if (list_req->file != req->file)
1810 ctx->poll_multi_file = true;
1814 * For fast devices, IO may have already completed. If it has, add
1815 * it to the front so we find it first.
1817 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1818 list_add(&req->list, &ctx->poll_list);
1820 list_add_tail(&req->list, &ctx->poll_list);
1822 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
1823 wq_has_sleeper(&ctx->sqo_wait))
1824 wake_up(&ctx->sqo_wait);
1827 static void io_file_put(struct io_submit_state *state)
1830 int diff = state->has_refs - state->used_refs;
1833 fput_many(state->file, diff);
1839 * Get as many references to a file as we have IOs left in this submission,
1840 * assuming most submissions are for one file, or at least that each file
1841 * has more than one submission.
1843 static struct file *io_file_get(struct io_submit_state *state, int fd)
1849 if (state->fd == fd) {
1856 state->file = fget_many(fd, state->ios_left);
1861 state->has_refs = state->ios_left;
1862 state->used_refs = 1;
1868 * If we tracked the file through the SCM inflight mechanism, we could support
1869 * any file. For now, just ensure that anything potentially problematic is done
1872 static bool io_file_supports_async(struct file *file)
1874 umode_t mode = file_inode(file)->i_mode;
1876 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
1878 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1884 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1885 bool force_nonblock)
1887 struct io_ring_ctx *ctx = req->ctx;
1888 struct kiocb *kiocb = &req->rw.kiocb;
1892 if (S_ISREG(file_inode(req->file)->i_mode))
1893 req->flags |= REQ_F_ISREG;
1895 kiocb->ki_pos = READ_ONCE(sqe->off);
1896 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1897 req->flags |= REQ_F_CUR_POS;
1898 kiocb->ki_pos = req->file->f_pos;
1900 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1901 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1902 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1906 ioprio = READ_ONCE(sqe->ioprio);
1908 ret = ioprio_check_cap(ioprio);
1912 kiocb->ki_ioprio = ioprio;
1914 kiocb->ki_ioprio = get_current_ioprio();
1916 /* don't allow async punt if RWF_NOWAIT was requested */
1917 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1918 (req->file->f_flags & O_NONBLOCK))
1919 req->flags |= REQ_F_NOWAIT;
1922 kiocb->ki_flags |= IOCB_NOWAIT;
1924 if (ctx->flags & IORING_SETUP_IOPOLL) {
1925 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1926 !kiocb->ki_filp->f_op->iopoll)
1929 kiocb->ki_flags |= IOCB_HIPRI;
1930 kiocb->ki_complete = io_complete_rw_iopoll;
1933 if (kiocb->ki_flags & IOCB_HIPRI)
1935 kiocb->ki_complete = io_complete_rw;
1938 req->rw.addr = READ_ONCE(sqe->addr);
1939 req->rw.len = READ_ONCE(sqe->len);
1940 /* we own ->private, reuse it for the buffer index */
1941 req->rw.kiocb.private = (void *) (unsigned long)
1942 READ_ONCE(sqe->buf_index);
1946 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1952 case -ERESTARTNOINTR:
1953 case -ERESTARTNOHAND:
1954 case -ERESTART_RESTARTBLOCK:
1956 * We can't just restart the syscall, since previously
1957 * submitted sqes may already be in progress. Just fail this
1963 kiocb->ki_complete(kiocb, ret, 0);
1967 static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1970 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1972 if (req->flags & REQ_F_CUR_POS)
1973 req->file->f_pos = kiocb->ki_pos;
1974 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
1975 *nxt = __io_complete_rw(kiocb, ret);
1977 io_rw_done(kiocb, ret);
1980 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
1981 struct iov_iter *iter)
1983 struct io_ring_ctx *ctx = req->ctx;
1984 size_t len = req->rw.len;
1985 struct io_mapped_ubuf *imu;
1986 unsigned index, buf_index;
1990 /* attempt to use fixed buffers without having provided iovecs */
1991 if (unlikely(!ctx->user_bufs))
1994 buf_index = (unsigned long) req->rw.kiocb.private;
1995 if (unlikely(buf_index >= ctx->nr_user_bufs))
1998 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1999 imu = &ctx->user_bufs[index];
2000 buf_addr = req->rw.addr;
2003 if (buf_addr + len < buf_addr)
2005 /* not inside the mapped region */
2006 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2010 * May not be a start of buffer, set size appropriately
2011 * and advance us to the beginning.
2013 offset = buf_addr - imu->ubuf;
2014 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2018 * Don't use iov_iter_advance() here, as it's really slow for
2019 * using the latter parts of a big fixed buffer - it iterates
2020 * over each segment manually. We can cheat a bit here, because
2023 * 1) it's a BVEC iter, we set it up
2024 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2025 * first and last bvec
2027 * So just find our index, and adjust the iterator afterwards.
2028 * If the offset is within the first bvec (or the whole first
2029 * bvec, just use iov_iter_advance(). This makes it easier
2030 * since we can just skip the first segment, which may not
2031 * be PAGE_SIZE aligned.
2033 const struct bio_vec *bvec = imu->bvec;
2035 if (offset <= bvec->bv_len) {
2036 iov_iter_advance(iter, offset);
2038 unsigned long seg_skip;
2040 /* skip first vec */
2041 offset -= bvec->bv_len;
2042 seg_skip = 1 + (offset >> PAGE_SHIFT);
2044 iter->bvec = bvec + seg_skip;
2045 iter->nr_segs -= seg_skip;
2046 iter->count -= bvec->bv_len + offset;
2047 iter->iov_offset = offset & ~PAGE_MASK;
2054 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
2055 struct iovec **iovec, struct iov_iter *iter)
2057 void __user *buf = u64_to_user_ptr(req->rw.addr);
2058 size_t sqe_len = req->rw.len;
2061 opcode = req->opcode;
2062 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
2064 return io_import_fixed(req, rw, iter);
2067 /* buffer index only valid with fixed read/write */
2068 if (req->rw.kiocb.private)
2071 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2073 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2075 return ret < 0 ? ret : sqe_len;
2079 struct io_async_rw *iorw = &req->io->rw;
2082 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2083 if (iorw->iov == iorw->fast_iov)
2088 #ifdef CONFIG_COMPAT
2089 if (req->ctx->compat)
2090 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2094 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2098 * For files that don't have ->read_iter() and ->write_iter(), handle them
2099 * by looping over ->read() or ->write() manually.
2101 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2102 struct iov_iter *iter)
2107 * Don't support polled IO through this interface, and we can't
2108 * support non-blocking either. For the latter, this just causes
2109 * the kiocb to be handled from an async context.
2111 if (kiocb->ki_flags & IOCB_HIPRI)
2113 if (kiocb->ki_flags & IOCB_NOWAIT)
2116 while (iov_iter_count(iter)) {
2120 if (!iov_iter_is_bvec(iter)) {
2121 iovec = iov_iter_iovec(iter);
2123 /* fixed buffers import bvec */
2124 iovec.iov_base = kmap(iter->bvec->bv_page)
2126 iovec.iov_len = min(iter->count,
2127 iter->bvec->bv_len - iter->iov_offset);
2131 nr = file->f_op->read(file, iovec.iov_base,
2132 iovec.iov_len, &kiocb->ki_pos);
2134 nr = file->f_op->write(file, iovec.iov_base,
2135 iovec.iov_len, &kiocb->ki_pos);
2138 if (iov_iter_is_bvec(iter))
2139 kunmap(iter->bvec->bv_page);
2147 if (nr != iovec.iov_len)
2149 iov_iter_advance(iter, nr);
2155 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
2156 struct iovec *iovec, struct iovec *fast_iov,
2157 struct iov_iter *iter)
2159 req->io->rw.nr_segs = iter->nr_segs;
2160 req->io->rw.size = io_size;
2161 req->io->rw.iov = iovec;
2162 if (!req->io->rw.iov) {
2163 req->io->rw.iov = req->io->rw.fast_iov;
2164 memcpy(req->io->rw.iov, fast_iov,
2165 sizeof(struct iovec) * iter->nr_segs);
2167 req->flags |= REQ_F_NEED_CLEANUP;
2171 static int io_alloc_async_ctx(struct io_kiocb *req)
2173 if (!io_op_defs[req->opcode].async_ctx)
2175 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
2176 return req->io == NULL;
2179 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2180 struct iovec *iovec, struct iovec *fast_iov,
2181 struct iov_iter *iter)
2183 if (!io_op_defs[req->opcode].async_ctx)
2186 if (io_alloc_async_ctx(req))
2189 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2194 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2195 bool force_nonblock)
2197 struct io_async_ctx *io;
2198 struct iov_iter iter;
2201 ret = io_prep_rw(req, sqe, force_nonblock);
2205 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2208 /* either don't need iovec imported or already have it */
2209 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2213 io->rw.iov = io->rw.fast_iov;
2215 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2220 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2224 static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
2225 bool force_nonblock)
2227 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2228 struct kiocb *kiocb = &req->rw.kiocb;
2229 struct iov_iter iter;
2231 ssize_t io_size, ret;
2233 ret = io_import_iovec(READ, req, &iovec, &iter);
2237 /* Ensure we clear previously set non-block flag */
2238 if (!force_nonblock)
2239 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
2243 if (req->flags & REQ_F_LINK)
2244 req->result = io_size;
2247 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2248 * we know to async punt it even if it was opened O_NONBLOCK
2250 if (force_nonblock && !io_file_supports_async(req->file)) {
2251 req->flags |= REQ_F_MUST_PUNT;
2255 iov_count = iov_iter_count(&iter);
2256 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2260 if (req->file->f_op->read_iter)
2261 ret2 = call_read_iter(req->file, kiocb, &iter);
2263 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
2265 /* Catch -EAGAIN return for forced non-blocking submission */
2266 if (!force_nonblock || ret2 != -EAGAIN) {
2267 kiocb_done(kiocb, ret2, nxt, req->in_async);
2270 ret = io_setup_async_rw(req, io_size, iovec,
2271 inline_vecs, &iter);
2279 req->flags &= ~REQ_F_NEED_CLEANUP;
2283 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2284 bool force_nonblock)
2286 struct io_async_ctx *io;
2287 struct iov_iter iter;
2290 ret = io_prep_rw(req, sqe, force_nonblock);
2294 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2297 /* either don't need iovec imported or already have it */
2298 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2302 io->rw.iov = io->rw.fast_iov;
2304 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2309 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2313 static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
2314 bool force_nonblock)
2316 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2317 struct kiocb *kiocb = &req->rw.kiocb;
2318 struct iov_iter iter;
2320 ssize_t ret, io_size;
2322 ret = io_import_iovec(WRITE, req, &iovec, &iter);
2326 /* Ensure we clear previously set non-block flag */
2327 if (!force_nonblock)
2328 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
2332 if (req->flags & REQ_F_LINK)
2333 req->result = io_size;
2336 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2337 * we know to async punt it even if it was opened O_NONBLOCK
2339 if (force_nonblock && !io_file_supports_async(req->file)) {
2340 req->flags |= REQ_F_MUST_PUNT;
2344 /* file path doesn't support NOWAIT for non-direct_IO */
2345 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2346 (req->flags & REQ_F_ISREG))
2349 iov_count = iov_iter_count(&iter);
2350 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2355 * Open-code file_start_write here to grab freeze protection,
2356 * which will be released by another thread in
2357 * io_complete_rw(). Fool lockdep by telling it the lock got
2358 * released so that it doesn't complain about the held lock when
2359 * we return to userspace.
2361 if (req->flags & REQ_F_ISREG) {
2362 __sb_start_write(file_inode(req->file)->i_sb,
2363 SB_FREEZE_WRITE, true);
2364 __sb_writers_release(file_inode(req->file)->i_sb,
2367 kiocb->ki_flags |= IOCB_WRITE;
2369 if (req->file->f_op->write_iter)
2370 ret2 = call_write_iter(req->file, kiocb, &iter);
2372 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
2374 * Raw bdev writes will -EOPNOTSUPP for IOCB_NOWAIT. Just
2375 * retry them without IOCB_NOWAIT.
2377 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
2379 if (!force_nonblock || ret2 != -EAGAIN) {
2380 kiocb_done(kiocb, ret2, nxt, req->in_async);
2383 ret = io_setup_async_rw(req, io_size, iovec,
2384 inline_vecs, &iter);
2391 req->flags &= ~REQ_F_NEED_CLEANUP;
2397 * IORING_OP_NOP just posts a completion event, nothing else.
2399 static int io_nop(struct io_kiocb *req)
2401 struct io_ring_ctx *ctx = req->ctx;
2403 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2406 io_cqring_add_event(req, 0);
2411 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2413 struct io_ring_ctx *ctx = req->ctx;
2418 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2420 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2423 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2424 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2427 req->sync.off = READ_ONCE(sqe->off);
2428 req->sync.len = READ_ONCE(sqe->len);
2432 static bool io_req_cancelled(struct io_kiocb *req)
2434 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2435 req_set_fail_links(req);
2436 io_cqring_add_event(req, -ECANCELED);
2444 static void io_link_work_cb(struct io_wq_work **workptr)
2446 struct io_wq_work *work = *workptr;
2447 struct io_kiocb *link = work->data;
2449 io_queue_linked_timeout(link);
2450 work->func = io_wq_submit_work;
2453 static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2455 struct io_kiocb *link;
2457 io_prep_async_work(nxt, &link);
2458 *workptr = &nxt->work;
2460 nxt->work.flags |= IO_WQ_WORK_CB;
2461 nxt->work.func = io_link_work_cb;
2462 nxt->work.data = link;
2466 static void io_fsync_finish(struct io_wq_work **workptr)
2468 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2469 loff_t end = req->sync.off + req->sync.len;
2470 struct io_kiocb *nxt = NULL;
2473 if (io_req_cancelled(req))
2476 ret = vfs_fsync_range(req->file, req->sync.off,
2477 end > 0 ? end : LLONG_MAX,
2478 req->sync.flags & IORING_FSYNC_DATASYNC);
2480 req_set_fail_links(req);
2481 io_cqring_add_event(req, ret);
2482 io_put_req_find_next(req, &nxt);
2484 io_wq_assign_next(workptr, nxt);
2487 static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2488 bool force_nonblock)
2490 struct io_wq_work *work, *old_work;
2492 /* fsync always requires a blocking context */
2493 if (force_nonblock) {
2495 req->work.func = io_fsync_finish;
2499 work = old_work = &req->work;
2500 io_fsync_finish(&work);
2501 if (work && work != old_work)
2502 *nxt = container_of(work, struct io_kiocb, work);
2506 static void io_fallocate_finish(struct io_wq_work **workptr)
2508 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2509 struct io_kiocb *nxt = NULL;
2512 if (io_req_cancelled(req))
2515 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2518 req_set_fail_links(req);
2519 io_cqring_add_event(req, ret);
2520 io_put_req_find_next(req, &nxt);
2522 io_wq_assign_next(workptr, nxt);
2525 static int io_fallocate_prep(struct io_kiocb *req,
2526 const struct io_uring_sqe *sqe)
2528 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2531 req->sync.off = READ_ONCE(sqe->off);
2532 req->sync.len = READ_ONCE(sqe->addr);
2533 req->sync.mode = READ_ONCE(sqe->len);
2537 static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2538 bool force_nonblock)
2540 struct io_wq_work *work, *old_work;
2542 /* fallocate always requiring blocking context */
2543 if (force_nonblock) {
2545 req->work.func = io_fallocate_finish;
2549 work = old_work = &req->work;
2550 io_fallocate_finish(&work);
2551 if (work && work != old_work)
2552 *nxt = container_of(work, struct io_kiocb, work);
2557 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2559 const char __user *fname;
2562 if (sqe->ioprio || sqe->buf_index)
2564 if (sqe->flags & IOSQE_FIXED_FILE)
2566 if (req->flags & REQ_F_NEED_CLEANUP)
2569 req->open.dfd = READ_ONCE(sqe->fd);
2570 req->open.how.mode = READ_ONCE(sqe->len);
2571 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2572 req->open.how.flags = READ_ONCE(sqe->open_flags);
2574 req->open.filename = getname(fname);
2575 if (IS_ERR(req->open.filename)) {
2576 ret = PTR_ERR(req->open.filename);
2577 req->open.filename = NULL;
2581 req->flags |= REQ_F_NEED_CLEANUP;
2585 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2587 struct open_how __user *how;
2588 const char __user *fname;
2592 if (sqe->ioprio || sqe->buf_index)
2594 if (sqe->flags & IOSQE_FIXED_FILE)
2596 if (req->flags & REQ_F_NEED_CLEANUP)
2599 req->open.dfd = READ_ONCE(sqe->fd);
2600 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2601 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2602 len = READ_ONCE(sqe->len);
2604 if (len < OPEN_HOW_SIZE_VER0)
2607 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
2612 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
2613 req->open.how.flags |= O_LARGEFILE;
2615 req->open.filename = getname(fname);
2616 if (IS_ERR(req->open.filename)) {
2617 ret = PTR_ERR(req->open.filename);
2618 req->open.filename = NULL;
2622 req->flags |= REQ_F_NEED_CLEANUP;
2626 static int io_openat2(struct io_kiocb *req, struct io_kiocb **nxt,
2627 bool force_nonblock)
2629 struct open_flags op;
2636 ret = build_open_flags(&req->open.how, &op);
2640 ret = get_unused_fd_flags(req->open.how.flags);
2644 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2647 ret = PTR_ERR(file);
2649 fsnotify_open(file);
2650 fd_install(ret, file);
2653 putname(req->open.filename);
2654 req->flags &= ~REQ_F_NEED_CLEANUP;
2656 req_set_fail_links(req);
2657 io_cqring_add_event(req, ret);
2658 io_put_req_find_next(req, nxt);
2662 static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2663 bool force_nonblock)
2665 req->open.how = build_open_how(req->open.how.flags, req->open.how.mode);
2666 return io_openat2(req, nxt, force_nonblock);
2669 static int io_epoll_ctl_prep(struct io_kiocb *req,
2670 const struct io_uring_sqe *sqe)
2672 #if defined(CONFIG_EPOLL)
2673 if (sqe->ioprio || sqe->buf_index)
2676 req->epoll.epfd = READ_ONCE(sqe->fd);
2677 req->epoll.op = READ_ONCE(sqe->len);
2678 req->epoll.fd = READ_ONCE(sqe->off);
2680 if (ep_op_has_event(req->epoll.op)) {
2681 struct epoll_event __user *ev;
2683 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
2684 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
2694 static int io_epoll_ctl(struct io_kiocb *req, struct io_kiocb **nxt,
2695 bool force_nonblock)
2697 #if defined(CONFIG_EPOLL)
2698 struct io_epoll *ie = &req->epoll;
2701 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
2702 if (force_nonblock && ret == -EAGAIN)
2706 req_set_fail_links(req);
2707 io_cqring_add_event(req, ret);
2708 io_put_req_find_next(req, nxt);
2715 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2717 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2718 if (sqe->ioprio || sqe->buf_index || sqe->off)
2721 req->madvise.addr = READ_ONCE(sqe->addr);
2722 req->madvise.len = READ_ONCE(sqe->len);
2723 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2730 static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2731 bool force_nonblock)
2733 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2734 struct io_madvise *ma = &req->madvise;
2740 ret = do_madvise(ma->addr, ma->len, ma->advice);
2742 req_set_fail_links(req);
2743 io_cqring_add_event(req, ret);
2744 io_put_req_find_next(req, nxt);
2751 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2753 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2756 req->fadvise.offset = READ_ONCE(sqe->off);
2757 req->fadvise.len = READ_ONCE(sqe->len);
2758 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2762 static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2763 bool force_nonblock)
2765 struct io_fadvise *fa = &req->fadvise;
2768 if (force_nonblock) {
2769 switch (fa->advice) {
2770 case POSIX_FADV_NORMAL:
2771 case POSIX_FADV_RANDOM:
2772 case POSIX_FADV_SEQUENTIAL:
2779 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2781 req_set_fail_links(req);
2782 io_cqring_add_event(req, ret);
2783 io_put_req_find_next(req, nxt);
2787 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2789 const char __user *fname;
2790 unsigned lookup_flags;
2793 if (sqe->ioprio || sqe->buf_index)
2795 if (sqe->flags & IOSQE_FIXED_FILE)
2797 if (req->flags & REQ_F_NEED_CLEANUP)
2800 req->open.dfd = READ_ONCE(sqe->fd);
2801 req->open.mask = READ_ONCE(sqe->len);
2802 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2803 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2804 req->open.how.flags = READ_ONCE(sqe->statx_flags);
2806 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.how.flags))
2809 req->open.filename = getname_flags(fname, lookup_flags, NULL);
2810 if (IS_ERR(req->open.filename)) {
2811 ret = PTR_ERR(req->open.filename);
2812 req->open.filename = NULL;
2816 req->flags |= REQ_F_NEED_CLEANUP;
2820 static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2821 bool force_nonblock)
2823 struct io_open *ctx = &req->open;
2824 unsigned lookup_flags;
2832 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->how.flags))
2836 /* filename_lookup() drops it, keep a reference */
2837 ctx->filename->refcnt++;
2839 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2844 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->how.flags);
2846 if (retry_estale(ret, lookup_flags)) {
2847 lookup_flags |= LOOKUP_REVAL;
2851 ret = cp_statx(&stat, ctx->buffer);
2853 putname(ctx->filename);
2854 req->flags &= ~REQ_F_NEED_CLEANUP;
2856 req_set_fail_links(req);
2857 io_cqring_add_event(req, ret);
2858 io_put_req_find_next(req, nxt);
2862 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2865 * If we queue this for async, it must not be cancellable. That would
2866 * leave the 'file' in an undeterminate state.
2868 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2870 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2871 sqe->rw_flags || sqe->buf_index)
2873 if (sqe->flags & IOSQE_FIXED_FILE)
2876 req->close.fd = READ_ONCE(sqe->fd);
2877 if (req->file->f_op == &io_uring_fops ||
2878 req->close.fd == req->ctx->ring_fd)
2884 /* only called when __close_fd_get_file() is done */
2885 static void __io_close_finish(struct io_kiocb *req, struct io_kiocb **nxt)
2889 ret = filp_close(req->close.put_file, req->work.files);
2891 req_set_fail_links(req);
2892 io_cqring_add_event(req, ret);
2893 fput(req->close.put_file);
2894 io_put_req_find_next(req, nxt);
2897 static void io_close_finish(struct io_wq_work **workptr)
2899 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2900 struct io_kiocb *nxt = NULL;
2902 /* not cancellable, don't do io_req_cancelled() */
2903 __io_close_finish(req, &nxt);
2905 io_wq_assign_next(workptr, nxt);
2908 static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2909 bool force_nonblock)
2913 req->close.put_file = NULL;
2914 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2918 /* if the file has a flush method, be safe and punt to async */
2919 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker())
2923 * No ->flush(), safely close from here and just punt the
2924 * fput() to async context.
2926 __io_close_finish(req, nxt);
2929 req->work.func = io_close_finish;
2931 * Do manual async queue here to avoid grabbing files - we don't
2932 * need the files, and it'll cause io_close_finish() to close
2933 * the file again and cause a double CQE entry for this request
2935 io_queue_async_work(req);
2939 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2941 struct io_ring_ctx *ctx = req->ctx;
2946 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2948 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2951 req->sync.off = READ_ONCE(sqe->off);
2952 req->sync.len = READ_ONCE(sqe->len);
2953 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
2957 static void io_sync_file_range_finish(struct io_wq_work **workptr)
2959 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2960 struct io_kiocb *nxt = NULL;
2963 if (io_req_cancelled(req))
2966 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
2969 req_set_fail_links(req);
2970 io_cqring_add_event(req, ret);
2971 io_put_req_find_next(req, &nxt);
2973 io_wq_assign_next(workptr, nxt);
2976 static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
2977 bool force_nonblock)
2979 struct io_wq_work *work, *old_work;
2981 /* sync_file_range always requires a blocking context */
2982 if (force_nonblock) {
2984 req->work.func = io_sync_file_range_finish;
2988 work = old_work = &req->work;
2989 io_sync_file_range_finish(&work);
2990 if (work && work != old_work)
2991 *nxt = container_of(work, struct io_kiocb, work);
2995 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2997 #if defined(CONFIG_NET)
2998 struct io_sr_msg *sr = &req->sr_msg;
2999 struct io_async_ctx *io = req->io;
3002 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3003 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3004 sr->len = READ_ONCE(sqe->len);
3006 #ifdef CONFIG_COMPAT
3007 if (req->ctx->compat)
3008 sr->msg_flags |= MSG_CMSG_COMPAT;
3011 if (!io || req->opcode == IORING_OP_SEND)
3013 /* iovec is already imported */
3014 if (req->flags & REQ_F_NEED_CLEANUP)
3017 io->msg.iov = io->msg.fast_iov;
3018 ret = sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
3021 req->flags |= REQ_F_NEED_CLEANUP;
3028 static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
3029 bool force_nonblock)
3031 #if defined(CONFIG_NET)
3032 struct io_async_msghdr *kmsg = NULL;
3033 struct socket *sock;
3036 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3039 sock = sock_from_file(req->file, &ret);
3041 struct io_async_ctx io;
3045 kmsg = &req->io->msg;
3046 kmsg->msg.msg_name = &req->io->msg.addr;
3047 /* if iov is set, it's allocated already */
3049 kmsg->iov = kmsg->fast_iov;
3050 kmsg->msg.msg_iter.iov = kmsg->iov;
3052 struct io_sr_msg *sr = &req->sr_msg;
3055 kmsg->msg.msg_name = &io.msg.addr;
3057 io.msg.iov = io.msg.fast_iov;
3058 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
3059 sr->msg_flags, &io.msg.iov);
3064 flags = req->sr_msg.msg_flags;
3065 if (flags & MSG_DONTWAIT)
3066 req->flags |= REQ_F_NOWAIT;
3067 else if (force_nonblock)
3068 flags |= MSG_DONTWAIT;
3070 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
3071 if (force_nonblock && ret == -EAGAIN) {
3074 if (io_alloc_async_ctx(req)) {
3075 if (kmsg->iov != kmsg->fast_iov)
3079 req->flags |= REQ_F_NEED_CLEANUP;
3080 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
3083 if (ret == -ERESTARTSYS)
3087 if (kmsg && kmsg->iov != kmsg->fast_iov)
3089 req->flags &= ~REQ_F_NEED_CLEANUP;
3090 io_cqring_add_event(req, ret);
3092 req_set_fail_links(req);
3093 io_put_req_find_next(req, nxt);
3100 static int io_send(struct io_kiocb *req, struct io_kiocb **nxt,
3101 bool force_nonblock)
3103 #if defined(CONFIG_NET)
3104 struct socket *sock;
3107 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3110 sock = sock_from_file(req->file, &ret);
3112 struct io_sr_msg *sr = &req->sr_msg;
3117 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
3122 msg.msg_name = NULL;
3123 msg.msg_control = NULL;
3124 msg.msg_controllen = 0;
3125 msg.msg_namelen = 0;
3127 flags = req->sr_msg.msg_flags;
3128 if (flags & MSG_DONTWAIT)
3129 req->flags |= REQ_F_NOWAIT;
3130 else if (force_nonblock)
3131 flags |= MSG_DONTWAIT;
3133 msg.msg_flags = flags;
3134 ret = sock_sendmsg(sock, &msg);
3135 if (force_nonblock && ret == -EAGAIN)
3137 if (ret == -ERESTARTSYS)
3141 io_cqring_add_event(req, ret);
3143 req_set_fail_links(req);
3144 io_put_req_find_next(req, nxt);
3151 static int io_recvmsg_prep(struct io_kiocb *req,
3152 const struct io_uring_sqe *sqe)
3154 #if defined(CONFIG_NET)
3155 struct io_sr_msg *sr = &req->sr_msg;
3156 struct io_async_ctx *io = req->io;
3159 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3160 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3161 sr->len = READ_ONCE(sqe->len);
3163 #ifdef CONFIG_COMPAT
3164 if (req->ctx->compat)
3165 sr->msg_flags |= MSG_CMSG_COMPAT;
3168 if (!io || req->opcode == IORING_OP_RECV)
3170 /* iovec is already imported */
3171 if (req->flags & REQ_F_NEED_CLEANUP)
3174 io->msg.iov = io->msg.fast_iov;
3175 ret = recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
3176 &io->msg.uaddr, &io->msg.iov);
3178 req->flags |= REQ_F_NEED_CLEANUP;
3185 static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
3186 bool force_nonblock)
3188 #if defined(CONFIG_NET)
3189 struct io_async_msghdr *kmsg = NULL;
3190 struct socket *sock;
3193 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3196 sock = sock_from_file(req->file, &ret);
3198 struct io_async_ctx io;
3202 kmsg = &req->io->msg;
3203 kmsg->msg.msg_name = &req->io->msg.addr;
3204 /* if iov is set, it's allocated already */
3206 kmsg->iov = kmsg->fast_iov;
3207 kmsg->msg.msg_iter.iov = kmsg->iov;
3209 struct io_sr_msg *sr = &req->sr_msg;
3212 kmsg->msg.msg_name = &io.msg.addr;
3214 io.msg.iov = io.msg.fast_iov;
3215 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
3216 sr->msg_flags, &io.msg.uaddr,
3222 flags = req->sr_msg.msg_flags;
3223 if (flags & MSG_DONTWAIT)
3224 req->flags |= REQ_F_NOWAIT;
3225 else if (force_nonblock)
3226 flags |= MSG_DONTWAIT;
3228 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3229 kmsg->uaddr, flags);
3230 if (force_nonblock && ret == -EAGAIN) {
3233 if (io_alloc_async_ctx(req)) {
3234 if (kmsg->iov != kmsg->fast_iov)
3238 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
3239 req->flags |= REQ_F_NEED_CLEANUP;
3242 if (ret == -ERESTARTSYS)
3246 if (kmsg && kmsg->iov != kmsg->fast_iov)
3248 req->flags &= ~REQ_F_NEED_CLEANUP;
3249 io_cqring_add_event(req, ret);
3251 req_set_fail_links(req);
3252 io_put_req_find_next(req, nxt);
3259 static int io_recv(struct io_kiocb *req, struct io_kiocb **nxt,
3260 bool force_nonblock)
3262 #if defined(CONFIG_NET)
3263 struct socket *sock;
3266 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3269 sock = sock_from_file(req->file, &ret);
3271 struct io_sr_msg *sr = &req->sr_msg;
3276 ret = import_single_range(READ, sr->buf, sr->len, &iov,
3281 msg.msg_name = NULL;
3282 msg.msg_control = NULL;
3283 msg.msg_controllen = 0;
3284 msg.msg_namelen = 0;
3285 msg.msg_iocb = NULL;
3288 flags = req->sr_msg.msg_flags;
3289 if (flags & MSG_DONTWAIT)
3290 req->flags |= REQ_F_NOWAIT;
3291 else if (force_nonblock)
3292 flags |= MSG_DONTWAIT;
3294 ret = sock_recvmsg(sock, &msg, flags);
3295 if (force_nonblock && ret == -EAGAIN)
3297 if (ret == -ERESTARTSYS)
3301 io_cqring_add_event(req, ret);
3303 req_set_fail_links(req);
3304 io_put_req_find_next(req, nxt);
3312 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3314 #if defined(CONFIG_NET)
3315 struct io_accept *accept = &req->accept;
3317 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3319 if (sqe->ioprio || sqe->len || sqe->buf_index)
3322 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3323 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3324 accept->flags = READ_ONCE(sqe->accept_flags);
3331 #if defined(CONFIG_NET)
3332 static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3333 bool force_nonblock)
3335 struct io_accept *accept = &req->accept;
3336 unsigned file_flags;
3339 file_flags = force_nonblock ? O_NONBLOCK : 0;
3340 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3341 accept->addr_len, accept->flags);
3342 if (ret == -EAGAIN && force_nonblock)
3344 if (ret == -ERESTARTSYS)
3347 req_set_fail_links(req);
3348 io_cqring_add_event(req, ret);
3349 io_put_req_find_next(req, nxt);
3353 static void io_accept_finish(struct io_wq_work **workptr)
3355 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3356 struct io_kiocb *nxt = NULL;
3358 if (io_req_cancelled(req))
3360 __io_accept(req, &nxt, false);
3362 io_wq_assign_next(workptr, nxt);
3366 static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3367 bool force_nonblock)
3369 #if defined(CONFIG_NET)
3372 ret = __io_accept(req, nxt, force_nonblock);
3373 if (ret == -EAGAIN && force_nonblock) {
3374 req->work.func = io_accept_finish;
3384 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3386 #if defined(CONFIG_NET)
3387 struct io_connect *conn = &req->connect;
3388 struct io_async_ctx *io = req->io;
3390 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3392 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3395 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3396 conn->addr_len = READ_ONCE(sqe->addr2);
3401 return move_addr_to_kernel(conn->addr, conn->addr_len,
3402 &io->connect.address);
3408 static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3409 bool force_nonblock)
3411 #if defined(CONFIG_NET)
3412 struct io_async_ctx __io, *io;
3413 unsigned file_flags;
3419 ret = move_addr_to_kernel(req->connect.addr,
3420 req->connect.addr_len,
3421 &__io.connect.address);
3427 file_flags = force_nonblock ? O_NONBLOCK : 0;
3429 ret = __sys_connect_file(req->file, &io->connect.address,
3430 req->connect.addr_len, file_flags);
3431 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
3434 if (io_alloc_async_ctx(req)) {
3438 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
3441 if (ret == -ERESTARTSYS)
3445 req_set_fail_links(req);
3446 io_cqring_add_event(req, ret);
3447 io_put_req_find_next(req, nxt);
3454 static void io_poll_remove_one(struct io_kiocb *req)
3456 struct io_poll_iocb *poll = &req->poll;
3458 spin_lock(&poll->head->lock);
3459 WRITE_ONCE(poll->canceled, true);
3460 if (!list_empty(&poll->wait.entry)) {
3461 list_del_init(&poll->wait.entry);
3462 io_queue_async_work(req);
3464 spin_unlock(&poll->head->lock);
3465 hash_del(&req->hash_node);
3468 static void io_poll_remove_all(struct io_ring_ctx *ctx)
3470 struct hlist_node *tmp;
3471 struct io_kiocb *req;
3474 spin_lock_irq(&ctx->completion_lock);
3475 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3476 struct hlist_head *list;
3478 list = &ctx->cancel_hash[i];
3479 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3480 io_poll_remove_one(req);
3482 spin_unlock_irq(&ctx->completion_lock);
3485 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3487 struct hlist_head *list;
3488 struct io_kiocb *req;
3490 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3491 hlist_for_each_entry(req, list, hash_node) {
3492 if (sqe_addr == req->user_data) {
3493 io_poll_remove_one(req);
3501 static int io_poll_remove_prep(struct io_kiocb *req,
3502 const struct io_uring_sqe *sqe)
3504 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3506 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3510 req->poll.addr = READ_ONCE(sqe->addr);
3515 * Find a running poll command that matches one specified in sqe->addr,
3516 * and remove it if found.
3518 static int io_poll_remove(struct io_kiocb *req)
3520 struct io_ring_ctx *ctx = req->ctx;
3524 addr = req->poll.addr;
3525 spin_lock_irq(&ctx->completion_lock);
3526 ret = io_poll_cancel(ctx, addr);
3527 spin_unlock_irq(&ctx->completion_lock);
3529 io_cqring_add_event(req, ret);
3531 req_set_fail_links(req);
3536 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
3538 struct io_ring_ctx *ctx = req->ctx;
3540 req->poll.done = true;
3542 io_cqring_fill_event(req, error);
3544 io_cqring_fill_event(req, mangle_poll(mask));
3545 io_commit_cqring(ctx);
3548 static void io_poll_complete_work(struct io_wq_work **workptr)
3550 struct io_wq_work *work = *workptr;
3551 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3552 struct io_poll_iocb *poll = &req->poll;
3553 struct poll_table_struct pt = { ._key = poll->events };
3554 struct io_ring_ctx *ctx = req->ctx;
3555 struct io_kiocb *nxt = NULL;
3559 if (work->flags & IO_WQ_WORK_CANCEL) {
3560 WRITE_ONCE(poll->canceled, true);
3562 } else if (READ_ONCE(poll->canceled)) {
3566 if (ret != -ECANCELED)
3567 mask = vfs_poll(poll->file, &pt) & poll->events;
3570 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3571 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3572 * synchronize with them. In the cancellation case the list_del_init
3573 * itself is not actually needed, but harmless so we keep it in to
3574 * avoid further branches in the fast path.
3576 spin_lock_irq(&ctx->completion_lock);
3577 if (!mask && ret != -ECANCELED) {
3578 add_wait_queue(poll->head, &poll->wait);
3579 spin_unlock_irq(&ctx->completion_lock);
3582 hash_del(&req->hash_node);
3583 io_poll_complete(req, mask, ret);
3584 spin_unlock_irq(&ctx->completion_lock);
3586 io_cqring_ev_posted(ctx);
3589 req_set_fail_links(req);
3590 io_put_req_find_next(req, &nxt);
3592 io_wq_assign_next(workptr, nxt);
3595 static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3597 struct io_kiocb *req, *tmp;
3598 struct req_batch rb;
3600 rb.to_free = rb.need_iter = 0;
3601 spin_lock_irq(&ctx->completion_lock);
3602 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3603 hash_del(&req->hash_node);
3604 io_poll_complete(req, req->result, 0);
3606 if (refcount_dec_and_test(&req->refs) &&
3607 !io_req_multi_free(&rb, req)) {
3608 req->flags |= REQ_F_COMP_LOCKED;
3612 spin_unlock_irq(&ctx->completion_lock);
3614 io_cqring_ev_posted(ctx);
3615 io_free_req_many(ctx, &rb);
3618 static void io_poll_flush(struct io_wq_work **workptr)
3620 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3621 struct llist_node *nodes;
3623 nodes = llist_del_all(&req->ctx->poll_llist);
3625 __io_poll_flush(req->ctx, nodes);
3628 static void io_poll_trigger_evfd(struct io_wq_work **workptr)
3630 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3632 eventfd_signal(req->ctx->cq_ev_fd, 1);
3636 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3639 struct io_poll_iocb *poll = wait->private;
3640 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3641 struct io_ring_ctx *ctx = req->ctx;
3642 __poll_t mask = key_to_poll(key);
3644 /* for instances that support it check for an event match first: */
3645 if (mask && !(mask & poll->events))
3648 list_del_init(&poll->wait.entry);
3651 * Run completion inline if we can. We're using trylock here because
3652 * we are violating the completion_lock -> poll wq lock ordering.
3653 * If we have a link timeout we're going to need the completion_lock
3654 * for finalizing the request, mark us as having grabbed that already.
3657 unsigned long flags;
3659 if (llist_empty(&ctx->poll_llist) &&
3660 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3663 hash_del(&req->hash_node);
3664 io_poll_complete(req, mask, 0);
3666 trigger_ev = io_should_trigger_evfd(ctx);
3667 if (trigger_ev && eventfd_signal_count()) {
3669 req->work.func = io_poll_trigger_evfd;
3671 req->flags |= REQ_F_COMP_LOCKED;
3675 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3676 __io_cqring_ev_posted(ctx, trigger_ev);
3679 req->llist_node.next = NULL;
3680 /* if the list wasn't empty, we're done */
3681 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3684 req->work.func = io_poll_flush;
3688 io_queue_async_work(req);
3693 struct io_poll_table {
3694 struct poll_table_struct pt;
3695 struct io_kiocb *req;
3699 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3700 struct poll_table_struct *p)
3702 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3704 if (unlikely(pt->req->poll.head)) {
3705 pt->error = -EINVAL;
3710 pt->req->poll.head = head;
3711 add_wait_queue(head, &pt->req->poll.wait);
3714 static void io_poll_req_insert(struct io_kiocb *req)
3716 struct io_ring_ctx *ctx = req->ctx;
3717 struct hlist_head *list;
3719 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3720 hlist_add_head(&req->hash_node, list);
3723 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3725 struct io_poll_iocb *poll = &req->poll;
3728 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3730 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3735 events = READ_ONCE(sqe->poll_events);
3736 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
3740 static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3742 struct io_poll_iocb *poll = &req->poll;
3743 struct io_ring_ctx *ctx = req->ctx;
3744 struct io_poll_table ipt;
3745 bool cancel = false;
3748 INIT_IO_WORK(&req->work, io_poll_complete_work);
3749 INIT_HLIST_NODE(&req->hash_node);
3753 poll->canceled = false;
3755 ipt.pt._qproc = io_poll_queue_proc;
3756 ipt.pt._key = poll->events;
3758 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3760 /* initialized the list so that we can do list_empty checks */
3761 INIT_LIST_HEAD(&poll->wait.entry);
3762 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3763 poll->wait.private = poll;
3765 INIT_LIST_HEAD(&req->list);
3767 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
3769 spin_lock_irq(&ctx->completion_lock);
3770 if (likely(poll->head)) {
3771 spin_lock(&poll->head->lock);
3772 if (unlikely(list_empty(&poll->wait.entry))) {
3778 if (mask || ipt.error)
3779 list_del_init(&poll->wait.entry);
3781 WRITE_ONCE(poll->canceled, true);
3782 else if (!poll->done) /* actually waiting for an event */
3783 io_poll_req_insert(req);
3784 spin_unlock(&poll->head->lock);
3786 if (mask) { /* no async, we'd stolen it */
3788 io_poll_complete(req, mask, 0);
3790 spin_unlock_irq(&ctx->completion_lock);
3793 io_cqring_ev_posted(ctx);
3794 io_put_req_find_next(req, nxt);
3799 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3801 struct io_timeout_data *data = container_of(timer,
3802 struct io_timeout_data, timer);
3803 struct io_kiocb *req = data->req;
3804 struct io_ring_ctx *ctx = req->ctx;
3805 unsigned long flags;
3807 atomic_inc(&ctx->cq_timeouts);
3809 spin_lock_irqsave(&ctx->completion_lock, flags);
3811 * We could be racing with timeout deletion. If the list is empty,
3812 * then timeout lookup already found it and will be handling it.
3814 if (!list_empty(&req->list)) {
3815 struct io_kiocb *prev;
3818 * Adjust the reqs sequence before the current one because it
3819 * will consume a slot in the cq_ring and the cq_tail
3820 * pointer will be increased, otherwise other timeout reqs may
3821 * return in advance without waiting for enough wait_nr.
3824 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3826 list_del_init(&req->list);
3829 io_cqring_fill_event(req, -ETIME);
3830 io_commit_cqring(ctx);
3831 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3833 io_cqring_ev_posted(ctx);
3834 req_set_fail_links(req);
3836 return HRTIMER_NORESTART;
3839 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3841 struct io_kiocb *req;
3844 list_for_each_entry(req, &ctx->timeout_list, list) {
3845 if (user_data == req->user_data) {
3846 list_del_init(&req->list);
3855 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
3859 req_set_fail_links(req);
3860 io_cqring_fill_event(req, -ECANCELED);
3865 static int io_timeout_remove_prep(struct io_kiocb *req,
3866 const struct io_uring_sqe *sqe)
3868 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3870 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3873 req->timeout.addr = READ_ONCE(sqe->addr);
3874 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3875 if (req->timeout.flags)
3882 * Remove or update an existing timeout command
3884 static int io_timeout_remove(struct io_kiocb *req)
3886 struct io_ring_ctx *ctx = req->ctx;
3889 spin_lock_irq(&ctx->completion_lock);
3890 ret = io_timeout_cancel(ctx, req->timeout.addr);
3892 io_cqring_fill_event(req, ret);
3893 io_commit_cqring(ctx);
3894 spin_unlock_irq(&ctx->completion_lock);
3895 io_cqring_ev_posted(ctx);
3897 req_set_fail_links(req);
3902 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3903 bool is_timeout_link)
3905 struct io_timeout_data *data;
3908 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3910 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
3912 if (sqe->off && is_timeout_link)
3914 flags = READ_ONCE(sqe->timeout_flags);
3915 if (flags & ~IORING_TIMEOUT_ABS)
3918 req->timeout.count = READ_ONCE(sqe->off);
3920 if (!req->io && io_alloc_async_ctx(req))
3923 data = &req->io->timeout;
3925 req->flags |= REQ_F_TIMEOUT;
3927 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
3930 if (flags & IORING_TIMEOUT_ABS)
3931 data->mode = HRTIMER_MODE_ABS;
3933 data->mode = HRTIMER_MODE_REL;
3935 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3939 static int io_timeout(struct io_kiocb *req)
3942 struct io_ring_ctx *ctx = req->ctx;
3943 struct io_timeout_data *data;
3944 struct list_head *entry;
3947 data = &req->io->timeout;
3950 * sqe->off holds how many events that need to occur for this
3951 * timeout event to be satisfied. If it isn't set, then this is
3952 * a pure timeout request, sequence isn't used.
3954 count = req->timeout.count;
3956 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3957 spin_lock_irq(&ctx->completion_lock);
3958 entry = ctx->timeout_list.prev;
3962 req->sequence = ctx->cached_sq_head + count - 1;
3963 data->seq_offset = count;
3966 * Insertion sort, ensuring the first entry in the list is always
3967 * the one we need first.
3969 spin_lock_irq(&ctx->completion_lock);
3970 list_for_each_prev(entry, &ctx->timeout_list) {
3971 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
3972 unsigned nxt_sq_head;
3973 long long tmp, tmp_nxt;
3974 u32 nxt_offset = nxt->io->timeout.seq_offset;
3976 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3980 * Since cached_sq_head + count - 1 can overflow, use type long
3983 tmp = (long long)ctx->cached_sq_head + count - 1;
3984 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3985 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
3988 * cached_sq_head may overflow, and it will never overflow twice
3989 * once there is some timeout req still be valid.
3991 if (ctx->cached_sq_head < nxt_sq_head)
3998 * Sequence of reqs after the insert one and itself should
3999 * be adjusted because each timeout req consumes a slot.
4004 req->sequence -= span;
4006 list_add(&req->list, entry);
4007 data->timer.function = io_timeout_fn;
4008 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
4009 spin_unlock_irq(&ctx->completion_lock);
4013 static bool io_cancel_cb(struct io_wq_work *work, void *data)
4015 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4017 return req->user_data == (unsigned long) data;
4020 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
4022 enum io_wq_cancel cancel_ret;
4025 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
4026 switch (cancel_ret) {
4027 case IO_WQ_CANCEL_OK:
4030 case IO_WQ_CANCEL_RUNNING:
4033 case IO_WQ_CANCEL_NOTFOUND:
4041 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
4042 struct io_kiocb *req, __u64 sqe_addr,
4043 struct io_kiocb **nxt, int success_ret)
4045 unsigned long flags;
4048 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
4049 if (ret != -ENOENT) {
4050 spin_lock_irqsave(&ctx->completion_lock, flags);
4054 spin_lock_irqsave(&ctx->completion_lock, flags);
4055 ret = io_timeout_cancel(ctx, sqe_addr);
4058 ret = io_poll_cancel(ctx, sqe_addr);
4062 io_cqring_fill_event(req, ret);
4063 io_commit_cqring(ctx);
4064 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4065 io_cqring_ev_posted(ctx);
4068 req_set_fail_links(req);
4069 io_put_req_find_next(req, nxt);
4072 static int io_async_cancel_prep(struct io_kiocb *req,
4073 const struct io_uring_sqe *sqe)
4075 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4077 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
4081 req->cancel.addr = READ_ONCE(sqe->addr);
4085 static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
4087 struct io_ring_ctx *ctx = req->ctx;
4089 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
4093 static int io_files_update_prep(struct io_kiocb *req,
4094 const struct io_uring_sqe *sqe)
4096 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
4099 req->files_update.offset = READ_ONCE(sqe->off);
4100 req->files_update.nr_args = READ_ONCE(sqe->len);
4101 if (!req->files_update.nr_args)
4103 req->files_update.arg = READ_ONCE(sqe->addr);
4107 static int io_files_update(struct io_kiocb *req, bool force_nonblock)
4109 struct io_ring_ctx *ctx = req->ctx;
4110 struct io_uring_files_update up;
4116 up.offset = req->files_update.offset;
4117 up.fds = req->files_update.arg;
4119 mutex_lock(&ctx->uring_lock);
4120 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
4121 mutex_unlock(&ctx->uring_lock);
4124 req_set_fail_links(req);
4125 io_cqring_add_event(req, ret);
4130 static int io_req_defer_prep(struct io_kiocb *req,
4131 const struct io_uring_sqe *sqe)
4135 if (io_op_defs[req->opcode].file_table) {
4136 ret = io_grab_files(req);
4141 io_req_work_grab_env(req, &io_op_defs[req->opcode]);
4143 switch (req->opcode) {
4146 case IORING_OP_READV:
4147 case IORING_OP_READ_FIXED:
4148 case IORING_OP_READ:
4149 ret = io_read_prep(req, sqe, true);
4151 case IORING_OP_WRITEV:
4152 case IORING_OP_WRITE_FIXED:
4153 case IORING_OP_WRITE:
4154 ret = io_write_prep(req, sqe, true);
4156 case IORING_OP_POLL_ADD:
4157 ret = io_poll_add_prep(req, sqe);
4159 case IORING_OP_POLL_REMOVE:
4160 ret = io_poll_remove_prep(req, sqe);
4162 case IORING_OP_FSYNC:
4163 ret = io_prep_fsync(req, sqe);
4165 case IORING_OP_SYNC_FILE_RANGE:
4166 ret = io_prep_sfr(req, sqe);
4168 case IORING_OP_SENDMSG:
4169 case IORING_OP_SEND:
4170 ret = io_sendmsg_prep(req, sqe);
4172 case IORING_OP_RECVMSG:
4173 case IORING_OP_RECV:
4174 ret = io_recvmsg_prep(req, sqe);
4176 case IORING_OP_CONNECT:
4177 ret = io_connect_prep(req, sqe);
4179 case IORING_OP_TIMEOUT:
4180 ret = io_timeout_prep(req, sqe, false);
4182 case IORING_OP_TIMEOUT_REMOVE:
4183 ret = io_timeout_remove_prep(req, sqe);
4185 case IORING_OP_ASYNC_CANCEL:
4186 ret = io_async_cancel_prep(req, sqe);
4188 case IORING_OP_LINK_TIMEOUT:
4189 ret = io_timeout_prep(req, sqe, true);
4191 case IORING_OP_ACCEPT:
4192 ret = io_accept_prep(req, sqe);
4194 case IORING_OP_FALLOCATE:
4195 ret = io_fallocate_prep(req, sqe);
4197 case IORING_OP_OPENAT:
4198 ret = io_openat_prep(req, sqe);
4200 case IORING_OP_CLOSE:
4201 ret = io_close_prep(req, sqe);
4203 case IORING_OP_FILES_UPDATE:
4204 ret = io_files_update_prep(req, sqe);
4206 case IORING_OP_STATX:
4207 ret = io_statx_prep(req, sqe);
4209 case IORING_OP_FADVISE:
4210 ret = io_fadvise_prep(req, sqe);
4212 case IORING_OP_MADVISE:
4213 ret = io_madvise_prep(req, sqe);
4215 case IORING_OP_OPENAT2:
4216 ret = io_openat2_prep(req, sqe);
4218 case IORING_OP_EPOLL_CTL:
4219 ret = io_epoll_ctl_prep(req, sqe);
4222 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
4231 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4233 struct io_ring_ctx *ctx = req->ctx;
4236 /* Still need defer if there is pending req in defer list. */
4237 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
4240 if (!req->io && io_alloc_async_ctx(req))
4243 ret = io_req_defer_prep(req, sqe);
4247 spin_lock_irq(&ctx->completion_lock);
4248 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
4249 spin_unlock_irq(&ctx->completion_lock);
4253 trace_io_uring_defer(ctx, req, req->user_data);
4254 list_add_tail(&req->list, &ctx->defer_list);
4255 spin_unlock_irq(&ctx->completion_lock);
4256 return -EIOCBQUEUED;
4259 static void io_cleanup_req(struct io_kiocb *req)
4261 struct io_async_ctx *io = req->io;
4263 switch (req->opcode) {
4264 case IORING_OP_READV:
4265 case IORING_OP_READ_FIXED:
4266 case IORING_OP_READ:
4267 case IORING_OP_WRITEV:
4268 case IORING_OP_WRITE_FIXED:
4269 case IORING_OP_WRITE:
4270 if (io->rw.iov != io->rw.fast_iov)
4273 case IORING_OP_SENDMSG:
4274 case IORING_OP_RECVMSG:
4275 if (io->msg.iov != io->msg.fast_iov)
4278 case IORING_OP_OPENAT:
4279 case IORING_OP_OPENAT2:
4280 case IORING_OP_STATX:
4281 putname(req->open.filename);
4285 req->flags &= ~REQ_F_NEED_CLEANUP;
4288 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4289 struct io_kiocb **nxt, bool force_nonblock)
4291 struct io_ring_ctx *ctx = req->ctx;
4294 switch (req->opcode) {
4298 case IORING_OP_READV:
4299 case IORING_OP_READ_FIXED:
4300 case IORING_OP_READ:
4302 ret = io_read_prep(req, sqe, force_nonblock);
4306 ret = io_read(req, nxt, force_nonblock);
4308 case IORING_OP_WRITEV:
4309 case IORING_OP_WRITE_FIXED:
4310 case IORING_OP_WRITE:
4312 ret = io_write_prep(req, sqe, force_nonblock);
4316 ret = io_write(req, nxt, force_nonblock);
4318 case IORING_OP_FSYNC:
4320 ret = io_prep_fsync(req, sqe);
4324 ret = io_fsync(req, nxt, force_nonblock);
4326 case IORING_OP_POLL_ADD:
4328 ret = io_poll_add_prep(req, sqe);
4332 ret = io_poll_add(req, nxt);
4334 case IORING_OP_POLL_REMOVE:
4336 ret = io_poll_remove_prep(req, sqe);
4340 ret = io_poll_remove(req);
4342 case IORING_OP_SYNC_FILE_RANGE:
4344 ret = io_prep_sfr(req, sqe);
4348 ret = io_sync_file_range(req, nxt, force_nonblock);
4350 case IORING_OP_SENDMSG:
4351 case IORING_OP_SEND:
4353 ret = io_sendmsg_prep(req, sqe);
4357 if (req->opcode == IORING_OP_SENDMSG)
4358 ret = io_sendmsg(req, nxt, force_nonblock);
4360 ret = io_send(req, nxt, force_nonblock);
4362 case IORING_OP_RECVMSG:
4363 case IORING_OP_RECV:
4365 ret = io_recvmsg_prep(req, sqe);
4369 if (req->opcode == IORING_OP_RECVMSG)
4370 ret = io_recvmsg(req, nxt, force_nonblock);
4372 ret = io_recv(req, nxt, force_nonblock);
4374 case IORING_OP_TIMEOUT:
4376 ret = io_timeout_prep(req, sqe, false);
4380 ret = io_timeout(req);
4382 case IORING_OP_TIMEOUT_REMOVE:
4384 ret = io_timeout_remove_prep(req, sqe);
4388 ret = io_timeout_remove(req);
4390 case IORING_OP_ACCEPT:
4392 ret = io_accept_prep(req, sqe);
4396 ret = io_accept(req, nxt, force_nonblock);
4398 case IORING_OP_CONNECT:
4400 ret = io_connect_prep(req, sqe);
4404 ret = io_connect(req, nxt, force_nonblock);
4406 case IORING_OP_ASYNC_CANCEL:
4408 ret = io_async_cancel_prep(req, sqe);
4412 ret = io_async_cancel(req, nxt);
4414 case IORING_OP_FALLOCATE:
4416 ret = io_fallocate_prep(req, sqe);
4420 ret = io_fallocate(req, nxt, force_nonblock);
4422 case IORING_OP_OPENAT:
4424 ret = io_openat_prep(req, sqe);
4428 ret = io_openat(req, nxt, force_nonblock);
4430 case IORING_OP_CLOSE:
4432 ret = io_close_prep(req, sqe);
4436 ret = io_close(req, nxt, force_nonblock);
4438 case IORING_OP_FILES_UPDATE:
4440 ret = io_files_update_prep(req, sqe);
4444 ret = io_files_update(req, force_nonblock);
4446 case IORING_OP_STATX:
4448 ret = io_statx_prep(req, sqe);
4452 ret = io_statx(req, nxt, force_nonblock);
4454 case IORING_OP_FADVISE:
4456 ret = io_fadvise_prep(req, sqe);
4460 ret = io_fadvise(req, nxt, force_nonblock);
4462 case IORING_OP_MADVISE:
4464 ret = io_madvise_prep(req, sqe);
4468 ret = io_madvise(req, nxt, force_nonblock);
4470 case IORING_OP_OPENAT2:
4472 ret = io_openat2_prep(req, sqe);
4476 ret = io_openat2(req, nxt, force_nonblock);
4478 case IORING_OP_EPOLL_CTL:
4480 ret = io_epoll_ctl_prep(req, sqe);
4484 ret = io_epoll_ctl(req, nxt, force_nonblock);
4494 if (ctx->flags & IORING_SETUP_IOPOLL) {
4495 const bool in_async = io_wq_current_is_worker();
4497 if (req->result == -EAGAIN)
4500 /* workqueue context doesn't hold uring_lock, grab it now */
4502 mutex_lock(&ctx->uring_lock);
4504 io_iopoll_req_issued(req);
4507 mutex_unlock(&ctx->uring_lock);
4513 static void io_wq_submit_work(struct io_wq_work **workptr)
4515 struct io_wq_work *work = *workptr;
4516 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4517 struct io_kiocb *nxt = NULL;
4520 /* if NO_CANCEL is set, we must still run the work */
4521 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4522 IO_WQ_WORK_CANCEL) {
4527 req->in_async = true;
4529 ret = io_issue_sqe(req, NULL, &nxt, false);
4531 * We can get EAGAIN for polled IO even though we're
4532 * forcing a sync submission from here, since we can't
4533 * wait for request slots on the block side.
4541 /* drop submission reference */
4545 req_set_fail_links(req);
4546 io_cqring_add_event(req, ret);
4550 /* if a dependent link is ready, pass it back */
4552 io_wq_assign_next(workptr, nxt);
4555 static int io_req_needs_file(struct io_kiocb *req, int fd)
4557 if (!io_op_defs[req->opcode].needs_file)
4559 if ((fd == -1 || fd == AT_FDCWD) && io_op_defs[req->opcode].fd_non_neg)
4564 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4567 struct fixed_file_table *table;
4569 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4570 return table->files[index & IORING_FILE_TABLE_MASK];;
4573 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4574 const struct io_uring_sqe *sqe)
4576 struct io_ring_ctx *ctx = req->ctx;
4580 flags = READ_ONCE(sqe->flags);
4581 fd = READ_ONCE(sqe->fd);
4583 if (!io_req_needs_file(req, fd))
4586 if (flags & IOSQE_FIXED_FILE) {
4587 if (unlikely(!ctx->file_data ||
4588 (unsigned) fd >= ctx->nr_user_files))
4590 fd = array_index_nospec(fd, ctx->nr_user_files);
4591 req->file = io_file_from_index(ctx, fd);
4594 req->flags |= REQ_F_FIXED_FILE;
4595 percpu_ref_get(&ctx->file_data->refs);
4597 if (req->needs_fixed_file)
4599 trace_io_uring_file_get(ctx, fd);
4600 req->file = io_file_get(state, fd);
4601 if (unlikely(!req->file))
4608 static int io_grab_files(struct io_kiocb *req)
4611 struct io_ring_ctx *ctx = req->ctx;
4613 if (req->work.files)
4615 if (!ctx->ring_file)
4619 spin_lock_irq(&ctx->inflight_lock);
4621 * We use the f_ops->flush() handler to ensure that we can flush
4622 * out work accessing these files if the fd is closed. Check if
4623 * the fd has changed since we started down this path, and disallow
4624 * this operation if it has.
4626 if (fcheck(ctx->ring_fd) == ctx->ring_file) {
4627 list_add(&req->inflight_entry, &ctx->inflight_list);
4628 req->flags |= REQ_F_INFLIGHT;
4629 req->work.files = current->files;
4632 spin_unlock_irq(&ctx->inflight_lock);
4638 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
4640 struct io_timeout_data *data = container_of(timer,
4641 struct io_timeout_data, timer);
4642 struct io_kiocb *req = data->req;
4643 struct io_ring_ctx *ctx = req->ctx;
4644 struct io_kiocb *prev = NULL;
4645 unsigned long flags;
4647 spin_lock_irqsave(&ctx->completion_lock, flags);
4650 * We don't expect the list to be empty, that will only happen if we
4651 * race with the completion of the linked work.
4653 if (!list_empty(&req->link_list)) {
4654 prev = list_entry(req->link_list.prev, struct io_kiocb,
4656 if (refcount_inc_not_zero(&prev->refs)) {
4657 list_del_init(&req->link_list);
4658 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4663 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4666 req_set_fail_links(prev);
4667 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4671 io_cqring_add_event(req, -ETIME);
4674 return HRTIMER_NORESTART;
4677 static void io_queue_linked_timeout(struct io_kiocb *req)
4679 struct io_ring_ctx *ctx = req->ctx;
4682 * If the list is now empty, then our linked request finished before
4683 * we got a chance to setup the timer
4685 spin_lock_irq(&ctx->completion_lock);
4686 if (!list_empty(&req->link_list)) {
4687 struct io_timeout_data *data = &req->io->timeout;
4689 data->timer.function = io_link_timeout_fn;
4690 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4693 spin_unlock_irq(&ctx->completion_lock);
4695 /* drop submission reference */
4699 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
4701 struct io_kiocb *nxt;
4703 if (!(req->flags & REQ_F_LINK))
4706 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4708 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
4711 req->flags |= REQ_F_LINK_TIMEOUT;
4715 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4717 struct io_kiocb *linked_timeout;
4718 struct io_kiocb *nxt = NULL;
4719 const struct cred *old_creds = NULL;
4723 linked_timeout = io_prep_linked_timeout(req);
4725 if (req->work.creds && req->work.creds != current_cred()) {
4727 revert_creds(old_creds);
4728 if (old_creds == req->work.creds)
4729 old_creds = NULL; /* restored original creds */
4731 old_creds = override_creds(req->work.creds);
4734 ret = io_issue_sqe(req, sqe, &nxt, true);
4737 * We async punt it if the file wasn't marked NOWAIT, or if the file
4738 * doesn't support non-blocking read/write attempts
4740 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4741 (req->flags & REQ_F_MUST_PUNT))) {
4743 if (io_op_defs[req->opcode].file_table) {
4744 ret = io_grab_files(req);
4750 * Queued up for async execution, worker will release
4751 * submit reference when the iocb is actually submitted.
4753 io_queue_async_work(req);
4758 /* drop submission reference */
4759 io_put_req_find_next(req, &nxt);
4761 if (linked_timeout) {
4763 io_queue_linked_timeout(linked_timeout);
4765 io_put_req(linked_timeout);
4768 /* and drop final reference, if we failed */
4770 io_cqring_add_event(req, ret);
4771 req_set_fail_links(req);
4779 if (req->flags & REQ_F_FORCE_ASYNC)
4784 revert_creds(old_creds);
4787 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4791 ret = io_req_defer(req, sqe);
4793 if (ret != -EIOCBQUEUED) {
4795 io_cqring_add_event(req, ret);
4796 req_set_fail_links(req);
4797 io_double_put_req(req);
4799 } else if (req->flags & REQ_F_FORCE_ASYNC) {
4800 ret = io_req_defer_prep(req, sqe);
4801 if (unlikely(ret < 0))
4804 * Never try inline submit of IOSQE_ASYNC is set, go straight
4805 * to async execution.
4807 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4808 io_queue_async_work(req);
4810 __io_queue_sqe(req, sqe);
4814 static inline void io_queue_link_head(struct io_kiocb *req)
4816 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
4817 io_cqring_add_event(req, -ECANCELED);
4818 io_double_put_req(req);
4820 io_queue_sqe(req, NULL);
4823 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
4824 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
4826 static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4827 struct io_submit_state *state, struct io_kiocb **link)
4829 struct io_ring_ctx *ctx = req->ctx;
4830 unsigned int sqe_flags;
4833 sqe_flags = READ_ONCE(sqe->flags);
4835 /* enforce forwards compatibility on users */
4836 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
4841 id = READ_ONCE(sqe->personality);
4843 req->work.creds = idr_find(&ctx->personality_idr, id);
4844 if (unlikely(!req->work.creds)) {
4848 get_cred(req->work.creds);
4851 /* same numerical values with corresponding REQ_F_*, safe to copy */
4852 req->flags |= sqe_flags & (IOSQE_IO_DRAIN|IOSQE_IO_HARDLINK|
4855 ret = io_req_set_file(state, req, sqe);
4856 if (unlikely(ret)) {
4858 io_cqring_add_event(req, ret);
4859 io_double_put_req(req);
4864 * If we already have a head request, queue this one for async
4865 * submittal once the head completes. If we don't have a head but
4866 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4867 * submitted sync once the chain is complete. If none of those
4868 * conditions are true (normal request), then just queue it.
4871 struct io_kiocb *head = *link;
4874 * Taking sequential execution of a link, draining both sides
4875 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
4876 * requests in the link. So, it drains the head and the
4877 * next after the link request. The last one is done via
4878 * drain_next flag to persist the effect across calls.
4880 if (sqe_flags & IOSQE_IO_DRAIN) {
4881 head->flags |= REQ_F_IO_DRAIN;
4882 ctx->drain_next = 1;
4884 if (io_alloc_async_ctx(req)) {
4889 ret = io_req_defer_prep(req, sqe);
4891 /* fail even hard links since we don't submit */
4892 head->flags |= REQ_F_FAIL_LINK;
4895 trace_io_uring_link(ctx, req, head);
4896 list_add_tail(&req->link_list, &head->link_list);
4898 /* last request of a link, enqueue the link */
4899 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4900 io_queue_link_head(head);
4904 if (unlikely(ctx->drain_next)) {
4905 req->flags |= REQ_F_IO_DRAIN;
4906 req->ctx->drain_next = 0;
4908 if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
4909 req->flags |= REQ_F_LINK;
4910 INIT_LIST_HEAD(&req->link_list);
4911 ret = io_req_defer_prep(req, sqe);
4913 req->flags |= REQ_F_FAIL_LINK;
4916 io_queue_sqe(req, sqe);
4924 * Batched submission is done, ensure local IO is flushed out.
4926 static void io_submit_state_end(struct io_submit_state *state)
4928 blk_finish_plug(&state->plug);
4930 if (state->free_reqs)
4931 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
4935 * Start submission side cache.
4937 static void io_submit_state_start(struct io_submit_state *state,
4938 unsigned int max_ios)
4940 blk_start_plug(&state->plug);
4941 state->free_reqs = 0;
4943 state->ios_left = max_ios;
4946 static void io_commit_sqring(struct io_ring_ctx *ctx)
4948 struct io_rings *rings = ctx->rings;
4951 * Ensure any loads from the SQEs are done at this point,
4952 * since once we write the new head, the application could
4953 * write new data to them.
4955 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
4959 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
4960 * that is mapped by userspace. This means that care needs to be taken to
4961 * ensure that reads are stable, as we cannot rely on userspace always
4962 * being a good citizen. If members of the sqe are validated and then later
4963 * used, it's important that those reads are done through READ_ONCE() to
4964 * prevent a re-load down the line.
4966 static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4967 const struct io_uring_sqe **sqe_ptr)
4969 u32 *sq_array = ctx->sq_array;
4973 * The cached sq head (or cq tail) serves two purposes:
4975 * 1) allows us to batch the cost of updating the user visible
4977 * 2) allows the kernel side to track the head on its own, even
4978 * though the application is the one updating it.
4980 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
4981 if (likely(head < ctx->sq_entries)) {
4983 * All io need record the previous position, if LINK vs DARIN,
4984 * it can be used to mark the position of the first IO in the
4987 req->sequence = ctx->cached_sq_head;
4988 *sqe_ptr = &ctx->sq_sqes[head];
4989 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4990 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
4991 ctx->cached_sq_head++;
4995 /* drop invalid entries */
4996 ctx->cached_sq_head++;
4997 ctx->cached_sq_dropped++;
4998 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
5002 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
5003 struct file *ring_file, int ring_fd,
5004 struct mm_struct **mm, bool async)
5006 struct io_submit_state state, *statep = NULL;
5007 struct io_kiocb *link = NULL;
5008 int i, submitted = 0;
5009 bool mm_fault = false;
5011 /* if we have a backlog and couldn't flush it all, return BUSY */
5012 if (test_bit(0, &ctx->sq_check_overflow)) {
5013 if (!list_empty(&ctx->cq_overflow_list) &&
5014 !io_cqring_overflow_flush(ctx, false))
5018 /* make sure SQ entry isn't read before tail */
5019 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
5021 if (!percpu_ref_tryget_many(&ctx->refs, nr))
5024 if (nr > IO_PLUG_THRESHOLD) {
5025 io_submit_state_start(&state, nr);
5029 ctx->ring_fd = ring_fd;
5030 ctx->ring_file = ring_file;
5032 for (i = 0; i < nr; i++) {
5033 const struct io_uring_sqe *sqe;
5034 struct io_kiocb *req;
5037 req = io_get_req(ctx, statep);
5038 if (unlikely(!req)) {
5040 submitted = -EAGAIN;
5043 if (!io_get_sqring(ctx, req, &sqe)) {
5044 __io_req_do_free(req);
5048 /* will complete beyond this point, count as submitted */
5051 if (unlikely(req->opcode >= IORING_OP_LAST)) {
5054 io_cqring_add_event(req, err);
5055 io_double_put_req(req);
5059 if (io_op_defs[req->opcode].needs_mm && !*mm) {
5060 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
5061 if (unlikely(mm_fault)) {
5065 use_mm(ctx->sqo_mm);
5069 req->in_async = async;
5070 req->needs_fixed_file = async;
5071 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
5073 if (!io_submit_sqe(req, sqe, statep, &link))
5077 if (unlikely(submitted != nr)) {
5078 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
5080 percpu_ref_put_many(&ctx->refs, nr - ref_used);
5083 io_queue_link_head(link);
5085 io_submit_state_end(&state);
5087 /* Commit SQ ring head once we've consumed and submitted all SQEs */
5088 io_commit_sqring(ctx);
5093 static int io_sq_thread(void *data)
5095 struct io_ring_ctx *ctx = data;
5096 struct mm_struct *cur_mm = NULL;
5097 const struct cred *old_cred;
5098 mm_segment_t old_fs;
5100 unsigned long timeout;
5103 complete(&ctx->completions[1]);
5107 old_cred = override_creds(ctx->creds);
5109 timeout = jiffies + ctx->sq_thread_idle;
5110 while (!kthread_should_park()) {
5111 unsigned int to_submit;
5113 if (!list_empty(&ctx->poll_list)) {
5114 unsigned nr_events = 0;
5116 mutex_lock(&ctx->uring_lock);
5117 if (!list_empty(&ctx->poll_list))
5118 io_iopoll_getevents(ctx, &nr_events, 0);
5120 timeout = jiffies + ctx->sq_thread_idle;
5121 mutex_unlock(&ctx->uring_lock);
5124 to_submit = io_sqring_entries(ctx);
5127 * If submit got -EBUSY, flag us as needing the application
5128 * to enter the kernel to reap and flush events.
5130 if (!to_submit || ret == -EBUSY) {
5132 * Drop cur_mm before scheduling, we can't hold it for
5133 * long periods (or over schedule()). Do this before
5134 * adding ourselves to the waitqueue, as the unuse/drop
5144 * We're polling. If we're within the defined idle
5145 * period, then let us spin without work before going
5146 * to sleep. The exception is if we got EBUSY doing
5147 * more IO, we should wait for the application to
5148 * reap events and wake us up.
5150 if (!list_empty(&ctx->poll_list) ||
5151 (!time_after(jiffies, timeout) && ret != -EBUSY &&
5152 !percpu_ref_is_dying(&ctx->refs))) {
5157 prepare_to_wait(&ctx->sqo_wait, &wait,
5158 TASK_INTERRUPTIBLE);
5161 * While doing polled IO, before going to sleep, we need
5162 * to check if there are new reqs added to poll_list, it
5163 * is because reqs may have been punted to io worker and
5164 * will be added to poll_list later, hence check the
5167 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
5168 !list_empty_careful(&ctx->poll_list)) {
5169 finish_wait(&ctx->sqo_wait, &wait);
5173 /* Tell userspace we may need a wakeup call */
5174 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
5175 /* make sure to read SQ tail after writing flags */
5178 to_submit = io_sqring_entries(ctx);
5179 if (!to_submit || ret == -EBUSY) {
5180 if (kthread_should_park()) {
5181 finish_wait(&ctx->sqo_wait, &wait);
5184 if (signal_pending(current))
5185 flush_signals(current);
5187 finish_wait(&ctx->sqo_wait, &wait);
5189 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
5192 finish_wait(&ctx->sqo_wait, &wait);
5194 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
5197 mutex_lock(&ctx->uring_lock);
5198 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
5199 mutex_unlock(&ctx->uring_lock);
5200 timeout = jiffies + ctx->sq_thread_idle;
5208 revert_creds(old_cred);
5215 struct io_wait_queue {
5216 struct wait_queue_entry wq;
5217 struct io_ring_ctx *ctx;
5219 unsigned nr_timeouts;
5222 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
5224 struct io_ring_ctx *ctx = iowq->ctx;
5227 * Wake up if we have enough events, or if a timeout occurred since we
5228 * started waiting. For timeouts, we always want to return to userspace,
5229 * regardless of event count.
5231 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
5232 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
5235 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
5236 int wake_flags, void *key)
5238 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
5241 /* use noflush == true, as we can't safely rely on locking context */
5242 if (!io_should_wake(iowq, true))
5245 return autoremove_wake_function(curr, mode, wake_flags, key);
5249 * Wait until events become available, if we don't already have some. The
5250 * application must reap them itself, as they reside on the shared cq ring.
5252 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
5253 const sigset_t __user *sig, size_t sigsz)
5255 struct io_wait_queue iowq = {
5258 .func = io_wake_function,
5259 .entry = LIST_HEAD_INIT(iowq.wq.entry),
5262 .to_wait = min_events,
5264 struct io_rings *rings = ctx->rings;
5267 if (io_cqring_events(ctx, false) >= min_events)
5271 #ifdef CONFIG_COMPAT
5272 if (in_compat_syscall())
5273 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
5277 ret = set_user_sigmask(sig, sigsz);
5283 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
5284 trace_io_uring_cqring_wait(ctx, min_events);
5286 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
5287 TASK_INTERRUPTIBLE);
5288 if (io_should_wake(&iowq, false))
5291 if (signal_pending(current)) {
5296 finish_wait(&ctx->wait, &iowq.wq);
5298 restore_saved_sigmask_unless(ret == -EINTR);
5300 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
5303 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
5305 #if defined(CONFIG_UNIX)
5306 if (ctx->ring_sock) {
5307 struct sock *sock = ctx->ring_sock->sk;
5308 struct sk_buff *skb;
5310 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
5316 for (i = 0; i < ctx->nr_user_files; i++) {
5319 file = io_file_from_index(ctx, i);
5326 static void io_file_ref_kill(struct percpu_ref *ref)
5328 struct fixed_file_data *data;
5330 data = container_of(ref, struct fixed_file_data, refs);
5331 complete(&data->done);
5334 static void __io_file_ref_exit_and_free(struct rcu_head *rcu)
5336 struct fixed_file_data *data = container_of(rcu, struct fixed_file_data,
5338 percpu_ref_exit(&data->refs);
5342 static void io_file_ref_exit_and_free(struct rcu_head *rcu)
5345 * We need to order our exit+free call against the potentially
5346 * existing call_rcu() for switching to atomic. One way to do that
5347 * is to have this rcu callback queue the final put and free, as we
5348 * could otherwise have a pre-existing atomic switch complete _after_
5349 * the free callback we queued.
5351 call_rcu(rcu, __io_file_ref_exit_and_free);
5354 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
5356 struct fixed_file_data *data = ctx->file_data;
5357 unsigned nr_tables, i;
5362 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
5363 flush_work(&data->ref_work);
5364 wait_for_completion(&data->done);
5365 io_ring_file_ref_flush(data);
5367 __io_sqe_files_unregister(ctx);
5368 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
5369 for (i = 0; i < nr_tables; i++)
5370 kfree(data->table[i].files);
5372 call_rcu(&data->rcu, io_file_ref_exit_and_free);
5373 ctx->file_data = NULL;
5374 ctx->nr_user_files = 0;
5378 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
5380 if (ctx->sqo_thread) {
5381 wait_for_completion(&ctx->completions[1]);
5383 * The park is a bit of a work-around, without it we get
5384 * warning spews on shutdown with SQPOLL set and affinity
5385 * set to a single CPU.
5387 kthread_park(ctx->sqo_thread);
5388 kthread_stop(ctx->sqo_thread);
5389 ctx->sqo_thread = NULL;
5393 static void io_finish_async(struct io_ring_ctx *ctx)
5395 io_sq_thread_stop(ctx);
5398 io_wq_destroy(ctx->io_wq);
5403 #if defined(CONFIG_UNIX)
5405 * Ensure the UNIX gc is aware of our file set, so we are certain that
5406 * the io_uring can be safely unregistered on process exit, even if we have
5407 * loops in the file referencing.
5409 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
5411 struct sock *sk = ctx->ring_sock->sk;
5412 struct scm_fp_list *fpl;
5413 struct sk_buff *skb;
5416 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
5417 unsigned long inflight = ctx->user->unix_inflight + nr;
5419 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
5423 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
5427 skb = alloc_skb(0, GFP_KERNEL);
5436 fpl->user = get_uid(ctx->user);
5437 for (i = 0; i < nr; i++) {
5438 struct file *file = io_file_from_index(ctx, i + offset);
5442 fpl->fp[nr_files] = get_file(file);
5443 unix_inflight(fpl->user, fpl->fp[nr_files]);
5448 fpl->max = SCM_MAX_FD;
5449 fpl->count = nr_files;
5450 UNIXCB(skb).fp = fpl;
5451 skb->destructor = unix_destruct_scm;
5452 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
5453 skb_queue_head(&sk->sk_receive_queue, skb);
5455 for (i = 0; i < nr_files; i++)
5466 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
5467 * causes regular reference counting to break down. We rely on the UNIX
5468 * garbage collection to take care of this problem for us.
5470 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5472 unsigned left, total;
5476 left = ctx->nr_user_files;
5478 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
5480 ret = __io_sqe_files_scm(ctx, this_files, total);
5484 total += this_files;
5490 while (total < ctx->nr_user_files) {
5491 struct file *file = io_file_from_index(ctx, total);
5501 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5507 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5512 for (i = 0; i < nr_tables; i++) {
5513 struct fixed_file_table *table = &ctx->file_data->table[i];
5514 unsigned this_files;
5516 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5517 table->files = kcalloc(this_files, sizeof(struct file *),
5521 nr_files -= this_files;
5527 for (i = 0; i < nr_tables; i++) {
5528 struct fixed_file_table *table = &ctx->file_data->table[i];
5529 kfree(table->files);
5534 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5536 #if defined(CONFIG_UNIX)
5537 struct sock *sock = ctx->ring_sock->sk;
5538 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5539 struct sk_buff *skb;
5542 __skb_queue_head_init(&list);
5545 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5546 * remove this entry and rearrange the file array.
5548 skb = skb_dequeue(head);
5550 struct scm_fp_list *fp;
5552 fp = UNIXCB(skb).fp;
5553 for (i = 0; i < fp->count; i++) {
5556 if (fp->fp[i] != file)
5559 unix_notinflight(fp->user, fp->fp[i]);
5560 left = fp->count - 1 - i;
5562 memmove(&fp->fp[i], &fp->fp[i + 1],
5563 left * sizeof(struct file *));
5570 __skb_queue_tail(&list, skb);
5580 __skb_queue_tail(&list, skb);
5582 skb = skb_dequeue(head);
5585 if (skb_peek(&list)) {
5586 spin_lock_irq(&head->lock);
5587 while ((skb = __skb_dequeue(&list)) != NULL)
5588 __skb_queue_tail(head, skb);
5589 spin_unlock_irq(&head->lock);
5596 struct io_file_put {
5597 struct llist_node llist;
5599 struct completion *done;
5602 static void io_ring_file_ref_flush(struct fixed_file_data *data)
5604 struct io_file_put *pfile, *tmp;
5605 struct llist_node *node;
5607 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5608 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5609 io_ring_file_put(data->ctx, pfile->file);
5611 complete(pfile->done);
5618 static void io_ring_file_ref_switch(struct work_struct *work)
5620 struct fixed_file_data *data;
5622 data = container_of(work, struct fixed_file_data, ref_work);
5623 io_ring_file_ref_flush(data);
5624 percpu_ref_switch_to_percpu(&data->refs);
5627 static void io_file_data_ref_zero(struct percpu_ref *ref)
5629 struct fixed_file_data *data;
5631 data = container_of(ref, struct fixed_file_data, refs);
5634 * We can't safely switch from inside this context, punt to wq. If
5635 * the table ref is going away, the table is being unregistered.
5636 * Don't queue up the async work for that case, the caller will
5639 if (!percpu_ref_is_dying(&data->refs))
5640 queue_work(system_wq, &data->ref_work);
5643 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5646 __s32 __user *fds = (__s32 __user *) arg;
5656 if (nr_args > IORING_MAX_FIXED_FILES)
5659 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5660 if (!ctx->file_data)
5662 ctx->file_data->ctx = ctx;
5663 init_completion(&ctx->file_data->done);
5665 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
5666 ctx->file_data->table = kcalloc(nr_tables,
5667 sizeof(struct fixed_file_table),
5669 if (!ctx->file_data->table) {
5670 kfree(ctx->file_data);
5671 ctx->file_data = NULL;
5675 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5676 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5677 kfree(ctx->file_data->table);
5678 kfree(ctx->file_data);
5679 ctx->file_data = NULL;
5682 ctx->file_data->put_llist.first = NULL;
5683 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
5685 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
5686 percpu_ref_exit(&ctx->file_data->refs);
5687 kfree(ctx->file_data->table);
5688 kfree(ctx->file_data);
5689 ctx->file_data = NULL;
5693 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
5694 struct fixed_file_table *table;
5698 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5700 /* allow sparse sets */
5706 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
5707 index = i & IORING_FILE_TABLE_MASK;
5715 * Don't allow io_uring instances to be registered. If UNIX
5716 * isn't enabled, then this causes a reference cycle and this
5717 * instance can never get freed. If UNIX is enabled we'll
5718 * handle it just fine, but there's still no point in allowing
5719 * a ring fd as it doesn't support regular read/write anyway.
5721 if (file->f_op == &io_uring_fops) {
5726 table->files[index] = file;
5730 for (i = 0; i < ctx->nr_user_files; i++) {
5731 file = io_file_from_index(ctx, i);
5735 for (i = 0; i < nr_tables; i++)
5736 kfree(ctx->file_data->table[i].files);
5738 kfree(ctx->file_data->table);
5739 kfree(ctx->file_data);
5740 ctx->file_data = NULL;
5741 ctx->nr_user_files = 0;
5745 ret = io_sqe_files_scm(ctx);
5747 io_sqe_files_unregister(ctx);
5752 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5755 #if defined(CONFIG_UNIX)
5756 struct sock *sock = ctx->ring_sock->sk;
5757 struct sk_buff_head *head = &sock->sk_receive_queue;
5758 struct sk_buff *skb;
5761 * See if we can merge this file into an existing skb SCM_RIGHTS
5762 * file set. If there's no room, fall back to allocating a new skb
5763 * and filling it in.
5765 spin_lock_irq(&head->lock);
5766 skb = skb_peek(head);
5768 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5770 if (fpl->count < SCM_MAX_FD) {
5771 __skb_unlink(skb, head);
5772 spin_unlock_irq(&head->lock);
5773 fpl->fp[fpl->count] = get_file(file);
5774 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5776 spin_lock_irq(&head->lock);
5777 __skb_queue_head(head, skb);
5782 spin_unlock_irq(&head->lock);
5789 return __io_sqe_files_scm(ctx, 1, index);
5795 static void io_atomic_switch(struct percpu_ref *ref)
5797 struct fixed_file_data *data;
5800 * Juggle reference to ensure we hit zero, if needed, so we can
5801 * switch back to percpu mode
5803 data = container_of(ref, struct fixed_file_data, refs);
5804 percpu_ref_put(&data->refs);
5805 percpu_ref_get(&data->refs);
5808 static bool io_queue_file_removal(struct fixed_file_data *data,
5811 struct io_file_put *pfile, pfile_stack;
5812 DECLARE_COMPLETION_ONSTACK(done);
5815 * If we fail allocating the struct we need for doing async reomval
5816 * of this file, just punt to sync and wait for it.
5818 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5820 pfile = &pfile_stack;
5821 pfile->done = &done;
5825 llist_add(&pfile->llist, &data->put_llist);
5827 if (pfile == &pfile_stack) {
5828 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
5829 wait_for_completion(&done);
5830 flush_work(&data->ref_work);
5837 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5838 struct io_uring_files_update *up,
5841 struct fixed_file_data *data = ctx->file_data;
5842 bool ref_switch = false;
5848 if (check_add_overflow(up->offset, nr_args, &done))
5850 if (done > ctx->nr_user_files)
5854 fds = u64_to_user_ptr(up->fds);
5856 struct fixed_file_table *table;
5860 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5864 i = array_index_nospec(up->offset, ctx->nr_user_files);
5865 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
5866 index = i & IORING_FILE_TABLE_MASK;
5867 if (table->files[index]) {
5868 file = io_file_from_index(ctx, index);
5869 table->files[index] = NULL;
5870 if (io_queue_file_removal(data, file))
5880 * Don't allow io_uring instances to be registered. If
5881 * UNIX isn't enabled, then this causes a reference
5882 * cycle and this instance can never get freed. If UNIX
5883 * is enabled we'll handle it just fine, but there's
5884 * still no point in allowing a ring fd as it doesn't
5885 * support regular read/write anyway.
5887 if (file->f_op == &io_uring_fops) {
5892 table->files[index] = file;
5893 err = io_sqe_file_register(ctx, file, i);
5903 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
5905 return done ? done : err;
5907 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5910 struct io_uring_files_update up;
5912 if (!ctx->file_data)
5916 if (copy_from_user(&up, arg, sizeof(up)))
5921 return __io_sqe_files_update(ctx, &up, nr_args);
5924 static void io_put_work(struct io_wq_work *work)
5926 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5931 static void io_get_work(struct io_wq_work *work)
5933 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5935 refcount_inc(&req->refs);
5938 static int io_init_wq_offload(struct io_ring_ctx *ctx,
5939 struct io_uring_params *p)
5941 struct io_wq_data data;
5943 struct io_ring_ctx *ctx_attach;
5944 unsigned int concurrency;
5947 data.user = ctx->user;
5948 data.get_work = io_get_work;
5949 data.put_work = io_put_work;
5951 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
5952 /* Do QD, or 4 * CPUS, whatever is smallest */
5953 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
5955 ctx->io_wq = io_wq_create(concurrency, &data);
5956 if (IS_ERR(ctx->io_wq)) {
5957 ret = PTR_ERR(ctx->io_wq);
5963 f = fdget(p->wq_fd);
5967 if (f.file->f_op != &io_uring_fops) {
5972 ctx_attach = f.file->private_data;
5973 /* @io_wq is protected by holding the fd */
5974 if (!io_wq_get(ctx_attach->io_wq, &data)) {
5979 ctx->io_wq = ctx_attach->io_wq;
5985 static int io_sq_offload_start(struct io_ring_ctx *ctx,
5986 struct io_uring_params *p)
5990 init_waitqueue_head(&ctx->sqo_wait);
5991 mmgrab(current->mm);
5992 ctx->sqo_mm = current->mm;
5994 if (ctx->flags & IORING_SETUP_SQPOLL) {
5996 if (!capable(CAP_SYS_ADMIN))
5999 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
6000 if (!ctx->sq_thread_idle)
6001 ctx->sq_thread_idle = HZ;
6003 if (p->flags & IORING_SETUP_SQ_AFF) {
6004 int cpu = p->sq_thread_cpu;
6007 if (cpu >= nr_cpu_ids)
6009 if (!cpu_online(cpu))
6012 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
6016 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
6019 if (IS_ERR(ctx->sqo_thread)) {
6020 ret = PTR_ERR(ctx->sqo_thread);
6021 ctx->sqo_thread = NULL;
6024 wake_up_process(ctx->sqo_thread);
6025 } else if (p->flags & IORING_SETUP_SQ_AFF) {
6026 /* Can't have SQ_AFF without SQPOLL */
6031 ret = io_init_wq_offload(ctx, p);
6037 io_finish_async(ctx);
6038 mmdrop(ctx->sqo_mm);
6043 static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
6045 atomic_long_sub(nr_pages, &user->locked_vm);
6048 static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
6050 unsigned long page_limit, cur_pages, new_pages;
6052 /* Don't allow more pages than we can safely lock */
6053 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
6056 cur_pages = atomic_long_read(&user->locked_vm);
6057 new_pages = cur_pages + nr_pages;
6058 if (new_pages > page_limit)
6060 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
6061 new_pages) != cur_pages);
6066 static void io_mem_free(void *ptr)
6073 page = virt_to_head_page(ptr);
6074 if (put_page_testzero(page))
6075 free_compound_page(page);
6078 static void *io_mem_alloc(size_t size)
6080 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
6083 return (void *) __get_free_pages(gfp_flags, get_order(size));
6086 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
6089 struct io_rings *rings;
6090 size_t off, sq_array_size;
6092 off = struct_size(rings, cqes, cq_entries);
6093 if (off == SIZE_MAX)
6097 off = ALIGN(off, SMP_CACHE_BYTES);
6102 sq_array_size = array_size(sizeof(u32), sq_entries);
6103 if (sq_array_size == SIZE_MAX)
6106 if (check_add_overflow(off, sq_array_size, &off))
6115 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
6119 pages = (size_t)1 << get_order(
6120 rings_size(sq_entries, cq_entries, NULL));
6121 pages += (size_t)1 << get_order(
6122 array_size(sizeof(struct io_uring_sqe), sq_entries));
6127 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
6131 if (!ctx->user_bufs)
6134 for (i = 0; i < ctx->nr_user_bufs; i++) {
6135 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
6137 for (j = 0; j < imu->nr_bvecs; j++)
6138 unpin_user_page(imu->bvec[j].bv_page);
6140 if (ctx->account_mem)
6141 io_unaccount_mem(ctx->user, imu->nr_bvecs);
6146 kfree(ctx->user_bufs);
6147 ctx->user_bufs = NULL;
6148 ctx->nr_user_bufs = 0;
6152 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
6153 void __user *arg, unsigned index)
6155 struct iovec __user *src;
6157 #ifdef CONFIG_COMPAT
6159 struct compat_iovec __user *ciovs;
6160 struct compat_iovec ciov;
6162 ciovs = (struct compat_iovec __user *) arg;
6163 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
6166 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
6167 dst->iov_len = ciov.iov_len;
6171 src = (struct iovec __user *) arg;
6172 if (copy_from_user(dst, &src[index], sizeof(*dst)))
6177 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
6180 struct vm_area_struct **vmas = NULL;
6181 struct page **pages = NULL;
6182 int i, j, got_pages = 0;
6187 if (!nr_args || nr_args > UIO_MAXIOV)
6190 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
6192 if (!ctx->user_bufs)
6195 for (i = 0; i < nr_args; i++) {
6196 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
6197 unsigned long off, start, end, ubuf;
6202 ret = io_copy_iov(ctx, &iov, arg, i);
6207 * Don't impose further limits on the size and buffer
6208 * constraints here, we'll -EINVAL later when IO is
6209 * submitted if they are wrong.
6212 if (!iov.iov_base || !iov.iov_len)
6215 /* arbitrary limit, but we need something */
6216 if (iov.iov_len > SZ_1G)
6219 ubuf = (unsigned long) iov.iov_base;
6220 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
6221 start = ubuf >> PAGE_SHIFT;
6222 nr_pages = end - start;
6224 if (ctx->account_mem) {
6225 ret = io_account_mem(ctx->user, nr_pages);
6231 if (!pages || nr_pages > got_pages) {
6234 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
6236 vmas = kvmalloc_array(nr_pages,
6237 sizeof(struct vm_area_struct *),
6239 if (!pages || !vmas) {
6241 if (ctx->account_mem)
6242 io_unaccount_mem(ctx->user, nr_pages);
6245 got_pages = nr_pages;
6248 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
6252 if (ctx->account_mem)
6253 io_unaccount_mem(ctx->user, nr_pages);
6258 down_read(¤t->mm->mmap_sem);
6259 pret = pin_user_pages(ubuf, nr_pages,
6260 FOLL_WRITE | FOLL_LONGTERM,
6262 if (pret == nr_pages) {
6263 /* don't support file backed memory */
6264 for (j = 0; j < nr_pages; j++) {
6265 struct vm_area_struct *vma = vmas[j];
6268 !is_file_hugepages(vma->vm_file)) {
6274 ret = pret < 0 ? pret : -EFAULT;
6276 up_read(¤t->mm->mmap_sem);
6279 * if we did partial map, or found file backed vmas,
6280 * release any pages we did get
6283 unpin_user_pages(pages, pret);
6284 if (ctx->account_mem)
6285 io_unaccount_mem(ctx->user, nr_pages);
6290 off = ubuf & ~PAGE_MASK;
6292 for (j = 0; j < nr_pages; j++) {
6295 vec_len = min_t(size_t, size, PAGE_SIZE - off);
6296 imu->bvec[j].bv_page = pages[j];
6297 imu->bvec[j].bv_len = vec_len;
6298 imu->bvec[j].bv_offset = off;
6302 /* store original address for later verification */
6304 imu->len = iov.iov_len;
6305 imu->nr_bvecs = nr_pages;
6307 ctx->nr_user_bufs++;
6315 io_sqe_buffer_unregister(ctx);
6319 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
6321 __s32 __user *fds = arg;
6327 if (copy_from_user(&fd, fds, sizeof(*fds)))
6330 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
6331 if (IS_ERR(ctx->cq_ev_fd)) {
6332 int ret = PTR_ERR(ctx->cq_ev_fd);
6333 ctx->cq_ev_fd = NULL;
6340 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
6342 if (ctx->cq_ev_fd) {
6343 eventfd_ctx_put(ctx->cq_ev_fd);
6344 ctx->cq_ev_fd = NULL;
6351 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
6353 io_finish_async(ctx);
6355 mmdrop(ctx->sqo_mm);
6357 io_iopoll_reap_events(ctx);
6358 io_sqe_buffer_unregister(ctx);
6359 io_sqe_files_unregister(ctx);
6360 io_eventfd_unregister(ctx);
6361 idr_destroy(&ctx->personality_idr);
6363 #if defined(CONFIG_UNIX)
6364 if (ctx->ring_sock) {
6365 ctx->ring_sock->file = NULL; /* so that iput() is called */
6366 sock_release(ctx->ring_sock);
6370 io_mem_free(ctx->rings);
6371 io_mem_free(ctx->sq_sqes);
6373 percpu_ref_exit(&ctx->refs);
6374 if (ctx->account_mem)
6375 io_unaccount_mem(ctx->user,
6376 ring_pages(ctx->sq_entries, ctx->cq_entries));
6377 free_uid(ctx->user);
6378 put_cred(ctx->creds);
6379 kfree(ctx->completions);
6380 kfree(ctx->cancel_hash);
6381 kmem_cache_free(req_cachep, ctx->fallback_req);
6385 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
6387 struct io_ring_ctx *ctx = file->private_data;
6390 poll_wait(file, &ctx->cq_wait, wait);
6392 * synchronizes with barrier from wq_has_sleeper call in
6396 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
6397 ctx->rings->sq_ring_entries)
6398 mask |= EPOLLOUT | EPOLLWRNORM;
6399 if (io_cqring_events(ctx, false))
6400 mask |= EPOLLIN | EPOLLRDNORM;
6405 static int io_uring_fasync(int fd, struct file *file, int on)
6407 struct io_ring_ctx *ctx = file->private_data;
6409 return fasync_helper(fd, file, on, &ctx->cq_fasync);
6412 static int io_remove_personalities(int id, void *p, void *data)
6414 struct io_ring_ctx *ctx = data;
6415 const struct cred *cred;
6417 cred = idr_remove(&ctx->personality_idr, id);
6423 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
6425 mutex_lock(&ctx->uring_lock);
6426 percpu_ref_kill(&ctx->refs);
6427 mutex_unlock(&ctx->uring_lock);
6430 * Wait for sq thread to idle, if we have one. It won't spin on new
6431 * work after we've killed the ctx ref above. This is important to do
6432 * before we cancel existing commands, as the thread could otherwise
6433 * be queueing new work post that. If that's work we need to cancel,
6434 * it could cause shutdown to hang.
6436 while (ctx->sqo_thread && !wq_has_sleeper(&ctx->sqo_wait))
6439 io_kill_timeouts(ctx);
6440 io_poll_remove_all(ctx);
6443 io_wq_cancel_all(ctx->io_wq);
6445 io_iopoll_reap_events(ctx);
6446 /* if we failed setting up the ctx, we might not have any rings */
6448 io_cqring_overflow_flush(ctx, true);
6449 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
6450 wait_for_completion(&ctx->completions[0]);
6451 io_ring_ctx_free(ctx);
6454 static int io_uring_release(struct inode *inode, struct file *file)
6456 struct io_ring_ctx *ctx = file->private_data;
6458 file->private_data = NULL;
6459 io_ring_ctx_wait_and_kill(ctx);
6463 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
6464 struct files_struct *files)
6466 struct io_kiocb *req;
6469 while (!list_empty_careful(&ctx->inflight_list)) {
6470 struct io_kiocb *cancel_req = NULL;
6472 spin_lock_irq(&ctx->inflight_lock);
6473 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
6474 if (req->work.files != files)
6476 /* req is being completed, ignore */
6477 if (!refcount_inc_not_zero(&req->refs))
6483 prepare_to_wait(&ctx->inflight_wait, &wait,
6484 TASK_UNINTERRUPTIBLE);
6485 spin_unlock_irq(&ctx->inflight_lock);
6487 /* We need to keep going until we don't find a matching req */
6491 if (cancel_req->flags & REQ_F_OVERFLOW) {
6492 spin_lock_irq(&ctx->completion_lock);
6493 list_del(&cancel_req->list);
6494 cancel_req->flags &= ~REQ_F_OVERFLOW;
6495 if (list_empty(&ctx->cq_overflow_list)) {
6496 clear_bit(0, &ctx->sq_check_overflow);
6497 clear_bit(0, &ctx->cq_check_overflow);
6499 spin_unlock_irq(&ctx->completion_lock);
6501 WRITE_ONCE(ctx->rings->cq_overflow,
6502 atomic_inc_return(&ctx->cached_cq_overflow));
6505 * Put inflight ref and overflow ref. If that's
6506 * all we had, then we're done with this request.
6508 if (refcount_sub_and_test(2, &cancel_req->refs)) {
6509 io_put_req(cancel_req);
6514 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
6515 io_put_req(cancel_req);
6518 finish_wait(&ctx->inflight_wait, &wait);
6521 static int io_uring_flush(struct file *file, void *data)
6523 struct io_ring_ctx *ctx = file->private_data;
6525 io_uring_cancel_files(ctx, data);
6528 * If the task is going away, cancel work it may have pending
6530 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
6531 io_wq_cancel_pid(ctx->io_wq, task_pid_vnr(current));
6536 static void *io_uring_validate_mmap_request(struct file *file,
6537 loff_t pgoff, size_t sz)
6539 struct io_ring_ctx *ctx = file->private_data;
6540 loff_t offset = pgoff << PAGE_SHIFT;
6545 case IORING_OFF_SQ_RING:
6546 case IORING_OFF_CQ_RING:
6549 case IORING_OFF_SQES:
6553 return ERR_PTR(-EINVAL);
6556 page = virt_to_head_page(ptr);
6557 if (sz > page_size(page))
6558 return ERR_PTR(-EINVAL);
6565 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6567 size_t sz = vma->vm_end - vma->vm_start;
6571 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
6573 return PTR_ERR(ptr);
6575 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
6576 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
6579 #else /* !CONFIG_MMU */
6581 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6583 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
6586 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6588 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6591 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6592 unsigned long addr, unsigned long len,
6593 unsigned long pgoff, unsigned long flags)
6597 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6599 return PTR_ERR(ptr);
6601 return (unsigned long) ptr;
6604 #endif /* !CONFIG_MMU */
6606 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6607 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6610 struct io_ring_ctx *ctx;
6615 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
6623 if (f.file->f_op != &io_uring_fops)
6627 ctx = f.file->private_data;
6628 if (!percpu_ref_tryget(&ctx->refs))
6632 * For SQ polling, the thread will do all submissions and completions.
6633 * Just return the requested submit count, and wake the thread if
6637 if (ctx->flags & IORING_SETUP_SQPOLL) {
6638 if (!list_empty_careful(&ctx->cq_overflow_list))
6639 io_cqring_overflow_flush(ctx, false);
6640 if (flags & IORING_ENTER_SQ_WAKEUP)
6641 wake_up(&ctx->sqo_wait);
6642 submitted = to_submit;
6643 } else if (to_submit) {
6644 struct mm_struct *cur_mm;
6646 mutex_lock(&ctx->uring_lock);
6647 /* already have mm, so io_submit_sqes() won't try to grab it */
6648 cur_mm = ctx->sqo_mm;
6649 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6651 mutex_unlock(&ctx->uring_lock);
6653 if (submitted != to_submit)
6656 if (flags & IORING_ENTER_GETEVENTS) {
6657 unsigned nr_events = 0;
6659 min_complete = min(min_complete, ctx->cq_entries);
6661 if (ctx->flags & IORING_SETUP_IOPOLL) {
6662 ret = io_iopoll_check(ctx, &nr_events, min_complete);
6664 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6669 percpu_ref_put(&ctx->refs);
6672 return submitted ? submitted : ret;
6675 #ifdef CONFIG_PROC_FS
6676 static int io_uring_show_cred(int id, void *p, void *data)
6678 const struct cred *cred = p;
6679 struct seq_file *m = data;
6680 struct user_namespace *uns = seq_user_ns(m);
6681 struct group_info *gi;
6686 seq_printf(m, "%5d\n", id);
6687 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
6688 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
6689 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
6690 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
6691 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
6692 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
6693 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
6694 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
6695 seq_puts(m, "\n\tGroups:\t");
6696 gi = cred->group_info;
6697 for (g = 0; g < gi->ngroups; g++) {
6698 seq_put_decimal_ull(m, g ? " " : "",
6699 from_kgid_munged(uns, gi->gid[g]));
6701 seq_puts(m, "\n\tCapEff:\t");
6702 cap = cred->cap_effective;
6703 CAP_FOR_EACH_U32(__capi)
6704 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
6709 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
6713 mutex_lock(&ctx->uring_lock);
6714 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
6715 for (i = 0; i < ctx->nr_user_files; i++) {
6716 struct fixed_file_table *table;
6719 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6720 f = table->files[i & IORING_FILE_TABLE_MASK];
6722 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
6724 seq_printf(m, "%5u: <none>\n", i);
6726 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
6727 for (i = 0; i < ctx->nr_user_bufs; i++) {
6728 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
6730 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
6731 (unsigned int) buf->len);
6733 if (!idr_is_empty(&ctx->personality_idr)) {
6734 seq_printf(m, "Personalities:\n");
6735 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
6737 mutex_unlock(&ctx->uring_lock);
6740 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
6742 struct io_ring_ctx *ctx = f->private_data;
6744 if (percpu_ref_tryget(&ctx->refs)) {
6745 __io_uring_show_fdinfo(ctx, m);
6746 percpu_ref_put(&ctx->refs);
6751 static const struct file_operations io_uring_fops = {
6752 .release = io_uring_release,
6753 .flush = io_uring_flush,
6754 .mmap = io_uring_mmap,
6756 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6757 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6759 .poll = io_uring_poll,
6760 .fasync = io_uring_fasync,
6761 #ifdef CONFIG_PROC_FS
6762 .show_fdinfo = io_uring_show_fdinfo,
6766 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6767 struct io_uring_params *p)
6769 struct io_rings *rings;
6770 size_t size, sq_array_offset;
6772 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6773 if (size == SIZE_MAX)
6776 rings = io_mem_alloc(size);
6781 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6782 rings->sq_ring_mask = p->sq_entries - 1;
6783 rings->cq_ring_mask = p->cq_entries - 1;
6784 rings->sq_ring_entries = p->sq_entries;
6785 rings->cq_ring_entries = p->cq_entries;
6786 ctx->sq_mask = rings->sq_ring_mask;
6787 ctx->cq_mask = rings->cq_ring_mask;
6788 ctx->sq_entries = rings->sq_ring_entries;
6789 ctx->cq_entries = rings->cq_ring_entries;
6791 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
6792 if (size == SIZE_MAX) {
6793 io_mem_free(ctx->rings);
6798 ctx->sq_sqes = io_mem_alloc(size);
6799 if (!ctx->sq_sqes) {
6800 io_mem_free(ctx->rings);
6809 * Allocate an anonymous fd, this is what constitutes the application
6810 * visible backing of an io_uring instance. The application mmaps this
6811 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6812 * we have to tie this fd to a socket for file garbage collection purposes.
6814 static int io_uring_get_fd(struct io_ring_ctx *ctx)
6819 #if defined(CONFIG_UNIX)
6820 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6826 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6830 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6831 O_RDWR | O_CLOEXEC);
6834 ret = PTR_ERR(file);
6838 #if defined(CONFIG_UNIX)
6839 ctx->ring_sock->file = file;
6841 fd_install(ret, file);
6844 #if defined(CONFIG_UNIX)
6845 sock_release(ctx->ring_sock);
6846 ctx->ring_sock = NULL;
6851 static int io_uring_create(unsigned entries, struct io_uring_params *p)
6853 struct user_struct *user = NULL;
6854 struct io_ring_ctx *ctx;
6860 if (entries > IORING_MAX_ENTRIES) {
6861 if (!(p->flags & IORING_SETUP_CLAMP))
6863 entries = IORING_MAX_ENTRIES;
6867 * Use twice as many entries for the CQ ring. It's possible for the
6868 * application to drive a higher depth than the size of the SQ ring,
6869 * since the sqes are only used at submission time. This allows for
6870 * some flexibility in overcommitting a bit. If the application has
6871 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6872 * of CQ ring entries manually.
6874 p->sq_entries = roundup_pow_of_two(entries);
6875 if (p->flags & IORING_SETUP_CQSIZE) {
6877 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6878 * to a power-of-two, if it isn't already. We do NOT impose
6879 * any cq vs sq ring sizing.
6881 if (p->cq_entries < p->sq_entries)
6883 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
6884 if (!(p->flags & IORING_SETUP_CLAMP))
6886 p->cq_entries = IORING_MAX_CQ_ENTRIES;
6888 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6890 p->cq_entries = 2 * p->sq_entries;
6893 user = get_uid(current_user());
6894 account_mem = !capable(CAP_IPC_LOCK);
6897 ret = io_account_mem(user,
6898 ring_pages(p->sq_entries, p->cq_entries));
6905 ctx = io_ring_ctx_alloc(p);
6908 io_unaccount_mem(user, ring_pages(p->sq_entries,
6913 ctx->compat = in_compat_syscall();
6914 ctx->account_mem = account_mem;
6916 ctx->creds = get_current_cred();
6918 ret = io_allocate_scq_urings(ctx, p);
6922 ret = io_sq_offload_start(ctx, p);
6926 memset(&p->sq_off, 0, sizeof(p->sq_off));
6927 p->sq_off.head = offsetof(struct io_rings, sq.head);
6928 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6929 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6930 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6931 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6932 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6933 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
6935 memset(&p->cq_off, 0, sizeof(p->cq_off));
6936 p->cq_off.head = offsetof(struct io_rings, cq.head);
6937 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6938 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6939 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6940 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6941 p->cq_off.cqes = offsetof(struct io_rings, cqes);
6944 * Install ring fd as the very last thing, so we don't risk someone
6945 * having closed it before we finish setup
6947 ret = io_uring_get_fd(ctx);
6951 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
6952 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
6953 IORING_FEAT_CUR_PERSONALITY;
6954 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
6957 io_ring_ctx_wait_and_kill(ctx);
6962 * Sets up an aio uring context, and returns the fd. Applications asks for a
6963 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6964 * params structure passed in.
6966 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6968 struct io_uring_params p;
6972 if (copy_from_user(&p, params, sizeof(p)))
6974 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6979 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
6980 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
6981 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ))
6984 ret = io_uring_create(entries, &p);
6988 if (copy_to_user(params, &p, sizeof(p)))
6994 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6995 struct io_uring_params __user *, params)
6997 return io_uring_setup(entries, params);
7000 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
7002 struct io_uring_probe *p;
7006 size = struct_size(p, ops, nr_args);
7007 if (size == SIZE_MAX)
7009 p = kzalloc(size, GFP_KERNEL);
7014 if (copy_from_user(p, arg, size))
7017 if (memchr_inv(p, 0, size))
7020 p->last_op = IORING_OP_LAST - 1;
7021 if (nr_args > IORING_OP_LAST)
7022 nr_args = IORING_OP_LAST;
7024 for (i = 0; i < nr_args; i++) {
7026 if (!io_op_defs[i].not_supported)
7027 p->ops[i].flags = IO_URING_OP_SUPPORTED;
7032 if (copy_to_user(arg, p, size))
7039 static int io_register_personality(struct io_ring_ctx *ctx)
7041 const struct cred *creds = get_current_cred();
7044 id = idr_alloc_cyclic(&ctx->personality_idr, (void *) creds, 1,
7045 USHRT_MAX, GFP_KERNEL);
7051 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
7053 const struct cred *old_creds;
7055 old_creds = idr_remove(&ctx->personality_idr, id);
7057 put_cred(old_creds);
7064 static bool io_register_op_must_quiesce(int op)
7067 case IORING_UNREGISTER_FILES:
7068 case IORING_REGISTER_FILES_UPDATE:
7069 case IORING_REGISTER_PROBE:
7070 case IORING_REGISTER_PERSONALITY:
7071 case IORING_UNREGISTER_PERSONALITY:
7078 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
7079 void __user *arg, unsigned nr_args)
7080 __releases(ctx->uring_lock)
7081 __acquires(ctx->uring_lock)
7086 * We're inside the ring mutex, if the ref is already dying, then
7087 * someone else killed the ctx or is already going through
7088 * io_uring_register().
7090 if (percpu_ref_is_dying(&ctx->refs))
7093 if (io_register_op_must_quiesce(opcode)) {
7094 percpu_ref_kill(&ctx->refs);
7097 * Drop uring mutex before waiting for references to exit. If
7098 * another thread is currently inside io_uring_enter() it might
7099 * need to grab the uring_lock to make progress. If we hold it
7100 * here across the drain wait, then we can deadlock. It's safe
7101 * to drop the mutex here, since no new references will come in
7102 * after we've killed the percpu ref.
7104 mutex_unlock(&ctx->uring_lock);
7105 ret = wait_for_completion_interruptible(&ctx->completions[0]);
7106 mutex_lock(&ctx->uring_lock);
7108 percpu_ref_resurrect(&ctx->refs);
7115 case IORING_REGISTER_BUFFERS:
7116 ret = io_sqe_buffer_register(ctx, arg, nr_args);
7118 case IORING_UNREGISTER_BUFFERS:
7122 ret = io_sqe_buffer_unregister(ctx);
7124 case IORING_REGISTER_FILES:
7125 ret = io_sqe_files_register(ctx, arg, nr_args);
7127 case IORING_UNREGISTER_FILES:
7131 ret = io_sqe_files_unregister(ctx);
7133 case IORING_REGISTER_FILES_UPDATE:
7134 ret = io_sqe_files_update(ctx, arg, nr_args);
7136 case IORING_REGISTER_EVENTFD:
7137 case IORING_REGISTER_EVENTFD_ASYNC:
7141 ret = io_eventfd_register(ctx, arg);
7144 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
7145 ctx->eventfd_async = 1;
7147 ctx->eventfd_async = 0;
7149 case IORING_UNREGISTER_EVENTFD:
7153 ret = io_eventfd_unregister(ctx);
7155 case IORING_REGISTER_PROBE:
7157 if (!arg || nr_args > 256)
7159 ret = io_probe(ctx, arg, nr_args);
7161 case IORING_REGISTER_PERSONALITY:
7165 ret = io_register_personality(ctx);
7167 case IORING_UNREGISTER_PERSONALITY:
7171 ret = io_unregister_personality(ctx, nr_args);
7178 if (io_register_op_must_quiesce(opcode)) {
7179 /* bring the ctx back to life */
7180 percpu_ref_reinit(&ctx->refs);
7182 reinit_completion(&ctx->completions[0]);
7187 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
7188 void __user *, arg, unsigned int, nr_args)
7190 struct io_ring_ctx *ctx;
7199 if (f.file->f_op != &io_uring_fops)
7202 ctx = f.file->private_data;
7204 mutex_lock(&ctx->uring_lock);
7205 ret = __io_uring_register(ctx, opcode, arg, nr_args);
7206 mutex_unlock(&ctx->uring_lock);
7207 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
7208 ctx->cq_ev_fd != NULL, ret);
7214 static int __init io_uring_init(void)
7216 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
7217 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
7218 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
7221 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
7222 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
7223 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
7224 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
7225 BUILD_BUG_SQE_ELEM(1, __u8, flags);
7226 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
7227 BUILD_BUG_SQE_ELEM(4, __s32, fd);
7228 BUILD_BUG_SQE_ELEM(8, __u64, off);
7229 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
7230 BUILD_BUG_SQE_ELEM(16, __u64, addr);
7231 BUILD_BUG_SQE_ELEM(24, __u32, len);
7232 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
7233 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
7234 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
7235 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
7236 BUILD_BUG_SQE_ELEM(28, __u16, poll_events);
7237 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
7238 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
7239 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
7240 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
7241 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
7242 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
7243 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
7244 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
7245 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
7246 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
7247 BUILD_BUG_SQE_ELEM(42, __u16, personality);
7249 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
7250 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
7253 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob