1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
79 #include <linux/splice.h>
80 #include <linux/task_work.h>
81 #include <linux/pagemap.h>
82 #include <linux/io_uring.h>
83 #include <linux/blk-cgroup.h>
84 #include <linux/audit.h>
86 #define CREATE_TRACE_POINTS
87 #include <trace/events/io_uring.h>
89 #include <uapi/linux/io_uring.h>
94 #define IORING_MAX_ENTRIES 32768
95 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
98 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
100 #define IORING_FILE_TABLE_SHIFT 9
101 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
102 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
103 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
104 #define IORING_MAX_RESTRICTIONS (IORING_RESTRICTION_LAST + \
105 IORING_REGISTER_LAST + IORING_OP_LAST)
108 u32 head ____cacheline_aligned_in_smp;
109 u32 tail ____cacheline_aligned_in_smp;
113 * This data is shared with the application through the mmap at offsets
114 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
116 * The offsets to the member fields are published through struct
117 * io_sqring_offsets when calling io_uring_setup.
121 * Head and tail offsets into the ring; the offsets need to be
122 * masked to get valid indices.
124 * The kernel controls head of the sq ring and the tail of the cq ring,
125 * and the application controls tail of the sq ring and the head of the
128 struct io_uring sq, cq;
130 * Bitmasks to apply to head and tail offsets (constant, equals
133 u32 sq_ring_mask, cq_ring_mask;
134 /* Ring sizes (constant, power of 2) */
135 u32 sq_ring_entries, cq_ring_entries;
137 * Number of invalid entries dropped by the kernel due to
138 * invalid index stored in array
140 * Written by the kernel, shouldn't be modified by the
141 * application (i.e. get number of "new events" by comparing to
144 * After a new SQ head value was read by the application this
145 * counter includes all submissions that were dropped reaching
146 * the new SQ head (and possibly more).
152 * Written by the kernel, shouldn't be modified by the
155 * The application needs a full memory barrier before checking
156 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
162 * Written by the application, shouldn't be modified by the
167 * Number of completion events lost because the queue was full;
168 * this should be avoided by the application by making sure
169 * there are not more requests pending than there is space in
170 * the completion queue.
172 * Written by the kernel, shouldn't be modified by the
173 * application (i.e. get number of "new events" by comparing to
176 * As completion events come in out of order this counter is not
177 * ordered with any other data.
181 * Ring buffer of completion events.
183 * The kernel writes completion events fresh every time they are
184 * produced, so the application is allowed to modify pending
187 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
190 struct io_mapped_ubuf {
193 struct bio_vec *bvec;
194 unsigned int nr_bvecs;
195 unsigned long acct_pages;
198 struct fixed_file_table {
202 struct fixed_file_ref_node {
203 struct percpu_ref refs;
204 struct list_head node;
205 struct list_head file_list;
206 struct fixed_file_data *file_data;
207 struct llist_node llist;
210 struct fixed_file_data {
211 struct fixed_file_table *table;
212 struct io_ring_ctx *ctx;
214 struct fixed_file_ref_node *node;
215 struct percpu_ref refs;
216 struct completion done;
217 struct list_head ref_list;
222 struct list_head list;
228 struct io_restriction {
229 DECLARE_BITMAP(register_op, IORING_REGISTER_LAST);
230 DECLARE_BITMAP(sqe_op, IORING_OP_LAST);
231 u8 sqe_flags_allowed;
232 u8 sqe_flags_required;
240 /* ctx's that are using this sqd */
241 struct list_head ctx_list;
242 struct list_head ctx_new_list;
243 struct mutex ctx_lock;
245 struct task_struct *thread;
246 struct wait_queue_head wait;
251 struct percpu_ref refs;
252 } ____cacheline_aligned_in_smp;
256 unsigned int compat: 1;
257 unsigned int limit_mem: 1;
258 unsigned int cq_overflow_flushed: 1;
259 unsigned int drain_next: 1;
260 unsigned int eventfd_async: 1;
261 unsigned int restricted: 1;
264 * Ring buffer of indices into array of io_uring_sqe, which is
265 * mmapped by the application using the IORING_OFF_SQES offset.
267 * This indirection could e.g. be used to assign fixed
268 * io_uring_sqe entries to operations and only submit them to
269 * the queue when needed.
271 * The kernel modifies neither the indices array nor the entries
275 unsigned cached_sq_head;
278 unsigned sq_thread_idle;
279 unsigned cached_sq_dropped;
280 unsigned cached_cq_overflow;
281 unsigned long sq_check_overflow;
283 struct list_head defer_list;
284 struct list_head timeout_list;
285 struct list_head cq_overflow_list;
287 wait_queue_head_t inflight_wait;
288 struct io_uring_sqe *sq_sqes;
289 } ____cacheline_aligned_in_smp;
291 struct io_rings *rings;
297 * For SQPOLL usage - we hold a reference to the parent task, so we
298 * have access to the ->files
300 struct task_struct *sqo_task;
302 /* Only used for accounting purposes */
303 struct mm_struct *mm_account;
305 #ifdef CONFIG_BLK_CGROUP
306 struct cgroup_subsys_state *sqo_blkcg_css;
309 struct io_sq_data *sq_data; /* if using sq thread polling */
311 struct wait_queue_head sqo_sq_wait;
312 struct wait_queue_entry sqo_wait_entry;
313 struct list_head sqd_list;
316 * If used, fixed file set. Writers must ensure that ->refs is dead,
317 * readers must ensure that ->refs is alive as long as the file* is
318 * used. Only updated through io_uring_register(2).
320 struct fixed_file_data *file_data;
321 unsigned nr_user_files;
323 /* if used, fixed mapped user buffers */
324 unsigned nr_user_bufs;
325 struct io_mapped_ubuf *user_bufs;
327 struct user_struct *user;
329 const struct cred *creds;
333 unsigned int sessionid;
336 struct completion ref_comp;
337 struct completion sq_thread_comp;
339 /* if all else fails... */
340 struct io_kiocb *fallback_req;
342 #if defined(CONFIG_UNIX)
343 struct socket *ring_sock;
346 struct idr io_buffer_idr;
348 struct idr personality_idr;
351 unsigned cached_cq_tail;
354 atomic_t cq_timeouts;
355 unsigned long cq_check_overflow;
356 struct wait_queue_head cq_wait;
357 struct fasync_struct *cq_fasync;
358 struct eventfd_ctx *cq_ev_fd;
359 } ____cacheline_aligned_in_smp;
362 struct mutex uring_lock;
363 wait_queue_head_t wait;
364 } ____cacheline_aligned_in_smp;
367 spinlock_t completion_lock;
370 * ->iopoll_list is protected by the ctx->uring_lock for
371 * io_uring instances that don't use IORING_SETUP_SQPOLL.
372 * For SQPOLL, only the single threaded io_sq_thread() will
373 * manipulate the list, hence no extra locking is needed there.
375 struct list_head iopoll_list;
376 struct hlist_head *cancel_hash;
377 unsigned cancel_hash_bits;
378 bool poll_multi_file;
380 spinlock_t inflight_lock;
381 struct list_head inflight_list;
382 } ____cacheline_aligned_in_smp;
384 struct delayed_work file_put_work;
385 struct llist_head file_put_llist;
387 struct work_struct exit_work;
388 struct io_restriction restrictions;
392 * First field must be the file pointer in all the
393 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
395 struct io_poll_iocb {
398 struct wait_queue_head *head;
404 struct wait_queue_entry wait;
409 struct file *put_file;
413 struct io_timeout_data {
414 struct io_kiocb *req;
415 struct hrtimer timer;
416 struct timespec64 ts;
417 enum hrtimer_mode mode;
422 struct sockaddr __user *addr;
423 int __user *addr_len;
425 unsigned long nofile;
445 struct list_head list;
448 struct io_timeout_rem {
454 /* NOTE: kiocb has the file as the first member, so don't do it here */
462 struct sockaddr __user *addr;
469 struct user_msghdr __user *umsg;
475 struct io_buffer *kbuf;
481 struct filename *filename;
483 unsigned long nofile;
486 struct io_files_update {
512 struct epoll_event event;
516 struct file *file_out;
517 struct file *file_in;
524 struct io_provide_buf {
538 const char __user *filename;
539 struct statx __user *buffer;
542 struct io_completion {
544 struct list_head list;
548 struct io_async_connect {
549 struct sockaddr_storage address;
552 struct io_async_msghdr {
553 struct iovec fast_iov[UIO_FASTIOV];
555 struct sockaddr __user *uaddr;
557 struct sockaddr_storage addr;
561 struct iovec fast_iov[UIO_FASTIOV];
562 const struct iovec *free_iovec;
563 struct iov_iter iter;
565 struct wait_page_queue wpq;
569 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
570 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
571 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
572 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
573 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
574 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
581 REQ_F_LINK_TIMEOUT_BIT,
583 REQ_F_NEED_CLEANUP_BIT,
585 REQ_F_BUFFER_SELECTED_BIT,
586 REQ_F_NO_FILE_TABLE_BIT,
587 REQ_F_WORK_INITIALIZED_BIT,
588 REQ_F_LTIMEOUT_ACTIVE_BIT,
590 /* not a real bit, just to check we're not overflowing the space */
596 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
597 /* drain existing IO first */
598 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
600 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
601 /* doesn't sever on completion < 0 */
602 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
604 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
605 /* IOSQE_BUFFER_SELECT */
606 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
609 REQ_F_LINK_HEAD = BIT(REQ_F_LINK_HEAD_BIT),
610 /* fail rest of links */
611 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
612 /* on inflight list */
613 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
614 /* read/write uses file position */
615 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
616 /* must not punt to workers */
617 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
618 /* has or had linked timeout */
619 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
621 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
623 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
624 /* already went through poll handler */
625 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
626 /* buffer already selected */
627 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
628 /* doesn't need file table for this request */
629 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
630 /* io_wq_work is initialized */
631 REQ_F_WORK_INITIALIZED = BIT(REQ_F_WORK_INITIALIZED_BIT),
632 /* linked timeout is active, i.e. prepared by link's head */
633 REQ_F_LTIMEOUT_ACTIVE = BIT(REQ_F_LTIMEOUT_ACTIVE_BIT),
637 struct io_poll_iocb poll;
638 struct io_poll_iocb *double_poll;
642 * NOTE! Each of the iocb union members has the file pointer
643 * as the first entry in their struct definition. So you can
644 * access the file pointer through any of the sub-structs,
645 * or directly as just 'ki_filp' in this struct.
651 struct io_poll_iocb poll;
652 struct io_accept accept;
654 struct io_cancel cancel;
655 struct io_timeout timeout;
656 struct io_timeout_rem timeout_rem;
657 struct io_connect connect;
658 struct io_sr_msg sr_msg;
660 struct io_close close;
661 struct io_files_update files_update;
662 struct io_fadvise fadvise;
663 struct io_madvise madvise;
664 struct io_epoll epoll;
665 struct io_splice splice;
666 struct io_provide_buf pbuf;
667 struct io_statx statx;
668 /* use only after cleaning per-op data, see io_clean_op() */
669 struct io_completion compl;
672 /* opcode allocated if it needs to store data for async defer */
675 /* polled IO has completed */
681 struct io_ring_ctx *ctx;
684 struct task_struct *task;
687 struct list_head link_list;
690 * 1. used with ctx->iopoll_list with reads/writes
691 * 2. to track reqs with ->files (see io_op_def::file_table)
693 struct list_head inflight_entry;
695 struct percpu_ref *fixed_file_refs;
696 struct callback_head task_work;
697 /* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */
698 struct hlist_node hash_node;
699 struct async_poll *apoll;
700 struct io_wq_work work;
703 struct io_defer_entry {
704 struct list_head list;
705 struct io_kiocb *req;
709 #define IO_IOPOLL_BATCH 8
711 struct io_comp_state {
713 struct list_head list;
714 struct io_ring_ctx *ctx;
717 struct io_submit_state {
718 struct blk_plug plug;
721 * io_kiocb alloc cache
723 void *reqs[IO_IOPOLL_BATCH];
724 unsigned int free_reqs;
727 * Batch completion logic
729 struct io_comp_state comp;
732 * File reference cache
736 unsigned int has_refs;
737 unsigned int ios_left;
741 /* needs req->file assigned */
742 unsigned needs_file : 1;
743 /* don't fail if file grab fails */
744 unsigned needs_file_no_error : 1;
745 /* hash wq insertion if file is a regular file */
746 unsigned hash_reg_file : 1;
747 /* unbound wq insertion if file is a non-regular file */
748 unsigned unbound_nonreg_file : 1;
749 /* opcode is not supported by this kernel */
750 unsigned not_supported : 1;
751 /* set if opcode supports polled "wait" */
753 unsigned pollout : 1;
754 /* op supports buffer selection */
755 unsigned buffer_select : 1;
756 /* must always have async data allocated */
757 unsigned needs_async_data : 1;
758 /* size of async data needed, if any */
759 unsigned short async_size;
763 static const struct io_op_def io_op_defs[] = {
764 [IORING_OP_NOP] = {},
765 [IORING_OP_READV] = {
767 .unbound_nonreg_file = 1,
770 .needs_async_data = 1,
771 .async_size = sizeof(struct io_async_rw),
772 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
774 [IORING_OP_WRITEV] = {
777 .unbound_nonreg_file = 1,
779 .needs_async_data = 1,
780 .async_size = sizeof(struct io_async_rw),
781 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
784 [IORING_OP_FSYNC] = {
786 .work_flags = IO_WQ_WORK_BLKCG,
788 [IORING_OP_READ_FIXED] = {
790 .unbound_nonreg_file = 1,
792 .async_size = sizeof(struct io_async_rw),
793 .work_flags = IO_WQ_WORK_BLKCG | IO_WQ_WORK_MM,
795 [IORING_OP_WRITE_FIXED] = {
798 .unbound_nonreg_file = 1,
800 .async_size = sizeof(struct io_async_rw),
801 .work_flags = IO_WQ_WORK_BLKCG | IO_WQ_WORK_FSIZE |
804 [IORING_OP_POLL_ADD] = {
806 .unbound_nonreg_file = 1,
808 [IORING_OP_POLL_REMOVE] = {},
809 [IORING_OP_SYNC_FILE_RANGE] = {
811 .work_flags = IO_WQ_WORK_BLKCG,
813 [IORING_OP_SENDMSG] = {
815 .unbound_nonreg_file = 1,
817 .needs_async_data = 1,
818 .async_size = sizeof(struct io_async_msghdr),
819 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
822 [IORING_OP_RECVMSG] = {
824 .unbound_nonreg_file = 1,
827 .needs_async_data = 1,
828 .async_size = sizeof(struct io_async_msghdr),
829 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
832 [IORING_OP_TIMEOUT] = {
833 .needs_async_data = 1,
834 .async_size = sizeof(struct io_timeout_data),
835 .work_flags = IO_WQ_WORK_MM,
837 [IORING_OP_TIMEOUT_REMOVE] = {},
838 [IORING_OP_ACCEPT] = {
840 .unbound_nonreg_file = 1,
842 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_FILES,
844 [IORING_OP_ASYNC_CANCEL] = {},
845 [IORING_OP_LINK_TIMEOUT] = {
846 .needs_async_data = 1,
847 .async_size = sizeof(struct io_timeout_data),
848 .work_flags = IO_WQ_WORK_MM,
850 [IORING_OP_CONNECT] = {
852 .unbound_nonreg_file = 1,
854 .needs_async_data = 1,
855 .async_size = sizeof(struct io_async_connect),
856 .work_flags = IO_WQ_WORK_MM,
858 [IORING_OP_FALLOCATE] = {
860 .work_flags = IO_WQ_WORK_BLKCG | IO_WQ_WORK_FSIZE,
862 [IORING_OP_OPENAT] = {
863 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_BLKCG |
866 [IORING_OP_CLOSE] = {
868 .needs_file_no_error = 1,
869 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_BLKCG,
871 [IORING_OP_FILES_UPDATE] = {
872 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_MM,
874 [IORING_OP_STATX] = {
875 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_MM |
876 IO_WQ_WORK_FS | IO_WQ_WORK_BLKCG,
880 .unbound_nonreg_file = 1,
883 .async_size = sizeof(struct io_async_rw),
884 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
886 [IORING_OP_WRITE] = {
888 .unbound_nonreg_file = 1,
890 .async_size = sizeof(struct io_async_rw),
891 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG |
894 [IORING_OP_FADVISE] = {
896 .work_flags = IO_WQ_WORK_BLKCG,
898 [IORING_OP_MADVISE] = {
899 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
903 .unbound_nonreg_file = 1,
905 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
909 .unbound_nonreg_file = 1,
912 .work_flags = IO_WQ_WORK_MM | IO_WQ_WORK_BLKCG,
914 [IORING_OP_OPENAT2] = {
915 .work_flags = IO_WQ_WORK_FILES | IO_WQ_WORK_FS |
918 [IORING_OP_EPOLL_CTL] = {
919 .unbound_nonreg_file = 1,
920 .work_flags = IO_WQ_WORK_FILES,
922 [IORING_OP_SPLICE] = {
925 .unbound_nonreg_file = 1,
926 .work_flags = IO_WQ_WORK_BLKCG,
928 [IORING_OP_PROVIDE_BUFFERS] = {},
929 [IORING_OP_REMOVE_BUFFERS] = {},
933 .unbound_nonreg_file = 1,
937 enum io_mem_account {
942 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
943 struct io_comp_state *cs);
944 static void io_cqring_fill_event(struct io_kiocb *req, long res);
945 static void io_put_req(struct io_kiocb *req);
946 static void io_put_req_deferred(struct io_kiocb *req, int nr);
947 static void io_double_put_req(struct io_kiocb *req);
948 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
949 static void __io_queue_linked_timeout(struct io_kiocb *req);
950 static void io_queue_linked_timeout(struct io_kiocb *req);
951 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
952 struct io_uring_files_update *ip,
954 static void __io_clean_op(struct io_kiocb *req);
955 static struct file *io_file_get(struct io_submit_state *state,
956 struct io_kiocb *req, int fd, bool fixed);
957 static void __io_queue_sqe(struct io_kiocb *req, struct io_comp_state *cs);
958 static void io_file_put_work(struct work_struct *work);
960 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
961 struct iovec **iovec, struct iov_iter *iter,
963 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
964 const struct iovec *fast_iov,
965 struct iov_iter *iter, bool force);
967 static struct kmem_cache *req_cachep;
969 static const struct file_operations io_uring_fops;
971 struct sock *io_uring_get_socket(struct file *file)
973 #if defined(CONFIG_UNIX)
974 if (file->f_op == &io_uring_fops) {
975 struct io_ring_ctx *ctx = file->private_data;
977 return ctx->ring_sock->sk;
982 EXPORT_SYMBOL(io_uring_get_socket);
984 static inline void io_clean_op(struct io_kiocb *req)
986 if (req->flags & (REQ_F_NEED_CLEANUP | REQ_F_BUFFER_SELECTED |
991 static void io_sq_thread_drop_mm(void)
993 struct mm_struct *mm = current->mm;
996 kthread_unuse_mm(mm);
1002 static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
1004 struct mm_struct *mm;
1009 /* Should never happen */
1010 if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL)))
1013 task_lock(ctx->sqo_task);
1014 mm = ctx->sqo_task->mm;
1015 if (unlikely(!mm || !mmget_not_zero(mm)))
1017 task_unlock(ctx->sqo_task);
1027 static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
1028 struct io_kiocb *req)
1030 if (!(io_op_defs[req->opcode].work_flags & IO_WQ_WORK_MM))
1032 return __io_sq_thread_acquire_mm(ctx);
1035 static void io_sq_thread_associate_blkcg(struct io_ring_ctx *ctx,
1036 struct cgroup_subsys_state **cur_css)
1039 #ifdef CONFIG_BLK_CGROUP
1040 /* puts the old one when swapping */
1041 if (*cur_css != ctx->sqo_blkcg_css) {
1042 kthread_associate_blkcg(ctx->sqo_blkcg_css);
1043 *cur_css = ctx->sqo_blkcg_css;
1048 static void io_sq_thread_unassociate_blkcg(void)
1050 #ifdef CONFIG_BLK_CGROUP
1051 kthread_associate_blkcg(NULL);
1055 static inline void req_set_fail_links(struct io_kiocb *req)
1057 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1058 req->flags |= REQ_F_FAIL_LINK;
1062 * None of these are dereferenced, they are simply used to check if any of
1063 * them have changed. If we're under current and check they are still the
1064 * same, we're fine to grab references to them for actual out-of-line use.
1066 static void io_init_identity(struct io_identity *id)
1068 id->files = current->files;
1069 id->mm = current->mm;
1070 #ifdef CONFIG_BLK_CGROUP
1072 id->blkcg_css = blkcg_css();
1075 id->creds = current_cred();
1076 id->nsproxy = current->nsproxy;
1077 id->fs = current->fs;
1078 id->fsize = rlimit(RLIMIT_FSIZE);
1080 id->loginuid = current->loginuid;
1081 id->sessionid = current->sessionid;
1083 refcount_set(&id->count, 1);
1086 static inline void __io_req_init_async(struct io_kiocb *req)
1088 memset(&req->work, 0, sizeof(req->work));
1089 req->flags |= REQ_F_WORK_INITIALIZED;
1093 * Note: must call io_req_init_async() for the first time you
1094 * touch any members of io_wq_work.
1096 static inline void io_req_init_async(struct io_kiocb *req)
1098 struct io_uring_task *tctx = current->io_uring;
1100 if (req->flags & REQ_F_WORK_INITIALIZED)
1103 __io_req_init_async(req);
1105 /* Grab a ref if this isn't our static identity */
1106 req->work.identity = tctx->identity;
1107 if (tctx->identity != &tctx->__identity)
1108 refcount_inc(&req->work.identity->count);
1111 static inline bool io_async_submit(struct io_ring_ctx *ctx)
1113 return ctx->flags & IORING_SETUP_SQPOLL;
1116 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
1118 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1120 complete(&ctx->ref_comp);
1123 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1125 return !req->timeout.off;
1128 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1130 struct io_ring_ctx *ctx;
1133 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1137 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
1138 if (!ctx->fallback_req)
1142 * Use 5 bits less than the max cq entries, that should give us around
1143 * 32 entries per hash list if totally full and uniformly spread.
1145 hash_bits = ilog2(p->cq_entries);
1149 ctx->cancel_hash_bits = hash_bits;
1150 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1152 if (!ctx->cancel_hash)
1154 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1156 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1157 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
1160 ctx->flags = p->flags;
1161 init_waitqueue_head(&ctx->sqo_sq_wait);
1162 INIT_LIST_HEAD(&ctx->sqd_list);
1163 init_waitqueue_head(&ctx->cq_wait);
1164 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1165 init_completion(&ctx->ref_comp);
1166 init_completion(&ctx->sq_thread_comp);
1167 idr_init(&ctx->io_buffer_idr);
1168 idr_init(&ctx->personality_idr);
1169 mutex_init(&ctx->uring_lock);
1170 init_waitqueue_head(&ctx->wait);
1171 spin_lock_init(&ctx->completion_lock);
1172 INIT_LIST_HEAD(&ctx->iopoll_list);
1173 INIT_LIST_HEAD(&ctx->defer_list);
1174 INIT_LIST_HEAD(&ctx->timeout_list);
1175 init_waitqueue_head(&ctx->inflight_wait);
1176 spin_lock_init(&ctx->inflight_lock);
1177 INIT_LIST_HEAD(&ctx->inflight_list);
1178 INIT_DELAYED_WORK(&ctx->file_put_work, io_file_put_work);
1179 init_llist_head(&ctx->file_put_llist);
1182 if (ctx->fallback_req)
1183 kmem_cache_free(req_cachep, ctx->fallback_req);
1184 kfree(ctx->cancel_hash);
1189 static bool req_need_defer(struct io_kiocb *req, u32 seq)
1191 if (unlikely(req->flags & REQ_F_IO_DRAIN)) {
1192 struct io_ring_ctx *ctx = req->ctx;
1194 return seq != ctx->cached_cq_tail
1195 + READ_ONCE(ctx->cached_cq_overflow);
1201 static void __io_commit_cqring(struct io_ring_ctx *ctx)
1203 struct io_rings *rings = ctx->rings;
1205 /* order cqe stores with ring update */
1206 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
1208 if (wq_has_sleeper(&ctx->cq_wait)) {
1209 wake_up_interruptible(&ctx->cq_wait);
1210 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1214 static void io_put_identity(struct io_uring_task *tctx, struct io_kiocb *req)
1216 if (req->work.identity == &tctx->__identity)
1218 if (refcount_dec_and_test(&req->work.identity->count))
1219 kfree(req->work.identity);
1222 static void io_req_clean_work(struct io_kiocb *req)
1224 if (!(req->flags & REQ_F_WORK_INITIALIZED))
1227 req->flags &= ~REQ_F_WORK_INITIALIZED;
1229 if (req->work.flags & IO_WQ_WORK_MM) {
1230 mmdrop(req->work.identity->mm);
1231 req->work.flags &= ~IO_WQ_WORK_MM;
1233 #ifdef CONFIG_BLK_CGROUP
1234 if (req->work.flags & IO_WQ_WORK_BLKCG) {
1235 css_put(req->work.identity->blkcg_css);
1236 req->work.flags &= ~IO_WQ_WORK_BLKCG;
1239 if (req->work.flags & IO_WQ_WORK_CREDS) {
1240 put_cred(req->work.identity->creds);
1241 req->work.flags &= ~IO_WQ_WORK_CREDS;
1243 if (req->work.flags & IO_WQ_WORK_FS) {
1244 struct fs_struct *fs = req->work.identity->fs;
1246 spin_lock(&req->work.identity->fs->lock);
1249 spin_unlock(&req->work.identity->fs->lock);
1252 req->work.flags &= ~IO_WQ_WORK_FS;
1255 io_put_identity(req->task->io_uring, req);
1259 * Create a private copy of io_identity, since some fields don't match
1260 * the current context.
1262 static bool io_identity_cow(struct io_kiocb *req)
1264 struct io_uring_task *tctx = current->io_uring;
1265 const struct cred *creds = NULL;
1266 struct io_identity *id;
1268 if (req->work.flags & IO_WQ_WORK_CREDS)
1269 creds = req->work.identity->creds;
1271 id = kmemdup(req->work.identity, sizeof(*id), GFP_KERNEL);
1272 if (unlikely(!id)) {
1273 req->work.flags |= IO_WQ_WORK_CANCEL;
1278 * We can safely just re-init the creds we copied Either the field
1279 * matches the current one, or we haven't grabbed it yet. The only
1280 * exception is ->creds, through registered personalities, so handle
1281 * that one separately.
1283 io_init_identity(id);
1285 req->work.identity->creds = creds;
1287 /* add one for this request */
1288 refcount_inc(&id->count);
1290 /* drop old identity, assign new one. one ref for req, one for tctx */
1291 if (req->work.identity != tctx->identity &&
1292 refcount_sub_and_test(2, &req->work.identity->count))
1293 kfree(req->work.identity);
1295 req->work.identity = id;
1296 tctx->identity = id;
1300 static bool io_grab_identity(struct io_kiocb *req)
1302 const struct io_op_def *def = &io_op_defs[req->opcode];
1303 struct io_identity *id = req->work.identity;
1304 struct io_ring_ctx *ctx = req->ctx;
1306 if (def->work_flags & IO_WQ_WORK_FSIZE) {
1307 if (id->fsize != rlimit(RLIMIT_FSIZE))
1309 req->work.flags |= IO_WQ_WORK_FSIZE;
1312 if (!(req->work.flags & IO_WQ_WORK_FILES) &&
1313 (def->work_flags & IO_WQ_WORK_FILES) &&
1314 !(req->flags & REQ_F_NO_FILE_TABLE)) {
1315 if (id->files != current->files ||
1316 id->nsproxy != current->nsproxy)
1318 atomic_inc(&id->files->count);
1319 get_nsproxy(id->nsproxy);
1320 req->flags |= REQ_F_INFLIGHT;
1322 spin_lock_irq(&ctx->inflight_lock);
1323 list_add(&req->inflight_entry, &ctx->inflight_list);
1324 spin_unlock_irq(&ctx->inflight_lock);
1325 req->work.flags |= IO_WQ_WORK_FILES;
1327 #ifdef CONFIG_BLK_CGROUP
1328 if (!(req->work.flags & IO_WQ_WORK_BLKCG) &&
1329 (def->work_flags & IO_WQ_WORK_BLKCG)) {
1331 if (id->blkcg_css != blkcg_css()) {
1336 * This should be rare, either the cgroup is dying or the task
1337 * is moving cgroups. Just punt to root for the handful of ios.
1339 if (css_tryget_online(id->blkcg_css))
1340 req->work.flags |= IO_WQ_WORK_BLKCG;
1344 if (!(req->work.flags & IO_WQ_WORK_CREDS)) {
1345 if (id->creds != current_cred())
1347 get_cred(id->creds);
1348 req->work.flags |= IO_WQ_WORK_CREDS;
1351 if (!uid_eq(current->loginuid, id->loginuid) ||
1352 current->sessionid != id->sessionid)
1355 if (!(req->work.flags & IO_WQ_WORK_FS) &&
1356 (def->work_flags & IO_WQ_WORK_FS)) {
1357 if (current->fs != id->fs)
1359 spin_lock(&id->fs->lock);
1360 if (!id->fs->in_exec) {
1362 req->work.flags |= IO_WQ_WORK_FS;
1364 req->work.flags |= IO_WQ_WORK_CANCEL;
1366 spin_unlock(¤t->fs->lock);
1372 static void io_prep_async_work(struct io_kiocb *req)
1374 const struct io_op_def *def = &io_op_defs[req->opcode];
1375 struct io_ring_ctx *ctx = req->ctx;
1376 struct io_identity *id;
1378 io_req_init_async(req);
1379 id = req->work.identity;
1381 if (req->flags & REQ_F_FORCE_ASYNC)
1382 req->work.flags |= IO_WQ_WORK_CONCURRENT;
1384 if (req->flags & REQ_F_ISREG) {
1385 if (def->hash_reg_file || (ctx->flags & IORING_SETUP_IOPOLL))
1386 io_wq_hash_work(&req->work, file_inode(req->file));
1388 if (def->unbound_nonreg_file)
1389 req->work.flags |= IO_WQ_WORK_UNBOUND;
1392 /* ->mm can never change on us */
1393 if (!(req->work.flags & IO_WQ_WORK_MM) &&
1394 (def->work_flags & IO_WQ_WORK_MM)) {
1396 req->work.flags |= IO_WQ_WORK_MM;
1399 /* if we fail grabbing identity, we must COW, regrab, and retry */
1400 if (io_grab_identity(req))
1403 if (!io_identity_cow(req))
1406 /* can't fail at this point */
1407 if (!io_grab_identity(req))
1411 static void io_prep_async_link(struct io_kiocb *req)
1413 struct io_kiocb *cur;
1415 io_prep_async_work(req);
1416 if (req->flags & REQ_F_LINK_HEAD)
1417 list_for_each_entry(cur, &req->link_list, link_list)
1418 io_prep_async_work(cur);
1421 static struct io_kiocb *__io_queue_async_work(struct io_kiocb *req)
1423 struct io_ring_ctx *ctx = req->ctx;
1424 struct io_kiocb *link = io_prep_linked_timeout(req);
1426 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1427 &req->work, req->flags);
1428 io_wq_enqueue(ctx->io_wq, &req->work);
1432 static void io_queue_async_work(struct io_kiocb *req)
1434 struct io_kiocb *link;
1436 /* init ->work of the whole link before punting */
1437 io_prep_async_link(req);
1438 link = __io_queue_async_work(req);
1441 io_queue_linked_timeout(link);
1444 static void io_kill_timeout(struct io_kiocb *req)
1446 struct io_timeout_data *io = req->async_data;
1449 ret = hrtimer_try_to_cancel(&io->timer);
1451 atomic_set(&req->ctx->cq_timeouts,
1452 atomic_read(&req->ctx->cq_timeouts) + 1);
1453 list_del_init(&req->timeout.list);
1454 io_cqring_fill_event(req, 0);
1455 io_put_req_deferred(req, 1);
1459 static bool io_task_match(struct io_kiocb *req, struct task_struct *tsk)
1461 struct io_ring_ctx *ctx = req->ctx;
1463 if (!tsk || req->task == tsk)
1465 if (ctx->flags & IORING_SETUP_SQPOLL) {
1466 if (ctx->sq_data && req->task == ctx->sq_data->thread)
1473 * Returns true if we found and killed one or more timeouts
1475 static bool io_kill_timeouts(struct io_ring_ctx *ctx, struct task_struct *tsk)
1477 struct io_kiocb *req, *tmp;
1480 spin_lock_irq(&ctx->completion_lock);
1481 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {
1482 if (io_task_match(req, tsk)) {
1483 io_kill_timeout(req);
1487 spin_unlock_irq(&ctx->completion_lock);
1488 return canceled != 0;
1491 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1494 struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
1495 struct io_defer_entry, list);
1496 struct io_kiocb *link;
1498 if (req_need_defer(de->req, de->seq))
1500 list_del_init(&de->list);
1501 /* punt-init is done before queueing for defer */
1502 link = __io_queue_async_work(de->req);
1504 __io_queue_linked_timeout(link);
1505 /* drop submission reference */
1506 io_put_req_deferred(link, 1);
1509 } while (!list_empty(&ctx->defer_list));
1512 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1514 while (!list_empty(&ctx->timeout_list)) {
1515 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1516 struct io_kiocb, timeout.list);
1518 if (io_is_timeout_noseq(req))
1520 if (req->timeout.target_seq != ctx->cached_cq_tail
1521 - atomic_read(&ctx->cq_timeouts))
1524 list_del_init(&req->timeout.list);
1525 io_kill_timeout(req);
1529 static void io_commit_cqring(struct io_ring_ctx *ctx)
1531 io_flush_timeouts(ctx);
1532 __io_commit_cqring(ctx);
1534 if (unlikely(!list_empty(&ctx->defer_list)))
1535 __io_queue_deferred(ctx);
1538 static inline bool io_sqring_full(struct io_ring_ctx *ctx)
1540 struct io_rings *r = ctx->rings;
1542 return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == r->sq_ring_entries;
1545 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1547 struct io_rings *rings = ctx->rings;
1550 tail = ctx->cached_cq_tail;
1552 * writes to the cq entry need to come after reading head; the
1553 * control dependency is enough as we're using WRITE_ONCE to
1556 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1559 ctx->cached_cq_tail++;
1560 return &rings->cqes[tail & ctx->cq_mask];
1563 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1567 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1569 if (!ctx->eventfd_async)
1571 return io_wq_current_is_worker();
1574 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1576 if (waitqueue_active(&ctx->wait))
1577 wake_up(&ctx->wait);
1578 if (ctx->sq_data && waitqueue_active(&ctx->sq_data->wait))
1579 wake_up(&ctx->sq_data->wait);
1580 if (io_should_trigger_evfd(ctx))
1581 eventfd_signal(ctx->cq_ev_fd, 1);
1584 static void io_cqring_mark_overflow(struct io_ring_ctx *ctx)
1586 if (list_empty(&ctx->cq_overflow_list)) {
1587 clear_bit(0, &ctx->sq_check_overflow);
1588 clear_bit(0, &ctx->cq_check_overflow);
1589 ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
1593 static inline bool io_match_files(struct io_kiocb *req,
1594 struct files_struct *files)
1598 if ((req->flags & REQ_F_WORK_INITIALIZED) &&
1599 (req->work.flags & IO_WQ_WORK_FILES))
1600 return req->work.identity->files == files;
1604 /* Returns true if there are no backlogged entries after the flush */
1605 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force,
1606 struct task_struct *tsk,
1607 struct files_struct *files)
1609 struct io_rings *rings = ctx->rings;
1610 struct io_kiocb *req, *tmp;
1611 struct io_uring_cqe *cqe;
1612 unsigned long flags;
1616 if (list_empty_careful(&ctx->cq_overflow_list))
1618 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1619 rings->cq_ring_entries))
1623 spin_lock_irqsave(&ctx->completion_lock, flags);
1625 /* if force is set, the ring is going away. always drop after that */
1627 ctx->cq_overflow_flushed = 1;
1630 list_for_each_entry_safe(req, tmp, &ctx->cq_overflow_list, compl.list) {
1631 if (tsk && req->task != tsk)
1633 if (!io_match_files(req, files))
1636 cqe = io_get_cqring(ctx);
1640 list_move(&req->compl.list, &list);
1642 WRITE_ONCE(cqe->user_data, req->user_data);
1643 WRITE_ONCE(cqe->res, req->result);
1644 WRITE_ONCE(cqe->flags, req->compl.cflags);
1646 ctx->cached_cq_overflow++;
1647 WRITE_ONCE(ctx->rings->cq_overflow,
1648 ctx->cached_cq_overflow);
1652 io_commit_cqring(ctx);
1653 io_cqring_mark_overflow(ctx);
1655 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1656 io_cqring_ev_posted(ctx);
1658 while (!list_empty(&list)) {
1659 req = list_first_entry(&list, struct io_kiocb, compl.list);
1660 list_del(&req->compl.list);
1667 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1669 struct io_ring_ctx *ctx = req->ctx;
1670 struct io_uring_cqe *cqe;
1672 trace_io_uring_complete(ctx, req->user_data, res);
1675 * If we can't get a cq entry, userspace overflowed the
1676 * submission (by quite a lot). Increment the overflow count in
1679 cqe = io_get_cqring(ctx);
1681 WRITE_ONCE(cqe->user_data, req->user_data);
1682 WRITE_ONCE(cqe->res, res);
1683 WRITE_ONCE(cqe->flags, cflags);
1684 } else if (ctx->cq_overflow_flushed ||
1685 atomic_read(&req->task->io_uring->in_idle)) {
1687 * If we're in ring overflow flush mode, or in task cancel mode,
1688 * then we cannot store the request for later flushing, we need
1689 * to drop it on the floor.
1691 ctx->cached_cq_overflow++;
1692 WRITE_ONCE(ctx->rings->cq_overflow, ctx->cached_cq_overflow);
1694 if (list_empty(&ctx->cq_overflow_list)) {
1695 set_bit(0, &ctx->sq_check_overflow);
1696 set_bit(0, &ctx->cq_check_overflow);
1697 ctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;
1701 req->compl.cflags = cflags;
1702 refcount_inc(&req->refs);
1703 list_add_tail(&req->compl.list, &ctx->cq_overflow_list);
1707 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1709 __io_cqring_fill_event(req, res, 0);
1712 static void io_cqring_add_event(struct io_kiocb *req, long res, long cflags)
1714 struct io_ring_ctx *ctx = req->ctx;
1715 unsigned long flags;
1717 spin_lock_irqsave(&ctx->completion_lock, flags);
1718 __io_cqring_fill_event(req, res, cflags);
1719 io_commit_cqring(ctx);
1720 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1722 io_cqring_ev_posted(ctx);
1725 static void io_submit_flush_completions(struct io_comp_state *cs)
1727 struct io_ring_ctx *ctx = cs->ctx;
1729 spin_lock_irq(&ctx->completion_lock);
1730 while (!list_empty(&cs->list)) {
1731 struct io_kiocb *req;
1733 req = list_first_entry(&cs->list, struct io_kiocb, compl.list);
1734 list_del(&req->compl.list);
1735 __io_cqring_fill_event(req, req->result, req->compl.cflags);
1738 * io_free_req() doesn't care about completion_lock unless one
1739 * of these flags is set. REQ_F_WORK_INITIALIZED is in the list
1740 * because of a potential deadlock with req->work.fs->lock
1742 if (req->flags & (REQ_F_FAIL_LINK|REQ_F_LINK_TIMEOUT
1743 |REQ_F_WORK_INITIALIZED)) {
1744 spin_unlock_irq(&ctx->completion_lock);
1746 spin_lock_irq(&ctx->completion_lock);
1751 io_commit_cqring(ctx);
1752 spin_unlock_irq(&ctx->completion_lock);
1754 io_cqring_ev_posted(ctx);
1758 static void __io_req_complete(struct io_kiocb *req, long res, unsigned cflags,
1759 struct io_comp_state *cs)
1762 io_cqring_add_event(req, res, cflags);
1767 req->compl.cflags = cflags;
1768 list_add_tail(&req->compl.list, &cs->list);
1770 io_submit_flush_completions(cs);
1774 static void io_req_complete(struct io_kiocb *req, long res)
1776 __io_req_complete(req, res, 0, NULL);
1779 static inline bool io_is_fallback_req(struct io_kiocb *req)
1781 return req == (struct io_kiocb *)
1782 ((unsigned long) req->ctx->fallback_req & ~1UL);
1785 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1787 struct io_kiocb *req;
1789 req = ctx->fallback_req;
1790 if (!test_and_set_bit_lock(0, (unsigned long *) &ctx->fallback_req))
1796 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx,
1797 struct io_submit_state *state)
1799 if (!state->free_reqs) {
1800 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1804 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1805 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1808 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1809 * retry single alloc to be on the safe side.
1811 if (unlikely(ret <= 0)) {
1812 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1813 if (!state->reqs[0])
1817 state->free_reqs = ret;
1821 return state->reqs[state->free_reqs];
1823 return io_get_fallback_req(ctx);
1826 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1830 percpu_ref_put(req->fixed_file_refs);
1835 static void io_dismantle_req(struct io_kiocb *req)
1839 if (req->async_data)
1840 kfree(req->async_data);
1842 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1844 io_req_clean_work(req);
1847 static void __io_free_req(struct io_kiocb *req)
1849 struct io_uring_task *tctx = req->task->io_uring;
1850 struct io_ring_ctx *ctx = req->ctx;
1852 io_dismantle_req(req);
1854 percpu_counter_dec(&tctx->inflight);
1855 if (atomic_read(&tctx->in_idle))
1856 wake_up(&tctx->wait);
1857 put_task_struct(req->task);
1859 if (likely(!io_is_fallback_req(req)))
1860 kmem_cache_free(req_cachep, req);
1862 clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
1863 percpu_ref_put(&ctx->refs);
1866 static void io_kill_linked_timeout(struct io_kiocb *req)
1868 struct io_ring_ctx *ctx = req->ctx;
1869 struct io_kiocb *link;
1870 bool cancelled = false;
1871 unsigned long flags;
1873 spin_lock_irqsave(&ctx->completion_lock, flags);
1874 link = list_first_entry_or_null(&req->link_list, struct io_kiocb,
1877 * Can happen if a linked timeout fired and link had been like
1878 * req -> link t-out -> link t-out [-> ...]
1880 if (link && (link->flags & REQ_F_LTIMEOUT_ACTIVE)) {
1881 struct io_timeout_data *io = link->async_data;
1884 list_del_init(&link->link_list);
1885 ret = hrtimer_try_to_cancel(&io->timer);
1887 io_cqring_fill_event(link, -ECANCELED);
1888 io_commit_cqring(ctx);
1892 req->flags &= ~REQ_F_LINK_TIMEOUT;
1893 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1896 io_cqring_ev_posted(ctx);
1901 static struct io_kiocb *io_req_link_next(struct io_kiocb *req)
1903 struct io_kiocb *nxt;
1906 * The list should never be empty when we are called here. But could
1907 * potentially happen if the chain is messed up, check to be on the
1910 if (unlikely(list_empty(&req->link_list)))
1913 nxt = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1914 list_del_init(&req->link_list);
1915 if (!list_empty(&nxt->link_list))
1916 nxt->flags |= REQ_F_LINK_HEAD;
1921 * Called if REQ_F_LINK_HEAD is set, and we fail the head request
1923 static void io_fail_links(struct io_kiocb *req)
1925 struct io_ring_ctx *ctx = req->ctx;
1926 unsigned long flags;
1928 spin_lock_irqsave(&ctx->completion_lock, flags);
1929 while (!list_empty(&req->link_list)) {
1930 struct io_kiocb *link = list_first_entry(&req->link_list,
1931 struct io_kiocb, link_list);
1933 list_del_init(&link->link_list);
1934 trace_io_uring_fail_link(req, link);
1936 io_cqring_fill_event(link, -ECANCELED);
1939 * It's ok to free under spinlock as they're not linked anymore,
1940 * but avoid REQ_F_WORK_INITIALIZED because it may deadlock on
1943 if (link->flags & REQ_F_WORK_INITIALIZED)
1944 io_put_req_deferred(link, 2);
1946 io_double_put_req(link);
1949 io_commit_cqring(ctx);
1950 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1952 io_cqring_ev_posted(ctx);
1955 static struct io_kiocb *__io_req_find_next(struct io_kiocb *req)
1957 req->flags &= ~REQ_F_LINK_HEAD;
1958 if (req->flags & REQ_F_LINK_TIMEOUT)
1959 io_kill_linked_timeout(req);
1962 * If LINK is set, we have dependent requests in this chain. If we
1963 * didn't fail this request, queue the first one up, moving any other
1964 * dependencies to the next request. In case of failure, fail the rest
1967 if (likely(!(req->flags & REQ_F_FAIL_LINK)))
1968 return io_req_link_next(req);
1973 static struct io_kiocb *io_req_find_next(struct io_kiocb *req)
1975 if (likely(!(req->flags & REQ_F_LINK_HEAD)))
1977 return __io_req_find_next(req);
1980 static int io_req_task_work_add(struct io_kiocb *req, bool twa_signal_ok)
1982 struct task_struct *tsk = req->task;
1983 struct io_ring_ctx *ctx = req->ctx;
1984 enum task_work_notify_mode notify;
1987 if (tsk->flags & PF_EXITING)
1991 * SQPOLL kernel thread doesn't need notification, just a wakeup. For
1992 * all other cases, use TWA_SIGNAL unconditionally to ensure we're
1993 * processing task_work. There's no reliable way to tell if TWA_RESUME
1997 if (!(ctx->flags & IORING_SETUP_SQPOLL) && twa_signal_ok)
1998 notify = TWA_SIGNAL;
2000 ret = task_work_add(tsk, &req->task_work, notify);
2002 wake_up_process(tsk);
2007 static void __io_req_task_cancel(struct io_kiocb *req, int error)
2009 struct io_ring_ctx *ctx = req->ctx;
2011 spin_lock_irq(&ctx->completion_lock);
2012 io_cqring_fill_event(req, error);
2013 io_commit_cqring(ctx);
2014 spin_unlock_irq(&ctx->completion_lock);
2016 io_cqring_ev_posted(ctx);
2017 req_set_fail_links(req);
2018 io_double_put_req(req);
2021 static void io_req_task_cancel(struct callback_head *cb)
2023 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2024 struct io_ring_ctx *ctx = req->ctx;
2026 __io_req_task_cancel(req, -ECANCELED);
2027 percpu_ref_put(&ctx->refs);
2030 static void __io_req_task_submit(struct io_kiocb *req)
2032 struct io_ring_ctx *ctx = req->ctx;
2034 if (!__io_sq_thread_acquire_mm(ctx)) {
2035 mutex_lock(&ctx->uring_lock);
2036 __io_queue_sqe(req, NULL);
2037 mutex_unlock(&ctx->uring_lock);
2039 __io_req_task_cancel(req, -EFAULT);
2043 static void io_req_task_submit(struct callback_head *cb)
2045 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2046 struct io_ring_ctx *ctx = req->ctx;
2048 __io_req_task_submit(req);
2049 percpu_ref_put(&ctx->refs);
2052 static void io_req_task_queue(struct io_kiocb *req)
2056 init_task_work(&req->task_work, io_req_task_submit);
2057 percpu_ref_get(&req->ctx->refs);
2059 ret = io_req_task_work_add(req, true);
2060 if (unlikely(ret)) {
2061 struct task_struct *tsk;
2063 init_task_work(&req->task_work, io_req_task_cancel);
2064 tsk = io_wq_get_task(req->ctx->io_wq);
2065 task_work_add(tsk, &req->task_work, TWA_NONE);
2066 wake_up_process(tsk);
2070 static void io_queue_next(struct io_kiocb *req)
2072 struct io_kiocb *nxt = io_req_find_next(req);
2075 io_req_task_queue(nxt);
2078 static void io_free_req(struct io_kiocb *req)
2085 void *reqs[IO_IOPOLL_BATCH];
2088 struct task_struct *task;
2092 static inline void io_init_req_batch(struct req_batch *rb)
2099 static void __io_req_free_batch_flush(struct io_ring_ctx *ctx,
2100 struct req_batch *rb)
2102 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
2103 percpu_ref_put_many(&ctx->refs, rb->to_free);
2107 static void io_req_free_batch_finish(struct io_ring_ctx *ctx,
2108 struct req_batch *rb)
2111 __io_req_free_batch_flush(ctx, rb);
2113 struct io_uring_task *tctx = rb->task->io_uring;
2115 percpu_counter_sub(&tctx->inflight, rb->task_refs);
2116 put_task_struct_many(rb->task, rb->task_refs);
2121 static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req)
2123 if (unlikely(io_is_fallback_req(req))) {
2127 if (req->flags & REQ_F_LINK_HEAD)
2130 if (req->task != rb->task) {
2132 struct io_uring_task *tctx = rb->task->io_uring;
2134 percpu_counter_sub(&tctx->inflight, rb->task_refs);
2135 put_task_struct_many(rb->task, rb->task_refs);
2137 rb->task = req->task;
2142 io_dismantle_req(req);
2143 rb->reqs[rb->to_free++] = req;
2144 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
2145 __io_req_free_batch_flush(req->ctx, rb);
2149 * Drop reference to request, return next in chain (if there is one) if this
2150 * was the last reference to this request.
2152 static struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
2154 struct io_kiocb *nxt = NULL;
2156 if (refcount_dec_and_test(&req->refs)) {
2157 nxt = io_req_find_next(req);
2163 static void io_put_req(struct io_kiocb *req)
2165 if (refcount_dec_and_test(&req->refs))
2169 static void io_put_req_deferred_cb(struct callback_head *cb)
2171 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2176 static void io_free_req_deferred(struct io_kiocb *req)
2180 init_task_work(&req->task_work, io_put_req_deferred_cb);
2181 ret = io_req_task_work_add(req, true);
2182 if (unlikely(ret)) {
2183 struct task_struct *tsk;
2185 tsk = io_wq_get_task(req->ctx->io_wq);
2186 task_work_add(tsk, &req->task_work, TWA_NONE);
2187 wake_up_process(tsk);
2191 static inline void io_put_req_deferred(struct io_kiocb *req, int refs)
2193 if (refcount_sub_and_test(refs, &req->refs))
2194 io_free_req_deferred(req);
2197 static struct io_wq_work *io_steal_work(struct io_kiocb *req)
2199 struct io_kiocb *nxt;
2202 * A ref is owned by io-wq in which context we're. So, if that's the
2203 * last one, it's safe to steal next work. False negatives are Ok,
2204 * it just will be re-punted async in io_put_work()
2206 if (refcount_read(&req->refs) != 1)
2209 nxt = io_req_find_next(req);
2210 return nxt ? &nxt->work : NULL;
2213 static void io_double_put_req(struct io_kiocb *req)
2215 /* drop both submit and complete references */
2216 if (refcount_sub_and_test(2, &req->refs))
2220 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
2222 struct io_rings *rings = ctx->rings;
2224 if (test_bit(0, &ctx->cq_check_overflow)) {
2226 * noflush == true is from the waitqueue handler, just ensure
2227 * we wake up the task, and the next invocation will flush the
2228 * entries. We cannot safely to it from here.
2230 if (noflush && !list_empty(&ctx->cq_overflow_list))
2233 io_cqring_overflow_flush(ctx, false, NULL, NULL);
2236 /* See comment at the top of this file */
2238 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
2241 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
2243 struct io_rings *rings = ctx->rings;
2245 /* make sure SQ entry isn't read before tail */
2246 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
2249 static unsigned int io_put_kbuf(struct io_kiocb *req, struct io_buffer *kbuf)
2251 unsigned int cflags;
2253 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
2254 cflags |= IORING_CQE_F_BUFFER;
2255 req->flags &= ~REQ_F_BUFFER_SELECTED;
2260 static inline unsigned int io_put_rw_kbuf(struct io_kiocb *req)
2262 struct io_buffer *kbuf;
2264 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2265 return io_put_kbuf(req, kbuf);
2268 static inline bool io_run_task_work(void)
2271 * Not safe to run on exiting task, and the task_work handling will
2272 * not add work to such a task.
2274 if (unlikely(current->flags & PF_EXITING))
2276 if (current->task_works) {
2277 __set_current_state(TASK_RUNNING);
2285 static void io_iopoll_queue(struct list_head *again)
2287 struct io_kiocb *req;
2290 req = list_first_entry(again, struct io_kiocb, inflight_entry);
2291 list_del(&req->inflight_entry);
2292 __io_complete_rw(req, -EAGAIN, 0, NULL);
2293 } while (!list_empty(again));
2297 * Find and free completed poll iocbs
2299 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
2300 struct list_head *done)
2302 struct req_batch rb;
2303 struct io_kiocb *req;
2306 /* order with ->result store in io_complete_rw_iopoll() */
2309 io_init_req_batch(&rb);
2310 while (!list_empty(done)) {
2313 req = list_first_entry(done, struct io_kiocb, inflight_entry);
2314 if (READ_ONCE(req->result) == -EAGAIN) {
2316 req->iopoll_completed = 0;
2317 list_move_tail(&req->inflight_entry, &again);
2320 list_del(&req->inflight_entry);
2322 if (req->flags & REQ_F_BUFFER_SELECTED)
2323 cflags = io_put_rw_kbuf(req);
2325 __io_cqring_fill_event(req, req->result, cflags);
2328 if (refcount_dec_and_test(&req->refs))
2329 io_req_free_batch(&rb, req);
2332 io_commit_cqring(ctx);
2333 if (ctx->flags & IORING_SETUP_SQPOLL)
2334 io_cqring_ev_posted(ctx);
2335 io_req_free_batch_finish(ctx, &rb);
2337 if (!list_empty(&again))
2338 io_iopoll_queue(&again);
2341 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
2344 struct io_kiocb *req, *tmp;
2350 * Only spin for completions if we don't have multiple devices hanging
2351 * off our complete list, and we're under the requested amount.
2353 spin = !ctx->poll_multi_file && *nr_events < min;
2356 list_for_each_entry_safe(req, tmp, &ctx->iopoll_list, inflight_entry) {
2357 struct kiocb *kiocb = &req->rw.kiocb;
2360 * Move completed and retryable entries to our local lists.
2361 * If we find a request that requires polling, break out
2362 * and complete those lists first, if we have entries there.
2364 if (READ_ONCE(req->iopoll_completed)) {
2365 list_move_tail(&req->inflight_entry, &done);
2368 if (!list_empty(&done))
2371 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
2375 /* iopoll may have completed current req */
2376 if (READ_ONCE(req->iopoll_completed))
2377 list_move_tail(&req->inflight_entry, &done);
2384 if (!list_empty(&done))
2385 io_iopoll_complete(ctx, nr_events, &done);
2391 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
2392 * non-spinning poll check - we'll still enter the driver poll loop, but only
2393 * as a non-spinning completion check.
2395 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
2398 while (!list_empty(&ctx->iopoll_list) && !need_resched()) {
2401 ret = io_do_iopoll(ctx, nr_events, min);
2404 if (*nr_events >= min)
2412 * We can't just wait for polled events to come to us, we have to actively
2413 * find and complete them.
2415 static void io_iopoll_try_reap_events(struct io_ring_ctx *ctx)
2417 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2420 mutex_lock(&ctx->uring_lock);
2421 while (!list_empty(&ctx->iopoll_list)) {
2422 unsigned int nr_events = 0;
2424 io_do_iopoll(ctx, &nr_events, 0);
2426 /* let it sleep and repeat later if can't complete a request */
2430 * Ensure we allow local-to-the-cpu processing to take place,
2431 * in this case we need to ensure that we reap all events.
2432 * Also let task_work, etc. to progress by releasing the mutex
2434 if (need_resched()) {
2435 mutex_unlock(&ctx->uring_lock);
2437 mutex_lock(&ctx->uring_lock);
2440 mutex_unlock(&ctx->uring_lock);
2443 static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
2445 unsigned int nr_events = 0;
2446 int iters = 0, ret = 0;
2449 * We disallow the app entering submit/complete with polling, but we
2450 * still need to lock the ring to prevent racing with polled issue
2451 * that got punted to a workqueue.
2453 mutex_lock(&ctx->uring_lock);
2456 * Don't enter poll loop if we already have events pending.
2457 * If we do, we can potentially be spinning for commands that
2458 * already triggered a CQE (eg in error).
2460 if (io_cqring_events(ctx, false))
2464 * If a submit got punted to a workqueue, we can have the
2465 * application entering polling for a command before it gets
2466 * issued. That app will hold the uring_lock for the duration
2467 * of the poll right here, so we need to take a breather every
2468 * now and then to ensure that the issue has a chance to add
2469 * the poll to the issued list. Otherwise we can spin here
2470 * forever, while the workqueue is stuck trying to acquire the
2473 if (!(++iters & 7)) {
2474 mutex_unlock(&ctx->uring_lock);
2476 mutex_lock(&ctx->uring_lock);
2479 ret = io_iopoll_getevents(ctx, &nr_events, min);
2483 } while (min && !nr_events && !need_resched());
2485 mutex_unlock(&ctx->uring_lock);
2489 static void kiocb_end_write(struct io_kiocb *req)
2492 * Tell lockdep we inherited freeze protection from submission
2495 if (req->flags & REQ_F_ISREG) {
2496 struct inode *inode = file_inode(req->file);
2498 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2500 file_end_write(req->file);
2503 static void io_complete_rw_common(struct kiocb *kiocb, long res,
2504 struct io_comp_state *cs)
2506 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2509 if (kiocb->ki_flags & IOCB_WRITE)
2510 kiocb_end_write(req);
2512 if (res != req->result)
2513 req_set_fail_links(req);
2514 if (req->flags & REQ_F_BUFFER_SELECTED)
2515 cflags = io_put_rw_kbuf(req);
2516 __io_req_complete(req, res, cflags, cs);
2520 static bool io_resubmit_prep(struct io_kiocb *req, int error)
2522 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2523 ssize_t ret = -ECANCELED;
2524 struct iov_iter iter;
2532 switch (req->opcode) {
2533 case IORING_OP_READV:
2534 case IORING_OP_READ_FIXED:
2535 case IORING_OP_READ:
2538 case IORING_OP_WRITEV:
2539 case IORING_OP_WRITE_FIXED:
2540 case IORING_OP_WRITE:
2544 printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
2549 if (!req->async_data) {
2550 ret = io_import_iovec(rw, req, &iovec, &iter, false);
2553 ret = io_setup_async_rw(req, iovec, inline_vecs, &iter, false);
2561 req_set_fail_links(req);
2562 io_req_complete(req, ret);
2567 static bool io_rw_reissue(struct io_kiocb *req, long res)
2570 umode_t mode = file_inode(req->file)->i_mode;
2573 if (!S_ISBLK(mode) && !S_ISREG(mode))
2575 if ((res != -EAGAIN && res != -EOPNOTSUPP) || io_wq_current_is_worker())
2578 ret = io_sq_thread_acquire_mm(req->ctx, req);
2580 if (io_resubmit_prep(req, ret)) {
2581 refcount_inc(&req->refs);
2582 io_queue_async_work(req);
2590 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
2591 struct io_comp_state *cs)
2593 if (!io_rw_reissue(req, res))
2594 io_complete_rw_common(&req->rw.kiocb, res, cs);
2597 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
2599 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2601 __io_complete_rw(req, res, res2, NULL);
2604 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
2606 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2608 if (kiocb->ki_flags & IOCB_WRITE)
2609 kiocb_end_write(req);
2611 if (res != -EAGAIN && res != req->result)
2612 req_set_fail_links(req);
2614 WRITE_ONCE(req->result, res);
2615 /* order with io_poll_complete() checking ->result */
2617 WRITE_ONCE(req->iopoll_completed, 1);
2621 * After the iocb has been issued, it's safe to be found on the poll list.
2622 * Adding the kiocb to the list AFTER submission ensures that we don't
2623 * find it from a io_iopoll_getevents() thread before the issuer is done
2624 * accessing the kiocb cookie.
2626 static void io_iopoll_req_issued(struct io_kiocb *req)
2628 struct io_ring_ctx *ctx = req->ctx;
2631 * Track whether we have multiple files in our lists. This will impact
2632 * how we do polling eventually, not spinning if we're on potentially
2633 * different devices.
2635 if (list_empty(&ctx->iopoll_list)) {
2636 ctx->poll_multi_file = false;
2637 } else if (!ctx->poll_multi_file) {
2638 struct io_kiocb *list_req;
2640 list_req = list_first_entry(&ctx->iopoll_list, struct io_kiocb,
2642 if (list_req->file != req->file)
2643 ctx->poll_multi_file = true;
2647 * For fast devices, IO may have already completed. If it has, add
2648 * it to the front so we find it first.
2650 if (READ_ONCE(req->iopoll_completed))
2651 list_add(&req->inflight_entry, &ctx->iopoll_list);
2653 list_add_tail(&req->inflight_entry, &ctx->iopoll_list);
2655 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
2656 wq_has_sleeper(&ctx->sq_data->wait))
2657 wake_up(&ctx->sq_data->wait);
2660 static void __io_state_file_put(struct io_submit_state *state)
2662 if (state->has_refs)
2663 fput_many(state->file, state->has_refs);
2667 static inline void io_state_file_put(struct io_submit_state *state)
2670 __io_state_file_put(state);
2674 * Get as many references to a file as we have IOs left in this submission,
2675 * assuming most submissions are for one file, or at least that each file
2676 * has more than one submission.
2678 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2684 if (state->fd == fd) {
2688 __io_state_file_put(state);
2690 state->file = fget_many(fd, state->ios_left);
2695 state->has_refs = state->ios_left - 1;
2699 static bool io_bdev_nowait(struct block_device *bdev)
2702 return !bdev || blk_queue_nowait(bdev_get_queue(bdev));
2709 * If we tracked the file through the SCM inflight mechanism, we could support
2710 * any file. For now, just ensure that anything potentially problematic is done
2713 static bool io_file_supports_async(struct file *file, int rw)
2715 umode_t mode = file_inode(file)->i_mode;
2717 if (S_ISBLK(mode)) {
2718 if (io_bdev_nowait(file->f_inode->i_bdev))
2722 if (S_ISCHR(mode) || S_ISSOCK(mode))
2724 if (S_ISREG(mode)) {
2725 if (io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
2726 file->f_op != &io_uring_fops)
2731 /* any ->read/write should understand O_NONBLOCK */
2732 if (file->f_flags & O_NONBLOCK)
2735 if (!(file->f_mode & FMODE_NOWAIT))
2739 return file->f_op->read_iter != NULL;
2741 return file->f_op->write_iter != NULL;
2744 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2746 struct io_ring_ctx *ctx = req->ctx;
2747 struct kiocb *kiocb = &req->rw.kiocb;
2751 if (S_ISREG(file_inode(req->file)->i_mode))
2752 req->flags |= REQ_F_ISREG;
2754 kiocb->ki_pos = READ_ONCE(sqe->off);
2755 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
2756 req->flags |= REQ_F_CUR_POS;
2757 kiocb->ki_pos = req->file->f_pos;
2759 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2760 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2761 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2765 ioprio = READ_ONCE(sqe->ioprio);
2767 ret = ioprio_check_cap(ioprio);
2771 kiocb->ki_ioprio = ioprio;
2773 kiocb->ki_ioprio = get_current_ioprio();
2775 /* don't allow async punt if RWF_NOWAIT was requested */
2776 if (kiocb->ki_flags & IOCB_NOWAIT)
2777 req->flags |= REQ_F_NOWAIT;
2779 if (ctx->flags & IORING_SETUP_IOPOLL) {
2780 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2781 !kiocb->ki_filp->f_op->iopoll)
2784 kiocb->ki_flags |= IOCB_HIPRI;
2785 kiocb->ki_complete = io_complete_rw_iopoll;
2786 req->iopoll_completed = 0;
2788 if (kiocb->ki_flags & IOCB_HIPRI)
2790 kiocb->ki_complete = io_complete_rw;
2793 req->rw.addr = READ_ONCE(sqe->addr);
2794 req->rw.len = READ_ONCE(sqe->len);
2795 req->buf_index = READ_ONCE(sqe->buf_index);
2799 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2805 case -ERESTARTNOINTR:
2806 case -ERESTARTNOHAND:
2807 case -ERESTART_RESTARTBLOCK:
2809 * We can't just restart the syscall, since previously
2810 * submitted sqes may already be in progress. Just fail this
2816 kiocb->ki_complete(kiocb, ret, 0);
2820 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
2821 struct io_comp_state *cs)
2823 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2824 struct io_async_rw *io = req->async_data;
2826 /* add previously done IO, if any */
2827 if (io && io->bytes_done > 0) {
2829 ret = io->bytes_done;
2831 ret += io->bytes_done;
2834 if (req->flags & REQ_F_CUR_POS)
2835 req->file->f_pos = kiocb->ki_pos;
2836 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2837 __io_complete_rw(req, ret, 0, cs);
2839 io_rw_done(kiocb, ret);
2842 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
2843 struct iov_iter *iter)
2845 struct io_ring_ctx *ctx = req->ctx;
2846 size_t len = req->rw.len;
2847 struct io_mapped_ubuf *imu;
2848 u16 index, buf_index = req->buf_index;
2852 if (unlikely(buf_index >= ctx->nr_user_bufs))
2854 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2855 imu = &ctx->user_bufs[index];
2856 buf_addr = req->rw.addr;
2859 if (buf_addr + len < buf_addr)
2861 /* not inside the mapped region */
2862 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2866 * May not be a start of buffer, set size appropriately
2867 * and advance us to the beginning.
2869 offset = buf_addr - imu->ubuf;
2870 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2874 * Don't use iov_iter_advance() here, as it's really slow for
2875 * using the latter parts of a big fixed buffer - it iterates
2876 * over each segment manually. We can cheat a bit here, because
2879 * 1) it's a BVEC iter, we set it up
2880 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2881 * first and last bvec
2883 * So just find our index, and adjust the iterator afterwards.
2884 * If the offset is within the first bvec (or the whole first
2885 * bvec, just use iov_iter_advance(). This makes it easier
2886 * since we can just skip the first segment, which may not
2887 * be PAGE_SIZE aligned.
2889 const struct bio_vec *bvec = imu->bvec;
2891 if (offset <= bvec->bv_len) {
2892 iov_iter_advance(iter, offset);
2894 unsigned long seg_skip;
2896 /* skip first vec */
2897 offset -= bvec->bv_len;
2898 seg_skip = 1 + (offset >> PAGE_SHIFT);
2900 iter->bvec = bvec + seg_skip;
2901 iter->nr_segs -= seg_skip;
2902 iter->count -= bvec->bv_len + offset;
2903 iter->iov_offset = offset & ~PAGE_MASK;
2910 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2913 mutex_unlock(&ctx->uring_lock);
2916 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2919 * "Normal" inline submissions always hold the uring_lock, since we
2920 * grab it from the system call. Same is true for the SQPOLL offload.
2921 * The only exception is when we've detached the request and issue it
2922 * from an async worker thread, grab the lock for that case.
2925 mutex_lock(&ctx->uring_lock);
2928 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2929 int bgid, struct io_buffer *kbuf,
2932 struct io_buffer *head;
2934 if (req->flags & REQ_F_BUFFER_SELECTED)
2937 io_ring_submit_lock(req->ctx, needs_lock);
2939 lockdep_assert_held(&req->ctx->uring_lock);
2941 head = idr_find(&req->ctx->io_buffer_idr, bgid);
2943 if (!list_empty(&head->list)) {
2944 kbuf = list_last_entry(&head->list, struct io_buffer,
2946 list_del(&kbuf->list);
2949 idr_remove(&req->ctx->io_buffer_idr, bgid);
2951 if (*len > kbuf->len)
2954 kbuf = ERR_PTR(-ENOBUFS);
2957 io_ring_submit_unlock(req->ctx, needs_lock);
2962 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2965 struct io_buffer *kbuf;
2968 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2969 bgid = req->buf_index;
2970 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2973 req->rw.addr = (u64) (unsigned long) kbuf;
2974 req->flags |= REQ_F_BUFFER_SELECTED;
2975 return u64_to_user_ptr(kbuf->addr);
2978 #ifdef CONFIG_COMPAT
2979 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2982 struct compat_iovec __user *uiov;
2983 compat_ssize_t clen;
2987 uiov = u64_to_user_ptr(req->rw.addr);
2988 if (!access_ok(uiov, sizeof(*uiov)))
2990 if (__get_user(clen, &uiov->iov_len))
2996 buf = io_rw_buffer_select(req, &len, needs_lock);
2998 return PTR_ERR(buf);
2999 iov[0].iov_base = buf;
3000 iov[0].iov_len = (compat_size_t) len;
3005 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3008 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
3012 if (copy_from_user(iov, uiov, sizeof(*uiov)))
3015 len = iov[0].iov_len;
3018 buf = io_rw_buffer_select(req, &len, needs_lock);
3020 return PTR_ERR(buf);
3021 iov[0].iov_base = buf;
3022 iov[0].iov_len = len;
3026 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3029 if (req->flags & REQ_F_BUFFER_SELECTED) {
3030 struct io_buffer *kbuf;
3032 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
3033 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
3034 iov[0].iov_len = kbuf->len;
3039 else if (req->rw.len > 1)
3042 #ifdef CONFIG_COMPAT
3043 if (req->ctx->compat)
3044 return io_compat_import(req, iov, needs_lock);
3047 return __io_iov_buffer_select(req, iov, needs_lock);
3050 static ssize_t __io_import_iovec(int rw, struct io_kiocb *req,
3051 struct iovec **iovec, struct iov_iter *iter,
3054 void __user *buf = u64_to_user_ptr(req->rw.addr);
3055 size_t sqe_len = req->rw.len;
3059 opcode = req->opcode;
3060 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
3062 return io_import_fixed(req, rw, iter);
3065 /* buffer index only valid with fixed read/write, or buffer select */
3066 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
3069 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
3070 if (req->flags & REQ_F_BUFFER_SELECT) {
3071 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
3073 return PTR_ERR(buf);
3074 req->rw.len = sqe_len;
3077 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
3079 return ret < 0 ? ret : sqe_len;
3082 if (req->flags & REQ_F_BUFFER_SELECT) {
3083 ret = io_iov_buffer_select(req, *iovec, needs_lock);
3085 ret = (*iovec)->iov_len;
3086 iov_iter_init(iter, rw, *iovec, 1, ret);
3092 return __import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter,
3096 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
3097 struct iovec **iovec, struct iov_iter *iter,
3100 struct io_async_rw *iorw = req->async_data;
3103 return __io_import_iovec(rw, req, iovec, iter, needs_lock);
3105 return iov_iter_count(&iorw->iter);
3108 static inline loff_t *io_kiocb_ppos(struct kiocb *kiocb)
3110 return (kiocb->ki_filp->f_mode & FMODE_STREAM) ? NULL : &kiocb->ki_pos;
3114 * For files that don't have ->read_iter() and ->write_iter(), handle them
3115 * by looping over ->read() or ->write() manually.
3117 static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
3119 struct kiocb *kiocb = &req->rw.kiocb;
3120 struct file *file = req->file;
3124 * Don't support polled IO through this interface, and we can't
3125 * support non-blocking either. For the latter, this just causes
3126 * the kiocb to be handled from an async context.
3128 if (kiocb->ki_flags & IOCB_HIPRI)
3130 if (kiocb->ki_flags & IOCB_NOWAIT)
3133 while (iov_iter_count(iter)) {
3137 if (!iov_iter_is_bvec(iter)) {
3138 iovec = iov_iter_iovec(iter);
3140 iovec.iov_base = u64_to_user_ptr(req->rw.addr);
3141 iovec.iov_len = req->rw.len;
3145 nr = file->f_op->read(file, iovec.iov_base,
3146 iovec.iov_len, io_kiocb_ppos(kiocb));
3148 nr = file->f_op->write(file, iovec.iov_base,
3149 iovec.iov_len, io_kiocb_ppos(kiocb));
3158 if (nr != iovec.iov_len)
3162 iov_iter_advance(iter, nr);
3168 static void io_req_map_rw(struct io_kiocb *req, const struct iovec *iovec,
3169 const struct iovec *fast_iov, struct iov_iter *iter)
3171 struct io_async_rw *rw = req->async_data;
3173 memcpy(&rw->iter, iter, sizeof(*iter));
3174 rw->free_iovec = iovec;
3176 /* can only be fixed buffers, no need to do anything */
3177 if (iter->type == ITER_BVEC)
3180 unsigned iov_off = 0;
3182 rw->iter.iov = rw->fast_iov;
3183 if (iter->iov != fast_iov) {
3184 iov_off = iter->iov - fast_iov;
3185 rw->iter.iov += iov_off;
3187 if (rw->fast_iov != fast_iov)
3188 memcpy(rw->fast_iov + iov_off, fast_iov + iov_off,
3189 sizeof(struct iovec) * iter->nr_segs);
3191 req->flags |= REQ_F_NEED_CLEANUP;
3195 static inline int __io_alloc_async_data(struct io_kiocb *req)
3197 WARN_ON_ONCE(!io_op_defs[req->opcode].async_size);
3198 req->async_data = kmalloc(io_op_defs[req->opcode].async_size, GFP_KERNEL);
3199 return req->async_data == NULL;
3202 static int io_alloc_async_data(struct io_kiocb *req)
3204 if (!io_op_defs[req->opcode].needs_async_data)
3207 return __io_alloc_async_data(req);
3210 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
3211 const struct iovec *fast_iov,
3212 struct iov_iter *iter, bool force)
3214 if (!force && !io_op_defs[req->opcode].needs_async_data)
3216 if (!req->async_data) {
3217 if (__io_alloc_async_data(req))
3220 io_req_map_rw(req, iovec, fast_iov, iter);
3225 static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
3227 struct io_async_rw *iorw = req->async_data;
3228 struct iovec *iov = iorw->fast_iov;
3231 ret = __io_import_iovec(rw, req, &iov, &iorw->iter, false);
3232 if (unlikely(ret < 0))
3235 iorw->bytes_done = 0;
3236 iorw->free_iovec = iov;
3238 req->flags |= REQ_F_NEED_CLEANUP;
3242 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3246 ret = io_prep_rw(req, sqe);
3250 if (unlikely(!(req->file->f_mode & FMODE_READ)))
3253 /* either don't need iovec imported or already have it */
3254 if (!req->async_data)
3256 return io_rw_prep_async(req, READ);
3260 * This is our waitqueue callback handler, registered through lock_page_async()
3261 * when we initially tried to do the IO with the iocb armed our waitqueue.
3262 * This gets called when the page is unlocked, and we generally expect that to
3263 * happen when the page IO is completed and the page is now uptodate. This will
3264 * queue a task_work based retry of the operation, attempting to copy the data
3265 * again. If the latter fails because the page was NOT uptodate, then we will
3266 * do a thread based blocking retry of the operation. That's the unexpected
3269 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
3270 int sync, void *arg)
3272 struct wait_page_queue *wpq;
3273 struct io_kiocb *req = wait->private;
3274 struct wait_page_key *key = arg;
3277 wpq = container_of(wait, struct wait_page_queue, wait);
3279 if (!wake_page_match(wpq, key))
3282 req->rw.kiocb.ki_flags &= ~IOCB_WAITQ;
3283 list_del_init(&wait->entry);
3285 init_task_work(&req->task_work, io_req_task_submit);
3286 percpu_ref_get(&req->ctx->refs);
3288 /* submit ref gets dropped, acquire a new one */
3289 refcount_inc(&req->refs);
3290 ret = io_req_task_work_add(req, true);
3291 if (unlikely(ret)) {
3292 struct task_struct *tsk;
3294 /* queue just for cancelation */
3295 init_task_work(&req->task_work, io_req_task_cancel);
3296 tsk = io_wq_get_task(req->ctx->io_wq);
3297 task_work_add(tsk, &req->task_work, TWA_NONE);
3298 wake_up_process(tsk);
3304 * This controls whether a given IO request should be armed for async page
3305 * based retry. If we return false here, the request is handed to the async
3306 * worker threads for retry. If we're doing buffered reads on a regular file,
3307 * we prepare a private wait_page_queue entry and retry the operation. This
3308 * will either succeed because the page is now uptodate and unlocked, or it
3309 * will register a callback when the page is unlocked at IO completion. Through
3310 * that callback, io_uring uses task_work to setup a retry of the operation.
3311 * That retry will attempt the buffered read again. The retry will generally
3312 * succeed, or in rare cases where it fails, we then fall back to using the
3313 * async worker threads for a blocking retry.
3315 static bool io_rw_should_retry(struct io_kiocb *req)
3317 struct io_async_rw *rw = req->async_data;
3318 struct wait_page_queue *wait = &rw->wpq;
3319 struct kiocb *kiocb = &req->rw.kiocb;
3321 /* never retry for NOWAIT, we just complete with -EAGAIN */
3322 if (req->flags & REQ_F_NOWAIT)
3325 /* Only for buffered IO */
3326 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_HIPRI))
3330 * just use poll if we can, and don't attempt if the fs doesn't
3331 * support callback based unlocks
3333 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
3336 wait->wait.func = io_async_buf_func;
3337 wait->wait.private = req;
3338 wait->wait.flags = 0;
3339 INIT_LIST_HEAD(&wait->wait.entry);
3340 kiocb->ki_flags |= IOCB_WAITQ;
3341 kiocb->ki_flags &= ~IOCB_NOWAIT;
3342 kiocb->ki_waitq = wait;
3346 static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
3348 if (req->file->f_op->read_iter)
3349 return call_read_iter(req->file, &req->rw.kiocb, iter);
3350 else if (req->file->f_op->read)
3351 return loop_rw_iter(READ, req, iter);
3356 static int io_read(struct io_kiocb *req, bool force_nonblock,
3357 struct io_comp_state *cs)
3359 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3360 struct kiocb *kiocb = &req->rw.kiocb;
3361 struct iov_iter __iter, *iter = &__iter;
3362 struct io_async_rw *rw = req->async_data;
3363 ssize_t io_size, ret, ret2;
3370 ret = io_import_iovec(READ, req, &iovec, iter, !force_nonblock);
3373 iov_count = iov_iter_count(iter);
3375 req->result = io_size;
3378 /* Ensure we clear previously set non-block flag */
3379 if (!force_nonblock)
3380 kiocb->ki_flags &= ~IOCB_NOWAIT;
3382 kiocb->ki_flags |= IOCB_NOWAIT;
3385 /* If the file doesn't support async, just async punt */
3386 no_async = force_nonblock && !io_file_supports_async(req->file, READ);
3390 ret = rw_verify_area(READ, req->file, io_kiocb_ppos(kiocb), iov_count);
3394 ret = io_iter_do_read(req, iter);
3398 } else if (ret == -EIOCBQUEUED) {
3401 } else if (ret == -EAGAIN) {
3402 /* IOPOLL retry should happen for io-wq threads */
3403 if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
3405 /* no retry on NONBLOCK marked file */
3406 if (req->file->f_flags & O_NONBLOCK)
3408 /* some cases will consume bytes even on error returns */
3409 iov_iter_revert(iter, iov_count - iov_iter_count(iter));
3412 } else if (ret < 0) {
3413 /* make sure -ERESTARTSYS -> -EINTR is done */
3417 /* read it all, or we did blocking attempt. no retry. */
3418 if (!iov_iter_count(iter) || !force_nonblock ||
3419 (req->file->f_flags & O_NONBLOCK))
3424 ret2 = io_setup_async_rw(req, iovec, inline_vecs, iter, true);
3431 rw = req->async_data;
3432 /* it's copied and will be cleaned with ->io */
3434 /* now use our persistent iterator, if we aren't already */
3437 rw->bytes_done += ret;
3438 /* if we can retry, do so with the callbacks armed */
3439 if (!io_rw_should_retry(req)) {
3440 kiocb->ki_flags &= ~IOCB_WAITQ;
3445 * Now retry read with the IOCB_WAITQ parts set in the iocb. If we
3446 * get -EIOCBQUEUED, then we'll get a notification when the desired
3447 * page gets unlocked. We can also get a partial read here, and if we
3448 * do, then just retry at the new offset.
3450 ret = io_iter_do_read(req, iter);
3451 if (ret == -EIOCBQUEUED) {
3454 } else if (ret > 0 && ret < io_size) {
3455 /* we got some bytes, but not all. retry. */
3459 kiocb_done(kiocb, ret, cs);
3462 /* it's reportedly faster than delegating the null check to kfree() */
3468 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3472 ret = io_prep_rw(req, sqe);
3476 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
3479 /* either don't need iovec imported or already have it */
3480 if (!req->async_data)
3482 return io_rw_prep_async(req, WRITE);
3485 static int io_write(struct io_kiocb *req, bool force_nonblock,
3486 struct io_comp_state *cs)
3488 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3489 struct kiocb *kiocb = &req->rw.kiocb;
3490 struct iov_iter __iter, *iter = &__iter;
3491 struct io_async_rw *rw = req->async_data;
3493 ssize_t ret, ret2, io_size;
3498 ret = io_import_iovec(WRITE, req, &iovec, iter, !force_nonblock);
3501 iov_count = iov_iter_count(iter);
3503 req->result = io_size;
3505 /* Ensure we clear previously set non-block flag */
3506 if (!force_nonblock)
3507 kiocb->ki_flags &= ~IOCB_NOWAIT;
3509 kiocb->ki_flags |= IOCB_NOWAIT;
3511 /* If the file doesn't support async, just async punt */
3512 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
3515 /* file path doesn't support NOWAIT for non-direct_IO */
3516 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
3517 (req->flags & REQ_F_ISREG))
3520 ret = rw_verify_area(WRITE, req->file, io_kiocb_ppos(kiocb), iov_count);
3525 * Open-code file_start_write here to grab freeze protection,
3526 * which will be released by another thread in
3527 * io_complete_rw(). Fool lockdep by telling it the lock got
3528 * released so that it doesn't complain about the held lock when
3529 * we return to userspace.
3531 if (req->flags & REQ_F_ISREG) {
3532 __sb_start_write(file_inode(req->file)->i_sb,
3533 SB_FREEZE_WRITE, true);
3534 __sb_writers_release(file_inode(req->file)->i_sb,
3537 kiocb->ki_flags |= IOCB_WRITE;
3539 if (req->file->f_op->write_iter)
3540 ret2 = call_write_iter(req->file, kiocb, iter);
3541 else if (req->file->f_op->write)
3542 ret2 = loop_rw_iter(WRITE, req, iter);
3547 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
3548 * retry them without IOCB_NOWAIT.
3550 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
3552 /* no retry on NONBLOCK marked file */
3553 if (ret2 == -EAGAIN && (req->file->f_flags & O_NONBLOCK))
3555 if (!force_nonblock || ret2 != -EAGAIN) {
3556 /* IOPOLL retry should happen for io-wq threads */
3557 if ((req->ctx->flags & IORING_SETUP_IOPOLL) && ret2 == -EAGAIN)
3560 kiocb_done(kiocb, ret2, cs);
3563 /* some cases will consume bytes even on error returns */
3564 iov_iter_revert(iter, iov_count - iov_iter_count(iter));
3565 ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
3570 /* it's reportedly faster than delegating the null check to kfree() */
3576 static int __io_splice_prep(struct io_kiocb *req,
3577 const struct io_uring_sqe *sqe)
3579 struct io_splice* sp = &req->splice;
3580 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
3582 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3586 sp->len = READ_ONCE(sqe->len);
3587 sp->flags = READ_ONCE(sqe->splice_flags);
3589 if (unlikely(sp->flags & ~valid_flags))
3592 sp->file_in = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in),
3593 (sp->flags & SPLICE_F_FD_IN_FIXED));
3596 req->flags |= REQ_F_NEED_CLEANUP;
3598 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
3600 * Splice operation will be punted aync, and here need to
3601 * modify io_wq_work.flags, so initialize io_wq_work firstly.
3603 io_req_init_async(req);
3604 req->work.flags |= IO_WQ_WORK_UNBOUND;
3610 static int io_tee_prep(struct io_kiocb *req,
3611 const struct io_uring_sqe *sqe)
3613 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
3615 return __io_splice_prep(req, sqe);
3618 static int io_tee(struct io_kiocb *req, bool force_nonblock)
3620 struct io_splice *sp = &req->splice;
3621 struct file *in = sp->file_in;
3622 struct file *out = sp->file_out;
3623 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3629 ret = do_tee(in, out, sp->len, flags);
3631 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3632 req->flags &= ~REQ_F_NEED_CLEANUP;
3635 req_set_fail_links(req);
3636 io_req_complete(req, ret);
3640 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3642 struct io_splice* sp = &req->splice;
3644 sp->off_in = READ_ONCE(sqe->splice_off_in);
3645 sp->off_out = READ_ONCE(sqe->off);
3646 return __io_splice_prep(req, sqe);
3649 static int io_splice(struct io_kiocb *req, bool force_nonblock)
3651 struct io_splice *sp = &req->splice;
3652 struct file *in = sp->file_in;
3653 struct file *out = sp->file_out;
3654 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3655 loff_t *poff_in, *poff_out;
3661 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
3662 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
3665 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
3667 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3668 req->flags &= ~REQ_F_NEED_CLEANUP;
3671 req_set_fail_links(req);
3672 io_req_complete(req, ret);
3677 * IORING_OP_NOP just posts a completion event, nothing else.
3679 static int io_nop(struct io_kiocb *req, struct io_comp_state *cs)
3681 struct io_ring_ctx *ctx = req->ctx;
3683 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3686 __io_req_complete(req, 0, 0, cs);
3690 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3692 struct io_ring_ctx *ctx = req->ctx;
3697 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3699 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3702 req->sync.flags = READ_ONCE(sqe->fsync_flags);
3703 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
3706 req->sync.off = READ_ONCE(sqe->off);
3707 req->sync.len = READ_ONCE(sqe->len);
3711 static int io_fsync(struct io_kiocb *req, bool force_nonblock)
3713 loff_t end = req->sync.off + req->sync.len;
3716 /* fsync always requires a blocking context */
3720 ret = vfs_fsync_range(req->file, req->sync.off,
3721 end > 0 ? end : LLONG_MAX,
3722 req->sync.flags & IORING_FSYNC_DATASYNC);
3724 req_set_fail_links(req);
3725 io_req_complete(req, ret);
3729 static int io_fallocate_prep(struct io_kiocb *req,
3730 const struct io_uring_sqe *sqe)
3732 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
3734 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3737 req->sync.off = READ_ONCE(sqe->off);
3738 req->sync.len = READ_ONCE(sqe->addr);
3739 req->sync.mode = READ_ONCE(sqe->len);
3743 static int io_fallocate(struct io_kiocb *req, bool force_nonblock)
3747 /* fallocate always requiring blocking context */
3750 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
3753 req_set_fail_links(req);
3754 io_req_complete(req, ret);
3758 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3760 const char __user *fname;
3763 if (unlikely(sqe->ioprio || sqe->buf_index))
3765 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3768 /* open.how should be already initialised */
3769 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3770 req->open.how.flags |= O_LARGEFILE;
3772 req->open.dfd = READ_ONCE(sqe->fd);
3773 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3774 req->open.filename = getname(fname);
3775 if (IS_ERR(req->open.filename)) {
3776 ret = PTR_ERR(req->open.filename);
3777 req->open.filename = NULL;
3780 req->open.nofile = rlimit(RLIMIT_NOFILE);
3781 req->flags |= REQ_F_NEED_CLEANUP;
3785 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3789 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3791 mode = READ_ONCE(sqe->len);
3792 flags = READ_ONCE(sqe->open_flags);
3793 req->open.how = build_open_how(flags, mode);
3794 return __io_openat_prep(req, sqe);
3797 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3799 struct open_how __user *how;
3803 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3805 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3806 len = READ_ONCE(sqe->len);
3807 if (len < OPEN_HOW_SIZE_VER0)
3810 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3815 return __io_openat_prep(req, sqe);
3818 static int io_openat2(struct io_kiocb *req, bool force_nonblock)
3820 struct open_flags op;
3827 ret = build_open_flags(&req->open.how, &op);
3831 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3835 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3838 ret = PTR_ERR(file);
3840 fsnotify_open(file);
3841 fd_install(ret, file);
3844 putname(req->open.filename);
3845 req->flags &= ~REQ_F_NEED_CLEANUP;
3847 req_set_fail_links(req);
3848 io_req_complete(req, ret);
3852 static int io_openat(struct io_kiocb *req, bool force_nonblock)
3854 return io_openat2(req, force_nonblock);
3857 static int io_remove_buffers_prep(struct io_kiocb *req,
3858 const struct io_uring_sqe *sqe)
3860 struct io_provide_buf *p = &req->pbuf;
3863 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3866 tmp = READ_ONCE(sqe->fd);
3867 if (!tmp || tmp > USHRT_MAX)
3870 memset(p, 0, sizeof(*p));
3872 p->bgid = READ_ONCE(sqe->buf_group);
3876 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3877 int bgid, unsigned nbufs)
3881 /* shouldn't happen */
3885 /* the head kbuf is the list itself */
3886 while (!list_empty(&buf->list)) {
3887 struct io_buffer *nxt;
3889 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3890 list_del(&nxt->list);
3897 idr_remove(&ctx->io_buffer_idr, bgid);
3902 static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock,
3903 struct io_comp_state *cs)
3905 struct io_provide_buf *p = &req->pbuf;
3906 struct io_ring_ctx *ctx = req->ctx;
3907 struct io_buffer *head;
3910 io_ring_submit_lock(ctx, !force_nonblock);
3912 lockdep_assert_held(&ctx->uring_lock);
3915 head = idr_find(&ctx->io_buffer_idr, p->bgid);
3917 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3919 io_ring_submit_lock(ctx, !force_nonblock);
3921 req_set_fail_links(req);
3922 __io_req_complete(req, ret, 0, cs);
3926 static int io_provide_buffers_prep(struct io_kiocb *req,
3927 const struct io_uring_sqe *sqe)
3929 struct io_provide_buf *p = &req->pbuf;
3932 if (sqe->ioprio || sqe->rw_flags)
3935 tmp = READ_ONCE(sqe->fd);
3936 if (!tmp || tmp > USHRT_MAX)
3939 p->addr = READ_ONCE(sqe->addr);
3940 p->len = READ_ONCE(sqe->len);
3942 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3945 p->bgid = READ_ONCE(sqe->buf_group);
3946 tmp = READ_ONCE(sqe->off);
3947 if (tmp > USHRT_MAX)
3953 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3955 struct io_buffer *buf;
3956 u64 addr = pbuf->addr;
3957 int i, bid = pbuf->bid;
3959 for (i = 0; i < pbuf->nbufs; i++) {
3960 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3965 buf->len = pbuf->len;
3970 INIT_LIST_HEAD(&buf->list);
3973 list_add_tail(&buf->list, &(*head)->list);
3977 return i ? i : -ENOMEM;
3980 static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock,
3981 struct io_comp_state *cs)
3983 struct io_provide_buf *p = &req->pbuf;
3984 struct io_ring_ctx *ctx = req->ctx;
3985 struct io_buffer *head, *list;
3988 io_ring_submit_lock(ctx, !force_nonblock);
3990 lockdep_assert_held(&ctx->uring_lock);
3992 list = head = idr_find(&ctx->io_buffer_idr, p->bgid);
3994 ret = io_add_buffers(p, &head);
3999 ret = idr_alloc(&ctx->io_buffer_idr, head, p->bgid, p->bgid + 1,
4002 __io_remove_buffers(ctx, head, p->bgid, -1U);
4007 io_ring_submit_unlock(ctx, !force_nonblock);
4009 req_set_fail_links(req);
4010 __io_req_complete(req, ret, 0, cs);
4014 static int io_epoll_ctl_prep(struct io_kiocb *req,
4015 const struct io_uring_sqe *sqe)
4017 #if defined(CONFIG_EPOLL)
4018 if (sqe->ioprio || sqe->buf_index)
4020 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4023 req->epoll.epfd = READ_ONCE(sqe->fd);
4024 req->epoll.op = READ_ONCE(sqe->len);
4025 req->epoll.fd = READ_ONCE(sqe->off);
4027 if (ep_op_has_event(req->epoll.op)) {
4028 struct epoll_event __user *ev;
4030 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
4031 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
4041 static int io_epoll_ctl(struct io_kiocb *req, bool force_nonblock,
4042 struct io_comp_state *cs)
4044 #if defined(CONFIG_EPOLL)
4045 struct io_epoll *ie = &req->epoll;
4048 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
4049 if (force_nonblock && ret == -EAGAIN)
4053 req_set_fail_links(req);
4054 __io_req_complete(req, ret, 0, cs);
4061 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4063 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4064 if (sqe->ioprio || sqe->buf_index || sqe->off)
4066 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4069 req->madvise.addr = READ_ONCE(sqe->addr);
4070 req->madvise.len = READ_ONCE(sqe->len);
4071 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
4078 static int io_madvise(struct io_kiocb *req, bool force_nonblock)
4080 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4081 struct io_madvise *ma = &req->madvise;
4087 ret = do_madvise(current->mm, ma->addr, ma->len, ma->advice);
4089 req_set_fail_links(req);
4090 io_req_complete(req, ret);
4097 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4099 if (sqe->ioprio || sqe->buf_index || sqe->addr)
4101 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4104 req->fadvise.offset = READ_ONCE(sqe->off);
4105 req->fadvise.len = READ_ONCE(sqe->len);
4106 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
4110 static int io_fadvise(struct io_kiocb *req, bool force_nonblock)
4112 struct io_fadvise *fa = &req->fadvise;
4115 if (force_nonblock) {
4116 switch (fa->advice) {
4117 case POSIX_FADV_NORMAL:
4118 case POSIX_FADV_RANDOM:
4119 case POSIX_FADV_SEQUENTIAL:
4126 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
4128 req_set_fail_links(req);
4129 io_req_complete(req, ret);
4133 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4135 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL)))
4137 if (sqe->ioprio || sqe->buf_index)
4139 if (req->flags & REQ_F_FIXED_FILE)
4142 req->statx.dfd = READ_ONCE(sqe->fd);
4143 req->statx.mask = READ_ONCE(sqe->len);
4144 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
4145 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4146 req->statx.flags = READ_ONCE(sqe->statx_flags);
4151 static int io_statx(struct io_kiocb *req, bool force_nonblock)
4153 struct io_statx *ctx = &req->statx;
4156 if (force_nonblock) {
4157 /* only need file table for an actual valid fd */
4158 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
4159 req->flags |= REQ_F_NO_FILE_TABLE;
4163 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
4167 req_set_fail_links(req);
4168 io_req_complete(req, ret);
4172 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4175 * If we queue this for async, it must not be cancellable. That would
4176 * leave the 'file' in an undeterminate state, and here need to modify
4177 * io_wq_work.flags, so initialize io_wq_work firstly.
4179 io_req_init_async(req);
4180 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
4182 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4184 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
4185 sqe->rw_flags || sqe->buf_index)
4187 if (req->flags & REQ_F_FIXED_FILE)
4190 req->close.fd = READ_ONCE(sqe->fd);
4191 if ((req->file && req->file->f_op == &io_uring_fops))
4194 req->close.put_file = NULL;
4198 static int io_close(struct io_kiocb *req, bool force_nonblock,
4199 struct io_comp_state *cs)
4201 struct io_close *close = &req->close;
4204 /* might be already done during nonblock submission */
4205 if (!close->put_file) {
4206 ret = __close_fd_get_file(close->fd, &close->put_file);
4208 return (ret == -ENOENT) ? -EBADF : ret;
4211 /* if the file has a flush method, be safe and punt to async */
4212 if (close->put_file->f_op->flush && force_nonblock) {
4213 /* was never set, but play safe */
4214 req->flags &= ~REQ_F_NOWAIT;
4215 /* avoid grabbing files - we don't need the files */
4216 req->flags |= REQ_F_NO_FILE_TABLE;
4220 /* No ->flush() or already async, safely close from here */
4221 ret = filp_close(close->put_file, req->work.identity->files);
4223 req_set_fail_links(req);
4224 fput(close->put_file);
4225 close->put_file = NULL;
4226 __io_req_complete(req, ret, 0, cs);
4230 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4232 struct io_ring_ctx *ctx = req->ctx;
4237 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
4239 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
4242 req->sync.off = READ_ONCE(sqe->off);
4243 req->sync.len = READ_ONCE(sqe->len);
4244 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
4248 static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
4252 /* sync_file_range always requires a blocking context */
4256 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
4259 req_set_fail_links(req);
4260 io_req_complete(req, ret);
4264 #if defined(CONFIG_NET)
4265 static int io_setup_async_msg(struct io_kiocb *req,
4266 struct io_async_msghdr *kmsg)
4268 struct io_async_msghdr *async_msg = req->async_data;
4272 if (io_alloc_async_data(req)) {
4273 if (kmsg->iov != kmsg->fast_iov)
4277 async_msg = req->async_data;
4278 req->flags |= REQ_F_NEED_CLEANUP;
4279 memcpy(async_msg, kmsg, sizeof(*kmsg));
4283 static int io_sendmsg_copy_hdr(struct io_kiocb *req,
4284 struct io_async_msghdr *iomsg)
4286 iomsg->iov = iomsg->fast_iov;
4287 iomsg->msg.msg_name = &iomsg->addr;
4288 return sendmsg_copy_msghdr(&iomsg->msg, req->sr_msg.umsg,
4289 req->sr_msg.msg_flags, &iomsg->iov);
4292 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4294 struct io_async_msghdr *async_msg = req->async_data;
4295 struct io_sr_msg *sr = &req->sr_msg;
4298 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4301 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4302 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4303 sr->len = READ_ONCE(sqe->len);
4305 #ifdef CONFIG_COMPAT
4306 if (req->ctx->compat)
4307 sr->msg_flags |= MSG_CMSG_COMPAT;
4310 if (!async_msg || !io_op_defs[req->opcode].needs_async_data)
4312 ret = io_sendmsg_copy_hdr(req, async_msg);
4314 req->flags |= REQ_F_NEED_CLEANUP;
4318 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4319 struct io_comp_state *cs)
4321 struct io_async_msghdr iomsg, *kmsg;
4322 struct socket *sock;
4326 sock = sock_from_file(req->file, &ret);
4327 if (unlikely(!sock))
4330 if (req->async_data) {
4331 kmsg = req->async_data;
4332 kmsg->msg.msg_name = &kmsg->addr;
4333 /* if iov is set, it's allocated already */
4335 kmsg->iov = kmsg->fast_iov;
4336 kmsg->msg.msg_iter.iov = kmsg->iov;
4338 ret = io_sendmsg_copy_hdr(req, &iomsg);
4344 flags = req->sr_msg.msg_flags;
4345 if (flags & MSG_DONTWAIT)
4346 req->flags |= REQ_F_NOWAIT;
4347 else if (force_nonblock)
4348 flags |= MSG_DONTWAIT;
4350 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
4351 if (force_nonblock && ret == -EAGAIN)
4352 return io_setup_async_msg(req, kmsg);
4353 if (ret == -ERESTARTSYS)
4356 if (kmsg->iov != kmsg->fast_iov)
4358 req->flags &= ~REQ_F_NEED_CLEANUP;
4360 req_set_fail_links(req);
4361 __io_req_complete(req, ret, 0, cs);
4365 static int io_send(struct io_kiocb *req, bool force_nonblock,
4366 struct io_comp_state *cs)
4368 struct io_sr_msg *sr = &req->sr_msg;
4371 struct socket *sock;
4375 sock = sock_from_file(req->file, &ret);
4376 if (unlikely(!sock))
4379 ret = import_single_range(WRITE, sr->buf, sr->len, &iov, &msg.msg_iter);
4383 msg.msg_name = NULL;
4384 msg.msg_control = NULL;
4385 msg.msg_controllen = 0;
4386 msg.msg_namelen = 0;
4388 flags = req->sr_msg.msg_flags;
4389 if (flags & MSG_DONTWAIT)
4390 req->flags |= REQ_F_NOWAIT;
4391 else if (force_nonblock)
4392 flags |= MSG_DONTWAIT;
4394 msg.msg_flags = flags;
4395 ret = sock_sendmsg(sock, &msg);
4396 if (force_nonblock && ret == -EAGAIN)
4398 if (ret == -ERESTARTSYS)
4402 req_set_fail_links(req);
4403 __io_req_complete(req, ret, 0, cs);
4407 static int __io_recvmsg_copy_hdr(struct io_kiocb *req,
4408 struct io_async_msghdr *iomsg)
4410 struct io_sr_msg *sr = &req->sr_msg;
4411 struct iovec __user *uiov;
4415 ret = __copy_msghdr_from_user(&iomsg->msg, sr->umsg,
4416 &iomsg->uaddr, &uiov, &iov_len);
4420 if (req->flags & REQ_F_BUFFER_SELECT) {
4423 if (copy_from_user(iomsg->iov, uiov, sizeof(*uiov)))
4425 sr->len = iomsg->iov[0].iov_len;
4426 iov_iter_init(&iomsg->msg.msg_iter, READ, iomsg->iov, 1,
4430 ret = __import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
4431 &iomsg->iov, &iomsg->msg.msg_iter,
4440 #ifdef CONFIG_COMPAT
4441 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
4442 struct io_async_msghdr *iomsg)
4444 struct compat_msghdr __user *msg_compat;
4445 struct io_sr_msg *sr = &req->sr_msg;
4446 struct compat_iovec __user *uiov;
4451 msg_compat = (struct compat_msghdr __user *) sr->umsg;
4452 ret = __get_compat_msghdr(&iomsg->msg, msg_compat, &iomsg->uaddr,
4457 uiov = compat_ptr(ptr);
4458 if (req->flags & REQ_F_BUFFER_SELECT) {
4459 compat_ssize_t clen;
4463 if (!access_ok(uiov, sizeof(*uiov)))
4465 if (__get_user(clen, &uiov->iov_len))
4469 sr->len = iomsg->iov[0].iov_len;
4472 ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
4473 UIO_FASTIOV, &iomsg->iov,
4474 &iomsg->msg.msg_iter, true);
4483 static int io_recvmsg_copy_hdr(struct io_kiocb *req,
4484 struct io_async_msghdr *iomsg)
4486 iomsg->msg.msg_name = &iomsg->addr;
4487 iomsg->iov = iomsg->fast_iov;
4489 #ifdef CONFIG_COMPAT
4490 if (req->ctx->compat)
4491 return __io_compat_recvmsg_copy_hdr(req, iomsg);
4494 return __io_recvmsg_copy_hdr(req, iomsg);
4497 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
4500 struct io_sr_msg *sr = &req->sr_msg;
4501 struct io_buffer *kbuf;
4503 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
4508 req->flags |= REQ_F_BUFFER_SELECTED;
4512 static inline unsigned int io_put_recv_kbuf(struct io_kiocb *req)
4514 return io_put_kbuf(req, req->sr_msg.kbuf);
4517 static int io_recvmsg_prep(struct io_kiocb *req,
4518 const struct io_uring_sqe *sqe)
4520 struct io_async_msghdr *async_msg = req->async_data;
4521 struct io_sr_msg *sr = &req->sr_msg;
4524 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4527 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4528 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4529 sr->len = READ_ONCE(sqe->len);
4530 sr->bgid = READ_ONCE(sqe->buf_group);
4532 #ifdef CONFIG_COMPAT
4533 if (req->ctx->compat)
4534 sr->msg_flags |= MSG_CMSG_COMPAT;
4537 if (!async_msg || !io_op_defs[req->opcode].needs_async_data)
4539 ret = io_recvmsg_copy_hdr(req, async_msg);
4541 req->flags |= REQ_F_NEED_CLEANUP;
4545 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4546 struct io_comp_state *cs)
4548 struct io_async_msghdr iomsg, *kmsg;
4549 struct socket *sock;
4550 struct io_buffer *kbuf;
4552 int ret, cflags = 0;
4554 sock = sock_from_file(req->file, &ret);
4555 if (unlikely(!sock))
4558 if (req->async_data) {
4559 kmsg = req->async_data;
4560 kmsg->msg.msg_name = &kmsg->addr;
4561 /* if iov is set, it's allocated already */
4563 kmsg->iov = kmsg->fast_iov;
4564 kmsg->msg.msg_iter.iov = kmsg->iov;
4566 ret = io_recvmsg_copy_hdr(req, &iomsg);
4572 if (req->flags & REQ_F_BUFFER_SELECT) {
4573 kbuf = io_recv_buffer_select(req, !force_nonblock);
4575 return PTR_ERR(kbuf);
4576 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
4577 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->iov,
4578 1, req->sr_msg.len);
4581 flags = req->sr_msg.msg_flags;
4582 if (flags & MSG_DONTWAIT)
4583 req->flags |= REQ_F_NOWAIT;
4584 else if (force_nonblock)
4585 flags |= MSG_DONTWAIT;
4587 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,
4588 kmsg->uaddr, flags);
4589 if (force_nonblock && ret == -EAGAIN)
4590 return io_setup_async_msg(req, kmsg);
4591 if (ret == -ERESTARTSYS)
4594 if (req->flags & REQ_F_BUFFER_SELECTED)
4595 cflags = io_put_recv_kbuf(req);
4596 if (kmsg->iov != kmsg->fast_iov)
4598 req->flags &= ~REQ_F_NEED_CLEANUP;
4600 req_set_fail_links(req);
4601 __io_req_complete(req, ret, cflags, cs);
4605 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4606 struct io_comp_state *cs)
4608 struct io_buffer *kbuf;
4609 struct io_sr_msg *sr = &req->sr_msg;
4611 void __user *buf = sr->buf;
4612 struct socket *sock;
4615 int ret, cflags = 0;
4617 sock = sock_from_file(req->file, &ret);
4618 if (unlikely(!sock))
4621 if (req->flags & REQ_F_BUFFER_SELECT) {
4622 kbuf = io_recv_buffer_select(req, !force_nonblock);
4624 return PTR_ERR(kbuf);
4625 buf = u64_to_user_ptr(kbuf->addr);
4628 ret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);
4632 msg.msg_name = NULL;
4633 msg.msg_control = NULL;
4634 msg.msg_controllen = 0;
4635 msg.msg_namelen = 0;
4636 msg.msg_iocb = NULL;
4639 flags = req->sr_msg.msg_flags;
4640 if (flags & MSG_DONTWAIT)
4641 req->flags |= REQ_F_NOWAIT;
4642 else if (force_nonblock)
4643 flags |= MSG_DONTWAIT;
4645 ret = sock_recvmsg(sock, &msg, flags);
4646 if (force_nonblock && ret == -EAGAIN)
4648 if (ret == -ERESTARTSYS)
4651 if (req->flags & REQ_F_BUFFER_SELECTED)
4652 cflags = io_put_recv_kbuf(req);
4654 req_set_fail_links(req);
4655 __io_req_complete(req, ret, cflags, cs);
4659 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4661 struct io_accept *accept = &req->accept;
4663 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4665 if (sqe->ioprio || sqe->len || sqe->buf_index)
4668 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4669 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4670 accept->flags = READ_ONCE(sqe->accept_flags);
4671 accept->nofile = rlimit(RLIMIT_NOFILE);
4675 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4676 struct io_comp_state *cs)
4678 struct io_accept *accept = &req->accept;
4679 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
4682 if (req->file->f_flags & O_NONBLOCK)
4683 req->flags |= REQ_F_NOWAIT;
4685 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
4686 accept->addr_len, accept->flags,
4688 if (ret == -EAGAIN && force_nonblock)
4691 if (ret == -ERESTARTSYS)
4693 req_set_fail_links(req);
4695 __io_req_complete(req, ret, 0, cs);
4699 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4701 struct io_connect *conn = &req->connect;
4702 struct io_async_connect *io = req->async_data;
4704 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4706 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
4709 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4710 conn->addr_len = READ_ONCE(sqe->addr2);
4715 return move_addr_to_kernel(conn->addr, conn->addr_len,
4719 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4720 struct io_comp_state *cs)
4722 struct io_async_connect __io, *io;
4723 unsigned file_flags;
4726 if (req->async_data) {
4727 io = req->async_data;
4729 ret = move_addr_to_kernel(req->connect.addr,
4730 req->connect.addr_len,
4737 file_flags = force_nonblock ? O_NONBLOCK : 0;
4739 ret = __sys_connect_file(req->file, &io->address,
4740 req->connect.addr_len, file_flags);
4741 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4742 if (req->async_data)
4744 if (io_alloc_async_data(req)) {
4748 io = req->async_data;
4749 memcpy(req->async_data, &__io, sizeof(__io));
4752 if (ret == -ERESTARTSYS)
4756 req_set_fail_links(req);
4757 __io_req_complete(req, ret, 0, cs);
4760 #else /* !CONFIG_NET */
4761 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4766 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4767 struct io_comp_state *cs)
4772 static int io_send(struct io_kiocb *req, bool force_nonblock,
4773 struct io_comp_state *cs)
4778 static int io_recvmsg_prep(struct io_kiocb *req,
4779 const struct io_uring_sqe *sqe)
4784 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4785 struct io_comp_state *cs)
4790 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4791 struct io_comp_state *cs)
4796 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4801 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4802 struct io_comp_state *cs)
4807 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4812 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4813 struct io_comp_state *cs)
4817 #endif /* CONFIG_NET */
4819 struct io_poll_table {
4820 struct poll_table_struct pt;
4821 struct io_kiocb *req;
4825 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4826 __poll_t mask, task_work_func_t func)
4831 /* for instances that support it check for an event match first: */
4832 if (mask && !(mask & poll->events))
4835 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4837 list_del_init(&poll->wait.entry);
4840 init_task_work(&req->task_work, func);
4841 percpu_ref_get(&req->ctx->refs);
4844 * If we using the signalfd wait_queue_head for this wakeup, then
4845 * it's not safe to use TWA_SIGNAL as we could be recursing on the
4846 * tsk->sighand->siglock on doing the wakeup. Should not be needed
4847 * either, as the normal wakeup will suffice.
4849 twa_signal_ok = (poll->head != &req->task->sighand->signalfd_wqh);
4852 * If this fails, then the task is exiting. When a task exits, the
4853 * work gets canceled, so just cancel this request as well instead
4854 * of executing it. We can't safely execute it anyway, as we may not
4855 * have the needed state needed for it anyway.
4857 ret = io_req_task_work_add(req, twa_signal_ok);
4858 if (unlikely(ret)) {
4859 struct task_struct *tsk;
4861 WRITE_ONCE(poll->canceled, true);
4862 tsk = io_wq_get_task(req->ctx->io_wq);
4863 task_work_add(tsk, &req->task_work, TWA_NONE);
4864 wake_up_process(tsk);
4869 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4870 __acquires(&req->ctx->completion_lock)
4872 struct io_ring_ctx *ctx = req->ctx;
4874 if (!req->result && !READ_ONCE(poll->canceled)) {
4875 struct poll_table_struct pt = { ._key = poll->events };
4877 req->result = vfs_poll(req->file, &pt) & poll->events;
4880 spin_lock_irq(&ctx->completion_lock);
4881 if (!req->result && !READ_ONCE(poll->canceled)) {
4882 add_wait_queue(poll->head, &poll->wait);
4889 static struct io_poll_iocb *io_poll_get_double(struct io_kiocb *req)
4891 /* pure poll stashes this in ->async_data, poll driven retry elsewhere */
4892 if (req->opcode == IORING_OP_POLL_ADD)
4893 return req->async_data;
4894 return req->apoll->double_poll;
4897 static struct io_poll_iocb *io_poll_get_single(struct io_kiocb *req)
4899 if (req->opcode == IORING_OP_POLL_ADD)
4901 return &req->apoll->poll;
4904 static void io_poll_remove_double(struct io_kiocb *req)
4906 struct io_poll_iocb *poll = io_poll_get_double(req);
4908 lockdep_assert_held(&req->ctx->completion_lock);
4910 if (poll && poll->head) {
4911 struct wait_queue_head *head = poll->head;
4913 spin_lock(&head->lock);
4914 list_del_init(&poll->wait.entry);
4915 if (poll->wait.private)
4916 refcount_dec(&req->refs);
4918 spin_unlock(&head->lock);
4922 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4924 struct io_ring_ctx *ctx = req->ctx;
4926 io_poll_remove_double(req);
4927 req->poll.done = true;
4928 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4929 io_commit_cqring(ctx);
4932 static void io_poll_task_func(struct callback_head *cb)
4934 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4935 struct io_ring_ctx *ctx = req->ctx;
4936 struct io_kiocb *nxt;
4938 if (io_poll_rewait(req, &req->poll)) {
4939 spin_unlock_irq(&ctx->completion_lock);
4941 hash_del(&req->hash_node);
4942 io_poll_complete(req, req->result, 0);
4943 spin_unlock_irq(&ctx->completion_lock);
4945 nxt = io_put_req_find_next(req);
4946 io_cqring_ev_posted(ctx);
4948 __io_req_task_submit(nxt);
4951 percpu_ref_put(&ctx->refs);
4954 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4955 int sync, void *key)
4957 struct io_kiocb *req = wait->private;
4958 struct io_poll_iocb *poll = io_poll_get_single(req);
4959 __poll_t mask = key_to_poll(key);
4961 /* for instances that support it check for an event match first: */
4962 if (mask && !(mask & poll->events))
4965 list_del_init(&wait->entry);
4967 if (poll && poll->head) {
4970 spin_lock(&poll->head->lock);
4971 done = list_empty(&poll->wait.entry);
4973 list_del_init(&poll->wait.entry);
4974 /* make sure double remove sees this as being gone */
4975 wait->private = NULL;
4976 spin_unlock(&poll->head->lock);
4978 /* use wait func handler, so it matches the rq type */
4979 poll->wait.func(&poll->wait, mode, sync, key);
4982 refcount_dec(&req->refs);
4986 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4987 wait_queue_func_t wake_func)
4991 poll->canceled = false;
4992 poll->events = events;
4993 INIT_LIST_HEAD(&poll->wait.entry);
4994 init_waitqueue_func_entry(&poll->wait, wake_func);
4997 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
4998 struct wait_queue_head *head,
4999 struct io_poll_iocb **poll_ptr)
5001 struct io_kiocb *req = pt->req;
5004 * If poll->head is already set, it's because the file being polled
5005 * uses multiple waitqueues for poll handling (eg one for read, one
5006 * for write). Setup a separate io_poll_iocb if this happens.
5008 if (unlikely(poll->head)) {
5009 struct io_poll_iocb *poll_one = poll;
5011 /* already have a 2nd entry, fail a third attempt */
5013 pt->error = -EINVAL;
5016 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
5018 pt->error = -ENOMEM;
5021 io_init_poll_iocb(poll, poll_one->events, io_poll_double_wake);
5022 refcount_inc(&req->refs);
5023 poll->wait.private = req;
5030 if (poll->events & EPOLLEXCLUSIVE)
5031 add_wait_queue_exclusive(head, &poll->wait);
5033 add_wait_queue(head, &poll->wait);
5036 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
5037 struct poll_table_struct *p)
5039 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5040 struct async_poll *apoll = pt->req->apoll;
5042 __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
5045 static void io_async_task_func(struct callback_head *cb)
5047 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
5048 struct async_poll *apoll = req->apoll;
5049 struct io_ring_ctx *ctx = req->ctx;
5051 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
5053 if (io_poll_rewait(req, &apoll->poll)) {
5054 spin_unlock_irq(&ctx->completion_lock);
5055 percpu_ref_put(&ctx->refs);
5059 /* If req is still hashed, it cannot have been canceled. Don't check. */
5060 if (hash_hashed(&req->hash_node))
5061 hash_del(&req->hash_node);
5063 io_poll_remove_double(req);
5064 spin_unlock_irq(&ctx->completion_lock);
5066 if (!READ_ONCE(apoll->poll.canceled))
5067 __io_req_task_submit(req);
5069 __io_req_task_cancel(req, -ECANCELED);
5071 percpu_ref_put(&ctx->refs);
5072 kfree(apoll->double_poll);
5076 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5079 struct io_kiocb *req = wait->private;
5080 struct io_poll_iocb *poll = &req->apoll->poll;
5082 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
5085 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
5088 static void io_poll_req_insert(struct io_kiocb *req)
5090 struct io_ring_ctx *ctx = req->ctx;
5091 struct hlist_head *list;
5093 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
5094 hlist_add_head(&req->hash_node, list);
5097 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
5098 struct io_poll_iocb *poll,
5099 struct io_poll_table *ipt, __poll_t mask,
5100 wait_queue_func_t wake_func)
5101 __acquires(&ctx->completion_lock)
5103 struct io_ring_ctx *ctx = req->ctx;
5104 bool cancel = false;
5106 INIT_HLIST_NODE(&req->hash_node);
5107 io_init_poll_iocb(poll, mask, wake_func);
5108 poll->file = req->file;
5109 poll->wait.private = req;
5111 ipt->pt._key = mask;
5113 ipt->error = -EINVAL;
5115 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
5117 spin_lock_irq(&ctx->completion_lock);
5118 if (likely(poll->head)) {
5119 spin_lock(&poll->head->lock);
5120 if (unlikely(list_empty(&poll->wait.entry))) {
5126 if (mask || ipt->error)
5127 list_del_init(&poll->wait.entry);
5129 WRITE_ONCE(poll->canceled, true);
5130 else if (!poll->done) /* actually waiting for an event */
5131 io_poll_req_insert(req);
5132 spin_unlock(&poll->head->lock);
5138 static bool io_arm_poll_handler(struct io_kiocb *req)
5140 const struct io_op_def *def = &io_op_defs[req->opcode];
5141 struct io_ring_ctx *ctx = req->ctx;
5142 struct async_poll *apoll;
5143 struct io_poll_table ipt;
5147 if (!req->file || !file_can_poll(req->file))
5149 if (req->flags & REQ_F_POLLED)
5153 else if (def->pollout)
5157 /* if we can't nonblock try, then no point in arming a poll handler */
5158 if (!io_file_supports_async(req->file, rw))
5161 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
5162 if (unlikely(!apoll))
5164 apoll->double_poll = NULL;
5166 req->flags |= REQ_F_POLLED;
5171 mask |= POLLIN | POLLRDNORM;
5173 mask |= POLLOUT | POLLWRNORM;
5175 /* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */
5176 if ((req->opcode == IORING_OP_RECVMSG) &&
5177 (req->sr_msg.msg_flags & MSG_ERRQUEUE))
5180 mask |= POLLERR | POLLPRI;
5182 ipt.pt._qproc = io_async_queue_proc;
5184 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
5186 if (ret || ipt.error) {
5187 io_poll_remove_double(req);
5188 spin_unlock_irq(&ctx->completion_lock);
5189 kfree(apoll->double_poll);
5193 spin_unlock_irq(&ctx->completion_lock);
5194 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
5195 apoll->poll.events);
5199 static bool __io_poll_remove_one(struct io_kiocb *req,
5200 struct io_poll_iocb *poll)
5202 bool do_complete = false;
5204 spin_lock(&poll->head->lock);
5205 WRITE_ONCE(poll->canceled, true);
5206 if (!list_empty(&poll->wait.entry)) {
5207 list_del_init(&poll->wait.entry);
5210 spin_unlock(&poll->head->lock);
5211 hash_del(&req->hash_node);
5215 static bool io_poll_remove_one(struct io_kiocb *req)
5219 io_poll_remove_double(req);
5221 if (req->opcode == IORING_OP_POLL_ADD) {
5222 do_complete = __io_poll_remove_one(req, &req->poll);
5224 struct async_poll *apoll = req->apoll;
5226 /* non-poll requests have submit ref still */
5227 do_complete = __io_poll_remove_one(req, &apoll->poll);
5230 kfree(apoll->double_poll);
5236 io_cqring_fill_event(req, -ECANCELED);
5237 io_commit_cqring(req->ctx);
5238 req_set_fail_links(req);
5239 io_put_req_deferred(req, 1);
5246 * Returns true if we found and killed one or more poll requests
5248 static bool io_poll_remove_all(struct io_ring_ctx *ctx, struct task_struct *tsk)
5250 struct hlist_node *tmp;
5251 struct io_kiocb *req;
5254 spin_lock_irq(&ctx->completion_lock);
5255 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
5256 struct hlist_head *list;
5258 list = &ctx->cancel_hash[i];
5259 hlist_for_each_entry_safe(req, tmp, list, hash_node) {
5260 if (io_task_match(req, tsk))
5261 posted += io_poll_remove_one(req);
5264 spin_unlock_irq(&ctx->completion_lock);
5267 io_cqring_ev_posted(ctx);
5272 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
5274 struct hlist_head *list;
5275 struct io_kiocb *req;
5277 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
5278 hlist_for_each_entry(req, list, hash_node) {
5279 if (sqe_addr != req->user_data)
5281 if (io_poll_remove_one(req))
5289 static int io_poll_remove_prep(struct io_kiocb *req,
5290 const struct io_uring_sqe *sqe)
5292 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5294 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
5298 req->poll.addr = READ_ONCE(sqe->addr);
5303 * Find a running poll command that matches one specified in sqe->addr,
5304 * and remove it if found.
5306 static int io_poll_remove(struct io_kiocb *req)
5308 struct io_ring_ctx *ctx = req->ctx;
5312 addr = req->poll.addr;
5313 spin_lock_irq(&ctx->completion_lock);
5314 ret = io_poll_cancel(ctx, addr);
5315 spin_unlock_irq(&ctx->completion_lock);
5318 req_set_fail_links(req);
5319 io_req_complete(req, ret);
5323 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
5326 struct io_kiocb *req = wait->private;
5327 struct io_poll_iocb *poll = &req->poll;
5329 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
5332 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
5333 struct poll_table_struct *p)
5335 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
5337 __io_queue_proc(&pt->req->poll, pt, head, (struct io_poll_iocb **) &pt->req->async_data);
5340 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5342 struct io_poll_iocb *poll = &req->poll;
5345 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5347 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
5350 events = READ_ONCE(sqe->poll32_events);
5352 events = swahw32(events);
5354 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |
5355 (events & EPOLLEXCLUSIVE);
5359 static int io_poll_add(struct io_kiocb *req)
5361 struct io_poll_iocb *poll = &req->poll;
5362 struct io_ring_ctx *ctx = req->ctx;
5363 struct io_poll_table ipt;
5366 ipt.pt._qproc = io_poll_queue_proc;
5368 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
5371 if (mask) { /* no async, we'd stolen it */
5373 io_poll_complete(req, mask, 0);
5375 spin_unlock_irq(&ctx->completion_lock);
5378 io_cqring_ev_posted(ctx);
5384 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
5386 struct io_timeout_data *data = container_of(timer,
5387 struct io_timeout_data, timer);
5388 struct io_kiocb *req = data->req;
5389 struct io_ring_ctx *ctx = req->ctx;
5390 unsigned long flags;
5392 spin_lock_irqsave(&ctx->completion_lock, flags);
5393 list_del_init(&req->timeout.list);
5394 atomic_set(&req->ctx->cq_timeouts,
5395 atomic_read(&req->ctx->cq_timeouts) + 1);
5397 io_cqring_fill_event(req, -ETIME);
5398 io_commit_cqring(ctx);
5399 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5401 io_cqring_ev_posted(ctx);
5402 req_set_fail_links(req);
5404 return HRTIMER_NORESTART;
5407 static int __io_timeout_cancel(struct io_kiocb *req)
5409 struct io_timeout_data *io = req->async_data;
5412 ret = hrtimer_try_to_cancel(&io->timer);
5415 list_del_init(&req->timeout.list);
5417 req_set_fail_links(req);
5418 io_cqring_fill_event(req, -ECANCELED);
5419 io_put_req_deferred(req, 1);
5423 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
5425 struct io_kiocb *req;
5428 list_for_each_entry(req, &ctx->timeout_list, timeout.list) {
5429 if (user_data == req->user_data) {
5438 return __io_timeout_cancel(req);
5441 static int io_timeout_remove_prep(struct io_kiocb *req,
5442 const struct io_uring_sqe *sqe)
5444 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5446 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5448 if (sqe->ioprio || sqe->buf_index || sqe->len || sqe->timeout_flags)
5451 req->timeout_rem.addr = READ_ONCE(sqe->addr);
5456 * Remove or update an existing timeout command
5458 static int io_timeout_remove(struct io_kiocb *req)
5460 struct io_ring_ctx *ctx = req->ctx;
5463 spin_lock_irq(&ctx->completion_lock);
5464 ret = io_timeout_cancel(ctx, req->timeout_rem.addr);
5466 io_cqring_fill_event(req, ret);
5467 io_commit_cqring(ctx);
5468 spin_unlock_irq(&ctx->completion_lock);
5469 io_cqring_ev_posted(ctx);
5471 req_set_fail_links(req);
5476 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5477 bool is_timeout_link)
5479 struct io_timeout_data *data;
5481 u32 off = READ_ONCE(sqe->off);
5483 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5485 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
5487 if (off && is_timeout_link)
5489 flags = READ_ONCE(sqe->timeout_flags);
5490 if (flags & ~IORING_TIMEOUT_ABS)
5493 req->timeout.off = off;
5495 if (!req->async_data && io_alloc_async_data(req))
5498 data = req->async_data;
5501 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5504 if (flags & IORING_TIMEOUT_ABS)
5505 data->mode = HRTIMER_MODE_ABS;
5507 data->mode = HRTIMER_MODE_REL;
5509 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
5513 static int io_timeout(struct io_kiocb *req)
5515 struct io_ring_ctx *ctx = req->ctx;
5516 struct io_timeout_data *data = req->async_data;
5517 struct list_head *entry;
5518 u32 tail, off = req->timeout.off;
5520 spin_lock_irq(&ctx->completion_lock);
5523 * sqe->off holds how many events that need to occur for this
5524 * timeout event to be satisfied. If it isn't set, then this is
5525 * a pure timeout request, sequence isn't used.
5527 if (io_is_timeout_noseq(req)) {
5528 entry = ctx->timeout_list.prev;
5532 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
5533 req->timeout.target_seq = tail + off;
5536 * Insertion sort, ensuring the first entry in the list is always
5537 * the one we need first.
5539 list_for_each_prev(entry, &ctx->timeout_list) {
5540 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb,
5543 if (io_is_timeout_noseq(nxt))
5545 /* nxt.seq is behind @tail, otherwise would've been completed */
5546 if (off >= nxt->timeout.target_seq - tail)
5550 list_add(&req->timeout.list, entry);
5551 data->timer.function = io_timeout_fn;
5552 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5553 spin_unlock_irq(&ctx->completion_lock);
5557 static bool io_cancel_cb(struct io_wq_work *work, void *data)
5559 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5561 return req->user_data == (unsigned long) data;
5564 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
5566 enum io_wq_cancel cancel_ret;
5569 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr, false);
5570 switch (cancel_ret) {
5571 case IO_WQ_CANCEL_OK:
5574 case IO_WQ_CANCEL_RUNNING:
5577 case IO_WQ_CANCEL_NOTFOUND:
5585 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
5586 struct io_kiocb *req, __u64 sqe_addr,
5589 unsigned long flags;
5592 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
5593 if (ret != -ENOENT) {
5594 spin_lock_irqsave(&ctx->completion_lock, flags);
5598 spin_lock_irqsave(&ctx->completion_lock, flags);
5599 ret = io_timeout_cancel(ctx, sqe_addr);
5602 ret = io_poll_cancel(ctx, sqe_addr);
5606 io_cqring_fill_event(req, ret);
5607 io_commit_cqring(ctx);
5608 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5609 io_cqring_ev_posted(ctx);
5612 req_set_fail_links(req);
5616 static int io_async_cancel_prep(struct io_kiocb *req,
5617 const struct io_uring_sqe *sqe)
5619 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5621 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5623 if (sqe->ioprio || sqe->off || sqe->len || sqe->cancel_flags)
5626 req->cancel.addr = READ_ONCE(sqe->addr);
5630 static int io_async_cancel(struct io_kiocb *req)
5632 struct io_ring_ctx *ctx = req->ctx;
5634 io_async_find_and_cancel(ctx, req, req->cancel.addr, 0);
5638 static int io_files_update_prep(struct io_kiocb *req,
5639 const struct io_uring_sqe *sqe)
5641 if (unlikely(req->ctx->flags & IORING_SETUP_SQPOLL))
5643 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
5645 if (sqe->ioprio || sqe->rw_flags)
5648 req->files_update.offset = READ_ONCE(sqe->off);
5649 req->files_update.nr_args = READ_ONCE(sqe->len);
5650 if (!req->files_update.nr_args)
5652 req->files_update.arg = READ_ONCE(sqe->addr);
5656 static int io_files_update(struct io_kiocb *req, bool force_nonblock,
5657 struct io_comp_state *cs)
5659 struct io_ring_ctx *ctx = req->ctx;
5660 struct io_uring_files_update up;
5666 up.offset = req->files_update.offset;
5667 up.fds = req->files_update.arg;
5669 mutex_lock(&ctx->uring_lock);
5670 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
5671 mutex_unlock(&ctx->uring_lock);
5674 req_set_fail_links(req);
5675 __io_req_complete(req, ret, 0, cs);
5679 static int io_req_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5681 switch (req->opcode) {
5684 case IORING_OP_READV:
5685 case IORING_OP_READ_FIXED:
5686 case IORING_OP_READ:
5687 return io_read_prep(req, sqe);
5688 case IORING_OP_WRITEV:
5689 case IORING_OP_WRITE_FIXED:
5690 case IORING_OP_WRITE:
5691 return io_write_prep(req, sqe);
5692 case IORING_OP_POLL_ADD:
5693 return io_poll_add_prep(req, sqe);
5694 case IORING_OP_POLL_REMOVE:
5695 return io_poll_remove_prep(req, sqe);
5696 case IORING_OP_FSYNC:
5697 return io_prep_fsync(req, sqe);
5698 case IORING_OP_SYNC_FILE_RANGE:
5699 return io_prep_sfr(req, sqe);
5700 case IORING_OP_SENDMSG:
5701 case IORING_OP_SEND:
5702 return io_sendmsg_prep(req, sqe);
5703 case IORING_OP_RECVMSG:
5704 case IORING_OP_RECV:
5705 return io_recvmsg_prep(req, sqe);
5706 case IORING_OP_CONNECT:
5707 return io_connect_prep(req, sqe);
5708 case IORING_OP_TIMEOUT:
5709 return io_timeout_prep(req, sqe, false);
5710 case IORING_OP_TIMEOUT_REMOVE:
5711 return io_timeout_remove_prep(req, sqe);
5712 case IORING_OP_ASYNC_CANCEL:
5713 return io_async_cancel_prep(req, sqe);
5714 case IORING_OP_LINK_TIMEOUT:
5715 return io_timeout_prep(req, sqe, true);
5716 case IORING_OP_ACCEPT:
5717 return io_accept_prep(req, sqe);
5718 case IORING_OP_FALLOCATE:
5719 return io_fallocate_prep(req, sqe);
5720 case IORING_OP_OPENAT:
5721 return io_openat_prep(req, sqe);
5722 case IORING_OP_CLOSE:
5723 return io_close_prep(req, sqe);
5724 case IORING_OP_FILES_UPDATE:
5725 return io_files_update_prep(req, sqe);
5726 case IORING_OP_STATX:
5727 return io_statx_prep(req, sqe);
5728 case IORING_OP_FADVISE:
5729 return io_fadvise_prep(req, sqe);
5730 case IORING_OP_MADVISE:
5731 return io_madvise_prep(req, sqe);
5732 case IORING_OP_OPENAT2:
5733 return io_openat2_prep(req, sqe);
5734 case IORING_OP_EPOLL_CTL:
5735 return io_epoll_ctl_prep(req, sqe);
5736 case IORING_OP_SPLICE:
5737 return io_splice_prep(req, sqe);
5738 case IORING_OP_PROVIDE_BUFFERS:
5739 return io_provide_buffers_prep(req, sqe);
5740 case IORING_OP_REMOVE_BUFFERS:
5741 return io_remove_buffers_prep(req, sqe);
5743 return io_tee_prep(req, sqe);
5746 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5751 static int io_req_defer_prep(struct io_kiocb *req,
5752 const struct io_uring_sqe *sqe)
5756 if (io_alloc_async_data(req))
5758 return io_req_prep(req, sqe);
5761 static u32 io_get_sequence(struct io_kiocb *req)
5763 struct io_kiocb *pos;
5764 struct io_ring_ctx *ctx = req->ctx;
5765 u32 total_submitted, nr_reqs = 1;
5767 if (req->flags & REQ_F_LINK_HEAD)
5768 list_for_each_entry(pos, &req->link_list, link_list)
5771 total_submitted = ctx->cached_sq_head - ctx->cached_sq_dropped;
5772 return total_submitted - nr_reqs;
5775 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5777 struct io_ring_ctx *ctx = req->ctx;
5778 struct io_defer_entry *de;
5782 /* Still need defer if there is pending req in defer list. */
5783 if (likely(list_empty_careful(&ctx->defer_list) &&
5784 !(req->flags & REQ_F_IO_DRAIN)))
5787 seq = io_get_sequence(req);
5788 /* Still a chance to pass the sequence check */
5789 if (!req_need_defer(req, seq) && list_empty_careful(&ctx->defer_list))
5792 if (!req->async_data) {
5793 ret = io_req_defer_prep(req, sqe);
5797 io_prep_async_link(req);
5798 de = kmalloc(sizeof(*de), GFP_KERNEL);
5802 spin_lock_irq(&ctx->completion_lock);
5803 if (!req_need_defer(req, seq) && list_empty(&ctx->defer_list)) {
5804 spin_unlock_irq(&ctx->completion_lock);
5806 io_queue_async_work(req);
5807 return -EIOCBQUEUED;
5810 trace_io_uring_defer(ctx, req, req->user_data);
5813 list_add_tail(&de->list, &ctx->defer_list);
5814 spin_unlock_irq(&ctx->completion_lock);
5815 return -EIOCBQUEUED;
5818 static void io_req_drop_files(struct io_kiocb *req)
5820 struct io_ring_ctx *ctx = req->ctx;
5821 unsigned long flags;
5823 spin_lock_irqsave(&ctx->inflight_lock, flags);
5824 list_del(&req->inflight_entry);
5825 if (waitqueue_active(&ctx->inflight_wait))
5826 wake_up(&ctx->inflight_wait);
5827 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
5828 req->flags &= ~REQ_F_INFLIGHT;
5829 put_files_struct(req->work.identity->files);
5830 put_nsproxy(req->work.identity->nsproxy);
5831 req->work.flags &= ~IO_WQ_WORK_FILES;
5834 static void __io_clean_op(struct io_kiocb *req)
5836 if (req->flags & REQ_F_BUFFER_SELECTED) {
5837 switch (req->opcode) {
5838 case IORING_OP_READV:
5839 case IORING_OP_READ_FIXED:
5840 case IORING_OP_READ:
5841 kfree((void *)(unsigned long)req->rw.addr);
5843 case IORING_OP_RECVMSG:
5844 case IORING_OP_RECV:
5845 kfree(req->sr_msg.kbuf);
5848 req->flags &= ~REQ_F_BUFFER_SELECTED;
5851 if (req->flags & REQ_F_NEED_CLEANUP) {
5852 switch (req->opcode) {
5853 case IORING_OP_READV:
5854 case IORING_OP_READ_FIXED:
5855 case IORING_OP_READ:
5856 case IORING_OP_WRITEV:
5857 case IORING_OP_WRITE_FIXED:
5858 case IORING_OP_WRITE: {
5859 struct io_async_rw *io = req->async_data;
5861 kfree(io->free_iovec);
5864 case IORING_OP_RECVMSG:
5865 case IORING_OP_SENDMSG: {
5866 struct io_async_msghdr *io = req->async_data;
5867 if (io->iov != io->fast_iov)
5871 case IORING_OP_SPLICE:
5873 io_put_file(req, req->splice.file_in,
5874 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5876 case IORING_OP_OPENAT:
5877 case IORING_OP_OPENAT2:
5878 if (req->open.filename)
5879 putname(req->open.filename);
5882 req->flags &= ~REQ_F_NEED_CLEANUP;
5885 if (req->flags & REQ_F_INFLIGHT)
5886 io_req_drop_files(req);
5889 static int io_issue_sqe(struct io_kiocb *req, bool force_nonblock,
5890 struct io_comp_state *cs)
5892 struct io_ring_ctx *ctx = req->ctx;
5895 switch (req->opcode) {
5897 ret = io_nop(req, cs);
5899 case IORING_OP_READV:
5900 case IORING_OP_READ_FIXED:
5901 case IORING_OP_READ:
5902 ret = io_read(req, force_nonblock, cs);
5904 case IORING_OP_WRITEV:
5905 case IORING_OP_WRITE_FIXED:
5906 case IORING_OP_WRITE:
5907 ret = io_write(req, force_nonblock, cs);
5909 case IORING_OP_FSYNC:
5910 ret = io_fsync(req, force_nonblock);
5912 case IORING_OP_POLL_ADD:
5913 ret = io_poll_add(req);
5915 case IORING_OP_POLL_REMOVE:
5916 ret = io_poll_remove(req);
5918 case IORING_OP_SYNC_FILE_RANGE:
5919 ret = io_sync_file_range(req, force_nonblock);
5921 case IORING_OP_SENDMSG:
5922 ret = io_sendmsg(req, force_nonblock, cs);
5924 case IORING_OP_SEND:
5925 ret = io_send(req, force_nonblock, cs);
5927 case IORING_OP_RECVMSG:
5928 ret = io_recvmsg(req, force_nonblock, cs);
5930 case IORING_OP_RECV:
5931 ret = io_recv(req, force_nonblock, cs);
5933 case IORING_OP_TIMEOUT:
5934 ret = io_timeout(req);
5936 case IORING_OP_TIMEOUT_REMOVE:
5937 ret = io_timeout_remove(req);
5939 case IORING_OP_ACCEPT:
5940 ret = io_accept(req, force_nonblock, cs);
5942 case IORING_OP_CONNECT:
5943 ret = io_connect(req, force_nonblock, cs);
5945 case IORING_OP_ASYNC_CANCEL:
5946 ret = io_async_cancel(req);
5948 case IORING_OP_FALLOCATE:
5949 ret = io_fallocate(req, force_nonblock);
5951 case IORING_OP_OPENAT:
5952 ret = io_openat(req, force_nonblock);
5954 case IORING_OP_CLOSE:
5955 ret = io_close(req, force_nonblock, cs);
5957 case IORING_OP_FILES_UPDATE:
5958 ret = io_files_update(req, force_nonblock, cs);
5960 case IORING_OP_STATX:
5961 ret = io_statx(req, force_nonblock);
5963 case IORING_OP_FADVISE:
5964 ret = io_fadvise(req, force_nonblock);
5966 case IORING_OP_MADVISE:
5967 ret = io_madvise(req, force_nonblock);
5969 case IORING_OP_OPENAT2:
5970 ret = io_openat2(req, force_nonblock);
5972 case IORING_OP_EPOLL_CTL:
5973 ret = io_epoll_ctl(req, force_nonblock, cs);
5975 case IORING_OP_SPLICE:
5976 ret = io_splice(req, force_nonblock);
5978 case IORING_OP_PROVIDE_BUFFERS:
5979 ret = io_provide_buffers(req, force_nonblock, cs);
5981 case IORING_OP_REMOVE_BUFFERS:
5982 ret = io_remove_buffers(req, force_nonblock, cs);
5985 ret = io_tee(req, force_nonblock);
5995 /* If the op doesn't have a file, we're not polling for it */
5996 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
5997 const bool in_async = io_wq_current_is_worker();
5999 /* workqueue context doesn't hold uring_lock, grab it now */
6001 mutex_lock(&ctx->uring_lock);
6003 io_iopoll_req_issued(req);
6006 mutex_unlock(&ctx->uring_lock);
6012 static struct io_wq_work *io_wq_submit_work(struct io_wq_work *work)
6014 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6015 struct io_kiocb *timeout;
6018 timeout = io_prep_linked_timeout(req);
6020 io_queue_linked_timeout(timeout);
6022 /* if NO_CANCEL is set, we must still run the work */
6023 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
6024 IO_WQ_WORK_CANCEL) {
6030 ret = io_issue_sqe(req, false, NULL);
6032 * We can get EAGAIN for polled IO even though we're
6033 * forcing a sync submission from here, since we can't
6034 * wait for request slots on the block side.
6043 req_set_fail_links(req);
6044 io_req_complete(req, ret);
6047 return io_steal_work(req);
6050 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
6053 struct fixed_file_table *table;
6055 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
6056 return table->files[index & IORING_FILE_TABLE_MASK];
6059 static struct file *io_file_get(struct io_submit_state *state,
6060 struct io_kiocb *req, int fd, bool fixed)
6062 struct io_ring_ctx *ctx = req->ctx;
6066 if (unlikely((unsigned int)fd >= ctx->nr_user_files))
6068 fd = array_index_nospec(fd, ctx->nr_user_files);
6069 file = io_file_from_index(ctx, fd);
6071 req->fixed_file_refs = &ctx->file_data->node->refs;
6072 percpu_ref_get(req->fixed_file_refs);
6075 trace_io_uring_file_get(ctx, fd);
6076 file = __io_file_get(state, fd);
6082 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
6087 fixed = (req->flags & REQ_F_FIXED_FILE) != 0;
6088 if (unlikely(!fixed && io_async_submit(req->ctx)))
6091 req->file = io_file_get(state, req, fd, fixed);
6092 if (req->file || io_op_defs[req->opcode].needs_file_no_error)
6097 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
6099 struct io_timeout_data *data = container_of(timer,
6100 struct io_timeout_data, timer);
6101 struct io_kiocb *req = data->req;
6102 struct io_ring_ctx *ctx = req->ctx;
6103 struct io_kiocb *prev = NULL;
6104 unsigned long flags;
6106 spin_lock_irqsave(&ctx->completion_lock, flags);
6109 * We don't expect the list to be empty, that will only happen if we
6110 * race with the completion of the linked work.
6112 if (!list_empty(&req->link_list)) {
6113 prev = list_entry(req->link_list.prev, struct io_kiocb,
6115 if (refcount_inc_not_zero(&prev->refs))
6116 list_del_init(&req->link_list);
6121 spin_unlock_irqrestore(&ctx->completion_lock, flags);
6124 req_set_fail_links(prev);
6125 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
6128 io_req_complete(req, -ETIME);
6130 return HRTIMER_NORESTART;
6133 static void __io_queue_linked_timeout(struct io_kiocb *req)
6136 * If the list is now empty, then our linked request finished before
6137 * we got a chance to setup the timer
6139 if (!list_empty(&req->link_list)) {
6140 struct io_timeout_data *data = req->async_data;
6142 data->timer.function = io_link_timeout_fn;
6143 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
6148 static void io_queue_linked_timeout(struct io_kiocb *req)
6150 struct io_ring_ctx *ctx = req->ctx;
6152 spin_lock_irq(&ctx->completion_lock);
6153 __io_queue_linked_timeout(req);
6154 spin_unlock_irq(&ctx->completion_lock);
6156 /* drop submission reference */
6160 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
6162 struct io_kiocb *nxt;
6164 if (!(req->flags & REQ_F_LINK_HEAD))
6166 if (req->flags & REQ_F_LINK_TIMEOUT)
6169 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
6171 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
6174 nxt->flags |= REQ_F_LTIMEOUT_ACTIVE;
6175 req->flags |= REQ_F_LINK_TIMEOUT;
6179 static void __io_queue_sqe(struct io_kiocb *req, struct io_comp_state *cs)
6181 struct io_kiocb *linked_timeout;
6182 const struct cred *old_creds = NULL;
6186 linked_timeout = io_prep_linked_timeout(req);
6188 if ((req->flags & REQ_F_WORK_INITIALIZED) &&
6189 (req->work.flags & IO_WQ_WORK_CREDS) &&
6190 req->work.identity->creds != current_cred()) {
6192 revert_creds(old_creds);
6193 if (old_creds == req->work.identity->creds)
6194 old_creds = NULL; /* restored original creds */
6196 old_creds = override_creds(req->work.identity->creds);
6199 ret = io_issue_sqe(req, true, cs);
6202 * We async punt it if the file wasn't marked NOWAIT, or if the file
6203 * doesn't support non-blocking read/write attempts
6205 if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
6206 if (!io_arm_poll_handler(req)) {
6208 * Queued up for async execution, worker will release
6209 * submit reference when the iocb is actually submitted.
6211 io_queue_async_work(req);
6215 io_queue_linked_timeout(linked_timeout);
6216 } else if (likely(!ret)) {
6217 /* drop submission reference */
6218 req = io_put_req_find_next(req);
6220 io_queue_linked_timeout(linked_timeout);
6223 if (!(req->flags & REQ_F_FORCE_ASYNC))
6225 io_queue_async_work(req);
6228 /* un-prep timeout, so it'll be killed as any other linked */
6229 req->flags &= ~REQ_F_LINK_TIMEOUT;
6230 req_set_fail_links(req);
6232 io_req_complete(req, ret);
6236 revert_creds(old_creds);
6239 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6240 struct io_comp_state *cs)
6244 ret = io_req_defer(req, sqe);
6246 if (ret != -EIOCBQUEUED) {
6248 req_set_fail_links(req);
6250 io_req_complete(req, ret);
6252 } else if (req->flags & REQ_F_FORCE_ASYNC) {
6253 if (!req->async_data) {
6254 ret = io_req_defer_prep(req, sqe);
6258 io_queue_async_work(req);
6261 ret = io_req_prep(req, sqe);
6265 __io_queue_sqe(req, cs);
6269 static inline void io_queue_link_head(struct io_kiocb *req,
6270 struct io_comp_state *cs)
6272 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
6274 io_req_complete(req, -ECANCELED);
6276 io_queue_sqe(req, NULL, cs);
6279 static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6280 struct io_kiocb **link, struct io_comp_state *cs)
6282 struct io_ring_ctx *ctx = req->ctx;
6286 * If we already have a head request, queue this one for async
6287 * submittal once the head completes. If we don't have a head but
6288 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
6289 * submitted sync once the chain is complete. If none of those
6290 * conditions are true (normal request), then just queue it.
6293 struct io_kiocb *head = *link;
6296 * Taking sequential execution of a link, draining both sides
6297 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
6298 * requests in the link. So, it drains the head and the
6299 * next after the link request. The last one is done via
6300 * drain_next flag to persist the effect across calls.
6302 if (req->flags & REQ_F_IO_DRAIN) {
6303 head->flags |= REQ_F_IO_DRAIN;
6304 ctx->drain_next = 1;
6306 ret = io_req_defer_prep(req, sqe);
6307 if (unlikely(ret)) {
6308 /* fail even hard links since we don't submit */
6309 head->flags |= REQ_F_FAIL_LINK;
6312 trace_io_uring_link(ctx, req, head);
6313 list_add_tail(&req->link_list, &head->link_list);
6315 /* last request of a link, enqueue the link */
6316 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
6317 io_queue_link_head(head, cs);
6321 if (unlikely(ctx->drain_next)) {
6322 req->flags |= REQ_F_IO_DRAIN;
6323 ctx->drain_next = 0;
6325 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
6326 req->flags |= REQ_F_LINK_HEAD;
6327 INIT_LIST_HEAD(&req->link_list);
6329 ret = io_req_defer_prep(req, sqe);
6331 req->flags |= REQ_F_FAIL_LINK;
6334 io_queue_sqe(req, sqe, cs);
6342 * Batched submission is done, ensure local IO is flushed out.
6344 static void io_submit_state_end(struct io_submit_state *state)
6346 if (!list_empty(&state->comp.list))
6347 io_submit_flush_completions(&state->comp);
6348 blk_finish_plug(&state->plug);
6349 io_state_file_put(state);
6350 if (state->free_reqs)
6351 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
6355 * Start submission side cache.
6357 static void io_submit_state_start(struct io_submit_state *state,
6358 struct io_ring_ctx *ctx, unsigned int max_ios)
6360 blk_start_plug(&state->plug);
6362 INIT_LIST_HEAD(&state->comp.list);
6363 state->comp.ctx = ctx;
6364 state->free_reqs = 0;
6366 state->ios_left = max_ios;
6369 static void io_commit_sqring(struct io_ring_ctx *ctx)
6371 struct io_rings *rings = ctx->rings;
6374 * Ensure any loads from the SQEs are done at this point,
6375 * since once we write the new head, the application could
6376 * write new data to them.
6378 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
6382 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
6383 * that is mapped by userspace. This means that care needs to be taken to
6384 * ensure that reads are stable, as we cannot rely on userspace always
6385 * being a good citizen. If members of the sqe are validated and then later
6386 * used, it's important that those reads are done through READ_ONCE() to
6387 * prevent a re-load down the line.
6389 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
6391 u32 *sq_array = ctx->sq_array;
6395 * The cached sq head (or cq tail) serves two purposes:
6397 * 1) allows us to batch the cost of updating the user visible
6399 * 2) allows the kernel side to track the head on its own, even
6400 * though the application is the one updating it.
6402 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
6403 if (likely(head < ctx->sq_entries))
6404 return &ctx->sq_sqes[head];
6406 /* drop invalid entries */
6407 ctx->cached_sq_dropped++;
6408 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
6412 static inline void io_consume_sqe(struct io_ring_ctx *ctx)
6414 ctx->cached_sq_head++;
6418 * Check SQE restrictions (opcode and flags).
6420 * Returns 'true' if SQE is allowed, 'false' otherwise.
6422 static inline bool io_check_restriction(struct io_ring_ctx *ctx,
6423 struct io_kiocb *req,
6424 unsigned int sqe_flags)
6426 if (!ctx->restricted)
6429 if (!test_bit(req->opcode, ctx->restrictions.sqe_op))
6432 if ((sqe_flags & ctx->restrictions.sqe_flags_required) !=
6433 ctx->restrictions.sqe_flags_required)
6436 if (sqe_flags & ~(ctx->restrictions.sqe_flags_allowed |
6437 ctx->restrictions.sqe_flags_required))
6443 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
6444 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
6445 IOSQE_BUFFER_SELECT)
6447 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
6448 const struct io_uring_sqe *sqe,
6449 struct io_submit_state *state)
6451 unsigned int sqe_flags;
6454 req->opcode = READ_ONCE(sqe->opcode);
6455 req->user_data = READ_ONCE(sqe->user_data);
6456 req->async_data = NULL;
6460 /* one is dropped after submission, the other at completion */
6461 refcount_set(&req->refs, 2);
6462 req->task = current;
6465 if (unlikely(req->opcode >= IORING_OP_LAST))
6468 if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
6471 sqe_flags = READ_ONCE(sqe->flags);
6472 /* enforce forwards compatibility on users */
6473 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
6476 if (unlikely(!io_check_restriction(ctx, req, sqe_flags)))
6479 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
6480 !io_op_defs[req->opcode].buffer_select)
6483 id = READ_ONCE(sqe->personality);
6485 struct io_identity *iod;
6487 iod = idr_find(&ctx->personality_idr, id);
6490 refcount_inc(&iod->count);
6492 __io_req_init_async(req);
6493 get_cred(iod->creds);
6494 req->work.identity = iod;
6495 req->work.flags |= IO_WQ_WORK_CREDS;
6498 /* same numerical values with corresponding REQ_F_*, safe to copy */
6499 req->flags |= sqe_flags;
6501 if (!io_op_defs[req->opcode].needs_file)
6504 ret = io_req_set_file(state, req, READ_ONCE(sqe->fd));
6509 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
6511 struct io_submit_state state;
6512 struct io_kiocb *link = NULL;
6513 int i, submitted = 0;
6515 /* if we have a backlog and couldn't flush it all, return BUSY */
6516 if (test_bit(0, &ctx->sq_check_overflow)) {
6517 if (!list_empty(&ctx->cq_overflow_list) &&
6518 !io_cqring_overflow_flush(ctx, false, NULL, NULL))
6522 /* make sure SQ entry isn't read before tail */
6523 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
6525 if (!percpu_ref_tryget_many(&ctx->refs, nr))
6528 percpu_counter_add(¤t->io_uring->inflight, nr);
6529 refcount_add(nr, ¤t->usage);
6531 io_submit_state_start(&state, ctx, nr);
6533 for (i = 0; i < nr; i++) {
6534 const struct io_uring_sqe *sqe;
6535 struct io_kiocb *req;
6538 sqe = io_get_sqe(ctx);
6539 if (unlikely(!sqe)) {
6540 io_consume_sqe(ctx);
6543 req = io_alloc_req(ctx, &state);
6544 if (unlikely(!req)) {
6546 submitted = -EAGAIN;
6549 io_consume_sqe(ctx);
6550 /* will complete beyond this point, count as submitted */
6553 err = io_init_req(ctx, req, sqe, &state);
6554 if (unlikely(err)) {
6557 io_req_complete(req, err);
6561 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
6562 true, io_async_submit(ctx));
6563 err = io_submit_sqe(req, sqe, &link, &state.comp);
6568 if (unlikely(submitted != nr)) {
6569 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
6570 struct io_uring_task *tctx = current->io_uring;
6571 int unused = nr - ref_used;
6573 percpu_ref_put_many(&ctx->refs, unused);
6574 percpu_counter_sub(&tctx->inflight, unused);
6575 put_task_struct_many(current, unused);
6578 io_queue_link_head(link, &state.comp);
6579 io_submit_state_end(&state);
6581 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6582 io_commit_sqring(ctx);
6587 static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)
6589 /* Tell userspace we may need a wakeup call */
6590 spin_lock_irq(&ctx->completion_lock);
6591 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6592 spin_unlock_irq(&ctx->completion_lock);
6595 static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)
6597 spin_lock_irq(&ctx->completion_lock);
6598 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6599 spin_unlock_irq(&ctx->completion_lock);
6602 static int io_sq_wake_function(struct wait_queue_entry *wqe, unsigned mode,
6603 int sync, void *key)
6605 struct io_ring_ctx *ctx = container_of(wqe, struct io_ring_ctx, sqo_wait_entry);
6608 ret = autoremove_wake_function(wqe, mode, sync, key);
6610 unsigned long flags;
6612 spin_lock_irqsave(&ctx->completion_lock, flags);
6613 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6614 spin_unlock_irqrestore(&ctx->completion_lock, flags);
6625 static enum sq_ret __io_sq_thread(struct io_ring_ctx *ctx,
6626 unsigned long start_jiffies, bool cap_entries)
6628 unsigned long timeout = start_jiffies + ctx->sq_thread_idle;
6629 struct io_sq_data *sqd = ctx->sq_data;
6630 unsigned int to_submit;
6634 if (!list_empty(&ctx->iopoll_list)) {
6635 unsigned nr_events = 0;
6637 mutex_lock(&ctx->uring_lock);
6638 if (!list_empty(&ctx->iopoll_list) && !need_resched())
6639 io_do_iopoll(ctx, &nr_events, 0);
6640 mutex_unlock(&ctx->uring_lock);
6643 to_submit = io_sqring_entries(ctx);
6646 * If submit got -EBUSY, flag us as needing the application
6647 * to enter the kernel to reap and flush events.
6649 if (!to_submit || ret == -EBUSY || need_resched()) {
6651 * Drop cur_mm before scheduling, we can't hold it for
6652 * long periods (or over schedule()). Do this before
6653 * adding ourselves to the waitqueue, as the unuse/drop
6656 io_sq_thread_drop_mm();
6659 * We're polling. If we're within the defined idle
6660 * period, then let us spin without work before going
6661 * to sleep. The exception is if we got EBUSY doing
6662 * more IO, we should wait for the application to
6663 * reap events and wake us up.
6665 if (!list_empty(&ctx->iopoll_list) || need_resched() ||
6666 (!time_after(jiffies, timeout) && ret != -EBUSY &&
6667 !percpu_ref_is_dying(&ctx->refs)))
6670 prepare_to_wait(&sqd->wait, &ctx->sqo_wait_entry,
6671 TASK_INTERRUPTIBLE);
6674 * While doing polled IO, before going to sleep, we need
6675 * to check if there are new reqs added to iopoll_list,
6676 * it is because reqs may have been punted to io worker
6677 * and will be added to iopoll_list later, hence check
6678 * the iopoll_list again.
6680 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6681 !list_empty_careful(&ctx->iopoll_list)) {
6682 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
6686 to_submit = io_sqring_entries(ctx);
6687 if (!to_submit || ret == -EBUSY)
6691 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
6692 io_ring_clear_wakeup_flag(ctx);
6694 /* if we're handling multiple rings, cap submit size for fairness */
6695 if (cap_entries && to_submit > 8)
6698 mutex_lock(&ctx->uring_lock);
6699 if (likely(!percpu_ref_is_dying(&ctx->refs)))
6700 ret = io_submit_sqes(ctx, to_submit);
6701 mutex_unlock(&ctx->uring_lock);
6703 if (!io_sqring_full(ctx) && wq_has_sleeper(&ctx->sqo_sq_wait))
6704 wake_up(&ctx->sqo_sq_wait);
6706 return SQT_DID_WORK;
6709 static void io_sqd_init_new(struct io_sq_data *sqd)
6711 struct io_ring_ctx *ctx;
6713 while (!list_empty(&sqd->ctx_new_list)) {
6714 ctx = list_first_entry(&sqd->ctx_new_list, struct io_ring_ctx, sqd_list);
6715 init_wait(&ctx->sqo_wait_entry);
6716 ctx->sqo_wait_entry.func = io_sq_wake_function;
6717 list_move_tail(&ctx->sqd_list, &sqd->ctx_list);
6718 complete(&ctx->sq_thread_comp);
6722 static int io_sq_thread(void *data)
6724 struct cgroup_subsys_state *cur_css = NULL;
6725 const struct cred *old_cred = NULL;
6726 struct io_sq_data *sqd = data;
6727 struct io_ring_ctx *ctx;
6728 unsigned long start_jiffies;
6730 start_jiffies = jiffies;
6731 while (!kthread_should_stop()) {
6732 enum sq_ret ret = 0;
6736 * Any changes to the sqd lists are synchronized through the
6737 * kthread parking. This synchronizes the thread vs users,
6738 * the users are synchronized on the sqd->ctx_lock.
6740 if (kthread_should_park())
6743 if (unlikely(!list_empty(&sqd->ctx_new_list)))
6744 io_sqd_init_new(sqd);
6746 cap_entries = !list_is_singular(&sqd->ctx_list);
6748 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
6749 if (current->cred != ctx->creds) {
6751 revert_creds(old_cred);
6752 old_cred = override_creds(ctx->creds);
6754 io_sq_thread_associate_blkcg(ctx, &cur_css);
6756 current->loginuid = ctx->loginuid;
6757 current->sessionid = ctx->sessionid;
6760 ret |= __io_sq_thread(ctx, start_jiffies, cap_entries);
6762 io_sq_thread_drop_mm();
6765 if (ret & SQT_SPIN) {
6768 } else if (ret == SQT_IDLE) {
6769 if (kthread_should_park())
6771 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6772 io_ring_set_wakeup_flag(ctx);
6774 start_jiffies = jiffies;
6775 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
6776 io_ring_clear_wakeup_flag(ctx);
6783 io_sq_thread_unassociate_blkcg();
6785 revert_creds(old_cred);
6792 struct io_wait_queue {
6793 struct wait_queue_entry wq;
6794 struct io_ring_ctx *ctx;
6796 unsigned nr_timeouts;
6799 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
6801 struct io_ring_ctx *ctx = iowq->ctx;
6804 * Wake up if we have enough events, or if a timeout occurred since we
6805 * started waiting. For timeouts, we always want to return to userspace,
6806 * regardless of event count.
6808 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
6809 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6812 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6813 int wake_flags, void *key)
6815 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6818 /* use noflush == true, as we can't safely rely on locking context */
6819 if (!io_should_wake(iowq, true))
6822 return autoremove_wake_function(curr, mode, wake_flags, key);
6825 static int io_run_task_work_sig(void)
6827 if (io_run_task_work())
6829 if (!signal_pending(current))
6831 if (current->jobctl & JOBCTL_TASK_WORK) {
6832 spin_lock_irq(¤t->sighand->siglock);
6833 current->jobctl &= ~JOBCTL_TASK_WORK;
6834 recalc_sigpending();
6835 spin_unlock_irq(¤t->sighand->siglock);
6842 * Wait until events become available, if we don't already have some. The
6843 * application must reap them itself, as they reside on the shared cq ring.
6845 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6846 const sigset_t __user *sig, size_t sigsz)
6848 struct io_wait_queue iowq = {
6851 .func = io_wake_function,
6852 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6855 .to_wait = min_events,
6857 struct io_rings *rings = ctx->rings;
6861 if (io_cqring_events(ctx, false) >= min_events)
6863 if (!io_run_task_work())
6868 #ifdef CONFIG_COMPAT
6869 if (in_compat_syscall())
6870 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6874 ret = set_user_sigmask(sig, sigsz);
6880 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6881 trace_io_uring_cqring_wait(ctx, min_events);
6883 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6884 TASK_INTERRUPTIBLE);
6885 /* make sure we run task_work before checking for signals */
6886 ret = io_run_task_work_sig();
6891 if (io_should_wake(&iowq, false))
6895 finish_wait(&ctx->wait, &iowq.wq);
6897 restore_saved_sigmask_unless(ret == -EINTR);
6899 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6902 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6904 #if defined(CONFIG_UNIX)
6905 if (ctx->ring_sock) {
6906 struct sock *sock = ctx->ring_sock->sk;
6907 struct sk_buff *skb;
6909 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6915 for (i = 0; i < ctx->nr_user_files; i++) {
6918 file = io_file_from_index(ctx, i);
6925 static void io_file_ref_kill(struct percpu_ref *ref)
6927 struct fixed_file_data *data;
6929 data = container_of(ref, struct fixed_file_data, refs);
6930 complete(&data->done);
6933 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
6935 struct fixed_file_data *data = ctx->file_data;
6936 struct fixed_file_ref_node *ref_node = NULL;
6937 unsigned nr_tables, i;
6942 spin_lock(&data->lock);
6943 if (!list_empty(&data->ref_list))
6944 ref_node = list_first_entry(&data->ref_list,
6945 struct fixed_file_ref_node, node);
6946 spin_unlock(&data->lock);
6948 percpu_ref_kill(&ref_node->refs);
6950 percpu_ref_kill(&data->refs);
6952 /* wait for all refs nodes to complete */
6953 flush_delayed_work(&ctx->file_put_work);
6954 wait_for_completion(&data->done);
6956 __io_sqe_files_unregister(ctx);
6957 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
6958 for (i = 0; i < nr_tables; i++)
6959 kfree(data->table[i].files);
6961 percpu_ref_exit(&data->refs);
6963 ctx->file_data = NULL;
6964 ctx->nr_user_files = 0;
6968 static void io_put_sq_data(struct io_sq_data *sqd)
6970 if (refcount_dec_and_test(&sqd->refs)) {
6972 * The park is a bit of a work-around, without it we get
6973 * warning spews on shutdown with SQPOLL set and affinity
6974 * set to a single CPU.
6977 kthread_park(sqd->thread);
6978 kthread_stop(sqd->thread);
6985 static struct io_sq_data *io_attach_sq_data(struct io_uring_params *p)
6987 struct io_ring_ctx *ctx_attach;
6988 struct io_sq_data *sqd;
6991 f = fdget(p->wq_fd);
6993 return ERR_PTR(-ENXIO);
6994 if (f.file->f_op != &io_uring_fops) {
6996 return ERR_PTR(-EINVAL);
6999 ctx_attach = f.file->private_data;
7000 sqd = ctx_attach->sq_data;
7003 return ERR_PTR(-EINVAL);
7006 refcount_inc(&sqd->refs);
7011 static struct io_sq_data *io_get_sq_data(struct io_uring_params *p)
7013 struct io_sq_data *sqd;
7015 if (p->flags & IORING_SETUP_ATTACH_WQ)
7016 return io_attach_sq_data(p);
7018 sqd = kzalloc(sizeof(*sqd), GFP_KERNEL);
7020 return ERR_PTR(-ENOMEM);
7022 refcount_set(&sqd->refs, 1);
7023 INIT_LIST_HEAD(&sqd->ctx_list);
7024 INIT_LIST_HEAD(&sqd->ctx_new_list);
7025 mutex_init(&sqd->ctx_lock);
7026 mutex_init(&sqd->lock);
7027 init_waitqueue_head(&sqd->wait);
7031 static void io_sq_thread_unpark(struct io_sq_data *sqd)
7032 __releases(&sqd->lock)
7036 kthread_unpark(sqd->thread);
7037 mutex_unlock(&sqd->lock);
7040 static void io_sq_thread_park(struct io_sq_data *sqd)
7041 __acquires(&sqd->lock)
7045 mutex_lock(&sqd->lock);
7046 kthread_park(sqd->thread);
7049 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
7051 struct io_sq_data *sqd = ctx->sq_data;
7056 * We may arrive here from the error branch in
7057 * io_sq_offload_create() where the kthread is created
7058 * without being waked up, thus wake it up now to make
7059 * sure the wait will complete.
7061 wake_up_process(sqd->thread);
7062 wait_for_completion(&ctx->sq_thread_comp);
7064 io_sq_thread_park(sqd);
7067 mutex_lock(&sqd->ctx_lock);
7068 list_del(&ctx->sqd_list);
7069 mutex_unlock(&sqd->ctx_lock);
7072 finish_wait(&sqd->wait, &ctx->sqo_wait_entry);
7073 io_sq_thread_unpark(sqd);
7076 io_put_sq_data(sqd);
7077 ctx->sq_data = NULL;
7081 static void io_finish_async(struct io_ring_ctx *ctx)
7083 io_sq_thread_stop(ctx);
7086 io_wq_destroy(ctx->io_wq);
7091 #if defined(CONFIG_UNIX)
7093 * Ensure the UNIX gc is aware of our file set, so we are certain that
7094 * the io_uring can be safely unregistered on process exit, even if we have
7095 * loops in the file referencing.
7097 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
7099 struct sock *sk = ctx->ring_sock->sk;
7100 struct scm_fp_list *fpl;
7101 struct sk_buff *skb;
7104 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
7108 skb = alloc_skb(0, GFP_KERNEL);
7117 fpl->user = get_uid(ctx->user);
7118 for (i = 0; i < nr; i++) {
7119 struct file *file = io_file_from_index(ctx, i + offset);
7123 fpl->fp[nr_files] = get_file(file);
7124 unix_inflight(fpl->user, fpl->fp[nr_files]);
7129 fpl->max = SCM_MAX_FD;
7130 fpl->count = nr_files;
7131 UNIXCB(skb).fp = fpl;
7132 skb->destructor = unix_destruct_scm;
7133 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
7134 skb_queue_head(&sk->sk_receive_queue, skb);
7136 for (i = 0; i < nr_files; i++)
7147 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
7148 * causes regular reference counting to break down. We rely on the UNIX
7149 * garbage collection to take care of this problem for us.
7151 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7153 unsigned left, total;
7157 left = ctx->nr_user_files;
7159 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
7161 ret = __io_sqe_files_scm(ctx, this_files, total);
7165 total += this_files;
7171 while (total < ctx->nr_user_files) {
7172 struct file *file = io_file_from_index(ctx, total);
7182 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
7188 static int io_sqe_alloc_file_tables(struct fixed_file_data *file_data,
7189 unsigned nr_tables, unsigned nr_files)
7193 for (i = 0; i < nr_tables; i++) {
7194 struct fixed_file_table *table = &file_data->table[i];
7195 unsigned this_files;
7197 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
7198 table->files = kcalloc(this_files, sizeof(struct file *),
7202 nr_files -= this_files;
7208 for (i = 0; i < nr_tables; i++) {
7209 struct fixed_file_table *table = &file_data->table[i];
7210 kfree(table->files);
7215 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
7217 #if defined(CONFIG_UNIX)
7218 struct sock *sock = ctx->ring_sock->sk;
7219 struct sk_buff_head list, *head = &sock->sk_receive_queue;
7220 struct sk_buff *skb;
7223 __skb_queue_head_init(&list);
7226 * Find the skb that holds this file in its SCM_RIGHTS. When found,
7227 * remove this entry and rearrange the file array.
7229 skb = skb_dequeue(head);
7231 struct scm_fp_list *fp;
7233 fp = UNIXCB(skb).fp;
7234 for (i = 0; i < fp->count; i++) {
7237 if (fp->fp[i] != file)
7240 unix_notinflight(fp->user, fp->fp[i]);
7241 left = fp->count - 1 - i;
7243 memmove(&fp->fp[i], &fp->fp[i + 1],
7244 left * sizeof(struct file *));
7251 __skb_queue_tail(&list, skb);
7261 __skb_queue_tail(&list, skb);
7263 skb = skb_dequeue(head);
7266 if (skb_peek(&list)) {
7267 spin_lock_irq(&head->lock);
7268 while ((skb = __skb_dequeue(&list)) != NULL)
7269 __skb_queue_tail(head, skb);
7270 spin_unlock_irq(&head->lock);
7277 struct io_file_put {
7278 struct list_head list;
7282 static void __io_file_put_work(struct fixed_file_ref_node *ref_node)
7284 struct fixed_file_data *file_data = ref_node->file_data;
7285 struct io_ring_ctx *ctx = file_data->ctx;
7286 struct io_file_put *pfile, *tmp;
7288 list_for_each_entry_safe(pfile, tmp, &ref_node->file_list, list) {
7289 list_del(&pfile->list);
7290 io_ring_file_put(ctx, pfile->file);
7294 spin_lock(&file_data->lock);
7295 list_del(&ref_node->node);
7296 spin_unlock(&file_data->lock);
7298 percpu_ref_exit(&ref_node->refs);
7300 percpu_ref_put(&file_data->refs);
7303 static void io_file_put_work(struct work_struct *work)
7305 struct io_ring_ctx *ctx;
7306 struct llist_node *node;
7308 ctx = container_of(work, struct io_ring_ctx, file_put_work.work);
7309 node = llist_del_all(&ctx->file_put_llist);
7312 struct fixed_file_ref_node *ref_node;
7313 struct llist_node *next = node->next;
7315 ref_node = llist_entry(node, struct fixed_file_ref_node, llist);
7316 __io_file_put_work(ref_node);
7321 static void io_file_data_ref_zero(struct percpu_ref *ref)
7323 struct fixed_file_ref_node *ref_node;
7324 struct io_ring_ctx *ctx;
7328 ref_node = container_of(ref, struct fixed_file_ref_node, refs);
7329 ctx = ref_node->file_data->ctx;
7331 if (percpu_ref_is_dying(&ctx->file_data->refs))
7334 first_add = llist_add(&ref_node->llist, &ctx->file_put_llist);
7336 mod_delayed_work(system_wq, &ctx->file_put_work, 0);
7338 queue_delayed_work(system_wq, &ctx->file_put_work, delay);
7341 static struct fixed_file_ref_node *alloc_fixed_file_ref_node(
7342 struct io_ring_ctx *ctx)
7344 struct fixed_file_ref_node *ref_node;
7346 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
7348 return ERR_PTR(-ENOMEM);
7350 if (percpu_ref_init(&ref_node->refs, io_file_data_ref_zero,
7353 return ERR_PTR(-ENOMEM);
7355 INIT_LIST_HEAD(&ref_node->node);
7356 INIT_LIST_HEAD(&ref_node->file_list);
7357 ref_node->file_data = ctx->file_data;
7361 static void destroy_fixed_file_ref_node(struct fixed_file_ref_node *ref_node)
7363 percpu_ref_exit(&ref_node->refs);
7367 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
7370 __s32 __user *fds = (__s32 __user *) arg;
7371 unsigned nr_tables, i;
7373 int fd, ret = -ENOMEM;
7374 struct fixed_file_ref_node *ref_node;
7375 struct fixed_file_data *file_data;
7381 if (nr_args > IORING_MAX_FIXED_FILES)
7384 file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
7387 file_data->ctx = ctx;
7388 init_completion(&file_data->done);
7389 INIT_LIST_HEAD(&file_data->ref_list);
7390 spin_lock_init(&file_data->lock);
7392 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
7393 file_data->table = kcalloc(nr_tables, sizeof(*file_data->table),
7395 if (!file_data->table)
7398 if (percpu_ref_init(&file_data->refs, io_file_ref_kill,
7399 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
7402 if (io_sqe_alloc_file_tables(file_data, nr_tables, nr_args))
7404 ctx->file_data = file_data;
7406 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
7407 struct fixed_file_table *table;
7410 if (copy_from_user(&fd, &fds[i], sizeof(fd))) {
7414 /* allow sparse sets */
7424 * Don't allow io_uring instances to be registered. If UNIX
7425 * isn't enabled, then this causes a reference cycle and this
7426 * instance can never get freed. If UNIX is enabled we'll
7427 * handle it just fine, but there's still no point in allowing
7428 * a ring fd as it doesn't support regular read/write anyway.
7430 if (file->f_op == &io_uring_fops) {
7434 table = &file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7435 index = i & IORING_FILE_TABLE_MASK;
7436 table->files[index] = file;
7439 ret = io_sqe_files_scm(ctx);
7441 io_sqe_files_unregister(ctx);
7445 ref_node = alloc_fixed_file_ref_node(ctx);
7446 if (IS_ERR(ref_node)) {
7447 io_sqe_files_unregister(ctx);
7448 return PTR_ERR(ref_node);
7451 file_data->node = ref_node;
7452 spin_lock(&file_data->lock);
7453 list_add(&ref_node->node, &file_data->ref_list);
7454 spin_unlock(&file_data->lock);
7455 percpu_ref_get(&file_data->refs);
7458 for (i = 0; i < ctx->nr_user_files; i++) {
7459 file = io_file_from_index(ctx, i);
7463 for (i = 0; i < nr_tables; i++)
7464 kfree(file_data->table[i].files);
7465 ctx->nr_user_files = 0;
7467 percpu_ref_exit(&file_data->refs);
7469 kfree(file_data->table);
7471 ctx->file_data = NULL;
7475 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
7478 #if defined(CONFIG_UNIX)
7479 struct sock *sock = ctx->ring_sock->sk;
7480 struct sk_buff_head *head = &sock->sk_receive_queue;
7481 struct sk_buff *skb;
7484 * See if we can merge this file into an existing skb SCM_RIGHTS
7485 * file set. If there's no room, fall back to allocating a new skb
7486 * and filling it in.
7488 spin_lock_irq(&head->lock);
7489 skb = skb_peek(head);
7491 struct scm_fp_list *fpl = UNIXCB(skb).fp;
7493 if (fpl->count < SCM_MAX_FD) {
7494 __skb_unlink(skb, head);
7495 spin_unlock_irq(&head->lock);
7496 fpl->fp[fpl->count] = get_file(file);
7497 unix_inflight(fpl->user, fpl->fp[fpl->count]);
7499 spin_lock_irq(&head->lock);
7500 __skb_queue_head(head, skb);
7505 spin_unlock_irq(&head->lock);
7512 return __io_sqe_files_scm(ctx, 1, index);
7518 static int io_queue_file_removal(struct fixed_file_data *data,
7521 struct io_file_put *pfile;
7522 struct fixed_file_ref_node *ref_node = data->node;
7524 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
7529 list_add(&pfile->list, &ref_node->file_list);
7534 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
7535 struct io_uring_files_update *up,
7538 struct fixed_file_data *data = ctx->file_data;
7539 struct fixed_file_ref_node *ref_node;
7544 bool needs_switch = false;
7546 if (check_add_overflow(up->offset, nr_args, &done))
7548 if (done > ctx->nr_user_files)
7551 ref_node = alloc_fixed_file_ref_node(ctx);
7552 if (IS_ERR(ref_node))
7553 return PTR_ERR(ref_node);
7556 fds = u64_to_user_ptr(up->fds);
7558 struct fixed_file_table *table;
7562 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
7566 i = array_index_nospec(up->offset, ctx->nr_user_files);
7567 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7568 index = i & IORING_FILE_TABLE_MASK;
7569 if (table->files[index]) {
7570 file = table->files[index];
7571 err = io_queue_file_removal(data, file);
7574 table->files[index] = NULL;
7575 needs_switch = true;
7584 * Don't allow io_uring instances to be registered. If
7585 * UNIX isn't enabled, then this causes a reference
7586 * cycle and this instance can never get freed. If UNIX
7587 * is enabled we'll handle it just fine, but there's
7588 * still no point in allowing a ring fd as it doesn't
7589 * support regular read/write anyway.
7591 if (file->f_op == &io_uring_fops) {
7596 table->files[index] = file;
7597 err = io_sqe_file_register(ctx, file, i);
7599 table->files[index] = NULL;
7610 percpu_ref_kill(&data->node->refs);
7611 spin_lock(&data->lock);
7612 list_add(&ref_node->node, &data->ref_list);
7613 data->node = ref_node;
7614 spin_unlock(&data->lock);
7615 percpu_ref_get(&ctx->file_data->refs);
7617 destroy_fixed_file_ref_node(ref_node);
7619 return done ? done : err;
7622 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
7625 struct io_uring_files_update up;
7627 if (!ctx->file_data)
7631 if (copy_from_user(&up, arg, sizeof(up)))
7636 return __io_sqe_files_update(ctx, &up, nr_args);
7639 static void io_free_work(struct io_wq_work *work)
7641 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7643 /* Consider that io_steal_work() relies on this ref */
7647 static int io_init_wq_offload(struct io_ring_ctx *ctx,
7648 struct io_uring_params *p)
7650 struct io_wq_data data;
7652 struct io_ring_ctx *ctx_attach;
7653 unsigned int concurrency;
7656 data.user = ctx->user;
7657 data.free_work = io_free_work;
7658 data.do_work = io_wq_submit_work;
7660 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
7661 /* Do QD, or 4 * CPUS, whatever is smallest */
7662 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
7664 ctx->io_wq = io_wq_create(concurrency, &data);
7665 if (IS_ERR(ctx->io_wq)) {
7666 ret = PTR_ERR(ctx->io_wq);
7672 f = fdget(p->wq_fd);
7676 if (f.file->f_op != &io_uring_fops) {
7681 ctx_attach = f.file->private_data;
7682 /* @io_wq is protected by holding the fd */
7683 if (!io_wq_get(ctx_attach->io_wq, &data)) {
7688 ctx->io_wq = ctx_attach->io_wq;
7694 static int io_uring_alloc_task_context(struct task_struct *task)
7696 struct io_uring_task *tctx;
7699 tctx = kmalloc(sizeof(*tctx), GFP_KERNEL);
7700 if (unlikely(!tctx))
7703 ret = percpu_counter_init(&tctx->inflight, 0, GFP_KERNEL);
7704 if (unlikely(ret)) {
7710 init_waitqueue_head(&tctx->wait);
7712 atomic_set(&tctx->in_idle, 0);
7713 tctx->sqpoll = false;
7714 io_init_identity(&tctx->__identity);
7715 tctx->identity = &tctx->__identity;
7716 task->io_uring = tctx;
7720 void __io_uring_free(struct task_struct *tsk)
7722 struct io_uring_task *tctx = tsk->io_uring;
7724 WARN_ON_ONCE(!xa_empty(&tctx->xa));
7725 WARN_ON_ONCE(refcount_read(&tctx->identity->count) != 1);
7726 if (tctx->identity != &tctx->__identity)
7727 kfree(tctx->identity);
7728 percpu_counter_destroy(&tctx->inflight);
7730 tsk->io_uring = NULL;
7733 static int io_sq_offload_create(struct io_ring_ctx *ctx,
7734 struct io_uring_params *p)
7738 if (ctx->flags & IORING_SETUP_SQPOLL) {
7739 struct io_sq_data *sqd;
7742 if (!capable(CAP_SYS_ADMIN))
7745 sqd = io_get_sq_data(p);
7752 io_sq_thread_park(sqd);
7753 mutex_lock(&sqd->ctx_lock);
7754 list_add(&ctx->sqd_list, &sqd->ctx_new_list);
7755 mutex_unlock(&sqd->ctx_lock);
7756 io_sq_thread_unpark(sqd);
7758 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
7759 if (!ctx->sq_thread_idle)
7760 ctx->sq_thread_idle = HZ;
7765 if (p->flags & IORING_SETUP_SQ_AFF) {
7766 int cpu = p->sq_thread_cpu;
7769 if (cpu >= nr_cpu_ids)
7771 if (!cpu_online(cpu))
7774 sqd->thread = kthread_create_on_cpu(io_sq_thread, sqd,
7775 cpu, "io_uring-sq");
7777 sqd->thread = kthread_create(io_sq_thread, sqd,
7780 if (IS_ERR(sqd->thread)) {
7781 ret = PTR_ERR(sqd->thread);
7785 ret = io_uring_alloc_task_context(sqd->thread);
7788 } else if (p->flags & IORING_SETUP_SQ_AFF) {
7789 /* Can't have SQ_AFF without SQPOLL */
7795 ret = io_init_wq_offload(ctx, p);
7801 io_finish_async(ctx);
7805 static void io_sq_offload_start(struct io_ring_ctx *ctx)
7807 struct io_sq_data *sqd = ctx->sq_data;
7809 if ((ctx->flags & IORING_SETUP_SQPOLL) && sqd->thread)
7810 wake_up_process(sqd->thread);
7813 static inline void __io_unaccount_mem(struct user_struct *user,
7814 unsigned long nr_pages)
7816 atomic_long_sub(nr_pages, &user->locked_vm);
7819 static inline int __io_account_mem(struct user_struct *user,
7820 unsigned long nr_pages)
7822 unsigned long page_limit, cur_pages, new_pages;
7824 /* Don't allow more pages than we can safely lock */
7825 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7828 cur_pages = atomic_long_read(&user->locked_vm);
7829 new_pages = cur_pages + nr_pages;
7830 if (new_pages > page_limit)
7832 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7833 new_pages) != cur_pages);
7838 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7839 enum io_mem_account acct)
7842 __io_unaccount_mem(ctx->user, nr_pages);
7844 if (ctx->mm_account) {
7845 if (acct == ACCT_LOCKED)
7846 ctx->mm_account->locked_vm -= nr_pages;
7847 else if (acct == ACCT_PINNED)
7848 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
7852 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7853 enum io_mem_account acct)
7857 if (ctx->limit_mem) {
7858 ret = __io_account_mem(ctx->user, nr_pages);
7863 if (ctx->mm_account) {
7864 if (acct == ACCT_LOCKED)
7865 ctx->mm_account->locked_vm += nr_pages;
7866 else if (acct == ACCT_PINNED)
7867 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
7873 static void io_mem_free(void *ptr)
7880 page = virt_to_head_page(ptr);
7881 if (put_page_testzero(page))
7882 free_compound_page(page);
7885 static void *io_mem_alloc(size_t size)
7887 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7890 return (void *) __get_free_pages(gfp_flags, get_order(size));
7893 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7896 struct io_rings *rings;
7897 size_t off, sq_array_size;
7899 off = struct_size(rings, cqes, cq_entries);
7900 if (off == SIZE_MAX)
7904 off = ALIGN(off, SMP_CACHE_BYTES);
7912 sq_array_size = array_size(sizeof(u32), sq_entries);
7913 if (sq_array_size == SIZE_MAX)
7916 if (check_add_overflow(off, sq_array_size, &off))
7922 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
7926 pages = (size_t)1 << get_order(
7927 rings_size(sq_entries, cq_entries, NULL));
7928 pages += (size_t)1 << get_order(
7929 array_size(sizeof(struct io_uring_sqe), sq_entries));
7934 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
7938 if (!ctx->user_bufs)
7941 for (i = 0; i < ctx->nr_user_bufs; i++) {
7942 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7944 for (j = 0; j < imu->nr_bvecs; j++)
7945 unpin_user_page(imu->bvec[j].bv_page);
7947 if (imu->acct_pages)
7948 io_unaccount_mem(ctx, imu->acct_pages, ACCT_PINNED);
7953 kfree(ctx->user_bufs);
7954 ctx->user_bufs = NULL;
7955 ctx->nr_user_bufs = 0;
7959 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
7960 void __user *arg, unsigned index)
7962 struct iovec __user *src;
7964 #ifdef CONFIG_COMPAT
7966 struct compat_iovec __user *ciovs;
7967 struct compat_iovec ciov;
7969 ciovs = (struct compat_iovec __user *) arg;
7970 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
7973 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
7974 dst->iov_len = ciov.iov_len;
7978 src = (struct iovec __user *) arg;
7979 if (copy_from_user(dst, &src[index], sizeof(*dst)))
7985 * Not super efficient, but this is just a registration time. And we do cache
7986 * the last compound head, so generally we'll only do a full search if we don't
7989 * We check if the given compound head page has already been accounted, to
7990 * avoid double accounting it. This allows us to account the full size of the
7991 * page, not just the constituent pages of a huge page.
7993 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
7994 int nr_pages, struct page *hpage)
7998 /* check current page array */
7999 for (i = 0; i < nr_pages; i++) {
8000 if (!PageCompound(pages[i]))
8002 if (compound_head(pages[i]) == hpage)
8006 /* check previously registered pages */
8007 for (i = 0; i < ctx->nr_user_bufs; i++) {
8008 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8010 for (j = 0; j < imu->nr_bvecs; j++) {
8011 if (!PageCompound(imu->bvec[j].bv_page))
8013 if (compound_head(imu->bvec[j].bv_page) == hpage)
8021 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
8022 int nr_pages, struct io_mapped_ubuf *imu,
8023 struct page **last_hpage)
8027 for (i = 0; i < nr_pages; i++) {
8028 if (!PageCompound(pages[i])) {
8033 hpage = compound_head(pages[i]);
8034 if (hpage == *last_hpage)
8036 *last_hpage = hpage;
8037 if (headpage_already_acct(ctx, pages, i, hpage))
8039 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
8043 if (!imu->acct_pages)
8046 ret = io_account_mem(ctx, imu->acct_pages, ACCT_PINNED);
8048 imu->acct_pages = 0;
8052 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
8055 struct vm_area_struct **vmas = NULL;
8056 struct page **pages = NULL;
8057 struct page *last_hpage = NULL;
8058 int i, j, got_pages = 0;
8063 if (!nr_args || nr_args > UIO_MAXIOV)
8066 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
8068 if (!ctx->user_bufs)
8071 for (i = 0; i < nr_args; i++) {
8072 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
8073 unsigned long off, start, end, ubuf;
8078 ret = io_copy_iov(ctx, &iov, arg, i);
8083 * Don't impose further limits on the size and buffer
8084 * constraints here, we'll -EINVAL later when IO is
8085 * submitted if they are wrong.
8088 if (!iov.iov_base || !iov.iov_len)
8091 /* arbitrary limit, but we need something */
8092 if (iov.iov_len > SZ_1G)
8095 ubuf = (unsigned long) iov.iov_base;
8096 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
8097 start = ubuf >> PAGE_SHIFT;
8098 nr_pages = end - start;
8101 if (!pages || nr_pages > got_pages) {
8104 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
8106 vmas = kvmalloc_array(nr_pages,
8107 sizeof(struct vm_area_struct *),
8109 if (!pages || !vmas) {
8113 got_pages = nr_pages;
8116 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
8123 mmap_read_lock(current->mm);
8124 pret = pin_user_pages(ubuf, nr_pages,
8125 FOLL_WRITE | FOLL_LONGTERM,
8127 if (pret == nr_pages) {
8128 /* don't support file backed memory */
8129 for (j = 0; j < nr_pages; j++) {
8130 struct vm_area_struct *vma = vmas[j];
8133 !is_file_hugepages(vma->vm_file)) {
8139 ret = pret < 0 ? pret : -EFAULT;
8141 mmap_read_unlock(current->mm);
8144 * if we did partial map, or found file backed vmas,
8145 * release any pages we did get
8148 unpin_user_pages(pages, pret);
8153 ret = io_buffer_account_pin(ctx, pages, pret, imu, &last_hpage);
8155 unpin_user_pages(pages, pret);
8160 off = ubuf & ~PAGE_MASK;
8162 for (j = 0; j < nr_pages; j++) {
8165 vec_len = min_t(size_t, size, PAGE_SIZE - off);
8166 imu->bvec[j].bv_page = pages[j];
8167 imu->bvec[j].bv_len = vec_len;
8168 imu->bvec[j].bv_offset = off;
8172 /* store original address for later verification */
8174 imu->len = iov.iov_len;
8175 imu->nr_bvecs = nr_pages;
8177 ctx->nr_user_bufs++;
8185 io_sqe_buffer_unregister(ctx);
8189 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
8191 __s32 __user *fds = arg;
8197 if (copy_from_user(&fd, fds, sizeof(*fds)))
8200 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
8201 if (IS_ERR(ctx->cq_ev_fd)) {
8202 int ret = PTR_ERR(ctx->cq_ev_fd);
8203 ctx->cq_ev_fd = NULL;
8210 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
8212 if (ctx->cq_ev_fd) {
8213 eventfd_ctx_put(ctx->cq_ev_fd);
8214 ctx->cq_ev_fd = NULL;
8221 static int __io_destroy_buffers(int id, void *p, void *data)
8223 struct io_ring_ctx *ctx = data;
8224 struct io_buffer *buf = p;
8226 __io_remove_buffers(ctx, buf, id, -1U);
8230 static void io_destroy_buffers(struct io_ring_ctx *ctx)
8232 idr_for_each(&ctx->io_buffer_idr, __io_destroy_buffers, ctx);
8233 idr_destroy(&ctx->io_buffer_idr);
8236 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
8238 io_finish_async(ctx);
8239 io_sqe_buffer_unregister(ctx);
8241 if (ctx->sqo_task) {
8242 put_task_struct(ctx->sqo_task);
8243 ctx->sqo_task = NULL;
8244 mmdrop(ctx->mm_account);
8245 ctx->mm_account = NULL;
8248 #ifdef CONFIG_BLK_CGROUP
8249 if (ctx->sqo_blkcg_css)
8250 css_put(ctx->sqo_blkcg_css);
8253 io_sqe_files_unregister(ctx);
8254 io_eventfd_unregister(ctx);
8255 io_destroy_buffers(ctx);
8256 idr_destroy(&ctx->personality_idr);
8258 #if defined(CONFIG_UNIX)
8259 if (ctx->ring_sock) {
8260 ctx->ring_sock->file = NULL; /* so that iput() is called */
8261 sock_release(ctx->ring_sock);
8265 io_mem_free(ctx->rings);
8266 io_mem_free(ctx->sq_sqes);
8268 percpu_ref_exit(&ctx->refs);
8269 free_uid(ctx->user);
8270 put_cred(ctx->creds);
8271 kfree(ctx->cancel_hash);
8272 kmem_cache_free(req_cachep, ctx->fallback_req);
8276 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
8278 struct io_ring_ctx *ctx = file->private_data;
8281 poll_wait(file, &ctx->cq_wait, wait);
8283 * synchronizes with barrier from wq_has_sleeper call in
8287 if (!io_sqring_full(ctx))
8288 mask |= EPOLLOUT | EPOLLWRNORM;
8289 if (io_cqring_events(ctx, false))
8290 mask |= EPOLLIN | EPOLLRDNORM;
8295 static int io_uring_fasync(int fd, struct file *file, int on)
8297 struct io_ring_ctx *ctx = file->private_data;
8299 return fasync_helper(fd, file, on, &ctx->cq_fasync);
8302 static int io_remove_personalities(int id, void *p, void *data)
8304 struct io_ring_ctx *ctx = data;
8305 struct io_identity *iod;
8307 iod = idr_remove(&ctx->personality_idr, id);
8309 put_cred(iod->creds);
8310 if (refcount_dec_and_test(&iod->count))
8316 static void io_ring_exit_work(struct work_struct *work)
8318 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,
8322 * If we're doing polled IO and end up having requests being
8323 * submitted async (out-of-line), then completions can come in while
8324 * we're waiting for refs to drop. We need to reap these manually,
8325 * as nobody else will be looking for them.
8329 io_cqring_overflow_flush(ctx, true, NULL, NULL);
8330 io_iopoll_try_reap_events(ctx);
8331 } while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));
8332 io_ring_ctx_free(ctx);
8335 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
8337 mutex_lock(&ctx->uring_lock);
8338 percpu_ref_kill(&ctx->refs);
8339 mutex_unlock(&ctx->uring_lock);
8341 io_kill_timeouts(ctx, NULL);
8342 io_poll_remove_all(ctx, NULL);
8345 io_wq_cancel_all(ctx->io_wq);
8347 /* if we failed setting up the ctx, we might not have any rings */
8349 io_cqring_overflow_flush(ctx, true, NULL, NULL);
8350 io_iopoll_try_reap_events(ctx);
8351 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
8354 * Do this upfront, so we won't have a grace period where the ring
8355 * is closed but resources aren't reaped yet. This can cause
8356 * spurious failure in setting up a new ring.
8358 io_unaccount_mem(ctx, ring_pages(ctx->sq_entries, ctx->cq_entries),
8361 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
8363 * Use system_unbound_wq to avoid spawning tons of event kworkers
8364 * if we're exiting a ton of rings at the same time. It just adds
8365 * noise and overhead, there's no discernable change in runtime
8366 * over using system_wq.
8368 queue_work(system_unbound_wq, &ctx->exit_work);
8371 static int io_uring_release(struct inode *inode, struct file *file)
8373 struct io_ring_ctx *ctx = file->private_data;
8375 file->private_data = NULL;
8376 io_ring_ctx_wait_and_kill(ctx);
8380 static bool io_wq_files_match(struct io_wq_work *work, void *data)
8382 struct files_struct *files = data;
8384 return !files || ((work->flags & IO_WQ_WORK_FILES) &&
8385 work->identity->files == files);
8389 * Returns true if 'preq' is the link parent of 'req'
8391 static bool io_match_link(struct io_kiocb *preq, struct io_kiocb *req)
8393 struct io_kiocb *link;
8395 if (!(preq->flags & REQ_F_LINK_HEAD))
8398 list_for_each_entry(link, &preq->link_list, link_list) {
8406 static bool io_match_link_files(struct io_kiocb *req,
8407 struct files_struct *files)
8409 struct io_kiocb *link;
8411 if (io_match_files(req, files))
8413 if (req->flags & REQ_F_LINK_HEAD) {
8414 list_for_each_entry(link, &req->link_list, link_list) {
8415 if (io_match_files(link, files))
8423 * We're looking to cancel 'req' because it's holding on to our files, but
8424 * 'req' could be a link to another request. See if it is, and cancel that
8425 * parent request if so.
8427 static bool io_poll_remove_link(struct io_ring_ctx *ctx, struct io_kiocb *req)
8429 struct hlist_node *tmp;
8430 struct io_kiocb *preq;
8434 spin_lock_irq(&ctx->completion_lock);
8435 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
8436 struct hlist_head *list;
8438 list = &ctx->cancel_hash[i];
8439 hlist_for_each_entry_safe(preq, tmp, list, hash_node) {
8440 found = io_match_link(preq, req);
8442 io_poll_remove_one(preq);
8447 spin_unlock_irq(&ctx->completion_lock);
8451 static bool io_timeout_remove_link(struct io_ring_ctx *ctx,
8452 struct io_kiocb *req)
8454 struct io_kiocb *preq;
8457 spin_lock_irq(&ctx->completion_lock);
8458 list_for_each_entry(preq, &ctx->timeout_list, timeout.list) {
8459 found = io_match_link(preq, req);
8461 __io_timeout_cancel(preq);
8465 spin_unlock_irq(&ctx->completion_lock);
8469 static bool io_cancel_link_cb(struct io_wq_work *work, void *data)
8471 return io_match_link(container_of(work, struct io_kiocb, work), data);
8474 static void io_attempt_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req)
8476 enum io_wq_cancel cret;
8478 /* cancel this particular work, if it's running */
8479 cret = io_wq_cancel_work(ctx->io_wq, &req->work);
8480 if (cret != IO_WQ_CANCEL_NOTFOUND)
8483 /* find links that hold this pending, cancel those */
8484 cret = io_wq_cancel_cb(ctx->io_wq, io_cancel_link_cb, req, true);
8485 if (cret != IO_WQ_CANCEL_NOTFOUND)
8488 /* if we have a poll link holding this pending, cancel that */
8489 if (io_poll_remove_link(ctx, req))
8492 /* final option, timeout link is holding this req pending */
8493 io_timeout_remove_link(ctx, req);
8496 static void io_cancel_defer_files(struct io_ring_ctx *ctx,
8497 struct files_struct *files)
8499 struct io_defer_entry *de = NULL;
8502 spin_lock_irq(&ctx->completion_lock);
8503 list_for_each_entry_reverse(de, &ctx->defer_list, list) {
8504 if (io_match_link_files(de->req, files)) {
8505 list_cut_position(&list, &ctx->defer_list, &de->list);
8509 spin_unlock_irq(&ctx->completion_lock);
8511 while (!list_empty(&list)) {
8512 de = list_first_entry(&list, struct io_defer_entry, list);
8513 list_del_init(&de->list);
8514 req_set_fail_links(de->req);
8515 io_put_req(de->req);
8516 io_req_complete(de->req, -ECANCELED);
8522 * Returns true if we found and killed one or more files pinning requests
8524 static bool io_uring_cancel_files(struct io_ring_ctx *ctx,
8525 struct files_struct *files)
8527 if (list_empty_careful(&ctx->inflight_list))
8530 io_cancel_defer_files(ctx, files);
8531 /* cancel all at once, should be faster than doing it one by one*/
8532 io_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);
8534 while (!list_empty_careful(&ctx->inflight_list)) {
8535 struct io_kiocb *cancel_req = NULL, *req;
8538 spin_lock_irq(&ctx->inflight_lock);
8539 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
8540 if (files && (req->work.flags & IO_WQ_WORK_FILES) &&
8541 req->work.identity->files != files)
8543 /* req is being completed, ignore */
8544 if (!refcount_inc_not_zero(&req->refs))
8550 prepare_to_wait(&ctx->inflight_wait, &wait,
8551 TASK_UNINTERRUPTIBLE);
8552 spin_unlock_irq(&ctx->inflight_lock);
8554 /* We need to keep going until we don't find a matching req */
8557 /* cancel this request, or head link requests */
8558 io_attempt_cancel(ctx, cancel_req);
8559 io_put_req(cancel_req);
8560 /* cancellations _may_ trigger task work */
8563 finish_wait(&ctx->inflight_wait, &wait);
8569 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
8571 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
8572 struct task_struct *task = data;
8574 return io_task_match(req, task);
8577 static bool __io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
8578 struct task_struct *task,
8579 struct files_struct *files)
8583 ret = io_uring_cancel_files(ctx, files);
8585 enum io_wq_cancel cret;
8587 cret = io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, task, true);
8588 if (cret != IO_WQ_CANCEL_NOTFOUND)
8591 /* SQPOLL thread does its own polling */
8592 if (!(ctx->flags & IORING_SETUP_SQPOLL)) {
8593 while (!list_empty_careful(&ctx->iopoll_list)) {
8594 io_iopoll_try_reap_events(ctx);
8599 ret |= io_poll_remove_all(ctx, task);
8600 ret |= io_kill_timeouts(ctx, task);
8607 * We need to iteratively cancel requests, in case a request has dependent
8608 * hard links. These persist even for failure of cancelations, hence keep
8609 * looping until none are found.
8611 static void io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
8612 struct files_struct *files)
8614 struct task_struct *task = current;
8616 if ((ctx->flags & IORING_SETUP_SQPOLL) && ctx->sq_data) {
8617 task = ctx->sq_data->thread;
8618 atomic_inc(&task->io_uring->in_idle);
8619 io_sq_thread_park(ctx->sq_data);
8622 io_cqring_overflow_flush(ctx, true, task, files);
8624 while (__io_uring_cancel_task_requests(ctx, task, files)) {
8629 if ((ctx->flags & IORING_SETUP_SQPOLL) && ctx->sq_data) {
8630 atomic_dec(&task->io_uring->in_idle);
8632 * If the files that are going away are the ones in the thread
8633 * identity, clear them out.
8635 if (task->io_uring->identity->files == files)
8636 task->io_uring->identity->files = NULL;
8637 io_sq_thread_unpark(ctx->sq_data);
8642 * Note that this task has used io_uring. We use it for cancelation purposes.
8644 static int io_uring_add_task_file(struct io_ring_ctx *ctx, struct file *file)
8646 struct io_uring_task *tctx = current->io_uring;
8648 if (unlikely(!tctx)) {
8651 ret = io_uring_alloc_task_context(current);
8654 tctx = current->io_uring;
8656 if (tctx->last != file) {
8657 void *old = xa_load(&tctx->xa, (unsigned long)file);
8661 xa_store(&tctx->xa, (unsigned long)file, file, GFP_KERNEL);
8667 * This is race safe in that the task itself is doing this, hence it
8668 * cannot be going through the exit/cancel paths at the same time.
8669 * This cannot be modified while exit/cancel is running.
8671 if (!tctx->sqpoll && (ctx->flags & IORING_SETUP_SQPOLL))
8672 tctx->sqpoll = true;
8678 * Remove this io_uring_file -> task mapping.
8680 static void io_uring_del_task_file(struct file *file)
8682 struct io_uring_task *tctx = current->io_uring;
8684 if (tctx->last == file)
8686 file = xa_erase(&tctx->xa, (unsigned long)file);
8692 * Drop task note for this file if we're the only ones that hold it after
8695 static void io_uring_attempt_task_drop(struct file *file)
8697 if (!current->io_uring)
8700 * fput() is pending, will be 2 if the only other ref is our potential
8701 * task file note. If the task is exiting, drop regardless of count.
8703 if (fatal_signal_pending(current) || (current->flags & PF_EXITING) ||
8704 atomic_long_read(&file->f_count) == 2)
8705 io_uring_del_task_file(file);
8708 void __io_uring_files_cancel(struct files_struct *files)
8710 struct io_uring_task *tctx = current->io_uring;
8712 unsigned long index;
8714 /* make sure overflow events are dropped */
8715 atomic_inc(&tctx->in_idle);
8717 xa_for_each(&tctx->xa, index, file) {
8718 struct io_ring_ctx *ctx = file->private_data;
8720 io_uring_cancel_task_requests(ctx, files);
8722 io_uring_del_task_file(file);
8725 atomic_dec(&tctx->in_idle);
8728 static s64 tctx_inflight(struct io_uring_task *tctx)
8730 unsigned long index;
8734 inflight = percpu_counter_sum(&tctx->inflight);
8739 * If we have SQPOLL rings, then we need to iterate and find them, and
8740 * add the pending count for those.
8742 xa_for_each(&tctx->xa, index, file) {
8743 struct io_ring_ctx *ctx = file->private_data;
8745 if (ctx->flags & IORING_SETUP_SQPOLL) {
8746 struct io_uring_task *__tctx = ctx->sqo_task->io_uring;
8748 inflight += percpu_counter_sum(&__tctx->inflight);
8756 * Find any io_uring fd that this task has registered or done IO on, and cancel
8759 void __io_uring_task_cancel(void)
8761 struct io_uring_task *tctx = current->io_uring;
8765 /* make sure overflow events are dropped */
8766 atomic_inc(&tctx->in_idle);
8769 /* read completions before cancelations */
8770 inflight = tctx_inflight(tctx);
8773 __io_uring_files_cancel(NULL);
8775 prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
8778 * If we've seen completions, retry. This avoids a race where
8779 * a completion comes in before we did prepare_to_wait().
8781 if (inflight != tctx_inflight(tctx))
8786 finish_wait(&tctx->wait, &wait);
8787 atomic_dec(&tctx->in_idle);
8790 static int io_uring_flush(struct file *file, void *data)
8792 io_uring_attempt_task_drop(file);
8796 static void *io_uring_validate_mmap_request(struct file *file,
8797 loff_t pgoff, size_t sz)
8799 struct io_ring_ctx *ctx = file->private_data;
8800 loff_t offset = pgoff << PAGE_SHIFT;
8805 case IORING_OFF_SQ_RING:
8806 case IORING_OFF_CQ_RING:
8809 case IORING_OFF_SQES:
8813 return ERR_PTR(-EINVAL);
8816 page = virt_to_head_page(ptr);
8817 if (sz > page_size(page))
8818 return ERR_PTR(-EINVAL);
8825 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
8827 size_t sz = vma->vm_end - vma->vm_start;
8831 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
8833 return PTR_ERR(ptr);
8835 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
8836 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
8839 #else /* !CONFIG_MMU */
8841 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
8843 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
8846 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
8848 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
8851 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
8852 unsigned long addr, unsigned long len,
8853 unsigned long pgoff, unsigned long flags)
8857 ptr = io_uring_validate_mmap_request(file, pgoff, len);
8859 return PTR_ERR(ptr);
8861 return (unsigned long) ptr;
8864 #endif /* !CONFIG_MMU */
8866 static void io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
8871 if (!io_sqring_full(ctx))
8874 prepare_to_wait(&ctx->sqo_sq_wait, &wait, TASK_INTERRUPTIBLE);
8876 if (!io_sqring_full(ctx))
8880 } while (!signal_pending(current));
8882 finish_wait(&ctx->sqo_sq_wait, &wait);
8885 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
8886 u32, min_complete, u32, flags, const sigset_t __user *, sig,
8889 struct io_ring_ctx *ctx;
8896 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
8897 IORING_ENTER_SQ_WAIT))
8905 if (f.file->f_op != &io_uring_fops)
8909 ctx = f.file->private_data;
8910 if (!percpu_ref_tryget(&ctx->refs))
8914 if (ctx->flags & IORING_SETUP_R_DISABLED)
8918 * For SQ polling, the thread will do all submissions and completions.
8919 * Just return the requested submit count, and wake the thread if
8923 if (ctx->flags & IORING_SETUP_SQPOLL) {
8924 if (!list_empty_careful(&ctx->cq_overflow_list))
8925 io_cqring_overflow_flush(ctx, false, NULL, NULL);
8926 if (flags & IORING_ENTER_SQ_WAKEUP)
8927 wake_up(&ctx->sq_data->wait);
8928 if (flags & IORING_ENTER_SQ_WAIT)
8929 io_sqpoll_wait_sq(ctx);
8930 submitted = to_submit;
8931 } else if (to_submit) {
8932 ret = io_uring_add_task_file(ctx, f.file);
8935 mutex_lock(&ctx->uring_lock);
8936 submitted = io_submit_sqes(ctx, to_submit);
8937 mutex_unlock(&ctx->uring_lock);
8939 if (submitted != to_submit)
8942 if (flags & IORING_ENTER_GETEVENTS) {
8943 min_complete = min(min_complete, ctx->cq_entries);
8946 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
8947 * space applications don't need to do io completion events
8948 * polling again, they can rely on io_sq_thread to do polling
8949 * work, which can reduce cpu usage and uring_lock contention.
8951 if (ctx->flags & IORING_SETUP_IOPOLL &&
8952 !(ctx->flags & IORING_SETUP_SQPOLL)) {
8953 ret = io_iopoll_check(ctx, min_complete);
8955 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
8960 percpu_ref_put(&ctx->refs);
8963 return submitted ? submitted : ret;
8966 #ifdef CONFIG_PROC_FS
8967 static int io_uring_show_cred(int id, void *p, void *data)
8969 const struct cred *cred = p;
8970 struct seq_file *m = data;
8971 struct user_namespace *uns = seq_user_ns(m);
8972 struct group_info *gi;
8977 seq_printf(m, "%5d\n", id);
8978 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
8979 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
8980 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
8981 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
8982 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
8983 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
8984 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
8985 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
8986 seq_puts(m, "\n\tGroups:\t");
8987 gi = cred->group_info;
8988 for (g = 0; g < gi->ngroups; g++) {
8989 seq_put_decimal_ull(m, g ? " " : "",
8990 from_kgid_munged(uns, gi->gid[g]));
8992 seq_puts(m, "\n\tCapEff:\t");
8993 cap = cred->cap_effective;
8994 CAP_FOR_EACH_U32(__capi)
8995 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
9000 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
9002 struct io_sq_data *sq = NULL;
9007 * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
9008 * since fdinfo case grabs it in the opposite direction of normal use
9009 * cases. If we fail to get the lock, we just don't iterate any
9010 * structures that could be going away outside the io_uring mutex.
9012 has_lock = mutex_trylock(&ctx->uring_lock);
9014 if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL))
9017 seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1);
9018 seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1);
9019 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
9020 for (i = 0; has_lock && i < ctx->nr_user_files; i++) {
9021 struct fixed_file_table *table;
9024 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
9025 f = table->files[i & IORING_FILE_TABLE_MASK];
9027 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
9029 seq_printf(m, "%5u: <none>\n", i);
9031 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
9032 for (i = 0; has_lock && i < ctx->nr_user_bufs; i++) {
9033 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
9035 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
9036 (unsigned int) buf->len);
9038 if (has_lock && !idr_is_empty(&ctx->personality_idr)) {
9039 seq_printf(m, "Personalities:\n");
9040 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
9042 seq_printf(m, "PollList:\n");
9043 spin_lock_irq(&ctx->completion_lock);
9044 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
9045 struct hlist_head *list = &ctx->cancel_hash[i];
9046 struct io_kiocb *req;
9048 hlist_for_each_entry(req, list, hash_node)
9049 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
9050 req->task->task_works != NULL);
9052 spin_unlock_irq(&ctx->completion_lock);
9054 mutex_unlock(&ctx->uring_lock);
9057 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
9059 struct io_ring_ctx *ctx = f->private_data;
9061 if (percpu_ref_tryget(&ctx->refs)) {
9062 __io_uring_show_fdinfo(ctx, m);
9063 percpu_ref_put(&ctx->refs);
9068 static const struct file_operations io_uring_fops = {
9069 .release = io_uring_release,
9070 .flush = io_uring_flush,
9071 .mmap = io_uring_mmap,
9073 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
9074 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
9076 .poll = io_uring_poll,
9077 .fasync = io_uring_fasync,
9078 #ifdef CONFIG_PROC_FS
9079 .show_fdinfo = io_uring_show_fdinfo,
9083 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
9084 struct io_uring_params *p)
9086 struct io_rings *rings;
9087 size_t size, sq_array_offset;
9089 /* make sure these are sane, as we already accounted them */
9090 ctx->sq_entries = p->sq_entries;
9091 ctx->cq_entries = p->cq_entries;
9093 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
9094 if (size == SIZE_MAX)
9097 rings = io_mem_alloc(size);
9102 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
9103 rings->sq_ring_mask = p->sq_entries - 1;
9104 rings->cq_ring_mask = p->cq_entries - 1;
9105 rings->sq_ring_entries = p->sq_entries;
9106 rings->cq_ring_entries = p->cq_entries;
9107 ctx->sq_mask = rings->sq_ring_mask;
9108 ctx->cq_mask = rings->cq_ring_mask;
9110 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
9111 if (size == SIZE_MAX) {
9112 io_mem_free(ctx->rings);
9117 ctx->sq_sqes = io_mem_alloc(size);
9118 if (!ctx->sq_sqes) {
9119 io_mem_free(ctx->rings);
9128 * Allocate an anonymous fd, this is what constitutes the application
9129 * visible backing of an io_uring instance. The application mmaps this
9130 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
9131 * we have to tie this fd to a socket for file garbage collection purposes.
9133 static int io_uring_get_fd(struct io_ring_ctx *ctx)
9138 #if defined(CONFIG_UNIX)
9139 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
9145 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
9149 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
9150 O_RDWR | O_CLOEXEC);
9154 ret = PTR_ERR(file);
9158 #if defined(CONFIG_UNIX)
9159 ctx->ring_sock->file = file;
9161 if (unlikely(io_uring_add_task_file(ctx, file))) {
9162 file = ERR_PTR(-ENOMEM);
9165 fd_install(ret, file);
9168 #if defined(CONFIG_UNIX)
9169 sock_release(ctx->ring_sock);
9170 ctx->ring_sock = NULL;
9175 static int io_uring_create(unsigned entries, struct io_uring_params *p,
9176 struct io_uring_params __user *params)
9178 struct user_struct *user = NULL;
9179 struct io_ring_ctx *ctx;
9185 if (entries > IORING_MAX_ENTRIES) {
9186 if (!(p->flags & IORING_SETUP_CLAMP))
9188 entries = IORING_MAX_ENTRIES;
9192 * Use twice as many entries for the CQ ring. It's possible for the
9193 * application to drive a higher depth than the size of the SQ ring,
9194 * since the sqes are only used at submission time. This allows for
9195 * some flexibility in overcommitting a bit. If the application has
9196 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
9197 * of CQ ring entries manually.
9199 p->sq_entries = roundup_pow_of_two(entries);
9200 if (p->flags & IORING_SETUP_CQSIZE) {
9202 * If IORING_SETUP_CQSIZE is set, we do the same roundup
9203 * to a power-of-two, if it isn't already. We do NOT impose
9204 * any cq vs sq ring sizing.
9206 if (p->cq_entries < p->sq_entries)
9208 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
9209 if (!(p->flags & IORING_SETUP_CLAMP))
9211 p->cq_entries = IORING_MAX_CQ_ENTRIES;
9213 p->cq_entries = roundup_pow_of_two(p->cq_entries);
9215 p->cq_entries = 2 * p->sq_entries;
9218 user = get_uid(current_user());
9219 limit_mem = !capable(CAP_IPC_LOCK);
9222 ret = __io_account_mem(user,
9223 ring_pages(p->sq_entries, p->cq_entries));
9230 ctx = io_ring_ctx_alloc(p);
9233 __io_unaccount_mem(user, ring_pages(p->sq_entries,
9238 ctx->compat = in_compat_syscall();
9240 ctx->creds = get_current_cred();
9242 ctx->loginuid = current->loginuid;
9243 ctx->sessionid = current->sessionid;
9245 ctx->sqo_task = get_task_struct(current);
9248 * This is just grabbed for accounting purposes. When a process exits,
9249 * the mm is exited and dropped before the files, hence we need to hang
9250 * on to this mm purely for the purposes of being able to unaccount
9251 * memory (locked/pinned vm). It's not used for anything else.
9253 mmgrab(current->mm);
9254 ctx->mm_account = current->mm;
9256 #ifdef CONFIG_BLK_CGROUP
9258 * The sq thread will belong to the original cgroup it was inited in.
9259 * If the cgroup goes offline (e.g. disabling the io controller), then
9260 * issued bios will be associated with the closest cgroup later in the
9264 ctx->sqo_blkcg_css = blkcg_css();
9265 ret = css_tryget_online(ctx->sqo_blkcg_css);
9268 /* don't init against a dying cgroup, have the user try again */
9269 ctx->sqo_blkcg_css = NULL;
9276 * Account memory _before_ installing the file descriptor. Once
9277 * the descriptor is installed, it can get closed at any time. Also
9278 * do this before hitting the general error path, as ring freeing
9279 * will un-account as well.
9281 io_account_mem(ctx, ring_pages(p->sq_entries, p->cq_entries),
9283 ctx->limit_mem = limit_mem;
9285 ret = io_allocate_scq_urings(ctx, p);
9289 ret = io_sq_offload_create(ctx, p);
9293 if (!(p->flags & IORING_SETUP_R_DISABLED))
9294 io_sq_offload_start(ctx);
9296 memset(&p->sq_off, 0, sizeof(p->sq_off));
9297 p->sq_off.head = offsetof(struct io_rings, sq.head);
9298 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
9299 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
9300 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
9301 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
9302 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
9303 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
9305 memset(&p->cq_off, 0, sizeof(p->cq_off));
9306 p->cq_off.head = offsetof(struct io_rings, cq.head);
9307 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
9308 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
9309 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
9310 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
9311 p->cq_off.cqes = offsetof(struct io_rings, cqes);
9312 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
9314 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
9315 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
9316 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
9317 IORING_FEAT_POLL_32BITS;
9319 if (copy_to_user(params, p, sizeof(*p))) {
9325 * Install ring fd as the very last thing, so we don't risk someone
9326 * having closed it before we finish setup
9328 ret = io_uring_get_fd(ctx);
9332 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
9335 io_ring_ctx_wait_and_kill(ctx);
9340 * Sets up an aio uring context, and returns the fd. Applications asks for a
9341 * ring size, we return the actual sq/cq ring sizes (among other things) in the
9342 * params structure passed in.
9344 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
9346 struct io_uring_params p;
9349 if (copy_from_user(&p, params, sizeof(p)))
9351 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
9356 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
9357 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
9358 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ |
9359 IORING_SETUP_R_DISABLED))
9362 return io_uring_create(entries, &p, params);
9365 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
9366 struct io_uring_params __user *, params)
9368 return io_uring_setup(entries, params);
9371 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
9373 struct io_uring_probe *p;
9377 size = struct_size(p, ops, nr_args);
9378 if (size == SIZE_MAX)
9380 p = kzalloc(size, GFP_KERNEL);
9385 if (copy_from_user(p, arg, size))
9388 if (memchr_inv(p, 0, size))
9391 p->last_op = IORING_OP_LAST - 1;
9392 if (nr_args > IORING_OP_LAST)
9393 nr_args = IORING_OP_LAST;
9395 for (i = 0; i < nr_args; i++) {
9397 if (!io_op_defs[i].not_supported)
9398 p->ops[i].flags = IO_URING_OP_SUPPORTED;
9403 if (copy_to_user(arg, p, size))
9410 static int io_register_personality(struct io_ring_ctx *ctx)
9412 struct io_identity *id;
9415 id = kmalloc(sizeof(*id), GFP_KERNEL);
9419 io_init_identity(id);
9420 id->creds = get_current_cred();
9422 ret = idr_alloc_cyclic(&ctx->personality_idr, id, 1, USHRT_MAX, GFP_KERNEL);
9424 put_cred(id->creds);
9430 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
9432 struct io_identity *iod;
9434 iod = idr_remove(&ctx->personality_idr, id);
9436 put_cred(iod->creds);
9437 if (refcount_dec_and_test(&iod->count))
9445 static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg,
9446 unsigned int nr_args)
9448 struct io_uring_restriction *res;
9452 /* Restrictions allowed only if rings started disabled */
9453 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9456 /* We allow only a single restrictions registration */
9457 if (ctx->restrictions.registered)
9460 if (!arg || nr_args > IORING_MAX_RESTRICTIONS)
9463 size = array_size(nr_args, sizeof(*res));
9464 if (size == SIZE_MAX)
9467 res = memdup_user(arg, size);
9469 return PTR_ERR(res);
9473 for (i = 0; i < nr_args; i++) {
9474 switch (res[i].opcode) {
9475 case IORING_RESTRICTION_REGISTER_OP:
9476 if (res[i].register_op >= IORING_REGISTER_LAST) {
9481 __set_bit(res[i].register_op,
9482 ctx->restrictions.register_op);
9484 case IORING_RESTRICTION_SQE_OP:
9485 if (res[i].sqe_op >= IORING_OP_LAST) {
9490 __set_bit(res[i].sqe_op, ctx->restrictions.sqe_op);
9492 case IORING_RESTRICTION_SQE_FLAGS_ALLOWED:
9493 ctx->restrictions.sqe_flags_allowed = res[i].sqe_flags;
9495 case IORING_RESTRICTION_SQE_FLAGS_REQUIRED:
9496 ctx->restrictions.sqe_flags_required = res[i].sqe_flags;
9505 /* Reset all restrictions if an error happened */
9507 memset(&ctx->restrictions, 0, sizeof(ctx->restrictions));
9509 ctx->restrictions.registered = true;
9515 static int io_register_enable_rings(struct io_ring_ctx *ctx)
9517 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
9520 if (ctx->restrictions.registered)
9521 ctx->restricted = 1;
9523 ctx->flags &= ~IORING_SETUP_R_DISABLED;
9525 io_sq_offload_start(ctx);
9530 static bool io_register_op_must_quiesce(int op)
9533 case IORING_UNREGISTER_FILES:
9534 case IORING_REGISTER_FILES_UPDATE:
9535 case IORING_REGISTER_PROBE:
9536 case IORING_REGISTER_PERSONALITY:
9537 case IORING_UNREGISTER_PERSONALITY:
9544 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
9545 void __user *arg, unsigned nr_args)
9546 __releases(ctx->uring_lock)
9547 __acquires(ctx->uring_lock)
9552 * We're inside the ring mutex, if the ref is already dying, then
9553 * someone else killed the ctx or is already going through
9554 * io_uring_register().
9556 if (percpu_ref_is_dying(&ctx->refs))
9559 if (io_register_op_must_quiesce(opcode)) {
9560 percpu_ref_kill(&ctx->refs);
9563 * Drop uring mutex before waiting for references to exit. If
9564 * another thread is currently inside io_uring_enter() it might
9565 * need to grab the uring_lock to make progress. If we hold it
9566 * here across the drain wait, then we can deadlock. It's safe
9567 * to drop the mutex here, since no new references will come in
9568 * after we've killed the percpu ref.
9570 mutex_unlock(&ctx->uring_lock);
9572 ret = wait_for_completion_interruptible(&ctx->ref_comp);
9575 ret = io_run_task_work_sig();
9580 mutex_lock(&ctx->uring_lock);
9583 percpu_ref_resurrect(&ctx->refs);
9588 if (ctx->restricted) {
9589 if (opcode >= IORING_REGISTER_LAST) {
9594 if (!test_bit(opcode, ctx->restrictions.register_op)) {
9601 case IORING_REGISTER_BUFFERS:
9602 ret = io_sqe_buffer_register(ctx, arg, nr_args);
9604 case IORING_UNREGISTER_BUFFERS:
9608 ret = io_sqe_buffer_unregister(ctx);
9610 case IORING_REGISTER_FILES:
9611 ret = io_sqe_files_register(ctx, arg, nr_args);
9613 case IORING_UNREGISTER_FILES:
9617 ret = io_sqe_files_unregister(ctx);
9619 case IORING_REGISTER_FILES_UPDATE:
9620 ret = io_sqe_files_update(ctx, arg, nr_args);
9622 case IORING_REGISTER_EVENTFD:
9623 case IORING_REGISTER_EVENTFD_ASYNC:
9627 ret = io_eventfd_register(ctx, arg);
9630 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
9631 ctx->eventfd_async = 1;
9633 ctx->eventfd_async = 0;
9635 case IORING_UNREGISTER_EVENTFD:
9639 ret = io_eventfd_unregister(ctx);
9641 case IORING_REGISTER_PROBE:
9643 if (!arg || nr_args > 256)
9645 ret = io_probe(ctx, arg, nr_args);
9647 case IORING_REGISTER_PERSONALITY:
9651 ret = io_register_personality(ctx);
9653 case IORING_UNREGISTER_PERSONALITY:
9657 ret = io_unregister_personality(ctx, nr_args);
9659 case IORING_REGISTER_ENABLE_RINGS:
9663 ret = io_register_enable_rings(ctx);
9665 case IORING_REGISTER_RESTRICTIONS:
9666 ret = io_register_restrictions(ctx, arg, nr_args);
9674 if (io_register_op_must_quiesce(opcode)) {
9675 /* bring the ctx back to life */
9676 percpu_ref_reinit(&ctx->refs);
9678 reinit_completion(&ctx->ref_comp);
9683 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
9684 void __user *, arg, unsigned int, nr_args)
9686 struct io_ring_ctx *ctx;
9695 if (f.file->f_op != &io_uring_fops)
9698 ctx = f.file->private_data;
9700 mutex_lock(&ctx->uring_lock);
9701 ret = __io_uring_register(ctx, opcode, arg, nr_args);
9702 mutex_unlock(&ctx->uring_lock);
9703 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
9704 ctx->cq_ev_fd != NULL, ret);
9710 static int __init io_uring_init(void)
9712 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
9713 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
9714 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
9717 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
9718 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
9719 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
9720 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
9721 BUILD_BUG_SQE_ELEM(1, __u8, flags);
9722 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
9723 BUILD_BUG_SQE_ELEM(4, __s32, fd);
9724 BUILD_BUG_SQE_ELEM(8, __u64, off);
9725 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
9726 BUILD_BUG_SQE_ELEM(16, __u64, addr);
9727 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
9728 BUILD_BUG_SQE_ELEM(24, __u32, len);
9729 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
9730 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
9731 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
9732 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
9733 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
9734 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
9735 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
9736 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
9737 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
9738 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
9739 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
9740 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
9741 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
9742 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
9743 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
9744 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
9745 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
9746 BUILD_BUG_SQE_ELEM(42, __u16, personality);
9747 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
9749 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
9750 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
9751 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
9754 __initcall(io_uring_init);
projects / linux-2.6-microblaze.git / blob