Commit | Line | Data |
---|---|---|
2b188cc1 JA |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * Shared application/kernel submission and completion ring pairs, for | |
4 | * supporting fast/efficient IO. | |
5 | * | |
6 | * A note on the read/write ordering memory barriers that are matched between | |
7 | * the application and kernel side. When the application reads the CQ ring | |
8 | * tail, it must use an appropriate smp_rmb() to order with the smp_wmb() | |
9 | * the kernel uses after writing the tail. Failure to do so could cause a | |
10 | * delay in when the application notices that completion events available. | |
11 | * This isn't a fatal condition. Likewise, the application must use an | |
12 | * appropriate smp_wmb() both before writing the SQ tail, and after writing | |
13 | * the SQ tail. The first one orders the sqe writes with the tail write, and | |
14 | * the latter is paired with the smp_rmb() the kernel will issue before | |
15 | * reading the SQ tail on submission. | |
16 | * | |
17 | * Also see the examples in the liburing library: | |
18 | * | |
19 | * git://git.kernel.dk/liburing | |
20 | * | |
21 | * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens | |
22 | * from data shared between the kernel and application. This is done both | |
23 | * for ordering purposes, but also to ensure that once a value is loaded from | |
24 | * data that the application could potentially modify, it remains stable. | |
25 | * | |
26 | * Copyright (C) 2018-2019 Jens Axboe | |
c992fe29 | 27 | * Copyright (c) 2018-2019 Christoph Hellwig |
2b188cc1 JA |
28 | */ |
29 | #include <linux/kernel.h> | |
30 | #include <linux/init.h> | |
31 | #include <linux/errno.h> | |
32 | #include <linux/syscalls.h> | |
33 | #include <linux/compat.h> | |
34 | #include <linux/refcount.h> | |
35 | #include <linux/uio.h> | |
36 | ||
37 | #include <linux/sched/signal.h> | |
38 | #include <linux/fs.h> | |
39 | #include <linux/file.h> | |
40 | #include <linux/fdtable.h> | |
41 | #include <linux/mm.h> | |
42 | #include <linux/mman.h> | |
43 | #include <linux/mmu_context.h> | |
44 | #include <linux/percpu.h> | |
45 | #include <linux/slab.h> | |
46 | #include <linux/workqueue.h> | |
47 | #include <linux/blkdev.h> | |
48 | #include <linux/net.h> | |
49 | #include <net/sock.h> | |
50 | #include <net/af_unix.h> | |
51 | #include <linux/anon_inodes.h> | |
52 | #include <linux/sched/mm.h> | |
53 | #include <linux/uaccess.h> | |
54 | #include <linux/nospec.h> | |
55 | ||
56 | #include <uapi/linux/io_uring.h> | |
57 | ||
58 | #include "internal.h" | |
59 | ||
60 | #define IORING_MAX_ENTRIES 4096 | |
61 | ||
62 | struct io_uring { | |
63 | u32 head ____cacheline_aligned_in_smp; | |
64 | u32 tail ____cacheline_aligned_in_smp; | |
65 | }; | |
66 | ||
67 | struct io_sq_ring { | |
68 | struct io_uring r; | |
69 | u32 ring_mask; | |
70 | u32 ring_entries; | |
71 | u32 dropped; | |
72 | u32 flags; | |
73 | u32 array[]; | |
74 | }; | |
75 | ||
76 | struct io_cq_ring { | |
77 | struct io_uring r; | |
78 | u32 ring_mask; | |
79 | u32 ring_entries; | |
80 | u32 overflow; | |
81 | struct io_uring_cqe cqes[]; | |
82 | }; | |
83 | ||
84 | struct io_ring_ctx { | |
85 | struct { | |
86 | struct percpu_ref refs; | |
87 | } ____cacheline_aligned_in_smp; | |
88 | ||
89 | struct { | |
90 | unsigned int flags; | |
91 | bool compat; | |
92 | bool account_mem; | |
93 | ||
94 | /* SQ ring */ | |
95 | struct io_sq_ring *sq_ring; | |
96 | unsigned cached_sq_head; | |
97 | unsigned sq_entries; | |
98 | unsigned sq_mask; | |
99 | struct io_uring_sqe *sq_sqes; | |
100 | } ____cacheline_aligned_in_smp; | |
101 | ||
102 | /* IO offload */ | |
103 | struct workqueue_struct *sqo_wq; | |
104 | struct mm_struct *sqo_mm; | |
105 | ||
106 | struct { | |
107 | /* CQ ring */ | |
108 | struct io_cq_ring *cq_ring; | |
109 | unsigned cached_cq_tail; | |
110 | unsigned cq_entries; | |
111 | unsigned cq_mask; | |
112 | struct wait_queue_head cq_wait; | |
113 | struct fasync_struct *cq_fasync; | |
114 | } ____cacheline_aligned_in_smp; | |
115 | ||
116 | struct user_struct *user; | |
117 | ||
118 | struct completion ctx_done; | |
119 | ||
120 | struct { | |
121 | struct mutex uring_lock; | |
122 | wait_queue_head_t wait; | |
123 | } ____cacheline_aligned_in_smp; | |
124 | ||
125 | struct { | |
126 | spinlock_t completion_lock; | |
def596e9 JA |
127 | bool poll_multi_file; |
128 | /* | |
129 | * ->poll_list is protected by the ctx->uring_lock for | |
130 | * io_uring instances that don't use IORING_SETUP_SQPOLL. | |
131 | * For SQPOLL, only the single threaded io_sq_thread() will | |
132 | * manipulate the list, hence no extra locking is needed there. | |
133 | */ | |
134 | struct list_head poll_list; | |
2b188cc1 JA |
135 | } ____cacheline_aligned_in_smp; |
136 | ||
137 | #if defined(CONFIG_UNIX) | |
138 | struct socket *ring_sock; | |
139 | #endif | |
140 | }; | |
141 | ||
142 | struct sqe_submit { | |
143 | const struct io_uring_sqe *sqe; | |
144 | unsigned short index; | |
145 | bool has_user; | |
def596e9 | 146 | bool needs_lock; |
2b188cc1 JA |
147 | }; |
148 | ||
149 | struct io_kiocb { | |
150 | struct kiocb rw; | |
151 | ||
152 | struct sqe_submit submit; | |
153 | ||
154 | struct io_ring_ctx *ctx; | |
155 | struct list_head list; | |
156 | unsigned int flags; | |
157 | #define REQ_F_FORCE_NONBLOCK 1 /* inline submission attempt */ | |
def596e9 | 158 | #define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */ |
2b188cc1 | 159 | u64 user_data; |
def596e9 | 160 | u64 error; |
2b188cc1 JA |
161 | |
162 | struct work_struct work; | |
163 | }; | |
164 | ||
165 | #define IO_PLUG_THRESHOLD 2 | |
def596e9 | 166 | #define IO_IOPOLL_BATCH 8 |
2b188cc1 | 167 | |
9a56a232 JA |
168 | struct io_submit_state { |
169 | struct blk_plug plug; | |
170 | ||
171 | /* | |
172 | * File reference cache | |
173 | */ | |
174 | struct file *file; | |
175 | unsigned int fd; | |
176 | unsigned int has_refs; | |
177 | unsigned int used_refs; | |
178 | unsigned int ios_left; | |
179 | }; | |
180 | ||
2b188cc1 JA |
181 | static struct kmem_cache *req_cachep; |
182 | ||
183 | static const struct file_operations io_uring_fops; | |
184 | ||
185 | struct sock *io_uring_get_socket(struct file *file) | |
186 | { | |
187 | #if defined(CONFIG_UNIX) | |
188 | if (file->f_op == &io_uring_fops) { | |
189 | struct io_ring_ctx *ctx = file->private_data; | |
190 | ||
191 | return ctx->ring_sock->sk; | |
192 | } | |
193 | #endif | |
194 | return NULL; | |
195 | } | |
196 | EXPORT_SYMBOL(io_uring_get_socket); | |
197 | ||
198 | static void io_ring_ctx_ref_free(struct percpu_ref *ref) | |
199 | { | |
200 | struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs); | |
201 | ||
202 | complete(&ctx->ctx_done); | |
203 | } | |
204 | ||
205 | static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p) | |
206 | { | |
207 | struct io_ring_ctx *ctx; | |
208 | ||
209 | ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); | |
210 | if (!ctx) | |
211 | return NULL; | |
212 | ||
213 | if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free, 0, GFP_KERNEL)) { | |
214 | kfree(ctx); | |
215 | return NULL; | |
216 | } | |
217 | ||
218 | ctx->flags = p->flags; | |
219 | init_waitqueue_head(&ctx->cq_wait); | |
220 | init_completion(&ctx->ctx_done); | |
221 | mutex_init(&ctx->uring_lock); | |
222 | init_waitqueue_head(&ctx->wait); | |
223 | spin_lock_init(&ctx->completion_lock); | |
def596e9 | 224 | INIT_LIST_HEAD(&ctx->poll_list); |
2b188cc1 JA |
225 | return ctx; |
226 | } | |
227 | ||
228 | static void io_commit_cqring(struct io_ring_ctx *ctx) | |
229 | { | |
230 | struct io_cq_ring *ring = ctx->cq_ring; | |
231 | ||
232 | if (ctx->cached_cq_tail != READ_ONCE(ring->r.tail)) { | |
233 | /* order cqe stores with ring update */ | |
234 | smp_store_release(&ring->r.tail, ctx->cached_cq_tail); | |
235 | ||
236 | /* | |
237 | * Write sider barrier of tail update, app has read side. See | |
238 | * comment at the top of this file. | |
239 | */ | |
240 | smp_wmb(); | |
241 | ||
242 | if (wq_has_sleeper(&ctx->cq_wait)) { | |
243 | wake_up_interruptible(&ctx->cq_wait); | |
244 | kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN); | |
245 | } | |
246 | } | |
247 | } | |
248 | ||
249 | static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx) | |
250 | { | |
251 | struct io_cq_ring *ring = ctx->cq_ring; | |
252 | unsigned tail; | |
253 | ||
254 | tail = ctx->cached_cq_tail; | |
255 | /* See comment at the top of the file */ | |
256 | smp_rmb(); | |
257 | if (tail + 1 == READ_ONCE(ring->r.head)) | |
258 | return NULL; | |
259 | ||
260 | ctx->cached_cq_tail++; | |
261 | return &ring->cqes[tail & ctx->cq_mask]; | |
262 | } | |
263 | ||
264 | static void io_cqring_fill_event(struct io_ring_ctx *ctx, u64 ki_user_data, | |
265 | long res, unsigned ev_flags) | |
266 | { | |
267 | struct io_uring_cqe *cqe; | |
268 | ||
269 | /* | |
270 | * If we can't get a cq entry, userspace overflowed the | |
271 | * submission (by quite a lot). Increment the overflow count in | |
272 | * the ring. | |
273 | */ | |
274 | cqe = io_get_cqring(ctx); | |
275 | if (cqe) { | |
276 | WRITE_ONCE(cqe->user_data, ki_user_data); | |
277 | WRITE_ONCE(cqe->res, res); | |
278 | WRITE_ONCE(cqe->flags, ev_flags); | |
279 | } else { | |
280 | unsigned overflow = READ_ONCE(ctx->cq_ring->overflow); | |
281 | ||
282 | WRITE_ONCE(ctx->cq_ring->overflow, overflow + 1); | |
283 | } | |
284 | } | |
285 | ||
286 | static void io_cqring_add_event(struct io_ring_ctx *ctx, u64 ki_user_data, | |
287 | long res, unsigned ev_flags) | |
288 | { | |
289 | unsigned long flags; | |
290 | ||
291 | spin_lock_irqsave(&ctx->completion_lock, flags); | |
292 | io_cqring_fill_event(ctx, ki_user_data, res, ev_flags); | |
293 | io_commit_cqring(ctx); | |
294 | spin_unlock_irqrestore(&ctx->completion_lock, flags); | |
295 | ||
296 | if (waitqueue_active(&ctx->wait)) | |
297 | wake_up(&ctx->wait); | |
298 | } | |
299 | ||
300 | static void io_ring_drop_ctx_refs(struct io_ring_ctx *ctx, unsigned refs) | |
301 | { | |
302 | percpu_ref_put_many(&ctx->refs, refs); | |
303 | ||
304 | if (waitqueue_active(&ctx->wait)) | |
305 | wake_up(&ctx->wait); | |
306 | } | |
307 | ||
308 | static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx) | |
309 | { | |
310 | struct io_kiocb *req; | |
311 | ||
312 | if (!percpu_ref_tryget(&ctx->refs)) | |
313 | return NULL; | |
314 | ||
315 | req = kmem_cache_alloc(req_cachep, __GFP_NOWARN); | |
316 | if (req) { | |
317 | req->ctx = ctx; | |
318 | req->flags = 0; | |
319 | return req; | |
320 | } | |
321 | ||
322 | io_ring_drop_ctx_refs(ctx, 1); | |
323 | return NULL; | |
324 | } | |
325 | ||
def596e9 JA |
326 | static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr) |
327 | { | |
328 | if (*nr) { | |
329 | kmem_cache_free_bulk(req_cachep, *nr, reqs); | |
330 | io_ring_drop_ctx_refs(ctx, *nr); | |
331 | *nr = 0; | |
332 | } | |
333 | } | |
334 | ||
2b188cc1 JA |
335 | static void io_free_req(struct io_kiocb *req) |
336 | { | |
337 | io_ring_drop_ctx_refs(req->ctx, 1); | |
338 | kmem_cache_free(req_cachep, req); | |
339 | } | |
340 | ||
def596e9 JA |
341 | /* |
342 | * Find and free completed poll iocbs | |
343 | */ | |
344 | static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events, | |
345 | struct list_head *done) | |
346 | { | |
347 | void *reqs[IO_IOPOLL_BATCH]; | |
9a56a232 JA |
348 | int file_count, to_free; |
349 | struct file *file = NULL; | |
def596e9 | 350 | struct io_kiocb *req; |
def596e9 | 351 | |
9a56a232 | 352 | file_count = to_free = 0; |
def596e9 JA |
353 | while (!list_empty(done)) { |
354 | req = list_first_entry(done, struct io_kiocb, list); | |
355 | list_del(&req->list); | |
356 | ||
357 | io_cqring_fill_event(ctx, req->user_data, req->error, 0); | |
358 | ||
359 | reqs[to_free++] = req; | |
360 | (*nr_events)++; | |
361 | ||
9a56a232 JA |
362 | /* |
363 | * Batched puts of the same file, to avoid dirtying the | |
364 | * file usage count multiple times, if avoidable. | |
365 | */ | |
366 | if (!file) { | |
367 | file = req->rw.ki_filp; | |
368 | file_count = 1; | |
369 | } else if (file == req->rw.ki_filp) { | |
370 | file_count++; | |
371 | } else { | |
372 | fput_many(file, file_count); | |
373 | file = req->rw.ki_filp; | |
374 | file_count = 1; | |
375 | } | |
376 | ||
def596e9 JA |
377 | if (to_free == ARRAY_SIZE(reqs)) |
378 | io_free_req_many(ctx, reqs, &to_free); | |
379 | } | |
380 | io_commit_cqring(ctx); | |
381 | ||
9a56a232 JA |
382 | if (file) |
383 | fput_many(file, file_count); | |
def596e9 JA |
384 | io_free_req_many(ctx, reqs, &to_free); |
385 | } | |
386 | ||
387 | static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events, | |
388 | long min) | |
389 | { | |
390 | struct io_kiocb *req, *tmp; | |
391 | LIST_HEAD(done); | |
392 | bool spin; | |
393 | int ret; | |
394 | ||
395 | /* | |
396 | * Only spin for completions if we don't have multiple devices hanging | |
397 | * off our complete list, and we're under the requested amount. | |
398 | */ | |
399 | spin = !ctx->poll_multi_file && *nr_events < min; | |
400 | ||
401 | ret = 0; | |
402 | list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) { | |
403 | struct kiocb *kiocb = &req->rw; | |
404 | ||
405 | /* | |
406 | * Move completed entries to our local list. If we find a | |
407 | * request that requires polling, break out and complete | |
408 | * the done list first, if we have entries there. | |
409 | */ | |
410 | if (req->flags & REQ_F_IOPOLL_COMPLETED) { | |
411 | list_move_tail(&req->list, &done); | |
412 | continue; | |
413 | } | |
414 | if (!list_empty(&done)) | |
415 | break; | |
416 | ||
417 | ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin); | |
418 | if (ret < 0) | |
419 | break; | |
420 | ||
421 | if (ret && spin) | |
422 | spin = false; | |
423 | ret = 0; | |
424 | } | |
425 | ||
426 | if (!list_empty(&done)) | |
427 | io_iopoll_complete(ctx, nr_events, &done); | |
428 | ||
429 | return ret; | |
430 | } | |
431 | ||
432 | /* | |
433 | * Poll for a mininum of 'min' events. Note that if min == 0 we consider that a | |
434 | * non-spinning poll check - we'll still enter the driver poll loop, but only | |
435 | * as a non-spinning completion check. | |
436 | */ | |
437 | static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events, | |
438 | long min) | |
439 | { | |
440 | while (!list_empty(&ctx->poll_list)) { | |
441 | int ret; | |
442 | ||
443 | ret = io_do_iopoll(ctx, nr_events, min); | |
444 | if (ret < 0) | |
445 | return ret; | |
446 | if (!min || *nr_events >= min) | |
447 | return 0; | |
448 | } | |
449 | ||
450 | return 1; | |
451 | } | |
452 | ||
453 | /* | |
454 | * We can't just wait for polled events to come to us, we have to actively | |
455 | * find and complete them. | |
456 | */ | |
457 | static void io_iopoll_reap_events(struct io_ring_ctx *ctx) | |
458 | { | |
459 | if (!(ctx->flags & IORING_SETUP_IOPOLL)) | |
460 | return; | |
461 | ||
462 | mutex_lock(&ctx->uring_lock); | |
463 | while (!list_empty(&ctx->poll_list)) { | |
464 | unsigned int nr_events = 0; | |
465 | ||
466 | io_iopoll_getevents(ctx, &nr_events, 1); | |
467 | } | |
468 | mutex_unlock(&ctx->uring_lock); | |
469 | } | |
470 | ||
471 | static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events, | |
472 | long min) | |
473 | { | |
474 | int ret = 0; | |
475 | ||
476 | do { | |
477 | int tmin = 0; | |
478 | ||
479 | if (*nr_events < min) | |
480 | tmin = min - *nr_events; | |
481 | ||
482 | ret = io_iopoll_getevents(ctx, nr_events, tmin); | |
483 | if (ret <= 0) | |
484 | break; | |
485 | ret = 0; | |
486 | } while (min && !*nr_events && !need_resched()); | |
487 | ||
488 | return ret; | |
489 | } | |
490 | ||
2b188cc1 JA |
491 | static void kiocb_end_write(struct kiocb *kiocb) |
492 | { | |
493 | if (kiocb->ki_flags & IOCB_WRITE) { | |
494 | struct inode *inode = file_inode(kiocb->ki_filp); | |
495 | ||
496 | /* | |
497 | * Tell lockdep we inherited freeze protection from submission | |
498 | * thread. | |
499 | */ | |
500 | if (S_ISREG(inode->i_mode)) | |
501 | __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE); | |
502 | file_end_write(kiocb->ki_filp); | |
503 | } | |
504 | } | |
505 | ||
506 | static void io_complete_rw(struct kiocb *kiocb, long res, long res2) | |
507 | { | |
508 | struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw); | |
509 | ||
510 | kiocb_end_write(kiocb); | |
511 | ||
512 | fput(kiocb->ki_filp); | |
513 | io_cqring_add_event(req->ctx, req->user_data, res, 0); | |
514 | io_free_req(req); | |
515 | } | |
516 | ||
def596e9 JA |
517 | static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2) |
518 | { | |
519 | struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw); | |
520 | ||
521 | kiocb_end_write(kiocb); | |
522 | ||
523 | req->error = res; | |
524 | if (res != -EAGAIN) | |
525 | req->flags |= REQ_F_IOPOLL_COMPLETED; | |
526 | } | |
527 | ||
528 | /* | |
529 | * After the iocb has been issued, it's safe to be found on the poll list. | |
530 | * Adding the kiocb to the list AFTER submission ensures that we don't | |
531 | * find it from a io_iopoll_getevents() thread before the issuer is done | |
532 | * accessing the kiocb cookie. | |
533 | */ | |
534 | static void io_iopoll_req_issued(struct io_kiocb *req) | |
535 | { | |
536 | struct io_ring_ctx *ctx = req->ctx; | |
537 | ||
538 | /* | |
539 | * Track whether we have multiple files in our lists. This will impact | |
540 | * how we do polling eventually, not spinning if we're on potentially | |
541 | * different devices. | |
542 | */ | |
543 | if (list_empty(&ctx->poll_list)) { | |
544 | ctx->poll_multi_file = false; | |
545 | } else if (!ctx->poll_multi_file) { | |
546 | struct io_kiocb *list_req; | |
547 | ||
548 | list_req = list_first_entry(&ctx->poll_list, struct io_kiocb, | |
549 | list); | |
550 | if (list_req->rw.ki_filp != req->rw.ki_filp) | |
551 | ctx->poll_multi_file = true; | |
552 | } | |
553 | ||
554 | /* | |
555 | * For fast devices, IO may have already completed. If it has, add | |
556 | * it to the front so we find it first. | |
557 | */ | |
558 | if (req->flags & REQ_F_IOPOLL_COMPLETED) | |
559 | list_add(&req->list, &ctx->poll_list); | |
560 | else | |
561 | list_add_tail(&req->list, &ctx->poll_list); | |
562 | } | |
563 | ||
9a56a232 JA |
564 | static void io_file_put(struct io_submit_state *state, struct file *file) |
565 | { | |
566 | if (!state) { | |
567 | fput(file); | |
568 | } else if (state->file) { | |
569 | int diff = state->has_refs - state->used_refs; | |
570 | ||
571 | if (diff) | |
572 | fput_many(state->file, diff); | |
573 | state->file = NULL; | |
574 | } | |
575 | } | |
576 | ||
577 | /* | |
578 | * Get as many references to a file as we have IOs left in this submission, | |
579 | * assuming most submissions are for one file, or at least that each file | |
580 | * has more than one submission. | |
581 | */ | |
582 | static struct file *io_file_get(struct io_submit_state *state, int fd) | |
583 | { | |
584 | if (!state) | |
585 | return fget(fd); | |
586 | ||
587 | if (state->file) { | |
588 | if (state->fd == fd) { | |
589 | state->used_refs++; | |
590 | state->ios_left--; | |
591 | return state->file; | |
592 | } | |
593 | io_file_put(state, NULL); | |
594 | } | |
595 | state->file = fget_many(fd, state->ios_left); | |
596 | if (!state->file) | |
597 | return NULL; | |
598 | ||
599 | state->fd = fd; | |
600 | state->has_refs = state->ios_left; | |
601 | state->used_refs = 1; | |
602 | state->ios_left--; | |
603 | return state->file; | |
604 | } | |
605 | ||
2b188cc1 JA |
606 | /* |
607 | * If we tracked the file through the SCM inflight mechanism, we could support | |
608 | * any file. For now, just ensure that anything potentially problematic is done | |
609 | * inline. | |
610 | */ | |
611 | static bool io_file_supports_async(struct file *file) | |
612 | { | |
613 | umode_t mode = file_inode(file)->i_mode; | |
614 | ||
615 | if (S_ISBLK(mode) || S_ISCHR(mode)) | |
616 | return true; | |
617 | if (S_ISREG(mode) && file->f_op != &io_uring_fops) | |
618 | return true; | |
619 | ||
620 | return false; | |
621 | } | |
622 | ||
623 | static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe, | |
9a56a232 | 624 | bool force_nonblock, struct io_submit_state *state) |
2b188cc1 | 625 | { |
def596e9 | 626 | struct io_ring_ctx *ctx = req->ctx; |
2b188cc1 JA |
627 | struct kiocb *kiocb = &req->rw; |
628 | unsigned ioprio; | |
629 | int fd, ret; | |
630 | ||
631 | /* For -EAGAIN retry, everything is already prepped */ | |
632 | if (kiocb->ki_filp) | |
633 | return 0; | |
634 | ||
635 | fd = READ_ONCE(sqe->fd); | |
9a56a232 | 636 | kiocb->ki_filp = io_file_get(state, fd); |
2b188cc1 JA |
637 | if (unlikely(!kiocb->ki_filp)) |
638 | return -EBADF; | |
639 | if (force_nonblock && !io_file_supports_async(kiocb->ki_filp)) | |
640 | force_nonblock = false; | |
641 | kiocb->ki_pos = READ_ONCE(sqe->off); | |
642 | kiocb->ki_flags = iocb_flags(kiocb->ki_filp); | |
643 | kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp)); | |
644 | ||
645 | ioprio = READ_ONCE(sqe->ioprio); | |
646 | if (ioprio) { | |
647 | ret = ioprio_check_cap(ioprio); | |
648 | if (ret) | |
649 | goto out_fput; | |
650 | ||
651 | kiocb->ki_ioprio = ioprio; | |
652 | } else | |
653 | kiocb->ki_ioprio = get_current_ioprio(); | |
654 | ||
655 | ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags)); | |
656 | if (unlikely(ret)) | |
657 | goto out_fput; | |
658 | if (force_nonblock) { | |
659 | kiocb->ki_flags |= IOCB_NOWAIT; | |
660 | req->flags |= REQ_F_FORCE_NONBLOCK; | |
661 | } | |
def596e9 JA |
662 | if (ctx->flags & IORING_SETUP_IOPOLL) { |
663 | ret = -EOPNOTSUPP; | |
664 | if (!(kiocb->ki_flags & IOCB_DIRECT) || | |
665 | !kiocb->ki_filp->f_op->iopoll) | |
666 | goto out_fput; | |
2b188cc1 | 667 | |
def596e9 JA |
668 | req->error = 0; |
669 | kiocb->ki_flags |= IOCB_HIPRI; | |
670 | kiocb->ki_complete = io_complete_rw_iopoll; | |
671 | } else { | |
672 | if (kiocb->ki_flags & IOCB_HIPRI) { | |
673 | ret = -EINVAL; | |
674 | goto out_fput; | |
675 | } | |
676 | kiocb->ki_complete = io_complete_rw; | |
677 | } | |
2b188cc1 JA |
678 | return 0; |
679 | out_fput: | |
9a56a232 JA |
680 | /* in case of error, we didn't use this file reference. drop it. */ |
681 | if (state) | |
682 | state->used_refs--; | |
683 | io_file_put(state, kiocb->ki_filp); | |
2b188cc1 JA |
684 | return ret; |
685 | } | |
686 | ||
687 | static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret) | |
688 | { | |
689 | switch (ret) { | |
690 | case -EIOCBQUEUED: | |
691 | break; | |
692 | case -ERESTARTSYS: | |
693 | case -ERESTARTNOINTR: | |
694 | case -ERESTARTNOHAND: | |
695 | case -ERESTART_RESTARTBLOCK: | |
696 | /* | |
697 | * We can't just restart the syscall, since previously | |
698 | * submitted sqes may already be in progress. Just fail this | |
699 | * IO with EINTR. | |
700 | */ | |
701 | ret = -EINTR; | |
702 | /* fall through */ | |
703 | default: | |
704 | kiocb->ki_complete(kiocb, ret, 0); | |
705 | } | |
706 | } | |
707 | ||
708 | static int io_import_iovec(struct io_ring_ctx *ctx, int rw, | |
709 | const struct sqe_submit *s, struct iovec **iovec, | |
710 | struct iov_iter *iter) | |
711 | { | |
712 | const struct io_uring_sqe *sqe = s->sqe; | |
713 | void __user *buf = u64_to_user_ptr(READ_ONCE(sqe->addr)); | |
714 | size_t sqe_len = READ_ONCE(sqe->len); | |
715 | ||
716 | if (!s->has_user) | |
717 | return -EFAULT; | |
718 | ||
719 | #ifdef CONFIG_COMPAT | |
720 | if (ctx->compat) | |
721 | return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV, | |
722 | iovec, iter); | |
723 | #endif | |
724 | ||
725 | return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter); | |
726 | } | |
727 | ||
728 | static ssize_t io_read(struct io_kiocb *req, const struct sqe_submit *s, | |
9a56a232 | 729 | bool force_nonblock, struct io_submit_state *state) |
2b188cc1 JA |
730 | { |
731 | struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs; | |
732 | struct kiocb *kiocb = &req->rw; | |
733 | struct iov_iter iter; | |
734 | struct file *file; | |
735 | ssize_t ret; | |
736 | ||
9a56a232 | 737 | ret = io_prep_rw(req, s->sqe, force_nonblock, state); |
2b188cc1 JA |
738 | if (ret) |
739 | return ret; | |
740 | file = kiocb->ki_filp; | |
741 | ||
742 | ret = -EBADF; | |
743 | if (unlikely(!(file->f_mode & FMODE_READ))) | |
744 | goto out_fput; | |
745 | ret = -EINVAL; | |
746 | if (unlikely(!file->f_op->read_iter)) | |
747 | goto out_fput; | |
748 | ||
749 | ret = io_import_iovec(req->ctx, READ, s, &iovec, &iter); | |
750 | if (ret) | |
751 | goto out_fput; | |
752 | ||
753 | ret = rw_verify_area(READ, file, &kiocb->ki_pos, iov_iter_count(&iter)); | |
754 | if (!ret) { | |
755 | ssize_t ret2; | |
756 | ||
757 | /* Catch -EAGAIN return for forced non-blocking submission */ | |
758 | ret2 = call_read_iter(file, kiocb, &iter); | |
759 | if (!force_nonblock || ret2 != -EAGAIN) | |
760 | io_rw_done(kiocb, ret2); | |
761 | else | |
762 | ret = -EAGAIN; | |
763 | } | |
764 | kfree(iovec); | |
765 | out_fput: | |
766 | /* Hold on to the file for -EAGAIN */ | |
767 | if (unlikely(ret && ret != -EAGAIN)) | |
768 | fput(file); | |
769 | return ret; | |
770 | } | |
771 | ||
772 | static ssize_t io_write(struct io_kiocb *req, const struct sqe_submit *s, | |
9a56a232 | 773 | bool force_nonblock, struct io_submit_state *state) |
2b188cc1 JA |
774 | { |
775 | struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs; | |
776 | struct kiocb *kiocb = &req->rw; | |
777 | struct iov_iter iter; | |
778 | struct file *file; | |
779 | ssize_t ret; | |
780 | ||
9a56a232 | 781 | ret = io_prep_rw(req, s->sqe, force_nonblock, state); |
2b188cc1 JA |
782 | if (ret) |
783 | return ret; | |
784 | /* Hold on to the file for -EAGAIN */ | |
785 | if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT)) | |
786 | return -EAGAIN; | |
787 | ||
788 | ret = -EBADF; | |
789 | file = kiocb->ki_filp; | |
790 | if (unlikely(!(file->f_mode & FMODE_WRITE))) | |
791 | goto out_fput; | |
792 | ret = -EINVAL; | |
793 | if (unlikely(!file->f_op->write_iter)) | |
794 | goto out_fput; | |
795 | ||
796 | ret = io_import_iovec(req->ctx, WRITE, s, &iovec, &iter); | |
797 | if (ret) | |
798 | goto out_fput; | |
799 | ||
800 | ret = rw_verify_area(WRITE, file, &kiocb->ki_pos, | |
801 | iov_iter_count(&iter)); | |
802 | if (!ret) { | |
803 | /* | |
804 | * Open-code file_start_write here to grab freeze protection, | |
805 | * which will be released by another thread in | |
806 | * io_complete_rw(). Fool lockdep by telling it the lock got | |
807 | * released so that it doesn't complain about the held lock when | |
808 | * we return to userspace. | |
809 | */ | |
810 | if (S_ISREG(file_inode(file)->i_mode)) { | |
811 | __sb_start_write(file_inode(file)->i_sb, | |
812 | SB_FREEZE_WRITE, true); | |
813 | __sb_writers_release(file_inode(file)->i_sb, | |
814 | SB_FREEZE_WRITE); | |
815 | } | |
816 | kiocb->ki_flags |= IOCB_WRITE; | |
817 | io_rw_done(kiocb, call_write_iter(file, kiocb, &iter)); | |
818 | } | |
819 | kfree(iovec); | |
820 | out_fput: | |
821 | if (unlikely(ret)) | |
822 | fput(file); | |
823 | return ret; | |
824 | } | |
825 | ||
826 | /* | |
827 | * IORING_OP_NOP just posts a completion event, nothing else. | |
828 | */ | |
829 | static int io_nop(struct io_kiocb *req, u64 user_data) | |
830 | { | |
831 | struct io_ring_ctx *ctx = req->ctx; | |
832 | long err = 0; | |
833 | ||
def596e9 JA |
834 | if (unlikely(ctx->flags & IORING_SETUP_IOPOLL)) |
835 | return -EINVAL; | |
836 | ||
2b188cc1 JA |
837 | /* |
838 | * Twilight zone - it's possible that someone issued an opcode that | |
839 | * has a file attached, then got -EAGAIN on submission, and changed | |
840 | * the sqe before we retried it from async context. Avoid dropping | |
841 | * a file reference for this malicious case, and flag the error. | |
842 | */ | |
843 | if (req->rw.ki_filp) { | |
844 | err = -EBADF; | |
845 | fput(req->rw.ki_filp); | |
846 | } | |
847 | io_cqring_add_event(ctx, user_data, err, 0); | |
848 | io_free_req(req); | |
849 | return 0; | |
850 | } | |
851 | ||
c992fe29 CH |
852 | static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe) |
853 | { | |
854 | int fd; | |
855 | ||
856 | /* Prep already done */ | |
857 | if (req->rw.ki_filp) | |
858 | return 0; | |
859 | ||
def596e9 JA |
860 | if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL)) |
861 | return -EINVAL; | |
c992fe29 CH |
862 | if (unlikely(sqe->addr || sqe->ioprio)) |
863 | return -EINVAL; | |
864 | ||
865 | fd = READ_ONCE(sqe->fd); | |
866 | req->rw.ki_filp = fget(fd); | |
867 | if (unlikely(!req->rw.ki_filp)) | |
868 | return -EBADF; | |
869 | ||
870 | return 0; | |
871 | } | |
872 | ||
873 | static int io_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe, | |
874 | bool force_nonblock) | |
875 | { | |
876 | loff_t sqe_off = READ_ONCE(sqe->off); | |
877 | loff_t sqe_len = READ_ONCE(sqe->len); | |
878 | loff_t end = sqe_off + sqe_len; | |
879 | unsigned fsync_flags; | |
880 | int ret; | |
881 | ||
882 | fsync_flags = READ_ONCE(sqe->fsync_flags); | |
883 | if (unlikely(fsync_flags & ~IORING_FSYNC_DATASYNC)) | |
884 | return -EINVAL; | |
885 | ||
886 | ret = io_prep_fsync(req, sqe); | |
887 | if (ret) | |
888 | return ret; | |
889 | ||
890 | /* fsync always requires a blocking context */ | |
891 | if (force_nonblock) | |
892 | return -EAGAIN; | |
893 | ||
894 | ret = vfs_fsync_range(req->rw.ki_filp, sqe_off, | |
895 | end > 0 ? end : LLONG_MAX, | |
896 | fsync_flags & IORING_FSYNC_DATASYNC); | |
897 | ||
898 | fput(req->rw.ki_filp); | |
899 | io_cqring_add_event(req->ctx, sqe->user_data, ret, 0); | |
900 | io_free_req(req); | |
901 | return 0; | |
902 | } | |
903 | ||
2b188cc1 | 904 | static int __io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, |
9a56a232 JA |
905 | const struct sqe_submit *s, bool force_nonblock, |
906 | struct io_submit_state *state) | |
2b188cc1 JA |
907 | { |
908 | ssize_t ret; | |
909 | int opcode; | |
910 | ||
911 | if (unlikely(s->index >= ctx->sq_entries)) | |
912 | return -EINVAL; | |
913 | req->user_data = READ_ONCE(s->sqe->user_data); | |
914 | ||
915 | opcode = READ_ONCE(s->sqe->opcode); | |
916 | switch (opcode) { | |
917 | case IORING_OP_NOP: | |
918 | ret = io_nop(req, req->user_data); | |
919 | break; | |
920 | case IORING_OP_READV: | |
9a56a232 | 921 | ret = io_read(req, s, force_nonblock, state); |
2b188cc1 JA |
922 | break; |
923 | case IORING_OP_WRITEV: | |
9a56a232 | 924 | ret = io_write(req, s, force_nonblock, state); |
2b188cc1 | 925 | break; |
c992fe29 CH |
926 | case IORING_OP_FSYNC: |
927 | ret = io_fsync(req, s->sqe, force_nonblock); | |
928 | break; | |
2b188cc1 JA |
929 | default: |
930 | ret = -EINVAL; | |
931 | break; | |
932 | } | |
933 | ||
def596e9 JA |
934 | if (ret) |
935 | return ret; | |
936 | ||
937 | if (ctx->flags & IORING_SETUP_IOPOLL) { | |
938 | if (req->error == -EAGAIN) | |
939 | return -EAGAIN; | |
940 | ||
941 | /* workqueue context doesn't hold uring_lock, grab it now */ | |
942 | if (s->needs_lock) | |
943 | mutex_lock(&ctx->uring_lock); | |
944 | io_iopoll_req_issued(req); | |
945 | if (s->needs_lock) | |
946 | mutex_unlock(&ctx->uring_lock); | |
947 | } | |
948 | ||
949 | return 0; | |
2b188cc1 JA |
950 | } |
951 | ||
952 | static void io_sq_wq_submit_work(struct work_struct *work) | |
953 | { | |
954 | struct io_kiocb *req = container_of(work, struct io_kiocb, work); | |
955 | struct sqe_submit *s = &req->submit; | |
956 | const struct io_uring_sqe *sqe = s->sqe; | |
957 | struct io_ring_ctx *ctx = req->ctx; | |
958 | mm_segment_t old_fs = get_fs(); | |
959 | int ret; | |
960 | ||
961 | /* Ensure we clear previously set forced non-block flag */ | |
962 | req->flags &= ~REQ_F_FORCE_NONBLOCK; | |
963 | req->rw.ki_flags &= ~IOCB_NOWAIT; | |
964 | ||
965 | if (!mmget_not_zero(ctx->sqo_mm)) { | |
966 | ret = -EFAULT; | |
967 | goto err; | |
968 | } | |
969 | ||
970 | use_mm(ctx->sqo_mm); | |
971 | set_fs(USER_DS); | |
972 | s->has_user = true; | |
def596e9 | 973 | s->needs_lock = true; |
2b188cc1 | 974 | |
def596e9 | 975 | do { |
9a56a232 | 976 | ret = __io_submit_sqe(ctx, req, s, false, NULL); |
def596e9 JA |
977 | /* |
978 | * We can get EAGAIN for polled IO even though we're forcing | |
979 | * a sync submission from here, since we can't wait for | |
980 | * request slots on the block side. | |
981 | */ | |
982 | if (ret != -EAGAIN) | |
983 | break; | |
984 | cond_resched(); | |
985 | } while (1); | |
2b188cc1 JA |
986 | |
987 | set_fs(old_fs); | |
988 | unuse_mm(ctx->sqo_mm); | |
989 | mmput(ctx->sqo_mm); | |
990 | err: | |
991 | if (ret) { | |
992 | io_cqring_add_event(ctx, sqe->user_data, ret, 0); | |
993 | io_free_req(req); | |
994 | } | |
995 | ||
996 | /* async context always use a copy of the sqe */ | |
997 | kfree(sqe); | |
998 | } | |
999 | ||
9a56a232 JA |
1000 | static int io_submit_sqe(struct io_ring_ctx *ctx, struct sqe_submit *s, |
1001 | struct io_submit_state *state) | |
2b188cc1 JA |
1002 | { |
1003 | struct io_kiocb *req; | |
1004 | ssize_t ret; | |
1005 | ||
1006 | /* enforce forwards compatibility on users */ | |
1007 | if (unlikely(s->sqe->flags)) | |
1008 | return -EINVAL; | |
1009 | ||
1010 | req = io_get_req(ctx); | |
1011 | if (unlikely(!req)) | |
1012 | return -EAGAIN; | |
1013 | ||
1014 | req->rw.ki_filp = NULL; | |
1015 | ||
9a56a232 | 1016 | ret = __io_submit_sqe(ctx, req, s, true, state); |
2b188cc1 JA |
1017 | if (ret == -EAGAIN) { |
1018 | struct io_uring_sqe *sqe_copy; | |
1019 | ||
1020 | sqe_copy = kmalloc(sizeof(*sqe_copy), GFP_KERNEL); | |
1021 | if (sqe_copy) { | |
1022 | memcpy(sqe_copy, s->sqe, sizeof(*sqe_copy)); | |
1023 | s->sqe = sqe_copy; | |
1024 | ||
1025 | memcpy(&req->submit, s, sizeof(*s)); | |
1026 | INIT_WORK(&req->work, io_sq_wq_submit_work); | |
1027 | queue_work(ctx->sqo_wq, &req->work); | |
1028 | ret = 0; | |
1029 | } | |
1030 | } | |
1031 | if (ret) | |
1032 | io_free_req(req); | |
1033 | ||
1034 | return ret; | |
1035 | } | |
1036 | ||
9a56a232 JA |
1037 | /* |
1038 | * Batched submission is done, ensure local IO is flushed out. | |
1039 | */ | |
1040 | static void io_submit_state_end(struct io_submit_state *state) | |
1041 | { | |
1042 | blk_finish_plug(&state->plug); | |
1043 | io_file_put(state, NULL); | |
1044 | } | |
1045 | ||
1046 | /* | |
1047 | * Start submission side cache. | |
1048 | */ | |
1049 | static void io_submit_state_start(struct io_submit_state *state, | |
1050 | struct io_ring_ctx *ctx, unsigned max_ios) | |
1051 | { | |
1052 | blk_start_plug(&state->plug); | |
1053 | state->file = NULL; | |
1054 | state->ios_left = max_ios; | |
1055 | } | |
1056 | ||
2b188cc1 JA |
1057 | static void io_commit_sqring(struct io_ring_ctx *ctx) |
1058 | { | |
1059 | struct io_sq_ring *ring = ctx->sq_ring; | |
1060 | ||
1061 | if (ctx->cached_sq_head != READ_ONCE(ring->r.head)) { | |
1062 | /* | |
1063 | * Ensure any loads from the SQEs are done at this point, | |
1064 | * since once we write the new head, the application could | |
1065 | * write new data to them. | |
1066 | */ | |
1067 | smp_store_release(&ring->r.head, ctx->cached_sq_head); | |
1068 | ||
1069 | /* | |
1070 | * write side barrier of head update, app has read side. See | |
1071 | * comment at the top of this file | |
1072 | */ | |
1073 | smp_wmb(); | |
1074 | } | |
1075 | } | |
1076 | ||
1077 | /* | |
1078 | * Undo last io_get_sqring() | |
1079 | */ | |
1080 | static void io_drop_sqring(struct io_ring_ctx *ctx) | |
1081 | { | |
1082 | ctx->cached_sq_head--; | |
1083 | } | |
1084 | ||
1085 | /* | |
1086 | * Fetch an sqe, if one is available. Note that s->sqe will point to memory | |
1087 | * that is mapped by userspace. This means that care needs to be taken to | |
1088 | * ensure that reads are stable, as we cannot rely on userspace always | |
1089 | * being a good citizen. If members of the sqe are validated and then later | |
1090 | * used, it's important that those reads are done through READ_ONCE() to | |
1091 | * prevent a re-load down the line. | |
1092 | */ | |
1093 | static bool io_get_sqring(struct io_ring_ctx *ctx, struct sqe_submit *s) | |
1094 | { | |
1095 | struct io_sq_ring *ring = ctx->sq_ring; | |
1096 | unsigned head; | |
1097 | ||
1098 | /* | |
1099 | * The cached sq head (or cq tail) serves two purposes: | |
1100 | * | |
1101 | * 1) allows us to batch the cost of updating the user visible | |
1102 | * head updates. | |
1103 | * 2) allows the kernel side to track the head on its own, even | |
1104 | * though the application is the one updating it. | |
1105 | */ | |
1106 | head = ctx->cached_sq_head; | |
1107 | /* See comment at the top of this file */ | |
1108 | smp_rmb(); | |
1109 | if (head == READ_ONCE(ring->r.tail)) | |
1110 | return false; | |
1111 | ||
1112 | head = READ_ONCE(ring->array[head & ctx->sq_mask]); | |
1113 | if (head < ctx->sq_entries) { | |
1114 | s->index = head; | |
1115 | s->sqe = &ctx->sq_sqes[head]; | |
1116 | ctx->cached_sq_head++; | |
1117 | return true; | |
1118 | } | |
1119 | ||
1120 | /* drop invalid entries */ | |
1121 | ctx->cached_sq_head++; | |
1122 | ring->dropped++; | |
1123 | /* See comment at the top of this file */ | |
1124 | smp_wmb(); | |
1125 | return false; | |
1126 | } | |
1127 | ||
1128 | static int io_ring_submit(struct io_ring_ctx *ctx, unsigned int to_submit) | |
1129 | { | |
9a56a232 | 1130 | struct io_submit_state state, *statep = NULL; |
2b188cc1 | 1131 | int i, ret = 0, submit = 0; |
2b188cc1 | 1132 | |
9a56a232 JA |
1133 | if (to_submit > IO_PLUG_THRESHOLD) { |
1134 | io_submit_state_start(&state, ctx, to_submit); | |
1135 | statep = &state; | |
1136 | } | |
2b188cc1 JA |
1137 | |
1138 | for (i = 0; i < to_submit; i++) { | |
1139 | struct sqe_submit s; | |
1140 | ||
1141 | if (!io_get_sqring(ctx, &s)) | |
1142 | break; | |
1143 | ||
1144 | s.has_user = true; | |
def596e9 JA |
1145 | s.needs_lock = false; |
1146 | ||
9a56a232 | 1147 | ret = io_submit_sqe(ctx, &s, statep); |
2b188cc1 JA |
1148 | if (ret) { |
1149 | io_drop_sqring(ctx); | |
1150 | break; | |
1151 | } | |
1152 | ||
1153 | submit++; | |
1154 | } | |
1155 | io_commit_sqring(ctx); | |
1156 | ||
9a56a232 JA |
1157 | if (statep) |
1158 | io_submit_state_end(statep); | |
2b188cc1 JA |
1159 | |
1160 | return submit ? submit : ret; | |
1161 | } | |
1162 | ||
1163 | static unsigned io_cqring_events(struct io_cq_ring *ring) | |
1164 | { | |
1165 | return READ_ONCE(ring->r.tail) - READ_ONCE(ring->r.head); | |
1166 | } | |
1167 | ||
1168 | /* | |
1169 | * Wait until events become available, if we don't already have some. The | |
1170 | * application must reap them itself, as they reside on the shared cq ring. | |
1171 | */ | |
1172 | static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events, | |
1173 | const sigset_t __user *sig, size_t sigsz) | |
1174 | { | |
1175 | struct io_cq_ring *ring = ctx->cq_ring; | |
1176 | sigset_t ksigmask, sigsaved; | |
1177 | DEFINE_WAIT(wait); | |
1178 | int ret; | |
1179 | ||
1180 | /* See comment at the top of this file */ | |
1181 | smp_rmb(); | |
1182 | if (io_cqring_events(ring) >= min_events) | |
1183 | return 0; | |
1184 | ||
1185 | if (sig) { | |
1186 | ret = set_user_sigmask(sig, &ksigmask, &sigsaved, sigsz); | |
1187 | if (ret) | |
1188 | return ret; | |
1189 | } | |
1190 | ||
1191 | do { | |
1192 | prepare_to_wait(&ctx->wait, &wait, TASK_INTERRUPTIBLE); | |
1193 | ||
1194 | ret = 0; | |
1195 | /* See comment at the top of this file */ | |
1196 | smp_rmb(); | |
1197 | if (io_cqring_events(ring) >= min_events) | |
1198 | break; | |
1199 | ||
1200 | schedule(); | |
1201 | ||
1202 | ret = -EINTR; | |
1203 | if (signal_pending(current)) | |
1204 | break; | |
1205 | } while (1); | |
1206 | ||
1207 | finish_wait(&ctx->wait, &wait); | |
1208 | ||
1209 | if (sig) | |
1210 | restore_user_sigmask(sig, &sigsaved); | |
1211 | ||
1212 | return READ_ONCE(ring->r.head) == READ_ONCE(ring->r.tail) ? ret : 0; | |
1213 | } | |
1214 | ||
1215 | static int io_sq_offload_start(struct io_ring_ctx *ctx) | |
1216 | { | |
1217 | int ret; | |
1218 | ||
1219 | mmgrab(current->mm); | |
1220 | ctx->sqo_mm = current->mm; | |
1221 | ||
1222 | /* Do QD, or 2 * CPUS, whatever is smallest */ | |
1223 | ctx->sqo_wq = alloc_workqueue("io_ring-wq", WQ_UNBOUND | WQ_FREEZABLE, | |
1224 | min(ctx->sq_entries - 1, 2 * num_online_cpus())); | |
1225 | if (!ctx->sqo_wq) { | |
1226 | ret = -ENOMEM; | |
1227 | goto err; | |
1228 | } | |
1229 | ||
1230 | return 0; | |
1231 | err: | |
1232 | mmdrop(ctx->sqo_mm); | |
1233 | ctx->sqo_mm = NULL; | |
1234 | return ret; | |
1235 | } | |
1236 | ||
1237 | static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages) | |
1238 | { | |
1239 | atomic_long_sub(nr_pages, &user->locked_vm); | |
1240 | } | |
1241 | ||
1242 | static int io_account_mem(struct user_struct *user, unsigned long nr_pages) | |
1243 | { | |
1244 | unsigned long page_limit, cur_pages, new_pages; | |
1245 | ||
1246 | /* Don't allow more pages than we can safely lock */ | |
1247 | page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; | |
1248 | ||
1249 | do { | |
1250 | cur_pages = atomic_long_read(&user->locked_vm); | |
1251 | new_pages = cur_pages + nr_pages; | |
1252 | if (new_pages > page_limit) | |
1253 | return -ENOMEM; | |
1254 | } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages, | |
1255 | new_pages) != cur_pages); | |
1256 | ||
1257 | return 0; | |
1258 | } | |
1259 | ||
1260 | static void io_mem_free(void *ptr) | |
1261 | { | |
1262 | struct page *page = virt_to_head_page(ptr); | |
1263 | ||
1264 | if (put_page_testzero(page)) | |
1265 | free_compound_page(page); | |
1266 | } | |
1267 | ||
1268 | static void *io_mem_alloc(size_t size) | |
1269 | { | |
1270 | gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP | | |
1271 | __GFP_NORETRY; | |
1272 | ||
1273 | return (void *) __get_free_pages(gfp_flags, get_order(size)); | |
1274 | } | |
1275 | ||
1276 | static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries) | |
1277 | { | |
1278 | struct io_sq_ring *sq_ring; | |
1279 | struct io_cq_ring *cq_ring; | |
1280 | size_t bytes; | |
1281 | ||
1282 | bytes = struct_size(sq_ring, array, sq_entries); | |
1283 | bytes += array_size(sizeof(struct io_uring_sqe), sq_entries); | |
1284 | bytes += struct_size(cq_ring, cqes, cq_entries); | |
1285 | ||
1286 | return (bytes + PAGE_SIZE - 1) / PAGE_SIZE; | |
1287 | } | |
1288 | ||
1289 | static void io_ring_ctx_free(struct io_ring_ctx *ctx) | |
1290 | { | |
1291 | if (ctx->sqo_wq) | |
1292 | destroy_workqueue(ctx->sqo_wq); | |
1293 | if (ctx->sqo_mm) | |
1294 | mmdrop(ctx->sqo_mm); | |
def596e9 JA |
1295 | |
1296 | io_iopoll_reap_events(ctx); | |
1297 | ||
2b188cc1 JA |
1298 | #if defined(CONFIG_UNIX) |
1299 | if (ctx->ring_sock) | |
1300 | sock_release(ctx->ring_sock); | |
1301 | #endif | |
1302 | ||
1303 | io_mem_free(ctx->sq_ring); | |
1304 | io_mem_free(ctx->sq_sqes); | |
1305 | io_mem_free(ctx->cq_ring); | |
1306 | ||
1307 | percpu_ref_exit(&ctx->refs); | |
1308 | if (ctx->account_mem) | |
1309 | io_unaccount_mem(ctx->user, | |
1310 | ring_pages(ctx->sq_entries, ctx->cq_entries)); | |
1311 | free_uid(ctx->user); | |
1312 | kfree(ctx); | |
1313 | } | |
1314 | ||
1315 | static __poll_t io_uring_poll(struct file *file, poll_table *wait) | |
1316 | { | |
1317 | struct io_ring_ctx *ctx = file->private_data; | |
1318 | __poll_t mask = 0; | |
1319 | ||
1320 | poll_wait(file, &ctx->cq_wait, wait); | |
1321 | /* See comment at the top of this file */ | |
1322 | smp_rmb(); | |
1323 | if (READ_ONCE(ctx->sq_ring->r.tail) + 1 != ctx->cached_sq_head) | |
1324 | mask |= EPOLLOUT | EPOLLWRNORM; | |
1325 | if (READ_ONCE(ctx->cq_ring->r.head) != ctx->cached_cq_tail) | |
1326 | mask |= EPOLLIN | EPOLLRDNORM; | |
1327 | ||
1328 | return mask; | |
1329 | } | |
1330 | ||
1331 | static int io_uring_fasync(int fd, struct file *file, int on) | |
1332 | { | |
1333 | struct io_ring_ctx *ctx = file->private_data; | |
1334 | ||
1335 | return fasync_helper(fd, file, on, &ctx->cq_fasync); | |
1336 | } | |
1337 | ||
1338 | static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx) | |
1339 | { | |
1340 | mutex_lock(&ctx->uring_lock); | |
1341 | percpu_ref_kill(&ctx->refs); | |
1342 | mutex_unlock(&ctx->uring_lock); | |
1343 | ||
def596e9 | 1344 | io_iopoll_reap_events(ctx); |
2b188cc1 JA |
1345 | wait_for_completion(&ctx->ctx_done); |
1346 | io_ring_ctx_free(ctx); | |
1347 | } | |
1348 | ||
1349 | static int io_uring_release(struct inode *inode, struct file *file) | |
1350 | { | |
1351 | struct io_ring_ctx *ctx = file->private_data; | |
1352 | ||
1353 | file->private_data = NULL; | |
1354 | io_ring_ctx_wait_and_kill(ctx); | |
1355 | return 0; | |
1356 | } | |
1357 | ||
1358 | static int io_uring_mmap(struct file *file, struct vm_area_struct *vma) | |
1359 | { | |
1360 | loff_t offset = (loff_t) vma->vm_pgoff << PAGE_SHIFT; | |
1361 | unsigned long sz = vma->vm_end - vma->vm_start; | |
1362 | struct io_ring_ctx *ctx = file->private_data; | |
1363 | unsigned long pfn; | |
1364 | struct page *page; | |
1365 | void *ptr; | |
1366 | ||
1367 | switch (offset) { | |
1368 | case IORING_OFF_SQ_RING: | |
1369 | ptr = ctx->sq_ring; | |
1370 | break; | |
1371 | case IORING_OFF_SQES: | |
1372 | ptr = ctx->sq_sqes; | |
1373 | break; | |
1374 | case IORING_OFF_CQ_RING: | |
1375 | ptr = ctx->cq_ring; | |
1376 | break; | |
1377 | default: | |
1378 | return -EINVAL; | |
1379 | } | |
1380 | ||
1381 | page = virt_to_head_page(ptr); | |
1382 | if (sz > (PAGE_SIZE << compound_order(page))) | |
1383 | return -EINVAL; | |
1384 | ||
1385 | pfn = virt_to_phys(ptr) >> PAGE_SHIFT; | |
1386 | return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot); | |
1387 | } | |
1388 | ||
1389 | SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit, | |
1390 | u32, min_complete, u32, flags, const sigset_t __user *, sig, | |
1391 | size_t, sigsz) | |
1392 | { | |
1393 | struct io_ring_ctx *ctx; | |
1394 | long ret = -EBADF; | |
1395 | int submitted = 0; | |
1396 | struct fd f; | |
1397 | ||
1398 | if (flags & ~IORING_ENTER_GETEVENTS) | |
1399 | return -EINVAL; | |
1400 | ||
1401 | f = fdget(fd); | |
1402 | if (!f.file) | |
1403 | return -EBADF; | |
1404 | ||
1405 | ret = -EOPNOTSUPP; | |
1406 | if (f.file->f_op != &io_uring_fops) | |
1407 | goto out_fput; | |
1408 | ||
1409 | ret = -ENXIO; | |
1410 | ctx = f.file->private_data; | |
1411 | if (!percpu_ref_tryget(&ctx->refs)) | |
1412 | goto out_fput; | |
1413 | ||
1414 | ret = 0; | |
1415 | if (to_submit) { | |
1416 | to_submit = min(to_submit, ctx->sq_entries); | |
1417 | ||
1418 | mutex_lock(&ctx->uring_lock); | |
1419 | submitted = io_ring_submit(ctx, to_submit); | |
1420 | mutex_unlock(&ctx->uring_lock); | |
1421 | ||
1422 | if (submitted < 0) | |
1423 | goto out_ctx; | |
1424 | } | |
1425 | if (flags & IORING_ENTER_GETEVENTS) { | |
def596e9 JA |
1426 | unsigned nr_events = 0; |
1427 | ||
2b188cc1 JA |
1428 | min_complete = min(min_complete, ctx->cq_entries); |
1429 | ||
1430 | /* | |
1431 | * The application could have included the 'to_submit' count | |
1432 | * in how many events it wanted to wait for. If we failed to | |
1433 | * submit the desired count, we may need to adjust the number | |
1434 | * of events to poll/wait for. | |
1435 | */ | |
1436 | if (submitted < to_submit) | |
1437 | min_complete = min_t(unsigned, submitted, min_complete); | |
1438 | ||
def596e9 JA |
1439 | if (ctx->flags & IORING_SETUP_IOPOLL) { |
1440 | mutex_lock(&ctx->uring_lock); | |
1441 | ret = io_iopoll_check(ctx, &nr_events, min_complete); | |
1442 | mutex_unlock(&ctx->uring_lock); | |
1443 | } else { | |
1444 | ret = io_cqring_wait(ctx, min_complete, sig, sigsz); | |
1445 | } | |
2b188cc1 JA |
1446 | } |
1447 | ||
1448 | out_ctx: | |
1449 | io_ring_drop_ctx_refs(ctx, 1); | |
1450 | out_fput: | |
1451 | fdput(f); | |
1452 | return submitted ? submitted : ret; | |
1453 | } | |
1454 | ||
1455 | static const struct file_operations io_uring_fops = { | |
1456 | .release = io_uring_release, | |
1457 | .mmap = io_uring_mmap, | |
1458 | .poll = io_uring_poll, | |
1459 | .fasync = io_uring_fasync, | |
1460 | }; | |
1461 | ||
1462 | static int io_allocate_scq_urings(struct io_ring_ctx *ctx, | |
1463 | struct io_uring_params *p) | |
1464 | { | |
1465 | struct io_sq_ring *sq_ring; | |
1466 | struct io_cq_ring *cq_ring; | |
1467 | size_t size; | |
1468 | ||
1469 | sq_ring = io_mem_alloc(struct_size(sq_ring, array, p->sq_entries)); | |
1470 | if (!sq_ring) | |
1471 | return -ENOMEM; | |
1472 | ||
1473 | ctx->sq_ring = sq_ring; | |
1474 | sq_ring->ring_mask = p->sq_entries - 1; | |
1475 | sq_ring->ring_entries = p->sq_entries; | |
1476 | ctx->sq_mask = sq_ring->ring_mask; | |
1477 | ctx->sq_entries = sq_ring->ring_entries; | |
1478 | ||
1479 | size = array_size(sizeof(struct io_uring_sqe), p->sq_entries); | |
1480 | if (size == SIZE_MAX) | |
1481 | return -EOVERFLOW; | |
1482 | ||
1483 | ctx->sq_sqes = io_mem_alloc(size); | |
1484 | if (!ctx->sq_sqes) { | |
1485 | io_mem_free(ctx->sq_ring); | |
1486 | return -ENOMEM; | |
1487 | } | |
1488 | ||
1489 | cq_ring = io_mem_alloc(struct_size(cq_ring, cqes, p->cq_entries)); | |
1490 | if (!cq_ring) { | |
1491 | io_mem_free(ctx->sq_ring); | |
1492 | io_mem_free(ctx->sq_sqes); | |
1493 | return -ENOMEM; | |
1494 | } | |
1495 | ||
1496 | ctx->cq_ring = cq_ring; | |
1497 | cq_ring->ring_mask = p->cq_entries - 1; | |
1498 | cq_ring->ring_entries = p->cq_entries; | |
1499 | ctx->cq_mask = cq_ring->ring_mask; | |
1500 | ctx->cq_entries = cq_ring->ring_entries; | |
1501 | return 0; | |
1502 | } | |
1503 | ||
1504 | /* | |
1505 | * Allocate an anonymous fd, this is what constitutes the application | |
1506 | * visible backing of an io_uring instance. The application mmaps this | |
1507 | * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled, | |
1508 | * we have to tie this fd to a socket for file garbage collection purposes. | |
1509 | */ | |
1510 | static int io_uring_get_fd(struct io_ring_ctx *ctx) | |
1511 | { | |
1512 | struct file *file; | |
1513 | int ret; | |
1514 | ||
1515 | #if defined(CONFIG_UNIX) | |
1516 | ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP, | |
1517 | &ctx->ring_sock); | |
1518 | if (ret) | |
1519 | return ret; | |
1520 | #endif | |
1521 | ||
1522 | ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC); | |
1523 | if (ret < 0) | |
1524 | goto err; | |
1525 | ||
1526 | file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx, | |
1527 | O_RDWR | O_CLOEXEC); | |
1528 | if (IS_ERR(file)) { | |
1529 | put_unused_fd(ret); | |
1530 | ret = PTR_ERR(file); | |
1531 | goto err; | |
1532 | } | |
1533 | ||
1534 | #if defined(CONFIG_UNIX) | |
1535 | ctx->ring_sock->file = file; | |
1536 | #endif | |
1537 | fd_install(ret, file); | |
1538 | return ret; | |
1539 | err: | |
1540 | #if defined(CONFIG_UNIX) | |
1541 | sock_release(ctx->ring_sock); | |
1542 | ctx->ring_sock = NULL; | |
1543 | #endif | |
1544 | return ret; | |
1545 | } | |
1546 | ||
1547 | static int io_uring_create(unsigned entries, struct io_uring_params *p) | |
1548 | { | |
1549 | struct user_struct *user = NULL; | |
1550 | struct io_ring_ctx *ctx; | |
1551 | bool account_mem; | |
1552 | int ret; | |
1553 | ||
1554 | if (!entries || entries > IORING_MAX_ENTRIES) | |
1555 | return -EINVAL; | |
1556 | ||
1557 | /* | |
1558 | * Use twice as many entries for the CQ ring. It's possible for the | |
1559 | * application to drive a higher depth than the size of the SQ ring, | |
1560 | * since the sqes are only used at submission time. This allows for | |
1561 | * some flexibility in overcommitting a bit. | |
1562 | */ | |
1563 | p->sq_entries = roundup_pow_of_two(entries); | |
1564 | p->cq_entries = 2 * p->sq_entries; | |
1565 | ||
1566 | user = get_uid(current_user()); | |
1567 | account_mem = !capable(CAP_IPC_LOCK); | |
1568 | ||
1569 | if (account_mem) { | |
1570 | ret = io_account_mem(user, | |
1571 | ring_pages(p->sq_entries, p->cq_entries)); | |
1572 | if (ret) { | |
1573 | free_uid(user); | |
1574 | return ret; | |
1575 | } | |
1576 | } | |
1577 | ||
1578 | ctx = io_ring_ctx_alloc(p); | |
1579 | if (!ctx) { | |
1580 | if (account_mem) | |
1581 | io_unaccount_mem(user, ring_pages(p->sq_entries, | |
1582 | p->cq_entries)); | |
1583 | free_uid(user); | |
1584 | return -ENOMEM; | |
1585 | } | |
1586 | ctx->compat = in_compat_syscall(); | |
1587 | ctx->account_mem = account_mem; | |
1588 | ctx->user = user; | |
1589 | ||
1590 | ret = io_allocate_scq_urings(ctx, p); | |
1591 | if (ret) | |
1592 | goto err; | |
1593 | ||
1594 | ret = io_sq_offload_start(ctx); | |
1595 | if (ret) | |
1596 | goto err; | |
1597 | ||
1598 | ret = io_uring_get_fd(ctx); | |
1599 | if (ret < 0) | |
1600 | goto err; | |
1601 | ||
1602 | memset(&p->sq_off, 0, sizeof(p->sq_off)); | |
1603 | p->sq_off.head = offsetof(struct io_sq_ring, r.head); | |
1604 | p->sq_off.tail = offsetof(struct io_sq_ring, r.tail); | |
1605 | p->sq_off.ring_mask = offsetof(struct io_sq_ring, ring_mask); | |
1606 | p->sq_off.ring_entries = offsetof(struct io_sq_ring, ring_entries); | |
1607 | p->sq_off.flags = offsetof(struct io_sq_ring, flags); | |
1608 | p->sq_off.dropped = offsetof(struct io_sq_ring, dropped); | |
1609 | p->sq_off.array = offsetof(struct io_sq_ring, array); | |
1610 | ||
1611 | memset(&p->cq_off, 0, sizeof(p->cq_off)); | |
1612 | p->cq_off.head = offsetof(struct io_cq_ring, r.head); | |
1613 | p->cq_off.tail = offsetof(struct io_cq_ring, r.tail); | |
1614 | p->cq_off.ring_mask = offsetof(struct io_cq_ring, ring_mask); | |
1615 | p->cq_off.ring_entries = offsetof(struct io_cq_ring, ring_entries); | |
1616 | p->cq_off.overflow = offsetof(struct io_cq_ring, overflow); | |
1617 | p->cq_off.cqes = offsetof(struct io_cq_ring, cqes); | |
1618 | return ret; | |
1619 | err: | |
1620 | io_ring_ctx_wait_and_kill(ctx); | |
1621 | return ret; | |
1622 | } | |
1623 | ||
1624 | /* | |
1625 | * Sets up an aio uring context, and returns the fd. Applications asks for a | |
1626 | * ring size, we return the actual sq/cq ring sizes (among other things) in the | |
1627 | * params structure passed in. | |
1628 | */ | |
1629 | static long io_uring_setup(u32 entries, struct io_uring_params __user *params) | |
1630 | { | |
1631 | struct io_uring_params p; | |
1632 | long ret; | |
1633 | int i; | |
1634 | ||
1635 | if (copy_from_user(&p, params, sizeof(p))) | |
1636 | return -EFAULT; | |
1637 | for (i = 0; i < ARRAY_SIZE(p.resv); i++) { | |
1638 | if (p.resv[i]) | |
1639 | return -EINVAL; | |
1640 | } | |
1641 | ||
def596e9 | 1642 | if (p.flags & ~IORING_SETUP_IOPOLL) |
2b188cc1 JA |
1643 | return -EINVAL; |
1644 | ||
1645 | ret = io_uring_create(entries, &p); | |
1646 | if (ret < 0) | |
1647 | return ret; | |
1648 | ||
1649 | if (copy_to_user(params, &p, sizeof(p))) | |
1650 | return -EFAULT; | |
1651 | ||
1652 | return ret; | |
1653 | } | |
1654 | ||
1655 | SYSCALL_DEFINE2(io_uring_setup, u32, entries, | |
1656 | struct io_uring_params __user *, params) | |
1657 | { | |
1658 | return io_uring_setup(entries, params); | |
1659 | } | |
1660 | ||
1661 | static int __init io_uring_init(void) | |
1662 | { | |
1663 | req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC); | |
1664 | return 0; | |
1665 | }; | |
1666 | __initcall(io_uring_init); |