1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/namei.h>
9 #include <linux/poll.h>
10 #include <linux/vmalloc.h>
11 #include <linux/io_uring.h>
13 #include <uapi/linux/io_uring.h>
19 #define IO_BUFFER_LIST_BUF_PER_PAGE (PAGE_SIZE / sizeof(struct io_uring_buf))
21 /* BIDs are addressed by a 16-bit field in a CQE */
22 #define MAX_BIDS_PER_BGID (1 << 16)
24 struct kmem_cache *io_buf_cachep;
26 struct io_provide_buf {
36 struct hlist_node list;
42 static inline struct io_buffer_list *__io_buffer_get_list(struct io_ring_ctx *ctx,
45 return xa_load(&ctx->io_bl_xa, bgid);
48 static inline struct io_buffer_list *io_buffer_get_list(struct io_ring_ctx *ctx,
51 lockdep_assert_held(&ctx->uring_lock);
53 return __io_buffer_get_list(ctx, bgid);
56 static int io_buffer_add_list(struct io_ring_ctx *ctx,
57 struct io_buffer_list *bl, unsigned int bgid)
60 * Store buffer group ID and finally mark the list as visible.
61 * The normal lookup doesn't care about the visibility as we're
62 * always under the ->uring_lock, but the RCU lookup from mmap does.
65 atomic_set(&bl->refs, 1);
66 return xa_err(xa_store(&ctx->io_bl_xa, bgid, bl, GFP_KERNEL));
69 bool io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags)
71 struct io_ring_ctx *ctx = req->ctx;
72 struct io_buffer_list *bl;
73 struct io_buffer *buf;
75 io_ring_submit_lock(ctx, issue_flags);
78 bl = io_buffer_get_list(ctx, buf->bgid);
79 list_add(&buf->list, &bl->buf_list);
80 req->flags &= ~REQ_F_BUFFER_SELECTED;
81 req->buf_index = buf->bgid;
83 io_ring_submit_unlock(ctx, issue_flags);
87 void __io_put_kbuf(struct io_kiocb *req, unsigned issue_flags)
90 * We can add this buffer back to two lists:
92 * 1) The io_buffers_cache list. This one is protected by the
93 * ctx->uring_lock. If we already hold this lock, add back to this
94 * list as we can grab it from issue as well.
95 * 2) The io_buffers_comp list. This one is protected by the
96 * ctx->completion_lock.
98 * We migrate buffers from the comp_list to the issue cache list
101 if (issue_flags & IO_URING_F_UNLOCKED) {
102 struct io_ring_ctx *ctx = req->ctx;
104 spin_lock(&ctx->completion_lock);
105 __io_put_kbuf_list(req, &ctx->io_buffers_comp);
106 spin_unlock(&ctx->completion_lock);
108 lockdep_assert_held(&req->ctx->uring_lock);
110 __io_put_kbuf_list(req, &req->ctx->io_buffers_cache);
114 static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
115 struct io_buffer_list *bl)
117 if (!list_empty(&bl->buf_list)) {
118 struct io_buffer *kbuf;
120 kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
121 list_del(&kbuf->list);
122 if (*len == 0 || *len > kbuf->len)
124 if (list_empty(&bl->buf_list))
125 req->flags |= REQ_F_BL_EMPTY;
126 req->flags |= REQ_F_BUFFER_SELECTED;
128 req->buf_index = kbuf->bid;
129 return u64_to_user_ptr(kbuf->addr);
134 static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len,
135 struct io_buffer_list *bl,
136 unsigned int issue_flags)
138 struct io_uring_buf_ring *br = bl->buf_ring;
139 __u16 tail, head = bl->head;
140 struct io_uring_buf *buf;
142 tail = smp_load_acquire(&br->tail);
143 if (unlikely(tail == head))
146 if (head + 1 == tail)
147 req->flags |= REQ_F_BL_EMPTY;
150 buf = &br->bufs[head];
151 if (*len == 0 || *len > buf->len)
153 req->flags |= REQ_F_BUFFER_RING;
155 req->buf_index = buf->bid;
157 if (issue_flags & IO_URING_F_UNLOCKED || !io_file_can_poll(req)) {
159 * If we came in unlocked, we have no choice but to consume the
160 * buffer here, otherwise nothing ensures that the buffer won't
161 * get used by others. This does mean it'll be pinned until the
162 * IO completes, coming in unlocked means we're being called from
163 * io-wq context and there may be further retries in async hybrid
164 * mode. For the locked case, the caller must call commit when
165 * the transfer completes (or if we get -EAGAIN and must poll of
168 req->buf_list = NULL;
171 return u64_to_user_ptr(buf->addr);
174 void __user *io_buffer_select(struct io_kiocb *req, size_t *len,
175 unsigned int issue_flags)
177 struct io_ring_ctx *ctx = req->ctx;
178 struct io_buffer_list *bl;
179 void __user *ret = NULL;
181 io_ring_submit_lock(req->ctx, issue_flags);
183 bl = io_buffer_get_list(ctx, req->buf_index);
186 ret = io_ring_buffer_select(req, len, bl, issue_flags);
188 ret = io_provided_buffer_select(req, len, bl);
190 io_ring_submit_unlock(req->ctx, issue_flags);
195 * Mark the given mapped range as free for reuse
197 static void io_kbuf_mark_free(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
199 struct io_buf_free *ibf;
201 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
202 if (bl->buf_ring == ibf->mem) {
208 /* can't happen... */
212 static int __io_remove_buffers(struct io_ring_ctx *ctx,
213 struct io_buffer_list *bl, unsigned nbufs)
217 /* shouldn't happen */
221 if (bl->is_buf_ring) {
222 i = bl->buf_ring->tail - bl->head;
225 * io_kbuf_list_free() will free the page(s) at
228 io_kbuf_mark_free(ctx, bl);
231 } else if (bl->buf_nr_pages) {
234 for (j = 0; j < bl->buf_nr_pages; j++)
235 unpin_user_page(bl->buf_pages[j]);
236 kvfree(bl->buf_pages);
237 vunmap(bl->buf_ring);
238 bl->buf_pages = NULL;
239 bl->buf_nr_pages = 0;
241 /* make sure it's seen as empty */
242 INIT_LIST_HEAD(&bl->buf_list);
247 /* protects io_buffers_cache */
248 lockdep_assert_held(&ctx->uring_lock);
250 while (!list_empty(&bl->buf_list)) {
251 struct io_buffer *nxt;
253 nxt = list_first_entry(&bl->buf_list, struct io_buffer, list);
254 list_move(&nxt->list, &ctx->io_buffers_cache);
263 void io_put_bl(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
265 if (atomic_dec_and_test(&bl->refs)) {
266 __io_remove_buffers(ctx, bl, -1U);
271 void io_destroy_buffers(struct io_ring_ctx *ctx)
273 struct io_buffer_list *bl;
274 struct list_head *item, *tmp;
275 struct io_buffer *buf;
278 xa_for_each(&ctx->io_bl_xa, index, bl) {
279 xa_erase(&ctx->io_bl_xa, bl->bgid);
284 * Move deferred locked entries to cache before pruning
286 spin_lock(&ctx->completion_lock);
287 if (!list_empty(&ctx->io_buffers_comp))
288 list_splice_init(&ctx->io_buffers_comp, &ctx->io_buffers_cache);
289 spin_unlock(&ctx->completion_lock);
291 list_for_each_safe(item, tmp, &ctx->io_buffers_cache) {
292 buf = list_entry(item, struct io_buffer, list);
293 kmem_cache_free(io_buf_cachep, buf);
297 int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
299 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
302 if (sqe->rw_flags || sqe->addr || sqe->len || sqe->off ||
306 tmp = READ_ONCE(sqe->fd);
307 if (!tmp || tmp > MAX_BIDS_PER_BGID)
310 memset(p, 0, sizeof(*p));
312 p->bgid = READ_ONCE(sqe->buf_group);
316 int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
318 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
319 struct io_ring_ctx *ctx = req->ctx;
320 struct io_buffer_list *bl;
323 io_ring_submit_lock(ctx, issue_flags);
326 bl = io_buffer_get_list(ctx, p->bgid);
329 /* can't use provide/remove buffers command on mapped buffers */
330 if (!bl->is_buf_ring)
331 ret = __io_remove_buffers(ctx, bl, p->nbufs);
333 io_ring_submit_unlock(ctx, issue_flags);
336 io_req_set_res(req, ret, 0);
340 int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
342 unsigned long size, tmp_check;
343 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
346 if (sqe->rw_flags || sqe->splice_fd_in)
349 tmp = READ_ONCE(sqe->fd);
350 if (!tmp || tmp > MAX_BIDS_PER_BGID)
353 p->addr = READ_ONCE(sqe->addr);
354 p->len = READ_ONCE(sqe->len);
356 if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
359 if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
362 size = (unsigned long)p->len * p->nbufs;
363 if (!access_ok(u64_to_user_ptr(p->addr), size))
366 p->bgid = READ_ONCE(sqe->buf_group);
367 tmp = READ_ONCE(sqe->off);
370 if (tmp + p->nbufs > MAX_BIDS_PER_BGID)
376 #define IO_BUFFER_ALLOC_BATCH 64
378 static int io_refill_buffer_cache(struct io_ring_ctx *ctx)
380 struct io_buffer *bufs[IO_BUFFER_ALLOC_BATCH];
384 * Completions that don't happen inline (eg not under uring_lock) will
385 * add to ->io_buffers_comp. If we don't have any free buffers, check
386 * the completion list and splice those entries first.
388 if (!list_empty_careful(&ctx->io_buffers_comp)) {
389 spin_lock(&ctx->completion_lock);
390 if (!list_empty(&ctx->io_buffers_comp)) {
391 list_splice_init(&ctx->io_buffers_comp,
392 &ctx->io_buffers_cache);
393 spin_unlock(&ctx->completion_lock);
396 spin_unlock(&ctx->completion_lock);
400 * No free buffers and no completion entries either. Allocate a new
401 * batch of buffer entries and add those to our freelist.
404 allocated = kmem_cache_alloc_bulk(io_buf_cachep, GFP_KERNEL_ACCOUNT,
405 ARRAY_SIZE(bufs), (void **) bufs);
406 if (unlikely(!allocated)) {
408 * Bulk alloc is all-or-nothing. If we fail to get a batch,
409 * retry single alloc to be on the safe side.
411 bufs[0] = kmem_cache_alloc(io_buf_cachep, GFP_KERNEL);
418 list_add_tail(&bufs[--allocated]->list, &ctx->io_buffers_cache);
423 static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
424 struct io_buffer_list *bl)
426 struct io_buffer *buf;
427 u64 addr = pbuf->addr;
428 int i, bid = pbuf->bid;
430 for (i = 0; i < pbuf->nbufs; i++) {
431 if (list_empty(&ctx->io_buffers_cache) &&
432 io_refill_buffer_cache(ctx))
434 buf = list_first_entry(&ctx->io_buffers_cache, struct io_buffer,
436 list_move_tail(&buf->list, &bl->buf_list);
438 buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
440 buf->bgid = pbuf->bgid;
446 return i ? 0 : -ENOMEM;
449 int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
451 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
452 struct io_ring_ctx *ctx = req->ctx;
453 struct io_buffer_list *bl;
456 io_ring_submit_lock(ctx, issue_flags);
458 bl = io_buffer_get_list(ctx, p->bgid);
460 bl = kzalloc(sizeof(*bl), GFP_KERNEL_ACCOUNT);
465 INIT_LIST_HEAD(&bl->buf_list);
466 ret = io_buffer_add_list(ctx, bl, p->bgid);
469 * Doesn't need rcu free as it was never visible, but
470 * let's keep it consistent throughout.
476 /* can't add buffers via this command for a mapped buffer ring */
477 if (bl->is_buf_ring) {
482 ret = io_add_buffers(ctx, p, bl);
484 io_ring_submit_unlock(ctx, issue_flags);
488 io_req_set_res(req, ret, 0);
492 static int io_pin_pbuf_ring(struct io_uring_buf_reg *reg,
493 struct io_buffer_list *bl)
495 struct io_uring_buf_ring *br = NULL;
496 int nr_pages, ret, i;
499 pages = io_pin_pages(reg->ring_addr,
500 flex_array_size(br, bufs, reg->ring_entries),
503 return PTR_ERR(pages);
505 br = vmap(pages, nr_pages, VM_MAP, PAGE_KERNEL);
513 * On platforms that have specific aliasing requirements, SHM_COLOUR
514 * is set and we must guarantee that the kernel and user side align
515 * nicely. We cannot do that if IOU_PBUF_RING_MMAP isn't set and
516 * the application mmap's the provided ring buffer. Fail the request
517 * if we, by chance, don't end up with aligned addresses. The app
518 * should use IOU_PBUF_RING_MMAP instead, and liburing will handle
519 * this transparently.
521 if ((reg->ring_addr | (unsigned long) br) & (SHM_COLOUR - 1)) {
526 bl->buf_pages = pages;
527 bl->buf_nr_pages = nr_pages;
533 for (i = 0; i < nr_pages; i++)
534 unpin_user_page(pages[i]);
541 * See if we have a suitable region that we can reuse, rather than allocate
542 * both a new io_buf_free and mem region again. We leave it on the list as
543 * even a reused entry will need freeing at ring release.
545 static struct io_buf_free *io_lookup_buf_free_entry(struct io_ring_ctx *ctx,
548 struct io_buf_free *ibf, *best = NULL;
551 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
554 if (ibf->inuse || ibf->size < ring_size)
556 dist = ibf->size - ring_size;
557 if (!best || dist < best_dist) {
568 static int io_alloc_pbuf_ring(struct io_ring_ctx *ctx,
569 struct io_uring_buf_reg *reg,
570 struct io_buffer_list *bl)
572 struct io_buf_free *ibf;
576 ring_size = reg->ring_entries * sizeof(struct io_uring_buf_ring);
578 /* Reuse existing entry, if we can */
579 ibf = io_lookup_buf_free_entry(ctx, ring_size);
581 ptr = io_mem_alloc(ring_size);
585 /* Allocate and store deferred free entry */
586 ibf = kmalloc(sizeof(*ibf), GFP_KERNEL_ACCOUNT);
592 ibf->size = ring_size;
593 hlist_add_head(&ibf->list, &ctx->io_buf_list);
596 bl->buf_ring = ibf->mem;
602 int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
604 struct io_uring_buf_reg reg;
605 struct io_buffer_list *bl, *free_bl = NULL;
608 lockdep_assert_held(&ctx->uring_lock);
610 if (copy_from_user(®, arg, sizeof(reg)))
613 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
615 if (reg.flags & ~IOU_PBUF_RING_MMAP)
617 if (!(reg.flags & IOU_PBUF_RING_MMAP)) {
620 if (reg.ring_addr & ~PAGE_MASK)
627 if (!is_power_of_2(reg.ring_entries))
630 /* cannot disambiguate full vs empty due to head/tail size */
631 if (reg.ring_entries >= 65536)
634 bl = io_buffer_get_list(ctx, reg.bgid);
636 /* if mapped buffer ring OR classic exists, don't allow */
637 if (bl->is_buf_ring || !list_empty(&bl->buf_list))
640 free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
645 if (!(reg.flags & IOU_PBUF_RING_MMAP))
646 ret = io_pin_pbuf_ring(®, bl);
648 ret = io_alloc_pbuf_ring(ctx, ®, bl);
651 bl->nr_entries = reg.ring_entries;
652 bl->mask = reg.ring_entries - 1;
654 io_buffer_add_list(ctx, bl, reg.bgid);
658 kfree_rcu(free_bl, rcu);
662 int io_unregister_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
664 struct io_uring_buf_reg reg;
665 struct io_buffer_list *bl;
667 lockdep_assert_held(&ctx->uring_lock);
669 if (copy_from_user(®, arg, sizeof(reg)))
671 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
676 bl = io_buffer_get_list(ctx, reg.bgid);
679 if (!bl->is_buf_ring)
682 xa_erase(&ctx->io_bl_xa, bl->bgid);
687 int io_register_pbuf_status(struct io_ring_ctx *ctx, void __user *arg)
689 struct io_uring_buf_status buf_status;
690 struct io_buffer_list *bl;
693 if (copy_from_user(&buf_status, arg, sizeof(buf_status)))
696 for (i = 0; i < ARRAY_SIZE(buf_status.resv); i++)
697 if (buf_status.resv[i])
700 bl = io_buffer_get_list(ctx, buf_status.buf_group);
703 if (!bl->is_buf_ring)
706 buf_status.head = bl->head;
707 if (copy_to_user(arg, &buf_status, sizeof(buf_status)))
713 struct io_buffer_list *io_pbuf_get_bl(struct io_ring_ctx *ctx,
716 struct io_buffer_list *bl;
720 * We have to be a bit careful here - we're inside mmap and cannot grab
721 * the uring_lock. This means the buffer_list could be simultaneously
722 * going away, if someone is trying to be sneaky. Look it up under rcu
723 * so we know it's not going away, and attempt to grab a reference to
724 * it. If the ref is already zero, then fail the mapping. If successful,
725 * the caller will call io_put_bl() to drop the the reference at at the
726 * end. This may then safely free the buffer_list (and drop the pages)
727 * at that point, vm_insert_pages() would've already grabbed the
728 * necessary vma references.
731 bl = xa_load(&ctx->io_bl_xa, bgid);
732 /* must be a mmap'able buffer ring and have pages */
734 if (bl && bl->is_mmap)
735 ret = atomic_inc_not_zero(&bl->refs);
741 return ERR_PTR(-EINVAL);
745 * Called at or after ->release(), free the mmap'ed buffers that we used
746 * for memory mapped provided buffer rings.
748 void io_kbuf_mmap_list_free(struct io_ring_ctx *ctx)
750 struct io_buf_free *ibf;
751 struct hlist_node *tmp;
753 hlist_for_each_entry_safe(ibf, tmp, &ctx->io_buf_list, list) {
754 hlist_del(&ibf->list);
755 io_mem_free(ibf->mem);