projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fs: make build_open_flags() available internally
[linux-block.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
2b188cc1 73
c826bd7a
DD		 74#define CREATE_TRACE_POINTS
75#include <trace/events/io_uring.h>
76
2b188cc1
JA		 77#include <uapi/linux/io_uring.h>
78
79#include "internal.h"
561fb04a 80#include "io-wq.h"
2b188cc1 81
5277deaa 82#define IORING_MAX_ENTRIES 32768
33a107f0 83#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 84
85/*
86 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
87 */
88#define IORING_FILE_TABLE_SHIFT 9
89#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
90#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
91#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 92
93struct io_uring {
94 u32 head ____cacheline_aligned_in_smp;
95 u32 tail ____cacheline_aligned_in_smp;
96};
97
1e84b97b 98/*
75b28aff
HV		 99 * This data is shared with the application through the mmap at offsets
100 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 101 *
102 * The offsets to the member fields are published through struct
103 * io_sqring_offsets when calling io_uring_setup.
104 */
75b28aff 105struct io_rings {
1e84b97b
SB		 106 /*
107 * Head and tail offsets into the ring; the offsets need to be
108 * masked to get valid indices.
109 *
75b28aff
HV		 110 * The kernel controls head of the sq ring and the tail of the cq ring,
111 * and the application controls tail of the sq ring and the head of the
112 * cq ring.
1e84b97b 113 */
75b28aff 114 struct io_uring sq, cq;
1e84b97b 115 /*
75b28aff 116 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 117 * ring_entries - 1)
118 */
75b28aff
HV		 119 u32 sq_ring_mask, cq_ring_mask;
120 /* Ring sizes (constant, power of 2) */
121 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 122 /*
123 * Number of invalid entries dropped by the kernel due to
124 * invalid index stored in array
125 *
126 * Written by the kernel, shouldn't be modified by the
127 * application (i.e. get number of "new events" by comparing to
128 * cached value).
129 *
130 * After a new SQ head value was read by the application this
131 * counter includes all submissions that were dropped reaching
132 * the new SQ head (and possibly more).
133 */
75b28aff 134 u32 sq_dropped;
1e84b97b
SB		 135 /*
136 * Runtime flags
137 *
138 * Written by the kernel, shouldn't be modified by the
139 * application.
140 *
141 * The application needs a full memory barrier before checking
142 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
143 */
75b28aff 144 u32 sq_flags;
1e84b97b
SB		 145 /*
146 * Number of completion events lost because the queue was full;
147 * this should be avoided by the application by making sure
0b4295b5 148 * there are not more requests pending than there is space in
1e84b97b
SB		 149 * the completion queue.
150 *
151 * Written by the kernel, shouldn't be modified by the
152 * application (i.e. get number of "new events" by comparing to
153 * cached value).
154 *
155 * As completion events come in out of order this counter is not
156 * ordered with any other data.
157 */
75b28aff 158 u32 cq_overflow;
1e84b97b
SB		 159 /*
160 * Ring buffer of completion events.
161 *
162 * The kernel writes completion events fresh every time they are
163 * produced, so the application is allowed to modify pending
164 * entries.
165 */
75b28aff 166 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 167};
168
edafccee
JA		 169struct io_mapped_ubuf {
170 u64 ubuf;
171 size_t len;
172 struct bio_vec *bvec;
173 unsigned int nr_bvecs;
174};
175
65e19f54
JA		 176struct fixed_file_table {
177 struct file **files;
31b51510
JA		 178};
179
2b188cc1
JA		 180struct io_ring_ctx {
181 struct {
182 struct percpu_ref refs;
183 } ____cacheline_aligned_in_smp;
184
185 struct {
186 unsigned int flags;
187 bool compat;
188 bool account_mem;
1d7bb1d5 189 bool cq_overflow_flushed;
1b4a51b6 190 bool drain_next;
2b188cc1 191
75b28aff
HV		 192 /*
193 * Ring buffer of indices into array of io_uring_sqe, which is
194 * mmapped by the application using the IORING_OFF_SQES offset.
195 *
196 * This indirection could e.g. be used to assign fixed
197 * io_uring_sqe entries to operations and only submit them to
198 * the queue when needed.
199 *
200 * The kernel modifies neither the indices array nor the entries
201 * array.
202 */
203 u32 *sq_array;
2b188cc1
JA		 204 unsigned cached_sq_head;
205 unsigned sq_entries;
206 unsigned sq_mask;
6c271ce2 207 unsigned sq_thread_idle;
498ccd9e 208 unsigned cached_sq_dropped;
206aefde 209 atomic_t cached_cq_overflow;
2b188cc1 210 struct io_uring_sqe *sq_sqes;
de0617e4
JA		 211
212 struct list_head defer_list;
5262f567 213 struct list_head timeout_list;
1d7bb1d5 214 struct list_head cq_overflow_list;
fcb323cc
JA		 215
216 wait_queue_head_t inflight_wait;
2b188cc1
JA		 217 } ____cacheline_aligned_in_smp;
218
206aefde
JA		 219 struct io_rings *rings;
220
2b188cc1 221 /* IO offload */
561fb04a 222 struct io_wq *io_wq;
6c271ce2 223 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 224 struct mm_struct *sqo_mm;
6c271ce2 225 wait_queue_head_t sqo_wait;
75b28aff 226
6b06314c
JA		 227 /*
228 * If used, fixed file set. Writers must ensure that ->refs is dead,
229 * readers must ensure that ->refs is alive as long as the file* is
230 * used. Only updated through io_uring_register(2).
231 */
65e19f54 232 struct fixed_file_table *file_table;
6b06314c
JA		 233 unsigned nr_user_files;
234
edafccee
JA		 235 /* if used, fixed mapped user buffers */
236 unsigned nr_user_bufs;
237 struct io_mapped_ubuf *user_bufs;
238
2b188cc1
JA		 239 struct user_struct *user;
240
0b8c0ec7 241 const struct cred *creds;
181e448d 242
206aefde
JA		 243 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
244 struct completion *completions;
245
0ddf92e8
JA		 246 /* if all else fails... */
247 struct io_kiocb *fallback_req;
248
206aefde
JA		 249#if defined(CONFIG_UNIX)
250 struct socket *ring_sock;
251#endif
252
253 struct {
254 unsigned cached_cq_tail;
255 unsigned cq_entries;
256 unsigned cq_mask;
257 atomic_t cq_timeouts;
258 struct wait_queue_head cq_wait;
259 struct fasync_struct *cq_fasync;
260 struct eventfd_ctx *cq_ev_fd;
261 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 262
263 struct {
264 struct mutex uring_lock;
265 wait_queue_head_t wait;
266 } ____cacheline_aligned_in_smp;
267
268 struct {
269 spinlock_t completion_lock;
def596e9
JA		 270 bool poll_multi_file;
271 /*
272 * ->poll_list is protected by the ctx->uring_lock for
273 * io_uring instances that don't use IORING_SETUP_SQPOLL.
274 * For SQPOLL, only the single threaded io_sq_thread() will
275 * manipulate the list, hence no extra locking is needed there.
276 */
277 struct list_head poll_list;
78076bb6
JA		 278 struct hlist_head *cancel_hash;
279 unsigned cancel_hash_bits;
31b51510 280
fcb323cc
JA		 281 spinlock_t inflight_lock;
282 struct list_head inflight_list;
2b188cc1 283 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 284};
285
09bb8394
JA		 286/*
287 * First field must be the file pointer in all the
288 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
289 */
221c5eb2
JA		 290struct io_poll_iocb {
291 struct file *file;
0969e783
JA		 292 union {
293 struct wait_queue_head *head;
294 u64 addr;
295 };
221c5eb2 296 __poll_t events;
8c838788 297 bool done;
221c5eb2 298 bool canceled;
392edb45 299 struct wait_queue_entry wait;
221c5eb2
JA		 300};
301
ad8a48ac
JA		 302struct io_timeout_data {
303 struct io_kiocb *req;
304 struct hrtimer timer;
305 struct timespec64 ts;
306 enum hrtimer_mode mode;
cc42e0ac 307 u32 seq_offset;
ad8a48ac
JA		 308};
309
8ed8d3c3
JA		 310struct io_accept {
311 struct file *file;
312 struct sockaddr __user *addr;
313 int __user *addr_len;
314 int flags;
315};
316
317struct io_sync {
318 struct file *file;
319 loff_t len;
320 loff_t off;
321 int flags;
d63d1b5e 322 int mode;
8ed8d3c3
JA		 323};
324
fbf23849
JA		 325struct io_cancel {
326 struct file *file;
327 u64 addr;
328};
329
b29472ee
JA		 330struct io_timeout {
331 struct file *file;
332 u64 addr;
333 int flags;
26a61679 334 unsigned count;
b29472ee
JA		 335};
336
9adbd45d
JA		 337struct io_rw {
338 /* NOTE: kiocb has the file as the first member, so don't do it here */
339 struct kiocb kiocb;
340 u64 addr;
341 u64 len;
342};
343
3fbb51c1
JA		 344struct io_connect {
345 struct file *file;
346 struct sockaddr __user *addr;
347 int addr_len;
348};
349
e47293fd
JA		 350struct io_sr_msg {
351 struct file *file;
352 struct user_msghdr __user *msg;
353 int msg_flags;
354};
355
f499a021
JA		 356struct io_async_connect {
357 struct sockaddr_storage address;
358};
359
03b1230c
JA		 360struct io_async_msghdr {
361 struct iovec fast_iov[UIO_FASTIOV];
362 struct iovec *iov;
363 struct sockaddr __user *uaddr;
364 struct msghdr msg;
365};
366
f67676d1
JA		 367struct io_async_rw {
368 struct iovec fast_iov[UIO_FASTIOV];
369 struct iovec *iov;
370 ssize_t nr_segs;
371 ssize_t size;
372};
373
1a6b74fc 374struct io_async_ctx {
f67676d1
JA		 375 union {
376 struct io_async_rw rw;
03b1230c 377 struct io_async_msghdr msg;
f499a021 378 struct io_async_connect connect;
2d28390a 379 struct io_timeout_data timeout;
f67676d1 380 };
1a6b74fc
JA		 381};
382
09bb8394
JA		 383/*
384 * NOTE! Each of the iocb union members has the file pointer
385 * as the first entry in their struct definition. So you can
386 * access the file pointer through any of the sub-structs,
387 * or directly as just 'ki_filp' in this struct.
388 */
2b188cc1 389struct io_kiocb {
221c5eb2 390 union {
09bb8394 391 struct file *file;
9adbd45d 392 struct io_rw rw;
221c5eb2 393 struct io_poll_iocb poll;
8ed8d3c3
JA		 394 struct io_accept accept;
395 struct io_sync sync;
fbf23849 396 struct io_cancel cancel;
b29472ee 397 struct io_timeout timeout;
3fbb51c1 398 struct io_connect connect;
e47293fd 399 struct io_sr_msg sr_msg;
221c5eb2 400 };
2b188cc1 401
1a6b74fc 402 struct io_async_ctx *io;
cf6fd4bd
PB		 403 struct file *ring_file;
404 int ring_fd;
405 bool has_user;
406 bool in_async;
407 bool needs_fixed_file;
d625c6ee 408 u8 opcode;
2b188cc1
JA		 409
410 struct io_ring_ctx *ctx;
eac406c6
JA		 411 union {
412 struct list_head list;
78076bb6 413 struct hlist_node hash_node;
eac406c6 414 };
9e645e11 415 struct list_head link_list;
2b188cc1 416 unsigned int flags;
c16361c1 417 refcount_t refs;
8449eeda 418#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 419#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 420#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 421#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 422#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
423#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 424#define REQ_F_LINK 64 /* linked sqes */
2665abfd 425#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 426#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 427#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 428#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 429#define REQ_F_ISREG 2048 /* regular file */
430#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 431#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 432#define REQ_F_INFLIGHT 16384 /* on inflight list */
433#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 434#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
2b188cc1 435 u64 user_data;
9e645e11 436 u32 result;
de0617e4 437 u32 sequence;
2b188cc1 438
fcb323cc
JA		 439 struct list_head inflight_entry;
440
561fb04a 441 struct io_wq_work work;
2b188cc1
JA		 442};
443
444#define IO_PLUG_THRESHOLD 2
def596e9 445#define IO_IOPOLL_BATCH 8
2b188cc1 446
9a56a232
JA		 447struct io_submit_state {
448 struct blk_plug plug;
449
2579f913
JA		 450 /*
451 * io_kiocb alloc cache
452 */
453 void *reqs[IO_IOPOLL_BATCH];
454 unsigned int free_reqs;
455 unsigned int cur_req;
456
9a56a232
JA		 457 /*
458 * File reference cache
459 */
460 struct file *file;
461 unsigned int fd;
462 unsigned int has_refs;
463 unsigned int used_refs;
464 unsigned int ios_left;
465};
466
561fb04a 467static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 468static void io_cqring_fill_event(struct io_kiocb *req, long res);
4fe2c963 469static void __io_free_req(struct io_kiocb *req);
ec9c02ad 470static void io_put_req(struct io_kiocb *req);
78e19bbe 471static void io_double_put_req(struct io_kiocb *req);
978db57e 472static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 473static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
474static void io_queue_linked_timeout(struct io_kiocb *req);
de0617e4 475
2b188cc1
JA		 476static struct kmem_cache *req_cachep;
477
478static const struct file_operations io_uring_fops;
479
480struct sock *io_uring_get_socket(struct file *file)
481{
482#if defined(CONFIG_UNIX)
483 if (file->f_op == &io_uring_fops) {
484 struct io_ring_ctx *ctx = file->private_data;
485
486 return ctx->ring_sock->sk;
487 }
488#endif
489 return NULL;
490}
491EXPORT_SYMBOL(io_uring_get_socket);
492
493static void io_ring_ctx_ref_free(struct percpu_ref *ref)
494{
495 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
496
206aefde 497 complete(&ctx->completions[0]);
2b188cc1
JA		 498}
499
500static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
501{
502 struct io_ring_ctx *ctx;
78076bb6 503 int hash_bits;
2b188cc1
JA		 504
505 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
506 if (!ctx)
507 return NULL;
508
0ddf92e8
JA		 509 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
510 if (!ctx->fallback_req)
511 goto err;
512
206aefde
JA		 513 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
514 if (!ctx->completions)
515 goto err;
516
78076bb6
JA		 517 /*
518 * Use 5 bits less than the max cq entries, that should give us around
519 * 32 entries per hash list if totally full and uniformly spread.
520 */
521 hash_bits = ilog2(p->cq_entries);
522 hash_bits -= 5;
523 if (hash_bits <= 0)
524 hash_bits = 1;
525 ctx->cancel_hash_bits = hash_bits;
526 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
527 GFP_KERNEL);
528 if (!ctx->cancel_hash)
529 goto err;
530 __hash_init(ctx->cancel_hash, 1U << hash_bits);
531
21482896 532 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 533 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
534 goto err;
2b188cc1
JA		 535
536 ctx->flags = p->flags;
537 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 538 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 539 init_completion(&ctx->completions[0]);
540 init_completion(&ctx->completions[1]);
2b188cc1
JA		 541 mutex_init(&ctx->uring_lock);
542 init_waitqueue_head(&ctx->wait);
543 spin_lock_init(&ctx->completion_lock);
def596e9 544 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 545 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 546 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 547 init_waitqueue_head(&ctx->inflight_wait);
548 spin_lock_init(&ctx->inflight_lock);
549 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 550 return ctx;
206aefde 551err:
0ddf92e8
JA		 552 if (ctx->fallback_req)
553 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 554 kfree(ctx->completions);
78076bb6 555 kfree(ctx->cancel_hash);
206aefde
JA		 556 kfree(ctx);
557 return NULL;
2b188cc1
JA		 558}
559
9d858b21 560static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 561{
a197f664
JL		 562 struct io_ring_ctx *ctx = req->ctx;
563
498ccd9e
JA		 564 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
565 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 566}
567
9d858b21 568static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 569{
9d858b21
BL		 570 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
571 return __req_need_defer(req);
de0617e4 572
9d858b21 573 return false;
de0617e4
JA		 574}
575
7adf4eaf 576static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 577{
578 struct io_kiocb *req;
579
7adf4eaf 580 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 581 if (req && !req_need_defer(req)) {
de0617e4
JA		 582 list_del_init(&req->list);
583 return req;
584 }
585
586 return NULL;
587}
588
5262f567
JA		 589static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
590{
7adf4eaf
JA		 591 struct io_kiocb *req;
592
593 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 594 if (req) {
595 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
596 return NULL;
fb4b3d3f 597 if (!__req_need_defer(req)) {
93bd25bb
JA		 598 list_del_init(&req->list);
599 return req;
600 }
7adf4eaf
JA		 601 }
602
603 return NULL;
5262f567
JA		 604}
605
de0617e4 606static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 607{
75b28aff 608 struct io_rings *rings = ctx->rings;
2b188cc1 609
75b28aff 610 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 611 /* order cqe stores with ring update */
75b28aff 612 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 613
2b188cc1
JA		 614 if (wq_has_sleeper(&ctx->cq_wait)) {
615 wake_up_interruptible(&ctx->cq_wait);
616 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
617 }
618 }
619}
620
d625c6ee 621static inline bool io_req_needs_user(struct io_kiocb *req)
18d9be1a 622{
d625c6ee
JA		 623 return !(req->opcode == IORING_OP_READ_FIXED ||
624 req->opcode == IORING_OP_WRITE_FIXED);
561fb04a
JA		 625}
626
94ae5e77
JA		 627static inline bool io_prep_async_work(struct io_kiocb *req,
628 struct io_kiocb **link)
18d9be1a 629{
561fb04a 630 bool do_hashed = false;
54a91f3b 631
3529d8c2
JA		 632 switch (req->opcode) {
633 case IORING_OP_WRITEV:
634 case IORING_OP_WRITE_FIXED:
635 /* only regular files should be hashed for writes */
636 if (req->flags & REQ_F_ISREG)
637 do_hashed = true;
638 /* fall-through */
639 case IORING_OP_READV:
640 case IORING_OP_READ_FIXED:
641 case IORING_OP_SENDMSG:
642 case IORING_OP_RECVMSG:
643 case IORING_OP_ACCEPT:
644 case IORING_OP_POLL_ADD:
645 case IORING_OP_CONNECT:
646 /*
647 * We know REQ_F_ISREG is not set on some of these
648 * opcodes, but this enables us to keep the check in
649 * just one place.
650 */
651 if (!(req->flags & REQ_F_ISREG))
652 req->work.flags |= IO_WQ_WORK_UNBOUND;
653 break;
54a91f3b 654 }
3529d8c2
JA		 655 if (io_req_needs_user(req))
656 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b 657
94ae5e77 658 *link = io_prep_linked_timeout(req);
561fb04a
JA		 659 return do_hashed;
660}
661
a197f664 662static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 663{
a197f664 664 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 665 struct io_kiocb *link;
666 bool do_hashed;
667
668 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 669
670 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
671 req->flags);
672 if (!do_hashed) {
673 io_wq_enqueue(ctx->io_wq, &req->work);
674 } else {
675 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
676 file_inode(req->file));
677 }
94ae5e77
JA		 678
679 if (link)
680 io_queue_linked_timeout(link);
18d9be1a
JA		 681}
682
5262f567
JA		 683static void io_kill_timeout(struct io_kiocb *req)
684{
685 int ret;
686
2d28390a 687 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 688 if (ret != -1) {
689 atomic_inc(&req->ctx->cq_timeouts);
842f9612 690 list_del_init(&req->list);
78e19bbe 691 io_cqring_fill_event(req, 0);
ec9c02ad 692 io_put_req(req);
5262f567
JA		 693 }
694}
695
696static void io_kill_timeouts(struct io_ring_ctx *ctx)
697{
698 struct io_kiocb *req, *tmp;
699
700 spin_lock_irq(&ctx->completion_lock);
701 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
702 io_kill_timeout(req);
703 spin_unlock_irq(&ctx->completion_lock);
704}
705
de0617e4
JA		 706static void io_commit_cqring(struct io_ring_ctx *ctx)
707{
708 struct io_kiocb *req;
709
5262f567
JA		 710 while ((req = io_get_timeout_req(ctx)) != NULL)
711 io_kill_timeout(req);
712
de0617e4
JA		 713 __io_commit_cqring(ctx);
714
715 while ((req = io_get_deferred_req(ctx)) != NULL) {
716 req->flags |= REQ_F_IO_DRAINED;
a197f664 717 io_queue_async_work(req);
de0617e4
JA		 718 }
719}
720
2b188cc1
JA		 721static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
722{
75b28aff 723 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 724 unsigned tail;
725
726 tail = ctx->cached_cq_tail;
115e12e5
SB		 727 /*
728 * writes to the cq entry need to come after reading head; the
729 * control dependency is enough as we're using WRITE_ONCE to
730 * fill the cq entry
731 */
75b28aff 732 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 733 return NULL;
734
735 ctx->cached_cq_tail++;
75b28aff 736 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 737}
738
1d7bb1d5
JA		 739static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
740{
741 if (waitqueue_active(&ctx->wait))
742 wake_up(&ctx->wait);
743 if (waitqueue_active(&ctx->sqo_wait))
744 wake_up(&ctx->sqo_wait);
745 if (ctx->cq_ev_fd)
746 eventfd_signal(ctx->cq_ev_fd, 1);
747}
748
c4a2ed72
JA		 749/* Returns true if there are no backlogged entries after the flush */
750static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 751{
752 struct io_rings *rings = ctx->rings;
753 struct io_uring_cqe *cqe;
754 struct io_kiocb *req;
755 unsigned long flags;
756 LIST_HEAD(list);
757
758 if (!force) {
759 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 760 return true;
1d7bb1d5
JA		 761 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
762 rings->cq_ring_entries))
c4a2ed72 763 return false;
1d7bb1d5
JA		 764 }
765
766 spin_lock_irqsave(&ctx->completion_lock, flags);
767
768 /* if force is set, the ring is going away. always drop after that */
769 if (force)
770 ctx->cq_overflow_flushed = true;
771
c4a2ed72 772 cqe = NULL;
1d7bb1d5
JA		 773 while (!list_empty(&ctx->cq_overflow_list)) {
774 cqe = io_get_cqring(ctx);
775 if (!cqe && !force)
776 break;
777
778 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
779 list);
780 list_move(&req->list, &list);
781 if (cqe) {
782 WRITE_ONCE(cqe->user_data, req->user_data);
783 WRITE_ONCE(cqe->res, req->result);
784 WRITE_ONCE(cqe->flags, 0);
785 } else {
786 WRITE_ONCE(ctx->rings->cq_overflow,
787 atomic_inc_return(&ctx->cached_cq_overflow));
788 }
789 }
790
791 io_commit_cqring(ctx);
792 spin_unlock_irqrestore(&ctx->completion_lock, flags);
793 io_cqring_ev_posted(ctx);
794
795 while (!list_empty(&list)) {
796 req = list_first_entry(&list, struct io_kiocb, list);
797 list_del(&req->list);
ec9c02ad 798 io_put_req(req);
1d7bb1d5 799 }
c4a2ed72
JA		 800
801 return cqe != NULL;
1d7bb1d5
JA		 802}
803
78e19bbe 804static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 805{
78e19bbe 806 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 807 struct io_uring_cqe *cqe;
808
78e19bbe 809 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 810
2b188cc1
JA		 811 /*
812 * If we can't get a cq entry, userspace overflowed the
813 * submission (by quite a lot). Increment the overflow count in
814 * the ring.
815 */
816 cqe = io_get_cqring(ctx);
1d7bb1d5 817 if (likely(cqe)) {
78e19bbe 818 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 819 WRITE_ONCE(cqe->res, res);
c71ffb67 820 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 821 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 822 WRITE_ONCE(ctx->rings->cq_overflow,
823 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5
JA		 824 } else {
825 refcount_inc(&req->refs);
826 req->result = res;
827 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 828 }
829}
830
78e19bbe 831static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 832{
78e19bbe 833 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 834 unsigned long flags;
835
836 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 837 io_cqring_fill_event(req, res);
2b188cc1
JA		 838 io_commit_cqring(ctx);
839 spin_unlock_irqrestore(&ctx->completion_lock, flags);
840
8c838788 841 io_cqring_ev_posted(ctx);
2b188cc1
JA		 842}
843
0ddf92e8
JA		 844static inline bool io_is_fallback_req(struct io_kiocb *req)
845{
846 return req == (struct io_kiocb *)
847 ((unsigned long) req->ctx->fallback_req & ~1UL);
848}
849
850static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
851{
852 struct io_kiocb *req;
853
854 req = ctx->fallback_req;
855 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
856 return req;
857
858 return NULL;
859}
860
2579f913
JA		 861static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
862 struct io_submit_state *state)
2b188cc1 863{
fd6fab2c 864 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 865 struct io_kiocb *req;
866
867 if (!percpu_ref_tryget(&ctx->refs))
868 return NULL;
869
2579f913 870 if (!state) {
fd6fab2c 871 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 872 if (unlikely(!req))
0ddf92e8 873 goto fallback;
2579f913
JA		 874 } else if (!state->free_reqs) {
875 size_t sz;
876 int ret;
877
878 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 879 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
880
881 /*
882 * Bulk alloc is all-or-nothing. If we fail to get a batch,
883 * retry single alloc to be on the safe side.
884 */
885 if (unlikely(ret <= 0)) {
886 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
887 if (!state->reqs[0])
0ddf92e8 888 goto fallback;
fd6fab2c
JA		 889 ret = 1;
890 }
2579f913
JA		 891 state->free_reqs = ret - 1;
892 state->cur_req = 1;
893 req = state->reqs[0];
894 } else {
895 req = state->reqs[state->cur_req];
896 state->free_reqs--;
897 state->cur_req++;
2b188cc1
JA		 898 }
899
0ddf92e8 900got_it:
1a6b74fc 901 req->io = NULL;
cf6fd4bd 902 req->ring_file = NULL;
60c112b0 903 req->file = NULL;
2579f913
JA		 904 req->ctx = ctx;
905 req->flags = 0;
e65ef56d
JA		 906 /* one is dropped after submission, the other at completion */
907 refcount_set(&req->refs, 2);
9e645e11 908 req->result = 0;
561fb04a 909 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 910 return req;
0ddf92e8
JA		 911fallback:
912 req = io_get_fallback_req(ctx);
913 if (req)
914 goto got_it;
6805b32e 915 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 916 return NULL;
917}
918
def596e9
JA		 919static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr)
920{
921 if (*nr) {
922 kmem_cache_free_bulk(req_cachep, *nr, reqs);
6805b32e 923 percpu_ref_put_many(&ctx->refs, *nr);
def596e9
JA		 924 *nr = 0;
925 }
926}
927
9e645e11 928static void __io_free_req(struct io_kiocb *req)
2b188cc1 929{
fcb323cc
JA		 930 struct io_ring_ctx *ctx = req->ctx;
931
1a6b74fc
JA		 932 if (req->io)
933 kfree(req->io);
09bb8394
JA		 934 if (req->file && !(req->flags & REQ_F_FIXED_FILE))
935 fput(req->file);
fcb323cc
JA		 936 if (req->flags & REQ_F_INFLIGHT) {
937 unsigned long flags;
938
939 spin_lock_irqsave(&ctx->inflight_lock, flags);
940 list_del(&req->inflight_entry);
941 if (waitqueue_active(&ctx->inflight_wait))
942 wake_up(&ctx->inflight_wait);
943 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
944 }
945 percpu_ref_put(&ctx->refs);
0ddf92e8
JA		 946 if (likely(!io_is_fallback_req(req)))
947 kmem_cache_free(req_cachep, req);
948 else
949 clear_bit_unlock(0, (unsigned long *) ctx->fallback_req);
e65ef56d
JA		 950}
951
a197f664 952static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 953{
a197f664 954 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 955 int ret;
956
2d28390a 957 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 958 if (ret != -1) {
78e19bbe 959 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 960 io_commit_cqring(ctx);
961 req->flags &= ~REQ_F_LINK;
ec9c02ad 962 io_put_req(req);
2665abfd
JA		 963 return true;
964 }
965
966 return false;
e65ef56d
JA		 967}
968
ba816ad6 969static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 970{
2665abfd 971 struct io_ring_ctx *ctx = req->ctx;
2665abfd 972 bool wake_ev = false;
9e645e11 973
4d7dd462
JA		 974 /* Already got next link */
975 if (req->flags & REQ_F_LINK_NEXT)
976 return;
977
9e645e11
JA		 978 /*
979 * The list should never be empty when we are called here. But could
980 * potentially happen if the chain is messed up, check to be on the
981 * safe side.
982 */
4493233e
PB		 983 while (!list_empty(&req->link_list)) {
984 struct io_kiocb *nxt = list_first_entry(&req->link_list,
985 struct io_kiocb, link_list);
94ae5e77 986
4493233e
PB		 987 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
988 (nxt->flags & REQ_F_TIMEOUT))) {
989 list_del_init(&nxt->link_list);
94ae5e77 990 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 991 req->flags &= ~REQ_F_LINK_TIMEOUT;
992 continue;
993 }
9e645e11 994
4493233e
PB		 995 list_del_init(&req->link_list);
996 if (!list_empty(&nxt->link_list))
997 nxt->flags |= REQ_F_LINK;
b18fdf71 998 *nxtptr = nxt;
94ae5e77 999 break;
9e645e11 1000 }
2665abfd 1001
4d7dd462 1002 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1003 if (wake_ev)
1004 io_cqring_ev_posted(ctx);
9e645e11
JA		 1005}
1006
1007/*
1008 * Called if REQ_F_LINK is set, and we fail the head request
1009 */
1010static void io_fail_links(struct io_kiocb *req)
1011{
2665abfd 1012 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1013 unsigned long flags;
1014
1015 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1016
1017 while (!list_empty(&req->link_list)) {
4493233e
PB		 1018 struct io_kiocb *link = list_first_entry(&req->link_list,
1019 struct io_kiocb, link_list);
9e645e11 1020
4493233e 1021 list_del_init(&link->link_list);
c826bd7a 1022 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1023
1024 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1025 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1026 io_link_cancel_timeout(link);
2665abfd 1027 } else {
78e19bbe 1028 io_cqring_fill_event(link, -ECANCELED);
978db57e 1029 __io_double_put_req(link);
2665abfd 1030 }
5d960724 1031 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1032 }
2665abfd
JA		 1033
1034 io_commit_cqring(ctx);
1035 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1036 io_cqring_ev_posted(ctx);
9e645e11
JA		 1037}
1038
4d7dd462 1039static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1040{
4d7dd462 1041 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1042 return;
2665abfd 1043
9e645e11
JA		 1044 /*
1045 * If LINK is set, we have dependent requests in this chain. If we
1046 * didn't fail this request, queue the first one up, moving any other
1047 * dependencies to the next request. In case of failure, fail the rest
1048 * of the chain.
1049 */
2665abfd
JA		 1050 if (req->flags & REQ_F_FAIL_LINK) {
1051 io_fail_links(req);
7c9e7f0f
JA		 1052 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1053 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1054 struct io_ring_ctx *ctx = req->ctx;
1055 unsigned long flags;
1056
1057 /*
1058 * If this is a timeout link, we could be racing with the
1059 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1060 * protect against that.
2665abfd
JA		 1061 */
1062 spin_lock_irqsave(&ctx->completion_lock, flags);
1063 io_req_link_next(req, nxt);
1064 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1065 } else {
1066 io_req_link_next(req, nxt);
9e645e11 1067 }
4d7dd462 1068}
9e645e11 1069
c69f8dbe
JL		 1070static void io_free_req(struct io_kiocb *req)
1071{
944e58bf
PB		 1072 struct io_kiocb *nxt = NULL;
1073
1074 io_req_find_next(req, &nxt);
70cf9f32 1075 __io_free_req(req);
944e58bf
PB		 1076
1077 if (nxt)
1078 io_queue_async_work(nxt);
c69f8dbe
JL		 1079}
1080
ba816ad6
JA		 1081/*
1082 * Drop reference to request, return next in chain (if there is one) if this
1083 * was the last reference to this request.
1084 */
f9bd67f6 1085__attribute__((nonnull))
ec9c02ad 1086static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1087{
f9bd67f6 1088 io_req_find_next(req, nxtptr);
4d7dd462 1089
e65ef56d 1090 if (refcount_dec_and_test(&req->refs))
4d7dd462 1091 __io_free_req(req);
2b188cc1
JA		 1092}
1093
e65ef56d
JA		 1094static void io_put_req(struct io_kiocb *req)
1095{
1096 if (refcount_dec_and_test(&req->refs))
1097 io_free_req(req);
2b188cc1
JA		 1098}
1099
978db57e
JA		 1100/*
1101 * Must only be used if we don't need to care about links, usually from
1102 * within the completion handling itself.
1103 */
1104static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1105{
1106 /* drop both submit and complete references */
1107 if (refcount_sub_and_test(2, &req->refs))
1108 __io_free_req(req);
1109}
1110
978db57e
JA		 1111static void io_double_put_req(struct io_kiocb *req)
1112{
1113 /* drop both submit and complete references */
1114 if (refcount_sub_and_test(2, &req->refs))
1115 io_free_req(req);
1116}
1117
1d7bb1d5 1118static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1119{
84f97dc2
JA		 1120 struct io_rings *rings = ctx->rings;
1121
1d7bb1d5
JA		 1122 /*
1123 * noflush == true is from the waitqueue handler, just ensure we wake
1124 * up the task, and the next invocation will flush the entries. We
1125 * cannot safely to it from here.
1126 */
1127 if (noflush && !list_empty(&ctx->cq_overflow_list))
1128 return -1U;
1129
1130 io_cqring_overflow_flush(ctx, false);
1131
a3a0e43f
JA		 1132 /* See comment at the top of this file */
1133 smp_rmb();
75b28aff 1134 return READ_ONCE(rings->cq.tail) - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1135}
1136
fb5ccc98
PB		 1137static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1138{
1139 struct io_rings *rings = ctx->rings;
1140
1141 /* make sure SQ entry isn't read before tail */
1142 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1143}
1144
def596e9
JA		 1145/*
1146 * Find and free completed poll iocbs
1147 */
1148static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1149 struct list_head *done)
1150{
1151 void *reqs[IO_IOPOLL_BATCH];
1152 struct io_kiocb *req;
09bb8394 1153 int to_free;
def596e9 1154
09bb8394 1155 to_free = 0;
def596e9
JA		 1156 while (!list_empty(done)) {
1157 req = list_first_entry(done, struct io_kiocb, list);
1158 list_del(&req->list);
1159
78e19bbe 1160 io_cqring_fill_event(req, req->result);
def596e9
JA		 1161 (*nr_events)++;
1162
09bb8394
JA		 1163 if (refcount_dec_and_test(&req->refs)) {
1164 /* If we're not using fixed files, we have to pair the
1165 * completion part with the file put. Use regular
1166 * completions for those, only batch free for fixed
9e645e11 1167 * file and non-linked commands.
09bb8394 1168 */
1a6b74fc
JA		 1169 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) ==
1170 REQ_F_FIXED_FILE) && !io_is_fallback_req(req) &&
1171 !req->io) {
09bb8394
JA		 1172 reqs[to_free++] = req;
1173 if (to_free == ARRAY_SIZE(reqs))
1174 io_free_req_many(ctx, reqs, &to_free);
6b06314c 1175 } else {
09bb8394 1176 io_free_req(req);
6b06314c 1177 }
9a56a232 1178 }
def596e9 1179 }
def596e9 1180
09bb8394 1181 io_commit_cqring(ctx);
def596e9
JA		 1182 io_free_req_many(ctx, reqs, &to_free);
1183}
1184
1185static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1186 long min)
1187{
1188 struct io_kiocb *req, *tmp;
1189 LIST_HEAD(done);
1190 bool spin;
1191 int ret;
1192
1193 /*
1194 * Only spin for completions if we don't have multiple devices hanging
1195 * off our complete list, and we're under the requested amount.
1196 */
1197 spin = !ctx->poll_multi_file && *nr_events < min;
1198
1199 ret = 0;
1200 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1201 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1202
1203 /*
1204 * Move completed entries to our local list. If we find a
1205 * request that requires polling, break out and complete
1206 * the done list first, if we have entries there.
1207 */
1208 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1209 list_move_tail(&req->list, &done);
1210 continue;
1211 }
1212 if (!list_empty(&done))
1213 break;
1214
1215 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1216 if (ret < 0)
1217 break;
1218
1219 if (ret && spin)
1220 spin = false;
1221 ret = 0;
1222 }
1223
1224 if (!list_empty(&done))
1225 io_iopoll_complete(ctx, nr_events, &done);
1226
1227 return ret;
1228}
1229
1230/*
d195a66e 1231 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1232 * non-spinning poll check - we'll still enter the driver poll loop, but only
1233 * as a non-spinning completion check.
1234 */
1235static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1236 long min)
1237{
08f5439f 1238 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1239 int ret;
1240
1241 ret = io_do_iopoll(ctx, nr_events, min);
1242 if (ret < 0)
1243 return ret;
1244 if (!min || *nr_events >= min)
1245 return 0;
1246 }
1247
1248 return 1;
1249}
1250
1251/*
1252 * We can't just wait for polled events to come to us, we have to actively
1253 * find and complete them.
1254 */
1255static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1256{
1257 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1258 return;
1259
1260 mutex_lock(&ctx->uring_lock);
1261 while (!list_empty(&ctx->poll_list)) {
1262 unsigned int nr_events = 0;
1263
1264 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1265
1266 /*
1267 * Ensure we allow local-to-the-cpu processing to take place,
1268 * in this case we need to ensure that we reap all events.
1269 */
1270 cond_resched();
def596e9
JA		 1271 }
1272 mutex_unlock(&ctx->uring_lock);
1273}
1274
2b2ed975
JA		 1275static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1276 long min)
def596e9 1277{
2b2ed975 1278 int iters = 0, ret = 0;
500f9fba 1279
def596e9
JA		 1280 do {
1281 int tmin = 0;
1282
a3a0e43f
JA		 1283 /*
1284 * Don't enter poll loop if we already have events pending.
1285 * If we do, we can potentially be spinning for commands that
1286 * already triggered a CQE (eg in error).
1287 */
1d7bb1d5 1288 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1289 break;
1290
500f9fba
JA		 1291 /*
1292 * If a submit got punted to a workqueue, we can have the
1293 * application entering polling for a command before it gets
1294 * issued. That app will hold the uring_lock for the duration
1295 * of the poll right here, so we need to take a breather every
1296 * now and then to ensure that the issue has a chance to add
1297 * the poll to the issued list. Otherwise we can spin here
1298 * forever, while the workqueue is stuck trying to acquire the
1299 * very same mutex.
1300 */
1301 if (!(++iters & 7)) {
1302 mutex_unlock(&ctx->uring_lock);
1303 mutex_lock(&ctx->uring_lock);
1304 }
1305
def596e9
JA		 1306 if (*nr_events < min)
1307 tmin = min - *nr_events;
1308
1309 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1310 if (ret <= 0)
1311 break;
1312 ret = 0;
1313 } while (min && !*nr_events && !need_resched());
1314
2b2ed975
JA		 1315 return ret;
1316}
1317
1318static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1319 long min)
1320{
1321 int ret;
1322
1323 /*
1324 * We disallow the app entering submit/complete with polling, but we
1325 * still need to lock the ring to prevent racing with polled issue
1326 * that got punted to a workqueue.
1327 */
1328 mutex_lock(&ctx->uring_lock);
1329 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1330 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1331 return ret;
1332}
1333
491381ce 1334static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1335{
491381ce
JA		 1336 /*
1337 * Tell lockdep we inherited freeze protection from submission
1338 * thread.
1339 */
1340 if (req->flags & REQ_F_ISREG) {
1341 struct inode *inode = file_inode(req->file);
2b188cc1 1342
491381ce 1343 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1344 }
491381ce 1345 file_end_write(req->file);
2b188cc1
JA		 1346}
1347
4e88d6e7
JA		 1348static inline void req_set_fail_links(struct io_kiocb *req)
1349{
1350 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1351 req->flags |= REQ_F_FAIL_LINK;
1352}
1353
ba816ad6 1354static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1355{
9adbd45d 1356 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1357
491381ce
JA		 1358 if (kiocb->ki_flags & IOCB_WRITE)
1359 kiocb_end_write(req);
2b188cc1 1360
4e88d6e7
JA		 1361 if (res != req->result)
1362 req_set_fail_links(req);
78e19bbe 1363 io_cqring_add_event(req, res);
ba816ad6
JA		 1364}
1365
1366static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1367{
9adbd45d 1368 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1369
1370 io_complete_rw_common(kiocb, res);
e65ef56d 1371 io_put_req(req);
2b188cc1
JA		 1372}
1373
ba816ad6
JA		 1374static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1375{
9adbd45d 1376 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1377 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1378
1379 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1380 io_put_req_find_next(req, &nxt);
1381
1382 return nxt;
2b188cc1
JA		 1383}
1384
def596e9
JA		 1385static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1386{
9adbd45d 1387 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1388
491381ce
JA		 1389 if (kiocb->ki_flags & IOCB_WRITE)
1390 kiocb_end_write(req);
def596e9 1391
4e88d6e7
JA		 1392 if (res != req->result)
1393 req_set_fail_links(req);
9e645e11 1394 req->result = res;
def596e9
JA		 1395 if (res != -EAGAIN)
1396 req->flags |= REQ_F_IOPOLL_COMPLETED;
1397}
1398
1399/*
1400 * After the iocb has been issued, it's safe to be found on the poll list.
1401 * Adding the kiocb to the list AFTER submission ensures that we don't
1402 * find it from a io_iopoll_getevents() thread before the issuer is done
1403 * accessing the kiocb cookie.
1404 */
1405static void io_iopoll_req_issued(struct io_kiocb *req)
1406{
1407 struct io_ring_ctx *ctx = req->ctx;
1408
1409 /*
1410 * Track whether we have multiple files in our lists. This will impact
1411 * how we do polling eventually, not spinning if we're on potentially
1412 * different devices.
1413 */
1414 if (list_empty(&ctx->poll_list)) {
1415 ctx->poll_multi_file = false;
1416 } else if (!ctx->poll_multi_file) {
1417 struct io_kiocb *list_req;
1418
1419 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1420 list);
9adbd45d 1421 if (list_req->file != req->file)
def596e9
JA		 1422 ctx->poll_multi_file = true;
1423 }
1424
1425 /*
1426 * For fast devices, IO may have already completed. If it has, add
1427 * it to the front so we find it first.
1428 */
1429 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1430 list_add(&req->list, &ctx->poll_list);
1431 else
1432 list_add_tail(&req->list, &ctx->poll_list);
1433}
1434
3d6770fb 1435static void io_file_put(struct io_submit_state *state)
9a56a232 1436{
3d6770fb 1437 if (state->file) {
9a56a232
JA		 1438 int diff = state->has_refs - state->used_refs;
1439
1440 if (diff)
1441 fput_many(state->file, diff);
1442 state->file = NULL;
1443 }
1444}
1445
1446/*
1447 * Get as many references to a file as we have IOs left in this submission,
1448 * assuming most submissions are for one file, or at least that each file
1449 * has more than one submission.
1450 */
1451static struct file *io_file_get(struct io_submit_state *state, int fd)
1452{
1453 if (!state)
1454 return fget(fd);
1455
1456 if (state->file) {
1457 if (state->fd == fd) {
1458 state->used_refs++;
1459 state->ios_left--;
1460 return state->file;
1461 }
3d6770fb 1462 io_file_put(state);
9a56a232
JA		 1463 }
1464 state->file = fget_many(fd, state->ios_left);
1465 if (!state->file)
1466 return NULL;
1467
1468 state->fd = fd;
1469 state->has_refs = state->ios_left;
1470 state->used_refs = 1;
1471 state->ios_left--;
1472 return state->file;
1473}
1474
2b188cc1
JA		 1475/*
1476 * If we tracked the file through the SCM inflight mechanism, we could support
1477 * any file. For now, just ensure that anything potentially problematic is done
1478 * inline.
1479 */
1480static bool io_file_supports_async(struct file *file)
1481{
1482 umode_t mode = file_inode(file)->i_mode;
1483
10d59345 1484 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1485 return true;
1486 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1487 return true;
1488
1489 return false;
1490}
1491
3529d8c2
JA		 1492static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1493 bool force_nonblock)
2b188cc1 1494{
def596e9 1495 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1496 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1497 unsigned ioprio;
1498 int ret;
2b188cc1 1499
09bb8394
JA		 1500 if (!req->file)
1501 return -EBADF;
2b188cc1 1502
491381ce
JA		 1503 if (S_ISREG(file_inode(req->file)->i_mode))
1504 req->flags |= REQ_F_ISREG;
1505
2b188cc1
JA		 1506 kiocb->ki_pos = READ_ONCE(sqe->off);
1507 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1508 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1509
1510 ioprio = READ_ONCE(sqe->ioprio);
1511 if (ioprio) {
1512 ret = ioprio_check_cap(ioprio);
1513 if (ret)
09bb8394 1514 return ret;
2b188cc1
JA		 1515
1516 kiocb->ki_ioprio = ioprio;
1517 } else
1518 kiocb->ki_ioprio = get_current_ioprio();
1519
1520 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1521 if (unlikely(ret))
09bb8394 1522 return ret;
8449eeda
SB		 1523
1524 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1525 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1526 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1527 req->flags |= REQ_F_NOWAIT;
1528
1529 if (force_nonblock)
2b188cc1 1530 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1531
def596e9 1532 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1533 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1534 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1535 return -EOPNOTSUPP;
2b188cc1 1536
def596e9
JA		 1537 kiocb->ki_flags |= IOCB_HIPRI;
1538 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1539 req->result = 0;
def596e9 1540 } else {
09bb8394
JA		 1541 if (kiocb->ki_flags & IOCB_HIPRI)
1542 return -EINVAL;
def596e9
JA		 1543 kiocb->ki_complete = io_complete_rw;
1544 }
9adbd45d 1545
3529d8c2
JA		 1546 req->rw.addr = READ_ONCE(sqe->addr);
1547 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1548 /* we own ->private, reuse it for the buffer index */
1549 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1550 READ_ONCE(sqe->buf_index);
2b188cc1 1551 return 0;
2b188cc1
JA		 1552}
1553
1554static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1555{
1556 switch (ret) {
1557 case -EIOCBQUEUED:
1558 break;
1559 case -ERESTARTSYS:
1560 case -ERESTARTNOINTR:
1561 case -ERESTARTNOHAND:
1562 case -ERESTART_RESTARTBLOCK:
1563 /*
1564 * We can't just restart the syscall, since previously
1565 * submitted sqes may already be in progress. Just fail this
1566 * IO with EINTR.
1567 */
1568 ret = -EINTR;
1569 /* fall through */
1570 default:
1571 kiocb->ki_complete(kiocb, ret, 0);
1572 }
1573}
1574
ba816ad6
JA		 1575static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1576 bool in_async)
1577{
f9bd67f6 1578 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1579 *nxt = __io_complete_rw(kiocb, ret);
1580 else
1581 io_rw_done(kiocb, ret);
1582}
1583
9adbd45d 1584static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 1585 struct iov_iter *iter)
edafccee 1586{
9adbd45d
JA		 1587 struct io_ring_ctx *ctx = req->ctx;
1588 size_t len = req->rw.len;
edafccee
JA		 1589 struct io_mapped_ubuf *imu;
1590 unsigned index, buf_index;
1591 size_t offset;
1592 u64 buf_addr;
1593
1594 /* attempt to use fixed buffers without having provided iovecs */
1595 if (unlikely(!ctx->user_bufs))
1596 return -EFAULT;
1597
9adbd45d 1598 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 1599 if (unlikely(buf_index >= ctx->nr_user_bufs))
1600 return -EFAULT;
1601
1602 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1603 imu = &ctx->user_bufs[index];
9adbd45d 1604 buf_addr = req->rw.addr;
edafccee
JA		 1605
1606 /* overflow */
1607 if (buf_addr + len < buf_addr)
1608 return -EFAULT;
1609 /* not inside the mapped region */
1610 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1611 return -EFAULT;
1612
1613 /*
1614 * May not be a start of buffer, set size appropriately
1615 * and advance us to the beginning.
1616 */
1617 offset = buf_addr - imu->ubuf;
1618 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1619
1620 if (offset) {
1621 /*
1622 * Don't use iov_iter_advance() here, as it's really slow for
1623 * using the latter parts of a big fixed buffer - it iterates
1624 * over each segment manually. We can cheat a bit here, because
1625 * we know that:
1626 *
1627 * 1) it's a BVEC iter, we set it up
1628 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1629 * first and last bvec
1630 *
1631 * So just find our index, and adjust the iterator afterwards.
1632 * If the offset is within the first bvec (or the whole first
1633 * bvec, just use iov_iter_advance(). This makes it easier
1634 * since we can just skip the first segment, which may not
1635 * be PAGE_SIZE aligned.
1636 */
1637 const struct bio_vec *bvec = imu->bvec;
1638
1639 if (offset <= bvec->bv_len) {
1640 iov_iter_advance(iter, offset);
1641 } else {
1642 unsigned long seg_skip;
1643
1644 /* skip first vec */
1645 offset -= bvec->bv_len;
1646 seg_skip = 1 + (offset >> PAGE_SHIFT);
1647
1648 iter->bvec = bvec + seg_skip;
1649 iter->nr_segs -= seg_skip;
99c79f66 1650 iter->count -= bvec->bv_len + offset;
bd11b3a3 1651 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1652 }
1653 }
1654
5e559561 1655 return len;
edafccee
JA		 1656}
1657
cf6fd4bd
PB		 1658static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1659 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1660{
9adbd45d
JA		 1661 void __user *buf = u64_to_user_ptr(req->rw.addr);
1662 size_t sqe_len = req->rw.len;
edafccee
JA		 1663 u8 opcode;
1664
d625c6ee 1665 opcode = req->opcode;
7d009165 1666 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1667 *iovec = NULL;
9adbd45d 1668 return io_import_fixed(req, rw, iter);
edafccee 1669 }
2b188cc1 1670
9adbd45d
JA		 1671 /* buffer index only valid with fixed read/write */
1672 if (req->rw.kiocb.private)
1673 return -EINVAL;
1674
f67676d1
JA		 1675 if (req->io) {
1676 struct io_async_rw *iorw = &req->io->rw;
1677
1678 *iovec = iorw->iov;
1679 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1680 if (iorw->iov == iorw->fast_iov)
1681 *iovec = NULL;
1682 return iorw->size;
1683 }
1684
cf6fd4bd 1685 if (!req->has_user)
2b188cc1
JA		 1686 return -EFAULT;
1687
1688#ifdef CONFIG_COMPAT
cf6fd4bd 1689 if (req->ctx->compat)
2b188cc1
JA		 1690 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1691 iovec, iter);
1692#endif
1693
1694 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1695}
1696
31b51510 1697/*
32960613
JA		 1698 * For files that don't have ->read_iter() and ->write_iter(), handle them
1699 * by looping over ->read() or ->write() manually.
31b51510 1700 */
32960613
JA		 1701static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1702 struct iov_iter *iter)
1703{
1704 ssize_t ret = 0;
1705
1706 /*
1707 * Don't support polled IO through this interface, and we can't
1708 * support non-blocking either. For the latter, this just causes
1709 * the kiocb to be handled from an async context.
1710 */
1711 if (kiocb->ki_flags & IOCB_HIPRI)
1712 return -EOPNOTSUPP;
1713 if (kiocb->ki_flags & IOCB_NOWAIT)
1714 return -EAGAIN;
1715
1716 while (iov_iter_count(iter)) {
311ae9e1 1717 struct iovec iovec;
32960613
JA		 1718 ssize_t nr;
1719
311ae9e1
PB		 1720 if (!iov_iter_is_bvec(iter)) {
1721 iovec = iov_iter_iovec(iter);
1722 } else {
1723 /* fixed buffers import bvec */
1724 iovec.iov_base = kmap(iter->bvec->bv_page)
1725 + iter->iov_offset;
1726 iovec.iov_len = min(iter->count,
1727 iter->bvec->bv_len - iter->iov_offset);
1728 }
1729
32960613
JA		 1730 if (rw == READ) {
1731 nr = file->f_op->read(file, iovec.iov_base,
1732 iovec.iov_len, &kiocb->ki_pos);
1733 } else {
1734 nr = file->f_op->write(file, iovec.iov_base,
1735 iovec.iov_len, &kiocb->ki_pos);
1736 }
1737
311ae9e1
PB		 1738 if (iov_iter_is_bvec(iter))
1739 kunmap(iter->bvec->bv_page);
1740
32960613
JA		 1741 if (nr < 0) {
1742 if (!ret)
1743 ret = nr;
1744 break;
1745 }
1746 ret += nr;
1747 if (nr != iovec.iov_len)
1748 break;
1749 iov_iter_advance(iter, nr);
1750 }
1751
1752 return ret;
1753}
1754
b7bb4f7d 1755static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 1756 struct iovec *iovec, struct iovec *fast_iov,
1757 struct iov_iter *iter)
1758{
1759 req->io->rw.nr_segs = iter->nr_segs;
1760 req->io->rw.size = io_size;
1761 req->io->rw.iov = iovec;
1762 if (!req->io->rw.iov) {
1763 req->io->rw.iov = req->io->rw.fast_iov;
1764 memcpy(req->io->rw.iov, fast_iov,
1765 sizeof(struct iovec) * iter->nr_segs);
1766 }
1767}
1768
b7bb4f7d 1769static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1
JA		 1770{
1771 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 1772 return req->io == NULL;
b7bb4f7d
JA		 1773}
1774
1775static void io_rw_async(struct io_wq_work **workptr)
1776{
1777 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
1778 struct iovec *iov = NULL;
1779
1780 if (req->io->rw.iov != req->io->rw.fast_iov)
1781 iov = req->io->rw.iov;
1782 io_wq_submit_work(workptr);
1783 kfree(iov);
1784}
1785
1786static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
1787 struct iovec *iovec, struct iovec *fast_iov,
1788 struct iov_iter *iter)
1789{
74566df3
JA		 1790 if (req->opcode == IORING_OP_READ_FIXED ||
1791 req->opcode == IORING_OP_WRITE_FIXED)
1792 return 0;
b7bb4f7d
JA		 1793 if (!req->io && io_alloc_async_ctx(req))
1794 return -ENOMEM;
1795
1796 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
1797 req->work.func = io_rw_async;
1798 return 0;
f67676d1
JA		 1799}
1800
3529d8c2
JA		 1801static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1802 bool force_nonblock)
f67676d1 1803{
3529d8c2
JA		 1804 struct io_async_ctx *io;
1805 struct iov_iter iter;
f67676d1
JA		 1806 ssize_t ret;
1807
3529d8c2
JA		 1808 ret = io_prep_rw(req, sqe, force_nonblock);
1809 if (ret)
1810 return ret;
f67676d1 1811
3529d8c2
JA		 1812 if (unlikely(!(req->file->f_mode & FMODE_READ)))
1813 return -EBADF;
f67676d1 1814
3529d8c2
JA		 1815 if (!req->io)
1816 return 0;
1817
1818 io = req->io;
1819 io->rw.iov = io->rw.fast_iov;
1820 req->io = NULL;
1821 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
1822 req->io = io;
1823 if (ret < 0)
1824 return ret;
1825
1826 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
1827 return 0;
f67676d1
JA		 1828}
1829
267bc904 1830static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 1831 bool force_nonblock)
2b188cc1
JA		 1832{
1833 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 1834 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 1835 struct iov_iter iter;
31b51510 1836 size_t iov_count;
f67676d1 1837 ssize_t io_size, ret;
2b188cc1 1838
3529d8c2 1839 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 1840 if (ret < 0)
1841 return ret;
2b188cc1 1842
fd6c2e4c
JA		 1843 /* Ensure we clear previously set non-block flag */
1844 if (!force_nonblock)
9adbd45d 1845 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 1846
797f3f53 1847 req->result = 0;
f67676d1 1848 io_size = ret;
9e645e11 1849 if (req->flags & REQ_F_LINK)
f67676d1
JA		 1850 req->result = io_size;
1851
1852 /*
1853 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1854 * we know to async punt it even if it was opened O_NONBLOCK
1855 */
9adbd45d 1856 if (force_nonblock && !io_file_supports_async(req->file)) {
f67676d1
JA		 1857 req->flags |= REQ_F_MUST_PUNT;
1858 goto copy_iov;
1859 }
9e645e11 1860
31b51510 1861 iov_count = iov_iter_count(&iter);
9adbd45d 1862 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 1863 if (!ret) {
1864 ssize_t ret2;
1865
9adbd45d
JA		 1866 if (req->file->f_op->read_iter)
1867 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 1868 else
9adbd45d 1869 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 1870
9d93a3f5 1871 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 1872 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 1873 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 1874 } else {
1875copy_iov:
b7bb4f7d 1876 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 1877 inline_vecs, &iter);
1878 if (ret)
1879 goto out_free;
1880 return -EAGAIN;
1881 }
2b188cc1 1882 }
f67676d1 1883out_free:
b7bb4f7d
JA		 1884 if (!io_wq_current_is_worker())
1885 kfree(iovec);
2b188cc1
JA		 1886 return ret;
1887}
1888
3529d8c2
JA		 1889static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1890 bool force_nonblock)
f67676d1 1891{
3529d8c2
JA		 1892 struct io_async_ctx *io;
1893 struct iov_iter iter;
f67676d1
JA		 1894 ssize_t ret;
1895
3529d8c2
JA		 1896 ret = io_prep_rw(req, sqe, force_nonblock);
1897 if (ret)
1898 return ret;
f67676d1 1899
3529d8c2
JA		 1900 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
1901 return -EBADF;
f67676d1 1902
3529d8c2
JA		 1903 if (!req->io)
1904 return 0;
1905
1906 io = req->io;
1907 io->rw.iov = io->rw.fast_iov;
1908 req->io = NULL;
1909 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
1910 req->io = io;
1911 if (ret < 0)
1912 return ret;
1913
1914 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
1915 return 0;
f67676d1
JA		 1916}
1917
267bc904 1918static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 1919 bool force_nonblock)
2b188cc1
JA		 1920{
1921 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 1922 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 1923 struct iov_iter iter;
31b51510 1924 size_t iov_count;
f67676d1 1925 ssize_t ret, io_size;
2b188cc1 1926
3529d8c2 1927 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 1928 if (ret < 0)
1929 return ret;
2b188cc1 1930
fd6c2e4c
JA		 1931 /* Ensure we clear previously set non-block flag */
1932 if (!force_nonblock)
9adbd45d 1933 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 1934
797f3f53 1935 req->result = 0;
f67676d1 1936 io_size = ret;
9e645e11 1937 if (req->flags & REQ_F_LINK)
f67676d1 1938 req->result = io_size;
9e645e11 1939
f67676d1
JA		 1940 /*
1941 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1942 * we know to async punt it even if it was opened O_NONBLOCK
1943 */
1944 if (force_nonblock && !io_file_supports_async(req->file)) {
1945 req->flags |= REQ_F_MUST_PUNT;
1946 goto copy_iov;
1947 }
31b51510 1948
10d59345
JA		 1949 /* file path doesn't support NOWAIT for non-direct_IO */
1950 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
1951 (req->flags & REQ_F_ISREG))
f67676d1 1952 goto copy_iov;
31b51510 1953
f67676d1 1954 iov_count = iov_iter_count(&iter);
9adbd45d 1955 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 1956 if (!ret) {
9bf7933f
RP		 1957 ssize_t ret2;
1958
2b188cc1
JA		 1959 /*
1960 * Open-code file_start_write here to grab freeze protection,
1961 * which will be released by another thread in
1962 * io_complete_rw(). Fool lockdep by telling it the lock got
1963 * released so that it doesn't complain about the held lock when
1964 * we return to userspace.
1965 */
491381ce 1966 if (req->flags & REQ_F_ISREG) {
9adbd45d 1967 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 1968 SB_FREEZE_WRITE, true);
9adbd45d 1969 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 1970 SB_FREEZE_WRITE);
1971 }
1972 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 1973
9adbd45d
JA		 1974 if (req->file->f_op->write_iter)
1975 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 1976 else
9adbd45d 1977 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
f67676d1 1978 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 1979 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 1980 } else {
1981copy_iov:
b7bb4f7d 1982 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 1983 inline_vecs, &iter);
1984 if (ret)
1985 goto out_free;
1986 return -EAGAIN;
1987 }
2b188cc1 1988 }
31b51510 1989out_free:
b7bb4f7d
JA		 1990 if (!io_wq_current_is_worker())
1991 kfree(iovec);
2b188cc1
JA		 1992 return ret;
1993}
1994
1995/*
1996 * IORING_OP_NOP just posts a completion event, nothing else.
1997 */
78e19bbe 1998static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 1999{
2000 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2001
def596e9
JA		 2002 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2003 return -EINVAL;
2004
78e19bbe 2005 io_cqring_add_event(req, 0);
e65ef56d 2006 io_put_req(req);
2b188cc1
JA		 2007 return 0;
2008}
2009
3529d8c2 2010static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2011{
6b06314c 2012 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2013
09bb8394
JA		 2014 if (!req->file)
2015 return -EBADF;
c992fe29 2016
6b06314c 2017 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2018 return -EINVAL;
edafccee 2019 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2020 return -EINVAL;
2021
8ed8d3c3
JA		 2022 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2023 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2024 return -EINVAL;
2025
2026 req->sync.off = READ_ONCE(sqe->off);
2027 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2028 return 0;
2029}
2030
8ed8d3c3
JA		 2031static bool io_req_cancelled(struct io_kiocb *req)
2032{
2033 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2034 req_set_fail_links(req);
2035 io_cqring_add_event(req, -ECANCELED);
2036 io_put_req(req);
2037 return true;
2038 }
2039
2040 return false;
2041}
2042
78912934
JA		 2043static void io_link_work_cb(struct io_wq_work **workptr)
2044{
2045 struct io_wq_work *work = *workptr;
2046 struct io_kiocb *link = work->data;
2047
2048 io_queue_linked_timeout(link);
2049 work->func = io_wq_submit_work;
2050}
2051
2052static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2053{
2054 struct io_kiocb *link;
2055
2056 io_prep_async_work(nxt, &link);
2057 *workptr = &nxt->work;
2058 if (link) {
2059 nxt->work.flags |= IO_WQ_WORK_CB;
2060 nxt->work.func = io_link_work_cb;
2061 nxt->work.data = link;
2062 }
2063}
2064
8ed8d3c3
JA		 2065static void io_fsync_finish(struct io_wq_work **workptr)
2066{
2067 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2068 loff_t end = req->sync.off + req->sync.len;
2069 struct io_kiocb *nxt = NULL;
2070 int ret;
2071
2072 if (io_req_cancelled(req))
2073 return;
2074
9adbd45d 2075 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2076 end > 0 ? end : LLONG_MAX,
2077 req->sync.flags & IORING_FSYNC_DATASYNC);
2078 if (ret < 0)
2079 req_set_fail_links(req);
2080 io_cqring_add_event(req, ret);
2081 io_put_req_find_next(req, &nxt);
2082 if (nxt)
78912934 2083 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2084}
2085
fc4df999
JA		 2086static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2087 bool force_nonblock)
c992fe29 2088{
8ed8d3c3 2089 struct io_wq_work *work, *old_work;
c992fe29
CH		 2090
2091 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2092 if (force_nonblock) {
2093 io_put_req(req);
2094 req->work.func = io_fsync_finish;
c992fe29 2095 return -EAGAIN;
8ed8d3c3 2096 }
c992fe29 2097
8ed8d3c3
JA		 2098 work = old_work = &req->work;
2099 io_fsync_finish(&work);
2100 if (work && work != old_work)
2101 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2102 return 0;
2103}
2104
d63d1b5e
JA		 2105static void io_fallocate_finish(struct io_wq_work **workptr)
2106{
2107 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2108 struct io_kiocb *nxt = NULL;
2109 int ret;
2110
2111 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2112 req->sync.len);
2113 if (ret < 0)
2114 req_set_fail_links(req);
2115 io_cqring_add_event(req, ret);
2116 io_put_req_find_next(req, &nxt);
2117 if (nxt)
2118 io_wq_assign_next(workptr, nxt);
2119}
2120
2121static int io_fallocate_prep(struct io_kiocb *req,
2122 const struct io_uring_sqe *sqe)
2123{
2124 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2125 return -EINVAL;
2126
2127 req->sync.off = READ_ONCE(sqe->off);
2128 req->sync.len = READ_ONCE(sqe->addr);
2129 req->sync.mode = READ_ONCE(sqe->len);
2130 return 0;
2131}
2132
2133static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2134 bool force_nonblock)
2135{
2136 struct io_wq_work *work, *old_work;
2137
2138 /* fallocate always requiring blocking context */
2139 if (force_nonblock) {
2140 io_put_req(req);
2141 req->work.func = io_fallocate_finish;
2142 return -EAGAIN;
2143 }
2144
2145 work = old_work = &req->work;
2146 io_fallocate_finish(&work);
2147 if (work && work != old_work)
2148 *nxt = container_of(work, struct io_kiocb, work);
2149
2150 return 0;
2151}
2152
3529d8c2 2153static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 2154{
2155 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 2156
2157 if (!req->file)
2158 return -EBADF;
5d17b4a4
JA		 2159
2160 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2161 return -EINVAL;
2162 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2163 return -EINVAL;
2164
8ed8d3c3
JA		 2165 req->sync.off = READ_ONCE(sqe->off);
2166 req->sync.len = READ_ONCE(sqe->len);
2167 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 2168 return 0;
2169}
2170
2171static void io_sync_file_range_finish(struct io_wq_work **workptr)
2172{
2173 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2174 struct io_kiocb *nxt = NULL;
2175 int ret;
2176
2177 if (io_req_cancelled(req))
2178 return;
2179
9adbd45d 2180 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 2181 req->sync.flags);
2182 if (ret < 0)
2183 req_set_fail_links(req);
2184 io_cqring_add_event(req, ret);
2185 io_put_req_find_next(req, &nxt);
2186 if (nxt)
78912934 2187 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2188}
2189
fc4df999 2190static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2191 bool force_nonblock)
2192{
8ed8d3c3 2193 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2194
2195 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2196 if (force_nonblock) {
2197 io_put_req(req);
2198 req->work.func = io_sync_file_range_finish;
5d17b4a4 2199 return -EAGAIN;
8ed8d3c3 2200 }
5d17b4a4 2201
8ed8d3c3
JA		 2202 work = old_work = &req->work;
2203 io_sync_file_range_finish(&work);
2204 if (work && work != old_work)
2205 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2206 return 0;
2207}
2208
b7bb4f7d
JA		 2209#if defined(CONFIG_NET)
2210static void io_sendrecv_async(struct io_wq_work **workptr)
2211{
2212 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2213 struct iovec *iov = NULL;
2214
2215 if (req->io->rw.iov != req->io->rw.fast_iov)
2216 iov = req->io->msg.iov;
2217 io_wq_submit_work(workptr);
2218 kfree(iov);
2219}
2220#endif
2221
3529d8c2 2222static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 2223{
0fa03c62 2224#if defined(CONFIG_NET)
e47293fd 2225 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 2226 struct io_async_ctx *io = req->io;
03b1230c 2227
e47293fd
JA		 2228 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2229 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3529d8c2
JA		 2230
2231 if (!io)
2232 return 0;
2233
d9688565 2234 io->msg.iov = io->msg.fast_iov;
3529d8c2 2235 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2236 &io->msg.iov);
03b1230c 2237#else
e47293fd 2238 return -EOPNOTSUPP;
03b1230c
JA		 2239#endif
2240}
2241
fc4df999
JA		 2242static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2243 bool force_nonblock)
aa1fa28f 2244{
03b1230c 2245#if defined(CONFIG_NET)
0b416c3e 2246 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2247 struct socket *sock;
2248 int ret;
2249
2250 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2251 return -EINVAL;
2252
2253 sock = sock_from_file(req->file, &ret);
2254 if (sock) {
b7bb4f7d 2255 struct io_async_ctx io;
03b1230c 2256 struct sockaddr_storage addr;
0fa03c62
JA		 2257 unsigned flags;
2258
03b1230c 2259 if (req->io) {
0b416c3e
JA		 2260 kmsg = &req->io->msg;
2261 kmsg->msg.msg_name = &addr;
2262 /* if iov is set, it's allocated already */
2263 if (!kmsg->iov)
2264 kmsg->iov = kmsg->fast_iov;
2265 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2266 } else {
3529d8c2
JA		 2267 struct io_sr_msg *sr = &req->sr_msg;
2268
0b416c3e
JA		 2269 kmsg = &io.msg;
2270 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2271
2272 io.msg.iov = io.msg.fast_iov;
2273 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2274 sr->msg_flags, &io.msg.iov);
03b1230c 2275 if (ret)
3529d8c2 2276 return ret;
03b1230c 2277 }
0fa03c62 2278
e47293fd
JA		 2279 flags = req->sr_msg.msg_flags;
2280 if (flags & MSG_DONTWAIT)
2281 req->flags |= REQ_F_NOWAIT;
2282 else if (force_nonblock)
2283 flags |= MSG_DONTWAIT;
2284
0b416c3e 2285 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2286 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2287 if (req->io)
2288 return -EAGAIN;
2289 if (io_alloc_async_ctx(req))
2290 return -ENOMEM;
2291 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2292 req->work.func = io_sendrecv_async;
0b416c3e 2293 return -EAGAIN;
03b1230c 2294 }
441cdbd5
JA		 2295 if (ret == -ERESTARTSYS)
2296 ret = -EINTR;
0fa03c62
JA		 2297 }
2298
b7bb4f7d 2299 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2300 kfree(kmsg->iov);
78e19bbe 2301 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2302 if (ret < 0)
2303 req_set_fail_links(req);
ec9c02ad 2304 io_put_req_find_next(req, nxt);
5d17b4a4 2305 return 0;
03b1230c
JA		 2306#else
2307 return -EOPNOTSUPP;
aa1fa28f 2308#endif
03b1230c 2309}
aa1fa28f 2310
3529d8c2
JA		 2311static int io_recvmsg_prep(struct io_kiocb *req,
2312 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 2313{
2314#if defined(CONFIG_NET)
e47293fd 2315 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2
JA		 2316 struct io_async_ctx *io = req->io;
2317
2318 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2319 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
06b76d44 2320
3529d8c2 2321 if (!io)
06b76d44 2322 return 0;
03b1230c 2323
d9688565 2324 io->msg.iov = io->msg.fast_iov;
3529d8c2 2325 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2326 &io->msg.uaddr, &io->msg.iov);
aa1fa28f 2327#else
e47293fd 2328 return -EOPNOTSUPP;
aa1fa28f
JA		 2329#endif
2330}
2331
fc4df999
JA		 2332static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2333 bool force_nonblock)
aa1fa28f
JA		 2334{
2335#if defined(CONFIG_NET)
0b416c3e 2336 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 2337 struct socket *sock;
2338 int ret;
2339
2340 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2341 return -EINVAL;
2342
2343 sock = sock_from_file(req->file, &ret);
2344 if (sock) {
b7bb4f7d 2345 struct io_async_ctx io;
03b1230c 2346 struct sockaddr_storage addr;
03b1230c
JA		 2347 unsigned flags;
2348
03b1230c 2349 if (req->io) {
0b416c3e
JA		 2350 kmsg = &req->io->msg;
2351 kmsg->msg.msg_name = &addr;
2352 /* if iov is set, it's allocated already */
2353 if (!kmsg->iov)
2354 kmsg->iov = kmsg->fast_iov;
2355 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2356 } else {
3529d8c2
JA		 2357 struct io_sr_msg *sr = &req->sr_msg;
2358
0b416c3e
JA		 2359 kmsg = &io.msg;
2360 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2361
2362 io.msg.iov = io.msg.fast_iov;
2363 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
2364 sr->msg_flags, &io.msg.uaddr,
2365 &io.msg.iov);
03b1230c 2366 if (ret)
3529d8c2 2367 return ret;
03b1230c
JA		 2368 }
2369
e47293fd
JA		 2370 flags = req->sr_msg.msg_flags;
2371 if (flags & MSG_DONTWAIT)
2372 req->flags |= REQ_F_NOWAIT;
2373 else if (force_nonblock)
2374 flags |= MSG_DONTWAIT;
2375
2376 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
2377 kmsg->uaddr, flags);
03b1230c 2378 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2379 if (req->io)
2380 return -EAGAIN;
2381 if (io_alloc_async_ctx(req))
2382 return -ENOMEM;
2383 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2384 req->work.func = io_sendrecv_async;
0b416c3e 2385 return -EAGAIN;
03b1230c
JA		 2386 }
2387 if (ret == -ERESTARTSYS)
2388 ret = -EINTR;
2389 }
2390
b7bb4f7d 2391 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2392 kfree(kmsg->iov);
03b1230c 2393 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2394 if (ret < 0)
2395 req_set_fail_links(req);
03b1230c
JA		 2396 io_put_req_find_next(req, nxt);
2397 return 0;
0fa03c62
JA		 2398#else
2399 return -EOPNOTSUPP;
2400#endif
2401}
5d17b4a4 2402
3529d8c2 2403static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 2404{
2405#if defined(CONFIG_NET)
8ed8d3c3
JA		 2406 struct io_accept *accept = &req->accept;
2407
17f2fe35
JA		 2408 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2409 return -EINVAL;
8042d6ce 2410 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 2411 return -EINVAL;
2412
d55e5f5b
JA		 2413 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2414 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 2415 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 2416 return 0;
2417#else
2418 return -EOPNOTSUPP;
2419#endif
2420}
17f2fe35 2421
8ed8d3c3
JA		 2422#if defined(CONFIG_NET)
2423static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2424 bool force_nonblock)
2425{
2426 struct io_accept *accept = &req->accept;
2427 unsigned file_flags;
2428 int ret;
2429
2430 file_flags = force_nonblock ? O_NONBLOCK : 0;
2431 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2432 accept->addr_len, accept->flags);
2433 if (ret == -EAGAIN && force_nonblock)
17f2fe35 2434 return -EAGAIN;
8e3cca12
JA		 2435 if (ret == -ERESTARTSYS)
2436 ret = -EINTR;
4e88d6e7
JA		 2437 if (ret < 0)
2438 req_set_fail_links(req);
78e19bbe 2439 io_cqring_add_event(req, ret);
ec9c02ad 2440 io_put_req_find_next(req, nxt);
17f2fe35 2441 return 0;
8ed8d3c3
JA		 2442}
2443
2444static void io_accept_finish(struct io_wq_work **workptr)
2445{
2446 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2447 struct io_kiocb *nxt = NULL;
2448
2449 if (io_req_cancelled(req))
2450 return;
2451 __io_accept(req, &nxt, false);
2452 if (nxt)
78912934 2453 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2454}
2455#endif
2456
2457static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2458 bool force_nonblock)
2459{
2460#if defined(CONFIG_NET)
2461 int ret;
2462
8ed8d3c3
JA		 2463 ret = __io_accept(req, nxt, force_nonblock);
2464 if (ret == -EAGAIN && force_nonblock) {
2465 req->work.func = io_accept_finish;
2466 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2467 io_put_req(req);
2468 return -EAGAIN;
2469 }
2470 return 0;
0fa03c62
JA		 2471#else
2472 return -EOPNOTSUPP;
2473#endif
2474}
5d17b4a4 2475
3529d8c2 2476static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 2477{
2478#if defined(CONFIG_NET)
3529d8c2
JA		 2479 struct io_connect *conn = &req->connect;
2480 struct io_async_ctx *io = req->io;
f499a021 2481
3fbb51c1
JA		 2482 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2483 return -EINVAL;
2484 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
2485 return -EINVAL;
2486
3529d8c2
JA		 2487 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2488 conn->addr_len = READ_ONCE(sqe->addr2);
2489
2490 if (!io)
2491 return 0;
2492
2493 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 2494 &io->connect.address);
f499a021 2495#else
3fbb51c1 2496 return -EOPNOTSUPP;
f499a021
JA		 2497#endif
2498}
2499
fc4df999
JA		 2500static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
2501 bool force_nonblock)
f8e85cf2
JA		 2502{
2503#if defined(CONFIG_NET)
f499a021 2504 struct io_async_ctx __io, *io;
f8e85cf2 2505 unsigned file_flags;
3fbb51c1 2506 int ret;
f8e85cf2 2507
f499a021
JA		 2508 if (req->io) {
2509 io = req->io;
2510 } else {
3529d8c2
JA		 2511 ret = move_addr_to_kernel(req->connect.addr,
2512 req->connect.addr_len,
2513 &__io.connect.address);
f499a021
JA		 2514 if (ret)
2515 goto out;
2516 io = &__io;
2517 }
2518
3fbb51c1
JA		 2519 file_flags = force_nonblock ? O_NONBLOCK : 0;
2520
2521 ret = __sys_connect_file(req->file, &io->connect.address,
2522 req->connect.addr_len, file_flags);
87f80d62 2523 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 2524 if (req->io)
2525 return -EAGAIN;
2526 if (io_alloc_async_ctx(req)) {
f499a021
JA		 2527 ret = -ENOMEM;
2528 goto out;
2529 }
b7bb4f7d 2530 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 2531 return -EAGAIN;
f499a021 2532 }
f8e85cf2
JA		 2533 if (ret == -ERESTARTSYS)
2534 ret = -EINTR;
f499a021 2535out:
4e88d6e7
JA		 2536 if (ret < 0)
2537 req_set_fail_links(req);
f8e85cf2
JA		 2538 io_cqring_add_event(req, ret);
2539 io_put_req_find_next(req, nxt);
2540 return 0;
2541#else
2542 return -EOPNOTSUPP;
2543#endif
2544}
2545
221c5eb2
JA		 2546static void io_poll_remove_one(struct io_kiocb *req)
2547{
2548 struct io_poll_iocb *poll = &req->poll;
2549
2550 spin_lock(&poll->head->lock);
2551 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 2552 if (!list_empty(&poll->wait.entry)) {
2553 list_del_init(&poll->wait.entry);
a197f664 2554 io_queue_async_work(req);
221c5eb2
JA		 2555 }
2556 spin_unlock(&poll->head->lock);
78076bb6 2557 hash_del(&req->hash_node);
221c5eb2
JA		 2558}
2559
2560static void io_poll_remove_all(struct io_ring_ctx *ctx)
2561{
78076bb6 2562 struct hlist_node *tmp;
221c5eb2 2563 struct io_kiocb *req;
78076bb6 2564 int i;
221c5eb2
JA		 2565
2566 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 2567 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
2568 struct hlist_head *list;
2569
2570 list = &ctx->cancel_hash[i];
2571 hlist_for_each_entry_safe(req, tmp, list, hash_node)
2572 io_poll_remove_one(req);
221c5eb2
JA		 2573 }
2574 spin_unlock_irq(&ctx->completion_lock);
2575}
2576
47f46768
JA		 2577static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
2578{
78076bb6 2579 struct hlist_head *list;
47f46768
JA		 2580 struct io_kiocb *req;
2581
78076bb6
JA		 2582 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
2583 hlist_for_each_entry(req, list, hash_node) {
2584 if (sqe_addr == req->user_data) {
eac406c6
JA		 2585 io_poll_remove_one(req);
2586 return 0;
2587 }
47f46768
JA		 2588 }
2589
2590 return -ENOENT;
2591}
2592
3529d8c2
JA		 2593static int io_poll_remove_prep(struct io_kiocb *req,
2594 const struct io_uring_sqe *sqe)
0969e783 2595{
0969e783
JA		 2596 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2597 return -EINVAL;
2598 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
2599 sqe->poll_events)
2600 return -EINVAL;
2601
2602 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 2603 return 0;
2604}
2605
221c5eb2
JA		 2606/*
2607 * Find a running poll command that matches one specified in sqe->addr,
2608 * and remove it if found.
2609 */
fc4df999 2610static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 2611{
2612 struct io_ring_ctx *ctx = req->ctx;
0969e783 2613 u64 addr;
47f46768 2614 int ret;
221c5eb2 2615
0969e783 2616 addr = req->poll.addr;
221c5eb2 2617 spin_lock_irq(&ctx->completion_lock);
0969e783 2618 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 2619 spin_unlock_irq(&ctx->completion_lock);
2620
78e19bbe 2621 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2622 if (ret < 0)
2623 req_set_fail_links(req);
e65ef56d 2624 io_put_req(req);
221c5eb2
JA		 2625 return 0;
2626}
2627
b0dd8a41 2628static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 2629{
a197f664
JL		 2630 struct io_ring_ctx *ctx = req->ctx;
2631
8c838788 2632 req->poll.done = true;
b0dd8a41
JA		 2633 if (error)
2634 io_cqring_fill_event(req, error);
2635 else
2636 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 2637 io_commit_cqring(ctx);
221c5eb2
JA		 2638}
2639
561fb04a 2640static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 2641{
561fb04a 2642 struct io_wq_work *work = *workptr;
221c5eb2
JA		 2643 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2644 struct io_poll_iocb *poll = &req->poll;
2645 struct poll_table_struct pt = { ._key = poll->events };
2646 struct io_ring_ctx *ctx = req->ctx;
89723d0b 2647 struct io_kiocb *nxt = NULL;
221c5eb2 2648 __poll_t mask = 0;
b0dd8a41 2649 int ret = 0;
221c5eb2 2650
b0dd8a41 2651 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 2652 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 2653 ret = -ECANCELED;
2654 } else if (READ_ONCE(poll->canceled)) {
2655 ret = -ECANCELED;
2656 }
561fb04a 2657
b0dd8a41 2658 if (ret != -ECANCELED)
221c5eb2
JA		 2659 mask = vfs_poll(poll->file, &pt) & poll->events;
2660
2661 /*
2662 * Note that ->ki_cancel callers also delete iocb from active_reqs after
2663 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
2664 * synchronize with them. In the cancellation case the list_del_init
2665 * itself is not actually needed, but harmless so we keep it in to
2666 * avoid further branches in the fast path.
2667 */
2668 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 2669 if (!mask && ret != -ECANCELED) {
392edb45 2670 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 2671 spin_unlock_irq(&ctx->completion_lock);
2672 return;
2673 }
78076bb6 2674 hash_del(&req->hash_node);
b0dd8a41 2675 io_poll_complete(req, mask, ret);
221c5eb2
JA		 2676 spin_unlock_irq(&ctx->completion_lock);
2677
8c838788 2678 io_cqring_ev_posted(ctx);
89723d0b 2679
4e88d6e7
JA		 2680 if (ret < 0)
2681 req_set_fail_links(req);
ec9c02ad 2682 io_put_req_find_next(req, &nxt);
89723d0b 2683 if (nxt)
78912934 2684 io_wq_assign_next(workptr, nxt);
221c5eb2
JA		 2685}
2686
2687static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2688 void *key)
2689{
e944475e 2690 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 2691 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
2692 struct io_ring_ctx *ctx = req->ctx;
2693 __poll_t mask = key_to_poll(key);
8c838788 2694 unsigned long flags;
221c5eb2
JA		 2695
2696 /* for instances that support it check for an event match first: */
8c838788
JA		 2697 if (mask && !(mask & poll->events))
2698 return 0;
221c5eb2 2699
392edb45 2700 list_del_init(&poll->wait.entry);
221c5eb2 2701
7c9e7f0f
JA		 2702 /*
2703 * Run completion inline if we can. We're using trylock here because
2704 * we are violating the completion_lock -> poll wq lock ordering.
2705 * If we have a link timeout we're going to need the completion_lock
2706 * for finalizing the request, mark us as having grabbed that already.
2707 */
8c838788 2708 if (mask && spin_trylock_irqsave(&ctx->completion_lock, flags)) {
78076bb6 2709 hash_del(&req->hash_node);
b0dd8a41 2710 io_poll_complete(req, mask, 0);
7c9e7f0f
JA		 2711 req->flags |= REQ_F_COMP_LOCKED;
2712 io_put_req(req);
8c838788 2713 spin_unlock_irqrestore(&ctx->completion_lock, flags);
221c5eb2 2714
8c838788 2715 io_cqring_ev_posted(ctx);
8c838788 2716 } else {
a197f664 2717 io_queue_async_work(req);
221c5eb2
JA		 2718 }
2719
221c5eb2
JA		 2720 return 1;
2721}
2722
2723struct io_poll_table {
2724 struct poll_table_struct pt;
2725 struct io_kiocb *req;
2726 int error;
2727};
2728
2729static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
2730 struct poll_table_struct *p)
2731{
2732 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
2733
2734 if (unlikely(pt->req->poll.head)) {
2735 pt->error = -EINVAL;
2736 return;
2737 }
2738
2739 pt->error = 0;
2740 pt->req->poll.head = head;
392edb45 2741 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 2742}
2743
eac406c6
JA		 2744static void io_poll_req_insert(struct io_kiocb *req)
2745{
2746 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 2747 struct hlist_head *list;
2748
2749 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
2750 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 2751}
2752
3529d8c2 2753static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 2754{
2755 struct io_poll_iocb *poll = &req->poll;
221c5eb2 2756 u16 events;
221c5eb2
JA		 2757
2758 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2759 return -EINVAL;
2760 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
2761 return -EINVAL;
09bb8394
JA		 2762 if (!poll->file)
2763 return -EBADF;
221c5eb2 2764
221c5eb2
JA		 2765 events = READ_ONCE(sqe->poll_events);
2766 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 2767 return 0;
2768}
2769
2770static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
2771{
2772 struct io_poll_iocb *poll = &req->poll;
2773 struct io_ring_ctx *ctx = req->ctx;
2774 struct io_poll_table ipt;
2775 bool cancel = false;
2776 __poll_t mask;
0969e783
JA		 2777
2778 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 2779 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 2780
221c5eb2 2781 poll->head = NULL;
8c838788 2782 poll->done = false;
221c5eb2
JA		 2783 poll->canceled = false;
2784
2785 ipt.pt._qproc = io_poll_queue_proc;
2786 ipt.pt._key = poll->events;
2787 ipt.req = req;
2788 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
2789
2790 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 2791 INIT_LIST_HEAD(&poll->wait.entry);
2792 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
2793 poll->wait.private = poll;
221c5eb2 2794
36703247
JA		 2795 INIT_LIST_HEAD(&req->list);
2796
221c5eb2 2797 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 2798
2799 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 2800 if (likely(poll->head)) {
2801 spin_lock(&poll->head->lock);
392edb45 2802 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 2803 if (ipt.error)
2804 cancel = true;
2805 ipt.error = 0;
2806 mask = 0;
2807 }
2808 if (mask || ipt.error)
392edb45 2809 list_del_init(&poll->wait.entry);
8c838788
JA		 2810 else if (cancel)
2811 WRITE_ONCE(poll->canceled, true);
2812 else if (!poll->done) /* actually waiting for an event */
eac406c6 2813 io_poll_req_insert(req);
8c838788
JA		 2814 spin_unlock(&poll->head->lock);
2815 }
2816 if (mask) { /* no async, we'd stolen it */
221c5eb2 2817 ipt.error = 0;
b0dd8a41 2818 io_poll_complete(req, mask, 0);
221c5eb2 2819 }
221c5eb2
JA		 2820 spin_unlock_irq(&ctx->completion_lock);
2821
8c838788
JA		 2822 if (mask) {
2823 io_cqring_ev_posted(ctx);
ec9c02ad 2824 io_put_req_find_next(req, nxt);
221c5eb2 2825 }
8c838788 2826 return ipt.error;
221c5eb2
JA		 2827}
2828
5262f567
JA		 2829static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
2830{
ad8a48ac
JA		 2831 struct io_timeout_data *data = container_of(timer,
2832 struct io_timeout_data, timer);
2833 struct io_kiocb *req = data->req;
2834 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 2835 unsigned long flags;
2836
5262f567
JA		 2837 atomic_inc(&ctx->cq_timeouts);
2838
2839 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 2840 /*
11365043
JA		 2841 * We could be racing with timeout deletion. If the list is empty,
2842 * then timeout lookup already found it and will be handling it.
ef03681a 2843 */
842f9612 2844 if (!list_empty(&req->list)) {
11365043 2845 struct io_kiocb *prev;
5262f567 2846
11365043
JA		 2847 /*
2848 * Adjust the reqs sequence before the current one because it
d195a66e 2849 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 2850 * pointer will be increased, otherwise other timeout reqs may
2851 * return in advance without waiting for enough wait_nr.
2852 */
2853 prev = req;
2854 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
2855 prev->sequence++;
11365043 2856 list_del_init(&req->list);
11365043 2857 }
5262f567 2858
78e19bbe 2859 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 2860 io_commit_cqring(ctx);
2861 spin_unlock_irqrestore(&ctx->completion_lock, flags);
2862
2863 io_cqring_ev_posted(ctx);
4e88d6e7 2864 req_set_fail_links(req);
5262f567
JA		 2865 io_put_req(req);
2866 return HRTIMER_NORESTART;
2867}
2868
47f46768
JA		 2869static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
2870{
2871 struct io_kiocb *req;
2872 int ret = -ENOENT;
2873
2874 list_for_each_entry(req, &ctx->timeout_list, list) {
2875 if (user_data == req->user_data) {
2876 list_del_init(&req->list);
2877 ret = 0;
2878 break;
2879 }
2880 }
2881
2882 if (ret == -ENOENT)
2883 return ret;
2884
2d28390a 2885 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 2886 if (ret == -1)
2887 return -EALREADY;
2888
4e88d6e7 2889 req_set_fail_links(req);
47f46768
JA		 2890 io_cqring_fill_event(req, -ECANCELED);
2891 io_put_req(req);
2892 return 0;
2893}
2894
3529d8c2
JA		 2895static int io_timeout_remove_prep(struct io_kiocb *req,
2896 const struct io_uring_sqe *sqe)
b29472ee 2897{
b29472ee
JA		 2898 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2899 return -EINVAL;
2900 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
2901 return -EINVAL;
2902
2903 req->timeout.addr = READ_ONCE(sqe->addr);
2904 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
2905 if (req->timeout.flags)
2906 return -EINVAL;
2907
b29472ee
JA		 2908 return 0;
2909}
2910
11365043
JA		 2911/*
2912 * Remove or update an existing timeout command
2913 */
fc4df999 2914static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 2915{
2916 struct io_ring_ctx *ctx = req->ctx;
47f46768 2917 int ret;
11365043 2918
11365043 2919 spin_lock_irq(&ctx->completion_lock);
b29472ee 2920 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 2921
47f46768 2922 io_cqring_fill_event(req, ret);
11365043
JA		 2923 io_commit_cqring(ctx);
2924 spin_unlock_irq(&ctx->completion_lock);
5262f567 2925 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 2926 if (ret < 0)
2927 req_set_fail_links(req);
ec9c02ad 2928 io_put_req(req);
11365043 2929 return 0;
5262f567
JA		 2930}
2931
3529d8c2 2932static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 2933 bool is_timeout_link)
5262f567 2934{
ad8a48ac 2935 struct io_timeout_data *data;
a41525ab 2936 unsigned flags;
5262f567 2937
ad8a48ac 2938 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 2939 return -EINVAL;
ad8a48ac 2940 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 2941 return -EINVAL;
2d28390a
JA		 2942 if (sqe->off && is_timeout_link)
2943 return -EINVAL;
a41525ab
JA		 2944 flags = READ_ONCE(sqe->timeout_flags);
2945 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 2946 return -EINVAL;
bdf20073 2947
26a61679
JA		 2948 req->timeout.count = READ_ONCE(sqe->off);
2949
3529d8c2 2950 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 2951 return -ENOMEM;
2952
2953 data = &req->io->timeout;
ad8a48ac 2954 data->req = req;
ad8a48ac
JA		 2955 req->flags |= REQ_F_TIMEOUT;
2956
2957 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 2958 return -EFAULT;
2959
11365043 2960 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 2961 data->mode = HRTIMER_MODE_ABS;
11365043 2962 else
ad8a48ac 2963 data->mode = HRTIMER_MODE_REL;
11365043 2964
ad8a48ac
JA		 2965 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
2966 return 0;
2967}
2968
fc4df999 2969static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 2970{
2971 unsigned count;
2972 struct io_ring_ctx *ctx = req->ctx;
2973 struct io_timeout_data *data;
2974 struct list_head *entry;
2975 unsigned span = 0;
ad8a48ac 2976
2d28390a 2977 data = &req->io->timeout;
93bd25bb 2978
5262f567
JA		 2979 /*
2980 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 2981 * timeout event to be satisfied. If it isn't set, then this is
2982 * a pure timeout request, sequence isn't used.
5262f567 2983 */
26a61679 2984 count = req->timeout.count;
93bd25bb
JA		 2985 if (!count) {
2986 req->flags |= REQ_F_TIMEOUT_NOSEQ;
2987 spin_lock_irq(&ctx->completion_lock);
2988 entry = ctx->timeout_list.prev;
2989 goto add;
2990 }
5262f567
JA		 2991
2992 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 2993 data->seq_offset = count;
5262f567
JA		 2994
2995 /*
2996 * Insertion sort, ensuring the first entry in the list is always
2997 * the one we need first.
2998 */
5262f567
JA		 2999 spin_lock_irq(&ctx->completion_lock);
3000 list_for_each_prev(entry, &ctx->timeout_list) {
3001 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 3002 unsigned nxt_sq_head;
3003 long long tmp, tmp_nxt;
2d28390a 3004 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 3005
93bd25bb
JA		 3006 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3007 continue;
3008
5da0fb1a 3009 /*
3010 * Since cached_sq_head + count - 1 can overflow, use type long
3011 * long to store it.
3012 */
3013 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 3014 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3015 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 3016
3017 /*
3018 * cached_sq_head may overflow, and it will never overflow twice
3019 * once there is some timeout req still be valid.
3020 */
3021 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 3022 tmp += UINT_MAX;
5da0fb1a 3023
a1f58ba4 3024 if (tmp > tmp_nxt)
5262f567 3025 break;
a1f58ba4 3026
3027 /*
3028 * Sequence of reqs after the insert one and itself should
3029 * be adjusted because each timeout req consumes a slot.
3030 */
3031 span++;
3032 nxt->sequence++;
5262f567 3033 }
a1f58ba4 3034 req->sequence -= span;
93bd25bb 3035add:
5262f567 3036 list_add(&req->list, entry);
ad8a48ac
JA		 3037 data->timer.function = io_timeout_fn;
3038 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 3039 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 3040 return 0;
3041}
5262f567 3042
62755e35
JA		 3043static bool io_cancel_cb(struct io_wq_work *work, void *data)
3044{
3045 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3046
3047 return req->user_data == (unsigned long) data;
3048}
3049
e977d6d3 3050static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 3051{
62755e35 3052 enum io_wq_cancel cancel_ret;
62755e35
JA		 3053 int ret = 0;
3054
62755e35
JA		 3055 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3056 switch (cancel_ret) {
3057 case IO_WQ_CANCEL_OK:
3058 ret = 0;
3059 break;
3060 case IO_WQ_CANCEL_RUNNING:
3061 ret = -EALREADY;
3062 break;
3063 case IO_WQ_CANCEL_NOTFOUND:
3064 ret = -ENOENT;
3065 break;
3066 }
3067
e977d6d3
JA		 3068 return ret;
3069}
3070
47f46768
JA		 3071static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3072 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3073 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3074{
3075 unsigned long flags;
3076 int ret;
3077
3078 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3079 if (ret != -ENOENT) {
3080 spin_lock_irqsave(&ctx->completion_lock, flags);
3081 goto done;
3082 }
3083
3084 spin_lock_irqsave(&ctx->completion_lock, flags);
3085 ret = io_timeout_cancel(ctx, sqe_addr);
3086 if (ret != -ENOENT)
3087 goto done;
3088 ret = io_poll_cancel(ctx, sqe_addr);
3089done:
b0dd8a41
JA		 3090 if (!ret)
3091 ret = success_ret;
47f46768
JA		 3092 io_cqring_fill_event(req, ret);
3093 io_commit_cqring(ctx);
3094 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3095 io_cqring_ev_posted(ctx);
3096
4e88d6e7
JA		 3097 if (ret < 0)
3098 req_set_fail_links(req);
47f46768
JA		 3099 io_put_req_find_next(req, nxt);
3100}
3101
3529d8c2
JA		 3102static int io_async_cancel_prep(struct io_kiocb *req,
3103 const struct io_uring_sqe *sqe)
e977d6d3 3104{
fbf23849 3105 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3106 return -EINVAL;
3107 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3108 sqe->cancel_flags)
3109 return -EINVAL;
3110
fbf23849
JA		 3111 req->cancel.addr = READ_ONCE(sqe->addr);
3112 return 0;
3113}
3114
3115static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3116{
3117 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 3118
3119 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3120 return 0;
3121}
3122
3529d8c2
JA		 3123static int io_req_defer_prep(struct io_kiocb *req,
3124 const struct io_uring_sqe *sqe)
f67676d1 3125{
e781573e 3126 ssize_t ret = 0;
f67676d1 3127
d625c6ee 3128 switch (req->opcode) {
e781573e
JA		 3129 case IORING_OP_NOP:
3130 break;
f67676d1
JA		 3131 case IORING_OP_READV:
3132 case IORING_OP_READ_FIXED:
3529d8c2 3133 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 3134 break;
3135 case IORING_OP_WRITEV:
3136 case IORING_OP_WRITE_FIXED:
3529d8c2 3137 ret = io_write_prep(req, sqe, true);
f67676d1 3138 break;
0969e783 3139 case IORING_OP_POLL_ADD:
3529d8c2 3140 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 3141 break;
3142 case IORING_OP_POLL_REMOVE:
3529d8c2 3143 ret = io_poll_remove_prep(req, sqe);
0969e783 3144 break;
8ed8d3c3 3145 case IORING_OP_FSYNC:
3529d8c2 3146 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 3147 break;
3148 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 3149 ret = io_prep_sfr(req, sqe);
8ed8d3c3 3150 break;
03b1230c 3151 case IORING_OP_SENDMSG:
3529d8c2 3152 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 3153 break;
3154 case IORING_OP_RECVMSG:
3529d8c2 3155 ret = io_recvmsg_prep(req, sqe);
03b1230c 3156 break;
f499a021 3157 case IORING_OP_CONNECT:
3529d8c2 3158 ret = io_connect_prep(req, sqe);
f499a021 3159 break;
2d28390a 3160 case IORING_OP_TIMEOUT:
3529d8c2 3161 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 3162 break;
b29472ee 3163 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 3164 ret = io_timeout_remove_prep(req, sqe);
b29472ee 3165 break;
fbf23849 3166 case IORING_OP_ASYNC_CANCEL:
3529d8c2 3167 ret = io_async_cancel_prep(req, sqe);
fbf23849 3168 break;
2d28390a 3169 case IORING_OP_LINK_TIMEOUT:
3529d8c2 3170 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 3171 break;
8ed8d3c3 3172 case IORING_OP_ACCEPT:
3529d8c2 3173 ret = io_accept_prep(req, sqe);
8ed8d3c3 3174 break;
d63d1b5e
JA		 3175 case IORING_OP_FALLOCATE:
3176 ret = io_fallocate_prep(req, sqe);
3177 break;
f67676d1 3178 default:
e781573e
JA		 3179 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3180 req->opcode);
3181 ret = -EINVAL;
b7bb4f7d 3182 break;
f67676d1
JA		 3183 }
3184
b7bb4f7d 3185 return ret;
f67676d1
JA		 3186}
3187
3529d8c2 3188static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 3189{
a197f664 3190 struct io_ring_ctx *ctx = req->ctx;
f67676d1 3191 int ret;
de0617e4 3192
9d858b21
BL		 3193 /* Still need defer if there is pending req in defer list. */
3194 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 3195 return 0;
3196
3529d8c2 3197 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 3198 return -EAGAIN;
3199
3529d8c2 3200 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 3201 if (ret < 0)
2d28390a 3202 return ret;
2d28390a 3203
de0617e4 3204 spin_lock_irq(&ctx->completion_lock);
9d858b21 3205 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 3206 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 3207 return 0;
3208 }
3209
915967f6 3210 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 3211 list_add_tail(&req->list, &ctx->defer_list);
3212 spin_unlock_irq(&ctx->completion_lock);
3213 return -EIOCBQUEUED;
3214}
3215
3529d8c2
JA		 3216static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3217 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 3218{
a197f664 3219 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 3220 int ret;
2b188cc1 3221
d625c6ee 3222 switch (req->opcode) {
2b188cc1 3223 case IORING_OP_NOP:
78e19bbe 3224 ret = io_nop(req);
2b188cc1
JA		 3225 break;
3226 case IORING_OP_READV:
edafccee 3227 case IORING_OP_READ_FIXED:
3529d8c2
JA		 3228 if (sqe) {
3229 ret = io_read_prep(req, sqe, force_nonblock);
3230 if (ret < 0)
3231 break;
3232 }
267bc904 3233 ret = io_read(req, nxt, force_nonblock);
edafccee 3234 break;
3529d8c2 3235 case IORING_OP_WRITEV:
edafccee 3236 case IORING_OP_WRITE_FIXED:
3529d8c2
JA		 3237 if (sqe) {
3238 ret = io_write_prep(req, sqe, force_nonblock);
3239 if (ret < 0)
3240 break;
3241 }
267bc904 3242 ret = io_write(req, nxt, force_nonblock);
2b188cc1 3243 break;
c992fe29 3244 case IORING_OP_FSYNC:
3529d8c2
JA		 3245 if (sqe) {
3246 ret = io_prep_fsync(req, sqe);
3247 if (ret < 0)
3248 break;
3249 }
fc4df999 3250 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 3251 break;
221c5eb2 3252 case IORING_OP_POLL_ADD:
3529d8c2
JA		 3253 if (sqe) {
3254 ret = io_poll_add_prep(req, sqe);
3255 if (ret)
3256 break;
3257 }
fc4df999 3258 ret = io_poll_add(req, nxt);
221c5eb2
JA		 3259 break;
3260 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 3261 if (sqe) {
3262 ret = io_poll_remove_prep(req, sqe);
3263 if (ret < 0)
3264 break;
3265 }
fc4df999 3266 ret = io_poll_remove(req);
221c5eb2 3267 break;
5d17b4a4 3268 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 3269 if (sqe) {
3270 ret = io_prep_sfr(req, sqe);
3271 if (ret < 0)
3272 break;
3273 }
fc4df999 3274 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 3275 break;
0fa03c62 3276 case IORING_OP_SENDMSG:
3529d8c2
JA		 3277 if (sqe) {
3278 ret = io_sendmsg_prep(req, sqe);
3279 if (ret < 0)
3280 break;
3281 }
fc4df999 3282 ret = io_sendmsg(req, nxt, force_nonblock);
0fa03c62 3283 break;
aa1fa28f 3284 case IORING_OP_RECVMSG:
3529d8c2
JA		 3285 if (sqe) {
3286 ret = io_recvmsg_prep(req, sqe);
3287 if (ret)
3288 break;
3289 }
fc4df999 3290 ret = io_recvmsg(req, nxt, force_nonblock);
aa1fa28f 3291 break;
5262f567 3292 case IORING_OP_TIMEOUT:
3529d8c2
JA		 3293 if (sqe) {
3294 ret = io_timeout_prep(req, sqe, false);
3295 if (ret)
3296 break;
3297 }
fc4df999 3298 ret = io_timeout(req);
5262f567 3299 break;
11365043 3300 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 3301 if (sqe) {
3302 ret = io_timeout_remove_prep(req, sqe);
3303 if (ret)
3304 break;
3305 }
fc4df999 3306 ret = io_timeout_remove(req);
11365043 3307 break;
17f2fe35 3308 case IORING_OP_ACCEPT:
3529d8c2
JA		 3309 if (sqe) {
3310 ret = io_accept_prep(req, sqe);
3311 if (ret)
3312 break;
3313 }
fc4df999 3314 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 3315 break;
f8e85cf2 3316 case IORING_OP_CONNECT:
3529d8c2
JA		 3317 if (sqe) {
3318 ret = io_connect_prep(req, sqe);
3319 if (ret)
3320 break;
3321 }
fc4df999 3322 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 3323 break;
62755e35 3324 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 3325 if (sqe) {
3326 ret = io_async_cancel_prep(req, sqe);
3327 if (ret)
3328 break;
3329 }
fc4df999 3330 ret = io_async_cancel(req, nxt);
62755e35 3331 break;
d63d1b5e
JA		 3332 case IORING_OP_FALLOCATE:
3333 if (sqe) {
3334 ret = io_fallocate_prep(req, sqe);
3335 if (ret)
3336 break;
3337 }
3338 ret = io_fallocate(req, nxt, force_nonblock);
3339 break;
2b188cc1
JA		 3340 default:
3341 ret = -EINVAL;
3342 break;
3343 }
3344
def596e9
JA		 3345 if (ret)
3346 return ret;
3347
3348 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 3349 const bool in_async = io_wq_current_is_worker();
3350
9e645e11 3351 if (req->result == -EAGAIN)
def596e9
JA		 3352 return -EAGAIN;
3353
11ba820b
JA		 3354 /* workqueue context doesn't hold uring_lock, grab it now */
3355 if (in_async)
3356 mutex_lock(&ctx->uring_lock);
3357
def596e9 3358 io_iopoll_req_issued(req);
11ba820b
JA		 3359
3360 if (in_async)
3361 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 3362 }
3363
3364 return 0;
2b188cc1
JA		 3365}
3366
561fb04a 3367static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 3368{
561fb04a 3369 struct io_wq_work *work = *workptr;
2b188cc1 3370 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 3371 struct io_kiocb *nxt = NULL;
3372 int ret = 0;
2b188cc1 3373
561fb04a
JA		 3374 if (work->flags & IO_WQ_WORK_CANCEL)
3375 ret = -ECANCELED;
31b51510 3376
561fb04a 3377 if (!ret) {
cf6fd4bd
PB		 3378 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
3379 req->in_async = true;
561fb04a 3380 do {
3529d8c2 3381 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 3382 /*
3383 * We can get EAGAIN for polled IO even though we're
3384 * forcing a sync submission from here, since we can't
3385 * wait for request slots on the block side.
3386 */
3387 if (ret != -EAGAIN)
3388 break;
3389 cond_resched();
3390 } while (1);
3391 }
31b51510 3392
561fb04a 3393 /* drop submission reference */
ec9c02ad 3394 io_put_req(req);
817869d2 3395
561fb04a 3396 if (ret) {
4e88d6e7 3397 req_set_fail_links(req);
78e19bbe 3398 io_cqring_add_event(req, ret);
817869d2 3399 io_put_req(req);
edafccee 3400 }
2b188cc1 3401
561fb04a 3402 /* if a dependent link is ready, pass it back */
78912934
JA		 3403 if (!ret && nxt)
3404 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 3405}
3406
9e3aa61a
JA		 3407static bool io_req_op_valid(int op)
3408{
3409 return op >= IORING_OP_NOP && op < IORING_OP_LAST;
3410}
3411
d625c6ee 3412static int io_req_needs_file(struct io_kiocb *req)
09bb8394 3413{
d625c6ee 3414 switch (req->opcode) {
09bb8394
JA		 3415 case IORING_OP_NOP:
3416 case IORING_OP_POLL_REMOVE:
5683e540 3417 case IORING_OP_TIMEOUT:
a320e9fa
PB		 3418 case IORING_OP_TIMEOUT_REMOVE:
3419 case IORING_OP_ASYNC_CANCEL:
3420 case IORING_OP_LINK_TIMEOUT:
9e3aa61a 3421 return 0;
09bb8394 3422 default:
d625c6ee 3423 if (io_req_op_valid(req->opcode))
9e3aa61a
JA		 3424 return 1;
3425 return -EINVAL;
09bb8394
JA		 3426 }
3427}
3428
65e19f54
JA		 3429static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
3430 int index)
3431{
3432 struct fixed_file_table *table;
3433
3434 table = &ctx->file_table[index >> IORING_FILE_TABLE_SHIFT];
3435 return table->files[index & IORING_FILE_TABLE_MASK];
3436}
3437
3529d8c2
JA		 3438static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
3439 const struct io_uring_sqe *sqe)
09bb8394 3440{
a197f664 3441 struct io_ring_ctx *ctx = req->ctx;
09bb8394 3442 unsigned flags;
9e3aa61a 3443 int fd, ret;
09bb8394 3444
3529d8c2
JA		 3445 flags = READ_ONCE(sqe->flags);
3446 fd = READ_ONCE(sqe->fd);
09bb8394 3447
4fe2c963 3448 if (flags & IOSQE_IO_DRAIN)
de0617e4 3449 req->flags |= REQ_F_IO_DRAIN;
de0617e4 3450
d625c6ee 3451 ret = io_req_needs_file(req);
9e3aa61a
JA		 3452 if (ret <= 0)
3453 return ret;
09bb8394
JA		 3454
3455 if (flags & IOSQE_FIXED_FILE) {
65e19f54 3456 if (unlikely(!ctx->file_table ||
09bb8394
JA		 3457 (unsigned) fd >= ctx->nr_user_files))
3458 return -EBADF;
b7620121 3459 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 3460 req->file = io_file_from_index(ctx, fd);
3461 if (!req->file)
08a45173 3462 return -EBADF;
09bb8394
JA		 3463 req->flags |= REQ_F_FIXED_FILE;
3464 } else {
cf6fd4bd 3465 if (req->needs_fixed_file)
09bb8394 3466 return -EBADF;
c826bd7a 3467 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 3468 req->file = io_file_get(state, fd);
3469 if (unlikely(!req->file))
3470 return -EBADF;
3471 }
3472
3473 return 0;
3474}
3475
a197f664 3476static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 3477{
3478 int ret = -EBADF;
a197f664 3479 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 3480
3481 rcu_read_lock();
3482 spin_lock_irq(&ctx->inflight_lock);
3483 /*
3484 * We use the f_ops->flush() handler to ensure that we can flush
3485 * out work accessing these files if the fd is closed. Check if
3486 * the fd has changed since we started down this path, and disallow
3487 * this operation if it has.
3488 */
cf6fd4bd 3489 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 3490 list_add(&req->inflight_entry, &ctx->inflight_list);
3491 req->flags |= REQ_F_INFLIGHT;
3492 req->work.files = current->files;
3493 ret = 0;
3494 }
3495 spin_unlock_irq(&ctx->inflight_lock);
3496 rcu_read_unlock();
3497
3498 return ret;
3499}
3500
2665abfd 3501static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 3502{
ad8a48ac
JA		 3503 struct io_timeout_data *data = container_of(timer,
3504 struct io_timeout_data, timer);
3505 struct io_kiocb *req = data->req;
2665abfd
JA		 3506 struct io_ring_ctx *ctx = req->ctx;
3507 struct io_kiocb *prev = NULL;
3508 unsigned long flags;
2665abfd
JA		 3509
3510 spin_lock_irqsave(&ctx->completion_lock, flags);
3511
3512 /*
3513 * We don't expect the list to be empty, that will only happen if we
3514 * race with the completion of the linked work.
3515 */
4493233e
PB		 3516 if (!list_empty(&req->link_list)) {
3517 prev = list_entry(req->link_list.prev, struct io_kiocb,
3518 link_list);
5d960724 3519 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 3520 list_del_init(&req->link_list);
5d960724
JA		 3521 prev->flags &= ~REQ_F_LINK_TIMEOUT;
3522 } else
76a46e06 3523 prev = NULL;
2665abfd
JA		 3524 }
3525
3526 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3527
3528 if (prev) {
4e88d6e7 3529 req_set_fail_links(prev);
b0dd8a41
JA		 3530 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
3531 -ETIME);
76a46e06 3532 io_put_req(prev);
47f46768
JA		 3533 } else {
3534 io_cqring_add_event(req, -ETIME);
3535 io_put_req(req);
2665abfd 3536 }
2665abfd
JA		 3537 return HRTIMER_NORESTART;
3538}
3539
ad8a48ac 3540static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 3541{
76a46e06 3542 struct io_ring_ctx *ctx = req->ctx;
2665abfd 3543
76a46e06
JA		 3544 /*
3545 * If the list is now empty, then our linked request finished before
3546 * we got a chance to setup the timer
3547 */
3548 spin_lock_irq(&ctx->completion_lock);
4493233e 3549 if (!list_empty(&req->link_list)) {
2d28390a 3550 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 3551
ad8a48ac
JA		 3552 data->timer.function = io_link_timeout_fn;
3553 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
3554 data->mode);
2665abfd 3555 }
76a46e06 3556 spin_unlock_irq(&ctx->completion_lock);
2665abfd 3557
2665abfd 3558 /* drop submission reference */
76a46e06
JA		 3559 io_put_req(req);
3560}
2665abfd 3561
ad8a48ac 3562static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 3563{
3564 struct io_kiocb *nxt;
3565
3566 if (!(req->flags & REQ_F_LINK))
3567 return NULL;
3568
4493233e
PB		 3569 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
3570 link_list);
d625c6ee 3571 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 3572 return NULL;
2665abfd 3573
76a46e06 3574 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 3575 return nxt;
2665abfd
JA		 3576}
3577
3529d8c2 3578static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 3579{
4a0a7a18 3580 struct io_kiocb *linked_timeout;
f9bd67f6 3581 struct io_kiocb *nxt = NULL;
e0c5c576 3582 int ret;
2b188cc1 3583
4a0a7a18
JA		 3584again:
3585 linked_timeout = io_prep_linked_timeout(req);
3586
3529d8c2 3587 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 3588
3589 /*
3590 * We async punt it if the file wasn't marked NOWAIT, or if the file
3591 * doesn't support non-blocking read/write attempts
3592 */
3593 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
3594 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 3595 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
3596 ret = io_grab_files(req);
3597 if (ret)
3598 goto err;
2b188cc1 3599 }
bbad27b2
PB		 3600
3601 /*
3602 * Queued up for async execution, worker will release
3603 * submit reference when the iocb is actually submitted.
3604 */
3605 io_queue_async_work(req);
4a0a7a18 3606 goto done_req;
2b188cc1 3607 }
e65ef56d 3608
fcb323cc 3609err:
76a46e06 3610 /* drop submission reference */
ec9c02ad 3611 io_put_req(req);
e65ef56d 3612
f9bd67f6 3613 if (linked_timeout) {
76a46e06 3614 if (!ret)
f9bd67f6 3615 io_queue_linked_timeout(linked_timeout);
76a46e06 3616 else
f9bd67f6 3617 io_put_req(linked_timeout);
76a46e06
JA		 3618 }
3619
e65ef56d 3620 /* and drop final reference, if we failed */
9e645e11 3621 if (ret) {
78e19bbe 3622 io_cqring_add_event(req, ret);
4e88d6e7 3623 req_set_fail_links(req);
e65ef56d 3624 io_put_req(req);
9e645e11 3625 }
4a0a7a18
JA		 3626done_req:
3627 if (nxt) {
3628 req = nxt;
3629 nxt = NULL;
3630 goto again;
3631 }
2b188cc1
JA		 3632}
3633
3529d8c2 3634static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 3635{
3636 int ret;
3637
1b4a51b6
PB		 3638 if (unlikely(req->ctx->drain_next)) {
3639 req->flags |= REQ_F_IO_DRAIN;
3640 req->ctx->drain_next = false;
3641 }
3642 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
3643
3529d8c2 3644 ret = io_req_defer(req, sqe);
4fe2c963
JL		 3645 if (ret) {
3646 if (ret != -EIOCBQUEUED) {
78e19bbe 3647 io_cqring_add_event(req, ret);
4e88d6e7 3648 req_set_fail_links(req);
78e19bbe 3649 io_double_put_req(req);
4fe2c963 3650 }
0e0702da 3651 } else
3529d8c2 3652 __io_queue_sqe(req, sqe);
4fe2c963
JL		 3653}
3654
1b4a51b6 3655static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 3656{
94ae5e77 3657 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 3658 io_cqring_add_event(req, -ECANCELED);
3659 io_double_put_req(req);
3660 } else
3529d8c2 3661 io_queue_sqe(req, NULL);
4fe2c963
JL		 3662}
3663
4e88d6e7
JA		 3664#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
3665 IOSQE_IO_HARDLINK)
9e645e11 3666
3529d8c2
JA		 3667static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3668 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 3669{
a197f664 3670 struct io_ring_ctx *ctx = req->ctx;
9e645e11
JA		 3671 int ret;
3672
3673 /* enforce forwards compatibility on users */
3529d8c2 3674 if (unlikely(sqe->flags & ~SQE_VALID_FLAGS)) {
9e645e11 3675 ret = -EINVAL;
196be95c 3676 goto err_req;
9e645e11
JA		 3677 }
3678
3529d8c2 3679 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 3680 if (unlikely(ret)) {
3681err_req:
78e19bbe
JA		 3682 io_cqring_add_event(req, ret);
3683 io_double_put_req(req);
2e6e1fde 3684 return false;
9e645e11
JA		 3685 }
3686
9e645e11
JA		 3687 /*
3688 * If we already have a head request, queue this one for async
3689 * submittal once the head completes. If we don't have a head but
3690 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
3691 * submitted sync once the chain is complete. If none of those
3692 * conditions are true (normal request), then just queue it.
3693 */
3694 if (*link) {
3695 struct io_kiocb *prev = *link;
3696
3529d8c2 3697 if (sqe->flags & IOSQE_IO_DRAIN)
1b4a51b6
PB		 3698 (*link)->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
3699
3529d8c2 3700 if (sqe->flags & IOSQE_IO_HARDLINK)
4e88d6e7
JA		 3701 req->flags |= REQ_F_HARDLINK;
3702
b7bb4f7d 3703 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 3704 ret = -EAGAIN;
3705 goto err_req;
3706 }
3707
3529d8c2 3708 ret = io_req_defer_prep(req, sqe);
2d28390a 3709 if (ret) {
4e88d6e7 3710 /* fail even hard links since we don't submit */
2d28390a 3711 prev->flags |= REQ_F_FAIL_LINK;
f67676d1 3712 goto err_req;
2d28390a 3713 }
c826bd7a 3714 trace_io_uring_link(ctx, req, prev);
4493233e 3715 list_add_tail(&req->link_list, &prev->link_list);
3529d8c2 3716 } else if (sqe->flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 3717 req->flags |= REQ_F_LINK;
3529d8c2 3718 if (sqe->flags & IOSQE_IO_HARDLINK)
4e88d6e7 3719 req->flags |= REQ_F_HARDLINK;
9e645e11 3720
9e645e11 3721 INIT_LIST_HEAD(&req->link_list);
3529d8c2
JA		 3722 ret = io_req_defer_prep(req, sqe);
3723 if (ret)
3724 req->flags |= REQ_F_FAIL_LINK;
9e645e11
JA		 3725 *link = req;
3726 } else {
3529d8c2 3727 io_queue_sqe(req, sqe);
9e645e11 3728 }
2e6e1fde
PB		 3729
3730 return true;
9e645e11
JA		 3731}
3732
9a56a232
JA		 3733/*
3734 * Batched submission is done, ensure local IO is flushed out.
3735 */
3736static void io_submit_state_end(struct io_submit_state *state)
3737{
3738 blk_finish_plug(&state->plug);
3d6770fb 3739 io_file_put(state);
2579f913
JA		 3740 if (state->free_reqs)
3741 kmem_cache_free_bulk(req_cachep, state->free_reqs,
3742 &state->reqs[state->cur_req]);
9a56a232
JA		 3743}
3744
3745/*
3746 * Start submission side cache.
3747 */
3748static void io_submit_state_start(struct io_submit_state *state,
22efde59 3749 unsigned int max_ios)
9a56a232
JA		 3750{
3751 blk_start_plug(&state->plug);
2579f913 3752 state->free_reqs = 0;
9a56a232
JA		 3753 state->file = NULL;
3754 state->ios_left = max_ios;
3755}
3756
2b188cc1
JA		 3757static void io_commit_sqring(struct io_ring_ctx *ctx)
3758{
75b28aff 3759 struct io_rings *rings = ctx->rings;
2b188cc1 3760
75b28aff 3761 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
2b188cc1
JA		 3762 /*
3763 * Ensure any loads from the SQEs are done at this point,
3764 * since once we write the new head, the application could
3765 * write new data to them.
3766 */
75b28aff 3767 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 3768 }
3769}
3770
2b188cc1 3771/*
3529d8c2 3772 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 3773 * that is mapped by userspace. This means that care needs to be taken to
3774 * ensure that reads are stable, as we cannot rely on userspace always
3775 * being a good citizen. If members of the sqe are validated and then later
3776 * used, it's important that those reads are done through READ_ONCE() to
3777 * prevent a re-load down the line.
3778 */
3529d8c2
JA		 3779static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
3780 const struct io_uring_sqe **sqe_ptr)
2b188cc1 3781{
75b28aff
HV		 3782 struct io_rings *rings = ctx->rings;
3783 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 3784 unsigned head;
3785
3786 /*
3787 * The cached sq head (or cq tail) serves two purposes:
3788 *
3789 * 1) allows us to batch the cost of updating the user visible
3790 * head updates.
3791 * 2) allows the kernel side to track the head on its own, even
3792 * though the application is the one updating it.
3793 */
3794 head = ctx->cached_sq_head;
e523a29c 3795 /* make sure SQ entry isn't read before tail */
9835d6fa 3796 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
2b188cc1
JA		 3797 return false;
3798
75b28aff 3799 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
9835d6fa 3800 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 3801 /*
3802 * All io need record the previous position, if LINK vs DARIN,
3803 * it can be used to mark the position of the first IO in the
3804 * link list.
3805 */
3806 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 3807 *sqe_ptr = &ctx->sq_sqes[head];
3808 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
3809 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 3810 ctx->cached_sq_head++;
3811 return true;
3812 }
3813
3814 /* drop invalid entries */
3815 ctx->cached_sq_head++;
498ccd9e
JA		 3816 ctx->cached_sq_dropped++;
3817 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 3818 return false;
3819}
3820
fb5ccc98 3821static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 3822 struct file *ring_file, int ring_fd,
3823 struct mm_struct **mm, bool async)
6c271ce2
JA		 3824{
3825 struct io_submit_state state, *statep = NULL;
9e645e11 3826 struct io_kiocb *link = NULL;
9e645e11 3827 int i, submitted = 0;
95a1b3ff 3828 bool mm_fault = false;
6c271ce2 3829
c4a2ed72
JA		 3830 /* if we have a backlog and couldn't flush it all, return BUSY */
3831 if (!list_empty(&ctx->cq_overflow_list) &&
3832 !io_cqring_overflow_flush(ctx, false))
1d7bb1d5 3833 return -EBUSY;
6c271ce2
JA		 3834
3835 if (nr > IO_PLUG_THRESHOLD) {
22efde59 3836 io_submit_state_start(&state, nr);
6c271ce2
JA		 3837 statep = &state;
3838 }
3839
3840 for (i = 0; i < nr; i++) {
3529d8c2 3841 const struct io_uring_sqe *sqe;
196be95c 3842 struct io_kiocb *req;
50585b9a 3843 unsigned int sqe_flags;
fb5ccc98 3844
196be95c
PB		 3845 req = io_get_req(ctx, statep);
3846 if (unlikely(!req)) {
3847 if (!submitted)
3848 submitted = -EAGAIN;
fb5ccc98 3849 break;
196be95c 3850 }
3529d8c2 3851 if (!io_get_sqring(ctx, req, &sqe)) {
196be95c
PB		 3852 __io_free_req(req);
3853 break;
3854 }
fb5ccc98 3855
d625c6ee 3856 if (io_req_needs_user(req) && !*mm) {
95a1b3ff
PB		 3857 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
3858 if (!mm_fault) {
3859 use_mm(ctx->sqo_mm);
3860 *mm = ctx->sqo_mm;
3861 }
9e645e11 3862 }
9e645e11 3863
2e6e1fde 3864 submitted++;
3529d8c2 3865 sqe_flags = sqe->flags;
50585b9a 3866
cf6fd4bd
PB		 3867 req->ring_file = ring_file;
3868 req->ring_fd = ring_fd;
3869 req->has_user = *mm != NULL;
3870 req->in_async = async;
3871 req->needs_fixed_file = async;
d625c6ee 3872 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
3529d8c2 3873 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 3874 break;
e5eb6366
PB		 3875 /*
3876 * If previous wasn't linked and we have a linked command,
3877 * that's the end of the chain. Submit the previous link.
3878 */
ffbb8d6b 3879 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) && link) {
1b4a51b6 3880 io_queue_link_head(link);
e5eb6366 3881 link = NULL;
6c271ce2 3882 }
6c271ce2
JA		 3883 }
3884
9e645e11 3885 if (link)
1b4a51b6 3886 io_queue_link_head(link);
6c271ce2
JA		 3887 if (statep)
3888 io_submit_state_end(&state);
3889
ae9428ca
PB		 3890 /* Commit SQ ring head once we've consumed and submitted all SQEs */
3891 io_commit_sqring(ctx);
3892
6c271ce2
JA		 3893 return submitted;
3894}
3895
3896static int io_sq_thread(void *data)
3897{
6c271ce2
JA		 3898 struct io_ring_ctx *ctx = data;
3899 struct mm_struct *cur_mm = NULL;
181e448d 3900 const struct cred *old_cred;
6c271ce2
JA		 3901 mm_segment_t old_fs;
3902 DEFINE_WAIT(wait);
3903 unsigned inflight;
3904 unsigned long timeout;
c1edbf5f 3905 int ret;
6c271ce2 3906
206aefde 3907 complete(&ctx->completions[1]);
a4c0b3de 3908
6c271ce2
JA		 3909 old_fs = get_fs();
3910 set_fs(USER_DS);
181e448d 3911 old_cred = override_creds(ctx->creds);
6c271ce2 3912
c1edbf5f 3913 ret = timeout = inflight = 0;
2bbcd6d3 3914 while (!kthread_should_park()) {
fb5ccc98 3915 unsigned int to_submit;
6c271ce2
JA		 3916
3917 if (inflight) {
3918 unsigned nr_events = 0;
3919
3920 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 3921 /*
3922 * inflight is the count of the maximum possible
3923 * entries we submitted, but it can be smaller
3924 * if we dropped some of them. If we don't have
3925 * poll entries available, then we know that we
3926 * have nothing left to poll for. Reset the
3927 * inflight count to zero in that case.
3928 */
3929 mutex_lock(&ctx->uring_lock);
3930 if (!list_empty(&ctx->poll_list))
3931 __io_iopoll_check(ctx, &nr_events, 0);
3932 else
3933 inflight = 0;
3934 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 3935 } else {
3936 /*
3937 * Normal IO, just pretend everything completed.
3938 * We don't have to poll completions for that.
3939 */
3940 nr_events = inflight;
3941 }
3942
3943 inflight -= nr_events;
3944 if (!inflight)
3945 timeout = jiffies + ctx->sq_thread_idle;
3946 }
3947
fb5ccc98 3948 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 3949
3950 /*
3951 * If submit got -EBUSY, flag us as needing the application
3952 * to enter the kernel to reap and flush events.
3953 */
3954 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 3955 /*
3956 * We're polling. If we're within the defined idle
3957 * period, then let us spin without work before going
c1edbf5f
JA		 3958 * to sleep. The exception is if we got EBUSY doing
3959 * more IO, we should wait for the application to
3960 * reap events and wake us up.
6c271ce2 3961 */
c1edbf5f
JA		 3962 if (inflight ||
3963 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 3964 cond_resched();
6c271ce2
JA		 3965 continue;
3966 }
3967
3968 /*
3969 * Drop cur_mm before scheduling, we can't hold it for
3970 * long periods (or over schedule()). Do this before
3971 * adding ourselves to the waitqueue, as the unuse/drop
3972 * may sleep.
3973 */
3974 if (cur_mm) {
3975 unuse_mm(cur_mm);
3976 mmput(cur_mm);
3977 cur_mm = NULL;
3978 }
3979
3980 prepare_to_wait(&ctx->sqo_wait, &wait,
3981 TASK_INTERRUPTIBLE);
3982
3983 /* Tell userspace we may need a wakeup call */
75b28aff 3984 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 3985 /* make sure to read SQ tail after writing flags */
3986 smp_mb();
6c271ce2 3987
fb5ccc98 3988 to_submit = io_sqring_entries(ctx);
c1edbf5f 3989 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 3990 if (kthread_should_park()) {
6c271ce2
JA		 3991 finish_wait(&ctx->sqo_wait, &wait);
3992 break;
3993 }
3994 if (signal_pending(current))
3995 flush_signals(current);
3996 schedule();
3997 finish_wait(&ctx->sqo_wait, &wait);
3998
75b28aff 3999 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4000 continue;
4001 }
4002 finish_wait(&ctx->sqo_wait, &wait);
4003
75b28aff 4004 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4005 }
4006
fb5ccc98 4007 to_submit = min(to_submit, ctx->sq_entries);
8a4955ff 4008 mutex_lock(&ctx->uring_lock);
1d7bb1d5 4009 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 4010 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 4011 if (ret > 0)
4012 inflight += ret;
6c271ce2
JA		 4013 }
4014
4015 set_fs(old_fs);
4016 if (cur_mm) {
4017 unuse_mm(cur_mm);
4018 mmput(cur_mm);
4019 }
181e448d 4020 revert_creds(old_cred);
06058632 4021
2bbcd6d3 4022 kthread_parkme();
06058632 4023
6c271ce2
JA		 4024 return 0;
4025}
4026
bda52162
JA		 4027struct io_wait_queue {
4028 struct wait_queue_entry wq;
4029 struct io_ring_ctx *ctx;
4030 unsigned to_wait;
4031 unsigned nr_timeouts;
4032};
4033
1d7bb1d5 4034static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 4035{
4036 struct io_ring_ctx *ctx = iowq->ctx;
4037
4038 /*
d195a66e 4039 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 4040 * started waiting. For timeouts, we always want to return to userspace,
4041 * regardless of event count.
4042 */
1d7bb1d5 4043 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 4044 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4045}
4046
4047static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4048 int wake_flags, void *key)
4049{
4050 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4051 wq);
4052
1d7bb1d5
JA		 4053 /* use noflush == true, as we can't safely rely on locking context */
4054 if (!io_should_wake(iowq, true))
bda52162
JA		 4055 return -1;
4056
4057 return autoremove_wake_function(curr, mode, wake_flags, key);
4058}
4059
2b188cc1
JA		 4060/*
4061 * Wait until events become available, if we don't already have some. The
4062 * application must reap them itself, as they reside on the shared cq ring.
4063 */
4064static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4065 const sigset_t __user *sig, size_t sigsz)
4066{
bda52162
JA		 4067 struct io_wait_queue iowq = {
4068 .wq = {
4069 .private = current,
4070 .func = io_wake_function,
4071 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4072 },
4073 .ctx = ctx,
4074 .to_wait = min_events,
4075 };
75b28aff 4076 struct io_rings *rings = ctx->rings;
e9ffa5c2 4077 int ret = 0;
2b188cc1 4078
1d7bb1d5 4079 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 4080 return 0;
4081
4082 if (sig) {
9e75ad5d
AB		 4083#ifdef CONFIG_COMPAT
4084 if (in_compat_syscall())
4085 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 4086 sigsz);
9e75ad5d
AB		 4087 else
4088#endif
b772434b 4089 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 4090
2b188cc1
JA		 4091 if (ret)
4092 return ret;
4093 }
4094
bda52162 4095 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 4096 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 4097 do {
4098 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4099 TASK_INTERRUPTIBLE);
1d7bb1d5 4100 if (io_should_wake(&iowq, false))
bda52162
JA		 4101 break;
4102 schedule();
4103 if (signal_pending(current)) {
e9ffa5c2 4104 ret = -EINTR;
bda52162
JA		 4105 break;
4106 }
4107 } while (1);
4108 finish_wait(&ctx->wait, &iowq.wq);
4109
e9ffa5c2 4110 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 4111
75b28aff 4112 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 4113}
4114
6b06314c
JA		 4115static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4116{
4117#if defined(CONFIG_UNIX)
4118 if (ctx->ring_sock) {
4119 struct sock *sock = ctx->ring_sock->sk;
4120 struct sk_buff *skb;
4121
4122 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4123 kfree_skb(skb);
4124 }
4125#else
4126 int i;
4127
65e19f54
JA		 4128 for (i = 0; i < ctx->nr_user_files; i++) {
4129 struct file *file;
4130
4131 file = io_file_from_index(ctx, i);
4132 if (file)
4133 fput(file);
4134 }
6b06314c
JA		 4135#endif
4136}
4137
4138static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4139{
65e19f54
JA		 4140 unsigned nr_tables, i;
4141
4142 if (!ctx->file_table)
6b06314c
JA		 4143 return -ENXIO;
4144
4145 __io_sqe_files_unregister(ctx);
65e19f54
JA		 4146 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4147 for (i = 0; i < nr_tables; i++)
4148 kfree(ctx->file_table[i].files);
4149 kfree(ctx->file_table);
4150 ctx->file_table = NULL;
6b06314c
JA		 4151 ctx->nr_user_files = 0;
4152 return 0;
4153}
4154
6c271ce2
JA		 4155static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4156{
4157 if (ctx->sqo_thread) {
206aefde 4158 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 4159 /*
4160 * The park is a bit of a work-around, without it we get
4161 * warning spews on shutdown with SQPOLL set and affinity
4162 * set to a single CPU.
4163 */
06058632 4164 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 4165 kthread_stop(ctx->sqo_thread);
4166 ctx->sqo_thread = NULL;
4167 }
4168}
4169
6b06314c
JA		 4170static void io_finish_async(struct io_ring_ctx *ctx)
4171{
6c271ce2
JA		 4172 io_sq_thread_stop(ctx);
4173
561fb04a
JA		 4174 if (ctx->io_wq) {
4175 io_wq_destroy(ctx->io_wq);
4176 ctx->io_wq = NULL;
6b06314c
JA		 4177 }
4178}
4179
4180#if defined(CONFIG_UNIX)
4181static void io_destruct_skb(struct sk_buff *skb)
4182{
4183 struct io_ring_ctx *ctx = skb->sk->sk_user_data;
8a997340 4184
561fb04a
JA		 4185 if (ctx->io_wq)
4186 io_wq_flush(ctx->io_wq);
6b06314c 4187
6b06314c
JA		 4188 unix_destruct_scm(skb);
4189}
4190
4191/*
4192 * Ensure the UNIX gc is aware of our file set, so we are certain that
4193 * the io_uring can be safely unregistered on process exit, even if we have
4194 * loops in the file referencing.
4195 */
4196static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4197{
4198 struct sock *sk = ctx->ring_sock->sk;
4199 struct scm_fp_list *fpl;
4200 struct sk_buff *skb;
08a45173 4201 int i, nr_files;
6b06314c
JA		 4202
4203 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4204 unsigned long inflight = ctx->user->unix_inflight + nr;
4205
4206 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4207 return -EMFILE;
4208 }
4209
4210 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4211 if (!fpl)
4212 return -ENOMEM;
4213
4214 skb = alloc_skb(0, GFP_KERNEL);
4215 if (!skb) {
4216 kfree(fpl);
4217 return -ENOMEM;
4218 }
4219
4220 skb->sk = sk;
6b06314c 4221
08a45173 4222 nr_files = 0;
6b06314c
JA		 4223 fpl->user = get_uid(ctx->user);
4224 for (i = 0; i < nr; i++) {
65e19f54
JA		 4225 struct file *file = io_file_from_index(ctx, i + offset);
4226
4227 if (!file)
08a45173 4228 continue;
65e19f54 4229 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 4230 unix_inflight(fpl->user, fpl->fp[nr_files]);
4231 nr_files++;
6b06314c
JA		 4232 }
4233
08a45173
JA		 4234 if (nr_files) {
4235 fpl->max = SCM_MAX_FD;
4236 fpl->count = nr_files;
4237 UNIXCB(skb).fp = fpl;
4238 skb->destructor = io_destruct_skb;
4239 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4240 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 4241
08a45173
JA		 4242 for (i = 0; i < nr_files; i++)
4243 fput(fpl->fp[i]);
4244 } else {
4245 kfree_skb(skb);
4246 kfree(fpl);
4247 }
6b06314c
JA		 4248
4249 return 0;
4250}
4251
4252/*
4253 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4254 * causes regular reference counting to break down. We rely on the UNIX
4255 * garbage collection to take care of this problem for us.
4256 */
4257static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4258{
4259 unsigned left, total;
4260 int ret = 0;
4261
4262 total = 0;
4263 left = ctx->nr_user_files;
4264 while (left) {
4265 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 4266
4267 ret = __io_sqe_files_scm(ctx, this_files, total);
4268 if (ret)
4269 break;
4270 left -= this_files;
4271 total += this_files;
4272 }
4273
4274 if (!ret)
4275 return 0;
4276
4277 while (total < ctx->nr_user_files) {
65e19f54
JA		 4278 struct file *file = io_file_from_index(ctx, total);
4279
4280 if (file)
4281 fput(file);
6b06314c
JA		 4282 total++;
4283 }
4284
4285 return ret;
4286}
4287#else
4288static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4289{
4290 return 0;
4291}
4292#endif
4293
65e19f54
JA		 4294static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
4295 unsigned nr_files)
4296{
4297 int i;
4298
4299 for (i = 0; i < nr_tables; i++) {
4300 struct fixed_file_table *table = &ctx->file_table[i];
4301 unsigned this_files;
4302
4303 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
4304 table->files = kcalloc(this_files, sizeof(struct file *),
4305 GFP_KERNEL);
4306 if (!table->files)
4307 break;
4308 nr_files -= this_files;
4309 }
4310
4311 if (i == nr_tables)
4312 return 0;
4313
4314 for (i = 0; i < nr_tables; i++) {
4315 struct fixed_file_table *table = &ctx->file_table[i];
4316 kfree(table->files);
4317 }
4318 return 1;
4319}
4320
6b06314c
JA		 4321static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
4322 unsigned nr_args)
4323{
4324 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 4325 unsigned nr_tables;
6b06314c
JA		 4326 int fd, ret = 0;
4327 unsigned i;
4328
65e19f54 4329 if (ctx->file_table)
6b06314c
JA		 4330 return -EBUSY;
4331 if (!nr_args)
4332 return -EINVAL;
4333 if (nr_args > IORING_MAX_FIXED_FILES)
4334 return -EMFILE;
4335
65e19f54
JA		 4336 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
4337 ctx->file_table = kcalloc(nr_tables, sizeof(struct fixed_file_table),
4338 GFP_KERNEL);
4339 if (!ctx->file_table)
6b06314c
JA		 4340 return -ENOMEM;
4341
65e19f54
JA		 4342 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
4343 kfree(ctx->file_table);
46568e9b 4344 ctx->file_table = NULL;
65e19f54
JA		 4345 return -ENOMEM;
4346 }
4347
08a45173 4348 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 4349 struct fixed_file_table *table;
4350 unsigned index;
4351
6b06314c
JA		 4352 ret = -EFAULT;
4353 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
4354 break;
08a45173
JA		 4355 /* allow sparse sets */
4356 if (fd == -1) {
4357 ret = 0;
4358 continue;
4359 }
6b06314c 4360
65e19f54
JA		 4361 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4362 index = i & IORING_FILE_TABLE_MASK;
4363 table->files[index] = fget(fd);
6b06314c
JA		 4364
4365 ret = -EBADF;
65e19f54 4366 if (!table->files[index])
6b06314c
JA		 4367 break;
4368 /*
4369 * Don't allow io_uring instances to be registered. If UNIX
4370 * isn't enabled, then this causes a reference cycle and this
4371 * instance can never get freed. If UNIX is enabled we'll
4372 * handle it just fine, but there's still no point in allowing
4373 * a ring fd as it doesn't support regular read/write anyway.
4374 */
65e19f54
JA		 4375 if (table->files[index]->f_op == &io_uring_fops) {
4376 fput(table->files[index]);
6b06314c
JA		 4377 break;
4378 }
6b06314c
JA		 4379 ret = 0;
4380 }
4381
4382 if (ret) {
65e19f54
JA		 4383 for (i = 0; i < ctx->nr_user_files; i++) {
4384 struct file *file;
6b06314c 4385
65e19f54
JA		 4386 file = io_file_from_index(ctx, i);
4387 if (file)
4388 fput(file);
4389 }
4390 for (i = 0; i < nr_tables; i++)
4391 kfree(ctx->file_table[i].files);
6b06314c 4392
65e19f54
JA		 4393 kfree(ctx->file_table);
4394 ctx->file_table = NULL;
6b06314c
JA		 4395 ctx->nr_user_files = 0;
4396 return ret;
4397 }
4398
4399 ret = io_sqe_files_scm(ctx);
4400 if (ret)
4401 io_sqe_files_unregister(ctx);
4402
4403 return ret;
4404}
4405
c3a31e60
JA		 4406static void io_sqe_file_unregister(struct io_ring_ctx *ctx, int index)
4407{
4408#if defined(CONFIG_UNIX)
65e19f54 4409 struct file *file = io_file_from_index(ctx, index);
c3a31e60
JA		 4410 struct sock *sock = ctx->ring_sock->sk;
4411 struct sk_buff_head list, *head = &sock->sk_receive_queue;
4412 struct sk_buff *skb;
4413 int i;
4414
4415 __skb_queue_head_init(&list);
4416
4417 /*
4418 * Find the skb that holds this file in its SCM_RIGHTS. When found,
4419 * remove this entry and rearrange the file array.
4420 */
4421 skb = skb_dequeue(head);
4422 while (skb) {
4423 struct scm_fp_list *fp;
4424
4425 fp = UNIXCB(skb).fp;
4426 for (i = 0; i < fp->count; i++) {
4427 int left;
4428
4429 if (fp->fp[i] != file)
4430 continue;
4431
4432 unix_notinflight(fp->user, fp->fp[i]);
4433 left = fp->count - 1 - i;
4434 if (left) {
4435 memmove(&fp->fp[i], &fp->fp[i + 1],
4436 left * sizeof(struct file *));
4437 }
4438 fp->count--;
4439 if (!fp->count) {
4440 kfree_skb(skb);
4441 skb = NULL;
4442 } else {
4443 __skb_queue_tail(&list, skb);
4444 }
4445 fput(file);
4446 file = NULL;
4447 break;
4448 }
4449
4450 if (!file)
4451 break;
4452
4453 __skb_queue_tail(&list, skb);
4454
4455 skb = skb_dequeue(head);
4456 }
4457
4458 if (skb_peek(&list)) {
4459 spin_lock_irq(&head->lock);
4460 while ((skb = __skb_dequeue(&list)) != NULL)
4461 __skb_queue_tail(head, skb);
4462 spin_unlock_irq(&head->lock);
4463 }
4464#else
65e19f54 4465 fput(io_file_from_index(ctx, index));
c3a31e60
JA		 4466#endif
4467}
4468
4469static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
4470 int index)
4471{
4472#if defined(CONFIG_UNIX)
4473 struct sock *sock = ctx->ring_sock->sk;
4474 struct sk_buff_head *head = &sock->sk_receive_queue;
4475 struct sk_buff *skb;
4476
4477 /*
4478 * See if we can merge this file into an existing skb SCM_RIGHTS
4479 * file set. If there's no room, fall back to allocating a new skb
4480 * and filling it in.
4481 */
4482 spin_lock_irq(&head->lock);
4483 skb = skb_peek(head);
4484 if (skb) {
4485 struct scm_fp_list *fpl = UNIXCB(skb).fp;
4486
4487 if (fpl->count < SCM_MAX_FD) {
4488 __skb_unlink(skb, head);
4489 spin_unlock_irq(&head->lock);
4490 fpl->fp[fpl->count] = get_file(file);
4491 unix_inflight(fpl->user, fpl->fp[fpl->count]);
4492 fpl->count++;
4493 spin_lock_irq(&head->lock);
4494 __skb_queue_head(head, skb);
4495 } else {
4496 skb = NULL;
4497 }
4498 }
4499 spin_unlock_irq(&head->lock);
4500
4501 if (skb) {
4502 fput(file);
4503 return 0;
4504 }
4505
4506 return __io_sqe_files_scm(ctx, 1, index);
4507#else
4508 return 0;
4509#endif
4510}
4511
4512static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
4513 unsigned nr_args)
4514{
4515 struct io_uring_files_update up;
4516 __s32 __user *fds;
4517 int fd, i, err;
4518 __u32 done;
4519
65e19f54 4520 if (!ctx->file_table)
c3a31e60
JA		 4521 return -ENXIO;
4522 if (!nr_args)
4523 return -EINVAL;
4524 if (copy_from_user(&up, arg, sizeof(up)))
4525 return -EFAULT;
1292e972
ES		 4526 if (up.resv)
4527 return -EINVAL;
c3a31e60
JA		 4528 if (check_add_overflow(up.offset, nr_args, &done))
4529 return -EOVERFLOW;
4530 if (done > ctx->nr_user_files)
4531 return -EINVAL;
4532
4533 done = 0;
1292e972 4534 fds = u64_to_user_ptr(up.fds);
c3a31e60 4535 while (nr_args) {
65e19f54
JA		 4536 struct fixed_file_table *table;
4537 unsigned index;
4538
c3a31e60
JA		 4539 err = 0;
4540 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
4541 err = -EFAULT;
4542 break;
4543 }
4544 i = array_index_nospec(up.offset, ctx->nr_user_files);
65e19f54
JA		 4545 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4546 index = i & IORING_FILE_TABLE_MASK;
4547 if (table->files[index]) {
c3a31e60 4548 io_sqe_file_unregister(ctx, i);
65e19f54 4549 table->files[index] = NULL;
c3a31e60
JA		 4550 }
4551 if (fd != -1) {
4552 struct file *file;
4553
4554 file = fget(fd);
4555 if (!file) {
4556 err = -EBADF;
4557 break;
4558 }
4559 /*
4560 * Don't allow io_uring instances to be registered. If
4561 * UNIX isn't enabled, then this causes a reference
4562 * cycle and this instance can never get freed. If UNIX
4563 * is enabled we'll handle it just fine, but there's
4564 * still no point in allowing a ring fd as it doesn't
4565 * support regular read/write anyway.
4566 */
4567 if (file->f_op == &io_uring_fops) {
4568 fput(file);
4569 err = -EBADF;
4570 break;
4571 }
65e19f54 4572 table->files[index] = file;
c3a31e60
JA		 4573 err = io_sqe_file_register(ctx, file, i);
4574 if (err)
4575 break;
4576 }
4577 nr_args--;
4578 done++;
4579 up.offset++;
4580 }
4581
4582 return done ? done : err;
4583}
4584
7d723065
JA		 4585static void io_put_work(struct io_wq_work *work)
4586{
4587 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4588
4589 io_put_req(req);
4590}
4591
4592static void io_get_work(struct io_wq_work *work)
4593{
4594 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4595
4596 refcount_inc(&req->refs);
4597}
4598
6c271ce2
JA		 4599static int io_sq_offload_start(struct io_ring_ctx *ctx,
4600 struct io_uring_params *p)
2b188cc1 4601{
576a347b 4602 struct io_wq_data data;
561fb04a 4603 unsigned concurrency;
2b188cc1
JA		 4604 int ret;
4605
6c271ce2 4606 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 4607 mmgrab(current->mm);
4608 ctx->sqo_mm = current->mm;
4609
6c271ce2 4610 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 4611 ret = -EPERM;
4612 if (!capable(CAP_SYS_ADMIN))
4613 goto err;
4614
917257da
JA		 4615 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
4616 if (!ctx->sq_thread_idle)
4617 ctx->sq_thread_idle = HZ;
4618
6c271ce2 4619 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 4620 int cpu = p->sq_thread_cpu;
6c271ce2 4621
917257da 4622 ret = -EINVAL;
44a9bd18
JA		 4623 if (cpu >= nr_cpu_ids)
4624 goto err;
7889f44d 4625 if (!cpu_online(cpu))
917257da
JA		 4626 goto err;
4627
6c271ce2
JA		 4628 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
4629 ctx, cpu,
4630 "io_uring-sq");
4631 } else {
4632 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
4633 "io_uring-sq");
4634 }
4635 if (IS_ERR(ctx->sqo_thread)) {
4636 ret = PTR_ERR(ctx->sqo_thread);
4637 ctx->sqo_thread = NULL;
4638 goto err;
4639 }
4640 wake_up_process(ctx->sqo_thread);
4641 } else if (p->flags & IORING_SETUP_SQ_AFF) {
4642 /* Can't have SQ_AFF without SQPOLL */
4643 ret = -EINVAL;
4644 goto err;
4645 }
4646
576a347b
JA		 4647 data.mm = ctx->sqo_mm;
4648 data.user = ctx->user;
181e448d 4649 data.creds = ctx->creds;
576a347b
JA		 4650 data.get_work = io_get_work;
4651 data.put_work = io_put_work;
4652
561fb04a
JA		 4653 /* Do QD, or 4 * CPUS, whatever is smallest */
4654 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 4655 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 4656 if (IS_ERR(ctx->io_wq)) {
4657 ret = PTR_ERR(ctx->io_wq);
4658 ctx->io_wq = NULL;
2b188cc1
JA		 4659 goto err;
4660 }
4661
4662 return 0;
4663err:
54a91f3b 4664 io_finish_async(ctx);
2b188cc1
JA		 4665 mmdrop(ctx->sqo_mm);
4666 ctx->sqo_mm = NULL;
4667 return ret;
4668}
4669
4670static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
4671{
4672 atomic_long_sub(nr_pages, &user->locked_vm);
4673}
4674
4675static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
4676{
4677 unsigned long page_limit, cur_pages, new_pages;
4678
4679 /* Don't allow more pages than we can safely lock */
4680 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
4681
4682 do {
4683 cur_pages = atomic_long_read(&user->locked_vm);
4684 new_pages = cur_pages + nr_pages;
4685 if (new_pages > page_limit)
4686 return -ENOMEM;
4687 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
4688 new_pages) != cur_pages);
4689
4690 return 0;
4691}
4692
4693static void io_mem_free(void *ptr)
4694{
52e04ef4
MR		 4695 struct page *page;
4696
4697 if (!ptr)
4698 return;
2b188cc1 4699
52e04ef4 4700 page = virt_to_head_page(ptr);
2b188cc1
JA		 4701 if (put_page_testzero(page))
4702 free_compound_page(page);
4703}
4704
4705static void *io_mem_alloc(size_t size)
4706{
4707 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
4708 __GFP_NORETRY;
4709
4710 return (void *) __get_free_pages(gfp_flags, get_order(size));
4711}
4712
75b28aff
HV		 4713static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
4714 size_t *sq_offset)
4715{
4716 struct io_rings *rings;
4717 size_t off, sq_array_size;
4718
4719 off = struct_size(rings, cqes, cq_entries);
4720 if (off == SIZE_MAX)
4721 return SIZE_MAX;
4722
4723#ifdef CONFIG_SMP
4724 off = ALIGN(off, SMP_CACHE_BYTES);
4725 if (off == 0)
4726 return SIZE_MAX;
4727#endif
4728
4729 sq_array_size = array_size(sizeof(u32), sq_entries);
4730 if (sq_array_size == SIZE_MAX)
4731 return SIZE_MAX;
4732
4733 if (check_add_overflow(off, sq_array_size, &off))
4734 return SIZE_MAX;
4735
4736 if (sq_offset)
4737 *sq_offset = off;
4738
4739 return off;
4740}
4741
2b188cc1
JA		 4742static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
4743{
75b28aff 4744 size_t pages;
2b188cc1 4745
75b28aff
HV		 4746 pages = (size_t)1 << get_order(
4747 rings_size(sq_entries, cq_entries, NULL));
4748 pages += (size_t)1 << get_order(
4749 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 4750
75b28aff 4751 return pages;
2b188cc1
JA		 4752}
4753
edafccee
JA		 4754static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
4755{
4756 int i, j;
4757
4758 if (!ctx->user_bufs)
4759 return -ENXIO;
4760
4761 for (i = 0; i < ctx->nr_user_bufs; i++) {
4762 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4763
4764 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 4765 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 4766
4767 if (ctx->account_mem)
4768 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 4769 kvfree(imu->bvec);
edafccee
JA		 4770 imu->nr_bvecs = 0;
4771 }
4772
4773 kfree(ctx->user_bufs);
4774 ctx->user_bufs = NULL;
4775 ctx->nr_user_bufs = 0;
4776 return 0;
4777}
4778
4779static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
4780 void __user *arg, unsigned index)
4781{
4782 struct iovec __user *src;
4783
4784#ifdef CONFIG_COMPAT
4785 if (ctx->compat) {
4786 struct compat_iovec __user *ciovs;
4787 struct compat_iovec ciov;
4788
4789 ciovs = (struct compat_iovec __user *) arg;
4790 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
4791 return -EFAULT;
4792
d55e5f5b 4793 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 4794 dst->iov_len = ciov.iov_len;
4795 return 0;
4796 }
4797#endif
4798 src = (struct iovec __user *) arg;
4799 if (copy_from_user(dst, &src[index], sizeof(*dst)))
4800 return -EFAULT;
4801 return 0;
4802}
4803
4804static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
4805 unsigned nr_args)
4806{
4807 struct vm_area_struct **vmas = NULL;
4808 struct page **pages = NULL;
4809 int i, j, got_pages = 0;
4810 int ret = -EINVAL;
4811
4812 if (ctx->user_bufs)
4813 return -EBUSY;
4814 if (!nr_args || nr_args > UIO_MAXIOV)
4815 return -EINVAL;
4816
4817 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
4818 GFP_KERNEL);
4819 if (!ctx->user_bufs)
4820 return -ENOMEM;
4821
4822 for (i = 0; i < nr_args; i++) {
4823 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4824 unsigned long off, start, end, ubuf;
4825 int pret, nr_pages;
4826 struct iovec iov;
4827 size_t size;
4828
4829 ret = io_copy_iov(ctx, &iov, arg, i);
4830 if (ret)
a278682d 4831 goto err;
edafccee
JA		 4832
4833 /*
4834 * Don't impose further limits on the size and buffer
4835 * constraints here, we'll -EINVAL later when IO is
4836 * submitted if they are wrong.
4837 */
4838 ret = -EFAULT;
4839 if (!iov.iov_base || !iov.iov_len)
4840 goto err;
4841
4842 /* arbitrary limit, but we need something */
4843 if (iov.iov_len > SZ_1G)
4844 goto err;
4845
4846 ubuf = (unsigned long) iov.iov_base;
4847 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
4848 start = ubuf >> PAGE_SHIFT;
4849 nr_pages = end - start;
4850
4851 if (ctx->account_mem) {
4852 ret = io_account_mem(ctx->user, nr_pages);
4853 if (ret)
4854 goto err;
4855 }
4856
4857 ret = 0;
4858 if (!pages || nr_pages > got_pages) {
4859 kfree(vmas);
4860 kfree(pages);
d4ef6475 4861 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 4862 GFP_KERNEL);
d4ef6475 4863 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 4864 sizeof(struct vm_area_struct *),
4865 GFP_KERNEL);
4866 if (!pages || !vmas) {
4867 ret = -ENOMEM;
4868 if (ctx->account_mem)
4869 io_unaccount_mem(ctx->user, nr_pages);
4870 goto err;
4871 }
4872 got_pages = nr_pages;
4873 }
4874
d4ef6475 4875 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 4876 GFP_KERNEL);
4877 ret = -ENOMEM;
4878 if (!imu->bvec) {
4879 if (ctx->account_mem)
4880 io_unaccount_mem(ctx->user, nr_pages);
4881 goto err;
4882 }
4883
4884 ret = 0;
4885 down_read(&current->mm->mmap_sem);
932f4a63
IW		 4886 pret = get_user_pages(ubuf, nr_pages,
4887 FOLL_WRITE | FOLL_LONGTERM,
4888 pages, vmas);
edafccee
JA		 4889 if (pret == nr_pages) {
4890 /* don't support file backed memory */
4891 for (j = 0; j < nr_pages; j++) {
4892 struct vm_area_struct *vma = vmas[j];
4893
4894 if (vma->vm_file &&
4895 !is_file_hugepages(vma->vm_file)) {
4896 ret = -EOPNOTSUPP;
4897 break;
4898 }
4899 }
4900 } else {
4901 ret = pret < 0 ? pret : -EFAULT;
4902 }
4903 up_read(&current->mm->mmap_sem);
4904 if (ret) {
4905 /*
4906 * if we did partial map, or found file backed vmas,
4907 * release any pages we did get
4908 */
27c4d3a3
JH		 4909 if (pret > 0)
4910 put_user_pages(pages, pret);
edafccee
JA		 4911 if (ctx->account_mem)
4912 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 4913 kvfree(imu->bvec);
edafccee
JA		 4914 goto err;
4915 }
4916
4917 off = ubuf & ~PAGE_MASK;
4918 size = iov.iov_len;
4919 for (j = 0; j < nr_pages; j++) {
4920 size_t vec_len;
4921
4922 vec_len = min_t(size_t, size, PAGE_SIZE - off);
4923 imu->bvec[j].bv_page = pages[j];
4924 imu->bvec[j].bv_len = vec_len;
4925 imu->bvec[j].bv_offset = off;
4926 off = 0;
4927 size -= vec_len;
4928 }
4929 /* store original address for later verification */
4930 imu->ubuf = ubuf;
4931 imu->len = iov.iov_len;
4932 imu->nr_bvecs = nr_pages;
4933
4934 ctx->nr_user_bufs++;
4935 }
d4ef6475
MR		 4936 kvfree(pages);
4937 kvfree(vmas);
edafccee
JA		 4938 return 0;
4939err:
d4ef6475
MR		 4940 kvfree(pages);
4941 kvfree(vmas);
edafccee
JA		 4942 io_sqe_buffer_unregister(ctx);
4943 return ret;
4944}
4945
9b402849
JA		 4946static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
4947{
4948 __s32 __user *fds = arg;
4949 int fd;
4950
4951 if (ctx->cq_ev_fd)
4952 return -EBUSY;
4953
4954 if (copy_from_user(&fd, fds, sizeof(*fds)))
4955 return -EFAULT;
4956
4957 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
4958 if (IS_ERR(ctx->cq_ev_fd)) {
4959 int ret = PTR_ERR(ctx->cq_ev_fd);
4960 ctx->cq_ev_fd = NULL;
4961 return ret;
4962 }
4963
4964 return 0;
4965}
4966
4967static int io_eventfd_unregister(struct io_ring_ctx *ctx)
4968{
4969 if (ctx->cq_ev_fd) {
4970 eventfd_ctx_put(ctx->cq_ev_fd);
4971 ctx->cq_ev_fd = NULL;
4972 return 0;
4973 }
4974
4975 return -ENXIO;
4976}
4977
2b188cc1
JA		 4978static void io_ring_ctx_free(struct io_ring_ctx *ctx)
4979{
6b06314c 4980 io_finish_async(ctx);
2b188cc1
JA		 4981 if (ctx->sqo_mm)
4982 mmdrop(ctx->sqo_mm);
def596e9
JA		 4983
4984 io_iopoll_reap_events(ctx);
edafccee 4985 io_sqe_buffer_unregister(ctx);
6b06314c 4986 io_sqe_files_unregister(ctx);
9b402849 4987 io_eventfd_unregister(ctx);
def596e9 4988
2b188cc1 4989#if defined(CONFIG_UNIX)
355e8d26
EB		 4990 if (ctx->ring_sock) {
4991 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 4992 sock_release(ctx->ring_sock);
355e8d26 4993 }
2b188cc1
JA		 4994#endif
4995
75b28aff 4996 io_mem_free(ctx->rings);
2b188cc1 4997 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 4998
4999 percpu_ref_exit(&ctx->refs);
5000 if (ctx->account_mem)
5001 io_unaccount_mem(ctx->user,
5002 ring_pages(ctx->sq_entries, ctx->cq_entries));
5003 free_uid(ctx->user);
181e448d 5004 put_cred(ctx->creds);
206aefde 5005 kfree(ctx->completions);
78076bb6 5006 kfree(ctx->cancel_hash);
0ddf92e8 5007 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 5008 kfree(ctx);
5009}
5010
5011static __poll_t io_uring_poll(struct file *file, poll_table *wait)
5012{
5013 struct io_ring_ctx *ctx = file->private_data;
5014 __poll_t mask = 0;
5015
5016 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 5017 /*
5018 * synchronizes with barrier from wq_has_sleeper call in
5019 * io_commit_cqring
5020 */
2b188cc1 5021 smp_rmb();
75b28aff
HV		 5022 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
5023 ctx->rings->sq_ring_entries)
2b188cc1 5024 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 5025 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 5026 mask |= EPOLLIN | EPOLLRDNORM;
5027
5028 return mask;
5029}
5030
5031static int io_uring_fasync(int fd, struct file *file, int on)
5032{
5033 struct io_ring_ctx *ctx = file->private_data;
5034
5035 return fasync_helper(fd, file, on, &ctx->cq_fasync);
5036}
5037
5038static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
5039{
5040 mutex_lock(&ctx->uring_lock);
5041 percpu_ref_kill(&ctx->refs);
5042 mutex_unlock(&ctx->uring_lock);
5043
5262f567 5044 io_kill_timeouts(ctx);
221c5eb2 5045 io_poll_remove_all(ctx);
561fb04a
JA		 5046
5047 if (ctx->io_wq)
5048 io_wq_cancel_all(ctx->io_wq);
5049
def596e9 5050 io_iopoll_reap_events(ctx);
15dff286
JA		 5051 /* if we failed setting up the ctx, we might not have any rings */
5052 if (ctx->rings)
5053 io_cqring_overflow_flush(ctx, true);
206aefde 5054 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 5055 io_ring_ctx_free(ctx);
5056}
5057
5058static int io_uring_release(struct inode *inode, struct file *file)
5059{
5060 struct io_ring_ctx *ctx = file->private_data;
5061
5062 file->private_data = NULL;
5063 io_ring_ctx_wait_and_kill(ctx);
5064 return 0;
5065}
5066
fcb323cc
JA		 5067static void io_uring_cancel_files(struct io_ring_ctx *ctx,
5068 struct files_struct *files)
5069{
5070 struct io_kiocb *req;
5071 DEFINE_WAIT(wait);
5072
5073 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 5074 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 5075
5076 spin_lock_irq(&ctx->inflight_lock);
5077 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 5078 if (req->work.files != files)
5079 continue;
5080 /* req is being completed, ignore */
5081 if (!refcount_inc_not_zero(&req->refs))
5082 continue;
5083 cancel_req = req;
5084 break;
fcb323cc 5085 }
768134d4 5086 if (cancel_req)
fcb323cc 5087 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 5088 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 5089 spin_unlock_irq(&ctx->inflight_lock);
5090
768134d4
JA		 5091 /* We need to keep going until we don't find a matching req */
5092 if (!cancel_req)
fcb323cc 5093 break;
2f6d9b9d
BL		 5094
5095 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
5096 io_put_req(cancel_req);
fcb323cc
JA		 5097 schedule();
5098 }
768134d4 5099 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 5100}
5101
5102static int io_uring_flush(struct file *file, void *data)
5103{
5104 struct io_ring_ctx *ctx = file->private_data;
5105
5106 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 5107 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
5108 io_cqring_overflow_flush(ctx, true);
fcb323cc 5109 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 5110 }
fcb323cc
JA		 5111 return 0;
5112}
5113
6c5c240e
RP		 5114static void *io_uring_validate_mmap_request(struct file *file,
5115 loff_t pgoff, size_t sz)
2b188cc1 5116{
2b188cc1 5117 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 5118 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 5119 struct page *page;
5120 void *ptr;
5121
5122 switch (offset) {
5123 case IORING_OFF_SQ_RING:
75b28aff
HV		 5124 case IORING_OFF_CQ_RING:
5125 ptr = ctx->rings;
2b188cc1
JA		 5126 break;
5127 case IORING_OFF_SQES:
5128 ptr = ctx->sq_sqes;
5129 break;
2b188cc1 5130 default:
6c5c240e 5131 return ERR_PTR(-EINVAL);
2b188cc1
JA		 5132 }
5133
5134 page = virt_to_head_page(ptr);
a50b854e 5135 if (sz > page_size(page))
6c5c240e
RP		 5136 return ERR_PTR(-EINVAL);
5137
5138 return ptr;
5139}
5140
5141#ifdef CONFIG_MMU
5142
5143static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5144{
5145 size_t sz = vma->vm_end - vma->vm_start;
5146 unsigned long pfn;
5147 void *ptr;
5148
5149 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5150 if (IS_ERR(ptr))
5151 return PTR_ERR(ptr);
2b188cc1
JA		 5152
5153 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5154 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5155}
5156
6c5c240e
RP		 5157#else /* !CONFIG_MMU */
5158
5159static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5160{
5161 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5162}
5163
5164static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
5165{
5166 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
5167}
5168
5169static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
5170 unsigned long addr, unsigned long len,
5171 unsigned long pgoff, unsigned long flags)
5172{
5173 void *ptr;
5174
5175 ptr = io_uring_validate_mmap_request(file, pgoff, len);
5176 if (IS_ERR(ptr))
5177 return PTR_ERR(ptr);
5178
5179 return (unsigned long) ptr;
5180}
5181
5182#endif /* !CONFIG_MMU */
5183
2b188cc1
JA		 5184SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
5185 u32, min_complete, u32, flags, const sigset_t __user *, sig,
5186 size_t, sigsz)
5187{
5188 struct io_ring_ctx *ctx;
5189 long ret = -EBADF;
5190 int submitted = 0;
5191 struct fd f;
5192
6c271ce2 5193 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 5194 return -EINVAL;
5195
5196 f = fdget(fd);
5197 if (!f.file)
5198 return -EBADF;
5199
5200 ret = -EOPNOTSUPP;
5201 if (f.file->f_op != &io_uring_fops)
5202 goto out_fput;
5203
5204 ret = -ENXIO;
5205 ctx = f.file->private_data;
5206 if (!percpu_ref_tryget(&ctx->refs))
5207 goto out_fput;
5208
6c271ce2
JA		 5209 /*
5210 * For SQ polling, the thread will do all submissions and completions.
5211 * Just return the requested submit count, and wake the thread if
5212 * we were asked to.
5213 */
b2a9eada 5214 ret = 0;
6c271ce2 5215 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 5216 if (!list_empty_careful(&ctx->cq_overflow_list))
5217 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 5218 if (flags & IORING_ENTER_SQ_WAKEUP)
5219 wake_up(&ctx->sqo_wait);
5220 submitted = to_submit;
b2a9eada 5221 } else if (to_submit) {
ae9428ca 5222 struct mm_struct *cur_mm;
2b188cc1 5223
44d28279
JA		 5224 if (current->mm != ctx->sqo_mm ||
5225 current_cred() != ctx->creds) {
5226 ret = -EPERM;
5227 goto out;
5228 }
5229
ae9428ca 5230 to_submit = min(to_submit, ctx->sq_entries);
2b188cc1 5231 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 5232 /* already have mm, so io_submit_sqes() won't try to grab it */
5233 cur_mm = ctx->sqo_mm;
5234 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
5235 &cur_mm, false);
2b188cc1 5236 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 5237
5238 if (submitted != to_submit)
5239 goto out;
2b188cc1
JA		 5240 }
5241 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 5242 unsigned nr_events = 0;
5243
2b188cc1
JA		 5244 min_complete = min(min_complete, ctx->cq_entries);
5245
def596e9 5246 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 5247 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 5248 } else {
5249 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
5250 }
2b188cc1
JA		 5251 }
5252
7c504e65 5253out:
6805b32e 5254 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 5255out_fput:
5256 fdput(f);
5257 return submitted ? submitted : ret;
5258}
5259
5260static const struct file_operations io_uring_fops = {
5261 .release = io_uring_release,
fcb323cc 5262 .flush = io_uring_flush,
2b188cc1 5263 .mmap = io_uring_mmap,
6c5c240e
RP		 5264#ifndef CONFIG_MMU
5265 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
5266 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
5267#endif
2b188cc1
JA		 5268 .poll = io_uring_poll,
5269 .fasync = io_uring_fasync,
5270};
5271
5272static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
5273 struct io_uring_params *p)
5274{
75b28aff
HV		 5275 struct io_rings *rings;
5276 size_t size, sq_array_offset;
2b188cc1 5277
75b28aff
HV		 5278 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
5279 if (size == SIZE_MAX)
5280 return -EOVERFLOW;
5281
5282 rings = io_mem_alloc(size);
5283 if (!rings)
2b188cc1
JA		 5284 return -ENOMEM;
5285
75b28aff
HV		 5286 ctx->rings = rings;
5287 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
5288 rings->sq_ring_mask = p->sq_entries - 1;
5289 rings->cq_ring_mask = p->cq_entries - 1;
5290 rings->sq_ring_entries = p->sq_entries;
5291 rings->cq_ring_entries = p->cq_entries;
5292 ctx->sq_mask = rings->sq_ring_mask;
5293 ctx->cq_mask = rings->cq_ring_mask;
5294 ctx->sq_entries = rings->sq_ring_entries;
5295 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 5296
5297 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 5298 if (size == SIZE_MAX) {
5299 io_mem_free(ctx->rings);
5300 ctx->rings = NULL;
2b188cc1 5301 return -EOVERFLOW;
eb065d30 5302 }
2b188cc1
JA		 5303
5304 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 5305 if (!ctx->sq_sqes) {
5306 io_mem_free(ctx->rings);
5307 ctx->rings = NULL;
2b188cc1 5308 return -ENOMEM;
eb065d30 5309 }
2b188cc1 5310
2b188cc1
JA		 5311 return 0;
5312}
5313
5314/*
5315 * Allocate an anonymous fd, this is what constitutes the application
5316 * visible backing of an io_uring instance. The application mmaps this
5317 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
5318 * we have to tie this fd to a socket for file garbage collection purposes.
5319 */
5320static int io_uring_get_fd(struct io_ring_ctx *ctx)
5321{
5322 struct file *file;
5323 int ret;
5324
5325#if defined(CONFIG_UNIX)
5326 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
5327 &ctx->ring_sock);
5328 if (ret)
5329 return ret;
5330#endif
5331
5332 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
5333 if (ret < 0)
5334 goto err;
5335
5336 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
5337 O_RDWR | O_CLOEXEC);
5338 if (IS_ERR(file)) {
5339 put_unused_fd(ret);
5340 ret = PTR_ERR(file);
5341 goto err;
5342 }
5343
5344#if defined(CONFIG_UNIX)
5345 ctx->ring_sock->file = file;
6b06314c 5346 ctx->ring_sock->sk->sk_user_data = ctx;
2b188cc1
JA		 5347#endif
5348 fd_install(ret, file);
5349 return ret;
5350err:
5351#if defined(CONFIG_UNIX)
5352 sock_release(ctx->ring_sock);
5353 ctx->ring_sock = NULL;
5354#endif
5355 return ret;
5356}
5357
5358static int io_uring_create(unsigned entries, struct io_uring_params *p)
5359{
5360 struct user_struct *user = NULL;
5361 struct io_ring_ctx *ctx;
5362 bool account_mem;
5363 int ret;
5364
5365 if (!entries || entries > IORING_MAX_ENTRIES)
5366 return -EINVAL;
5367
5368 /*
5369 * Use twice as many entries for the CQ ring. It's possible for the
5370 * application to drive a higher depth than the size of the SQ ring,
5371 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 5372 * some flexibility in overcommitting a bit. If the application has
5373 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
5374 * of CQ ring entries manually.
2b188cc1
JA		 5375 */
5376 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 5377 if (p->flags & IORING_SETUP_CQSIZE) {
5378 /*
5379 * If IORING_SETUP_CQSIZE is set, we do the same roundup
5380 * to a power-of-two, if it isn't already. We do NOT impose
5381 * any cq vs sq ring sizing.
5382 */
5383 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
5384 return -EINVAL;
5385 p->cq_entries = roundup_pow_of_two(p->cq_entries);
5386 } else {
5387 p->cq_entries = 2 * p->sq_entries;
5388 }
2b188cc1
JA		 5389
5390 user = get_uid(current_user());
5391 account_mem = !capable(CAP_IPC_LOCK);
5392
5393 if (account_mem) {
5394 ret = io_account_mem(user,
5395 ring_pages(p->sq_entries, p->cq_entries));
5396 if (ret) {
5397 free_uid(user);
5398 return ret;
5399 }
5400 }
5401
5402 ctx = io_ring_ctx_alloc(p);
5403 if (!ctx) {
5404 if (account_mem)
5405 io_unaccount_mem(user, ring_pages(p->sq_entries,
5406 p->cq_entries));
5407 free_uid(user);
5408 return -ENOMEM;
5409 }
5410 ctx->compat = in_compat_syscall();
5411 ctx->account_mem = account_mem;
5412 ctx->user = user;
0b8c0ec7 5413 ctx->creds = get_current_cred();
2b188cc1
JA		 5414
5415 ret = io_allocate_scq_urings(ctx, p);
5416 if (ret)
5417 goto err;
5418
6c271ce2 5419 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 5420 if (ret)
5421 goto err;
5422
2b188cc1 5423 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 5424 p->sq_off.head = offsetof(struct io_rings, sq.head);
5425 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
5426 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
5427 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
5428 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
5429 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
5430 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 5431
5432 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 5433 p->cq_off.head = offsetof(struct io_rings, cq.head);
5434 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
5435 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
5436 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
5437 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
5438 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 5439
044c1ab3
JA		 5440 /*
5441 * Install ring fd as the very last thing, so we don't risk someone
5442 * having closed it before we finish setup
5443 */
5444 ret = io_uring_get_fd(ctx);
5445 if (ret < 0)
5446 goto err;
5447
da8c9690
JA		 5448 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
5449 IORING_FEAT_SUBMIT_STABLE;
c826bd7a 5450 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 5451 return ret;
5452err:
5453 io_ring_ctx_wait_and_kill(ctx);
5454 return ret;
5455}
5456
5457/*
5458 * Sets up an aio uring context, and returns the fd. Applications asks for a
5459 * ring size, we return the actual sq/cq ring sizes (among other things) in the
5460 * params structure passed in.
5461 */
5462static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
5463{
5464 struct io_uring_params p;
5465 long ret;
5466 int i;
5467
5468 if (copy_from_user(&p, params, sizeof(p)))
5469 return -EFAULT;
5470 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
5471 if (p.resv[i])
5472 return -EINVAL;
5473 }
5474
6c271ce2 5475 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
33a107f0 5476 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
2b188cc1
JA		 5477 return -EINVAL;
5478
5479 ret = io_uring_create(entries, &p);
5480 if (ret < 0)
5481 return ret;
5482
5483 if (copy_to_user(params, &p, sizeof(p)))
5484 return -EFAULT;
5485
5486 return ret;
5487}
5488
5489SYSCALL_DEFINE2(io_uring_setup, u32, entries,
5490 struct io_uring_params __user *, params)
5491{
5492 return io_uring_setup(entries, params);
5493}
5494
edafccee
JA		 5495static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
5496 void __user *arg, unsigned nr_args)
b19062a5
JA		 5497 __releases(ctx->uring_lock)
5498 __acquires(ctx->uring_lock)
edafccee
JA		 5499{
5500 int ret;
5501
35fa71a0
JA		 5502 /*
5503 * We're inside the ring mutex, if the ref is already dying, then
5504 * someone else killed the ctx or is already going through
5505 * io_uring_register().
5506 */
5507 if (percpu_ref_is_dying(&ctx->refs))
5508 return -ENXIO;
5509
edafccee 5510 percpu_ref_kill(&ctx->refs);
b19062a5
JA		 5511
5512 /*
5513 * Drop uring mutex before waiting for references to exit. If another
5514 * thread is currently inside io_uring_enter() it might need to grab
5515 * the uring_lock to make progress. If we hold it here across the drain
5516 * wait, then we can deadlock. It's safe to drop the mutex here, since
5517 * no new references will come in after we've killed the percpu ref.
5518 */
5519 mutex_unlock(&ctx->uring_lock);
206aefde 5520 wait_for_completion(&ctx->completions[0]);
b19062a5 5521 mutex_lock(&ctx->uring_lock);
edafccee
JA		 5522
5523 switch (opcode) {
5524 case IORING_REGISTER_BUFFERS:
5525 ret = io_sqe_buffer_register(ctx, arg, nr_args);
5526 break;
5527 case IORING_UNREGISTER_BUFFERS:
5528 ret = -EINVAL;
5529 if (arg || nr_args)
5530 break;
5531 ret = io_sqe_buffer_unregister(ctx);
5532 break;
6b06314c
JA		 5533 case IORING_REGISTER_FILES:
5534 ret = io_sqe_files_register(ctx, arg, nr_args);
5535 break;
5536 case IORING_UNREGISTER_FILES:
5537 ret = -EINVAL;
5538 if (arg || nr_args)
5539 break;
5540 ret = io_sqe_files_unregister(ctx);
5541 break;
c3a31e60
JA		 5542 case IORING_REGISTER_FILES_UPDATE:
5543 ret = io_sqe_files_update(ctx, arg, nr_args);
5544 break;
9b402849
JA		 5545 case IORING_REGISTER_EVENTFD:
5546 ret = -EINVAL;
5547 if (nr_args != 1)
5548 break;
5549 ret = io_eventfd_register(ctx, arg);
5550 break;
5551 case IORING_UNREGISTER_EVENTFD:
5552 ret = -EINVAL;
5553 if (arg || nr_args)
5554 break;
5555 ret = io_eventfd_unregister(ctx);
5556 break;
edafccee
JA		 5557 default:
5558 ret = -EINVAL;
5559 break;
5560 }
5561
5562 /* bring the ctx back to life */
206aefde 5563 reinit_completion(&ctx->completions[0]);
edafccee
JA		 5564 percpu_ref_reinit(&ctx->refs);
5565 return ret;
5566}
5567
5568SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
5569 void __user *, arg, unsigned int, nr_args)
5570{
5571 struct io_ring_ctx *ctx;
5572 long ret = -EBADF;
5573 struct fd f;
5574
5575 f = fdget(fd);
5576 if (!f.file)
5577 return -EBADF;
5578
5579 ret = -EOPNOTSUPP;
5580 if (f.file->f_op != &io_uring_fops)
5581 goto out_fput;
5582
5583 ctx = f.file->private_data;
5584
5585 mutex_lock(&ctx->uring_lock);
5586 ret = __io_uring_register(ctx, opcode, arg, nr_args);
5587 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 5588 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
5589 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 5590out_fput:
5591 fdput(f);
5592 return ret;
5593}
5594
2b188cc1
JA		 5595static int __init io_uring_init(void)
5596{
5597 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
5598 return 0;
5599};
5600__initcall(io_uring_init);
Linux 6.x block layer and io_uring tree(s)