projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: change io_ring_ctx bool fields into bit fields
[linux-block.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
15b71abe
JA		 73#include <linux/namei.h>
74#include <linux/fsnotify.h>
4840e418 75#include <linux/fadvise.h>
2b188cc1 76
c826bd7a
DD		 77#define CREATE_TRACE_POINTS
78#include <trace/events/io_uring.h>
79
2b188cc1
JA		 80#include <uapi/linux/io_uring.h>
81
82#include "internal.h"
561fb04a 83#include "io-wq.h"
2b188cc1 84
5277deaa 85#define IORING_MAX_ENTRIES 32768
33a107f0 86#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 87
88/*
89 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
90 */
91#define IORING_FILE_TABLE_SHIFT 9
92#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
93#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
94#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 95
96struct io_uring {
97 u32 head ____cacheline_aligned_in_smp;
98 u32 tail ____cacheline_aligned_in_smp;
99};
100
1e84b97b 101/*
75b28aff
HV		 102 * This data is shared with the application through the mmap at offsets
103 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 104 *
105 * The offsets to the member fields are published through struct
106 * io_sqring_offsets when calling io_uring_setup.
107 */
75b28aff 108struct io_rings {
1e84b97b
SB		 109 /*
110 * Head and tail offsets into the ring; the offsets need to be
111 * masked to get valid indices.
112 *
75b28aff
HV		 113 * The kernel controls head of the sq ring and the tail of the cq ring,
114 * and the application controls tail of the sq ring and the head of the
115 * cq ring.
1e84b97b 116 */
75b28aff 117 struct io_uring sq, cq;
1e84b97b 118 /*
75b28aff 119 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 120 * ring_entries - 1)
121 */
75b28aff
HV		 122 u32 sq_ring_mask, cq_ring_mask;
123 /* Ring sizes (constant, power of 2) */
124 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 125 /*
126 * Number of invalid entries dropped by the kernel due to
127 * invalid index stored in array
128 *
129 * Written by the kernel, shouldn't be modified by the
130 * application (i.e. get number of "new events" by comparing to
131 * cached value).
132 *
133 * After a new SQ head value was read by the application this
134 * counter includes all submissions that were dropped reaching
135 * the new SQ head (and possibly more).
136 */
75b28aff 137 u32 sq_dropped;
1e84b97b
SB		 138 /*
139 * Runtime flags
140 *
141 * Written by the kernel, shouldn't be modified by the
142 * application.
143 *
144 * The application needs a full memory barrier before checking
145 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
146 */
75b28aff 147 u32 sq_flags;
1e84b97b
SB		 148 /*
149 * Number of completion events lost because the queue was full;
150 * this should be avoided by the application by making sure
0b4295b5 151 * there are not more requests pending than there is space in
1e84b97b
SB		 152 * the completion queue.
153 *
154 * Written by the kernel, shouldn't be modified by the
155 * application (i.e. get number of "new events" by comparing to
156 * cached value).
157 *
158 * As completion events come in out of order this counter is not
159 * ordered with any other data.
160 */
75b28aff 161 u32 cq_overflow;
1e84b97b
SB		 162 /*
163 * Ring buffer of completion events.
164 *
165 * The kernel writes completion events fresh every time they are
166 * produced, so the application is allowed to modify pending
167 * entries.
168 */
75b28aff 169 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 170};
171
edafccee
JA		 172struct io_mapped_ubuf {
173 u64 ubuf;
174 size_t len;
175 struct bio_vec *bvec;
176 unsigned int nr_bvecs;
177};
178
65e19f54
JA		 179struct fixed_file_table {
180 struct file **files;
31b51510
JA		 181};
182
05f3fb3c
JA		 183enum {
184 FFD_F_ATOMIC,
185};
186
187struct fixed_file_data {
188 struct fixed_file_table *table;
189 struct io_ring_ctx *ctx;
190
191 struct percpu_ref refs;
192 struct llist_head put_llist;
193 unsigned long state;
194 struct work_struct ref_work;
195 struct completion done;
196};
197
2b188cc1
JA		 198struct io_ring_ctx {
199 struct {
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
202
203 struct {
204 unsigned int flags;
69b3e546
JA		 205 int compat: 1;
206 int account_mem: 1;
207 int cq_overflow_flushed: 1;
208 int drain_next: 1;
2b188cc1 209
75b28aff
HV		 210 /*
211 * Ring buffer of indices into array of io_uring_sqe, which is
212 * mmapped by the application using the IORING_OFF_SQES offset.
213 *
214 * This indirection could e.g. be used to assign fixed
215 * io_uring_sqe entries to operations and only submit them to
216 * the queue when needed.
217 *
218 * The kernel modifies neither the indices array nor the entries
219 * array.
220 */
221 u32 *sq_array;
2b188cc1
JA		 222 unsigned cached_sq_head;
223 unsigned sq_entries;
224 unsigned sq_mask;
6c271ce2 225 unsigned sq_thread_idle;
498ccd9e 226 unsigned cached_sq_dropped;
206aefde 227 atomic_t cached_cq_overflow;
ad3eb2c8 228 unsigned long sq_check_overflow;
de0617e4
JA		 229
230 struct list_head defer_list;
5262f567 231 struct list_head timeout_list;
1d7bb1d5 232 struct list_head cq_overflow_list;
fcb323cc
JA		 233
234 wait_queue_head_t inflight_wait;
ad3eb2c8 235 struct io_uring_sqe *sq_sqes;
2b188cc1
JA		 236 } ____cacheline_aligned_in_smp;
237
206aefde
JA		 238 struct io_rings *rings;
239
2b188cc1 240 /* IO offload */
561fb04a 241 struct io_wq *io_wq;
6c271ce2 242 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 243 struct mm_struct *sqo_mm;
6c271ce2 244 wait_queue_head_t sqo_wait;
75b28aff 245
6b06314c
JA		 246 /*
247 * If used, fixed file set. Writers must ensure that ->refs is dead,
248 * readers must ensure that ->refs is alive as long as the file* is
249 * used. Only updated through io_uring_register(2).
250 */
05f3fb3c 251 struct fixed_file_data *file_data;
6b06314c
JA		 252 unsigned nr_user_files;
253
edafccee
JA		 254 /* if used, fixed mapped user buffers */
255 unsigned nr_user_bufs;
256 struct io_mapped_ubuf *user_bufs;
257
2b188cc1
JA		 258 struct user_struct *user;
259
0b8c0ec7 260 const struct cred *creds;
181e448d 261
206aefde
JA		 262 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
263 struct completion *completions;
264
0ddf92e8
JA		 265 /* if all else fails... */
266 struct io_kiocb *fallback_req;
267
206aefde
JA		 268#if defined(CONFIG_UNIX)
269 struct socket *ring_sock;
270#endif
271
272 struct {
273 unsigned cached_cq_tail;
274 unsigned cq_entries;
275 unsigned cq_mask;
276 atomic_t cq_timeouts;
ad3eb2c8 277 unsigned long cq_check_overflow;
206aefde
JA		 278 struct wait_queue_head cq_wait;
279 struct fasync_struct *cq_fasync;
280 struct eventfd_ctx *cq_ev_fd;
281 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 282
283 struct {
284 struct mutex uring_lock;
285 wait_queue_head_t wait;
286 } ____cacheline_aligned_in_smp;
287
288 struct {
289 spinlock_t completion_lock;
e94f141b
JA		 290 struct llist_head poll_llist;
291
def596e9
JA		 292 /*
293 * ->poll_list is protected by the ctx->uring_lock for
294 * io_uring instances that don't use IORING_SETUP_SQPOLL.
295 * For SQPOLL, only the single threaded io_sq_thread() will
296 * manipulate the list, hence no extra locking is needed there.
297 */
298 struct list_head poll_list;
78076bb6
JA		 299 struct hlist_head *cancel_hash;
300 unsigned cancel_hash_bits;
e94f141b 301 bool poll_multi_file;
31b51510 302
fcb323cc
JA		 303 spinlock_t inflight_lock;
304 struct list_head inflight_list;
2b188cc1 305 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 306};
307
09bb8394
JA		 308/*
309 * First field must be the file pointer in all the
310 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
311 */
221c5eb2
JA		 312struct io_poll_iocb {
313 struct file *file;
0969e783
JA		 314 union {
315 struct wait_queue_head *head;
316 u64 addr;
317 };
221c5eb2 318 __poll_t events;
8c838788 319 bool done;
221c5eb2 320 bool canceled;
392edb45 321 struct wait_queue_entry wait;
221c5eb2
JA		 322};
323
b5dba59e
JA		 324struct io_close {
325 struct file *file;
326 struct file *put_file;
327 int fd;
328};
329
ad8a48ac
JA		 330struct io_timeout_data {
331 struct io_kiocb *req;
332 struct hrtimer timer;
333 struct timespec64 ts;
334 enum hrtimer_mode mode;
cc42e0ac 335 u32 seq_offset;
ad8a48ac
JA		 336};
337
8ed8d3c3
JA		 338struct io_accept {
339 struct file *file;
340 struct sockaddr __user *addr;
341 int __user *addr_len;
342 int flags;
343};
344
345struct io_sync {
346 struct file *file;
347 loff_t len;
348 loff_t off;
349 int flags;
d63d1b5e 350 int mode;
8ed8d3c3
JA		 351};
352
fbf23849
JA		 353struct io_cancel {
354 struct file *file;
355 u64 addr;
356};
357
b29472ee
JA		 358struct io_timeout {
359 struct file *file;
360 u64 addr;
361 int flags;
26a61679 362 unsigned count;
b29472ee
JA		 363};
364
9adbd45d
JA		 365struct io_rw {
366 /* NOTE: kiocb has the file as the first member, so don't do it here */
367 struct kiocb kiocb;
368 u64 addr;
369 u64 len;
370};
371
3fbb51c1
JA		 372struct io_connect {
373 struct file *file;
374 struct sockaddr __user *addr;
375 int addr_len;
376};
377
e47293fd
JA		 378struct io_sr_msg {
379 struct file *file;
fddaface
JA		 380 union {
381 struct user_msghdr __user *msg;
382 void __user *buf;
383 };
e47293fd 384 int msg_flags;
fddaface 385 size_t len;
e47293fd
JA		 386};
387
15b71abe
JA		 388struct io_open {
389 struct file *file;
390 int dfd;
eddc7ef5
JA		 391 union {
392 umode_t mode;
393 unsigned mask;
394 };
15b71abe
JA		 395 const char __user *fname;
396 struct filename *filename;
eddc7ef5 397 struct statx __user *buffer;
15b71abe
JA		 398 int flags;
399};
400
05f3fb3c
JA		 401struct io_files_update {
402 struct file *file;
403 u64 arg;
404 u32 nr_args;
405 u32 offset;
406};
407
4840e418
JA		 408struct io_fadvise {
409 struct file *file;
410 u64 offset;
411 u32 len;
412 u32 advice;
413};
414
c1ca757b
JA		 415struct io_madvise {
416 struct file *file;
417 u64 addr;
418 u32 len;
419 u32 advice;
420};
421
f499a021
JA		 422struct io_async_connect {
423 struct sockaddr_storage address;
424};
425
03b1230c
JA		 426struct io_async_msghdr {
427 struct iovec fast_iov[UIO_FASTIOV];
428 struct iovec *iov;
429 struct sockaddr __user *uaddr;
430 struct msghdr msg;
431};
432
f67676d1
JA		 433struct io_async_rw {
434 struct iovec fast_iov[UIO_FASTIOV];
435 struct iovec *iov;
436 ssize_t nr_segs;
437 ssize_t size;
438};
439
15b71abe
JA		 440struct io_async_open {
441 struct filename *filename;
442};
443
1a6b74fc 444struct io_async_ctx {
f67676d1
JA		 445 union {
446 struct io_async_rw rw;
03b1230c 447 struct io_async_msghdr msg;
f499a021 448 struct io_async_connect connect;
2d28390a 449 struct io_timeout_data timeout;
15b71abe 450 struct io_async_open open;
f67676d1 451 };
1a6b74fc
JA		 452};
453
09bb8394
JA		 454/*
455 * NOTE! Each of the iocb union members has the file pointer
456 * as the first entry in their struct definition. So you can
457 * access the file pointer through any of the sub-structs,
458 * or directly as just 'ki_filp' in this struct.
459 */
2b188cc1 460struct io_kiocb {
221c5eb2 461 union {
09bb8394 462 struct file *file;
9adbd45d 463 struct io_rw rw;
221c5eb2 464 struct io_poll_iocb poll;
8ed8d3c3
JA		 465 struct io_accept accept;
466 struct io_sync sync;
fbf23849 467 struct io_cancel cancel;
b29472ee 468 struct io_timeout timeout;
3fbb51c1 469 struct io_connect connect;
e47293fd 470 struct io_sr_msg sr_msg;
15b71abe 471 struct io_open open;
b5dba59e 472 struct io_close close;
05f3fb3c 473 struct io_files_update files_update;
4840e418 474 struct io_fadvise fadvise;
c1ca757b 475 struct io_madvise madvise;
221c5eb2 476 };
2b188cc1 477
1a6b74fc 478 struct io_async_ctx *io;
e94f141b
JA		 479 union {
480 /*
481 * ring_file is only used in the submission path, and
482 * llist_node is only used for poll deferred completions
483 */
484 struct file *ring_file;
485 struct llist_node llist_node;
486 };
cf6fd4bd
PB		 487 int ring_fd;
488 bool has_user;
489 bool in_async;
490 bool needs_fixed_file;
d625c6ee 491 u8 opcode;
2b188cc1
JA		 492
493 struct io_ring_ctx *ctx;
eac406c6
JA		 494 union {
495 struct list_head list;
78076bb6 496 struct hlist_node hash_node;
eac406c6 497 };
9e645e11 498 struct list_head link_list;
2b188cc1 499 unsigned int flags;
c16361c1 500 refcount_t refs;
8449eeda 501#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 502#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 503#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 504#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 505#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
506#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 507#define REQ_F_LINK 64 /* linked sqes */
2665abfd 508#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 509#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 510#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 511#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 512#define REQ_F_ISREG 2048 /* regular file */
513#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 514#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 515#define REQ_F_INFLIGHT 16384 /* on inflight list */
516#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 517#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
ce35a47a 518#define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
ba04291e 519#define REQ_F_CUR_POS 262144 /* read/write uses file position */
2b188cc1 520 u64 user_data;
9e645e11 521 u32 result;
de0617e4 522 u32 sequence;
2b188cc1 523
fcb323cc
JA		 524 struct list_head inflight_entry;
525
561fb04a 526 struct io_wq_work work;
2b188cc1
JA		 527};
528
529#define IO_PLUG_THRESHOLD 2
def596e9 530#define IO_IOPOLL_BATCH 8
2b188cc1 531
9a56a232
JA		 532struct io_submit_state {
533 struct blk_plug plug;
534
2579f913
JA		 535 /*
536 * io_kiocb alloc cache
537 */
538 void *reqs[IO_IOPOLL_BATCH];
539 unsigned int free_reqs;
540 unsigned int cur_req;
541
9a56a232
JA		 542 /*
543 * File reference cache
544 */
545 struct file *file;
546 unsigned int fd;
547 unsigned int has_refs;
548 unsigned int used_refs;
549 unsigned int ios_left;
550};
551
d3656344
JA		 552struct io_op_def {
553 /* needs req->io allocated for deferral/async */
554 unsigned async_ctx : 1;
555 /* needs current->mm setup, does mm access */
556 unsigned needs_mm : 1;
557 /* needs req->file assigned */
558 unsigned needs_file : 1;
559 /* needs req->file assigned IFF fd is >= 0 */
560 unsigned fd_non_neg : 1;
561 /* hash wq insertion if file is a regular file */
562 unsigned hash_reg_file : 1;
563 /* unbound wq insertion if file is a non-regular file */
564 unsigned unbound_nonreg_file : 1;
565};
566
567static const struct io_op_def io_op_defs[] = {
568 {
569 /* IORING_OP_NOP */
570 },
571 {
572 /* IORING_OP_READV */
573 .async_ctx = 1,
574 .needs_mm = 1,
575 .needs_file = 1,
576 .unbound_nonreg_file = 1,
577 },
578 {
579 /* IORING_OP_WRITEV */
580 .async_ctx = 1,
581 .needs_mm = 1,
582 .needs_file = 1,
583 .hash_reg_file = 1,
584 .unbound_nonreg_file = 1,
585 },
586 {
587 /* IORING_OP_FSYNC */
588 .needs_file = 1,
589 },
590 {
591 /* IORING_OP_READ_FIXED */
592 .needs_file = 1,
593 .unbound_nonreg_file = 1,
594 },
595 {
596 /* IORING_OP_WRITE_FIXED */
597 .needs_file = 1,
598 .hash_reg_file = 1,
599 .unbound_nonreg_file = 1,
600 },
601 {
602 /* IORING_OP_POLL_ADD */
603 .needs_file = 1,
604 .unbound_nonreg_file = 1,
605 },
606 {
607 /* IORING_OP_POLL_REMOVE */
608 },
609 {
610 /* IORING_OP_SYNC_FILE_RANGE */
611 .needs_file = 1,
612 },
613 {
614 /* IORING_OP_SENDMSG */
615 .async_ctx = 1,
616 .needs_mm = 1,
617 .needs_file = 1,
618 .unbound_nonreg_file = 1,
619 },
620 {
621 /* IORING_OP_RECVMSG */
622 .async_ctx = 1,
623 .needs_mm = 1,
624 .needs_file = 1,
625 .unbound_nonreg_file = 1,
626 },
627 {
628 /* IORING_OP_TIMEOUT */
629 .async_ctx = 1,
630 .needs_mm = 1,
631 },
632 {
633 /* IORING_OP_TIMEOUT_REMOVE */
634 },
635 {
636 /* IORING_OP_ACCEPT */
637 .needs_mm = 1,
638 .needs_file = 1,
639 .unbound_nonreg_file = 1,
640 },
641 {
642 /* IORING_OP_ASYNC_CANCEL */
643 },
644 {
645 /* IORING_OP_LINK_TIMEOUT */
646 .async_ctx = 1,
647 .needs_mm = 1,
648 },
649 {
650 /* IORING_OP_CONNECT */
651 .async_ctx = 1,
652 .needs_mm = 1,
653 .needs_file = 1,
654 .unbound_nonreg_file = 1,
655 },
656 {
657 /* IORING_OP_FALLOCATE */
658 .needs_file = 1,
659 },
660 {
661 /* IORING_OP_OPENAT */
662 .needs_file = 1,
663 .fd_non_neg = 1,
664 },
665 {
666 /* IORING_OP_CLOSE */
667 .needs_file = 1,
668 },
669 {
670 /* IORING_OP_FILES_UPDATE */
671 .needs_mm = 1,
672 },
673 {
674 /* IORING_OP_STATX */
675 .needs_mm = 1,
676 .needs_file = 1,
677 .fd_non_neg = 1,
678 },
3a6820f2
JA		 679 {
680 /* IORING_OP_READ */
681 .needs_mm = 1,
682 .needs_file = 1,
683 .unbound_nonreg_file = 1,
684 },
685 {
686 /* IORING_OP_WRITE */
687 .needs_mm = 1,
688 .needs_file = 1,
689 .unbound_nonreg_file = 1,
690 },
4840e418
JA		 691 {
692 /* IORING_OP_FADVISE */
693 .needs_file = 1,
694 },
c1ca757b
JA		 695 {
696 /* IORING_OP_MADVISE */
697 .needs_mm = 1,
698 },
fddaface
JA		 699 {
700 /* IORING_OP_SEND */
701 .needs_mm = 1,
702 .needs_file = 1,
703 .unbound_nonreg_file = 1,
704 },
705 {
706 /* IORING_OP_RECV */
707 .needs_mm = 1,
708 .needs_file = 1,
709 .unbound_nonreg_file = 1,
710 },
d3656344
JA		 711};
712
561fb04a 713static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 714static void io_cqring_fill_event(struct io_kiocb *req, long res);
ec9c02ad 715static void io_put_req(struct io_kiocb *req);
978db57e 716static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 717static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
718static void io_queue_linked_timeout(struct io_kiocb *req);
05f3fb3c
JA		 719static int __io_sqe_files_update(struct io_ring_ctx *ctx,
720 struct io_uring_files_update *ip,
721 unsigned nr_args);
de0617e4 722
2b188cc1
JA		 723static struct kmem_cache *req_cachep;
724
725static const struct file_operations io_uring_fops;
726
727struct sock *io_uring_get_socket(struct file *file)
728{
729#if defined(CONFIG_UNIX)
730 if (file->f_op == &io_uring_fops) {
731 struct io_ring_ctx *ctx = file->private_data;
732
733 return ctx->ring_sock->sk;
734 }
735#endif
736 return NULL;
737}
738EXPORT_SYMBOL(io_uring_get_socket);
739
740static void io_ring_ctx_ref_free(struct percpu_ref *ref)
741{
742 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
743
206aefde 744 complete(&ctx->completions[0]);
2b188cc1
JA		 745}
746
747static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
748{
749 struct io_ring_ctx *ctx;
78076bb6 750 int hash_bits;
2b188cc1
JA		 751
752 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
753 if (!ctx)
754 return NULL;
755
0ddf92e8
JA		 756 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
757 if (!ctx->fallback_req)
758 goto err;
759
206aefde
JA		 760 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
761 if (!ctx->completions)
762 goto err;
763
78076bb6
JA		 764 /*
765 * Use 5 bits less than the max cq entries, that should give us around
766 * 32 entries per hash list if totally full and uniformly spread.
767 */
768 hash_bits = ilog2(p->cq_entries);
769 hash_bits -= 5;
770 if (hash_bits <= 0)
771 hash_bits = 1;
772 ctx->cancel_hash_bits = hash_bits;
773 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
774 GFP_KERNEL);
775 if (!ctx->cancel_hash)
776 goto err;
777 __hash_init(ctx->cancel_hash, 1U << hash_bits);
778
21482896 779 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 780 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
781 goto err;
2b188cc1
JA		 782
783 ctx->flags = p->flags;
784 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 785 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 786 init_completion(&ctx->completions[0]);
787 init_completion(&ctx->completions[1]);
2b188cc1
JA		 788 mutex_init(&ctx->uring_lock);
789 init_waitqueue_head(&ctx->wait);
790 spin_lock_init(&ctx->completion_lock);
e94f141b 791 init_llist_head(&ctx->poll_llist);
def596e9 792 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 793 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 794 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 795 init_waitqueue_head(&ctx->inflight_wait);
796 spin_lock_init(&ctx->inflight_lock);
797 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 798 return ctx;
206aefde 799err:
0ddf92e8
JA		 800 if (ctx->fallback_req)
801 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 802 kfree(ctx->completions);
78076bb6 803 kfree(ctx->cancel_hash);
206aefde
JA		 804 kfree(ctx);
805 return NULL;
2b188cc1
JA		 806}
807
9d858b21 808static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 809{
a197f664
JL		 810 struct io_ring_ctx *ctx = req->ctx;
811
498ccd9e
JA		 812 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
813 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 814}
815
9d858b21 816static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 817{
9d858b21
BL		 818 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
819 return __req_need_defer(req);
de0617e4 820
9d858b21 821 return false;
de0617e4
JA		 822}
823
7adf4eaf 824static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 825{
826 struct io_kiocb *req;
827
7adf4eaf 828 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 829 if (req && !req_need_defer(req)) {
de0617e4
JA		 830 list_del_init(&req->list);
831 return req;
832 }
833
834 return NULL;
835}
836
5262f567
JA		 837static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
838{
7adf4eaf
JA		 839 struct io_kiocb *req;
840
841 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 842 if (req) {
843 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
844 return NULL;
fb4b3d3f 845 if (!__req_need_defer(req)) {
93bd25bb
JA		 846 list_del_init(&req->list);
847 return req;
848 }
7adf4eaf
JA		 849 }
850
851 return NULL;
5262f567
JA		 852}
853
de0617e4 854static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 855{
75b28aff 856 struct io_rings *rings = ctx->rings;
2b188cc1 857
75b28aff 858 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 859 /* order cqe stores with ring update */
75b28aff 860 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 861
2b188cc1
JA		 862 if (wq_has_sleeper(&ctx->cq_wait)) {
863 wake_up_interruptible(&ctx->cq_wait);
864 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
865 }
866 }
867}
868
94ae5e77
JA		 869static inline bool io_prep_async_work(struct io_kiocb *req,
870 struct io_kiocb **link)
18d9be1a 871{
d3656344 872 const struct io_op_def *def = &io_op_defs[req->opcode];
561fb04a 873 bool do_hashed = false;
54a91f3b 874
d3656344
JA		 875 if (req->flags & REQ_F_ISREG) {
876 if (def->hash_reg_file)
3529d8c2 877 do_hashed = true;
d3656344
JA		 878 } else {
879 if (def->unbound_nonreg_file)
3529d8c2 880 req->work.flags |= IO_WQ_WORK_UNBOUND;
54a91f3b 881 }
d3656344 882 if (def->needs_mm)
3529d8c2 883 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b 884
94ae5e77 885 *link = io_prep_linked_timeout(req);
561fb04a
JA		 886 return do_hashed;
887}
888
a197f664 889static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 890{
a197f664 891 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 892 struct io_kiocb *link;
893 bool do_hashed;
894
895 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 896
897 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
898 req->flags);
899 if (!do_hashed) {
900 io_wq_enqueue(ctx->io_wq, &req->work);
901 } else {
902 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
903 file_inode(req->file));
904 }
94ae5e77
JA		 905
906 if (link)
907 io_queue_linked_timeout(link);
18d9be1a
JA		 908}
909
5262f567
JA		 910static void io_kill_timeout(struct io_kiocb *req)
911{
912 int ret;
913
2d28390a 914 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 915 if (ret != -1) {
916 atomic_inc(&req->ctx->cq_timeouts);
842f9612 917 list_del_init(&req->list);
78e19bbe 918 io_cqring_fill_event(req, 0);
ec9c02ad 919 io_put_req(req);
5262f567
JA		 920 }
921}
922
923static void io_kill_timeouts(struct io_ring_ctx *ctx)
924{
925 struct io_kiocb *req, *tmp;
926
927 spin_lock_irq(&ctx->completion_lock);
928 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
929 io_kill_timeout(req);
930 spin_unlock_irq(&ctx->completion_lock);
931}
932
de0617e4
JA		 933static void io_commit_cqring(struct io_ring_ctx *ctx)
934{
935 struct io_kiocb *req;
936
5262f567
JA		 937 while ((req = io_get_timeout_req(ctx)) != NULL)
938 io_kill_timeout(req);
939
de0617e4
JA		 940 __io_commit_cqring(ctx);
941
942 while ((req = io_get_deferred_req(ctx)) != NULL) {
943 req->flags |= REQ_F_IO_DRAINED;
a197f664 944 io_queue_async_work(req);
de0617e4
JA		 945 }
946}
947
2b188cc1
JA		 948static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
949{
75b28aff 950 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 951 unsigned tail;
952
953 tail = ctx->cached_cq_tail;
115e12e5
SB		 954 /*
955 * writes to the cq entry need to come after reading head; the
956 * control dependency is enough as we're using WRITE_ONCE to
957 * fill the cq entry
958 */
75b28aff 959 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 960 return NULL;
961
962 ctx->cached_cq_tail++;
75b28aff 963 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 964}
965
1d7bb1d5
JA		 966static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
967{
968 if (waitqueue_active(&ctx->wait))
969 wake_up(&ctx->wait);
970 if (waitqueue_active(&ctx->sqo_wait))
971 wake_up(&ctx->sqo_wait);
972 if (ctx->cq_ev_fd)
973 eventfd_signal(ctx->cq_ev_fd, 1);
974}
975
c4a2ed72
JA		 976/* Returns true if there are no backlogged entries after the flush */
977static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 978{
979 struct io_rings *rings = ctx->rings;
980 struct io_uring_cqe *cqe;
981 struct io_kiocb *req;
982 unsigned long flags;
983 LIST_HEAD(list);
984
985 if (!force) {
986 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 987 return true;
1d7bb1d5
JA		 988 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
989 rings->cq_ring_entries))
c4a2ed72 990 return false;
1d7bb1d5
JA		 991 }
992
993 spin_lock_irqsave(&ctx->completion_lock, flags);
994
995 /* if force is set, the ring is going away. always drop after that */
996 if (force)
69b3e546 997 ctx->cq_overflow_flushed = 1;
1d7bb1d5 998
c4a2ed72 999 cqe = NULL;
1d7bb1d5
JA		 1000 while (!list_empty(&ctx->cq_overflow_list)) {
1001 cqe = io_get_cqring(ctx);
1002 if (!cqe && !force)
1003 break;
1004
1005 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1006 list);
1007 list_move(&req->list, &list);
1008 if (cqe) {
1009 WRITE_ONCE(cqe->user_data, req->user_data);
1010 WRITE_ONCE(cqe->res, req->result);
1011 WRITE_ONCE(cqe->flags, 0);
1012 } else {
1013 WRITE_ONCE(ctx->rings->cq_overflow,
1014 atomic_inc_return(&ctx->cached_cq_overflow));
1015 }
1016 }
1017
1018 io_commit_cqring(ctx);
ad3eb2c8
JA		 1019 if (cqe) {
1020 clear_bit(0, &ctx->sq_check_overflow);
1021 clear_bit(0, &ctx->cq_check_overflow);
1022 }
1d7bb1d5
JA		 1023 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1024 io_cqring_ev_posted(ctx);
1025
1026 while (!list_empty(&list)) {
1027 req = list_first_entry(&list, struct io_kiocb, list);
1028 list_del(&req->list);
ec9c02ad 1029 io_put_req(req);
1d7bb1d5 1030 }
c4a2ed72
JA		 1031
1032 return cqe != NULL;
1d7bb1d5
JA		 1033}
1034
78e19bbe 1035static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 1036{
78e19bbe 1037 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1038 struct io_uring_cqe *cqe;
1039
78e19bbe 1040 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 1041
2b188cc1
JA		 1042 /*
1043 * If we can't get a cq entry, userspace overflowed the
1044 * submission (by quite a lot). Increment the overflow count in
1045 * the ring.
1046 */
1047 cqe = io_get_cqring(ctx);
1d7bb1d5 1048 if (likely(cqe)) {
78e19bbe 1049 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 1050 WRITE_ONCE(cqe->res, res);
c71ffb67 1051 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 1052 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 1053 WRITE_ONCE(ctx->rings->cq_overflow,
1054 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5 1055 } else {
ad3eb2c8
JA		 1056 if (list_empty(&ctx->cq_overflow_list)) {
1057 set_bit(0, &ctx->sq_check_overflow);
1058 set_bit(0, &ctx->cq_check_overflow);
1059 }
1d7bb1d5
JA		 1060 refcount_inc(&req->refs);
1061 req->result = res;
1062 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 1063 }
1064}
1065
78e19bbe 1066static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 1067{
78e19bbe 1068 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1069 unsigned long flags;
1070
1071 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 1072 io_cqring_fill_event(req, res);
2b188cc1
JA		 1073 io_commit_cqring(ctx);
1074 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1075
8c838788 1076 io_cqring_ev_posted(ctx);
2b188cc1
JA		 1077}
1078
0ddf92e8
JA		 1079static inline bool io_is_fallback_req(struct io_kiocb *req)
1080{
1081 return req == (struct io_kiocb *)
1082 ((unsigned long) req->ctx->fallback_req & ~1UL);
1083}
1084
1085static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1086{
1087 struct io_kiocb *req;
1088
1089 req = ctx->fallback_req;
1090 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1091 return req;
1092
1093 return NULL;
1094}
1095
2579f913
JA		 1096static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1097 struct io_submit_state *state)
2b188cc1 1098{
fd6fab2c 1099 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 1100 struct io_kiocb *req;
1101
2579f913 1102 if (!state) {
fd6fab2c 1103 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 1104 if (unlikely(!req))
0ddf92e8 1105 goto fallback;
2579f913
JA		 1106 } else if (!state->free_reqs) {
1107 size_t sz;
1108 int ret;
1109
1110 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 1111 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1112
1113 /*
1114 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1115 * retry single alloc to be on the safe side.
1116 */
1117 if (unlikely(ret <= 0)) {
1118 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1119 if (!state->reqs[0])
0ddf92e8 1120 goto fallback;
fd6fab2c
JA		 1121 ret = 1;
1122 }
2579f913
JA		 1123 state->free_reqs = ret - 1;
1124 state->cur_req = 1;
1125 req = state->reqs[0];
1126 } else {
1127 req = state->reqs[state->cur_req];
1128 state->free_reqs--;
1129 state->cur_req++;
2b188cc1
JA		 1130 }
1131
0ddf92e8 1132got_it:
1a6b74fc 1133 req->io = NULL;
cf6fd4bd 1134 req->ring_file = NULL;
60c112b0 1135 req->file = NULL;
2579f913
JA		 1136 req->ctx = ctx;
1137 req->flags = 0;
e65ef56d
JA		 1138 /* one is dropped after submission, the other at completion */
1139 refcount_set(&req->refs, 2);
9e645e11 1140 req->result = 0;
561fb04a 1141 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 1142 return req;
0ddf92e8
JA		 1143fallback:
1144 req = io_get_fallback_req(ctx);
1145 if (req)
1146 goto got_it;
6805b32e 1147 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 1148 return NULL;
1149}
1150
2b85edfc
PB		 1151static void __io_req_do_free(struct io_kiocb *req)
1152{
1153 if (likely(!io_is_fallback_req(req)))
1154 kmem_cache_free(req_cachep, req);
1155 else
1156 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1157}
1158
c6ca97b3 1159static void __io_req_aux_free(struct io_kiocb *req)
2b188cc1 1160{
fcb323cc
JA		 1161 struct io_ring_ctx *ctx = req->ctx;
1162
96fd84d8 1163 kfree(req->io);
05f3fb3c
JA		 1164 if (req->file) {
1165 if (req->flags & REQ_F_FIXED_FILE)
1166 percpu_ref_put(&ctx->file_data->refs);
1167 else
1168 fput(req->file);
1169 }
c6ca97b3
JA		 1170}
1171
1172static void __io_free_req(struct io_kiocb *req)
1173{
1174 __io_req_aux_free(req);
1175
fcb323cc 1176 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3 1177 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 1178 unsigned long flags;
1179
1180 spin_lock_irqsave(&ctx->inflight_lock, flags);
1181 list_del(&req->inflight_entry);
1182 if (waitqueue_active(&ctx->inflight_wait))
1183 wake_up(&ctx->inflight_wait);
1184 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1185 }
2b85edfc
PB		 1186
1187 percpu_ref_put(&req->ctx->refs);
1188 __io_req_do_free(req);
e65ef56d
JA		 1189}
1190
c6ca97b3
JA		 1191struct req_batch {
1192 void *reqs[IO_IOPOLL_BATCH];
1193 int to_free;
1194 int need_iter;
1195};
1196
1197static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1198{
1199 if (!rb->to_free)
1200 return;
1201 if (rb->need_iter) {
1202 int i, inflight = 0;
1203 unsigned long flags;
1204
1205 for (i = 0; i < rb->to_free; i++) {
1206 struct io_kiocb *req = rb->reqs[i];
1207
1208 if (req->flags & REQ_F_FIXED_FILE)
1209 req->file = NULL;
1210 if (req->flags & REQ_F_INFLIGHT)
1211 inflight++;
1212 else
1213 rb->reqs[i] = NULL;
1214 __io_req_aux_free(req);
1215 }
1216 if (!inflight)
1217 goto do_free;
1218
1219 spin_lock_irqsave(&ctx->inflight_lock, flags);
1220 for (i = 0; i < rb->to_free; i++) {
1221 struct io_kiocb *req = rb->reqs[i];
1222
1223 if (req) {
1224 list_del(&req->inflight_entry);
1225 if (!--inflight)
1226 break;
1227 }
1228 }
1229 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1230
1231 if (waitqueue_active(&ctx->inflight_wait))
1232 wake_up(&ctx->inflight_wait);
1233 }
1234do_free:
1235 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1236 percpu_ref_put_many(&ctx->refs, rb->to_free);
1237 percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
1238 rb->to_free = rb->need_iter = 0;
1239}
1240
a197f664 1241static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 1242{
a197f664 1243 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1244 int ret;
1245
2d28390a 1246 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 1247 if (ret != -1) {
78e19bbe 1248 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 1249 io_commit_cqring(ctx);
1250 req->flags &= ~REQ_F_LINK;
ec9c02ad 1251 io_put_req(req);
2665abfd
JA		 1252 return true;
1253 }
1254
1255 return false;
e65ef56d
JA		 1256}
1257
ba816ad6 1258static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 1259{
2665abfd 1260 struct io_ring_ctx *ctx = req->ctx;
2665abfd 1261 bool wake_ev = false;
9e645e11 1262
4d7dd462
JA		 1263 /* Already got next link */
1264 if (req->flags & REQ_F_LINK_NEXT)
1265 return;
1266
9e645e11
JA		 1267 /*
1268 * The list should never be empty when we are called here. But could
1269 * potentially happen if the chain is messed up, check to be on the
1270 * safe side.
1271 */
4493233e
PB		 1272 while (!list_empty(&req->link_list)) {
1273 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1274 struct io_kiocb, link_list);
94ae5e77 1275
4493233e
PB		 1276 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1277 (nxt->flags & REQ_F_TIMEOUT))) {
1278 list_del_init(&nxt->link_list);
94ae5e77 1279 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 1280 req->flags &= ~REQ_F_LINK_TIMEOUT;
1281 continue;
1282 }
9e645e11 1283
4493233e
PB		 1284 list_del_init(&req->link_list);
1285 if (!list_empty(&nxt->link_list))
1286 nxt->flags |= REQ_F_LINK;
b18fdf71 1287 *nxtptr = nxt;
94ae5e77 1288 break;
9e645e11 1289 }
2665abfd 1290
4d7dd462 1291 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1292 if (wake_ev)
1293 io_cqring_ev_posted(ctx);
9e645e11
JA		 1294}
1295
1296/*
1297 * Called if REQ_F_LINK is set, and we fail the head request
1298 */
1299static void io_fail_links(struct io_kiocb *req)
1300{
2665abfd 1301 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1302 unsigned long flags;
1303
1304 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1305
1306 while (!list_empty(&req->link_list)) {
4493233e
PB		 1307 struct io_kiocb *link = list_first_entry(&req->link_list,
1308 struct io_kiocb, link_list);
9e645e11 1309
4493233e 1310 list_del_init(&link->link_list);
c826bd7a 1311 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1312
1313 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1314 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1315 io_link_cancel_timeout(link);
2665abfd 1316 } else {
78e19bbe 1317 io_cqring_fill_event(link, -ECANCELED);
978db57e 1318 __io_double_put_req(link);
2665abfd 1319 }
5d960724 1320 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1321 }
2665abfd
JA		 1322
1323 io_commit_cqring(ctx);
1324 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1325 io_cqring_ev_posted(ctx);
9e645e11
JA		 1326}
1327
4d7dd462 1328static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1329{
4d7dd462 1330 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1331 return;
2665abfd 1332
9e645e11
JA		 1333 /*
1334 * If LINK is set, we have dependent requests in this chain. If we
1335 * didn't fail this request, queue the first one up, moving any other
1336 * dependencies to the next request. In case of failure, fail the rest
1337 * of the chain.
1338 */
2665abfd
JA		 1339 if (req->flags & REQ_F_FAIL_LINK) {
1340 io_fail_links(req);
7c9e7f0f
JA		 1341 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1342 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1343 struct io_ring_ctx *ctx = req->ctx;
1344 unsigned long flags;
1345
1346 /*
1347 * If this is a timeout link, we could be racing with the
1348 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1349 * protect against that.
2665abfd
JA		 1350 */
1351 spin_lock_irqsave(&ctx->completion_lock, flags);
1352 io_req_link_next(req, nxt);
1353 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1354 } else {
1355 io_req_link_next(req, nxt);
9e645e11 1356 }
4d7dd462 1357}
9e645e11 1358
c69f8dbe
JL		 1359static void io_free_req(struct io_kiocb *req)
1360{
944e58bf
PB		 1361 struct io_kiocb *nxt = NULL;
1362
1363 io_req_find_next(req, &nxt);
70cf9f32 1364 __io_free_req(req);
944e58bf
PB		 1365
1366 if (nxt)
1367 io_queue_async_work(nxt);
c69f8dbe
JL		 1368}
1369
ba816ad6
JA		 1370/*
1371 * Drop reference to request, return next in chain (if there is one) if this
1372 * was the last reference to this request.
1373 */
f9bd67f6 1374__attribute__((nonnull))
ec9c02ad 1375static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1376{
f9bd67f6 1377 io_req_find_next(req, nxtptr);
4d7dd462 1378
e65ef56d 1379 if (refcount_dec_and_test(&req->refs))
4d7dd462 1380 __io_free_req(req);
2b188cc1
JA		 1381}
1382
e65ef56d
JA		 1383static void io_put_req(struct io_kiocb *req)
1384{
1385 if (refcount_dec_and_test(&req->refs))
1386 io_free_req(req);
2b188cc1
JA		 1387}
1388
978db57e
JA		 1389/*
1390 * Must only be used if we don't need to care about links, usually from
1391 * within the completion handling itself.
1392 */
1393static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1394{
1395 /* drop both submit and complete references */
1396 if (refcount_sub_and_test(2, &req->refs))
1397 __io_free_req(req);
1398}
1399
978db57e
JA		 1400static void io_double_put_req(struct io_kiocb *req)
1401{
1402 /* drop both submit and complete references */
1403 if (refcount_sub_and_test(2, &req->refs))
1404 io_free_req(req);
1405}
1406
1d7bb1d5 1407static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1408{
84f97dc2
JA		 1409 struct io_rings *rings = ctx->rings;
1410
ad3eb2c8
JA		 1411 if (test_bit(0, &ctx->cq_check_overflow)) {
1412 /*
1413 * noflush == true is from the waitqueue handler, just ensure
1414 * we wake up the task, and the next invocation will flush the
1415 * entries. We cannot safely to it from here.
1416 */
1417 if (noflush && !list_empty(&ctx->cq_overflow_list))
1418 return -1U;
1d7bb1d5 1419
ad3eb2c8
JA		 1420 io_cqring_overflow_flush(ctx, false);
1421 }
1d7bb1d5 1422
a3a0e43f
JA		 1423 /* See comment at the top of this file */
1424 smp_rmb();
ad3eb2c8 1425 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1426}
1427
fb5ccc98
PB		 1428static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1429{
1430 struct io_rings *rings = ctx->rings;
1431
1432 /* make sure SQ entry isn't read before tail */
1433 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1434}
1435
8237e045 1436static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
e94f141b 1437{
c6ca97b3
JA		 1438 if ((req->flags & REQ_F_LINK) || io_is_fallback_req(req))
1439 return false;
e94f141b 1440
c6ca97b3
JA		 1441 if (!(req->flags & REQ_F_FIXED_FILE) || req->io)
1442 rb->need_iter++;
1443
1444 rb->reqs[rb->to_free++] = req;
1445 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1446 io_free_req_many(req->ctx, rb);
1447 return true;
e94f141b
JA		 1448}
1449
def596e9
JA		 1450/*
1451 * Find and free completed poll iocbs
1452 */
1453static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1454 struct list_head *done)
1455{
8237e045 1456 struct req_batch rb;
def596e9 1457 struct io_kiocb *req;
def596e9 1458
c6ca97b3 1459 rb.to_free = rb.need_iter = 0;
def596e9
JA		 1460 while (!list_empty(done)) {
1461 req = list_first_entry(done, struct io_kiocb, list);
1462 list_del(&req->list);
1463
78e19bbe 1464 io_cqring_fill_event(req, req->result);
def596e9
JA		 1465 (*nr_events)++;
1466
8237e045
JA		 1467 if (refcount_dec_and_test(&req->refs) &&
1468 !io_req_multi_free(&rb, req))
1469 io_free_req(req);
def596e9 1470 }
def596e9 1471
09bb8394 1472 io_commit_cqring(ctx);
8237e045 1473 io_free_req_many(ctx, &rb);
def596e9
JA		 1474}
1475
1476static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1477 long min)
1478{
1479 struct io_kiocb *req, *tmp;
1480 LIST_HEAD(done);
1481 bool spin;
1482 int ret;
1483
1484 /*
1485 * Only spin for completions if we don't have multiple devices hanging
1486 * off our complete list, and we're under the requested amount.
1487 */
1488 spin = !ctx->poll_multi_file && *nr_events < min;
1489
1490 ret = 0;
1491 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1492 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1493
1494 /*
1495 * Move completed entries to our local list. If we find a
1496 * request that requires polling, break out and complete
1497 * the done list first, if we have entries there.
1498 */
1499 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1500 list_move_tail(&req->list, &done);
1501 continue;
1502 }
1503 if (!list_empty(&done))
1504 break;
1505
1506 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1507 if (ret < 0)
1508 break;
1509
1510 if (ret && spin)
1511 spin = false;
1512 ret = 0;
1513 }
1514
1515 if (!list_empty(&done))
1516 io_iopoll_complete(ctx, nr_events, &done);
1517
1518 return ret;
1519}
1520
1521/*
d195a66e 1522 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1523 * non-spinning poll check - we'll still enter the driver poll loop, but only
1524 * as a non-spinning completion check.
1525 */
1526static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1527 long min)
1528{
08f5439f 1529 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1530 int ret;
1531
1532 ret = io_do_iopoll(ctx, nr_events, min);
1533 if (ret < 0)
1534 return ret;
1535 if (!min || *nr_events >= min)
1536 return 0;
1537 }
1538
1539 return 1;
1540}
1541
1542/*
1543 * We can't just wait for polled events to come to us, we have to actively
1544 * find and complete them.
1545 */
1546static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1547{
1548 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1549 return;
1550
1551 mutex_lock(&ctx->uring_lock);
1552 while (!list_empty(&ctx->poll_list)) {
1553 unsigned int nr_events = 0;
1554
1555 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1556
1557 /*
1558 * Ensure we allow local-to-the-cpu processing to take place,
1559 * in this case we need to ensure that we reap all events.
1560 */
1561 cond_resched();
def596e9
JA		 1562 }
1563 mutex_unlock(&ctx->uring_lock);
1564}
1565
2b2ed975
JA		 1566static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1567 long min)
def596e9 1568{
2b2ed975 1569 int iters = 0, ret = 0;
500f9fba 1570
def596e9
JA		 1571 do {
1572 int tmin = 0;
1573
a3a0e43f
JA		 1574 /*
1575 * Don't enter poll loop if we already have events pending.
1576 * If we do, we can potentially be spinning for commands that
1577 * already triggered a CQE (eg in error).
1578 */
1d7bb1d5 1579 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1580 break;
1581
500f9fba
JA		 1582 /*
1583 * If a submit got punted to a workqueue, we can have the
1584 * application entering polling for a command before it gets
1585 * issued. That app will hold the uring_lock for the duration
1586 * of the poll right here, so we need to take a breather every
1587 * now and then to ensure that the issue has a chance to add
1588 * the poll to the issued list. Otherwise we can spin here
1589 * forever, while the workqueue is stuck trying to acquire the
1590 * very same mutex.
1591 */
1592 if (!(++iters & 7)) {
1593 mutex_unlock(&ctx->uring_lock);
1594 mutex_lock(&ctx->uring_lock);
1595 }
1596
def596e9
JA		 1597 if (*nr_events < min)
1598 tmin = min - *nr_events;
1599
1600 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1601 if (ret <= 0)
1602 break;
1603 ret = 0;
1604 } while (min && !*nr_events && !need_resched());
1605
2b2ed975
JA		 1606 return ret;
1607}
1608
1609static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1610 long min)
1611{
1612 int ret;
1613
1614 /*
1615 * We disallow the app entering submit/complete with polling, but we
1616 * still need to lock the ring to prevent racing with polled issue
1617 * that got punted to a workqueue.
1618 */
1619 mutex_lock(&ctx->uring_lock);
1620 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1621 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1622 return ret;
1623}
1624
491381ce 1625static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1626{
491381ce
JA		 1627 /*
1628 * Tell lockdep we inherited freeze protection from submission
1629 * thread.
1630 */
1631 if (req->flags & REQ_F_ISREG) {
1632 struct inode *inode = file_inode(req->file);
2b188cc1 1633
491381ce 1634 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1635 }
491381ce 1636 file_end_write(req->file);
2b188cc1
JA		 1637}
1638
4e88d6e7
JA		 1639static inline void req_set_fail_links(struct io_kiocb *req)
1640{
1641 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1642 req->flags |= REQ_F_FAIL_LINK;
1643}
1644
ba816ad6 1645static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1646{
9adbd45d 1647 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1648
491381ce
JA		 1649 if (kiocb->ki_flags & IOCB_WRITE)
1650 kiocb_end_write(req);
2b188cc1 1651
4e88d6e7
JA		 1652 if (res != req->result)
1653 req_set_fail_links(req);
78e19bbe 1654 io_cqring_add_event(req, res);
ba816ad6
JA		 1655}
1656
1657static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1658{
9adbd45d 1659 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1660
1661 io_complete_rw_common(kiocb, res);
e65ef56d 1662 io_put_req(req);
2b188cc1
JA		 1663}
1664
ba816ad6
JA		 1665static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1666{
9adbd45d 1667 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1668 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1669
1670 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1671 io_put_req_find_next(req, &nxt);
1672
1673 return nxt;
2b188cc1
JA		 1674}
1675
def596e9
JA		 1676static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1677{
9adbd45d 1678 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1679
491381ce
JA		 1680 if (kiocb->ki_flags & IOCB_WRITE)
1681 kiocb_end_write(req);
def596e9 1682
4e88d6e7
JA		 1683 if (res != req->result)
1684 req_set_fail_links(req);
9e645e11 1685 req->result = res;
def596e9
JA		 1686 if (res != -EAGAIN)
1687 req->flags |= REQ_F_IOPOLL_COMPLETED;
1688}
1689
1690/*
1691 * After the iocb has been issued, it's safe to be found on the poll list.
1692 * Adding the kiocb to the list AFTER submission ensures that we don't
1693 * find it from a io_iopoll_getevents() thread before the issuer is done
1694 * accessing the kiocb cookie.
1695 */
1696static void io_iopoll_req_issued(struct io_kiocb *req)
1697{
1698 struct io_ring_ctx *ctx = req->ctx;
1699
1700 /*
1701 * Track whether we have multiple files in our lists. This will impact
1702 * how we do polling eventually, not spinning if we're on potentially
1703 * different devices.
1704 */
1705 if (list_empty(&ctx->poll_list)) {
1706 ctx->poll_multi_file = false;
1707 } else if (!ctx->poll_multi_file) {
1708 struct io_kiocb *list_req;
1709
1710 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1711 list);
9adbd45d 1712 if (list_req->file != req->file)
def596e9
JA		 1713 ctx->poll_multi_file = true;
1714 }
1715
1716 /*
1717 * For fast devices, IO may have already completed. If it has, add
1718 * it to the front so we find it first.
1719 */
1720 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1721 list_add(&req->list, &ctx->poll_list);
1722 else
1723 list_add_tail(&req->list, &ctx->poll_list);
1724}
1725
3d6770fb 1726static void io_file_put(struct io_submit_state *state)
9a56a232 1727{
3d6770fb 1728 if (state->file) {
9a56a232
JA		 1729 int diff = state->has_refs - state->used_refs;
1730
1731 if (diff)
1732 fput_many(state->file, diff);
1733 state->file = NULL;
1734 }
1735}
1736
1737/*
1738 * Get as many references to a file as we have IOs left in this submission,
1739 * assuming most submissions are for one file, or at least that each file
1740 * has more than one submission.
1741 */
1742static struct file *io_file_get(struct io_submit_state *state, int fd)
1743{
1744 if (!state)
1745 return fget(fd);
1746
1747 if (state->file) {
1748 if (state->fd == fd) {
1749 state->used_refs++;
1750 state->ios_left--;
1751 return state->file;
1752 }
3d6770fb 1753 io_file_put(state);
9a56a232
JA		 1754 }
1755 state->file = fget_many(fd, state->ios_left);
1756 if (!state->file)
1757 return NULL;
1758
1759 state->fd = fd;
1760 state->has_refs = state->ios_left;
1761 state->used_refs = 1;
1762 state->ios_left--;
1763 return state->file;
1764}
1765
2b188cc1
JA		 1766/*
1767 * If we tracked the file through the SCM inflight mechanism, we could support
1768 * any file. For now, just ensure that anything potentially problematic is done
1769 * inline.
1770 */
1771static bool io_file_supports_async(struct file *file)
1772{
1773 umode_t mode = file_inode(file)->i_mode;
1774
10d59345 1775 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1776 return true;
1777 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1778 return true;
1779
1780 return false;
1781}
1782
3529d8c2
JA		 1783static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1784 bool force_nonblock)
2b188cc1 1785{
def596e9 1786 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1787 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1788 unsigned ioprio;
1789 int ret;
2b188cc1 1790
09bb8394
JA		 1791 if (!req->file)
1792 return -EBADF;
2b188cc1 1793
491381ce
JA		 1794 if (S_ISREG(file_inode(req->file)->i_mode))
1795 req->flags |= REQ_F_ISREG;
1796
2b188cc1 1797 kiocb->ki_pos = READ_ONCE(sqe->off);
ba04291e
JA		 1798 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1799 req->flags |= REQ_F_CUR_POS;
1800 kiocb->ki_pos = req->file->f_pos;
1801 }
2b188cc1
JA		 1802 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1803 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1804
1805 ioprio = READ_ONCE(sqe->ioprio);
1806 if (ioprio) {
1807 ret = ioprio_check_cap(ioprio);
1808 if (ret)
09bb8394 1809 return ret;
2b188cc1
JA		 1810
1811 kiocb->ki_ioprio = ioprio;
1812 } else
1813 kiocb->ki_ioprio = get_current_ioprio();
1814
1815 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1816 if (unlikely(ret))
09bb8394 1817 return ret;
8449eeda
SB		 1818
1819 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1820 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1821 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1822 req->flags |= REQ_F_NOWAIT;
1823
1824 if (force_nonblock)
2b188cc1 1825 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1826
def596e9 1827 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1828 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1829 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1830 return -EOPNOTSUPP;
2b188cc1 1831
def596e9
JA		 1832 kiocb->ki_flags |= IOCB_HIPRI;
1833 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1834 req->result = 0;
def596e9 1835 } else {
09bb8394
JA		 1836 if (kiocb->ki_flags & IOCB_HIPRI)
1837 return -EINVAL;
def596e9
JA		 1838 kiocb->ki_complete = io_complete_rw;
1839 }
9adbd45d 1840
3529d8c2
JA		 1841 req->rw.addr = READ_ONCE(sqe->addr);
1842 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1843 /* we own ->private, reuse it for the buffer index */
1844 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1845 READ_ONCE(sqe->buf_index);
2b188cc1 1846 return 0;
2b188cc1
JA		 1847}
1848
1849static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1850{
1851 switch (ret) {
1852 case -EIOCBQUEUED:
1853 break;
1854 case -ERESTARTSYS:
1855 case -ERESTARTNOINTR:
1856 case -ERESTARTNOHAND:
1857 case -ERESTART_RESTARTBLOCK:
1858 /*
1859 * We can't just restart the syscall, since previously
1860 * submitted sqes may already be in progress. Just fail this
1861 * IO with EINTR.
1862 */
1863 ret = -EINTR;
1864 /* fall through */
1865 default:
1866 kiocb->ki_complete(kiocb, ret, 0);
1867 }
1868}
1869
ba816ad6
JA		 1870static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1871 bool in_async)
1872{
ba04291e
JA		 1873 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1874
1875 if (req->flags & REQ_F_CUR_POS)
1876 req->file->f_pos = kiocb->ki_pos;
f9bd67f6 1877 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1878 *nxt = __io_complete_rw(kiocb, ret);
1879 else
1880 io_rw_done(kiocb, ret);
1881}
1882
9adbd45d 1883static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 1884 struct iov_iter *iter)
edafccee 1885{
9adbd45d
JA		 1886 struct io_ring_ctx *ctx = req->ctx;
1887 size_t len = req->rw.len;
edafccee
JA		 1888 struct io_mapped_ubuf *imu;
1889 unsigned index, buf_index;
1890 size_t offset;
1891 u64 buf_addr;
1892
1893 /* attempt to use fixed buffers without having provided iovecs */
1894 if (unlikely(!ctx->user_bufs))
1895 return -EFAULT;
1896
9adbd45d 1897 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 1898 if (unlikely(buf_index >= ctx->nr_user_bufs))
1899 return -EFAULT;
1900
1901 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1902 imu = &ctx->user_bufs[index];
9adbd45d 1903 buf_addr = req->rw.addr;
edafccee
JA		 1904
1905 /* overflow */
1906 if (buf_addr + len < buf_addr)
1907 return -EFAULT;
1908 /* not inside the mapped region */
1909 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1910 return -EFAULT;
1911
1912 /*
1913 * May not be a start of buffer, set size appropriately
1914 * and advance us to the beginning.
1915 */
1916 offset = buf_addr - imu->ubuf;
1917 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1918
1919 if (offset) {
1920 /*
1921 * Don't use iov_iter_advance() here, as it's really slow for
1922 * using the latter parts of a big fixed buffer - it iterates
1923 * over each segment manually. We can cheat a bit here, because
1924 * we know that:
1925 *
1926 * 1) it's a BVEC iter, we set it up
1927 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1928 * first and last bvec
1929 *
1930 * So just find our index, and adjust the iterator afterwards.
1931 * If the offset is within the first bvec (or the whole first
1932 * bvec, just use iov_iter_advance(). This makes it easier
1933 * since we can just skip the first segment, which may not
1934 * be PAGE_SIZE aligned.
1935 */
1936 const struct bio_vec *bvec = imu->bvec;
1937
1938 if (offset <= bvec->bv_len) {
1939 iov_iter_advance(iter, offset);
1940 } else {
1941 unsigned long seg_skip;
1942
1943 /* skip first vec */
1944 offset -= bvec->bv_len;
1945 seg_skip = 1 + (offset >> PAGE_SHIFT);
1946
1947 iter->bvec = bvec + seg_skip;
1948 iter->nr_segs -= seg_skip;
99c79f66 1949 iter->count -= bvec->bv_len + offset;
bd11b3a3 1950 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1951 }
1952 }
1953
5e559561 1954 return len;
edafccee
JA		 1955}
1956
cf6fd4bd
PB		 1957static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1958 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1959{
9adbd45d
JA		 1960 void __user *buf = u64_to_user_ptr(req->rw.addr);
1961 size_t sqe_len = req->rw.len;
edafccee
JA		 1962 u8 opcode;
1963
d625c6ee 1964 opcode = req->opcode;
7d009165 1965 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1966 *iovec = NULL;
9adbd45d 1967 return io_import_fixed(req, rw, iter);
edafccee 1968 }
2b188cc1 1969
9adbd45d
JA		 1970 /* buffer index only valid with fixed read/write */
1971 if (req->rw.kiocb.private)
1972 return -EINVAL;
1973
3a6820f2
JA		 1974 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
1975 ssize_t ret;
1976 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
1977 *iovec = NULL;
1978 return ret;
1979 }
1980
f67676d1
JA		 1981 if (req->io) {
1982 struct io_async_rw *iorw = &req->io->rw;
1983
1984 *iovec = iorw->iov;
1985 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1986 if (iorw->iov == iorw->fast_iov)
1987 *iovec = NULL;
1988 return iorw->size;
1989 }
1990
cf6fd4bd 1991 if (!req->has_user)
2b188cc1
JA		 1992 return -EFAULT;
1993
1994#ifdef CONFIG_COMPAT
cf6fd4bd 1995 if (req->ctx->compat)
2b188cc1
JA		 1996 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1997 iovec, iter);
1998#endif
1999
2000 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2001}
2002
31b51510 2003/*
32960613
JA		 2004 * For files that don't have ->read_iter() and ->write_iter(), handle them
2005 * by looping over ->read() or ->write() manually.
31b51510 2006 */
32960613
JA		 2007static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2008 struct iov_iter *iter)
2009{
2010 ssize_t ret = 0;
2011
2012 /*
2013 * Don't support polled IO through this interface, and we can't
2014 * support non-blocking either. For the latter, this just causes
2015 * the kiocb to be handled from an async context.
2016 */
2017 if (kiocb->ki_flags & IOCB_HIPRI)
2018 return -EOPNOTSUPP;
2019 if (kiocb->ki_flags & IOCB_NOWAIT)
2020 return -EAGAIN;
2021
2022 while (iov_iter_count(iter)) {
311ae9e1 2023 struct iovec iovec;
32960613
JA		 2024 ssize_t nr;
2025
311ae9e1
PB		 2026 if (!iov_iter_is_bvec(iter)) {
2027 iovec = iov_iter_iovec(iter);
2028 } else {
2029 /* fixed buffers import bvec */
2030 iovec.iov_base = kmap(iter->bvec->bv_page)
2031 + iter->iov_offset;
2032 iovec.iov_len = min(iter->count,
2033 iter->bvec->bv_len - iter->iov_offset);
2034 }
2035
32960613
JA		 2036 if (rw == READ) {
2037 nr = file->f_op->read(file, iovec.iov_base,
2038 iovec.iov_len, &kiocb->ki_pos);
2039 } else {
2040 nr = file->f_op->write(file, iovec.iov_base,
2041 iovec.iov_len, &kiocb->ki_pos);
2042 }
2043
311ae9e1
PB		 2044 if (iov_iter_is_bvec(iter))
2045 kunmap(iter->bvec->bv_page);
2046
32960613
JA		 2047 if (nr < 0) {
2048 if (!ret)
2049 ret = nr;
2050 break;
2051 }
2052 ret += nr;
2053 if (nr != iovec.iov_len)
2054 break;
2055 iov_iter_advance(iter, nr);
2056 }
2057
2058 return ret;
2059}
2060
b7bb4f7d 2061static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 2062 struct iovec *iovec, struct iovec *fast_iov,
2063 struct iov_iter *iter)
2064{
2065 req->io->rw.nr_segs = iter->nr_segs;
2066 req->io->rw.size = io_size;
2067 req->io->rw.iov = iovec;
2068 if (!req->io->rw.iov) {
2069 req->io->rw.iov = req->io->rw.fast_iov;
2070 memcpy(req->io->rw.iov, fast_iov,
2071 sizeof(struct iovec) * iter->nr_segs);
2072 }
2073}
2074
b7bb4f7d 2075static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1 2076{
d3656344
JA		 2077 if (!io_op_defs[req->opcode].async_ctx)
2078 return 0;
f67676d1 2079 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 2080 return req->io == NULL;
b7bb4f7d
JA		 2081}
2082
2083static void io_rw_async(struct io_wq_work **workptr)
2084{
2085 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2086 struct iovec *iov = NULL;
2087
2088 if (req->io->rw.iov != req->io->rw.fast_iov)
2089 iov = req->io->rw.iov;
2090 io_wq_submit_work(workptr);
2091 kfree(iov);
2092}
2093
2094static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2095 struct iovec *iovec, struct iovec *fast_iov,
2096 struct iov_iter *iter)
2097{
74566df3
JA		 2098 if (req->opcode == IORING_OP_READ_FIXED ||
2099 req->opcode == IORING_OP_WRITE_FIXED)
2100 return 0;
b7bb4f7d
JA		 2101 if (!req->io && io_alloc_async_ctx(req))
2102 return -ENOMEM;
2103
2104 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2105 req->work.func = io_rw_async;
2106 return 0;
f67676d1
JA		 2107}
2108
3529d8c2
JA		 2109static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2110 bool force_nonblock)
f67676d1 2111{
3529d8c2
JA		 2112 struct io_async_ctx *io;
2113 struct iov_iter iter;
f67676d1
JA		 2114 ssize_t ret;
2115
3529d8c2
JA		 2116 ret = io_prep_rw(req, sqe, force_nonblock);
2117 if (ret)
2118 return ret;
f67676d1 2119
3529d8c2
JA		 2120 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2121 return -EBADF;
f67676d1 2122
3529d8c2
JA		 2123 if (!req->io)
2124 return 0;
2125
2126 io = req->io;
2127 io->rw.iov = io->rw.fast_iov;
2128 req->io = NULL;
2129 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2130 req->io = io;
2131 if (ret < 0)
2132 return ret;
2133
2134 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2135 return 0;
f67676d1
JA		 2136}
2137
267bc904 2138static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2139 bool force_nonblock)
2b188cc1
JA		 2140{
2141 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2142 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2143 struct iov_iter iter;
31b51510 2144 size_t iov_count;
f67676d1 2145 ssize_t io_size, ret;
2b188cc1 2146
3529d8c2 2147 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 2148 if (ret < 0)
2149 return ret;
2b188cc1 2150
fd6c2e4c
JA		 2151 /* Ensure we clear previously set non-block flag */
2152 if (!force_nonblock)
9adbd45d 2153 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2154
797f3f53 2155 req->result = 0;
f67676d1 2156 io_size = ret;
9e645e11 2157 if (req->flags & REQ_F_LINK)
f67676d1
JA		 2158 req->result = io_size;
2159
2160 /*
2161 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2162 * we know to async punt it even if it was opened O_NONBLOCK
2163 */
9adbd45d 2164 if (force_nonblock && !io_file_supports_async(req->file)) {
f67676d1
JA		 2165 req->flags |= REQ_F_MUST_PUNT;
2166 goto copy_iov;
2167 }
9e645e11 2168
31b51510 2169 iov_count = iov_iter_count(&iter);
9adbd45d 2170 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 2171 if (!ret) {
2172 ssize_t ret2;
2173
9adbd45d
JA		 2174 if (req->file->f_op->read_iter)
2175 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 2176 else
9adbd45d 2177 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 2178
9d93a3f5 2179 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 2180 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2181 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2182 } else {
2183copy_iov:
b7bb4f7d 2184 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2185 inline_vecs, &iter);
2186 if (ret)
2187 goto out_free;
2188 return -EAGAIN;
2189 }
2b188cc1 2190 }
f67676d1 2191out_free:
b7bb4f7d
JA		 2192 if (!io_wq_current_is_worker())
2193 kfree(iovec);
2b188cc1
JA		 2194 return ret;
2195}
2196
3529d8c2
JA		 2197static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2198 bool force_nonblock)
f67676d1 2199{
3529d8c2
JA		 2200 struct io_async_ctx *io;
2201 struct iov_iter iter;
f67676d1
JA		 2202 ssize_t ret;
2203
3529d8c2
JA		 2204 ret = io_prep_rw(req, sqe, force_nonblock);
2205 if (ret)
2206 return ret;
f67676d1 2207
3529d8c2
JA		 2208 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2209 return -EBADF;
f67676d1 2210
3529d8c2
JA		 2211 if (!req->io)
2212 return 0;
2213
2214 io = req->io;
2215 io->rw.iov = io->rw.fast_iov;
2216 req->io = NULL;
2217 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2218 req->io = io;
2219 if (ret < 0)
2220 return ret;
2221
2222 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2223 return 0;
f67676d1
JA		 2224}
2225
267bc904 2226static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2227 bool force_nonblock)
2b188cc1
JA		 2228{
2229 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2230 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2231 struct iov_iter iter;
31b51510 2232 size_t iov_count;
f67676d1 2233 ssize_t ret, io_size;
2b188cc1 2234
3529d8c2 2235 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 2236 if (ret < 0)
2237 return ret;
2b188cc1 2238
fd6c2e4c
JA		 2239 /* Ensure we clear previously set non-block flag */
2240 if (!force_nonblock)
9adbd45d 2241 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2242
797f3f53 2243 req->result = 0;
f67676d1 2244 io_size = ret;
9e645e11 2245 if (req->flags & REQ_F_LINK)
f67676d1 2246 req->result = io_size;
9e645e11 2247
f67676d1
JA		 2248 /*
2249 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2250 * we know to async punt it even if it was opened O_NONBLOCK
2251 */
2252 if (force_nonblock && !io_file_supports_async(req->file)) {
2253 req->flags |= REQ_F_MUST_PUNT;
2254 goto copy_iov;
2255 }
31b51510 2256
10d59345
JA		 2257 /* file path doesn't support NOWAIT for non-direct_IO */
2258 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2259 (req->flags & REQ_F_ISREG))
f67676d1 2260 goto copy_iov;
31b51510 2261
f67676d1 2262 iov_count = iov_iter_count(&iter);
9adbd45d 2263 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 2264 if (!ret) {
9bf7933f
RP		 2265 ssize_t ret2;
2266
2b188cc1
JA		 2267 /*
2268 * Open-code file_start_write here to grab freeze protection,
2269 * which will be released by another thread in
2270 * io_complete_rw(). Fool lockdep by telling it the lock got
2271 * released so that it doesn't complain about the held lock when
2272 * we return to userspace.
2273 */
491381ce 2274 if (req->flags & REQ_F_ISREG) {
9adbd45d 2275 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 2276 SB_FREEZE_WRITE, true);
9adbd45d 2277 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 2278 SB_FREEZE_WRITE);
2279 }
2280 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 2281
9adbd45d
JA		 2282 if (req->file->f_op->write_iter)
2283 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 2284 else
9adbd45d 2285 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
f67676d1 2286 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2287 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2288 } else {
2289copy_iov:
b7bb4f7d 2290 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2291 inline_vecs, &iter);
2292 if (ret)
2293 goto out_free;
2294 return -EAGAIN;
2295 }
2b188cc1 2296 }
31b51510 2297out_free:
b7bb4f7d
JA		 2298 if (!io_wq_current_is_worker())
2299 kfree(iovec);
2b188cc1
JA		 2300 return ret;
2301}
2302
2303/*
2304 * IORING_OP_NOP just posts a completion event, nothing else.
2305 */
78e19bbe 2306static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 2307{
2308 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2309
def596e9
JA		 2310 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2311 return -EINVAL;
2312
78e19bbe 2313 io_cqring_add_event(req, 0);
e65ef56d 2314 io_put_req(req);
2b188cc1
JA		 2315 return 0;
2316}
2317
3529d8c2 2318static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2319{
6b06314c 2320 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2321
09bb8394
JA		 2322 if (!req->file)
2323 return -EBADF;
c992fe29 2324
6b06314c 2325 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2326 return -EINVAL;
edafccee 2327 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2328 return -EINVAL;
2329
8ed8d3c3
JA		 2330 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2331 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2332 return -EINVAL;
2333
2334 req->sync.off = READ_ONCE(sqe->off);
2335 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2336 return 0;
2337}
2338
8ed8d3c3
JA		 2339static bool io_req_cancelled(struct io_kiocb *req)
2340{
2341 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2342 req_set_fail_links(req);
2343 io_cqring_add_event(req, -ECANCELED);
2344 io_put_req(req);
2345 return true;
2346 }
2347
2348 return false;
2349}
2350
78912934
JA		 2351static void io_link_work_cb(struct io_wq_work **workptr)
2352{
2353 struct io_wq_work *work = *workptr;
2354 struct io_kiocb *link = work->data;
2355
2356 io_queue_linked_timeout(link);
2357 work->func = io_wq_submit_work;
2358}
2359
2360static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2361{
2362 struct io_kiocb *link;
2363
2364 io_prep_async_work(nxt, &link);
2365 *workptr = &nxt->work;
2366 if (link) {
2367 nxt->work.flags |= IO_WQ_WORK_CB;
2368 nxt->work.func = io_link_work_cb;
2369 nxt->work.data = link;
2370 }
2371}
2372
8ed8d3c3
JA		 2373static void io_fsync_finish(struct io_wq_work **workptr)
2374{
2375 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2376 loff_t end = req->sync.off + req->sync.len;
2377 struct io_kiocb *nxt = NULL;
2378 int ret;
2379
2380 if (io_req_cancelled(req))
2381 return;
2382
9adbd45d 2383 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2384 end > 0 ? end : LLONG_MAX,
2385 req->sync.flags & IORING_FSYNC_DATASYNC);
2386 if (ret < 0)
2387 req_set_fail_links(req);
2388 io_cqring_add_event(req, ret);
2389 io_put_req_find_next(req, &nxt);
2390 if (nxt)
78912934 2391 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2392}
2393
fc4df999
JA		 2394static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2395 bool force_nonblock)
c992fe29 2396{
8ed8d3c3 2397 struct io_wq_work *work, *old_work;
c992fe29
CH		 2398
2399 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2400 if (force_nonblock) {
2401 io_put_req(req);
2402 req->work.func = io_fsync_finish;
c992fe29 2403 return -EAGAIN;
8ed8d3c3 2404 }
c992fe29 2405
8ed8d3c3
JA		 2406 work = old_work = &req->work;
2407 io_fsync_finish(&work);
2408 if (work && work != old_work)
2409 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2410 return 0;
2411}
2412
d63d1b5e
JA		 2413static void io_fallocate_finish(struct io_wq_work **workptr)
2414{
2415 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2416 struct io_kiocb *nxt = NULL;
2417 int ret;
2418
2419 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2420 req->sync.len);
2421 if (ret < 0)
2422 req_set_fail_links(req);
2423 io_cqring_add_event(req, ret);
2424 io_put_req_find_next(req, &nxt);
2425 if (nxt)
2426 io_wq_assign_next(workptr, nxt);
2427}
2428
2429static int io_fallocate_prep(struct io_kiocb *req,
2430 const struct io_uring_sqe *sqe)
2431{
2432 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2433 return -EINVAL;
2434
2435 req->sync.off = READ_ONCE(sqe->off);
2436 req->sync.len = READ_ONCE(sqe->addr);
2437 req->sync.mode = READ_ONCE(sqe->len);
2438 return 0;
2439}
2440
2441static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2442 bool force_nonblock)
2443{
2444 struct io_wq_work *work, *old_work;
2445
2446 /* fallocate always requiring blocking context */
2447 if (force_nonblock) {
2448 io_put_req(req);
2449 req->work.func = io_fallocate_finish;
2450 return -EAGAIN;
2451 }
2452
2453 work = old_work = &req->work;
2454 io_fallocate_finish(&work);
2455 if (work && work != old_work)
2456 *nxt = container_of(work, struct io_kiocb, work);
2457
2458 return 0;
2459}
2460
15b71abe
JA		 2461static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2462{
2463 int ret;
2464
2465 if (sqe->ioprio || sqe->buf_index)
2466 return -EINVAL;
2467
2468 req->open.dfd = READ_ONCE(sqe->fd);
2469 req->open.mode = READ_ONCE(sqe->len);
2470 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2471 req->open.flags = READ_ONCE(sqe->open_flags);
2472
2473 req->open.filename = getname(req->open.fname);
2474 if (IS_ERR(req->open.filename)) {
2475 ret = PTR_ERR(req->open.filename);
2476 req->open.filename = NULL;
2477 return ret;
2478 }
2479
2480 return 0;
2481}
2482
2483static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2484 bool force_nonblock)
2485{
2486 struct open_flags op;
2487 struct open_how how;
2488 struct file *file;
2489 int ret;
2490
2491 if (force_nonblock) {
2492 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2493 return -EAGAIN;
2494 }
2495
2496 how = build_open_how(req->open.flags, req->open.mode);
2497 ret = build_open_flags(&how, &op);
2498 if (ret)
2499 goto err;
2500
2501 ret = get_unused_fd_flags(how.flags);
2502 if (ret < 0)
2503 goto err;
2504
2505 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2506 if (IS_ERR(file)) {
2507 put_unused_fd(ret);
2508 ret = PTR_ERR(file);
2509 } else {
2510 fsnotify_open(file);
2511 fd_install(ret, file);
2512 }
2513err:
2514 putname(req->open.filename);
2515 if (ret < 0)
2516 req_set_fail_links(req);
2517 io_cqring_add_event(req, ret);
2518 io_put_req_find_next(req, nxt);
2519 return 0;
2520}
2521
c1ca757b
JA		 2522static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2523{
2524#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2525 if (sqe->ioprio || sqe->buf_index || sqe->off)
2526 return -EINVAL;
2527
2528 req->madvise.addr = READ_ONCE(sqe->addr);
2529 req->madvise.len = READ_ONCE(sqe->len);
2530 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2531 return 0;
2532#else
2533 return -EOPNOTSUPP;
2534#endif
2535}
2536
2537static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2538 bool force_nonblock)
2539{
2540#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2541 struct io_madvise *ma = &req->madvise;
2542 int ret;
2543
2544 if (force_nonblock)
2545 return -EAGAIN;
2546
2547 ret = do_madvise(ma->addr, ma->len, ma->advice);
2548 if (ret < 0)
2549 req_set_fail_links(req);
2550 io_cqring_add_event(req, ret);
2551 io_put_req_find_next(req, nxt);
2552 return 0;
2553#else
2554 return -EOPNOTSUPP;
2555#endif
2556}
2557
4840e418
JA		 2558static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2559{
2560 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2561 return -EINVAL;
2562
2563 req->fadvise.offset = READ_ONCE(sqe->off);
2564 req->fadvise.len = READ_ONCE(sqe->len);
2565 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2566 return 0;
2567}
2568
2569static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2570 bool force_nonblock)
2571{
2572 struct io_fadvise *fa = &req->fadvise;
2573 int ret;
2574
2575 /* DONTNEED may block, others _should_ not */
2576 if (fa->advice == POSIX_FADV_DONTNEED && force_nonblock)
2577 return -EAGAIN;
2578
2579 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2580 if (ret < 0)
2581 req_set_fail_links(req);
2582 io_cqring_add_event(req, ret);
2583 io_put_req_find_next(req, nxt);
2584 return 0;
2585}
2586
eddc7ef5
JA		 2587static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2588{
2589 unsigned lookup_flags;
2590 int ret;
2591
2592 if (sqe->ioprio || sqe->buf_index)
2593 return -EINVAL;
2594
2595 req->open.dfd = READ_ONCE(sqe->fd);
2596 req->open.mask = READ_ONCE(sqe->len);
2597 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2598 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2599 req->open.flags = READ_ONCE(sqe->statx_flags);
2600
2601 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.flags))
2602 return -EINVAL;
2603
2604 req->open.filename = getname_flags(req->open.fname, lookup_flags, NULL);
2605 if (IS_ERR(req->open.filename)) {
2606 ret = PTR_ERR(req->open.filename);
2607 req->open.filename = NULL;
2608 return ret;
2609 }
2610
2611 return 0;
2612}
2613
2614static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2615 bool force_nonblock)
2616{
2617 struct io_open *ctx = &req->open;
2618 unsigned lookup_flags;
2619 struct path path;
2620 struct kstat stat;
2621 int ret;
2622
2623 if (force_nonblock)
2624 return -EAGAIN;
2625
2626 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->flags))
2627 return -EINVAL;
2628
2629retry:
2630 /* filename_lookup() drops it, keep a reference */
2631 ctx->filename->refcnt++;
2632
2633 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2634 NULL);
2635 if (ret)
2636 goto err;
2637
2638 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->flags);
2639 path_put(&path);
2640 if (retry_estale(ret, lookup_flags)) {
2641 lookup_flags |= LOOKUP_REVAL;
2642 goto retry;
2643 }
2644 if (!ret)
2645 ret = cp_statx(&stat, ctx->buffer);
2646err:
2647 putname(ctx->filename);
2648 if (ret < 0)
2649 req_set_fail_links(req);
2650 io_cqring_add_event(req, ret);
2651 io_put_req_find_next(req, nxt);
2652 return 0;
2653}
2654
b5dba59e
JA		 2655static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2656{
2657 /*
2658 * If we queue this for async, it must not be cancellable. That would
2659 * leave the 'file' in an undeterminate state.
2660 */
2661 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2662
2663 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2664 sqe->rw_flags || sqe->buf_index)
2665 return -EINVAL;
2666 if (sqe->flags & IOSQE_FIXED_FILE)
2667 return -EINVAL;
2668
2669 req->close.fd = READ_ONCE(sqe->fd);
2670 if (req->file->f_op == &io_uring_fops ||
2671 req->close.fd == req->ring_fd)
2672 return -EBADF;
2673
2674 return 0;
2675}
2676
2677static void io_close_finish(struct io_wq_work **workptr)
2678{
2679 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2680 struct io_kiocb *nxt = NULL;
2681
2682 /* Invoked with files, we need to do the close */
2683 if (req->work.files) {
2684 int ret;
2685
2686 ret = filp_close(req->close.put_file, req->work.files);
2687 if (ret < 0) {
2688 req_set_fail_links(req);
2689 }
2690 io_cqring_add_event(req, ret);
2691 }
2692
2693 fput(req->close.put_file);
2694
2695 /* we bypassed the re-issue, drop the submission reference */
2696 io_put_req(req);
2697 io_put_req_find_next(req, &nxt);
2698 if (nxt)
2699 io_wq_assign_next(workptr, nxt);
2700}
2701
2702static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2703 bool force_nonblock)
2704{
2705 int ret;
2706
2707 req->close.put_file = NULL;
2708 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2709 if (ret < 0)
2710 return ret;
2711
2712 /* if the file has a flush method, be safe and punt to async */
2713 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2714 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2715 goto eagain;
2716 }
2717
2718 /*
2719 * No ->flush(), safely close from here and just punt the
2720 * fput() to async context.
2721 */
2722 ret = filp_close(req->close.put_file, current->files);
2723
2724 if (ret < 0)
2725 req_set_fail_links(req);
2726 io_cqring_add_event(req, ret);
2727
2728 if (io_wq_current_is_worker()) {
2729 struct io_wq_work *old_work, *work;
2730
2731 old_work = work = &req->work;
2732 io_close_finish(&work);
2733 if (work && work != old_work)
2734 *nxt = container_of(work, struct io_kiocb, work);
2735 return 0;
2736 }
2737
2738eagain:
2739 req->work.func = io_close_finish;
2740 return -EAGAIN;
2741}
2742
3529d8c2 2743static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 2744{
2745 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 2746
2747 if (!req->file)
2748 return -EBADF;
5d17b4a4
JA		 2749
2750 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2751 return -EINVAL;
2752 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2753 return -EINVAL;
2754
8ed8d3c3
JA		 2755 req->sync.off = READ_ONCE(sqe->off);
2756 req->sync.len = READ_ONCE(sqe->len);
2757 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 2758 return 0;
2759}
2760
2761static void io_sync_file_range_finish(struct io_wq_work **workptr)
2762{
2763 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2764 struct io_kiocb *nxt = NULL;
2765 int ret;
2766
2767 if (io_req_cancelled(req))
2768 return;
2769
9adbd45d 2770 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 2771 req->sync.flags);
2772 if (ret < 0)
2773 req_set_fail_links(req);
2774 io_cqring_add_event(req, ret);
2775 io_put_req_find_next(req, &nxt);
2776 if (nxt)
78912934 2777 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2778}
2779
fc4df999 2780static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2781 bool force_nonblock)
2782{
8ed8d3c3 2783 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2784
2785 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2786 if (force_nonblock) {
2787 io_put_req(req);
2788 req->work.func = io_sync_file_range_finish;
5d17b4a4 2789 return -EAGAIN;
8ed8d3c3 2790 }
5d17b4a4 2791
8ed8d3c3
JA		 2792 work = old_work = &req->work;
2793 io_sync_file_range_finish(&work);
2794 if (work && work != old_work)
2795 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2796 return 0;
2797}
2798
b7bb4f7d
JA		 2799#if defined(CONFIG_NET)
2800static void io_sendrecv_async(struct io_wq_work **workptr)
2801{
2802 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2803 struct iovec *iov = NULL;
2804
2805 if (req->io->rw.iov != req->io->rw.fast_iov)
2806 iov = req->io->msg.iov;
2807 io_wq_submit_work(workptr);
2808 kfree(iov);
2809}
2810#endif
2811
3529d8c2 2812static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 2813{
0fa03c62 2814#if defined(CONFIG_NET)
e47293fd 2815 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 2816 struct io_async_ctx *io = req->io;
03b1230c 2817
e47293fd
JA		 2818 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2819 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
fddaface 2820 sr->len = READ_ONCE(sqe->len);
3529d8c2 2821
fddaface 2822 if (!io || req->opcode == IORING_OP_SEND)
3529d8c2
JA		 2823 return 0;
2824
d9688565 2825 io->msg.iov = io->msg.fast_iov;
3529d8c2 2826 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2827 &io->msg.iov);
03b1230c 2828#else
e47293fd 2829 return -EOPNOTSUPP;
03b1230c
JA		 2830#endif
2831}
2832
fc4df999
JA		 2833static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2834 bool force_nonblock)
aa1fa28f 2835{
03b1230c 2836#if defined(CONFIG_NET)
0b416c3e 2837 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2838 struct socket *sock;
2839 int ret;
2840
2841 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2842 return -EINVAL;
2843
2844 sock = sock_from_file(req->file, &ret);
2845 if (sock) {
b7bb4f7d 2846 struct io_async_ctx io;
03b1230c 2847 struct sockaddr_storage addr;
0fa03c62
JA		 2848 unsigned flags;
2849
03b1230c 2850 if (req->io) {
0b416c3e
JA		 2851 kmsg = &req->io->msg;
2852 kmsg->msg.msg_name = &addr;
2853 /* if iov is set, it's allocated already */
2854 if (!kmsg->iov)
2855 kmsg->iov = kmsg->fast_iov;
2856 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2857 } else {
3529d8c2
JA		 2858 struct io_sr_msg *sr = &req->sr_msg;
2859
0b416c3e
JA		 2860 kmsg = &io.msg;
2861 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2862
2863 io.msg.iov = io.msg.fast_iov;
2864 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2865 sr->msg_flags, &io.msg.iov);
03b1230c 2866 if (ret)
3529d8c2 2867 return ret;
03b1230c 2868 }
0fa03c62 2869
e47293fd
JA		 2870 flags = req->sr_msg.msg_flags;
2871 if (flags & MSG_DONTWAIT)
2872 req->flags |= REQ_F_NOWAIT;
2873 else if (force_nonblock)
2874 flags |= MSG_DONTWAIT;
2875
0b416c3e 2876 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2877 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2878 if (req->io)
2879 return -EAGAIN;
2880 if (io_alloc_async_ctx(req))
2881 return -ENOMEM;
2882 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2883 req->work.func = io_sendrecv_async;
0b416c3e 2884 return -EAGAIN;
03b1230c 2885 }
441cdbd5
JA		 2886 if (ret == -ERESTARTSYS)
2887 ret = -EINTR;
0fa03c62
JA		 2888 }
2889
b7bb4f7d 2890 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2891 kfree(kmsg->iov);
78e19bbe 2892 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2893 if (ret < 0)
2894 req_set_fail_links(req);
ec9c02ad 2895 io_put_req_find_next(req, nxt);
5d17b4a4 2896 return 0;
03b1230c
JA		 2897#else
2898 return -EOPNOTSUPP;
aa1fa28f 2899#endif
03b1230c 2900}
aa1fa28f 2901
fddaface
JA		 2902static int io_send(struct io_kiocb *req, struct io_kiocb **nxt,
2903 bool force_nonblock)
2904{
2905#if defined(CONFIG_NET)
2906 struct socket *sock;
2907 int ret;
2908
2909 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2910 return -EINVAL;
2911
2912 sock = sock_from_file(req->file, &ret);
2913 if (sock) {
2914 struct io_sr_msg *sr = &req->sr_msg;
2915 struct msghdr msg;
2916 struct iovec iov;
2917 unsigned flags;
2918
2919 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
2920 &msg.msg_iter);
2921 if (ret)
2922 return ret;
2923
2924 msg.msg_name = NULL;
2925 msg.msg_control = NULL;
2926 msg.msg_controllen = 0;
2927 msg.msg_namelen = 0;
2928
2929 flags = req->sr_msg.msg_flags;
2930 if (flags & MSG_DONTWAIT)
2931 req->flags |= REQ_F_NOWAIT;
2932 else if (force_nonblock)
2933 flags |= MSG_DONTWAIT;
2934
2935 ret = __sys_sendmsg_sock(sock, &msg, flags);
2936 if (force_nonblock && ret == -EAGAIN)
2937 return -EAGAIN;
2938 if (ret == -ERESTARTSYS)
2939 ret = -EINTR;
2940 }
2941
2942 io_cqring_add_event(req, ret);
2943 if (ret < 0)
2944 req_set_fail_links(req);
2945 io_put_req_find_next(req, nxt);
2946 return 0;
2947#else
2948 return -EOPNOTSUPP;
2949#endif
2950}
2951
3529d8c2
JA		 2952static int io_recvmsg_prep(struct io_kiocb *req,
2953 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 2954{
2955#if defined(CONFIG_NET)
e47293fd 2956 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2
JA		 2957 struct io_async_ctx *io = req->io;
2958
2959 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2960 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
06b76d44 2961
fddaface 2962 if (!io || req->opcode == IORING_OP_RECV)
06b76d44 2963 return 0;
03b1230c 2964
d9688565 2965 io->msg.iov = io->msg.fast_iov;
3529d8c2 2966 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2967 &io->msg.uaddr, &io->msg.iov);
aa1fa28f 2968#else
e47293fd 2969 return -EOPNOTSUPP;
aa1fa28f
JA		 2970#endif
2971}
2972
fc4df999
JA		 2973static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2974 bool force_nonblock)
aa1fa28f
JA		 2975{
2976#if defined(CONFIG_NET)
0b416c3e 2977 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 2978 struct socket *sock;
2979 int ret;
2980
2981 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2982 return -EINVAL;
2983
2984 sock = sock_from_file(req->file, &ret);
2985 if (sock) {
b7bb4f7d 2986 struct io_async_ctx io;
03b1230c 2987 struct sockaddr_storage addr;
03b1230c
JA		 2988 unsigned flags;
2989
03b1230c 2990 if (req->io) {
0b416c3e
JA		 2991 kmsg = &req->io->msg;
2992 kmsg->msg.msg_name = &addr;
2993 /* if iov is set, it's allocated already */
2994 if (!kmsg->iov)
2995 kmsg->iov = kmsg->fast_iov;
2996 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2997 } else {
3529d8c2
JA		 2998 struct io_sr_msg *sr = &req->sr_msg;
2999
0b416c3e
JA		 3000 kmsg = &io.msg;
3001 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 3002
3003 io.msg.iov = io.msg.fast_iov;
3004 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
3005 sr->msg_flags, &io.msg.uaddr,
3006 &io.msg.iov);
03b1230c 3007 if (ret)
3529d8c2 3008 return ret;
03b1230c
JA		 3009 }
3010
e47293fd
JA		 3011 flags = req->sr_msg.msg_flags;
3012 if (flags & MSG_DONTWAIT)
3013 req->flags |= REQ_F_NOWAIT;
3014 else if (force_nonblock)
3015 flags |= MSG_DONTWAIT;
3016
3017 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3018 kmsg->uaddr, flags);
03b1230c 3019 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 3020 if (req->io)
3021 return -EAGAIN;
3022 if (io_alloc_async_ctx(req))
3023 return -ENOMEM;
3024 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
3025 req->work.func = io_sendrecv_async;
0b416c3e 3026 return -EAGAIN;
03b1230c
JA		 3027 }
3028 if (ret == -ERESTARTSYS)
3029 ret = -EINTR;
3030 }
3031
b7bb4f7d 3032 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 3033 kfree(kmsg->iov);
03b1230c 3034 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3035 if (ret < 0)
3036 req_set_fail_links(req);
03b1230c
JA		 3037 io_put_req_find_next(req, nxt);
3038 return 0;
0fa03c62
JA		 3039#else
3040 return -EOPNOTSUPP;
3041#endif
3042}
5d17b4a4 3043
fddaface
JA		 3044static int io_recv(struct io_kiocb *req, struct io_kiocb **nxt,
3045 bool force_nonblock)
3046{
3047#if defined(CONFIG_NET)
3048 struct socket *sock;
3049 int ret;
3050
3051 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3052 return -EINVAL;
3053
3054 sock = sock_from_file(req->file, &ret);
3055 if (sock) {
3056 struct io_sr_msg *sr = &req->sr_msg;
3057 struct msghdr msg;
3058 struct iovec iov;
3059 unsigned flags;
3060
3061 ret = import_single_range(READ, sr->buf, sr->len, &iov,
3062 &msg.msg_iter);
3063 if (ret)
3064 return ret;
3065
3066 msg.msg_name = NULL;
3067 msg.msg_control = NULL;
3068 msg.msg_controllen = 0;
3069 msg.msg_namelen = 0;
3070 msg.msg_iocb = NULL;
3071 msg.msg_flags = 0;
3072
3073 flags = req->sr_msg.msg_flags;
3074 if (flags & MSG_DONTWAIT)
3075 req->flags |= REQ_F_NOWAIT;
3076 else if (force_nonblock)
3077 flags |= MSG_DONTWAIT;
3078
3079 ret = __sys_recvmsg_sock(sock, &msg, NULL, NULL, flags);
3080 if (force_nonblock && ret == -EAGAIN)
3081 return -EAGAIN;
3082 if (ret == -ERESTARTSYS)
3083 ret = -EINTR;
3084 }
3085
3086 io_cqring_add_event(req, ret);
3087 if (ret < 0)
3088 req_set_fail_links(req);
3089 io_put_req_find_next(req, nxt);
3090 return 0;
3091#else
3092 return -EOPNOTSUPP;
3093#endif
3094}
3095
3096
3529d8c2 3097static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 3098{
3099#if defined(CONFIG_NET)
8ed8d3c3
JA		 3100 struct io_accept *accept = &req->accept;
3101
17f2fe35
JA		 3102 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3103 return -EINVAL;
8042d6ce 3104 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 3105 return -EINVAL;
3106
d55e5f5b
JA		 3107 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3108 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 3109 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 3110 return 0;
3111#else
3112 return -EOPNOTSUPP;
3113#endif
3114}
17f2fe35 3115
8ed8d3c3
JA		 3116#if defined(CONFIG_NET)
3117static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3118 bool force_nonblock)
3119{
3120 struct io_accept *accept = &req->accept;
3121 unsigned file_flags;
3122 int ret;
3123
3124 file_flags = force_nonblock ? O_NONBLOCK : 0;
3125 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3126 accept->addr_len, accept->flags);
3127 if (ret == -EAGAIN && force_nonblock)
17f2fe35 3128 return -EAGAIN;
8e3cca12
JA		 3129 if (ret == -ERESTARTSYS)
3130 ret = -EINTR;
4e88d6e7
JA		 3131 if (ret < 0)
3132 req_set_fail_links(req);
78e19bbe 3133 io_cqring_add_event(req, ret);
ec9c02ad 3134 io_put_req_find_next(req, nxt);
17f2fe35 3135 return 0;
8ed8d3c3
JA		 3136}
3137
3138static void io_accept_finish(struct io_wq_work **workptr)
3139{
3140 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3141 struct io_kiocb *nxt = NULL;
3142
3143 if (io_req_cancelled(req))
3144 return;
3145 __io_accept(req, &nxt, false);
3146 if (nxt)
78912934 3147 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 3148}
3149#endif
3150
3151static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3152 bool force_nonblock)
3153{
3154#if defined(CONFIG_NET)
3155 int ret;
3156
8ed8d3c3
JA		 3157 ret = __io_accept(req, nxt, force_nonblock);
3158 if (ret == -EAGAIN && force_nonblock) {
3159 req->work.func = io_accept_finish;
3160 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3161 io_put_req(req);
3162 return -EAGAIN;
3163 }
3164 return 0;
0fa03c62
JA		 3165#else
3166 return -EOPNOTSUPP;
3167#endif
3168}
5d17b4a4 3169
3529d8c2 3170static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 3171{
3172#if defined(CONFIG_NET)
3529d8c2
JA		 3173 struct io_connect *conn = &req->connect;
3174 struct io_async_ctx *io = req->io;
f499a021 3175
3fbb51c1
JA		 3176 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3177 return -EINVAL;
3178 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3179 return -EINVAL;
3180
3529d8c2
JA		 3181 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3182 conn->addr_len = READ_ONCE(sqe->addr2);
3183
3184 if (!io)
3185 return 0;
3186
3187 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 3188 &io->connect.address);
f499a021 3189#else
3fbb51c1 3190 return -EOPNOTSUPP;
f499a021
JA		 3191#endif
3192}
3193
fc4df999
JA		 3194static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3195 bool force_nonblock)
f8e85cf2
JA		 3196{
3197#if defined(CONFIG_NET)
f499a021 3198 struct io_async_ctx __io, *io;
f8e85cf2 3199 unsigned file_flags;
3fbb51c1 3200 int ret;
f8e85cf2 3201
f499a021
JA		 3202 if (req->io) {
3203 io = req->io;
3204 } else {
3529d8c2
JA		 3205 ret = move_addr_to_kernel(req->connect.addr,
3206 req->connect.addr_len,
3207 &__io.connect.address);
f499a021
JA		 3208 if (ret)
3209 goto out;
3210 io = &__io;
3211 }
3212
3fbb51c1
JA		 3213 file_flags = force_nonblock ? O_NONBLOCK : 0;
3214
3215 ret = __sys_connect_file(req->file, &io->connect.address,
3216 req->connect.addr_len, file_flags);
87f80d62 3217 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 3218 if (req->io)
3219 return -EAGAIN;
3220 if (io_alloc_async_ctx(req)) {
f499a021
JA		 3221 ret = -ENOMEM;
3222 goto out;
3223 }
b7bb4f7d 3224 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 3225 return -EAGAIN;
f499a021 3226 }
f8e85cf2
JA		 3227 if (ret == -ERESTARTSYS)
3228 ret = -EINTR;
f499a021 3229out:
4e88d6e7
JA		 3230 if (ret < 0)
3231 req_set_fail_links(req);
f8e85cf2
JA		 3232 io_cqring_add_event(req, ret);
3233 io_put_req_find_next(req, nxt);
3234 return 0;
3235#else
3236 return -EOPNOTSUPP;
3237#endif
3238}
3239
221c5eb2
JA		 3240static void io_poll_remove_one(struct io_kiocb *req)
3241{
3242 struct io_poll_iocb *poll = &req->poll;
3243
3244 spin_lock(&poll->head->lock);
3245 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 3246 if (!list_empty(&poll->wait.entry)) {
3247 list_del_init(&poll->wait.entry);
a197f664 3248 io_queue_async_work(req);
221c5eb2
JA		 3249 }
3250 spin_unlock(&poll->head->lock);
78076bb6 3251 hash_del(&req->hash_node);
221c5eb2
JA		 3252}
3253
3254static void io_poll_remove_all(struct io_ring_ctx *ctx)
3255{
78076bb6 3256 struct hlist_node *tmp;
221c5eb2 3257 struct io_kiocb *req;
78076bb6 3258 int i;
221c5eb2
JA		 3259
3260 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 3261 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3262 struct hlist_head *list;
3263
3264 list = &ctx->cancel_hash[i];
3265 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3266 io_poll_remove_one(req);
221c5eb2
JA		 3267 }
3268 spin_unlock_irq(&ctx->completion_lock);
3269}
3270
47f46768
JA		 3271static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3272{
78076bb6 3273 struct hlist_head *list;
47f46768
JA		 3274 struct io_kiocb *req;
3275
78076bb6
JA		 3276 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3277 hlist_for_each_entry(req, list, hash_node) {
3278 if (sqe_addr == req->user_data) {
eac406c6
JA		 3279 io_poll_remove_one(req);
3280 return 0;
3281 }
47f46768
JA		 3282 }
3283
3284 return -ENOENT;
3285}
3286
3529d8c2
JA		 3287static int io_poll_remove_prep(struct io_kiocb *req,
3288 const struct io_uring_sqe *sqe)
0969e783 3289{
0969e783
JA		 3290 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3291 return -EINVAL;
3292 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3293 sqe->poll_events)
3294 return -EINVAL;
3295
3296 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 3297 return 0;
3298}
3299
221c5eb2
JA		 3300/*
3301 * Find a running poll command that matches one specified in sqe->addr,
3302 * and remove it if found.
3303 */
fc4df999 3304static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 3305{
3306 struct io_ring_ctx *ctx = req->ctx;
0969e783 3307 u64 addr;
47f46768 3308 int ret;
221c5eb2 3309
0969e783 3310 addr = req->poll.addr;
221c5eb2 3311 spin_lock_irq(&ctx->completion_lock);
0969e783 3312 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 3313 spin_unlock_irq(&ctx->completion_lock);
3314
78e19bbe 3315 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3316 if (ret < 0)
3317 req_set_fail_links(req);
e65ef56d 3318 io_put_req(req);
221c5eb2
JA		 3319 return 0;
3320}
3321
b0dd8a41 3322static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 3323{
a197f664
JL		 3324 struct io_ring_ctx *ctx = req->ctx;
3325
8c838788 3326 req->poll.done = true;
b0dd8a41
JA		 3327 if (error)
3328 io_cqring_fill_event(req, error);
3329 else
3330 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 3331 io_commit_cqring(ctx);
221c5eb2
JA		 3332}
3333
561fb04a 3334static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 3335{
561fb04a 3336 struct io_wq_work *work = *workptr;
221c5eb2
JA		 3337 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3338 struct io_poll_iocb *poll = &req->poll;
3339 struct poll_table_struct pt = { ._key = poll->events };
3340 struct io_ring_ctx *ctx = req->ctx;
89723d0b 3341 struct io_kiocb *nxt = NULL;
221c5eb2 3342 __poll_t mask = 0;
b0dd8a41 3343 int ret = 0;
221c5eb2 3344
b0dd8a41 3345 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 3346 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 3347 ret = -ECANCELED;
3348 } else if (READ_ONCE(poll->canceled)) {
3349 ret = -ECANCELED;
3350 }
561fb04a 3351
b0dd8a41 3352 if (ret != -ECANCELED)
221c5eb2
JA		 3353 mask = vfs_poll(poll->file, &pt) & poll->events;
3354
3355 /*
3356 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3357 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3358 * synchronize with them. In the cancellation case the list_del_init
3359 * itself is not actually needed, but harmless so we keep it in to
3360 * avoid further branches in the fast path.
3361 */
3362 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 3363 if (!mask && ret != -ECANCELED) {
392edb45 3364 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 3365 spin_unlock_irq(&ctx->completion_lock);
3366 return;
3367 }
78076bb6 3368 hash_del(&req->hash_node);
b0dd8a41 3369 io_poll_complete(req, mask, ret);
221c5eb2
JA		 3370 spin_unlock_irq(&ctx->completion_lock);
3371
8c838788 3372 io_cqring_ev_posted(ctx);
89723d0b 3373
4e88d6e7
JA		 3374 if (ret < 0)
3375 req_set_fail_links(req);
ec9c02ad 3376 io_put_req_find_next(req, &nxt);
89723d0b 3377 if (nxt)
78912934 3378 io_wq_assign_next(workptr, nxt);
221c5eb2
JA		 3379}
3380
e94f141b
JA		 3381static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3382{
e94f141b 3383 struct io_kiocb *req, *tmp;
8237e045 3384 struct req_batch rb;
e94f141b 3385
c6ca97b3 3386 rb.to_free = rb.need_iter = 0;
e94f141b
JA		 3387 spin_lock_irq(&ctx->completion_lock);
3388 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3389 hash_del(&req->hash_node);
3390 io_poll_complete(req, req->result, 0);
3391
8237e045
JA		 3392 if (refcount_dec_and_test(&req->refs) &&
3393 !io_req_multi_free(&rb, req)) {
3394 req->flags |= REQ_F_COMP_LOCKED;
3395 io_free_req(req);
e94f141b
JA		 3396 }
3397 }
3398 spin_unlock_irq(&ctx->completion_lock);
3399
3400 io_cqring_ev_posted(ctx);
8237e045 3401 io_free_req_many(ctx, &rb);
e94f141b
JA		 3402}
3403
3404static void io_poll_flush(struct io_wq_work **workptr)
3405{
3406 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3407 struct llist_node *nodes;
3408
3409 nodes = llist_del_all(&req->ctx->poll_llist);
3410 if (nodes)
3411 __io_poll_flush(req->ctx, nodes);
3412}
3413
221c5eb2
JA		 3414static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3415 void *key)
3416{
e944475e 3417 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 3418 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3419 struct io_ring_ctx *ctx = req->ctx;
3420 __poll_t mask = key_to_poll(key);
221c5eb2
JA		 3421
3422 /* for instances that support it check for an event match first: */
8c838788
JA		 3423 if (mask && !(mask & poll->events))
3424 return 0;
221c5eb2 3425
392edb45 3426 list_del_init(&poll->wait.entry);
221c5eb2 3427
7c9e7f0f
JA		 3428 /*
3429 * Run completion inline if we can. We're using trylock here because
3430 * we are violating the completion_lock -> poll wq lock ordering.
3431 * If we have a link timeout we're going to need the completion_lock
3432 * for finalizing the request, mark us as having grabbed that already.
3433 */
e94f141b
JA		 3434 if (mask) {
3435 unsigned long flags;
221c5eb2 3436
e94f141b
JA		 3437 if (llist_empty(&ctx->poll_llist) &&
3438 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3439 hash_del(&req->hash_node);
3440 io_poll_complete(req, mask, 0);
3441 req->flags |= REQ_F_COMP_LOCKED;
3442 io_put_req(req);
3443 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3444
3445 io_cqring_ev_posted(ctx);
3446 req = NULL;
3447 } else {
3448 req->result = mask;
3449 req->llist_node.next = NULL;
3450 /* if the list wasn't empty, we're done */
3451 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3452 req = NULL;
3453 else
3454 req->work.func = io_poll_flush;
3455 }
221c5eb2 3456 }
e94f141b
JA		 3457 if (req)
3458 io_queue_async_work(req);
221c5eb2 3459
221c5eb2
JA		 3460 return 1;
3461}
3462
3463struct io_poll_table {
3464 struct poll_table_struct pt;
3465 struct io_kiocb *req;
3466 int error;
3467};
3468
3469static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3470 struct poll_table_struct *p)
3471{
3472 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3473
3474 if (unlikely(pt->req->poll.head)) {
3475 pt->error = -EINVAL;
3476 return;
3477 }
3478
3479 pt->error = 0;
3480 pt->req->poll.head = head;
392edb45 3481 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 3482}
3483
eac406c6
JA		 3484static void io_poll_req_insert(struct io_kiocb *req)
3485{
3486 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 3487 struct hlist_head *list;
3488
3489 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3490 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 3491}
3492
3529d8c2 3493static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 3494{
3495 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3496 u16 events;
221c5eb2
JA		 3497
3498 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3499 return -EINVAL;
3500 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3501 return -EINVAL;
09bb8394
JA		 3502 if (!poll->file)
3503 return -EBADF;
221c5eb2 3504
221c5eb2
JA		 3505 events = READ_ONCE(sqe->poll_events);
3506 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 3507 return 0;
3508}
3509
3510static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3511{
3512 struct io_poll_iocb *poll = &req->poll;
3513 struct io_ring_ctx *ctx = req->ctx;
3514 struct io_poll_table ipt;
3515 bool cancel = false;
3516 __poll_t mask;
0969e783
JA		 3517
3518 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 3519 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 3520
221c5eb2 3521 poll->head = NULL;
8c838788 3522 poll->done = false;
221c5eb2
JA		 3523 poll->canceled = false;
3524
3525 ipt.pt._qproc = io_poll_queue_proc;
3526 ipt.pt._key = poll->events;
3527 ipt.req = req;
3528 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3529
3530 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 3531 INIT_LIST_HEAD(&poll->wait.entry);
3532 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3533 poll->wait.private = poll;
221c5eb2 3534
36703247
JA		 3535 INIT_LIST_HEAD(&req->list);
3536
221c5eb2 3537 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 3538
3539 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 3540 if (likely(poll->head)) {
3541 spin_lock(&poll->head->lock);
392edb45 3542 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 3543 if (ipt.error)
3544 cancel = true;
3545 ipt.error = 0;
3546 mask = 0;
3547 }
3548 if (mask || ipt.error)
392edb45 3549 list_del_init(&poll->wait.entry);
8c838788
JA		 3550 else if (cancel)
3551 WRITE_ONCE(poll->canceled, true);
3552 else if (!poll->done) /* actually waiting for an event */
eac406c6 3553 io_poll_req_insert(req);
8c838788
JA		 3554 spin_unlock(&poll->head->lock);
3555 }
3556 if (mask) { /* no async, we'd stolen it */
221c5eb2 3557 ipt.error = 0;
b0dd8a41 3558 io_poll_complete(req, mask, 0);
221c5eb2 3559 }
221c5eb2
JA		 3560 spin_unlock_irq(&ctx->completion_lock);
3561
8c838788
JA		 3562 if (mask) {
3563 io_cqring_ev_posted(ctx);
ec9c02ad 3564 io_put_req_find_next(req, nxt);
221c5eb2 3565 }
8c838788 3566 return ipt.error;
221c5eb2
JA		 3567}
3568
5262f567
JA		 3569static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3570{
ad8a48ac
JA		 3571 struct io_timeout_data *data = container_of(timer,
3572 struct io_timeout_data, timer);
3573 struct io_kiocb *req = data->req;
3574 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 3575 unsigned long flags;
3576
5262f567
JA		 3577 atomic_inc(&ctx->cq_timeouts);
3578
3579 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 3580 /*
11365043
JA		 3581 * We could be racing with timeout deletion. If the list is empty,
3582 * then timeout lookup already found it and will be handling it.
ef03681a 3583 */
842f9612 3584 if (!list_empty(&req->list)) {
11365043 3585 struct io_kiocb *prev;
5262f567 3586
11365043
JA		 3587 /*
3588 * Adjust the reqs sequence before the current one because it
d195a66e 3589 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 3590 * pointer will be increased, otherwise other timeout reqs may
3591 * return in advance without waiting for enough wait_nr.
3592 */
3593 prev = req;
3594 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3595 prev->sequence++;
11365043 3596 list_del_init(&req->list);
11365043 3597 }
5262f567 3598
78e19bbe 3599 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 3600 io_commit_cqring(ctx);
3601 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3602
3603 io_cqring_ev_posted(ctx);
4e88d6e7 3604 req_set_fail_links(req);
5262f567
JA		 3605 io_put_req(req);
3606 return HRTIMER_NORESTART;
3607}
3608
47f46768
JA		 3609static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3610{
3611 struct io_kiocb *req;
3612 int ret = -ENOENT;
3613
3614 list_for_each_entry(req, &ctx->timeout_list, list) {
3615 if (user_data == req->user_data) {
3616 list_del_init(&req->list);
3617 ret = 0;
3618 break;
3619 }
3620 }
3621
3622 if (ret == -ENOENT)
3623 return ret;
3624
2d28390a 3625 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 3626 if (ret == -1)
3627 return -EALREADY;
3628
4e88d6e7 3629 req_set_fail_links(req);
47f46768
JA		 3630 io_cqring_fill_event(req, -ECANCELED);
3631 io_put_req(req);
3632 return 0;
3633}
3634
3529d8c2
JA		 3635static int io_timeout_remove_prep(struct io_kiocb *req,
3636 const struct io_uring_sqe *sqe)
b29472ee 3637{
b29472ee
JA		 3638 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3639 return -EINVAL;
3640 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3641 return -EINVAL;
3642
3643 req->timeout.addr = READ_ONCE(sqe->addr);
3644 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3645 if (req->timeout.flags)
3646 return -EINVAL;
3647
b29472ee
JA		 3648 return 0;
3649}
3650
11365043
JA		 3651/*
3652 * Remove or update an existing timeout command
3653 */
fc4df999 3654static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 3655{
3656 struct io_ring_ctx *ctx = req->ctx;
47f46768 3657 int ret;
11365043 3658
11365043 3659 spin_lock_irq(&ctx->completion_lock);
b29472ee 3660 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 3661
47f46768 3662 io_cqring_fill_event(req, ret);
11365043
JA		 3663 io_commit_cqring(ctx);
3664 spin_unlock_irq(&ctx->completion_lock);
5262f567 3665 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 3666 if (ret < 0)
3667 req_set_fail_links(req);
ec9c02ad 3668 io_put_req(req);
11365043 3669 return 0;
5262f567
JA		 3670}
3671
3529d8c2 3672static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 3673 bool is_timeout_link)
5262f567 3674{
ad8a48ac 3675 struct io_timeout_data *data;
a41525ab 3676 unsigned flags;
5262f567 3677
ad8a48ac 3678 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 3679 return -EINVAL;
ad8a48ac 3680 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 3681 return -EINVAL;
2d28390a
JA		 3682 if (sqe->off && is_timeout_link)
3683 return -EINVAL;
a41525ab
JA		 3684 flags = READ_ONCE(sqe->timeout_flags);
3685 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 3686 return -EINVAL;
bdf20073 3687
26a61679
JA		 3688 req->timeout.count = READ_ONCE(sqe->off);
3689
3529d8c2 3690 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 3691 return -ENOMEM;
3692
3693 data = &req->io->timeout;
ad8a48ac 3694 data->req = req;
ad8a48ac
JA		 3695 req->flags |= REQ_F_TIMEOUT;
3696
3697 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 3698 return -EFAULT;
3699
11365043 3700 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 3701 data->mode = HRTIMER_MODE_ABS;
11365043 3702 else
ad8a48ac 3703 data->mode = HRTIMER_MODE_REL;
11365043 3704
ad8a48ac
JA		 3705 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3706 return 0;
3707}
3708
fc4df999 3709static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 3710{
3711 unsigned count;
3712 struct io_ring_ctx *ctx = req->ctx;
3713 struct io_timeout_data *data;
3714 struct list_head *entry;
3715 unsigned span = 0;
ad8a48ac 3716
2d28390a 3717 data = &req->io->timeout;
93bd25bb 3718
5262f567
JA		 3719 /*
3720 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 3721 * timeout event to be satisfied. If it isn't set, then this is
3722 * a pure timeout request, sequence isn't used.
5262f567 3723 */
26a61679 3724 count = req->timeout.count;
93bd25bb
JA		 3725 if (!count) {
3726 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3727 spin_lock_irq(&ctx->completion_lock);
3728 entry = ctx->timeout_list.prev;
3729 goto add;
3730 }
5262f567
JA		 3731
3732 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 3733 data->seq_offset = count;
5262f567
JA		 3734
3735 /*
3736 * Insertion sort, ensuring the first entry in the list is always
3737 * the one we need first.
3738 */
5262f567
JA		 3739 spin_lock_irq(&ctx->completion_lock);
3740 list_for_each_prev(entry, &ctx->timeout_list) {
3741 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 3742 unsigned nxt_sq_head;
3743 long long tmp, tmp_nxt;
2d28390a 3744 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 3745
93bd25bb
JA		 3746 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3747 continue;
3748
5da0fb1a 3749 /*
3750 * Since cached_sq_head + count - 1 can overflow, use type long
3751 * long to store it.
3752 */
3753 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 3754 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3755 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 3756
3757 /*
3758 * cached_sq_head may overflow, and it will never overflow twice
3759 * once there is some timeout req still be valid.
3760 */
3761 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 3762 tmp += UINT_MAX;
5da0fb1a 3763
a1f58ba4 3764 if (tmp > tmp_nxt)
5262f567 3765 break;
a1f58ba4 3766
3767 /*
3768 * Sequence of reqs after the insert one and itself should
3769 * be adjusted because each timeout req consumes a slot.
3770 */
3771 span++;
3772 nxt->sequence++;
5262f567 3773 }
a1f58ba4 3774 req->sequence -= span;
93bd25bb 3775add:
5262f567 3776 list_add(&req->list, entry);
ad8a48ac
JA		 3777 data->timer.function = io_timeout_fn;
3778 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 3779 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 3780 return 0;
3781}
5262f567 3782
62755e35
JA		 3783static bool io_cancel_cb(struct io_wq_work *work, void *data)
3784{
3785 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3786
3787 return req->user_data == (unsigned long) data;
3788}
3789
e977d6d3 3790static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 3791{
62755e35 3792 enum io_wq_cancel cancel_ret;
62755e35
JA		 3793 int ret = 0;
3794
62755e35
JA		 3795 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3796 switch (cancel_ret) {
3797 case IO_WQ_CANCEL_OK:
3798 ret = 0;
3799 break;
3800 case IO_WQ_CANCEL_RUNNING:
3801 ret = -EALREADY;
3802 break;
3803 case IO_WQ_CANCEL_NOTFOUND:
3804 ret = -ENOENT;
3805 break;
3806 }
3807
e977d6d3
JA		 3808 return ret;
3809}
3810
47f46768
JA		 3811static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3812 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3813 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3814{
3815 unsigned long flags;
3816 int ret;
3817
3818 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3819 if (ret != -ENOENT) {
3820 spin_lock_irqsave(&ctx->completion_lock, flags);
3821 goto done;
3822 }
3823
3824 spin_lock_irqsave(&ctx->completion_lock, flags);
3825 ret = io_timeout_cancel(ctx, sqe_addr);
3826 if (ret != -ENOENT)
3827 goto done;
3828 ret = io_poll_cancel(ctx, sqe_addr);
3829done:
b0dd8a41
JA		 3830 if (!ret)
3831 ret = success_ret;
47f46768
JA		 3832 io_cqring_fill_event(req, ret);
3833 io_commit_cqring(ctx);
3834 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3835 io_cqring_ev_posted(ctx);
3836
4e88d6e7
JA		 3837 if (ret < 0)
3838 req_set_fail_links(req);
47f46768
JA		 3839 io_put_req_find_next(req, nxt);
3840}
3841
3529d8c2
JA		 3842static int io_async_cancel_prep(struct io_kiocb *req,
3843 const struct io_uring_sqe *sqe)
e977d6d3 3844{
fbf23849 3845 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3846 return -EINVAL;
3847 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3848 sqe->cancel_flags)
3849 return -EINVAL;
3850
fbf23849
JA		 3851 req->cancel.addr = READ_ONCE(sqe->addr);
3852 return 0;
3853}
3854
3855static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3856{
3857 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 3858
3859 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3860 return 0;
3861}
3862
05f3fb3c
JA		 3863static int io_files_update_prep(struct io_kiocb *req,
3864 const struct io_uring_sqe *sqe)
3865{
3866 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3867 return -EINVAL;
3868
3869 req->files_update.offset = READ_ONCE(sqe->off);
3870 req->files_update.nr_args = READ_ONCE(sqe->len);
3871 if (!req->files_update.nr_args)
3872 return -EINVAL;
3873 req->files_update.arg = READ_ONCE(sqe->addr);
3874 return 0;
3875}
3876
3877static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3878{
3879 struct io_ring_ctx *ctx = req->ctx;
3880 struct io_uring_files_update up;
3881 int ret;
3882
3883 if (force_nonblock) {
3884 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3885 return -EAGAIN;
3886 }
3887
3888 up.offset = req->files_update.offset;
3889 up.fds = req->files_update.arg;
3890
3891 mutex_lock(&ctx->uring_lock);
3892 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3893 mutex_unlock(&ctx->uring_lock);
3894
3895 if (ret < 0)
3896 req_set_fail_links(req);
3897 io_cqring_add_event(req, ret);
3898 io_put_req(req);
3899 return 0;
3900}
3901
3529d8c2
JA		 3902static int io_req_defer_prep(struct io_kiocb *req,
3903 const struct io_uring_sqe *sqe)
f67676d1 3904{
e781573e 3905 ssize_t ret = 0;
f67676d1 3906
d625c6ee 3907 switch (req->opcode) {
e781573e
JA		 3908 case IORING_OP_NOP:
3909 break;
f67676d1
JA		 3910 case IORING_OP_READV:
3911 case IORING_OP_READ_FIXED:
3a6820f2 3912 case IORING_OP_READ:
3529d8c2 3913 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 3914 break;
3915 case IORING_OP_WRITEV:
3916 case IORING_OP_WRITE_FIXED:
3a6820f2 3917 case IORING_OP_WRITE:
3529d8c2 3918 ret = io_write_prep(req, sqe, true);
f67676d1 3919 break;
0969e783 3920 case IORING_OP_POLL_ADD:
3529d8c2 3921 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 3922 break;
3923 case IORING_OP_POLL_REMOVE:
3529d8c2 3924 ret = io_poll_remove_prep(req, sqe);
0969e783 3925 break;
8ed8d3c3 3926 case IORING_OP_FSYNC:
3529d8c2 3927 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 3928 break;
3929 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 3930 ret = io_prep_sfr(req, sqe);
8ed8d3c3 3931 break;
03b1230c 3932 case IORING_OP_SENDMSG:
fddaface 3933 case IORING_OP_SEND:
3529d8c2 3934 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 3935 break;
3936 case IORING_OP_RECVMSG:
fddaface 3937 case IORING_OP_RECV:
3529d8c2 3938 ret = io_recvmsg_prep(req, sqe);
03b1230c 3939 break;
f499a021 3940 case IORING_OP_CONNECT:
3529d8c2 3941 ret = io_connect_prep(req, sqe);
f499a021 3942 break;
2d28390a 3943 case IORING_OP_TIMEOUT:
3529d8c2 3944 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 3945 break;
b29472ee 3946 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 3947 ret = io_timeout_remove_prep(req, sqe);
b29472ee 3948 break;
fbf23849 3949 case IORING_OP_ASYNC_CANCEL:
3529d8c2 3950 ret = io_async_cancel_prep(req, sqe);
fbf23849 3951 break;
2d28390a 3952 case IORING_OP_LINK_TIMEOUT:
3529d8c2 3953 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 3954 break;
8ed8d3c3 3955 case IORING_OP_ACCEPT:
3529d8c2 3956 ret = io_accept_prep(req, sqe);
8ed8d3c3 3957 break;
d63d1b5e
JA		 3958 case IORING_OP_FALLOCATE:
3959 ret = io_fallocate_prep(req, sqe);
3960 break;
15b71abe
JA		 3961 case IORING_OP_OPENAT:
3962 ret = io_openat_prep(req, sqe);
3963 break;
b5dba59e
JA		 3964 case IORING_OP_CLOSE:
3965 ret = io_close_prep(req, sqe);
3966 break;
05f3fb3c
JA		 3967 case IORING_OP_FILES_UPDATE:
3968 ret = io_files_update_prep(req, sqe);
3969 break;
eddc7ef5
JA		 3970 case IORING_OP_STATX:
3971 ret = io_statx_prep(req, sqe);
3972 break;
4840e418
JA		 3973 case IORING_OP_FADVISE:
3974 ret = io_fadvise_prep(req, sqe);
3975 break;
c1ca757b
JA		 3976 case IORING_OP_MADVISE:
3977 ret = io_madvise_prep(req, sqe);
3978 break;
f67676d1 3979 default:
e781573e
JA		 3980 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3981 req->opcode);
3982 ret = -EINVAL;
b7bb4f7d 3983 break;
f67676d1
JA		 3984 }
3985
b7bb4f7d 3986 return ret;
f67676d1
JA		 3987}
3988
3529d8c2 3989static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 3990{
a197f664 3991 struct io_ring_ctx *ctx = req->ctx;
f67676d1 3992 int ret;
de0617e4 3993
9d858b21
BL		 3994 /* Still need defer if there is pending req in defer list. */
3995 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 3996 return 0;
3997
3529d8c2 3998 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 3999 return -EAGAIN;
4000
3529d8c2 4001 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 4002 if (ret < 0)
2d28390a 4003 return ret;
2d28390a 4004
de0617e4 4005 spin_lock_irq(&ctx->completion_lock);
9d858b21 4006 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 4007 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 4008 return 0;
4009 }
4010
915967f6 4011 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 4012 list_add_tail(&req->list, &ctx->defer_list);
4013 spin_unlock_irq(&ctx->completion_lock);
4014 return -EIOCBQUEUED;
4015}
4016
3529d8c2
JA		 4017static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4018 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 4019{
a197f664 4020 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 4021 int ret;
2b188cc1 4022
d625c6ee 4023 switch (req->opcode) {
2b188cc1 4024 case IORING_OP_NOP:
78e19bbe 4025 ret = io_nop(req);
2b188cc1
JA		 4026 break;
4027 case IORING_OP_READV:
edafccee 4028 case IORING_OP_READ_FIXED:
3a6820f2 4029 case IORING_OP_READ:
3529d8c2
JA		 4030 if (sqe) {
4031 ret = io_read_prep(req, sqe, force_nonblock);
4032 if (ret < 0)
4033 break;
4034 }
267bc904 4035 ret = io_read(req, nxt, force_nonblock);
edafccee 4036 break;
3529d8c2 4037 case IORING_OP_WRITEV:
edafccee 4038 case IORING_OP_WRITE_FIXED:
3a6820f2 4039 case IORING_OP_WRITE:
3529d8c2
JA		 4040 if (sqe) {
4041 ret = io_write_prep(req, sqe, force_nonblock);
4042 if (ret < 0)
4043 break;
4044 }
267bc904 4045 ret = io_write(req, nxt, force_nonblock);
2b188cc1 4046 break;
c992fe29 4047 case IORING_OP_FSYNC:
3529d8c2
JA		 4048 if (sqe) {
4049 ret = io_prep_fsync(req, sqe);
4050 if (ret < 0)
4051 break;
4052 }
fc4df999 4053 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 4054 break;
221c5eb2 4055 case IORING_OP_POLL_ADD:
3529d8c2
JA		 4056 if (sqe) {
4057 ret = io_poll_add_prep(req, sqe);
4058 if (ret)
4059 break;
4060 }
fc4df999 4061 ret = io_poll_add(req, nxt);
221c5eb2
JA		 4062 break;
4063 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 4064 if (sqe) {
4065 ret = io_poll_remove_prep(req, sqe);
4066 if (ret < 0)
4067 break;
4068 }
fc4df999 4069 ret = io_poll_remove(req);
221c5eb2 4070 break;
5d17b4a4 4071 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 4072 if (sqe) {
4073 ret = io_prep_sfr(req, sqe);
4074 if (ret < 0)
4075 break;
4076 }
fc4df999 4077 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 4078 break;
0fa03c62 4079 case IORING_OP_SENDMSG:
fddaface 4080 case IORING_OP_SEND:
3529d8c2
JA		 4081 if (sqe) {
4082 ret = io_sendmsg_prep(req, sqe);
4083 if (ret < 0)
4084 break;
4085 }
fddaface
JA		 4086 if (req->opcode == IORING_OP_SENDMSG)
4087 ret = io_sendmsg(req, nxt, force_nonblock);
4088 else
4089 ret = io_send(req, nxt, force_nonblock);
0fa03c62 4090 break;
aa1fa28f 4091 case IORING_OP_RECVMSG:
fddaface 4092 case IORING_OP_RECV:
3529d8c2
JA		 4093 if (sqe) {
4094 ret = io_recvmsg_prep(req, sqe);
4095 if (ret)
4096 break;
4097 }
fddaface
JA		 4098 if (req->opcode == IORING_OP_RECVMSG)
4099 ret = io_recvmsg(req, nxt, force_nonblock);
4100 else
4101 ret = io_recv(req, nxt, force_nonblock);
aa1fa28f 4102 break;
5262f567 4103 case IORING_OP_TIMEOUT:
3529d8c2
JA		 4104 if (sqe) {
4105 ret = io_timeout_prep(req, sqe, false);
4106 if (ret)
4107 break;
4108 }
fc4df999 4109 ret = io_timeout(req);
5262f567 4110 break;
11365043 4111 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 4112 if (sqe) {
4113 ret = io_timeout_remove_prep(req, sqe);
4114 if (ret)
4115 break;
4116 }
fc4df999 4117 ret = io_timeout_remove(req);
11365043 4118 break;
17f2fe35 4119 case IORING_OP_ACCEPT:
3529d8c2
JA		 4120 if (sqe) {
4121 ret = io_accept_prep(req, sqe);
4122 if (ret)
4123 break;
4124 }
fc4df999 4125 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 4126 break;
f8e85cf2 4127 case IORING_OP_CONNECT:
3529d8c2
JA		 4128 if (sqe) {
4129 ret = io_connect_prep(req, sqe);
4130 if (ret)
4131 break;
4132 }
fc4df999 4133 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 4134 break;
62755e35 4135 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 4136 if (sqe) {
4137 ret = io_async_cancel_prep(req, sqe);
4138 if (ret)
4139 break;
4140 }
fc4df999 4141 ret = io_async_cancel(req, nxt);
62755e35 4142 break;
d63d1b5e
JA		 4143 case IORING_OP_FALLOCATE:
4144 if (sqe) {
4145 ret = io_fallocate_prep(req, sqe);
4146 if (ret)
4147 break;
4148 }
4149 ret = io_fallocate(req, nxt, force_nonblock);
4150 break;
15b71abe
JA		 4151 case IORING_OP_OPENAT:
4152 if (sqe) {
4153 ret = io_openat_prep(req, sqe);
4154 if (ret)
4155 break;
4156 }
4157 ret = io_openat(req, nxt, force_nonblock);
4158 break;
b5dba59e
JA		 4159 case IORING_OP_CLOSE:
4160 if (sqe) {
4161 ret = io_close_prep(req, sqe);
4162 if (ret)
4163 break;
4164 }
4165 ret = io_close(req, nxt, force_nonblock);
4166 break;
05f3fb3c
JA		 4167 case IORING_OP_FILES_UPDATE:
4168 if (sqe) {
4169 ret = io_files_update_prep(req, sqe);
4170 if (ret)
4171 break;
4172 }
4173 ret = io_files_update(req, force_nonblock);
4174 break;
eddc7ef5
JA		 4175 case IORING_OP_STATX:
4176 if (sqe) {
4177 ret = io_statx_prep(req, sqe);
4178 if (ret)
4179 break;
4180 }
4181 ret = io_statx(req, nxt, force_nonblock);
4182 break;
4840e418
JA		 4183 case IORING_OP_FADVISE:
4184 if (sqe) {
4185 ret = io_fadvise_prep(req, sqe);
4186 if (ret)
4187 break;
4188 }
4189 ret = io_fadvise(req, nxt, force_nonblock);
4190 break;
c1ca757b
JA		 4191 case IORING_OP_MADVISE:
4192 if (sqe) {
4193 ret = io_madvise_prep(req, sqe);
4194 if (ret)
4195 break;
4196 }
4197 ret = io_madvise(req, nxt, force_nonblock);
4198 break;
2b188cc1
JA		 4199 default:
4200 ret = -EINVAL;
4201 break;
4202 }
4203
def596e9
JA		 4204 if (ret)
4205 return ret;
4206
4207 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 4208 const bool in_async = io_wq_current_is_worker();
4209
9e645e11 4210 if (req->result == -EAGAIN)
def596e9
JA		 4211 return -EAGAIN;
4212
11ba820b
JA		 4213 /* workqueue context doesn't hold uring_lock, grab it now */
4214 if (in_async)
4215 mutex_lock(&ctx->uring_lock);
4216
def596e9 4217 io_iopoll_req_issued(req);
11ba820b
JA		 4218
4219 if (in_async)
4220 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 4221 }
4222
4223 return 0;
2b188cc1
JA		 4224}
4225
561fb04a 4226static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 4227{
561fb04a 4228 struct io_wq_work *work = *workptr;
2b188cc1 4229 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 4230 struct io_kiocb *nxt = NULL;
4231 int ret = 0;
2b188cc1 4232
0c9d5ccd
JA		 4233 /* if NO_CANCEL is set, we must still run the work */
4234 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4235 IO_WQ_WORK_CANCEL) {
561fb04a 4236 ret = -ECANCELED;
0c9d5ccd 4237 }
31b51510 4238
561fb04a 4239 if (!ret) {
cf6fd4bd
PB		 4240 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
4241 req->in_async = true;
561fb04a 4242 do {
3529d8c2 4243 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 4244 /*
4245 * We can get EAGAIN for polled IO even though we're
4246 * forcing a sync submission from here, since we can't
4247 * wait for request slots on the block side.
4248 */
4249 if (ret != -EAGAIN)
4250 break;
4251 cond_resched();
4252 } while (1);
4253 }
31b51510 4254
561fb04a 4255 /* drop submission reference */
ec9c02ad 4256 io_put_req(req);
817869d2 4257
561fb04a 4258 if (ret) {
4e88d6e7 4259 req_set_fail_links(req);
78e19bbe 4260 io_cqring_add_event(req, ret);
817869d2 4261 io_put_req(req);
edafccee 4262 }
2b188cc1 4263
561fb04a 4264 /* if a dependent link is ready, pass it back */
78912934
JA		 4265 if (!ret && nxt)
4266 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 4267}
4268
15b71abe 4269static int io_req_needs_file(struct io_kiocb *req, int fd)
09bb8394 4270{
d3656344 4271 if (!io_op_defs[req->opcode].needs_file)
9e3aa61a 4272 return 0;
d3656344
JA		 4273 if (fd == -1 && io_op_defs[req->opcode].fd_non_neg)
4274 return 0;
4275 return 1;
09bb8394
JA		 4276}
4277
65e19f54
JA		 4278static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4279 int index)
4280{
4281 struct fixed_file_table *table;
4282
05f3fb3c
JA		 4283 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4284 return table->files[index & IORING_FILE_TABLE_MASK];;
65e19f54
JA		 4285}
4286
3529d8c2
JA		 4287static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4288 const struct io_uring_sqe *sqe)
09bb8394 4289{
a197f664 4290 struct io_ring_ctx *ctx = req->ctx;
09bb8394 4291 unsigned flags;
d3656344 4292 int fd;
09bb8394 4293
3529d8c2
JA		 4294 flags = READ_ONCE(sqe->flags);
4295 fd = READ_ONCE(sqe->fd);
09bb8394 4296
4fe2c963 4297 if (flags & IOSQE_IO_DRAIN)
de0617e4 4298 req->flags |= REQ_F_IO_DRAIN;
de0617e4 4299
d3656344
JA		 4300 if (!io_req_needs_file(req, fd))
4301 return 0;
09bb8394
JA		 4302
4303 if (flags & IOSQE_FIXED_FILE) {
05f3fb3c 4304 if (unlikely(!ctx->file_data ||
09bb8394
JA		 4305 (unsigned) fd >= ctx->nr_user_files))
4306 return -EBADF;
b7620121 4307 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 4308 req->file = io_file_from_index(ctx, fd);
4309 if (!req->file)
08a45173 4310 return -EBADF;
09bb8394 4311 req->flags |= REQ_F_FIXED_FILE;
05f3fb3c 4312 percpu_ref_get(&ctx->file_data->refs);
09bb8394 4313 } else {
cf6fd4bd 4314 if (req->needs_fixed_file)
09bb8394 4315 return -EBADF;
c826bd7a 4316 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 4317 req->file = io_file_get(state, fd);
4318 if (unlikely(!req->file))
4319 return -EBADF;
4320 }
4321
4322 return 0;
4323}
4324
a197f664 4325static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 4326{
4327 int ret = -EBADF;
a197f664 4328 struct io_ring_ctx *ctx = req->ctx;
fcb323cc 4329
b5dba59e
JA		 4330 if (!req->ring_file)
4331 return -EBADF;
4332
fcb323cc
JA		 4333 rcu_read_lock();
4334 spin_lock_irq(&ctx->inflight_lock);
4335 /*
4336 * We use the f_ops->flush() handler to ensure that we can flush
4337 * out work accessing these files if the fd is closed. Check if
4338 * the fd has changed since we started down this path, and disallow
4339 * this operation if it has.
4340 */
cf6fd4bd 4341 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 4342 list_add(&req->inflight_entry, &ctx->inflight_list);
4343 req->flags |= REQ_F_INFLIGHT;
4344 req->work.files = current->files;
4345 ret = 0;
4346 }
4347 spin_unlock_irq(&ctx->inflight_lock);
4348 rcu_read_unlock();
4349
4350 return ret;
4351}
4352
2665abfd 4353static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 4354{
ad8a48ac
JA		 4355 struct io_timeout_data *data = container_of(timer,
4356 struct io_timeout_data, timer);
4357 struct io_kiocb *req = data->req;
2665abfd
JA		 4358 struct io_ring_ctx *ctx = req->ctx;
4359 struct io_kiocb *prev = NULL;
4360 unsigned long flags;
2665abfd
JA		 4361
4362 spin_lock_irqsave(&ctx->completion_lock, flags);
4363
4364 /*
4365 * We don't expect the list to be empty, that will only happen if we
4366 * race with the completion of the linked work.
4367 */
4493233e
PB		 4368 if (!list_empty(&req->link_list)) {
4369 prev = list_entry(req->link_list.prev, struct io_kiocb,
4370 link_list);
5d960724 4371 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 4372 list_del_init(&req->link_list);
5d960724
JA		 4373 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4374 } else
76a46e06 4375 prev = NULL;
2665abfd
JA		 4376 }
4377
4378 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4379
4380 if (prev) {
4e88d6e7 4381 req_set_fail_links(prev);
b0dd8a41
JA		 4382 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4383 -ETIME);
76a46e06 4384 io_put_req(prev);
47f46768
JA		 4385 } else {
4386 io_cqring_add_event(req, -ETIME);
4387 io_put_req(req);
2665abfd 4388 }
2665abfd
JA		 4389 return HRTIMER_NORESTART;
4390}
4391
ad8a48ac 4392static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 4393{
76a46e06 4394 struct io_ring_ctx *ctx = req->ctx;
2665abfd 4395
76a46e06
JA		 4396 /*
4397 * If the list is now empty, then our linked request finished before
4398 * we got a chance to setup the timer
4399 */
4400 spin_lock_irq(&ctx->completion_lock);
4493233e 4401 if (!list_empty(&req->link_list)) {
2d28390a 4402 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 4403
ad8a48ac
JA		 4404 data->timer.function = io_link_timeout_fn;
4405 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4406 data->mode);
2665abfd 4407 }
76a46e06 4408 spin_unlock_irq(&ctx->completion_lock);
2665abfd 4409
2665abfd 4410 /* drop submission reference */
76a46e06
JA		 4411 io_put_req(req);
4412}
2665abfd 4413
ad8a48ac 4414static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 4415{
4416 struct io_kiocb *nxt;
4417
4418 if (!(req->flags & REQ_F_LINK))
4419 return NULL;
4420
4493233e
PB		 4421 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4422 link_list);
d625c6ee 4423 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 4424 return NULL;
2665abfd 4425
76a46e06 4426 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 4427 return nxt;
2665abfd
JA		 4428}
4429
3529d8c2 4430static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 4431{
4a0a7a18 4432 struct io_kiocb *linked_timeout;
f9bd67f6 4433 struct io_kiocb *nxt = NULL;
e0c5c576 4434 int ret;
2b188cc1 4435
4a0a7a18
JA		 4436again:
4437 linked_timeout = io_prep_linked_timeout(req);
4438
3529d8c2 4439 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 4440
4441 /*
4442 * We async punt it if the file wasn't marked NOWAIT, or if the file
4443 * doesn't support non-blocking read/write attempts
4444 */
4445 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4446 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 4447 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
4448 ret = io_grab_files(req);
4449 if (ret)
4450 goto err;
2b188cc1 4451 }
bbad27b2
PB		 4452
4453 /*
4454 * Queued up for async execution, worker will release
4455 * submit reference when the iocb is actually submitted.
4456 */
4457 io_queue_async_work(req);
4a0a7a18 4458 goto done_req;
2b188cc1 4459 }
e65ef56d 4460
fcb323cc 4461err:
76a46e06 4462 /* drop submission reference */
ec9c02ad 4463 io_put_req(req);
e65ef56d 4464
f9bd67f6 4465 if (linked_timeout) {
76a46e06 4466 if (!ret)
f9bd67f6 4467 io_queue_linked_timeout(linked_timeout);
76a46e06 4468 else
f9bd67f6 4469 io_put_req(linked_timeout);
76a46e06
JA		 4470 }
4471
e65ef56d 4472 /* and drop final reference, if we failed */
9e645e11 4473 if (ret) {
78e19bbe 4474 io_cqring_add_event(req, ret);
4e88d6e7 4475 req_set_fail_links(req);
e65ef56d 4476 io_put_req(req);
9e645e11 4477 }
4a0a7a18
JA		 4478done_req:
4479 if (nxt) {
4480 req = nxt;
4481 nxt = NULL;
4482 goto again;
4483 }
2b188cc1
JA		 4484}
4485
3529d8c2 4486static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 4487{
4488 int ret;
4489
1b4a51b6
PB		 4490 if (unlikely(req->ctx->drain_next)) {
4491 req->flags |= REQ_F_IO_DRAIN;
69b3e546 4492 req->ctx->drain_next = 0;
1b4a51b6 4493 }
69b3e546 4494 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK) != 0;
1b4a51b6 4495
3529d8c2 4496 ret = io_req_defer(req, sqe);
4fe2c963
JL		 4497 if (ret) {
4498 if (ret != -EIOCBQUEUED) {
78e19bbe 4499 io_cqring_add_event(req, ret);
4e88d6e7 4500 req_set_fail_links(req);
78e19bbe 4501 io_double_put_req(req);
4fe2c963 4502 }
2550878f 4503 } else if (req->flags & REQ_F_FORCE_ASYNC) {
ce35a47a
JA		 4504 /*
4505 * Never try inline submit of IOSQE_ASYNC is set, go straight
4506 * to async execution.
4507 */
4508 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4509 io_queue_async_work(req);
4510 } else {
3529d8c2 4511 __io_queue_sqe(req, sqe);
ce35a47a 4512 }
4fe2c963
JL		 4513}
4514
1b4a51b6 4515static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 4516{
94ae5e77 4517 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 4518 io_cqring_add_event(req, -ECANCELED);
4519 io_double_put_req(req);
4520 } else
3529d8c2 4521 io_queue_sqe(req, NULL);
4fe2c963
JL		 4522}
4523
4e88d6e7 4524#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
ce35a47a 4525 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
9e645e11 4526
3529d8c2
JA		 4527static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4528 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 4529{
a197f664 4530 struct io_ring_ctx *ctx = req->ctx;
32fe525b 4531 unsigned int sqe_flags;
9e645e11
JA		 4532 int ret;
4533
32fe525b
PB		 4534 sqe_flags = READ_ONCE(sqe->flags);
4535
9e645e11 4536 /* enforce forwards compatibility on users */
32fe525b 4537 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
9e645e11 4538 ret = -EINVAL;
196be95c 4539 goto err_req;
9e645e11 4540 }
32fe525b 4541 if (sqe_flags & IOSQE_ASYNC)
ce35a47a 4542 req->flags |= REQ_F_FORCE_ASYNC;
9e645e11 4543
3529d8c2 4544 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 4545 if (unlikely(ret)) {
4546err_req:
78e19bbe
JA		 4547 io_cqring_add_event(req, ret);
4548 io_double_put_req(req);
2e6e1fde 4549 return false;
9e645e11
JA		 4550 }
4551
9e645e11
JA		 4552 /*
4553 * If we already have a head request, queue this one for async
4554 * submittal once the head completes. If we don't have a head but
4555 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4556 * submitted sync once the chain is complete. If none of those
4557 * conditions are true (normal request), then just queue it.
4558 */
4559 if (*link) {
9d76377f 4560 struct io_kiocb *head = *link;
9e645e11 4561
32fe525b 4562 if (sqe_flags & IOSQE_IO_DRAIN)
9d76377f 4563 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
1b4a51b6 4564
32fe525b 4565 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7
JA		 4566 req->flags |= REQ_F_HARDLINK;
4567
b7bb4f7d 4568 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 4569 ret = -EAGAIN;
4570 goto err_req;
4571 }
4572
3529d8c2 4573 ret = io_req_defer_prep(req, sqe);
2d28390a 4574 if (ret) {
4e88d6e7 4575 /* fail even hard links since we don't submit */
9d76377f 4576 head->flags |= REQ_F_FAIL_LINK;
f67676d1 4577 goto err_req;
2d28390a 4578 }
9d76377f
PB		 4579 trace_io_uring_link(ctx, req, head);
4580 list_add_tail(&req->link_list, &head->link_list);
32fe525b
PB		 4581
4582 /* last request of a link, enqueue the link */
4583 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4584 io_queue_link_head(head);
4585 *link = NULL;
4586 }
4587 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 4588 req->flags |= REQ_F_LINK;
32fe525b 4589 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7 4590 req->flags |= REQ_F_HARDLINK;
9e645e11 4591
9e645e11 4592 INIT_LIST_HEAD(&req->link_list);
3529d8c2
JA		 4593 ret = io_req_defer_prep(req, sqe);
4594 if (ret)
4595 req->flags |= REQ_F_FAIL_LINK;
9e645e11
JA		 4596 *link = req;
4597 } else {
3529d8c2 4598 io_queue_sqe(req, sqe);
9e645e11 4599 }
2e6e1fde
PB		 4600
4601 return true;
9e645e11
JA		 4602}
4603
9a56a232
JA		 4604/*
4605 * Batched submission is done, ensure local IO is flushed out.
4606 */
4607static void io_submit_state_end(struct io_submit_state *state)
4608{
4609 blk_finish_plug(&state->plug);
3d6770fb 4610 io_file_put(state);
2579f913
JA		 4611 if (state->free_reqs)
4612 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4613 &state->reqs[state->cur_req]);
9a56a232
JA		 4614}
4615
4616/*
4617 * Start submission side cache.
4618 */
4619static void io_submit_state_start(struct io_submit_state *state,
22efde59 4620 unsigned int max_ios)
9a56a232
JA		 4621{
4622 blk_start_plug(&state->plug);
2579f913 4623 state->free_reqs = 0;
9a56a232
JA		 4624 state->file = NULL;
4625 state->ios_left = max_ios;
4626}
4627
2b188cc1
JA		 4628static void io_commit_sqring(struct io_ring_ctx *ctx)
4629{
75b28aff 4630 struct io_rings *rings = ctx->rings;
2b188cc1 4631
caf582c6
PB		 4632 /*
4633 * Ensure any loads from the SQEs are done at this point,
4634 * since once we write the new head, the application could
4635 * write new data to them.
4636 */
4637 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 4638}
4639
2b188cc1 4640/*
3529d8c2 4641 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 4642 * that is mapped by userspace. This means that care needs to be taken to
4643 * ensure that reads are stable, as we cannot rely on userspace always
4644 * being a good citizen. If members of the sqe are validated and then later
4645 * used, it's important that those reads are done through READ_ONCE() to
4646 * prevent a re-load down the line.
4647 */
3529d8c2
JA		 4648static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4649 const struct io_uring_sqe **sqe_ptr)
2b188cc1 4650{
75b28aff 4651 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 4652 unsigned head;
4653
4654 /*
4655 * The cached sq head (or cq tail) serves two purposes:
4656 *
4657 * 1) allows us to batch the cost of updating the user visible
4658 * head updates.
4659 * 2) allows the kernel side to track the head on its own, even
4660 * though the application is the one updating it.
4661 */
ee7d46d9 4662 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
9835d6fa 4663 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 4664 /*
4665 * All io need record the previous position, if LINK vs DARIN,
4666 * it can be used to mark the position of the first IO in the
4667 * link list.
4668 */
4669 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 4670 *sqe_ptr = &ctx->sq_sqes[head];
4671 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4672 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 4673 ctx->cached_sq_head++;
4674 return true;
4675 }
4676
4677 /* drop invalid entries */
4678 ctx->cached_sq_head++;
498ccd9e 4679 ctx->cached_sq_dropped++;
ee7d46d9 4680 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 4681 return false;
4682}
4683
fb5ccc98 4684static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 4685 struct file *ring_file, int ring_fd,
4686 struct mm_struct **mm, bool async)
6c271ce2
JA		 4687{
4688 struct io_submit_state state, *statep = NULL;
9e645e11 4689 struct io_kiocb *link = NULL;
9e645e11 4690 int i, submitted = 0;
95a1b3ff 4691 bool mm_fault = false;
6c271ce2 4692
c4a2ed72 4693 /* if we have a backlog and couldn't flush it all, return BUSY */
ad3eb2c8
JA		 4694 if (test_bit(0, &ctx->sq_check_overflow)) {
4695 if (!list_empty(&ctx->cq_overflow_list) &&
4696 !io_cqring_overflow_flush(ctx, false))
4697 return -EBUSY;
4698 }
6c271ce2 4699
ee7d46d9
PB		 4700 /* make sure SQ entry isn't read before tail */
4701 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
9ef4f124 4702
2b85edfc
PB		 4703 if (!percpu_ref_tryget_many(&ctx->refs, nr))
4704 return -EAGAIN;
4705
6c271ce2 4706 if (nr > IO_PLUG_THRESHOLD) {
22efde59 4707 io_submit_state_start(&state, nr);
6c271ce2
JA		 4708 statep = &state;
4709 }
4710
4711 for (i = 0; i < nr; i++) {
3529d8c2 4712 const struct io_uring_sqe *sqe;
196be95c 4713 struct io_kiocb *req;
fb5ccc98 4714
196be95c
PB		 4715 req = io_get_req(ctx, statep);
4716 if (unlikely(!req)) {
4717 if (!submitted)
4718 submitted = -EAGAIN;
fb5ccc98 4719 break;
196be95c 4720 }
3529d8c2 4721 if (!io_get_sqring(ctx, req, &sqe)) {
2b85edfc 4722 __io_req_do_free(req);
196be95c
PB		 4723 break;
4724 }
fb5ccc98 4725
d3656344
JA		 4726 /* will complete beyond this point, count as submitted */
4727 submitted++;
4728
4729 if (unlikely(req->opcode >= IORING_OP_LAST)) {
4730 io_cqring_add_event(req, -EINVAL);
4731 io_double_put_req(req);
4732 break;
4733 }
4734
4735 if (io_op_defs[req->opcode].needs_mm && !*mm) {
95a1b3ff
PB		 4736 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4737 if (!mm_fault) {
4738 use_mm(ctx->sqo_mm);
4739 *mm = ctx->sqo_mm;
4740 }
9e645e11 4741 }
9e645e11 4742
cf6fd4bd
PB		 4743 req->ring_file = ring_file;
4744 req->ring_fd = ring_fd;
4745 req->has_user = *mm != NULL;
4746 req->in_async = async;
4747 req->needs_fixed_file = async;
d625c6ee 4748 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
3529d8c2 4749 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 4750 break;
6c271ce2
JA		 4751 }
4752
2b85edfc
PB		 4753 if (submitted != nr)
4754 percpu_ref_put_many(&ctx->refs, nr - submitted);
9e645e11 4755 if (link)
1b4a51b6 4756 io_queue_link_head(link);
6c271ce2
JA		 4757 if (statep)
4758 io_submit_state_end(&state);
4759
ae9428ca
PB		 4760 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4761 io_commit_sqring(ctx);
4762
6c271ce2
JA		 4763 return submitted;
4764}
4765
4766static int io_sq_thread(void *data)
4767{
6c271ce2
JA		 4768 struct io_ring_ctx *ctx = data;
4769 struct mm_struct *cur_mm = NULL;
181e448d 4770 const struct cred *old_cred;
6c271ce2
JA		 4771 mm_segment_t old_fs;
4772 DEFINE_WAIT(wait);
4773 unsigned inflight;
4774 unsigned long timeout;
c1edbf5f 4775 int ret;
6c271ce2 4776
206aefde 4777 complete(&ctx->completions[1]);
a4c0b3de 4778
6c271ce2
JA		 4779 old_fs = get_fs();
4780 set_fs(USER_DS);
181e448d 4781 old_cred = override_creds(ctx->creds);
6c271ce2 4782
c1edbf5f 4783 ret = timeout = inflight = 0;
2bbcd6d3 4784 while (!kthread_should_park()) {
fb5ccc98 4785 unsigned int to_submit;
6c271ce2
JA		 4786
4787 if (inflight) {
4788 unsigned nr_events = 0;
4789
4790 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 4791 /*
4792 * inflight is the count of the maximum possible
4793 * entries we submitted, but it can be smaller
4794 * if we dropped some of them. If we don't have
4795 * poll entries available, then we know that we
4796 * have nothing left to poll for. Reset the
4797 * inflight count to zero in that case.
4798 */
4799 mutex_lock(&ctx->uring_lock);
4800 if (!list_empty(&ctx->poll_list))
4801 __io_iopoll_check(ctx, &nr_events, 0);
4802 else
4803 inflight = 0;
4804 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 4805 } else {
4806 /*
4807 * Normal IO, just pretend everything completed.
4808 * We don't have to poll completions for that.
4809 */
4810 nr_events = inflight;
4811 }
4812
4813 inflight -= nr_events;
4814 if (!inflight)
4815 timeout = jiffies + ctx->sq_thread_idle;
4816 }
4817
fb5ccc98 4818 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 4819
4820 /*
4821 * If submit got -EBUSY, flag us as needing the application
4822 * to enter the kernel to reap and flush events.
4823 */
4824 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 4825 /*
4826 * We're polling. If we're within the defined idle
4827 * period, then let us spin without work before going
c1edbf5f
JA		 4828 * to sleep. The exception is if we got EBUSY doing
4829 * more IO, we should wait for the application to
4830 * reap events and wake us up.
6c271ce2 4831 */
c1edbf5f
JA		 4832 if (inflight ||
4833 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 4834 cond_resched();
6c271ce2
JA		 4835 continue;
4836 }
4837
4838 /*
4839 * Drop cur_mm before scheduling, we can't hold it for
4840 * long periods (or over schedule()). Do this before
4841 * adding ourselves to the waitqueue, as the unuse/drop
4842 * may sleep.
4843 */
4844 if (cur_mm) {
4845 unuse_mm(cur_mm);
4846 mmput(cur_mm);
4847 cur_mm = NULL;
4848 }
4849
4850 prepare_to_wait(&ctx->sqo_wait, &wait,
4851 TASK_INTERRUPTIBLE);
4852
4853 /* Tell userspace we may need a wakeup call */
75b28aff 4854 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 4855 /* make sure to read SQ tail after writing flags */
4856 smp_mb();
6c271ce2 4857
fb5ccc98 4858 to_submit = io_sqring_entries(ctx);
c1edbf5f 4859 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 4860 if (kthread_should_park()) {
6c271ce2
JA		 4861 finish_wait(&ctx->sqo_wait, &wait);
4862 break;
4863 }
4864 if (signal_pending(current))
4865 flush_signals(current);
4866 schedule();
4867 finish_wait(&ctx->sqo_wait, &wait);
4868
75b28aff 4869 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4870 continue;
4871 }
4872 finish_wait(&ctx->sqo_wait, &wait);
4873
75b28aff 4874 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4875 }
4876
8a4955ff 4877 mutex_lock(&ctx->uring_lock);
1d7bb1d5 4878 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 4879 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 4880 if (ret > 0)
4881 inflight += ret;
6c271ce2
JA		 4882 }
4883
4884 set_fs(old_fs);
4885 if (cur_mm) {
4886 unuse_mm(cur_mm);
4887 mmput(cur_mm);
4888 }
181e448d 4889 revert_creds(old_cred);
06058632 4890
2bbcd6d3 4891 kthread_parkme();
06058632 4892
6c271ce2
JA		 4893 return 0;
4894}
4895
bda52162
JA		 4896struct io_wait_queue {
4897 struct wait_queue_entry wq;
4898 struct io_ring_ctx *ctx;
4899 unsigned to_wait;
4900 unsigned nr_timeouts;
4901};
4902
1d7bb1d5 4903static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 4904{
4905 struct io_ring_ctx *ctx = iowq->ctx;
4906
4907 /*
d195a66e 4908 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 4909 * started waiting. For timeouts, we always want to return to userspace,
4910 * regardless of event count.
4911 */
1d7bb1d5 4912 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 4913 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4914}
4915
4916static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4917 int wake_flags, void *key)
4918{
4919 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4920 wq);
4921
1d7bb1d5
JA		 4922 /* use noflush == true, as we can't safely rely on locking context */
4923 if (!io_should_wake(iowq, true))
bda52162
JA		 4924 return -1;
4925
4926 return autoremove_wake_function(curr, mode, wake_flags, key);
4927}
4928
2b188cc1
JA		 4929/*
4930 * Wait until events become available, if we don't already have some. The
4931 * application must reap them itself, as they reside on the shared cq ring.
4932 */
4933static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4934 const sigset_t __user *sig, size_t sigsz)
4935{
bda52162
JA		 4936 struct io_wait_queue iowq = {
4937 .wq = {
4938 .private = current,
4939 .func = io_wake_function,
4940 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4941 },
4942 .ctx = ctx,
4943 .to_wait = min_events,
4944 };
75b28aff 4945 struct io_rings *rings = ctx->rings;
e9ffa5c2 4946 int ret = 0;
2b188cc1 4947
1d7bb1d5 4948 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 4949 return 0;
4950
4951 if (sig) {
9e75ad5d
AB		 4952#ifdef CONFIG_COMPAT
4953 if (in_compat_syscall())
4954 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 4955 sigsz);
9e75ad5d
AB		 4956 else
4957#endif
b772434b 4958 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 4959
2b188cc1
JA		 4960 if (ret)
4961 return ret;
4962 }
4963
bda52162 4964 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 4965 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 4966 do {
4967 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4968 TASK_INTERRUPTIBLE);
1d7bb1d5 4969 if (io_should_wake(&iowq, false))
bda52162
JA		 4970 break;
4971 schedule();
4972 if (signal_pending(current)) {
e9ffa5c2 4973 ret = -EINTR;
bda52162
JA		 4974 break;
4975 }
4976 } while (1);
4977 finish_wait(&ctx->wait, &iowq.wq);
4978
e9ffa5c2 4979 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 4980
75b28aff 4981 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 4982}
4983
6b06314c
JA		 4984static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4985{
4986#if defined(CONFIG_UNIX)
4987 if (ctx->ring_sock) {
4988 struct sock *sock = ctx->ring_sock->sk;
4989 struct sk_buff *skb;
4990
4991 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4992 kfree_skb(skb);
4993 }
4994#else
4995 int i;
4996
65e19f54
JA		 4997 for (i = 0; i < ctx->nr_user_files; i++) {
4998 struct file *file;
4999
5000 file = io_file_from_index(ctx, i);
5001 if (file)
5002 fput(file);
5003 }
6b06314c
JA		 5004#endif
5005}
5006
05f3fb3c
JA		 5007static void io_file_ref_kill(struct percpu_ref *ref)
5008{
5009 struct fixed_file_data *data;
5010
5011 data = container_of(ref, struct fixed_file_data, refs);
5012 complete(&data->done);
5013}
5014
6b06314c
JA		 5015static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
5016{
05f3fb3c 5017 struct fixed_file_data *data = ctx->file_data;
65e19f54
JA		 5018 unsigned nr_tables, i;
5019
05f3fb3c 5020 if (!data)
6b06314c
JA		 5021 return -ENXIO;
5022
05f3fb3c
JA		 5023 /* protect against inflight atomic switch, which drops the ref */
5024 flush_work(&data->ref_work);
5025 percpu_ref_get(&data->refs);
5026 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
5027 wait_for_completion(&data->done);
5028 percpu_ref_put(&data->refs);
5029 percpu_ref_exit(&data->refs);
5030
6b06314c 5031 __io_sqe_files_unregister(ctx);
65e19f54
JA		 5032 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
5033 for (i = 0; i < nr_tables; i++)
05f3fb3c
JA		 5034 kfree(data->table[i].files);
5035 kfree(data->table);
5036 kfree(data);
5037 ctx->file_data = NULL;
6b06314c
JA		 5038 ctx->nr_user_files = 0;
5039 return 0;
5040}
5041
6c271ce2
JA		 5042static void io_sq_thread_stop(struct io_ring_ctx *ctx)
5043{
5044 if (ctx->sqo_thread) {
206aefde 5045 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 5046 /*
5047 * The park is a bit of a work-around, without it we get
5048 * warning spews on shutdown with SQPOLL set and affinity
5049 * set to a single CPU.
5050 */
06058632 5051 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 5052 kthread_stop(ctx->sqo_thread);
5053 ctx->sqo_thread = NULL;
5054 }
5055}
5056
6b06314c
JA		 5057static void io_finish_async(struct io_ring_ctx *ctx)
5058{
6c271ce2
JA		 5059 io_sq_thread_stop(ctx);
5060
561fb04a
JA		 5061 if (ctx->io_wq) {
5062 io_wq_destroy(ctx->io_wq);
5063 ctx->io_wq = NULL;
6b06314c
JA		 5064 }
5065}
5066
5067#if defined(CONFIG_UNIX)
6b06314c
JA		 5068/*
5069 * Ensure the UNIX gc is aware of our file set, so we are certain that
5070 * the io_uring can be safely unregistered on process exit, even if we have
5071 * loops in the file referencing.
5072 */
5073static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
5074{
5075 struct sock *sk = ctx->ring_sock->sk;
5076 struct scm_fp_list *fpl;
5077 struct sk_buff *skb;
08a45173 5078 int i, nr_files;
6b06314c
JA		 5079
5080 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
5081 unsigned long inflight = ctx->user->unix_inflight + nr;
5082
5083 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
5084 return -EMFILE;
5085 }
5086
5087 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
5088 if (!fpl)
5089 return -ENOMEM;
5090
5091 skb = alloc_skb(0, GFP_KERNEL);
5092 if (!skb) {
5093 kfree(fpl);
5094 return -ENOMEM;
5095 }
5096
5097 skb->sk = sk;
6b06314c 5098
08a45173 5099 nr_files = 0;
6b06314c
JA		 5100 fpl->user = get_uid(ctx->user);
5101 for (i = 0; i < nr; i++) {
65e19f54
JA		 5102 struct file *file = io_file_from_index(ctx, i + offset);
5103
5104 if (!file)
08a45173 5105 continue;
65e19f54 5106 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 5107 unix_inflight(fpl->user, fpl->fp[nr_files]);
5108 nr_files++;
6b06314c
JA		 5109 }
5110
08a45173
JA		 5111 if (nr_files) {
5112 fpl->max = SCM_MAX_FD;
5113 fpl->count = nr_files;
5114 UNIXCB(skb).fp = fpl;
05f3fb3c 5115 skb->destructor = unix_destruct_scm;
08a45173
JA		 5116 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
5117 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 5118
08a45173
JA		 5119 for (i = 0; i < nr_files; i++)
5120 fput(fpl->fp[i]);
5121 } else {
5122 kfree_skb(skb);
5123 kfree(fpl);
5124 }
6b06314c
JA		 5125
5126 return 0;
5127}
5128
5129/*
5130 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
5131 * causes regular reference counting to break down. We rely on the UNIX
5132 * garbage collection to take care of this problem for us.
5133 */
5134static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5135{
5136 unsigned left, total;
5137 int ret = 0;
5138
5139 total = 0;
5140 left = ctx->nr_user_files;
5141 while (left) {
5142 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 5143
5144 ret = __io_sqe_files_scm(ctx, this_files, total);
5145 if (ret)
5146 break;
5147 left -= this_files;
5148 total += this_files;
5149 }
5150
5151 if (!ret)
5152 return 0;
5153
5154 while (total < ctx->nr_user_files) {
65e19f54
JA		 5155 struct file *file = io_file_from_index(ctx, total);
5156
5157 if (file)
5158 fput(file);
6b06314c
JA		 5159 total++;
5160 }
5161
5162 return ret;
5163}
5164#else
5165static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5166{
5167 return 0;
5168}
5169#endif
5170
65e19f54
JA		 5171static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5172 unsigned nr_files)
5173{
5174 int i;
5175
5176 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5177 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5178 unsigned this_files;
5179
5180 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5181 table->files = kcalloc(this_files, sizeof(struct file *),
5182 GFP_KERNEL);
5183 if (!table->files)
5184 break;
5185 nr_files -= this_files;
5186 }
5187
5188 if (i == nr_tables)
5189 return 0;
5190
5191 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5192 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5193 kfree(table->files);
5194 }
5195 return 1;
5196}
5197
05f3fb3c
JA		 5198static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5199{
5200#if defined(CONFIG_UNIX)
5201 struct sock *sock = ctx->ring_sock->sk;
5202 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5203 struct sk_buff *skb;
5204 int i;
5205
5206 __skb_queue_head_init(&list);
5207
5208 /*
5209 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5210 * remove this entry and rearrange the file array.
5211 */
5212 skb = skb_dequeue(head);
5213 while (skb) {
5214 struct scm_fp_list *fp;
5215
5216 fp = UNIXCB(skb).fp;
5217 for (i = 0; i < fp->count; i++) {
5218 int left;
5219
5220 if (fp->fp[i] != file)
5221 continue;
5222
5223 unix_notinflight(fp->user, fp->fp[i]);
5224 left = fp->count - 1 - i;
5225 if (left) {
5226 memmove(&fp->fp[i], &fp->fp[i + 1],
5227 left * sizeof(struct file *));
5228 }
5229 fp->count--;
5230 if (!fp->count) {
5231 kfree_skb(skb);
5232 skb = NULL;
5233 } else {
5234 __skb_queue_tail(&list, skb);
5235 }
5236 fput(file);
5237 file = NULL;
5238 break;
5239 }
5240
5241 if (!file)
5242 break;
5243
5244 __skb_queue_tail(&list, skb);
5245
5246 skb = skb_dequeue(head);
5247 }
5248
5249 if (skb_peek(&list)) {
5250 spin_lock_irq(&head->lock);
5251 while ((skb = __skb_dequeue(&list)) != NULL)
5252 __skb_queue_tail(head, skb);
5253 spin_unlock_irq(&head->lock);
5254 }
5255#else
5256 fput(file);
5257#endif
5258}
5259
5260struct io_file_put {
5261 struct llist_node llist;
5262 struct file *file;
5263 struct completion *done;
5264};
5265
5266static void io_ring_file_ref_switch(struct work_struct *work)
5267{
5268 struct io_file_put *pfile, *tmp;
5269 struct fixed_file_data *data;
5270 struct llist_node *node;
5271
5272 data = container_of(work, struct fixed_file_data, ref_work);
5273
5274 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5275 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5276 io_ring_file_put(data->ctx, pfile->file);
5277 if (pfile->done)
5278 complete(pfile->done);
5279 else
5280 kfree(pfile);
5281 }
5282 }
5283
5284 percpu_ref_get(&data->refs);
5285 percpu_ref_switch_to_percpu(&data->refs);
5286}
5287
5288static void io_file_data_ref_zero(struct percpu_ref *ref)
5289{
5290 struct fixed_file_data *data;
5291
5292 data = container_of(ref, struct fixed_file_data, refs);
5293
5294 /* we can't safely switch from inside this context, punt to wq */
5295 queue_work(system_wq, &data->ref_work);
5296}
5297
6b06314c
JA		 5298static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5299 unsigned nr_args)
5300{
5301 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 5302 unsigned nr_tables;
05f3fb3c 5303 struct file *file;
6b06314c
JA		 5304 int fd, ret = 0;
5305 unsigned i;
5306
05f3fb3c 5307 if (ctx->file_data)
6b06314c
JA		 5308 return -EBUSY;
5309 if (!nr_args)
5310 return -EINVAL;
5311 if (nr_args > IORING_MAX_FIXED_FILES)
5312 return -EMFILE;
5313
05f3fb3c
JA		 5314 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5315 if (!ctx->file_data)
5316 return -ENOMEM;
5317 ctx->file_data->ctx = ctx;
5318 init_completion(&ctx->file_data->done);
5319
65e19f54 5320 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
05f3fb3c
JA		 5321 ctx->file_data->table = kcalloc(nr_tables,
5322 sizeof(struct fixed_file_table),
65e19f54 5323 GFP_KERNEL);
05f3fb3c
JA		 5324 if (!ctx->file_data->table) {
5325 kfree(ctx->file_data);
5326 ctx->file_data = NULL;
6b06314c 5327 return -ENOMEM;
05f3fb3c
JA		 5328 }
5329
5330 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5331 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5332 kfree(ctx->file_data->table);
5333 kfree(ctx->file_data);
5334 ctx->file_data = NULL;
5335 return -ENOMEM;
5336 }
5337 ctx->file_data->put_llist.first = NULL;
5338 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
6b06314c 5339
65e19f54 5340 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
05f3fb3c
JA		 5341 percpu_ref_exit(&ctx->file_data->refs);
5342 kfree(ctx->file_data->table);
5343 kfree(ctx->file_data);
5344 ctx->file_data = NULL;
65e19f54
JA		 5345 return -ENOMEM;
5346 }
5347
08a45173 5348 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 5349 struct fixed_file_table *table;
5350 unsigned index;
5351
6b06314c
JA		 5352 ret = -EFAULT;
5353 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5354 break;
08a45173
JA		 5355 /* allow sparse sets */
5356 if (fd == -1) {
5357 ret = 0;
5358 continue;
5359 }
6b06314c 5360
05f3fb3c 5361 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54 5362 index = i & IORING_FILE_TABLE_MASK;
05f3fb3c 5363 file = fget(fd);
6b06314c
JA		 5364
5365 ret = -EBADF;
05f3fb3c 5366 if (!file)
6b06314c 5367 break;
05f3fb3c 5368
6b06314c
JA		 5369 /*
5370 * Don't allow io_uring instances to be registered. If UNIX
5371 * isn't enabled, then this causes a reference cycle and this
5372 * instance can never get freed. If UNIX is enabled we'll
5373 * handle it just fine, but there's still no point in allowing
5374 * a ring fd as it doesn't support regular read/write anyway.
5375 */
05f3fb3c
JA		 5376 if (file->f_op == &io_uring_fops) {
5377 fput(file);
6b06314c
JA		 5378 break;
5379 }
6b06314c 5380 ret = 0;
05f3fb3c 5381 table->files[index] = file;
6b06314c
JA		 5382 }
5383
5384 if (ret) {
65e19f54 5385 for (i = 0; i < ctx->nr_user_files; i++) {
65e19f54
JA		 5386 file = io_file_from_index(ctx, i);
5387 if (file)
5388 fput(file);
5389 }
5390 for (i = 0; i < nr_tables; i++)
05f3fb3c 5391 kfree(ctx->file_data->table[i].files);
6b06314c 5392
05f3fb3c
JA		 5393 kfree(ctx->file_data->table);
5394 kfree(ctx->file_data);
5395 ctx->file_data = NULL;
6b06314c
JA		 5396 ctx->nr_user_files = 0;
5397 return ret;
5398 }
5399
5400 ret = io_sqe_files_scm(ctx);
5401 if (ret)
5402 io_sqe_files_unregister(ctx);
5403
5404 return ret;
5405}
5406
c3a31e60
JA		 5407static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5408 int index)
5409{
5410#if defined(CONFIG_UNIX)
5411 struct sock *sock = ctx->ring_sock->sk;
5412 struct sk_buff_head *head = &sock->sk_receive_queue;
5413 struct sk_buff *skb;
5414
5415 /*
5416 * See if we can merge this file into an existing skb SCM_RIGHTS
5417 * file set. If there's no room, fall back to allocating a new skb
5418 * and filling it in.
5419 */
5420 spin_lock_irq(&head->lock);
5421 skb = skb_peek(head);
5422 if (skb) {
5423 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5424
5425 if (fpl->count < SCM_MAX_FD) {
5426 __skb_unlink(skb, head);
5427 spin_unlock_irq(&head->lock);
5428 fpl->fp[fpl->count] = get_file(file);
5429 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5430 fpl->count++;
5431 spin_lock_irq(&head->lock);
5432 __skb_queue_head(head, skb);
5433 } else {
5434 skb = NULL;
5435 }
5436 }
5437 spin_unlock_irq(&head->lock);
5438
5439 if (skb) {
5440 fput(file);
5441 return 0;
5442 }
5443
5444 return __io_sqe_files_scm(ctx, 1, index);
5445#else
5446 return 0;
5447#endif
5448}
5449
05f3fb3c 5450static void io_atomic_switch(struct percpu_ref *ref)
c3a31e60 5451{
05f3fb3c
JA		 5452 struct fixed_file_data *data;
5453
5454 data = container_of(ref, struct fixed_file_data, refs);
5455 clear_bit(FFD_F_ATOMIC, &data->state);
5456}
5457
5458static bool io_queue_file_removal(struct fixed_file_data *data,
5459 struct file *file)
5460{
5461 struct io_file_put *pfile, pfile_stack;
5462 DECLARE_COMPLETION_ONSTACK(done);
5463
5464 /*
5465 * If we fail allocating the struct we need for doing async reomval
5466 * of this file, just punt to sync and wait for it.
5467 */
5468 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5469 if (!pfile) {
5470 pfile = &pfile_stack;
5471 pfile->done = &done;
5472 }
5473
5474 pfile->file = file;
5475 llist_add(&pfile->llist, &data->put_llist);
5476
5477 if (pfile == &pfile_stack) {
5478 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5479 percpu_ref_put(&data->refs);
5480 percpu_ref_switch_to_atomic(&data->refs,
5481 io_atomic_switch);
5482 }
5483 wait_for_completion(&done);
5484 flush_work(&data->ref_work);
5485 return false;
5486 }
5487
5488 return true;
5489}
5490
5491static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5492 struct io_uring_files_update *up,
5493 unsigned nr_args)
5494{
5495 struct fixed_file_data *data = ctx->file_data;
5496 bool ref_switch = false;
5497 struct file *file;
c3a31e60
JA		 5498 __s32 __user *fds;
5499 int fd, i, err;
5500 __u32 done;
5501
05f3fb3c 5502 if (check_add_overflow(up->offset, nr_args, &done))
c3a31e60
JA		 5503 return -EOVERFLOW;
5504 if (done > ctx->nr_user_files)
5505 return -EINVAL;
5506
5507 done = 0;
05f3fb3c 5508 fds = u64_to_user_ptr(up->fds);
c3a31e60 5509 while (nr_args) {
65e19f54
JA		 5510 struct fixed_file_table *table;
5511 unsigned index;
5512
c3a31e60
JA		 5513 err = 0;
5514 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5515 err = -EFAULT;
5516 break;
5517 }
05f3fb3c
JA		 5518 i = array_index_nospec(up->offset, ctx->nr_user_files);
5519 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54
JA		 5520 index = i & IORING_FILE_TABLE_MASK;
5521 if (table->files[index]) {
05f3fb3c 5522 file = io_file_from_index(ctx, index);
65e19f54 5523 table->files[index] = NULL;
05f3fb3c
JA		 5524 if (io_queue_file_removal(data, file))
5525 ref_switch = true;
c3a31e60
JA		 5526 }
5527 if (fd != -1) {
c3a31e60
JA		 5528 file = fget(fd);
5529 if (!file) {
5530 err = -EBADF;
5531 break;
5532 }
5533 /*
5534 * Don't allow io_uring instances to be registered. If
5535 * UNIX isn't enabled, then this causes a reference
5536 * cycle and this instance can never get freed. If UNIX
5537 * is enabled we'll handle it just fine, but there's
5538 * still no point in allowing a ring fd as it doesn't
5539 * support regular read/write anyway.
5540 */
5541 if (file->f_op == &io_uring_fops) {
5542 fput(file);
5543 err = -EBADF;
5544 break;
5545 }
65e19f54 5546 table->files[index] = file;
c3a31e60
JA		 5547 err = io_sqe_file_register(ctx, file, i);
5548 if (err)
5549 break;
5550 }
5551 nr_args--;
5552 done++;
05f3fb3c
JA		 5553 up->offset++;
5554 }
5555
5556 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5557 percpu_ref_put(&data->refs);
5558 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
c3a31e60
JA		 5559 }
5560
5561 return done ? done : err;
5562}
05f3fb3c
JA		 5563static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5564 unsigned nr_args)
5565{
5566 struct io_uring_files_update up;
5567
5568 if (!ctx->file_data)
5569 return -ENXIO;
5570 if (!nr_args)
5571 return -EINVAL;
5572 if (copy_from_user(&up, arg, sizeof(up)))
5573 return -EFAULT;
5574 if (up.resv)
5575 return -EINVAL;
5576
5577 return __io_sqe_files_update(ctx, &up, nr_args);
5578}
c3a31e60 5579
7d723065
JA		 5580static void io_put_work(struct io_wq_work *work)
5581{
5582 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5583
5584 io_put_req(req);
5585}
5586
5587static void io_get_work(struct io_wq_work *work)
5588{
5589 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5590
5591 refcount_inc(&req->refs);
5592}
5593
6c271ce2
JA		 5594static int io_sq_offload_start(struct io_ring_ctx *ctx,
5595 struct io_uring_params *p)
2b188cc1 5596{
576a347b 5597 struct io_wq_data data;
561fb04a 5598 unsigned concurrency;
2b188cc1
JA		 5599 int ret;
5600
6c271ce2 5601 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 5602 mmgrab(current->mm);
5603 ctx->sqo_mm = current->mm;
5604
6c271ce2 5605 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 5606 ret = -EPERM;
5607 if (!capable(CAP_SYS_ADMIN))
5608 goto err;
5609
917257da
JA		 5610 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5611 if (!ctx->sq_thread_idle)
5612 ctx->sq_thread_idle = HZ;
5613
6c271ce2 5614 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 5615 int cpu = p->sq_thread_cpu;
6c271ce2 5616
917257da 5617 ret = -EINVAL;
44a9bd18
JA		 5618 if (cpu >= nr_cpu_ids)
5619 goto err;
7889f44d 5620 if (!cpu_online(cpu))
917257da
JA		 5621 goto err;
5622
6c271ce2
JA		 5623 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5624 ctx, cpu,
5625 "io_uring-sq");
5626 } else {
5627 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5628 "io_uring-sq");
5629 }
5630 if (IS_ERR(ctx->sqo_thread)) {
5631 ret = PTR_ERR(ctx->sqo_thread);
5632 ctx->sqo_thread = NULL;
5633 goto err;
5634 }
5635 wake_up_process(ctx->sqo_thread);
5636 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5637 /* Can't have SQ_AFF without SQPOLL */
5638 ret = -EINVAL;
5639 goto err;
5640 }
5641
576a347b
JA		 5642 data.mm = ctx->sqo_mm;
5643 data.user = ctx->user;
181e448d 5644 data.creds = ctx->creds;
576a347b
JA		 5645 data.get_work = io_get_work;
5646 data.put_work = io_put_work;
5647
561fb04a
JA		 5648 /* Do QD, or 4 * CPUS, whatever is smallest */
5649 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 5650 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 5651 if (IS_ERR(ctx->io_wq)) {
5652 ret = PTR_ERR(ctx->io_wq);
5653 ctx->io_wq = NULL;
2b188cc1
JA		 5654 goto err;
5655 }
5656
5657 return 0;
5658err:
54a91f3b 5659 io_finish_async(ctx);
2b188cc1
JA		 5660 mmdrop(ctx->sqo_mm);
5661 ctx->sqo_mm = NULL;
5662 return ret;
5663}
5664
5665static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5666{
5667 atomic_long_sub(nr_pages, &user->locked_vm);
5668}
5669
5670static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5671{
5672 unsigned long page_limit, cur_pages, new_pages;
5673
5674 /* Don't allow more pages than we can safely lock */
5675 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5676
5677 do {
5678 cur_pages = atomic_long_read(&user->locked_vm);
5679 new_pages = cur_pages + nr_pages;
5680 if (new_pages > page_limit)
5681 return -ENOMEM;
5682 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5683 new_pages) != cur_pages);
5684
5685 return 0;
5686}
5687
5688static void io_mem_free(void *ptr)
5689{
52e04ef4
MR		 5690 struct page *page;
5691
5692 if (!ptr)
5693 return;
2b188cc1 5694
52e04ef4 5695 page = virt_to_head_page(ptr);
2b188cc1
JA		 5696 if (put_page_testzero(page))
5697 free_compound_page(page);
5698}
5699
5700static void *io_mem_alloc(size_t size)
5701{
5702 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5703 __GFP_NORETRY;
5704
5705 return (void *) __get_free_pages(gfp_flags, get_order(size));
5706}
5707
75b28aff
HV		 5708static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5709 size_t *sq_offset)
5710{
5711 struct io_rings *rings;
5712 size_t off, sq_array_size;
5713
5714 off = struct_size(rings, cqes, cq_entries);
5715 if (off == SIZE_MAX)
5716 return SIZE_MAX;
5717
5718#ifdef CONFIG_SMP
5719 off = ALIGN(off, SMP_CACHE_BYTES);
5720 if (off == 0)
5721 return SIZE_MAX;
5722#endif
5723
5724 sq_array_size = array_size(sizeof(u32), sq_entries);
5725 if (sq_array_size == SIZE_MAX)
5726 return SIZE_MAX;
5727
5728 if (check_add_overflow(off, sq_array_size, &off))
5729 return SIZE_MAX;
5730
5731 if (sq_offset)
5732 *sq_offset = off;
5733
5734 return off;
5735}
5736
2b188cc1
JA		 5737static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5738{
75b28aff 5739 size_t pages;
2b188cc1 5740
75b28aff
HV		 5741 pages = (size_t)1 << get_order(
5742 rings_size(sq_entries, cq_entries, NULL));
5743 pages += (size_t)1 << get_order(
5744 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 5745
75b28aff 5746 return pages;
2b188cc1
JA		 5747}
5748
edafccee
JA		 5749static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5750{
5751 int i, j;
5752
5753 if (!ctx->user_bufs)
5754 return -ENXIO;
5755
5756 for (i = 0; i < ctx->nr_user_bufs; i++) {
5757 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5758
5759 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 5760 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 5761
5762 if (ctx->account_mem)
5763 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 5764 kvfree(imu->bvec);
edafccee
JA		 5765 imu->nr_bvecs = 0;
5766 }
5767
5768 kfree(ctx->user_bufs);
5769 ctx->user_bufs = NULL;
5770 ctx->nr_user_bufs = 0;
5771 return 0;
5772}
5773
5774static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5775 void __user *arg, unsigned index)
5776{
5777 struct iovec __user *src;
5778
5779#ifdef CONFIG_COMPAT
5780 if (ctx->compat) {
5781 struct compat_iovec __user *ciovs;
5782 struct compat_iovec ciov;
5783
5784 ciovs = (struct compat_iovec __user *) arg;
5785 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5786 return -EFAULT;
5787
d55e5f5b 5788 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 5789 dst->iov_len = ciov.iov_len;
5790 return 0;
5791 }
5792#endif
5793 src = (struct iovec __user *) arg;
5794 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5795 return -EFAULT;
5796 return 0;
5797}
5798
5799static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5800 unsigned nr_args)
5801{
5802 struct vm_area_struct **vmas = NULL;
5803 struct page **pages = NULL;
5804 int i, j, got_pages = 0;
5805 int ret = -EINVAL;
5806
5807 if (ctx->user_bufs)
5808 return -EBUSY;
5809 if (!nr_args || nr_args > UIO_MAXIOV)
5810 return -EINVAL;
5811
5812 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5813 GFP_KERNEL);
5814 if (!ctx->user_bufs)
5815 return -ENOMEM;
5816
5817 for (i = 0; i < nr_args; i++) {
5818 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5819 unsigned long off, start, end, ubuf;
5820 int pret, nr_pages;
5821 struct iovec iov;
5822 size_t size;
5823
5824 ret = io_copy_iov(ctx, &iov, arg, i);
5825 if (ret)
a278682d 5826 goto err;
edafccee
JA		 5827
5828 /*
5829 * Don't impose further limits on the size and buffer
5830 * constraints here, we'll -EINVAL later when IO is
5831 * submitted if they are wrong.
5832 */
5833 ret = -EFAULT;
5834 if (!iov.iov_base || !iov.iov_len)
5835 goto err;
5836
5837 /* arbitrary limit, but we need something */
5838 if (iov.iov_len > SZ_1G)
5839 goto err;
5840
5841 ubuf = (unsigned long) iov.iov_base;
5842 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5843 start = ubuf >> PAGE_SHIFT;
5844 nr_pages = end - start;
5845
5846 if (ctx->account_mem) {
5847 ret = io_account_mem(ctx->user, nr_pages);
5848 if (ret)
5849 goto err;
5850 }
5851
5852 ret = 0;
5853 if (!pages || nr_pages > got_pages) {
5854 kfree(vmas);
5855 kfree(pages);
d4ef6475 5856 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 5857 GFP_KERNEL);
d4ef6475 5858 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 5859 sizeof(struct vm_area_struct *),
5860 GFP_KERNEL);
5861 if (!pages || !vmas) {
5862 ret = -ENOMEM;
5863 if (ctx->account_mem)
5864 io_unaccount_mem(ctx->user, nr_pages);
5865 goto err;
5866 }
5867 got_pages = nr_pages;
5868 }
5869
d4ef6475 5870 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 5871 GFP_KERNEL);
5872 ret = -ENOMEM;
5873 if (!imu->bvec) {
5874 if (ctx->account_mem)
5875 io_unaccount_mem(ctx->user, nr_pages);
5876 goto err;
5877 }
5878
5879 ret = 0;
5880 down_read(&current->mm->mmap_sem);
932f4a63
IW		 5881 pret = get_user_pages(ubuf, nr_pages,
5882 FOLL_WRITE | FOLL_LONGTERM,
5883 pages, vmas);
edafccee
JA		 5884 if (pret == nr_pages) {
5885 /* don't support file backed memory */
5886 for (j = 0; j < nr_pages; j++) {
5887 struct vm_area_struct *vma = vmas[j];
5888
5889 if (vma->vm_file &&
5890 !is_file_hugepages(vma->vm_file)) {
5891 ret = -EOPNOTSUPP;
5892 break;
5893 }
5894 }
5895 } else {
5896 ret = pret < 0 ? pret : -EFAULT;
5897 }
5898 up_read(&current->mm->mmap_sem);
5899 if (ret) {
5900 /*
5901 * if we did partial map, or found file backed vmas,
5902 * release any pages we did get
5903 */
27c4d3a3
JH		 5904 if (pret > 0)
5905 put_user_pages(pages, pret);
edafccee
JA		 5906 if (ctx->account_mem)
5907 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 5908 kvfree(imu->bvec);
edafccee
JA		 5909 goto err;
5910 }
5911
5912 off = ubuf & ~PAGE_MASK;
5913 size = iov.iov_len;
5914 for (j = 0; j < nr_pages; j++) {
5915 size_t vec_len;
5916
5917 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5918 imu->bvec[j].bv_page = pages[j];
5919 imu->bvec[j].bv_len = vec_len;
5920 imu->bvec[j].bv_offset = off;
5921 off = 0;
5922 size -= vec_len;
5923 }
5924 /* store original address for later verification */
5925 imu->ubuf = ubuf;
5926 imu->len = iov.iov_len;
5927 imu->nr_bvecs = nr_pages;
5928
5929 ctx->nr_user_bufs++;
5930 }
d4ef6475
MR		 5931 kvfree(pages);
5932 kvfree(vmas);
edafccee
JA		 5933 return 0;
5934err:
d4ef6475
MR		 5935 kvfree(pages);
5936 kvfree(vmas);
edafccee
JA		 5937 io_sqe_buffer_unregister(ctx);
5938 return ret;
5939}
5940
9b402849
JA		 5941static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
5942{
5943 __s32 __user *fds = arg;
5944 int fd;
5945
5946 if (ctx->cq_ev_fd)
5947 return -EBUSY;
5948
5949 if (copy_from_user(&fd, fds, sizeof(*fds)))
5950 return -EFAULT;
5951
5952 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
5953 if (IS_ERR(ctx->cq_ev_fd)) {
5954 int ret = PTR_ERR(ctx->cq_ev_fd);
5955 ctx->cq_ev_fd = NULL;
5956 return ret;
5957 }
5958
5959 return 0;
5960}
5961
5962static int io_eventfd_unregister(struct io_ring_ctx *ctx)
5963{
5964 if (ctx->cq_ev_fd) {
5965 eventfd_ctx_put(ctx->cq_ev_fd);
5966 ctx->cq_ev_fd = NULL;
5967 return 0;
5968 }
5969
5970 return -ENXIO;
5971}
5972
2b188cc1
JA		 5973static void io_ring_ctx_free(struct io_ring_ctx *ctx)
5974{
6b06314c 5975 io_finish_async(ctx);
2b188cc1
JA		 5976 if (ctx->sqo_mm)
5977 mmdrop(ctx->sqo_mm);
def596e9
JA		 5978
5979 io_iopoll_reap_events(ctx);
edafccee 5980 io_sqe_buffer_unregister(ctx);
6b06314c 5981 io_sqe_files_unregister(ctx);
9b402849 5982 io_eventfd_unregister(ctx);
def596e9 5983
2b188cc1 5984#if defined(CONFIG_UNIX)
355e8d26
EB		 5985 if (ctx->ring_sock) {
5986 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 5987 sock_release(ctx->ring_sock);
355e8d26 5988 }
2b188cc1
JA		 5989#endif
5990
75b28aff 5991 io_mem_free(ctx->rings);
2b188cc1 5992 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 5993
5994 percpu_ref_exit(&ctx->refs);
5995 if (ctx->account_mem)
5996 io_unaccount_mem(ctx->user,
5997 ring_pages(ctx->sq_entries, ctx->cq_entries));
5998 free_uid(ctx->user);
181e448d 5999 put_cred(ctx->creds);
206aefde 6000 kfree(ctx->completions);
78076bb6 6001 kfree(ctx->cancel_hash);
0ddf92e8 6002 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 6003 kfree(ctx);
6004}
6005
6006static __poll_t io_uring_poll(struct file *file, poll_table *wait)
6007{
6008 struct io_ring_ctx *ctx = file->private_data;
6009 __poll_t mask = 0;
6010
6011 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 6012 /*
6013 * synchronizes with barrier from wq_has_sleeper call in
6014 * io_commit_cqring
6015 */
2b188cc1 6016 smp_rmb();
75b28aff
HV		 6017 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
6018 ctx->rings->sq_ring_entries)
2b188cc1 6019 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 6020 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 6021 mask |= EPOLLIN | EPOLLRDNORM;
6022
6023 return mask;
6024}
6025
6026static int io_uring_fasync(int fd, struct file *file, int on)
6027{
6028 struct io_ring_ctx *ctx = file->private_data;
6029
6030 return fasync_helper(fd, file, on, &ctx->cq_fasync);
6031}
6032
6033static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
6034{
6035 mutex_lock(&ctx->uring_lock);
6036 percpu_ref_kill(&ctx->refs);
6037 mutex_unlock(&ctx->uring_lock);
6038
5262f567 6039 io_kill_timeouts(ctx);
221c5eb2 6040 io_poll_remove_all(ctx);
561fb04a
JA		 6041
6042 if (ctx->io_wq)
6043 io_wq_cancel_all(ctx->io_wq);
6044
def596e9 6045 io_iopoll_reap_events(ctx);
15dff286
JA		 6046 /* if we failed setting up the ctx, we might not have any rings */
6047 if (ctx->rings)
6048 io_cqring_overflow_flush(ctx, true);
206aefde 6049 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 6050 io_ring_ctx_free(ctx);
6051}
6052
6053static int io_uring_release(struct inode *inode, struct file *file)
6054{
6055 struct io_ring_ctx *ctx = file->private_data;
6056
6057 file->private_data = NULL;
6058 io_ring_ctx_wait_and_kill(ctx);
6059 return 0;
6060}
6061
fcb323cc
JA		 6062static void io_uring_cancel_files(struct io_ring_ctx *ctx,
6063 struct files_struct *files)
6064{
6065 struct io_kiocb *req;
6066 DEFINE_WAIT(wait);
6067
6068 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 6069 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 6070
6071 spin_lock_irq(&ctx->inflight_lock);
6072 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 6073 if (req->work.files != files)
6074 continue;
6075 /* req is being completed, ignore */
6076 if (!refcount_inc_not_zero(&req->refs))
6077 continue;
6078 cancel_req = req;
6079 break;
fcb323cc 6080 }
768134d4 6081 if (cancel_req)
fcb323cc 6082 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 6083 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 6084 spin_unlock_irq(&ctx->inflight_lock);
6085
768134d4
JA		 6086 /* We need to keep going until we don't find a matching req */
6087 if (!cancel_req)
fcb323cc 6088 break;
2f6d9b9d
BL		 6089
6090 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
6091 io_put_req(cancel_req);
fcb323cc
JA		 6092 schedule();
6093 }
768134d4 6094 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 6095}
6096
6097static int io_uring_flush(struct file *file, void *data)
6098{
6099 struct io_ring_ctx *ctx = file->private_data;
6100
6101 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 6102 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
6103 io_cqring_overflow_flush(ctx, true);
fcb323cc 6104 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 6105 }
fcb323cc
JA		 6106 return 0;
6107}
6108
6c5c240e
RP		 6109static void *io_uring_validate_mmap_request(struct file *file,
6110 loff_t pgoff, size_t sz)
2b188cc1 6111{
2b188cc1 6112 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 6113 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 6114 struct page *page;
6115 void *ptr;
6116
6117 switch (offset) {
6118 case IORING_OFF_SQ_RING:
75b28aff
HV		 6119 case IORING_OFF_CQ_RING:
6120 ptr = ctx->rings;
2b188cc1
JA		 6121 break;
6122 case IORING_OFF_SQES:
6123 ptr = ctx->sq_sqes;
6124 break;
2b188cc1 6125 default:
6c5c240e 6126 return ERR_PTR(-EINVAL);
2b188cc1
JA		 6127 }
6128
6129 page = virt_to_head_page(ptr);
a50b854e 6130 if (sz > page_size(page))
6c5c240e
RP		 6131 return ERR_PTR(-EINVAL);
6132
6133 return ptr;
6134}
6135
6136#ifdef CONFIG_MMU
6137
6138static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6139{
6140 size_t sz = vma->vm_end - vma->vm_start;
6141 unsigned long pfn;
6142 void *ptr;
6143
6144 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
6145 if (IS_ERR(ptr))
6146 return PTR_ERR(ptr);
2b188cc1
JA		 6147
6148 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
6149 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
6150}
6151
6c5c240e
RP		 6152#else /* !CONFIG_MMU */
6153
6154static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6155{
6156 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
6157}
6158
6159static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6160{
6161 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6162}
6163
6164static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6165 unsigned long addr, unsigned long len,
6166 unsigned long pgoff, unsigned long flags)
6167{
6168 void *ptr;
6169
6170 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6171 if (IS_ERR(ptr))
6172 return PTR_ERR(ptr);
6173
6174 return (unsigned long) ptr;
6175}
6176
6177#endif /* !CONFIG_MMU */
6178
2b188cc1
JA		 6179SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6180 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6181 size_t, sigsz)
6182{
6183 struct io_ring_ctx *ctx;
6184 long ret = -EBADF;
6185 int submitted = 0;
6186 struct fd f;
6187
6c271ce2 6188 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 6189 return -EINVAL;
6190
6191 f = fdget(fd);
6192 if (!f.file)
6193 return -EBADF;
6194
6195 ret = -EOPNOTSUPP;
6196 if (f.file->f_op != &io_uring_fops)
6197 goto out_fput;
6198
6199 ret = -ENXIO;
6200 ctx = f.file->private_data;
6201 if (!percpu_ref_tryget(&ctx->refs))
6202 goto out_fput;
6203
6c271ce2
JA		 6204 /*
6205 * For SQ polling, the thread will do all submissions and completions.
6206 * Just return the requested submit count, and wake the thread if
6207 * we were asked to.
6208 */
b2a9eada 6209 ret = 0;
6c271ce2 6210 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 6211 if (!list_empty_careful(&ctx->cq_overflow_list))
6212 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 6213 if (flags & IORING_ENTER_SQ_WAKEUP)
6214 wake_up(&ctx->sqo_wait);
6215 submitted = to_submit;
b2a9eada 6216 } else if (to_submit) {
ae9428ca 6217 struct mm_struct *cur_mm;
2b188cc1 6218
44d28279
JA		 6219 if (current->mm != ctx->sqo_mm ||
6220 current_cred() != ctx->creds) {
6221 ret = -EPERM;
6222 goto out;
6223 }
6224
2b188cc1 6225 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 6226 /* already have mm, so io_submit_sqes() won't try to grab it */
6227 cur_mm = ctx->sqo_mm;
6228 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6229 &cur_mm, false);
2b188cc1 6230 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 6231
6232 if (submitted != to_submit)
6233 goto out;
2b188cc1
JA		 6234 }
6235 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 6236 unsigned nr_events = 0;
6237
2b188cc1
JA		 6238 min_complete = min(min_complete, ctx->cq_entries);
6239
def596e9 6240 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 6241 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 6242 } else {
6243 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6244 }
2b188cc1
JA		 6245 }
6246
7c504e65 6247out:
6805b32e 6248 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 6249out_fput:
6250 fdput(f);
6251 return submitted ? submitted : ret;
6252}
6253
6254static const struct file_operations io_uring_fops = {
6255 .release = io_uring_release,
fcb323cc 6256 .flush = io_uring_flush,
2b188cc1 6257 .mmap = io_uring_mmap,
6c5c240e
RP		 6258#ifndef CONFIG_MMU
6259 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6260 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6261#endif
2b188cc1
JA		 6262 .poll = io_uring_poll,
6263 .fasync = io_uring_fasync,
6264};
6265
6266static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6267 struct io_uring_params *p)
6268{
75b28aff
HV		 6269 struct io_rings *rings;
6270 size_t size, sq_array_offset;
2b188cc1 6271
75b28aff
HV		 6272 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6273 if (size == SIZE_MAX)
6274 return -EOVERFLOW;
6275
6276 rings = io_mem_alloc(size);
6277 if (!rings)
2b188cc1
JA		 6278 return -ENOMEM;
6279
75b28aff
HV		 6280 ctx->rings = rings;
6281 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6282 rings->sq_ring_mask = p->sq_entries - 1;
6283 rings->cq_ring_mask = p->cq_entries - 1;
6284 rings->sq_ring_entries = p->sq_entries;
6285 rings->cq_ring_entries = p->cq_entries;
6286 ctx->sq_mask = rings->sq_ring_mask;
6287 ctx->cq_mask = rings->cq_ring_mask;
6288 ctx->sq_entries = rings->sq_ring_entries;
6289 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 6290
6291 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 6292 if (size == SIZE_MAX) {
6293 io_mem_free(ctx->rings);
6294 ctx->rings = NULL;
2b188cc1 6295 return -EOVERFLOW;
eb065d30 6296 }
2b188cc1
JA		 6297
6298 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 6299 if (!ctx->sq_sqes) {
6300 io_mem_free(ctx->rings);
6301 ctx->rings = NULL;
2b188cc1 6302 return -ENOMEM;
eb065d30 6303 }
2b188cc1 6304
2b188cc1
JA		 6305 return 0;
6306}
6307
6308/*
6309 * Allocate an anonymous fd, this is what constitutes the application
6310 * visible backing of an io_uring instance. The application mmaps this
6311 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6312 * we have to tie this fd to a socket for file garbage collection purposes.
6313 */
6314static int io_uring_get_fd(struct io_ring_ctx *ctx)
6315{
6316 struct file *file;
6317 int ret;
6318
6319#if defined(CONFIG_UNIX)
6320 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6321 &ctx->ring_sock);
6322 if (ret)
6323 return ret;
6324#endif
6325
6326 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6327 if (ret < 0)
6328 goto err;
6329
6330 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6331 O_RDWR | O_CLOEXEC);
6332 if (IS_ERR(file)) {
6333 put_unused_fd(ret);
6334 ret = PTR_ERR(file);
6335 goto err;
6336 }
6337
6338#if defined(CONFIG_UNIX)
6339 ctx->ring_sock->file = file;
6340#endif
6341 fd_install(ret, file);
6342 return ret;
6343err:
6344#if defined(CONFIG_UNIX)
6345 sock_release(ctx->ring_sock);
6346 ctx->ring_sock = NULL;
6347#endif
6348 return ret;
6349}
6350
6351static int io_uring_create(unsigned entries, struct io_uring_params *p)
6352{
6353 struct user_struct *user = NULL;
6354 struct io_ring_ctx *ctx;
6355 bool account_mem;
6356 int ret;
6357
8110c1a6 6358 if (!entries)
2b188cc1 6359 return -EINVAL;
8110c1a6
JA		 6360 if (entries > IORING_MAX_ENTRIES) {
6361 if (!(p->flags & IORING_SETUP_CLAMP))
6362 return -EINVAL;
6363 entries = IORING_MAX_ENTRIES;
6364 }
2b188cc1
JA		 6365
6366 /*
6367 * Use twice as many entries for the CQ ring. It's possible for the
6368 * application to drive a higher depth than the size of the SQ ring,
6369 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 6370 * some flexibility in overcommitting a bit. If the application has
6371 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6372 * of CQ ring entries manually.
2b188cc1
JA		 6373 */
6374 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 6375 if (p->flags & IORING_SETUP_CQSIZE) {
6376 /*
6377 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6378 * to a power-of-two, if it isn't already. We do NOT impose
6379 * any cq vs sq ring sizing.
6380 */
8110c1a6 6381 if (p->cq_entries < p->sq_entries)
33a107f0 6382 return -EINVAL;
8110c1a6
JA		 6383 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
6384 if (!(p->flags & IORING_SETUP_CLAMP))
6385 return -EINVAL;
6386 p->cq_entries = IORING_MAX_CQ_ENTRIES;
6387 }
33a107f0
JA		 6388 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6389 } else {
6390 p->cq_entries = 2 * p->sq_entries;
6391 }
2b188cc1
JA		 6392
6393 user = get_uid(current_user());
6394 account_mem = !capable(CAP_IPC_LOCK);
6395
6396 if (account_mem) {
6397 ret = io_account_mem(user,
6398 ring_pages(p->sq_entries, p->cq_entries));
6399 if (ret) {
6400 free_uid(user);
6401 return ret;
6402 }
6403 }
6404
6405 ctx = io_ring_ctx_alloc(p);
6406 if (!ctx) {
6407 if (account_mem)
6408 io_unaccount_mem(user, ring_pages(p->sq_entries,
6409 p->cq_entries));
6410 free_uid(user);
6411 return -ENOMEM;
6412 }
6413 ctx->compat = in_compat_syscall();
6414 ctx->account_mem = account_mem;
6415 ctx->user = user;
0b8c0ec7 6416 ctx->creds = get_current_cred();
2b188cc1
JA		 6417
6418 ret = io_allocate_scq_urings(ctx, p);
6419 if (ret)
6420 goto err;
6421
6c271ce2 6422 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 6423 if (ret)
6424 goto err;
6425
2b188cc1 6426 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 6427 p->sq_off.head = offsetof(struct io_rings, sq.head);
6428 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6429 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6430 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6431 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6432 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6433 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 6434
6435 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 6436 p->cq_off.head = offsetof(struct io_rings, cq.head);
6437 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6438 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6439 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6440 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6441 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 6442
044c1ab3
JA		 6443 /*
6444 * Install ring fd as the very last thing, so we don't risk someone
6445 * having closed it before we finish setup
6446 */
6447 ret = io_uring_get_fd(ctx);
6448 if (ret < 0)
6449 goto err;
6450
da8c9690 6451 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
ba04291e 6452 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS;
c826bd7a 6453 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 6454 return ret;
6455err:
6456 io_ring_ctx_wait_and_kill(ctx);
6457 return ret;
6458}
6459
6460/*
6461 * Sets up an aio uring context, and returns the fd. Applications asks for a
6462 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6463 * params structure passed in.
6464 */
6465static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6466{
6467 struct io_uring_params p;
6468 long ret;
6469 int i;
6470
6471 if (copy_from_user(&p, params, sizeof(p)))
6472 return -EFAULT;
6473 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6474 if (p.resv[i])
6475 return -EINVAL;
6476 }
6477
6c271ce2 6478 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8110c1a6
JA		 6479 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
6480 IORING_SETUP_CLAMP))
2b188cc1
JA		 6481 return -EINVAL;
6482
6483 ret = io_uring_create(entries, &p);
6484 if (ret < 0)
6485 return ret;
6486
6487 if (copy_to_user(params, &p, sizeof(p)))
6488 return -EFAULT;
6489
6490 return ret;
6491}
6492
6493SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6494 struct io_uring_params __user *, params)
6495{
6496 return io_uring_setup(entries, params);
6497}
6498
edafccee
JA		 6499static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
6500 void __user *arg, unsigned nr_args)
b19062a5
JA		 6501 __releases(ctx->uring_lock)
6502 __acquires(ctx->uring_lock)
edafccee
JA		 6503{
6504 int ret;
6505
35fa71a0
JA		 6506 /*
6507 * We're inside the ring mutex, if the ref is already dying, then
6508 * someone else killed the ctx or is already going through
6509 * io_uring_register().
6510 */
6511 if (percpu_ref_is_dying(&ctx->refs))
6512 return -ENXIO;
6513
05f3fb3c
JA		 6514 if (opcode != IORING_UNREGISTER_FILES &&
6515 opcode != IORING_REGISTER_FILES_UPDATE) {
6516 percpu_ref_kill(&ctx->refs);
b19062a5 6517
05f3fb3c
JA		 6518 /*
6519 * Drop uring mutex before waiting for references to exit. If
6520 * another thread is currently inside io_uring_enter() it might
6521 * need to grab the uring_lock to make progress. If we hold it
6522 * here across the drain wait, then we can deadlock. It's safe
6523 * to drop the mutex here, since no new references will come in
6524 * after we've killed the percpu ref.
6525 */
6526 mutex_unlock(&ctx->uring_lock);
c150368b 6527 ret = wait_for_completion_interruptible(&ctx->completions[0]);
05f3fb3c 6528 mutex_lock(&ctx->uring_lock);
c150368b
JA		 6529 if (ret) {
6530 percpu_ref_resurrect(&ctx->refs);
6531 ret = -EINTR;
6532 goto out;
6533 }
05f3fb3c 6534 }
edafccee
JA		 6535
6536 switch (opcode) {
6537 case IORING_REGISTER_BUFFERS:
6538 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6539 break;
6540 case IORING_UNREGISTER_BUFFERS:
6541 ret = -EINVAL;
6542 if (arg || nr_args)
6543 break;
6544 ret = io_sqe_buffer_unregister(ctx);
6545 break;
6b06314c
JA		 6546 case IORING_REGISTER_FILES:
6547 ret = io_sqe_files_register(ctx, arg, nr_args);
6548 break;
6549 case IORING_UNREGISTER_FILES:
6550 ret = -EINVAL;
6551 if (arg || nr_args)
6552 break;
6553 ret = io_sqe_files_unregister(ctx);
6554 break;
c3a31e60
JA		 6555 case IORING_REGISTER_FILES_UPDATE:
6556 ret = io_sqe_files_update(ctx, arg, nr_args);
6557 break;
9b402849
JA		 6558 case IORING_REGISTER_EVENTFD:
6559 ret = -EINVAL;
6560 if (nr_args != 1)
6561 break;
6562 ret = io_eventfd_register(ctx, arg);
6563 break;
6564 case IORING_UNREGISTER_EVENTFD:
6565 ret = -EINVAL;
6566 if (arg || nr_args)
6567 break;
6568 ret = io_eventfd_unregister(ctx);
6569 break;
edafccee
JA		 6570 default:
6571 ret = -EINVAL;
6572 break;
6573 }
6574
05f3fb3c
JA		 6575
6576 if (opcode != IORING_UNREGISTER_FILES &&
6577 opcode != IORING_REGISTER_FILES_UPDATE) {
6578 /* bring the ctx back to life */
05f3fb3c 6579 percpu_ref_reinit(&ctx->refs);
c150368b
JA		 6580out:
6581 reinit_completion(&ctx->completions[0]);
05f3fb3c 6582 }
edafccee
JA		 6583 return ret;
6584}
6585
6586SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6587 void __user *, arg, unsigned int, nr_args)
6588{
6589 struct io_ring_ctx *ctx;
6590 long ret = -EBADF;
6591 struct fd f;
6592
6593 f = fdget(fd);
6594 if (!f.file)
6595 return -EBADF;
6596
6597 ret = -EOPNOTSUPP;
6598 if (f.file->f_op != &io_uring_fops)
6599 goto out_fput;
6600
6601 ctx = f.file->private_data;
6602
6603 mutex_lock(&ctx->uring_lock);
6604 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6605 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 6606 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6607 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 6608out_fput:
6609 fdput(f);
6610 return ret;
6611}
6612
2b188cc1
JA		 6613static int __init io_uring_init(void)
6614{
d3656344 6615 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
2b188cc1
JA		 6616 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6617 return 0;
6618};
6619__initcall(io_uring_init);
Linux 6.x block layer and io_uring tree(s)