projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: Ensure mask is initialized in io_arm_poll_handler
[linux-2.6-block.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
6b47ee6e 49#include <linux/bits.h>
2b188cc1
JA		 50
51#include <linux/sched/signal.h>
52#include <linux/fs.h>
53#include <linux/file.h>
54#include <linux/fdtable.h>
55#include <linux/mm.h>
56#include <linux/mman.h>
57#include <linux/mmu_context.h>
58#include <linux/percpu.h>
59#include <linux/slab.h>
6c271ce2 60#include <linux/kthread.h>
2b188cc1 61#include <linux/blkdev.h>
edafccee 62#include <linux/bvec.h>
2b188cc1
JA		 63#include <linux/net.h>
64#include <net/sock.h>
65#include <net/af_unix.h>
6b06314c 66#include <net/scm.h>
2b188cc1
JA		 67#include <linux/anon_inodes.h>
68#include <linux/sched/mm.h>
69#include <linux/uaccess.h>
70#include <linux/nospec.h>
edafccee
JA		 71#include <linux/sizes.h>
72#include <linux/hugetlb.h>
aa4c3967 73#include <linux/highmem.h>
15b71abe
JA		 74#include <linux/namei.h>
75#include <linux/fsnotify.h>
4840e418 76#include <linux/fadvise.h>
3e4827b0 77#include <linux/eventpoll.h>
ff002b30 78#include <linux/fs_struct.h>
7d67af2c 79#include <linux/splice.h>
b41e9852 80#include <linux/task_work.h>
2b188cc1 81
c826bd7a
DD		 82#define CREATE_TRACE_POINTS
83#include <trace/events/io_uring.h>
84
2b188cc1
JA		 85#include <uapi/linux/io_uring.h>
86
87#include "internal.h"
561fb04a 88#include "io-wq.h"
2b188cc1 89
5277deaa 90#define IORING_MAX_ENTRIES 32768
33a107f0 91#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 92
93/*
94 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
95 */
96#define IORING_FILE_TABLE_SHIFT 9
97#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
98#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
99#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 100
101struct io_uring {
102 u32 head ____cacheline_aligned_in_smp;
103 u32 tail ____cacheline_aligned_in_smp;
104};
105
1e84b97b 106/*
75b28aff
HV		 107 * This data is shared with the application through the mmap at offsets
108 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 109 *
110 * The offsets to the member fields are published through struct
111 * io_sqring_offsets when calling io_uring_setup.
112 */
75b28aff 113struct io_rings {
1e84b97b
SB		 114 /*
115 * Head and tail offsets into the ring; the offsets need to be
116 * masked to get valid indices.
117 *
75b28aff
HV		 118 * The kernel controls head of the sq ring and the tail of the cq ring,
119 * and the application controls tail of the sq ring and the head of the
120 * cq ring.
1e84b97b 121 */
75b28aff 122 struct io_uring sq, cq;
1e84b97b 123 /*
75b28aff 124 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 125 * ring_entries - 1)
126 */
75b28aff
HV		 127 u32 sq_ring_mask, cq_ring_mask;
128 /* Ring sizes (constant, power of 2) */
129 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 130 /*
131 * Number of invalid entries dropped by the kernel due to
132 * invalid index stored in array
133 *
134 * Written by the kernel, shouldn't be modified by the
135 * application (i.e. get number of "new events" by comparing to
136 * cached value).
137 *
138 * After a new SQ head value was read by the application this
139 * counter includes all submissions that were dropped reaching
140 * the new SQ head (and possibly more).
141 */
75b28aff 142 u32 sq_dropped;
1e84b97b
SB		 143 /*
144 * Runtime flags
145 *
146 * Written by the kernel, shouldn't be modified by the
147 * application.
148 *
149 * The application needs a full memory barrier before checking
150 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
151 */
75b28aff 152 u32 sq_flags;
1e84b97b
SB		 153 /*
154 * Number of completion events lost because the queue was full;
155 * this should be avoided by the application by making sure
0b4295b5 156 * there are not more requests pending than there is space in
1e84b97b
SB		 157 * the completion queue.
158 *
159 * Written by the kernel, shouldn't be modified by the
160 * application (i.e. get number of "new events" by comparing to
161 * cached value).
162 *
163 * As completion events come in out of order this counter is not
164 * ordered with any other data.
165 */
75b28aff 166 u32 cq_overflow;
1e84b97b
SB		 167 /*
168 * Ring buffer of completion events.
169 *
170 * The kernel writes completion events fresh every time they are
171 * produced, so the application is allowed to modify pending
172 * entries.
173 */
75b28aff 174 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 175};
176
edafccee
JA		 177struct io_mapped_ubuf {
178 u64 ubuf;
179 size_t len;
180 struct bio_vec *bvec;
181 unsigned int nr_bvecs;
182};
183
65e19f54
JA		 184struct fixed_file_table {
185 struct file **files;
31b51510
JA		 186};
187
05f3fb3c
JA		 188struct fixed_file_data {
189 struct fixed_file_table *table;
190 struct io_ring_ctx *ctx;
191
192 struct percpu_ref refs;
193 struct llist_head put_llist;
05f3fb3c
JA		 194 struct work_struct ref_work;
195 struct completion done;
196};
197
2b188cc1
JA		 198struct io_ring_ctx {
199 struct {
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
202
203 struct {
204 unsigned int flags;
e1d85334
RD		 205 unsigned int compat: 1;
206 unsigned int account_mem: 1;
207 unsigned int cq_overflow_flushed: 1;
208 unsigned int drain_next: 1;
209 unsigned int eventfd_async: 1;
2b188cc1 210
75b28aff
HV		 211 /*
212 * Ring buffer of indices into array of io_uring_sqe, which is
213 * mmapped by the application using the IORING_OFF_SQES offset.
214 *
215 * This indirection could e.g. be used to assign fixed
216 * io_uring_sqe entries to operations and only submit them to
217 * the queue when needed.
218 *
219 * The kernel modifies neither the indices array nor the entries
220 * array.
221 */
222 u32 *sq_array;
2b188cc1
JA		 223 unsigned cached_sq_head;
224 unsigned sq_entries;
225 unsigned sq_mask;
6c271ce2 226 unsigned sq_thread_idle;
498ccd9e 227 unsigned cached_sq_dropped;
206aefde 228 atomic_t cached_cq_overflow;
ad3eb2c8 229 unsigned long sq_check_overflow;
de0617e4
JA		 230
231 struct list_head defer_list;
5262f567 232 struct list_head timeout_list;
1d7bb1d5 233 struct list_head cq_overflow_list;
fcb323cc
JA		 234
235 wait_queue_head_t inflight_wait;
ad3eb2c8 236 struct io_uring_sqe *sq_sqes;
2b188cc1
JA		 237 } ____cacheline_aligned_in_smp;
238
206aefde
JA		 239 struct io_rings *rings;
240
2b188cc1 241 /* IO offload */
561fb04a 242 struct io_wq *io_wq;
6c271ce2 243 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 244 struct mm_struct *sqo_mm;
6c271ce2 245 wait_queue_head_t sqo_wait;
75b28aff 246
6b06314c
JA		 247 /*
248 * If used, fixed file set. Writers must ensure that ->refs is dead,
249 * readers must ensure that ->refs is alive as long as the file* is
250 * used. Only updated through io_uring_register(2).
251 */
05f3fb3c 252 struct fixed_file_data *file_data;
6b06314c 253 unsigned nr_user_files;
b14cca0c
PB		 254 int ring_fd;
255 struct file *ring_file;
6b06314c 256
edafccee
JA		 257 /* if used, fixed mapped user buffers */
258 unsigned nr_user_bufs;
259 struct io_mapped_ubuf *user_bufs;
260
2b188cc1
JA		 261 struct user_struct *user;
262
0b8c0ec7 263 const struct cred *creds;
181e448d 264
206aefde
JA		 265 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
266 struct completion *completions;
267
0ddf92e8
JA		 268 /* if all else fails... */
269 struct io_kiocb *fallback_req;
270
206aefde
JA		 271#if defined(CONFIG_UNIX)
272 struct socket *ring_sock;
273#endif
274
071698e1
JA		 275 struct idr personality_idr;
276
206aefde
JA		 277 struct {
278 unsigned cached_cq_tail;
279 unsigned cq_entries;
280 unsigned cq_mask;
281 atomic_t cq_timeouts;
ad3eb2c8 282 unsigned long cq_check_overflow;
206aefde
JA		 283 struct wait_queue_head cq_wait;
284 struct fasync_struct *cq_fasync;
285 struct eventfd_ctx *cq_ev_fd;
286 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 287
288 struct {
289 struct mutex uring_lock;
290 wait_queue_head_t wait;
291 } ____cacheline_aligned_in_smp;
292
293 struct {
294 spinlock_t completion_lock;
e94f141b 295
def596e9
JA		 296 /*
297 * ->poll_list is protected by the ctx->uring_lock for
298 * io_uring instances that don't use IORING_SETUP_SQPOLL.
299 * For SQPOLL, only the single threaded io_sq_thread() will
300 * manipulate the list, hence no extra locking is needed there.
301 */
302 struct list_head poll_list;
78076bb6
JA		 303 struct hlist_head *cancel_hash;
304 unsigned cancel_hash_bits;
e94f141b 305 bool poll_multi_file;
31b51510 306
fcb323cc
JA		 307 spinlock_t inflight_lock;
308 struct list_head inflight_list;
2b188cc1 309 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 310};
311
09bb8394
JA		 312/*
313 * First field must be the file pointer in all the
314 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
315 */
221c5eb2
JA		 316struct io_poll_iocb {
317 struct file *file;
0969e783
JA		 318 union {
319 struct wait_queue_head *head;
320 u64 addr;
321 };
221c5eb2 322 __poll_t events;
8c838788 323 bool done;
221c5eb2 324 bool canceled;
392edb45 325 struct wait_queue_entry wait;
221c5eb2
JA		 326};
327
b5dba59e
JA		 328struct io_close {
329 struct file *file;
330 struct file *put_file;
331 int fd;
332};
333
ad8a48ac
JA		 334struct io_timeout_data {
335 struct io_kiocb *req;
336 struct hrtimer timer;
337 struct timespec64 ts;
338 enum hrtimer_mode mode;
cc42e0ac 339 u32 seq_offset;
ad8a48ac
JA		 340};
341
8ed8d3c3
JA		 342struct io_accept {
343 struct file *file;
344 struct sockaddr __user *addr;
345 int __user *addr_len;
346 int flags;
347};
348
349struct io_sync {
350 struct file *file;
351 loff_t len;
352 loff_t off;
353 int flags;
d63d1b5e 354 int mode;
8ed8d3c3
JA		 355};
356
fbf23849
JA		 357struct io_cancel {
358 struct file *file;
359 u64 addr;
360};
361
b29472ee
JA		 362struct io_timeout {
363 struct file *file;
364 u64 addr;
365 int flags;
26a61679 366 unsigned count;
b29472ee
JA		 367};
368
9adbd45d
JA		 369struct io_rw {
370 /* NOTE: kiocb has the file as the first member, so don't do it here */
371 struct kiocb kiocb;
372 u64 addr;
373 u64 len;
374};
375
3fbb51c1
JA		 376struct io_connect {
377 struct file *file;
378 struct sockaddr __user *addr;
379 int addr_len;
380};
381
e47293fd
JA		 382struct io_sr_msg {
383 struct file *file;
fddaface
JA		 384 union {
385 struct user_msghdr __user *msg;
386 void __user *buf;
387 };
e47293fd 388 int msg_flags;
fddaface 389 size_t len;
e47293fd
JA		 390};
391
15b71abe
JA		 392struct io_open {
393 struct file *file;
394 int dfd;
eddc7ef5 395 union {
eddc7ef5
JA		 396 unsigned mask;
397 };
15b71abe 398 struct filename *filename;
eddc7ef5 399 struct statx __user *buffer;
c12cedf2 400 struct open_how how;
15b71abe
JA		 401};
402
05f3fb3c
JA		 403struct io_files_update {
404 struct file *file;
405 u64 arg;
406 u32 nr_args;
407 u32 offset;
408};
409
4840e418
JA		 410struct io_fadvise {
411 struct file *file;
412 u64 offset;
413 u32 len;
414 u32 advice;
415};
416
c1ca757b
JA		 417struct io_madvise {
418 struct file *file;
419 u64 addr;
420 u32 len;
421 u32 advice;
422};
423
3e4827b0
JA		 424struct io_epoll {
425 struct file *file;
426 int epfd;
427 int op;
428 int fd;
429 struct epoll_event event;
e47293fd
JA		 430};
431
7d67af2c
PB		 432struct io_splice {
433 struct file *file_out;
434 struct file *file_in;
435 loff_t off_out;
436 loff_t off_in;
437 u64 len;
438 unsigned int flags;
439};
440
f499a021
JA		 441struct io_async_connect {
442 struct sockaddr_storage address;
443};
444
03b1230c
JA		 445struct io_async_msghdr {
446 struct iovec fast_iov[UIO_FASTIOV];
447 struct iovec *iov;
448 struct sockaddr __user *uaddr;
449 struct msghdr msg;
b537916c 450 struct sockaddr_storage addr;
03b1230c
JA		 451};
452
f67676d1
JA		 453struct io_async_rw {
454 struct iovec fast_iov[UIO_FASTIOV];
455 struct iovec *iov;
456 ssize_t nr_segs;
457 ssize_t size;
458};
459
1a6b74fc 460struct io_async_ctx {
f67676d1
JA		 461 union {
462 struct io_async_rw rw;
03b1230c 463 struct io_async_msghdr msg;
f499a021 464 struct io_async_connect connect;
2d28390a 465 struct io_timeout_data timeout;
f67676d1 466 };
1a6b74fc
JA		 467};
468
6b47ee6e
PB		 469enum {
470 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
471 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
472 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
473 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
474 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
475
476 REQ_F_LINK_NEXT_BIT,
477 REQ_F_FAIL_LINK_BIT,
478 REQ_F_INFLIGHT_BIT,
479 REQ_F_CUR_POS_BIT,
480 REQ_F_NOWAIT_BIT,
481 REQ_F_IOPOLL_COMPLETED_BIT,
482 REQ_F_LINK_TIMEOUT_BIT,
483 REQ_F_TIMEOUT_BIT,
484 REQ_F_ISREG_BIT,
485 REQ_F_MUST_PUNT_BIT,
486 REQ_F_TIMEOUT_NOSEQ_BIT,
487 REQ_F_COMP_LOCKED_BIT,
99bc4c38 488 REQ_F_NEED_CLEANUP_BIT,
2ca10259 489 REQ_F_OVERFLOW_BIT,
d7718a9d 490 REQ_F_POLLED_BIT,
6b47ee6e
PB		 491};
492
493enum {
494 /* ctx owns file */
495 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
496 /* drain existing IO first */
497 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
498 /* linked sqes */
499 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
500 /* doesn't sever on completion < 0 */
501 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
502 /* IOSQE_ASYNC */
503 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
504
505 /* already grabbed next link */
506 REQ_F_LINK_NEXT = BIT(REQ_F_LINK_NEXT_BIT),
507 /* fail rest of links */
508 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
509 /* on inflight list */
510 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
511 /* read/write uses file position */
512 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
513 /* must not punt to workers */
514 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
515 /* polled IO has completed */
516 REQ_F_IOPOLL_COMPLETED = BIT(REQ_F_IOPOLL_COMPLETED_BIT),
517 /* has linked timeout */
518 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
519 /* timeout request */
520 REQ_F_TIMEOUT = BIT(REQ_F_TIMEOUT_BIT),
521 /* regular file */
522 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
523 /* must be punted even for NONBLOCK */
524 REQ_F_MUST_PUNT = BIT(REQ_F_MUST_PUNT_BIT),
525 /* no timeout sequence */
526 REQ_F_TIMEOUT_NOSEQ = BIT(REQ_F_TIMEOUT_NOSEQ_BIT),
527 /* completion under lock */
528 REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
99bc4c38
PB		 529 /* needs cleanup */
530 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
2ca10259
JA		 531 /* in overflow list */
532 REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
d7718a9d
JA		 533 /* already went through poll handler */
534 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
535};
536
537struct async_poll {
538 struct io_poll_iocb poll;
539 struct io_wq_work work;
6b47ee6e
PB		 540};
541
09bb8394
JA		 542/*
543 * NOTE! Each of the iocb union members has the file pointer
544 * as the first entry in their struct definition. So you can
545 * access the file pointer through any of the sub-structs,
546 * or directly as just 'ki_filp' in this struct.
547 */
2b188cc1 548struct io_kiocb {
221c5eb2 549 union {
09bb8394 550 struct file *file;
9adbd45d 551 struct io_rw rw;
221c5eb2 552 struct io_poll_iocb poll;
8ed8d3c3
JA		 553 struct io_accept accept;
554 struct io_sync sync;
fbf23849 555 struct io_cancel cancel;
b29472ee 556 struct io_timeout timeout;
3fbb51c1 557 struct io_connect connect;
e47293fd 558 struct io_sr_msg sr_msg;
15b71abe 559 struct io_open open;
b5dba59e 560 struct io_close close;
05f3fb3c 561 struct io_files_update files_update;
4840e418 562 struct io_fadvise fadvise;
c1ca757b 563 struct io_madvise madvise;
3e4827b0 564 struct io_epoll epoll;
7d67af2c 565 struct io_splice splice;
221c5eb2 566 };
2b188cc1 567
1a6b74fc 568 struct io_async_ctx *io;
cf6fd4bd 569 bool needs_fixed_file;
d625c6ee 570 u8 opcode;
2b188cc1
JA		 571
572 struct io_ring_ctx *ctx;
d7718a9d 573 struct list_head list;
2b188cc1 574 unsigned int flags;
c16361c1 575 refcount_t refs;
d7718a9d 576 struct task_struct *task;
2b188cc1 577 u64 user_data;
9e645e11 578 u32 result;
de0617e4 579 u32 sequence;
2b188cc1 580
d7718a9d
JA		 581 struct list_head link_list;
582
fcb323cc
JA		 583 struct list_head inflight_entry;
584
b41e9852
JA		 585 union {
586 /*
587 * Only commands that never go async can use the below fields,
d7718a9d
JA		 588 * obviously. Right now only IORING_OP_POLL_ADD uses them, and
589 * async armed poll handlers for regular commands. The latter
590 * restore the work, if needed.
b41e9852
JA		 591 */
592 struct {
b41e9852 593 struct callback_head task_work;
d7718a9d
JA		 594 struct hlist_node hash_node;
595 struct async_poll *apoll;
b41e9852
JA		 596 };
597 struct io_wq_work work;
598 };
2b188cc1
JA		 599};
600
601#define IO_PLUG_THRESHOLD 2
def596e9 602#define IO_IOPOLL_BATCH 8
2b188cc1 603
9a56a232
JA		 604struct io_submit_state {
605 struct blk_plug plug;
606
2579f913
JA		 607 /*
608 * io_kiocb alloc cache
609 */
610 void *reqs[IO_IOPOLL_BATCH];
6c8a3134 611 unsigned int free_reqs;
2579f913 612
9a56a232
JA		 613 /*
614 * File reference cache
615 */
616 struct file *file;
617 unsigned int fd;
618 unsigned int has_refs;
619 unsigned int used_refs;
620 unsigned int ios_left;
621};
622
d3656344
JA		 623struct io_op_def {
624 /* needs req->io allocated for deferral/async */
625 unsigned async_ctx : 1;
626 /* needs current->mm setup, does mm access */
627 unsigned needs_mm : 1;
628 /* needs req->file assigned */
629 unsigned needs_file : 1;
630 /* needs req->file assigned IFF fd is >= 0 */
631 unsigned fd_non_neg : 1;
632 /* hash wq insertion if file is a regular file */
633 unsigned hash_reg_file : 1;
634 /* unbound wq insertion if file is a non-regular file */
635 unsigned unbound_nonreg_file : 1;
66f4af93
JA		 636 /* opcode is not supported by this kernel */
637 unsigned not_supported : 1;
f86cd20c
JA		 638 /* needs file table */
639 unsigned file_table : 1;
ff002b30
JA		 640 /* needs ->fs */
641 unsigned needs_fs : 1;
8a72758c
JA		 642 /* set if opcode supports polled "wait" */
643 unsigned pollin : 1;
644 unsigned pollout : 1;
d3656344
JA		 645};
646
647static const struct io_op_def io_op_defs[] = {
0463b6c5
PB		 648 [IORING_OP_NOP] = {},
649 [IORING_OP_READV] = {
d3656344
JA		 650 .async_ctx = 1,
651 .needs_mm = 1,
652 .needs_file = 1,
653 .unbound_nonreg_file = 1,
8a72758c 654 .pollin = 1,
d3656344 655 },
0463b6c5 656 [IORING_OP_WRITEV] = {
d3656344
JA		 657 .async_ctx = 1,
658 .needs_mm = 1,
659 .needs_file = 1,
660 .hash_reg_file = 1,
661 .unbound_nonreg_file = 1,
8a72758c 662 .pollout = 1,
d3656344 663 },
0463b6c5 664 [IORING_OP_FSYNC] = {
d3656344
JA		 665 .needs_file = 1,
666 },
0463b6c5 667 [IORING_OP_READ_FIXED] = {
d3656344
JA		 668 .needs_file = 1,
669 .unbound_nonreg_file = 1,
8a72758c 670 .pollin = 1,
d3656344 671 },
0463b6c5 672 [IORING_OP_WRITE_FIXED] = {
d3656344
JA		 673 .needs_file = 1,
674 .hash_reg_file = 1,
675 .unbound_nonreg_file = 1,
8a72758c 676 .pollout = 1,
d3656344 677 },
0463b6c5 678 [IORING_OP_POLL_ADD] = {
d3656344
JA		 679 .needs_file = 1,
680 .unbound_nonreg_file = 1,
681 },
0463b6c5
PB		 682 [IORING_OP_POLL_REMOVE] = {},
683 [IORING_OP_SYNC_FILE_RANGE] = {
d3656344
JA		 684 .needs_file = 1,
685 },
0463b6c5 686 [IORING_OP_SENDMSG] = {
d3656344
JA		 687 .async_ctx = 1,
688 .needs_mm = 1,
689 .needs_file = 1,
690 .unbound_nonreg_file = 1,
ff002b30 691 .needs_fs = 1,
8a72758c 692 .pollout = 1,
d3656344 693 },
0463b6c5 694 [IORING_OP_RECVMSG] = {
d3656344
JA		 695 .async_ctx = 1,
696 .needs_mm = 1,
697 .needs_file = 1,
698 .unbound_nonreg_file = 1,
ff002b30 699 .needs_fs = 1,
8a72758c 700 .pollin = 1,
d3656344 701 },
0463b6c5 702 [IORING_OP_TIMEOUT] = {
d3656344
JA		 703 .async_ctx = 1,
704 .needs_mm = 1,
705 },
0463b6c5
PB		 706 [IORING_OP_TIMEOUT_REMOVE] = {},
707 [IORING_OP_ACCEPT] = {
d3656344
JA		 708 .needs_mm = 1,
709 .needs_file = 1,
710 .unbound_nonreg_file = 1,
f86cd20c 711 .file_table = 1,
8a72758c 712 .pollin = 1,
d3656344 713 },
0463b6c5
PB		 714 [IORING_OP_ASYNC_CANCEL] = {},
715 [IORING_OP_LINK_TIMEOUT] = {
d3656344
JA		 716 .async_ctx = 1,
717 .needs_mm = 1,
718 },
0463b6c5 719 [IORING_OP_CONNECT] = {
d3656344
JA		 720 .async_ctx = 1,
721 .needs_mm = 1,
722 .needs_file = 1,
723 .unbound_nonreg_file = 1,
8a72758c 724 .pollout = 1,
d3656344 725 },
0463b6c5 726 [IORING_OP_FALLOCATE] = {
d3656344
JA		 727 .needs_file = 1,
728 },
0463b6c5 729 [IORING_OP_OPENAT] = {
d3656344
JA		 730 .needs_file = 1,
731 .fd_non_neg = 1,
f86cd20c 732 .file_table = 1,
ff002b30 733 .needs_fs = 1,
d3656344 734 },
0463b6c5 735 [IORING_OP_CLOSE] = {
d3656344 736 .needs_file = 1,
f86cd20c 737 .file_table = 1,
d3656344 738 },
0463b6c5 739 [IORING_OP_FILES_UPDATE] = {
d3656344 740 .needs_mm = 1,
f86cd20c 741 .file_table = 1,
d3656344 742 },
0463b6c5 743 [IORING_OP_STATX] = {
d3656344
JA		 744 .needs_mm = 1,
745 .needs_file = 1,
746 .fd_non_neg = 1,
ff002b30 747 .needs_fs = 1,
d3656344 748 },
0463b6c5 749 [IORING_OP_READ] = {
3a6820f2
JA		 750 .needs_mm = 1,
751 .needs_file = 1,
752 .unbound_nonreg_file = 1,
8a72758c 753 .pollin = 1,
3a6820f2 754 },
0463b6c5 755 [IORING_OP_WRITE] = {
3a6820f2
JA		 756 .needs_mm = 1,
757 .needs_file = 1,
758 .unbound_nonreg_file = 1,
8a72758c 759 .pollout = 1,
3a6820f2 760 },
0463b6c5 761 [IORING_OP_FADVISE] = {
4840e418
JA		 762 .needs_file = 1,
763 },
0463b6c5 764 [IORING_OP_MADVISE] = {
c1ca757b
JA		 765 .needs_mm = 1,
766 },
0463b6c5 767 [IORING_OP_SEND] = {
fddaface
JA		 768 .needs_mm = 1,
769 .needs_file = 1,
770 .unbound_nonreg_file = 1,
8a72758c 771 .pollout = 1,
fddaface 772 },
0463b6c5 773 [IORING_OP_RECV] = {
fddaface
JA		 774 .needs_mm = 1,
775 .needs_file = 1,
776 .unbound_nonreg_file = 1,
8a72758c 777 .pollin = 1,
fddaface 778 },
0463b6c5 779 [IORING_OP_OPENAT2] = {
cebdb986
JA		 780 .needs_file = 1,
781 .fd_non_neg = 1,
f86cd20c 782 .file_table = 1,
ff002b30 783 .needs_fs = 1,
cebdb986 784 },
3e4827b0
JA		 785 [IORING_OP_EPOLL_CTL] = {
786 .unbound_nonreg_file = 1,
787 .file_table = 1,
788 },
7d67af2c
PB		 789 [IORING_OP_SPLICE] = {
790 .needs_file = 1,
791 .hash_reg_file = 1,
792 .unbound_nonreg_file = 1,
793 }
d3656344
JA		 794};
795
561fb04a 796static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 797static void io_cqring_fill_event(struct io_kiocb *req, long res);
ec9c02ad 798static void io_put_req(struct io_kiocb *req);
978db57e 799static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 800static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
801static void io_queue_linked_timeout(struct io_kiocb *req);
05f3fb3c
JA		 802static int __io_sqe_files_update(struct io_ring_ctx *ctx,
803 struct io_uring_files_update *ip,
804 unsigned nr_args);
f86cd20c 805static int io_grab_files(struct io_kiocb *req);
2faf852d 806static void io_ring_file_ref_flush(struct fixed_file_data *data);
99bc4c38 807static void io_cleanup_req(struct io_kiocb *req);
b41e9852
JA		 808static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
809 int fd, struct file **out_file, bool fixed);
810static void __io_queue_sqe(struct io_kiocb *req,
811 const struct io_uring_sqe *sqe);
de0617e4 812
2b188cc1
JA		 813static struct kmem_cache *req_cachep;
814
815static const struct file_operations io_uring_fops;
816
817struct sock *io_uring_get_socket(struct file *file)
818{
819#if defined(CONFIG_UNIX)
820 if (file->f_op == &io_uring_fops) {
821 struct io_ring_ctx *ctx = file->private_data;
822
823 return ctx->ring_sock->sk;
824 }
825#endif
826 return NULL;
827}
828EXPORT_SYMBOL(io_uring_get_socket);
829
830static void io_ring_ctx_ref_free(struct percpu_ref *ref)
831{
832 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
833
206aefde 834 complete(&ctx->completions[0]);
2b188cc1
JA		 835}
836
837static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
838{
839 struct io_ring_ctx *ctx;
78076bb6 840 int hash_bits;
2b188cc1
JA		 841
842 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
843 if (!ctx)
844 return NULL;
845
0ddf92e8
JA		 846 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
847 if (!ctx->fallback_req)
848 goto err;
849
206aefde
JA		 850 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
851 if (!ctx->completions)
852 goto err;
853
78076bb6
JA		 854 /*
855 * Use 5 bits less than the max cq entries, that should give us around
856 * 32 entries per hash list if totally full and uniformly spread.
857 */
858 hash_bits = ilog2(p->cq_entries);
859 hash_bits -= 5;
860 if (hash_bits <= 0)
861 hash_bits = 1;
862 ctx->cancel_hash_bits = hash_bits;
863 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
864 GFP_KERNEL);
865 if (!ctx->cancel_hash)
866 goto err;
867 __hash_init(ctx->cancel_hash, 1U << hash_bits);
868
21482896 869 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 870 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
871 goto err;
2b188cc1
JA		 872
873 ctx->flags = p->flags;
874 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 875 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 876 init_completion(&ctx->completions[0]);
877 init_completion(&ctx->completions[1]);
071698e1 878 idr_init(&ctx->personality_idr);
2b188cc1
JA		 879 mutex_init(&ctx->uring_lock);
880 init_waitqueue_head(&ctx->wait);
881 spin_lock_init(&ctx->completion_lock);
def596e9 882 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 883 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 884 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 885 init_waitqueue_head(&ctx->inflight_wait);
886 spin_lock_init(&ctx->inflight_lock);
887 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 888 return ctx;
206aefde 889err:
0ddf92e8
JA		 890 if (ctx->fallback_req)
891 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 892 kfree(ctx->completions);
78076bb6 893 kfree(ctx->cancel_hash);
206aefde
JA		 894 kfree(ctx);
895 return NULL;
2b188cc1
JA		 896}
897
9d858b21 898static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 899{
a197f664
JL		 900 struct io_ring_ctx *ctx = req->ctx;
901
498ccd9e
JA		 902 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
903 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 904}
905
9d858b21 906static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 907{
87987898 908 if (unlikely(req->flags & REQ_F_IO_DRAIN))
9d858b21 909 return __req_need_defer(req);
de0617e4 910
9d858b21 911 return false;
de0617e4
JA		 912}
913
7adf4eaf 914static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 915{
916 struct io_kiocb *req;
917
7adf4eaf 918 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 919 if (req && !req_need_defer(req)) {
de0617e4
JA		 920 list_del_init(&req->list);
921 return req;
922 }
923
924 return NULL;
925}
926
5262f567
JA		 927static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
928{
7adf4eaf
JA		 929 struct io_kiocb *req;
930
931 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 932 if (req) {
933 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
934 return NULL;
fb4b3d3f 935 if (!__req_need_defer(req)) {
93bd25bb
JA		 936 list_del_init(&req->list);
937 return req;
938 }
7adf4eaf
JA		 939 }
940
941 return NULL;
5262f567
JA		 942}
943
de0617e4 944static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 945{
75b28aff 946 struct io_rings *rings = ctx->rings;
2b188cc1 947
07910158
PB		 948 /* order cqe stores with ring update */
949 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 950
07910158
PB		 951 if (wq_has_sleeper(&ctx->cq_wait)) {
952 wake_up_interruptible(&ctx->cq_wait);
953 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
2b188cc1
JA		 954 }
955}
956
cccf0ee8
JA		 957static inline void io_req_work_grab_env(struct io_kiocb *req,
958 const struct io_op_def *def)
959{
960 if (!req->work.mm && def->needs_mm) {
961 mmgrab(current->mm);
962 req->work.mm = current->mm;
2b188cc1 963 }
cccf0ee8
JA		 964 if (!req->work.creds)
965 req->work.creds = get_current_cred();
ff002b30
JA		 966 if (!req->work.fs && def->needs_fs) {
967 spin_lock(&current->fs->lock);
968 if (!current->fs->in_exec) {
969 req->work.fs = current->fs;
970 req->work.fs->users++;
971 } else {
972 req->work.flags |= IO_WQ_WORK_CANCEL;
973 }
974 spin_unlock(&current->fs->lock);
975 }
6ab23144
JA		 976 if (!req->work.task_pid)
977 req->work.task_pid = task_pid_vnr(current);
2b188cc1
JA		 978}
979
cccf0ee8 980static inline void io_req_work_drop_env(struct io_kiocb *req)
18d9be1a 981{
cccf0ee8
JA		 982 if (req->work.mm) {
983 mmdrop(req->work.mm);
984 req->work.mm = NULL;
985 }
986 if (req->work.creds) {
987 put_cred(req->work.creds);
988 req->work.creds = NULL;
989 }
ff002b30
JA		 990 if (req->work.fs) {
991 struct fs_struct *fs = req->work.fs;
992
993 spin_lock(&req->work.fs->lock);
994 if (--fs->users)
995 fs = NULL;
996 spin_unlock(&req->work.fs->lock);
997 if (fs)
998 free_fs_struct(fs);
999 }
561fb04a
JA		 1000}
1001
94ae5e77
JA		 1002static inline bool io_prep_async_work(struct io_kiocb *req,
1003 struct io_kiocb **link)
18d9be1a 1004{
d3656344 1005 const struct io_op_def *def = &io_op_defs[req->opcode];
561fb04a 1006 bool do_hashed = false;
54a91f3b 1007
d3656344
JA		 1008 if (req->flags & REQ_F_ISREG) {
1009 if (def->hash_reg_file)
3529d8c2 1010 do_hashed = true;
d3656344
JA		 1011 } else {
1012 if (def->unbound_nonreg_file)
3529d8c2 1013 req->work.flags |= IO_WQ_WORK_UNBOUND;
54a91f3b 1014 }
cccf0ee8
JA		 1015
1016 io_req_work_grab_env(req, def);
54a91f3b 1017
94ae5e77 1018 *link = io_prep_linked_timeout(req);
561fb04a
JA		 1019 return do_hashed;
1020}
1021
a197f664 1022static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 1023{
a197f664 1024 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 1025 struct io_kiocb *link;
1026 bool do_hashed;
1027
1028 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 1029
1030 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
1031 req->flags);
1032 if (!do_hashed) {
1033 io_wq_enqueue(ctx->io_wq, &req->work);
1034 } else {
1035 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
1036 file_inode(req->file));
1037 }
94ae5e77
JA		 1038
1039 if (link)
1040 io_queue_linked_timeout(link);
18d9be1a
JA		 1041}
1042
5262f567
JA		 1043static void io_kill_timeout(struct io_kiocb *req)
1044{
1045 int ret;
1046
2d28390a 1047 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 1048 if (ret != -1) {
1049 atomic_inc(&req->ctx->cq_timeouts);
842f9612 1050 list_del_init(&req->list);
78e19bbe 1051 io_cqring_fill_event(req, 0);
ec9c02ad 1052 io_put_req(req);
5262f567
JA		 1053 }
1054}
1055
1056static void io_kill_timeouts(struct io_ring_ctx *ctx)
1057{
1058 struct io_kiocb *req, *tmp;
1059
1060 spin_lock_irq(&ctx->completion_lock);
1061 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
1062 io_kill_timeout(req);
1063 spin_unlock_irq(&ctx->completion_lock);
1064}
1065
de0617e4
JA		 1066static void io_commit_cqring(struct io_ring_ctx *ctx)
1067{
1068 struct io_kiocb *req;
1069
5262f567
JA		 1070 while ((req = io_get_timeout_req(ctx)) != NULL)
1071 io_kill_timeout(req);
1072
de0617e4
JA		 1073 __io_commit_cqring(ctx);
1074
87987898 1075 while ((req = io_get_deferred_req(ctx)) != NULL)
a197f664 1076 io_queue_async_work(req);
de0617e4
JA		 1077}
1078
2b188cc1
JA		 1079static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1080{
75b28aff 1081 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 1082 unsigned tail;
1083
1084 tail = ctx->cached_cq_tail;
115e12e5
SB		 1085 /*
1086 * writes to the cq entry need to come after reading head; the
1087 * control dependency is enough as we're using WRITE_ONCE to
1088 * fill the cq entry
1089 */
75b28aff 1090 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 1091 return NULL;
1092
1093 ctx->cached_cq_tail++;
75b28aff 1094 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 1095}
1096
f2842ab5
JA		 1097static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1098{
f0b493e6
JA		 1099 if (!ctx->cq_ev_fd)
1100 return false;
f2842ab5
JA		 1101 if (!ctx->eventfd_async)
1102 return true;
b41e9852 1103 return io_wq_current_is_worker();
f2842ab5
JA		 1104}
1105
b41e9852 1106static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1d7bb1d5
JA		 1107{
1108 if (waitqueue_active(&ctx->wait))
1109 wake_up(&ctx->wait);
1110 if (waitqueue_active(&ctx->sqo_wait))
1111 wake_up(&ctx->sqo_wait);
b41e9852 1112 if (io_should_trigger_evfd(ctx))
1d7bb1d5
JA		 1113 eventfd_signal(ctx->cq_ev_fd, 1);
1114}
1115
c4a2ed72
JA		 1116/* Returns true if there are no backlogged entries after the flush */
1117static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 1118{
1119 struct io_rings *rings = ctx->rings;
1120 struct io_uring_cqe *cqe;
1121 struct io_kiocb *req;
1122 unsigned long flags;
1123 LIST_HEAD(list);
1124
1125 if (!force) {
1126 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 1127 return true;
1d7bb1d5
JA		 1128 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1129 rings->cq_ring_entries))
c4a2ed72 1130 return false;
1d7bb1d5
JA		 1131 }
1132
1133 spin_lock_irqsave(&ctx->completion_lock, flags);
1134
1135 /* if force is set, the ring is going away. always drop after that */
1136 if (force)
69b3e546 1137 ctx->cq_overflow_flushed = 1;
1d7bb1d5 1138
c4a2ed72 1139 cqe = NULL;
1d7bb1d5
JA		 1140 while (!list_empty(&ctx->cq_overflow_list)) {
1141 cqe = io_get_cqring(ctx);
1142 if (!cqe && !force)
1143 break;
1144
1145 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1146 list);
1147 list_move(&req->list, &list);
2ca10259 1148 req->flags &= ~REQ_F_OVERFLOW;
1d7bb1d5
JA		 1149 if (cqe) {
1150 WRITE_ONCE(cqe->user_data, req->user_data);
1151 WRITE_ONCE(cqe->res, req->result);
1152 WRITE_ONCE(cqe->flags, 0);
1153 } else {
1154 WRITE_ONCE(ctx->rings->cq_overflow,
1155 atomic_inc_return(&ctx->cached_cq_overflow));
1156 }
1157 }
1158
1159 io_commit_cqring(ctx);
ad3eb2c8
JA		 1160 if (cqe) {
1161 clear_bit(0, &ctx->sq_check_overflow);
1162 clear_bit(0, &ctx->cq_check_overflow);
1163 }
1d7bb1d5
JA		 1164 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1165 io_cqring_ev_posted(ctx);
1166
1167 while (!list_empty(&list)) {
1168 req = list_first_entry(&list, struct io_kiocb, list);
1169 list_del(&req->list);
ec9c02ad 1170 io_put_req(req);
1d7bb1d5 1171 }
c4a2ed72
JA		 1172
1173 return cqe != NULL;
1d7bb1d5
JA		 1174}
1175
78e19bbe 1176static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 1177{
78e19bbe 1178 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1179 struct io_uring_cqe *cqe;
1180
78e19bbe 1181 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 1182
2b188cc1
JA		 1183 /*
1184 * If we can't get a cq entry, userspace overflowed the
1185 * submission (by quite a lot). Increment the overflow count in
1186 * the ring.
1187 */
1188 cqe = io_get_cqring(ctx);
1d7bb1d5 1189 if (likely(cqe)) {
78e19bbe 1190 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 1191 WRITE_ONCE(cqe->res, res);
c71ffb67 1192 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 1193 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 1194 WRITE_ONCE(ctx->rings->cq_overflow,
1195 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5 1196 } else {
ad3eb2c8
JA		 1197 if (list_empty(&ctx->cq_overflow_list)) {
1198 set_bit(0, &ctx->sq_check_overflow);
1199 set_bit(0, &ctx->cq_check_overflow);
1200 }
2ca10259 1201 req->flags |= REQ_F_OVERFLOW;
1d7bb1d5
JA		 1202 refcount_inc(&req->refs);
1203 req->result = res;
1204 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 1205 }
1206}
1207
78e19bbe 1208static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 1209{
78e19bbe 1210 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1211 unsigned long flags;
1212
1213 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 1214 io_cqring_fill_event(req, res);
2b188cc1
JA		 1215 io_commit_cqring(ctx);
1216 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1217
8c838788 1218 io_cqring_ev_posted(ctx);
2b188cc1
JA		 1219}
1220
0ddf92e8
JA		 1221static inline bool io_is_fallback_req(struct io_kiocb *req)
1222{
1223 return req == (struct io_kiocb *)
1224 ((unsigned long) req->ctx->fallback_req & ~1UL);
1225}
1226
1227static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1228{
1229 struct io_kiocb *req;
1230
1231 req = ctx->fallback_req;
1232 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1233 return req;
1234
1235 return NULL;
1236}
1237
2579f913
JA		 1238static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1239 struct io_submit_state *state)
2b188cc1 1240{
fd6fab2c 1241 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 1242 struct io_kiocb *req;
1243
2579f913 1244 if (!state) {
fd6fab2c 1245 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 1246 if (unlikely(!req))
0ddf92e8 1247 goto fallback;
2579f913
JA		 1248 } else if (!state->free_reqs) {
1249 size_t sz;
1250 int ret;
1251
1252 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 1253 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1254
1255 /*
1256 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1257 * retry single alloc to be on the safe side.
1258 */
1259 if (unlikely(ret <= 0)) {
1260 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1261 if (!state->reqs[0])
0ddf92e8 1262 goto fallback;
fd6fab2c
JA		 1263 ret = 1;
1264 }
2579f913 1265 state->free_reqs = ret - 1;
6c8a3134 1266 req = state->reqs[ret - 1];
2579f913 1267 } else {
2579f913 1268 state->free_reqs--;
6c8a3134 1269 req = state->reqs[state->free_reqs];
2b188cc1
JA		 1270 }
1271
0ddf92e8 1272got_it:
1a6b74fc 1273 req->io = NULL;
60c112b0 1274 req->file = NULL;
2579f913
JA		 1275 req->ctx = ctx;
1276 req->flags = 0;
e65ef56d
JA		 1277 /* one is dropped after submission, the other at completion */
1278 refcount_set(&req->refs, 2);
9e645e11 1279 req->result = 0;
561fb04a 1280 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 1281 return req;
0ddf92e8
JA		 1282fallback:
1283 req = io_get_fallback_req(ctx);
1284 if (req)
1285 goto got_it;
6805b32e 1286 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 1287 return NULL;
1288}
1289
8da11c19
PB		 1290static inline void io_put_file(struct io_kiocb *req, struct file *file,
1291 bool fixed)
1292{
1293 if (fixed)
1294 percpu_ref_put(&req->ctx->file_data->refs);
1295 else
1296 fput(file);
1297}
1298
2b85edfc 1299static void __io_req_do_free(struct io_kiocb *req)
def596e9 1300{
2b85edfc
PB		 1301 if (likely(!io_is_fallback_req(req)))
1302 kmem_cache_free(req_cachep, req);
1303 else
1304 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1305}
1306
c6ca97b3 1307static void __io_req_aux_free(struct io_kiocb *req)
2b188cc1 1308{
929a3af9
PB		 1309 if (req->flags & REQ_F_NEED_CLEANUP)
1310 io_cleanup_req(req);
1311
96fd84d8 1312 kfree(req->io);
8da11c19
PB		 1313 if (req->file)
1314 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
cccf0ee8
JA		 1315
1316 io_req_work_drop_env(req);
def596e9
JA		 1317}
1318
9e645e11 1319static void __io_free_req(struct io_kiocb *req)
2b188cc1 1320{
c6ca97b3 1321 __io_req_aux_free(req);
fcb323cc 1322
fcb323cc 1323 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3 1324 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 1325 unsigned long flags;
1326
1327 spin_lock_irqsave(&ctx->inflight_lock, flags);
1328 list_del(&req->inflight_entry);
1329 if (waitqueue_active(&ctx->inflight_wait))
1330 wake_up(&ctx->inflight_wait);
1331 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1332 }
2b85edfc
PB		 1333
1334 percpu_ref_put(&req->ctx->refs);
1335 __io_req_do_free(req);
e65ef56d
JA		 1336}
1337
c6ca97b3
JA		 1338struct req_batch {
1339 void *reqs[IO_IOPOLL_BATCH];
1340 int to_free;
1341 int need_iter;
1342};
1343
1344static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1345{
10fef4be
JA		 1346 int fixed_refs = rb->to_free;
1347
c6ca97b3
JA		 1348 if (!rb->to_free)
1349 return;
1350 if (rb->need_iter) {
1351 int i, inflight = 0;
1352 unsigned long flags;
1353
10fef4be 1354 fixed_refs = 0;
c6ca97b3
JA		 1355 for (i = 0; i < rb->to_free; i++) {
1356 struct io_kiocb *req = rb->reqs[i];
1357
10fef4be 1358 if (req->flags & REQ_F_FIXED_FILE) {
c6ca97b3 1359 req->file = NULL;
10fef4be
JA		 1360 fixed_refs++;
1361 }
c6ca97b3
JA		 1362 if (req->flags & REQ_F_INFLIGHT)
1363 inflight++;
c6ca97b3
JA		 1364 __io_req_aux_free(req);
1365 }
1366 if (!inflight)
1367 goto do_free;
1368
1369 spin_lock_irqsave(&ctx->inflight_lock, flags);
1370 for (i = 0; i < rb->to_free; i++) {
1371 struct io_kiocb *req = rb->reqs[i];
1372
10fef4be 1373 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3
JA		 1374 list_del(&req->inflight_entry);
1375 if (!--inflight)
1376 break;
1377 }
1378 }
1379 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1380
1381 if (waitqueue_active(&ctx->inflight_wait))
1382 wake_up(&ctx->inflight_wait);
1383 }
1384do_free:
1385 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
10fef4be
JA		 1386 if (fixed_refs)
1387 percpu_ref_put_many(&ctx->file_data->refs, fixed_refs);
c6ca97b3 1388 percpu_ref_put_many(&ctx->refs, rb->to_free);
c6ca97b3 1389 rb->to_free = rb->need_iter = 0;
e65ef56d
JA		 1390}
1391
a197f664 1392static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 1393{
a197f664 1394 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1395 int ret;
1396
2d28390a 1397 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 1398 if (ret != -1) {
78e19bbe 1399 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 1400 io_commit_cqring(ctx);
1401 req->flags &= ~REQ_F_LINK;
ec9c02ad 1402 io_put_req(req);
2665abfd
JA		 1403 return true;
1404 }
1405
1406 return false;
e65ef56d
JA		 1407}
1408
ba816ad6 1409static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 1410{
2665abfd 1411 struct io_ring_ctx *ctx = req->ctx;
2665abfd 1412 bool wake_ev = false;
9e645e11 1413
4d7dd462
JA		 1414 /* Already got next link */
1415 if (req->flags & REQ_F_LINK_NEXT)
1416 return;
1417
9e645e11
JA		 1418 /*
1419 * The list should never be empty when we are called here. But could
1420 * potentially happen if the chain is messed up, check to be on the
1421 * safe side.
1422 */
4493233e
PB		 1423 while (!list_empty(&req->link_list)) {
1424 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1425 struct io_kiocb, link_list);
94ae5e77 1426
4493233e
PB		 1427 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1428 (nxt->flags & REQ_F_TIMEOUT))) {
1429 list_del_init(&nxt->link_list);
94ae5e77 1430 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 1431 req->flags &= ~REQ_F_LINK_TIMEOUT;
1432 continue;
1433 }
9e645e11 1434
4493233e
PB		 1435 list_del_init(&req->link_list);
1436 if (!list_empty(&nxt->link_list))
1437 nxt->flags |= REQ_F_LINK;
b18fdf71 1438 *nxtptr = nxt;
94ae5e77 1439 break;
9e645e11 1440 }
2665abfd 1441
4d7dd462 1442 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1443 if (wake_ev)
1444 io_cqring_ev_posted(ctx);
9e645e11
JA		 1445}
1446
1447/*
1448 * Called if REQ_F_LINK is set, and we fail the head request
1449 */
1450static void io_fail_links(struct io_kiocb *req)
1451{
2665abfd 1452 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1453 unsigned long flags;
1454
1455 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1456
1457 while (!list_empty(&req->link_list)) {
4493233e
PB		 1458 struct io_kiocb *link = list_first_entry(&req->link_list,
1459 struct io_kiocb, link_list);
9e645e11 1460
4493233e 1461 list_del_init(&link->link_list);
c826bd7a 1462 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1463
1464 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1465 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1466 io_link_cancel_timeout(link);
2665abfd 1467 } else {
78e19bbe 1468 io_cqring_fill_event(link, -ECANCELED);
978db57e 1469 __io_double_put_req(link);
2665abfd 1470 }
5d960724 1471 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1472 }
2665abfd
JA		 1473
1474 io_commit_cqring(ctx);
1475 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1476 io_cqring_ev_posted(ctx);
9e645e11
JA		 1477}
1478
4d7dd462 1479static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1480{
4d7dd462 1481 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1482 return;
2665abfd 1483
9e645e11
JA		 1484 /*
1485 * If LINK is set, we have dependent requests in this chain. If we
1486 * didn't fail this request, queue the first one up, moving any other
1487 * dependencies to the next request. In case of failure, fail the rest
1488 * of the chain.
1489 */
2665abfd
JA		 1490 if (req->flags & REQ_F_FAIL_LINK) {
1491 io_fail_links(req);
7c9e7f0f
JA		 1492 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1493 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1494 struct io_ring_ctx *ctx = req->ctx;
1495 unsigned long flags;
1496
1497 /*
1498 * If this is a timeout link, we could be racing with the
1499 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1500 * protect against that.
2665abfd
JA		 1501 */
1502 spin_lock_irqsave(&ctx->completion_lock, flags);
1503 io_req_link_next(req, nxt);
1504 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1505 } else {
1506 io_req_link_next(req, nxt);
9e645e11 1507 }
4d7dd462 1508}
9e645e11 1509
c69f8dbe
JL		 1510static void io_free_req(struct io_kiocb *req)
1511{
944e58bf
PB		 1512 struct io_kiocb *nxt = NULL;
1513
1514 io_req_find_next(req, &nxt);
70cf9f32 1515 __io_free_req(req);
944e58bf
PB		 1516
1517 if (nxt)
1518 io_queue_async_work(nxt);
c69f8dbe
JL		 1519}
1520
ba816ad6
JA		 1521/*
1522 * Drop reference to request, return next in chain (if there is one) if this
1523 * was the last reference to this request.
1524 */
f9bd67f6 1525__attribute__((nonnull))
ec9c02ad 1526static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1527{
2a44f467
JA		 1528 if (refcount_dec_and_test(&req->refs)) {
1529 io_req_find_next(req, nxtptr);
4d7dd462 1530 __io_free_req(req);
2a44f467 1531 }
2b188cc1
JA		 1532}
1533
e65ef56d
JA		 1534static void io_put_req(struct io_kiocb *req)
1535{
1536 if (refcount_dec_and_test(&req->refs))
1537 io_free_req(req);
2b188cc1
JA		 1538}
1539
978db57e
JA		 1540/*
1541 * Must only be used if we don't need to care about links, usually from
1542 * within the completion handling itself.
1543 */
1544static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1545{
1546 /* drop both submit and complete references */
1547 if (refcount_sub_and_test(2, &req->refs))
1548 __io_free_req(req);
1549}
1550
978db57e
JA		 1551static void io_double_put_req(struct io_kiocb *req)
1552{
1553 /* drop both submit and complete references */
1554 if (refcount_sub_and_test(2, &req->refs))
1555 io_free_req(req);
1556}
1557
1d7bb1d5 1558static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1559{
84f97dc2
JA		 1560 struct io_rings *rings = ctx->rings;
1561
ad3eb2c8
JA		 1562 if (test_bit(0, &ctx->cq_check_overflow)) {
1563 /*
1564 * noflush == true is from the waitqueue handler, just ensure
1565 * we wake up the task, and the next invocation will flush the
1566 * entries. We cannot safely to it from here.
1567 */
1568 if (noflush && !list_empty(&ctx->cq_overflow_list))
1569 return -1U;
1d7bb1d5 1570
ad3eb2c8
JA		 1571 io_cqring_overflow_flush(ctx, false);
1572 }
1d7bb1d5 1573
a3a0e43f
JA		 1574 /* See comment at the top of this file */
1575 smp_rmb();
ad3eb2c8 1576 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1577}
1578
fb5ccc98
PB		 1579static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1580{
1581 struct io_rings *rings = ctx->rings;
1582
1583 /* make sure SQ entry isn't read before tail */
1584 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1585}
1586
8237e045 1587static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
e94f141b 1588{
c6ca97b3
JA		 1589 if ((req->flags & REQ_F_LINK) || io_is_fallback_req(req))
1590 return false;
e94f141b 1591
c6ca97b3
JA		 1592 if (!(req->flags & REQ_F_FIXED_FILE) || req->io)
1593 rb->need_iter++;
1594
1595 rb->reqs[rb->to_free++] = req;
1596 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1597 io_free_req_many(req->ctx, rb);
1598 return true;
e94f141b
JA		 1599}
1600
def596e9
JA		 1601/*
1602 * Find and free completed poll iocbs
1603 */
1604static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1605 struct list_head *done)
1606{
8237e045 1607 struct req_batch rb;
def596e9 1608 struct io_kiocb *req;
def596e9 1609
c6ca97b3 1610 rb.to_free = rb.need_iter = 0;
def596e9
JA		 1611 while (!list_empty(done)) {
1612 req = list_first_entry(done, struct io_kiocb, list);
1613 list_del(&req->list);
1614
78e19bbe 1615 io_cqring_fill_event(req, req->result);
def596e9
JA		 1616 (*nr_events)++;
1617
8237e045
JA		 1618 if (refcount_dec_and_test(&req->refs) &&
1619 !io_req_multi_free(&rb, req))
1620 io_free_req(req);
def596e9 1621 }
def596e9 1622
09bb8394 1623 io_commit_cqring(ctx);
8237e045 1624 io_free_req_many(ctx, &rb);
def596e9
JA		 1625}
1626
1627static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1628 long min)
1629{
1630 struct io_kiocb *req, *tmp;
1631 LIST_HEAD(done);
1632 bool spin;
1633 int ret;
1634
1635 /*
1636 * Only spin for completions if we don't have multiple devices hanging
1637 * off our complete list, and we're under the requested amount.
1638 */
1639 spin = !ctx->poll_multi_file && *nr_events < min;
1640
1641 ret = 0;
1642 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1643 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1644
1645 /*
1646 * Move completed entries to our local list. If we find a
1647 * request that requires polling, break out and complete
1648 * the done list first, if we have entries there.
1649 */
1650 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1651 list_move_tail(&req->list, &done);
1652 continue;
1653 }
1654 if (!list_empty(&done))
1655 break;
1656
1657 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1658 if (ret < 0)
1659 break;
1660
1661 if (ret && spin)
1662 spin = false;
1663 ret = 0;
1664 }
1665
1666 if (!list_empty(&done))
1667 io_iopoll_complete(ctx, nr_events, &done);
1668
1669 return ret;
1670}
1671
1672/*
d195a66e 1673 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1674 * non-spinning poll check - we'll still enter the driver poll loop, but only
1675 * as a non-spinning completion check.
1676 */
1677static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1678 long min)
1679{
08f5439f 1680 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1681 int ret;
1682
1683 ret = io_do_iopoll(ctx, nr_events, min);
1684 if (ret < 0)
1685 return ret;
1686 if (!min || *nr_events >= min)
1687 return 0;
1688 }
1689
1690 return 1;
1691}
1692
1693/*
1694 * We can't just wait for polled events to come to us, we have to actively
1695 * find and complete them.
1696 */
1697static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1698{
1699 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1700 return;
1701
1702 mutex_lock(&ctx->uring_lock);
1703 while (!list_empty(&ctx->poll_list)) {
1704 unsigned int nr_events = 0;
1705
1706 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1707
1708 /*
1709 * Ensure we allow local-to-the-cpu processing to take place,
1710 * in this case we need to ensure that we reap all events.
1711 */
1712 cond_resched();
def596e9
JA		 1713 }
1714 mutex_unlock(&ctx->uring_lock);
1715}
1716
c7849be9
XW		 1717static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1718 long min)
def596e9 1719{
2b2ed975 1720 int iters = 0, ret = 0;
500f9fba 1721
c7849be9
XW		 1722 /*
1723 * We disallow the app entering submit/complete with polling, but we
1724 * still need to lock the ring to prevent racing with polled issue
1725 * that got punted to a workqueue.
1726 */
1727 mutex_lock(&ctx->uring_lock);
def596e9
JA		 1728 do {
1729 int tmin = 0;
1730
a3a0e43f
JA		 1731 /*
1732 * Don't enter poll loop if we already have events pending.
1733 * If we do, we can potentially be spinning for commands that
1734 * already triggered a CQE (eg in error).
1735 */
1d7bb1d5 1736 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1737 break;
1738
500f9fba
JA		 1739 /*
1740 * If a submit got punted to a workqueue, we can have the
1741 * application entering polling for a command before it gets
1742 * issued. That app will hold the uring_lock for the duration
1743 * of the poll right here, so we need to take a breather every
1744 * now and then to ensure that the issue has a chance to add
1745 * the poll to the issued list. Otherwise we can spin here
1746 * forever, while the workqueue is stuck trying to acquire the
1747 * very same mutex.
1748 */
1749 if (!(++iters & 7)) {
1750 mutex_unlock(&ctx->uring_lock);
1751 mutex_lock(&ctx->uring_lock);
1752 }
1753
def596e9
JA		 1754 if (*nr_events < min)
1755 tmin = min - *nr_events;
1756
1757 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1758 if (ret <= 0)
1759 break;
1760 ret = 0;
1761 } while (min && !*nr_events && !need_resched());
1762
500f9fba 1763 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1764 return ret;
1765}
1766
491381ce 1767static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1768{
491381ce
JA		 1769 /*
1770 * Tell lockdep we inherited freeze protection from submission
1771 * thread.
1772 */
1773 if (req->flags & REQ_F_ISREG) {
1774 struct inode *inode = file_inode(req->file);
2b188cc1 1775
491381ce 1776 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1777 }
491381ce 1778 file_end_write(req->file);
2b188cc1
JA		 1779}
1780
4e88d6e7
JA		 1781static inline void req_set_fail_links(struct io_kiocb *req)
1782{
1783 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1784 req->flags |= REQ_F_FAIL_LINK;
1785}
1786
ba816ad6 1787static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1788{
9adbd45d 1789 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1790
491381ce
JA		 1791 if (kiocb->ki_flags & IOCB_WRITE)
1792 kiocb_end_write(req);
2b188cc1 1793
4e88d6e7
JA		 1794 if (res != req->result)
1795 req_set_fail_links(req);
78e19bbe 1796 io_cqring_add_event(req, res);
ba816ad6
JA		 1797}
1798
1799static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1800{
9adbd45d 1801 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1802
1803 io_complete_rw_common(kiocb, res);
e65ef56d 1804 io_put_req(req);
2b188cc1
JA		 1805}
1806
ba816ad6
JA		 1807static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1808{
9adbd45d 1809 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1810 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1811
1812 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1813 io_put_req_find_next(req, &nxt);
1814
1815 return nxt;
2b188cc1
JA		 1816}
1817
def596e9
JA		 1818static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1819{
9adbd45d 1820 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1821
491381ce
JA		 1822 if (kiocb->ki_flags & IOCB_WRITE)
1823 kiocb_end_write(req);
def596e9 1824
4e88d6e7
JA		 1825 if (res != req->result)
1826 req_set_fail_links(req);
9e645e11 1827 req->result = res;
def596e9
JA		 1828 if (res != -EAGAIN)
1829 req->flags |= REQ_F_IOPOLL_COMPLETED;
1830}
1831
1832/*
1833 * After the iocb has been issued, it's safe to be found on the poll list.
1834 * Adding the kiocb to the list AFTER submission ensures that we don't
1835 * find it from a io_iopoll_getevents() thread before the issuer is done
1836 * accessing the kiocb cookie.
1837 */
1838static void io_iopoll_req_issued(struct io_kiocb *req)
1839{
1840 struct io_ring_ctx *ctx = req->ctx;
1841
1842 /*
1843 * Track whether we have multiple files in our lists. This will impact
1844 * how we do polling eventually, not spinning if we're on potentially
1845 * different devices.
1846 */
1847 if (list_empty(&ctx->poll_list)) {
1848 ctx->poll_multi_file = false;
1849 } else if (!ctx->poll_multi_file) {
1850 struct io_kiocb *list_req;
1851
1852 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1853 list);
9adbd45d 1854 if (list_req->file != req->file)
def596e9
JA		 1855 ctx->poll_multi_file = true;
1856 }
1857
1858 /*
1859 * For fast devices, IO may have already completed. If it has, add
1860 * it to the front so we find it first.
1861 */
1862 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1863 list_add(&req->list, &ctx->poll_list);
1864 else
1865 list_add_tail(&req->list, &ctx->poll_list);
bdcd3eab
XW		 1866
1867 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
1868 wq_has_sleeper(&ctx->sqo_wait))
1869 wake_up(&ctx->sqo_wait);
def596e9
JA		 1870}
1871
3d6770fb 1872static void io_file_put(struct io_submit_state *state)
9a56a232 1873{
3d6770fb 1874 if (state->file) {
9a56a232
JA		 1875 int diff = state->has_refs - state->used_refs;
1876
1877 if (diff)
1878 fput_many(state->file, diff);
1879 state->file = NULL;
1880 }
1881}
1882
1883/*
1884 * Get as many references to a file as we have IOs left in this submission,
1885 * assuming most submissions are for one file, or at least that each file
1886 * has more than one submission.
1887 */
8da11c19 1888static struct file *__io_file_get(struct io_submit_state *state, int fd)
9a56a232
JA		 1889{
1890 if (!state)
1891 return fget(fd);
1892
1893 if (state->file) {
1894 if (state->fd == fd) {
1895 state->used_refs++;
1896 state->ios_left--;
1897 return state->file;
1898 }
3d6770fb 1899 io_file_put(state);
9a56a232
JA		 1900 }
1901 state->file = fget_many(fd, state->ios_left);
1902 if (!state->file)
1903 return NULL;
1904
1905 state->fd = fd;
1906 state->has_refs = state->ios_left;
1907 state->used_refs = 1;
1908 state->ios_left--;
1909 return state->file;
1910}
1911
2b188cc1
JA		 1912/*
1913 * If we tracked the file through the SCM inflight mechanism, we could support
1914 * any file. For now, just ensure that anything potentially problematic is done
1915 * inline.
1916 */
1917static bool io_file_supports_async(struct file *file)
1918{
1919 umode_t mode = file_inode(file)->i_mode;
1920
10d59345 1921 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1922 return true;
1923 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1924 return true;
1925
1926 return false;
1927}
1928
3529d8c2
JA		 1929static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1930 bool force_nonblock)
2b188cc1 1931{
def596e9 1932 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1933 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1934 unsigned ioprio;
1935 int ret;
2b188cc1 1936
491381ce
JA		 1937 if (S_ISREG(file_inode(req->file)->i_mode))
1938 req->flags |= REQ_F_ISREG;
1939
2b188cc1 1940 kiocb->ki_pos = READ_ONCE(sqe->off);
ba04291e
JA		 1941 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1942 req->flags |= REQ_F_CUR_POS;
1943 kiocb->ki_pos = req->file->f_pos;
1944 }
2b188cc1 1945 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
3e577dcd
PB		 1946 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1947 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1948 if (unlikely(ret))
1949 return ret;
2b188cc1
JA		 1950
1951 ioprio = READ_ONCE(sqe->ioprio);
1952 if (ioprio) {
1953 ret = ioprio_check_cap(ioprio);
1954 if (ret)
09bb8394 1955 return ret;
2b188cc1
JA		 1956
1957 kiocb->ki_ioprio = ioprio;
1958 } else
1959 kiocb->ki_ioprio = get_current_ioprio();
1960
8449eeda 1961 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1962 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1963 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1964 req->flags |= REQ_F_NOWAIT;
1965
1966 if (force_nonblock)
2b188cc1 1967 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1968
def596e9 1969 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1970 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1971 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1972 return -EOPNOTSUPP;
2b188cc1 1973
def596e9
JA		 1974 kiocb->ki_flags |= IOCB_HIPRI;
1975 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1976 req->result = 0;
def596e9 1977 } else {
09bb8394
JA		 1978 if (kiocb->ki_flags & IOCB_HIPRI)
1979 return -EINVAL;
def596e9
JA		 1980 kiocb->ki_complete = io_complete_rw;
1981 }
9adbd45d 1982
3529d8c2
JA		 1983 req->rw.addr = READ_ONCE(sqe->addr);
1984 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1985 /* we own ->private, reuse it for the buffer index */
1986 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1987 READ_ONCE(sqe->buf_index);
2b188cc1 1988 return 0;
2b188cc1
JA		 1989}
1990
1991static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1992{
1993 switch (ret) {
1994 case -EIOCBQUEUED:
1995 break;
1996 case -ERESTARTSYS:
1997 case -ERESTARTNOINTR:
1998 case -ERESTARTNOHAND:
1999 case -ERESTART_RESTARTBLOCK:
2000 /*
2001 * We can't just restart the syscall, since previously
2002 * submitted sqes may already be in progress. Just fail this
2003 * IO with EINTR.
2004 */
2005 ret = -EINTR;
2006 /* fall through */
2007 default:
2008 kiocb->ki_complete(kiocb, ret, 0);
2009 }
2010}
2011
bcaec089 2012static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt)
ba816ad6 2013{
ba04291e
JA		 2014 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2015
2016 if (req->flags & REQ_F_CUR_POS)
2017 req->file->f_pos = kiocb->ki_pos;
bcaec089 2018 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 2019 *nxt = __io_complete_rw(kiocb, ret);
2020 else
2021 io_rw_done(kiocb, ret);
2022}
2023
9adbd45d 2024static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 2025 struct iov_iter *iter)
edafccee 2026{
9adbd45d
JA		 2027 struct io_ring_ctx *ctx = req->ctx;
2028 size_t len = req->rw.len;
edafccee
JA		 2029 struct io_mapped_ubuf *imu;
2030 unsigned index, buf_index;
2031 size_t offset;
2032 u64 buf_addr;
2033
2034 /* attempt to use fixed buffers without having provided iovecs */
2035 if (unlikely(!ctx->user_bufs))
2036 return -EFAULT;
2037
9adbd45d 2038 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 2039 if (unlikely(buf_index >= ctx->nr_user_bufs))
2040 return -EFAULT;
2041
2042 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2043 imu = &ctx->user_bufs[index];
9adbd45d 2044 buf_addr = req->rw.addr;
edafccee
JA		 2045
2046 /* overflow */
2047 if (buf_addr + len < buf_addr)
2048 return -EFAULT;
2049 /* not inside the mapped region */
2050 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2051 return -EFAULT;
2052
2053 /*
2054 * May not be a start of buffer, set size appropriately
2055 * and advance us to the beginning.
2056 */
2057 offset = buf_addr - imu->ubuf;
2058 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 2059
2060 if (offset) {
2061 /*
2062 * Don't use iov_iter_advance() here, as it's really slow for
2063 * using the latter parts of a big fixed buffer - it iterates
2064 * over each segment manually. We can cheat a bit here, because
2065 * we know that:
2066 *
2067 * 1) it's a BVEC iter, we set it up
2068 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2069 * first and last bvec
2070 *
2071 * So just find our index, and adjust the iterator afterwards.
2072 * If the offset is within the first bvec (or the whole first
2073 * bvec, just use iov_iter_advance(). This makes it easier
2074 * since we can just skip the first segment, which may not
2075 * be PAGE_SIZE aligned.
2076 */
2077 const struct bio_vec *bvec = imu->bvec;
2078
2079 if (offset <= bvec->bv_len) {
2080 iov_iter_advance(iter, offset);
2081 } else {
2082 unsigned long seg_skip;
2083
2084 /* skip first vec */
2085 offset -= bvec->bv_len;
2086 seg_skip = 1 + (offset >> PAGE_SHIFT);
2087
2088 iter->bvec = bvec + seg_skip;
2089 iter->nr_segs -= seg_skip;
99c79f66 2090 iter->count -= bvec->bv_len + offset;
bd11b3a3 2091 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 2092 }
2093 }
2094
5e559561 2095 return len;
edafccee
JA		 2096}
2097
cf6fd4bd
PB		 2098static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
2099 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 2100{
9adbd45d
JA		 2101 void __user *buf = u64_to_user_ptr(req->rw.addr);
2102 size_t sqe_len = req->rw.len;
edafccee
JA		 2103 u8 opcode;
2104
d625c6ee 2105 opcode = req->opcode;
7d009165 2106 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 2107 *iovec = NULL;
9adbd45d 2108 return io_import_fixed(req, rw, iter);
edafccee 2109 }
2b188cc1 2110
9adbd45d
JA		 2111 /* buffer index only valid with fixed read/write */
2112 if (req->rw.kiocb.private)
2113 return -EINVAL;
2114
3a6820f2
JA		 2115 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2116 ssize_t ret;
2117 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2118 *iovec = NULL;
3a901598 2119 return ret < 0 ? ret : sqe_len;
3a6820f2
JA		 2120 }
2121
f67676d1
JA		 2122 if (req->io) {
2123 struct io_async_rw *iorw = &req->io->rw;
2124
2125 *iovec = iorw->iov;
2126 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2127 if (iorw->iov == iorw->fast_iov)
2128 *iovec = NULL;
2129 return iorw->size;
2130 }
2131
2b188cc1 2132#ifdef CONFIG_COMPAT
cf6fd4bd 2133 if (req->ctx->compat)
2b188cc1
JA		 2134 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2135 iovec, iter);
2136#endif
2137
2138 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2139}
2140
31b51510 2141/*
32960613
JA		 2142 * For files that don't have ->read_iter() and ->write_iter(), handle them
2143 * by looping over ->read() or ->write() manually.
31b51510 2144 */
32960613
JA		 2145static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2146 struct iov_iter *iter)
2147{
2148 ssize_t ret = 0;
2149
2150 /*
2151 * Don't support polled IO through this interface, and we can't
2152 * support non-blocking either. For the latter, this just causes
2153 * the kiocb to be handled from an async context.
2154 */
2155 if (kiocb->ki_flags & IOCB_HIPRI)
2156 return -EOPNOTSUPP;
2157 if (kiocb->ki_flags & IOCB_NOWAIT)
2158 return -EAGAIN;
2159
2160 while (iov_iter_count(iter)) {
311ae9e1 2161 struct iovec iovec;
32960613
JA		 2162 ssize_t nr;
2163
311ae9e1
PB		 2164 if (!iov_iter_is_bvec(iter)) {
2165 iovec = iov_iter_iovec(iter);
2166 } else {
2167 /* fixed buffers import bvec */
2168 iovec.iov_base = kmap(iter->bvec->bv_page)
2169 + iter->iov_offset;
2170 iovec.iov_len = min(iter->count,
2171 iter->bvec->bv_len - iter->iov_offset);
2172 }
2173
32960613
JA		 2174 if (rw == READ) {
2175 nr = file->f_op->read(file, iovec.iov_base,
2176 iovec.iov_len, &kiocb->ki_pos);
2177 } else {
2178 nr = file->f_op->write(file, iovec.iov_base,
2179 iovec.iov_len, &kiocb->ki_pos);
2180 }
2181
311ae9e1
PB		 2182 if (iov_iter_is_bvec(iter))
2183 kunmap(iter->bvec->bv_page);
2184
32960613
JA		 2185 if (nr < 0) {
2186 if (!ret)
2187 ret = nr;
2188 break;
2189 }
2190 ret += nr;
2191 if (nr != iovec.iov_len)
2192 break;
2193 iov_iter_advance(iter, nr);
2194 }
2195
2196 return ret;
2197}
2198
b7bb4f7d 2199static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 2200 struct iovec *iovec, struct iovec *fast_iov,
2201 struct iov_iter *iter)
2202{
2203 req->io->rw.nr_segs = iter->nr_segs;
2204 req->io->rw.size = io_size;
2205 req->io->rw.iov = iovec;
2206 if (!req->io->rw.iov) {
2207 req->io->rw.iov = req->io->rw.fast_iov;
2208 memcpy(req->io->rw.iov, fast_iov,
2209 sizeof(struct iovec) * iter->nr_segs);
99bc4c38
PB		 2210 } else {
2211 req->flags |= REQ_F_NEED_CLEANUP;
f67676d1
JA		 2212 }
2213}
2214
b7bb4f7d 2215static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1 2216{
d3656344
JA		 2217 if (!io_op_defs[req->opcode].async_ctx)
2218 return 0;
f67676d1 2219 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 2220 return req->io == NULL;
b7bb4f7d
JA		 2221}
2222
b7bb4f7d
JA		 2223static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2224 struct iovec *iovec, struct iovec *fast_iov,
2225 struct iov_iter *iter)
2226{
980ad263 2227 if (!io_op_defs[req->opcode].async_ctx)
74566df3 2228 return 0;
5d204bcf
JA		 2229 if (!req->io) {
2230 if (io_alloc_async_ctx(req))
2231 return -ENOMEM;
b7bb4f7d 2232
5d204bcf
JA		 2233 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2234 }
b7bb4f7d 2235 return 0;
f67676d1
JA		 2236}
2237
3529d8c2
JA		 2238static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2239 bool force_nonblock)
f67676d1 2240{
3529d8c2
JA		 2241 struct io_async_ctx *io;
2242 struct iov_iter iter;
f67676d1
JA		 2243 ssize_t ret;
2244
3529d8c2
JA		 2245 ret = io_prep_rw(req, sqe, force_nonblock);
2246 if (ret)
2247 return ret;
f67676d1 2248
3529d8c2
JA		 2249 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2250 return -EBADF;
f67676d1 2251
5f798bea
PB		 2252 /* either don't need iovec imported or already have it */
2253 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
3529d8c2
JA		 2254 return 0;
2255
2256 io = req->io;
2257 io->rw.iov = io->rw.fast_iov;
2258 req->io = NULL;
2259 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2260 req->io = io;
2261 if (ret < 0)
2262 return ret;
2263
2264 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2265 return 0;
f67676d1
JA		 2266}
2267
267bc904 2268static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2269 bool force_nonblock)
2b188cc1
JA		 2270{
2271 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2272 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2273 struct iov_iter iter;
31b51510 2274 size_t iov_count;
f67676d1 2275 ssize_t io_size, ret;
2b188cc1 2276
3529d8c2 2277 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 2278 if (ret < 0)
2279 return ret;
2b188cc1 2280
fd6c2e4c
JA		 2281 /* Ensure we clear previously set non-block flag */
2282 if (!force_nonblock)
29de5f6a 2283 kiocb->ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2284
797f3f53 2285 req->result = 0;
f67676d1 2286 io_size = ret;
9e645e11 2287 if (req->flags & REQ_F_LINK)
f67676d1
JA		 2288 req->result = io_size;
2289
2290 /*
2291 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2292 * we know to async punt it even if it was opened O_NONBLOCK
2293 */
29de5f6a 2294 if (force_nonblock && !io_file_supports_async(req->file))
f67676d1 2295 goto copy_iov;
9e645e11 2296
31b51510 2297 iov_count = iov_iter_count(&iter);
9adbd45d 2298 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 2299 if (!ret) {
2300 ssize_t ret2;
2301
9adbd45d
JA		 2302 if (req->file->f_op->read_iter)
2303 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 2304 else
9adbd45d 2305 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 2306
9d93a3f5 2307 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 2308 if (!force_nonblock || ret2 != -EAGAIN) {
bcaec089 2309 kiocb_done(kiocb, ret2, nxt);
f67676d1
JA		 2310 } else {
2311copy_iov:
b7bb4f7d 2312 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2313 inline_vecs, &iter);
2314 if (ret)
2315 goto out_free;
29de5f6a
JA		 2316 /* any defer here is final, must blocking retry */
2317 if (!(req->flags & REQ_F_NOWAIT))
2318 req->flags |= REQ_F_MUST_PUNT;
f67676d1
JA		 2319 return -EAGAIN;
2320 }
2b188cc1 2321 }
f67676d1 2322out_free:
1e95081c 2323 kfree(iovec);
99bc4c38 2324 req->flags &= ~REQ_F_NEED_CLEANUP;
2b188cc1
JA		 2325 return ret;
2326}
2327
3529d8c2
JA		 2328static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2329 bool force_nonblock)
f67676d1 2330{
3529d8c2
JA		 2331 struct io_async_ctx *io;
2332 struct iov_iter iter;
f67676d1
JA		 2333 ssize_t ret;
2334
3529d8c2
JA		 2335 ret = io_prep_rw(req, sqe, force_nonblock);
2336 if (ret)
2337 return ret;
f67676d1 2338
3529d8c2
JA		 2339 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2340 return -EBADF;
f67676d1 2341
5f798bea
PB		 2342 /* either don't need iovec imported or already have it */
2343 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
3529d8c2
JA		 2344 return 0;
2345
2346 io = req->io;
2347 io->rw.iov = io->rw.fast_iov;
2348 req->io = NULL;
2349 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2350 req->io = io;
2351 if (ret < 0)
2352 return ret;
2353
2354 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2355 return 0;
f67676d1
JA		 2356}
2357
267bc904 2358static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2359 bool force_nonblock)
2b188cc1
JA		 2360{
2361 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2362 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2363 struct iov_iter iter;
31b51510 2364 size_t iov_count;
f67676d1 2365 ssize_t ret, io_size;
2b188cc1 2366
3529d8c2 2367 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 2368 if (ret < 0)
2369 return ret;
2b188cc1 2370
fd6c2e4c
JA		 2371 /* Ensure we clear previously set non-block flag */
2372 if (!force_nonblock)
9adbd45d 2373 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2374
797f3f53 2375 req->result = 0;
f67676d1 2376 io_size = ret;
9e645e11 2377 if (req->flags & REQ_F_LINK)
f67676d1 2378 req->result = io_size;
9e645e11 2379
f67676d1
JA		 2380 /*
2381 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2382 * we know to async punt it even if it was opened O_NONBLOCK
2383 */
29de5f6a 2384 if (force_nonblock && !io_file_supports_async(req->file))
f67676d1 2385 goto copy_iov;
31b51510 2386
10d59345
JA		 2387 /* file path doesn't support NOWAIT for non-direct_IO */
2388 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2389 (req->flags & REQ_F_ISREG))
f67676d1 2390 goto copy_iov;
31b51510 2391
f67676d1 2392 iov_count = iov_iter_count(&iter);
9adbd45d 2393 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 2394 if (!ret) {
9bf7933f
RP		 2395 ssize_t ret2;
2396
2b188cc1
JA		 2397 /*
2398 * Open-code file_start_write here to grab freeze protection,
2399 * which will be released by another thread in
2400 * io_complete_rw(). Fool lockdep by telling it the lock got
2401 * released so that it doesn't complain about the held lock when
2402 * we return to userspace.
2403 */
491381ce 2404 if (req->flags & REQ_F_ISREG) {
9adbd45d 2405 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 2406 SB_FREEZE_WRITE, true);
9adbd45d 2407 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 2408 SB_FREEZE_WRITE);
2409 }
2410 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 2411
9adbd45d
JA		 2412 if (req->file->f_op->write_iter)
2413 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 2414 else
9adbd45d 2415 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
faac996c
JA		 2416 /*
2417 * Raw bdev writes will -EOPNOTSUPP for IOCB_NOWAIT. Just
2418 * retry them without IOCB_NOWAIT.
2419 */
2420 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
2421 ret2 = -EAGAIN;
f67676d1 2422 if (!force_nonblock || ret2 != -EAGAIN) {
bcaec089 2423 kiocb_done(kiocb, ret2, nxt);
f67676d1
JA		 2424 } else {
2425copy_iov:
b7bb4f7d 2426 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2427 inline_vecs, &iter);
2428 if (ret)
2429 goto out_free;
29de5f6a
JA		 2430 /* any defer here is final, must blocking retry */
2431 req->flags |= REQ_F_MUST_PUNT;
f67676d1
JA		 2432 return -EAGAIN;
2433 }
2b188cc1 2434 }
31b51510 2435out_free:
99bc4c38 2436 req->flags &= ~REQ_F_NEED_CLEANUP;
1e95081c 2437 kfree(iovec);
2b188cc1
JA		 2438 return ret;
2439}
2440
7d67af2c
PB		 2441static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2442{
2443 struct io_splice* sp = &req->splice;
2444 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
2445 int ret;
2446
2447 if (req->flags & REQ_F_NEED_CLEANUP)
2448 return 0;
2449
2450 sp->file_in = NULL;
2451 sp->off_in = READ_ONCE(sqe->splice_off_in);
2452 sp->off_out = READ_ONCE(sqe->off);
2453 sp->len = READ_ONCE(sqe->len);
2454 sp->flags = READ_ONCE(sqe->splice_flags);
2455
2456 if (unlikely(sp->flags & ~valid_flags))
2457 return -EINVAL;
2458
2459 ret = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in), &sp->file_in,
2460 (sp->flags & SPLICE_F_FD_IN_FIXED));
2461 if (ret)
2462 return ret;
2463 req->flags |= REQ_F_NEED_CLEANUP;
2464
2465 if (!S_ISREG(file_inode(sp->file_in)->i_mode))
2466 req->work.flags |= IO_WQ_WORK_UNBOUND;
2467
2468 return 0;
2469}
2470
2471static bool io_splice_punt(struct file *file)
2472{
2473 if (get_pipe_info(file))
2474 return false;
2475 if (!io_file_supports_async(file))
2476 return true;
2477 return !(file->f_mode & O_NONBLOCK);
2478}
2479
2480static int io_splice(struct io_kiocb *req, struct io_kiocb **nxt,
2481 bool force_nonblock)
2482{
2483 struct io_splice *sp = &req->splice;
2484 struct file *in = sp->file_in;
2485 struct file *out = sp->file_out;
2486 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
2487 loff_t *poff_in, *poff_out;
2488 long ret;
2489
2490 if (force_nonblock) {
2491 if (io_splice_punt(in) || io_splice_punt(out))
2492 return -EAGAIN;
2493 flags |= SPLICE_F_NONBLOCK;
2494 }
2495
2496 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
2497 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
2498 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
2499 if (force_nonblock && ret == -EAGAIN)
2500 return -EAGAIN;
2501
2502 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
2503 req->flags &= ~REQ_F_NEED_CLEANUP;
2504
2505 io_cqring_add_event(req, ret);
2506 if (ret != sp->len)
2507 req_set_fail_links(req);
2508 io_put_req_find_next(req, nxt);
2509 return 0;
2510}
2511
2b188cc1
JA		 2512/*
2513 * IORING_OP_NOP just posts a completion event, nothing else.
2514 */
78e19bbe 2515static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 2516{
2517 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2518
def596e9
JA		 2519 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2520 return -EINVAL;
2521
78e19bbe 2522 io_cqring_add_event(req, 0);
e65ef56d 2523 io_put_req(req);
2b188cc1
JA		 2524 return 0;
2525}
2526
3529d8c2 2527static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2528{
6b06314c 2529 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2530
09bb8394
JA		 2531 if (!req->file)
2532 return -EBADF;
c992fe29 2533
6b06314c 2534 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2535 return -EINVAL;
edafccee 2536 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2537 return -EINVAL;
2538
8ed8d3c3
JA		 2539 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2540 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2541 return -EINVAL;
2542
2543 req->sync.off = READ_ONCE(sqe->off);
2544 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2545 return 0;
2546}
2547
8ed8d3c3
JA		 2548static bool io_req_cancelled(struct io_kiocb *req)
2549{
2550 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2551 req_set_fail_links(req);
2552 io_cqring_add_event(req, -ECANCELED);
2553 io_put_req(req);
2554 return true;
2555 }
2556
2557 return false;
2558}
2559
78912934
JA		 2560static void io_link_work_cb(struct io_wq_work **workptr)
2561{
2562 struct io_wq_work *work = *workptr;
2563 struct io_kiocb *link = work->data;
2564
2565 io_queue_linked_timeout(link);
5eae8619 2566 io_wq_submit_work(workptr);
78912934
JA		 2567}
2568
2569static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2570{
2571 struct io_kiocb *link;
2572
78912934 2573 *workptr = &nxt->work;
3b17cf5a 2574 link = io_prep_linked_timeout(nxt);
78912934 2575 if (link) {
78912934
JA		 2576 nxt->work.func = io_link_work_cb;
2577 nxt->work.data = link;
2578 }
2579}
2580
5ea62161 2581static void __io_fsync(struct io_kiocb *req, struct io_kiocb **nxt)
8ed8d3c3 2582{
8ed8d3c3 2583 loff_t end = req->sync.off + req->sync.len;
8ed8d3c3
JA		 2584 int ret;
2585
9adbd45d 2586 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2587 end > 0 ? end : LLONG_MAX,
2588 req->sync.flags & IORING_FSYNC_DATASYNC);
2589 if (ret < 0)
2590 req_set_fail_links(req);
2591 io_cqring_add_event(req, ret);
5ea62161
PB		 2592 io_put_req_find_next(req, nxt);
2593}
2594
2595static void io_fsync_finish(struct io_wq_work **workptr)
2596{
2597 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2598 struct io_kiocb *nxt = NULL;
2599
2600 if (io_req_cancelled(req))
2601 return;
2602 __io_fsync(req, &nxt);
8ed8d3c3 2603 if (nxt)
78912934 2604 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2605}
2606
fc4df999
JA		 2607static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2608 bool force_nonblock)
c992fe29 2609{
c992fe29 2610 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2611 if (force_nonblock) {
2612 io_put_req(req);
2613 req->work.func = io_fsync_finish;
c992fe29 2614 return -EAGAIN;
8ed8d3c3 2615 }
5ea62161 2616 __io_fsync(req, nxt);
c992fe29
CH		 2617 return 0;
2618}
2619
5ea62161 2620static void __io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt)
8ed8d3c3 2621{
8ed8d3c3
JA		 2622 int ret;
2623
7fbeb95d
PB		 2624 if (io_req_cancelled(req))
2625 return;
2626
d63d1b5e
JA		 2627 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2628 req->sync.len);
8ed8d3c3
JA		 2629 if (ret < 0)
2630 req_set_fail_links(req);
2631 io_cqring_add_event(req, ret);
5ea62161
PB		 2632 io_put_req_find_next(req, nxt);
2633}
2634
2635static void io_fallocate_finish(struct io_wq_work **workptr)
2636{
2637 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2638 struct io_kiocb *nxt = NULL;
2639
2640 __io_fallocate(req, &nxt);
8ed8d3c3 2641 if (nxt)
78912934 2642 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2643}
2644
d63d1b5e
JA		 2645static int io_fallocate_prep(struct io_kiocb *req,
2646 const struct io_uring_sqe *sqe)
2647{
2648 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2649 return -EINVAL;
2650
2651 req->sync.off = READ_ONCE(sqe->off);
2652 req->sync.len = READ_ONCE(sqe->addr);
2653 req->sync.mode = READ_ONCE(sqe->len);
2654 return 0;
2655}
2656
2657static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2658 bool force_nonblock)
5d17b4a4 2659{
d63d1b5e 2660 /* fallocate always requiring blocking context */
8ed8d3c3
JA		 2661 if (force_nonblock) {
2662 io_put_req(req);
d63d1b5e 2663 req->work.func = io_fallocate_finish;
5d17b4a4 2664 return -EAGAIN;
8ed8d3c3 2665 }
5d17b4a4 2666
5ea62161 2667 __io_fallocate(req, nxt);
5d17b4a4
JA		 2668 return 0;
2669}
2670
15b71abe 2671static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
b7bb4f7d 2672{
f8748881 2673 const char __user *fname;
15b71abe 2674 int ret;
b7bb4f7d 2675
15b71abe
JA		 2676 if (sqe->ioprio || sqe->buf_index)
2677 return -EINVAL;
cf3040ca
JA		 2678 if (sqe->flags & IOSQE_FIXED_FILE)
2679 return -EBADF;
0bdbdd08
PB		 2680 if (req->flags & REQ_F_NEED_CLEANUP)
2681 return 0;
03b1230c 2682
15b71abe 2683 req->open.dfd = READ_ONCE(sqe->fd);
c12cedf2 2684 req->open.how.mode = READ_ONCE(sqe->len);
f8748881 2685 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
c12cedf2 2686 req->open.how.flags = READ_ONCE(sqe->open_flags);
3529d8c2 2687
f8748881 2688 req->open.filename = getname(fname);
15b71abe
JA		 2689 if (IS_ERR(req->open.filename)) {
2690 ret = PTR_ERR(req->open.filename);
2691 req->open.filename = NULL;
2692 return ret;
2693 }
3529d8c2 2694
8fef80bf 2695 req->flags |= REQ_F_NEED_CLEANUP;
15b71abe 2696 return 0;
03b1230c
JA		 2697}
2698
cebdb986 2699static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
aa1fa28f 2700{
cebdb986
JA		 2701 struct open_how __user *how;
2702 const char __user *fname;
2703 size_t len;
0fa03c62
JA		 2704 int ret;
2705
cebdb986 2706 if (sqe->ioprio || sqe->buf_index)
0fa03c62 2707 return -EINVAL;
cf3040ca
JA		 2708 if (sqe->flags & IOSQE_FIXED_FILE)
2709 return -EBADF;
0bdbdd08
PB		 2710 if (req->flags & REQ_F_NEED_CLEANUP)
2711 return 0;
0fa03c62 2712
cebdb986
JA		 2713 req->open.dfd = READ_ONCE(sqe->fd);
2714 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2715 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2716 len = READ_ONCE(sqe->len);
0fa03c62 2717
cebdb986
JA		 2718 if (len < OPEN_HOW_SIZE_VER0)
2719 return -EINVAL;
3529d8c2 2720
cebdb986
JA		 2721 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
2722 len);
2723 if (ret)
2724 return ret;
3529d8c2 2725
cebdb986
JA		 2726 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
2727 req->open.how.flags |= O_LARGEFILE;
0fa03c62 2728
cebdb986
JA		 2729 req->open.filename = getname(fname);
2730 if (IS_ERR(req->open.filename)) {
2731 ret = PTR_ERR(req->open.filename);
2732 req->open.filename = NULL;
2733 return ret;
2734 }
2735
8fef80bf 2736 req->flags |= REQ_F_NEED_CLEANUP;
cebdb986
JA		 2737 return 0;
2738}
2739
2740static int io_openat2(struct io_kiocb *req, struct io_kiocb **nxt,
2741 bool force_nonblock)
15b71abe
JA		 2742{
2743 struct open_flags op;
15b71abe
JA		 2744 struct file *file;
2745 int ret;
2746
f86cd20c 2747 if (force_nonblock)
15b71abe 2748 return -EAGAIN;
15b71abe 2749
cebdb986 2750 ret = build_open_flags(&req->open.how, &op);
15b71abe
JA		 2751 if (ret)
2752 goto err;
2753
cebdb986 2754 ret = get_unused_fd_flags(req->open.how.flags);
15b71abe
JA		 2755 if (ret < 0)
2756 goto err;
2757
2758 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2759 if (IS_ERR(file)) {
2760 put_unused_fd(ret);
2761 ret = PTR_ERR(file);
2762 } else {
2763 fsnotify_open(file);
2764 fd_install(ret, file);
2765 }
2766err:
2767 putname(req->open.filename);
8fef80bf 2768 req->flags &= ~REQ_F_NEED_CLEANUP;
15b71abe
JA		 2769 if (ret < 0)
2770 req_set_fail_links(req);
2771 io_cqring_add_event(req, ret);
2772 io_put_req_find_next(req, nxt);
2773 return 0;
2774}
2775
cebdb986
JA		 2776static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2777 bool force_nonblock)
2778{
2779 req->open.how = build_open_how(req->open.how.flags, req->open.how.mode);
2780 return io_openat2(req, nxt, force_nonblock);
2781}
2782
3e4827b0
JA		 2783static int io_epoll_ctl_prep(struct io_kiocb *req,
2784 const struct io_uring_sqe *sqe)
2785{
2786#if defined(CONFIG_EPOLL)
2787 if (sqe->ioprio || sqe->buf_index)
2788 return -EINVAL;
2789
2790 req->epoll.epfd = READ_ONCE(sqe->fd);
2791 req->epoll.op = READ_ONCE(sqe->len);
2792 req->epoll.fd = READ_ONCE(sqe->off);
2793
2794 if (ep_op_has_event(req->epoll.op)) {
2795 struct epoll_event __user *ev;
2796
2797 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
2798 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
2799 return -EFAULT;
2800 }
2801
2802 return 0;
2803#else
2804 return -EOPNOTSUPP;
2805#endif
2806}
2807
2808static int io_epoll_ctl(struct io_kiocb *req, struct io_kiocb **nxt,
2809 bool force_nonblock)
2810{
2811#if defined(CONFIG_EPOLL)
2812 struct io_epoll *ie = &req->epoll;
2813 int ret;
2814
2815 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
2816 if (force_nonblock && ret == -EAGAIN)
2817 return -EAGAIN;
2818
2819 if (ret < 0)
2820 req_set_fail_links(req);
2821 io_cqring_add_event(req, ret);
2822 io_put_req_find_next(req, nxt);
2823 return 0;
2824#else
2825 return -EOPNOTSUPP;
2826#endif
2827}
2828
c1ca757b
JA		 2829static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2830{
2831#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2832 if (sqe->ioprio || sqe->buf_index || sqe->off)
2833 return -EINVAL;
2834
2835 req->madvise.addr = READ_ONCE(sqe->addr);
2836 req->madvise.len = READ_ONCE(sqe->len);
2837 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2838 return 0;
2839#else
2840 return -EOPNOTSUPP;
2841#endif
2842}
2843
2844static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2845 bool force_nonblock)
2846{
2847#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2848 struct io_madvise *ma = &req->madvise;
2849 int ret;
2850
2851 if (force_nonblock)
2852 return -EAGAIN;
2853
2854 ret = do_madvise(ma->addr, ma->len, ma->advice);
2855 if (ret < 0)
2856 req_set_fail_links(req);
2857 io_cqring_add_event(req, ret);
2858 io_put_req_find_next(req, nxt);
2859 return 0;
2860#else
2861 return -EOPNOTSUPP;
2862#endif
2863}
2864
4840e418
JA		 2865static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2866{
2867 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2868 return -EINVAL;
2869
2870 req->fadvise.offset = READ_ONCE(sqe->off);
2871 req->fadvise.len = READ_ONCE(sqe->len);
2872 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2873 return 0;
2874}
2875
2876static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2877 bool force_nonblock)
2878{
2879 struct io_fadvise *fa = &req->fadvise;
2880 int ret;
2881
3e69426d
JA		 2882 if (force_nonblock) {
2883 switch (fa->advice) {
2884 case POSIX_FADV_NORMAL:
2885 case POSIX_FADV_RANDOM:
2886 case POSIX_FADV_SEQUENTIAL:
2887 break;
2888 default:
2889 return -EAGAIN;
2890 }
2891 }
4840e418
JA		 2892
2893 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2894 if (ret < 0)
2895 req_set_fail_links(req);
2896 io_cqring_add_event(req, ret);
2897 io_put_req_find_next(req, nxt);
2898 return 0;
2899}
2900
eddc7ef5
JA		 2901static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2902{
f8748881 2903 const char __user *fname;
eddc7ef5
JA		 2904 unsigned lookup_flags;
2905 int ret;
2906
2907 if (sqe->ioprio || sqe->buf_index)
2908 return -EINVAL;
cf3040ca
JA		 2909 if (sqe->flags & IOSQE_FIXED_FILE)
2910 return -EBADF;
0bdbdd08
PB		 2911 if (req->flags & REQ_F_NEED_CLEANUP)
2912 return 0;
eddc7ef5
JA		 2913
2914 req->open.dfd = READ_ONCE(sqe->fd);
2915 req->open.mask = READ_ONCE(sqe->len);
f8748881 2916 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
eddc7ef5 2917 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
c12cedf2 2918 req->open.how.flags = READ_ONCE(sqe->statx_flags);
eddc7ef5 2919
c12cedf2 2920 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.how.flags))
eddc7ef5
JA		 2921 return -EINVAL;
2922
f8748881 2923 req->open.filename = getname_flags(fname, lookup_flags, NULL);
eddc7ef5
JA		 2924 if (IS_ERR(req->open.filename)) {
2925 ret = PTR_ERR(req->open.filename);
2926 req->open.filename = NULL;
2927 return ret;
2928 }
2929
8fef80bf 2930 req->flags |= REQ_F_NEED_CLEANUP;
eddc7ef5
JA		 2931 return 0;
2932}
2933
2934static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2935 bool force_nonblock)
2936{
2937 struct io_open *ctx = &req->open;
2938 unsigned lookup_flags;
2939 struct path path;
2940 struct kstat stat;
2941 int ret;
2942
2943 if (force_nonblock)
2944 return -EAGAIN;
2945
c12cedf2 2946 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->how.flags))
eddc7ef5
JA		 2947 return -EINVAL;
2948
2949retry:
2950 /* filename_lookup() drops it, keep a reference */
2951 ctx->filename->refcnt++;
2952
2953 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2954 NULL);
2955 if (ret)
2956 goto err;
2957
c12cedf2 2958 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->how.flags);
eddc7ef5
JA		 2959 path_put(&path);
2960 if (retry_estale(ret, lookup_flags)) {
2961 lookup_flags |= LOOKUP_REVAL;
2962 goto retry;
2963 }
2964 if (!ret)
2965 ret = cp_statx(&stat, ctx->buffer);
2966err:
2967 putname(ctx->filename);
8fef80bf 2968 req->flags &= ~REQ_F_NEED_CLEANUP;
eddc7ef5
JA		 2969 if (ret < 0)
2970 req_set_fail_links(req);
2971 io_cqring_add_event(req, ret);
2972 io_put_req_find_next(req, nxt);
2973 return 0;
2974}
2975
b5dba59e
JA		 2976static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2977{
2978 /*
2979 * If we queue this for async, it must not be cancellable. That would
2980 * leave the 'file' in an undeterminate state.
2981 */
2982 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2983
2984 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2985 sqe->rw_flags || sqe->buf_index)
2986 return -EINVAL;
2987 if (sqe->flags & IOSQE_FIXED_FILE)
cf3040ca 2988 return -EBADF;
b5dba59e
JA		 2989
2990 req->close.fd = READ_ONCE(sqe->fd);
2991 if (req->file->f_op == &io_uring_fops ||
b14cca0c 2992 req->close.fd == req->ctx->ring_fd)
b5dba59e
JA		 2993 return -EBADF;
2994
2995 return 0;
2996}
2997
a93b3331
PB		 2998/* only called when __close_fd_get_file() is done */
2999static void __io_close_finish(struct io_kiocb *req, struct io_kiocb **nxt)
3000{
3001 int ret;
3002
3003 ret = filp_close(req->close.put_file, req->work.files);
3004 if (ret < 0)
3005 req_set_fail_links(req);
3006 io_cqring_add_event(req, ret);
3007 fput(req->close.put_file);
3008 io_put_req_find_next(req, nxt);
3009}
3010
b5dba59e
JA		 3011static void io_close_finish(struct io_wq_work **workptr)
3012{
3013 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3014 struct io_kiocb *nxt = NULL;
3015
7fbeb95d 3016 /* not cancellable, don't do io_req_cancelled() */
a93b3331 3017 __io_close_finish(req, &nxt);
b5dba59e
JA		 3018 if (nxt)
3019 io_wq_assign_next(workptr, nxt);
3020}
3021
3022static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
3023 bool force_nonblock)
3024{
3025 int ret;
3026
3027 req->close.put_file = NULL;
3028 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
3029 if (ret < 0)
3030 return ret;
3031
3032 /* if the file has a flush method, be safe and punt to async */
f86cd20c 3033 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker())
b5dba59e 3034 goto eagain;
b5dba59e
JA		 3035
3036 /*
3037 * No ->flush(), safely close from here and just punt the
3038 * fput() to async context.
3039 */
a93b3331
PB		 3040 __io_close_finish(req, nxt);
3041 return 0;
b5dba59e
JA		 3042eagain:
3043 req->work.func = io_close_finish;
1a417f4e
JA		 3044 /*
3045 * Do manual async queue here to avoid grabbing files - we don't
3046 * need the files, and it'll cause io_close_finish() to close
3047 * the file again and cause a double CQE entry for this request
3048 */
3049 io_queue_async_work(req);
3050 return 0;
b5dba59e
JA		 3051}
3052
3529d8c2 3053static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 3054{
3055 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 3056
3057 if (!req->file)
3058 return -EBADF;
5d17b4a4
JA		 3059
3060 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3061 return -EINVAL;
3062 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3063 return -EINVAL;
3064
8ed8d3c3
JA		 3065 req->sync.off = READ_ONCE(sqe->off);
3066 req->sync.len = READ_ONCE(sqe->len);
3067 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 3068 return 0;
3069}
3070
5ea62161 3071static void __io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt)
8ed8d3c3 3072{
8ed8d3c3
JA		 3073 int ret;
3074
9adbd45d 3075 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 3076 req->sync.flags);
3077 if (ret < 0)
3078 req_set_fail_links(req);
3079 io_cqring_add_event(req, ret);
5ea62161
PB		 3080 io_put_req_find_next(req, nxt);
3081}
3082
3083
3084static void io_sync_file_range_finish(struct io_wq_work **workptr)
3085{
3086 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3087 struct io_kiocb *nxt = NULL;
3088
3089 if (io_req_cancelled(req))
3090 return;
3091 __io_sync_file_range(req, &nxt);
8ed8d3c3 3092 if (nxt)
78912934 3093 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 3094}
3095
fc4df999 3096static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 3097 bool force_nonblock)
3098{
5d17b4a4 3099 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 3100 if (force_nonblock) {
3101 io_put_req(req);
3102 req->work.func = io_sync_file_range_finish;
5d17b4a4 3103 return -EAGAIN;
8ed8d3c3 3104 }
5d17b4a4 3105
5ea62161 3106 __io_sync_file_range(req, nxt);
5d17b4a4
JA		 3107 return 0;
3108}
3109
02d27d89
PB		 3110static int io_setup_async_msg(struct io_kiocb *req,
3111 struct io_async_msghdr *kmsg)
3112{
3113 if (req->io)
3114 return -EAGAIN;
3115 if (io_alloc_async_ctx(req)) {
3116 if (kmsg->iov != kmsg->fast_iov)
3117 kfree(kmsg->iov);
3118 return -ENOMEM;
3119 }
3120 req->flags |= REQ_F_NEED_CLEANUP;
3121 memcpy(&req->io->msg, kmsg, sizeof(*kmsg));
3122 return -EAGAIN;
3123}
3124
3529d8c2 3125static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 3126{
0fa03c62 3127#if defined(CONFIG_NET)
e47293fd 3128 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 3129 struct io_async_ctx *io = req->io;
99bc4c38 3130 int ret;
03b1230c 3131
e47293fd
JA		 3132 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3133 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
fddaface 3134 sr->len = READ_ONCE(sqe->len);
3529d8c2 3135
d8768362
JA		 3136#ifdef CONFIG_COMPAT
3137 if (req->ctx->compat)
3138 sr->msg_flags |= MSG_CMSG_COMPAT;
3139#endif
3140
fddaface 3141 if (!io || req->opcode == IORING_OP_SEND)
3529d8c2 3142 return 0;
5f798bea
PB		 3143 /* iovec is already imported */
3144 if (req->flags & REQ_F_NEED_CLEANUP)
3145 return 0;
3529d8c2 3146
d9688565 3147 io->msg.iov = io->msg.fast_iov;
99bc4c38 3148 ret = sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 3149 &io->msg.iov);
99bc4c38
PB		 3150 if (!ret)
3151 req->flags |= REQ_F_NEED_CLEANUP;
3152 return ret;
03b1230c 3153#else
e47293fd 3154 return -EOPNOTSUPP;
03b1230c
JA		 3155#endif
3156}
3157
fc4df999
JA		 3158static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
3159 bool force_nonblock)
aa1fa28f 3160{
03b1230c 3161#if defined(CONFIG_NET)
0b416c3e 3162 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 3163 struct socket *sock;
3164 int ret;
3165
3166 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3167 return -EINVAL;
3168
3169 sock = sock_from_file(req->file, &ret);
3170 if (sock) {
b7bb4f7d 3171 struct io_async_ctx io;
0fa03c62
JA		 3172 unsigned flags;
3173
03b1230c 3174 if (req->io) {
0b416c3e 3175 kmsg = &req->io->msg;
b537916c 3176 kmsg->msg.msg_name = &req->io->msg.addr;
0b416c3e
JA		 3177 /* if iov is set, it's allocated already */
3178 if (!kmsg->iov)
3179 kmsg->iov = kmsg->fast_iov;
3180 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 3181 } else {
3529d8c2
JA		 3182 struct io_sr_msg *sr = &req->sr_msg;
3183
0b416c3e 3184 kmsg = &io.msg;
b537916c 3185 kmsg->msg.msg_name = &io.msg.addr;
3529d8c2
JA		 3186
3187 io.msg.iov = io.msg.fast_iov;
3188 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
3189 sr->msg_flags, &io.msg.iov);
03b1230c 3190 if (ret)
3529d8c2 3191 return ret;
03b1230c 3192 }
0fa03c62 3193
e47293fd
JA		 3194 flags = req->sr_msg.msg_flags;
3195 if (flags & MSG_DONTWAIT)
3196 req->flags |= REQ_F_NOWAIT;
3197 else if (force_nonblock)
3198 flags |= MSG_DONTWAIT;
3199
0b416c3e 3200 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
02d27d89
PB		 3201 if (force_nonblock && ret == -EAGAIN)
3202 return io_setup_async_msg(req, kmsg);
441cdbd5
JA		 3203 if (ret == -ERESTARTSYS)
3204 ret = -EINTR;
0fa03c62
JA		 3205 }
3206
1e95081c 3207 if (kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 3208 kfree(kmsg->iov);
99bc4c38 3209 req->flags &= ~REQ_F_NEED_CLEANUP;
78e19bbe 3210 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3211 if (ret < 0)
3212 req_set_fail_links(req);
ec9c02ad 3213 io_put_req_find_next(req, nxt);
5d17b4a4 3214 return 0;
03b1230c
JA		 3215#else
3216 return -EOPNOTSUPP;
aa1fa28f 3217#endif
03b1230c 3218}
aa1fa28f 3219
fddaface
JA		 3220static int io_send(struct io_kiocb *req, struct io_kiocb **nxt,
3221 bool force_nonblock)
3222{
3223#if defined(CONFIG_NET)
3224 struct socket *sock;
3225 int ret;
3226
3227 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3228 return -EINVAL;
3229
3230 sock = sock_from_file(req->file, &ret);
3231 if (sock) {
3232 struct io_sr_msg *sr = &req->sr_msg;
3233 struct msghdr msg;
3234 struct iovec iov;
3235 unsigned flags;
3236
3237 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
3238 &msg.msg_iter);
3239 if (ret)
3240 return ret;
3241
3242 msg.msg_name = NULL;
3243 msg.msg_control = NULL;
3244 msg.msg_controllen = 0;
3245 msg.msg_namelen = 0;
3246
3247 flags = req->sr_msg.msg_flags;
3248 if (flags & MSG_DONTWAIT)
3249 req->flags |= REQ_F_NOWAIT;
3250 else if (force_nonblock)
3251 flags |= MSG_DONTWAIT;
3252
0b7b21e4
JA		 3253 msg.msg_flags = flags;
3254 ret = sock_sendmsg(sock, &msg);
fddaface
JA		 3255 if (force_nonblock && ret == -EAGAIN)
3256 return -EAGAIN;
3257 if (ret == -ERESTARTSYS)
3258 ret = -EINTR;
3259 }
3260
3261 io_cqring_add_event(req, ret);
3262 if (ret < 0)
3263 req_set_fail_links(req);
3264 io_put_req_find_next(req, nxt);
3265 return 0;
3266#else
3267 return -EOPNOTSUPP;
3268#endif
3269}
3270
3529d8c2
JA		 3271static int io_recvmsg_prep(struct io_kiocb *req,
3272 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 3273{
3274#if defined(CONFIG_NET)
e47293fd 3275 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 3276 struct io_async_ctx *io = req->io;
99bc4c38 3277 int ret;
3529d8c2
JA		 3278
3279 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3280 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
0b7b21e4 3281 sr->len = READ_ONCE(sqe->len);
06b76d44 3282
d8768362
JA		 3283#ifdef CONFIG_COMPAT
3284 if (req->ctx->compat)
3285 sr->msg_flags |= MSG_CMSG_COMPAT;
3286#endif
3287
fddaface 3288 if (!io || req->opcode == IORING_OP_RECV)
06b76d44 3289 return 0;
5f798bea
PB		 3290 /* iovec is already imported */
3291 if (req->flags & REQ_F_NEED_CLEANUP)
3292 return 0;
03b1230c 3293
d9688565 3294 io->msg.iov = io->msg.fast_iov;
99bc4c38 3295 ret = recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 3296 &io->msg.uaddr, &io->msg.iov);
99bc4c38
PB		 3297 if (!ret)
3298 req->flags |= REQ_F_NEED_CLEANUP;
3299 return ret;
aa1fa28f 3300#else
e47293fd 3301 return -EOPNOTSUPP;
aa1fa28f
JA		 3302#endif
3303}
3304
fc4df999
JA		 3305static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
3306 bool force_nonblock)
aa1fa28f
JA		 3307{
3308#if defined(CONFIG_NET)
0b416c3e 3309 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 3310 struct socket *sock;
3311 int ret;
3312
3313 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3314 return -EINVAL;
3315
3316 sock = sock_from_file(req->file, &ret);
3317 if (sock) {
b7bb4f7d 3318 struct io_async_ctx io;
03b1230c
JA		 3319 unsigned flags;
3320
03b1230c 3321 if (req->io) {
0b416c3e 3322 kmsg = &req->io->msg;
b537916c 3323 kmsg->msg.msg_name = &req->io->msg.addr;
0b416c3e
JA		 3324 /* if iov is set, it's allocated already */
3325 if (!kmsg->iov)
3326 kmsg->iov = kmsg->fast_iov;
3327 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 3328 } else {
3529d8c2
JA		 3329 struct io_sr_msg *sr = &req->sr_msg;
3330
0b416c3e 3331 kmsg = &io.msg;
b537916c 3332 kmsg->msg.msg_name = &io.msg.addr;
3529d8c2
JA		 3333
3334 io.msg.iov = io.msg.fast_iov;
3335 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
3336 sr->msg_flags, &io.msg.uaddr,
3337 &io.msg.iov);
03b1230c 3338 if (ret)
3529d8c2 3339 return ret;
03b1230c
JA		 3340 }
3341
e47293fd
JA		 3342 flags = req->sr_msg.msg_flags;
3343 if (flags & MSG_DONTWAIT)
3344 req->flags |= REQ_F_NOWAIT;
3345 else if (force_nonblock)
3346 flags |= MSG_DONTWAIT;
3347
3348 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3349 kmsg->uaddr, flags);
02d27d89
PB		 3350 if (force_nonblock && ret == -EAGAIN)
3351 return io_setup_async_msg(req, kmsg);
03b1230c
JA		 3352 if (ret == -ERESTARTSYS)
3353 ret = -EINTR;
3354 }
3355
1e95081c 3356 if (kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 3357 kfree(kmsg->iov);
99bc4c38 3358 req->flags &= ~REQ_F_NEED_CLEANUP;
03b1230c 3359 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3360 if (ret < 0)
3361 req_set_fail_links(req);
03b1230c
JA		 3362 io_put_req_find_next(req, nxt);
3363 return 0;
0fa03c62
JA		 3364#else
3365 return -EOPNOTSUPP;
3366#endif
3367}
5d17b4a4 3368
fddaface
JA		 3369static int io_recv(struct io_kiocb *req, struct io_kiocb **nxt,
3370 bool force_nonblock)
3371{
3372#if defined(CONFIG_NET)
3373 struct socket *sock;
3374 int ret;
3375
3376 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3377 return -EINVAL;
3378
3379 sock = sock_from_file(req->file, &ret);
3380 if (sock) {
3381 struct io_sr_msg *sr = &req->sr_msg;
3382 struct msghdr msg;
3383 struct iovec iov;
3384 unsigned flags;
3385
3386 ret = import_single_range(READ, sr->buf, sr->len, &iov,
3387 &msg.msg_iter);
3388 if (ret)
3389 return ret;
3390
3391 msg.msg_name = NULL;
3392 msg.msg_control = NULL;
3393 msg.msg_controllen = 0;
3394 msg.msg_namelen = 0;
3395 msg.msg_iocb = NULL;
3396 msg.msg_flags = 0;
3397
3398 flags = req->sr_msg.msg_flags;
3399 if (flags & MSG_DONTWAIT)
3400 req->flags |= REQ_F_NOWAIT;
3401 else if (force_nonblock)
3402 flags |= MSG_DONTWAIT;
3403
0b7b21e4 3404 ret = sock_recvmsg(sock, &msg, flags);
fddaface
JA		 3405 if (force_nonblock && ret == -EAGAIN)
3406 return -EAGAIN;
3407 if (ret == -ERESTARTSYS)
3408 ret = -EINTR;
3409 }
3410
3411 io_cqring_add_event(req, ret);
3412 if (ret < 0)
3413 req_set_fail_links(req);
3414 io_put_req_find_next(req, nxt);
3415 return 0;
3416#else
3417 return -EOPNOTSUPP;
3418#endif
3419}
3420
3421
3529d8c2 3422static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 3423{
3424#if defined(CONFIG_NET)
8ed8d3c3
JA		 3425 struct io_accept *accept = &req->accept;
3426
17f2fe35
JA		 3427 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3428 return -EINVAL;
8042d6ce 3429 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 3430 return -EINVAL;
3431
d55e5f5b
JA		 3432 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3433 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 3434 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 3435 return 0;
3436#else
3437 return -EOPNOTSUPP;
3438#endif
3439}
17f2fe35 3440
8ed8d3c3
JA		 3441#if defined(CONFIG_NET)
3442static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3443 bool force_nonblock)
3444{
3445 struct io_accept *accept = &req->accept;
3446 unsigned file_flags;
3447 int ret;
3448
3449 file_flags = force_nonblock ? O_NONBLOCK : 0;
3450 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3451 accept->addr_len, accept->flags);
3452 if (ret == -EAGAIN && force_nonblock)
17f2fe35 3453 return -EAGAIN;
8e3cca12
JA		 3454 if (ret == -ERESTARTSYS)
3455 ret = -EINTR;
4e88d6e7
JA		 3456 if (ret < 0)
3457 req_set_fail_links(req);
78e19bbe 3458 io_cqring_add_event(req, ret);
ec9c02ad 3459 io_put_req_find_next(req, nxt);
17f2fe35 3460 return 0;
8ed8d3c3
JA		 3461}
3462
3463static void io_accept_finish(struct io_wq_work **workptr)
3464{
3465 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3466 struct io_kiocb *nxt = NULL;
3467
e441d1cf
JA		 3468 io_put_req(req);
3469
8ed8d3c3
JA		 3470 if (io_req_cancelled(req))
3471 return;
3472 __io_accept(req, &nxt, false);
3473 if (nxt)
78912934 3474 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 3475}
3476#endif
3477
3478static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3479 bool force_nonblock)
3480{
3481#if defined(CONFIG_NET)
3482 int ret;
3483
8ed8d3c3
JA		 3484 ret = __io_accept(req, nxt, force_nonblock);
3485 if (ret == -EAGAIN && force_nonblock) {
3486 req->work.func = io_accept_finish;
8ed8d3c3
JA		 3487 return -EAGAIN;
3488 }
3489 return 0;
0fa03c62
JA		 3490#else
3491 return -EOPNOTSUPP;
3492#endif
3493}
5d17b4a4 3494
3529d8c2 3495static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 3496{
3497#if defined(CONFIG_NET)
3529d8c2
JA		 3498 struct io_connect *conn = &req->connect;
3499 struct io_async_ctx *io = req->io;
f499a021 3500
3fbb51c1
JA		 3501 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3502 return -EINVAL;
3503 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3504 return -EINVAL;
3505
3529d8c2
JA		 3506 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3507 conn->addr_len = READ_ONCE(sqe->addr2);
3508
3509 if (!io)
3510 return 0;
3511
3512 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 3513 &io->connect.address);
f499a021 3514#else
3fbb51c1 3515 return -EOPNOTSUPP;
f499a021
JA		 3516#endif
3517}
3518
fc4df999
JA		 3519static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3520 bool force_nonblock)
f8e85cf2
JA		 3521{
3522#if defined(CONFIG_NET)
f499a021 3523 struct io_async_ctx __io, *io;
f8e85cf2 3524 unsigned file_flags;
3fbb51c1 3525 int ret;
f8e85cf2 3526
f499a021
JA		 3527 if (req->io) {
3528 io = req->io;
3529 } else {
3529d8c2
JA		 3530 ret = move_addr_to_kernel(req->connect.addr,
3531 req->connect.addr_len,
3532 &__io.connect.address);
f499a021
JA		 3533 if (ret)
3534 goto out;
3535 io = &__io;
3536 }
3537
3fbb51c1
JA		 3538 file_flags = force_nonblock ? O_NONBLOCK : 0;
3539
3540 ret = __sys_connect_file(req->file, &io->connect.address,
3541 req->connect.addr_len, file_flags);
87f80d62 3542 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 3543 if (req->io)
3544 return -EAGAIN;
3545 if (io_alloc_async_ctx(req)) {
f499a021
JA		 3546 ret = -ENOMEM;
3547 goto out;
3548 }
b7bb4f7d 3549 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 3550 return -EAGAIN;
f499a021 3551 }
f8e85cf2
JA		 3552 if (ret == -ERESTARTSYS)
3553 ret = -EINTR;
f499a021 3554out:
4e88d6e7
JA		 3555 if (ret < 0)
3556 req_set_fail_links(req);
f8e85cf2
JA		 3557 io_cqring_add_event(req, ret);
3558 io_put_req_find_next(req, nxt);
3559 return 0;
3560#else
3561 return -EOPNOTSUPP;
3562#endif
3563}
3564
d7718a9d
JA		 3565struct io_poll_table {
3566 struct poll_table_struct pt;
3567 struct io_kiocb *req;
3568 int error;
3569};
3570
3571static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
3572 struct wait_queue_head *head)
3573{
3574 if (unlikely(poll->head)) {
3575 pt->error = -EINVAL;
3576 return;
3577 }
3578
3579 pt->error = 0;
3580 poll->head = head;
3581 add_wait_queue(head, &poll->wait);
3582}
3583
3584static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
3585 struct poll_table_struct *p)
3586{
3587 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3588
3589 __io_queue_proc(&pt->req->apoll->poll, pt, head);
3590}
3591
3592static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
3593 __poll_t mask, task_work_func_t func)
3594{
3595 struct task_struct *tsk;
3596
3597 /* for instances that support it check for an event match first: */
3598 if (mask && !(mask & poll->events))
3599 return 0;
3600
3601 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
3602
3603 list_del_init(&poll->wait.entry);
3604
3605 tsk = req->task;
3606 req->result = mask;
3607 init_task_work(&req->task_work, func);
3608 /*
3609 * If this fails, then the task is exiting. If that is the case, then
3610 * the exit check will ultimately cancel these work items. Hence we
3611 * don't need to check here and handle it specifically.
3612 */
3613 task_work_add(tsk, &req->task_work, true);
3614 wake_up_process(tsk);
3615 return 1;
3616}
3617
3618static void io_async_task_func(struct callback_head *cb)
3619{
3620 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
3621 struct async_poll *apoll = req->apoll;
3622 struct io_ring_ctx *ctx = req->ctx;
3623
3624 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
3625
3626 WARN_ON_ONCE(!list_empty(&req->apoll->poll.wait.entry));
3627
3628 if (hash_hashed(&req->hash_node)) {
3629 spin_lock_irq(&ctx->completion_lock);
3630 hash_del(&req->hash_node);
3631 spin_unlock_irq(&ctx->completion_lock);
3632 }
3633
3634 /* restore ->work in case we need to retry again */
3635 memcpy(&req->work, &apoll->work, sizeof(req->work));
3636
3637 __set_current_state(TASK_RUNNING);
3638 mutex_lock(&ctx->uring_lock);
3639 __io_queue_sqe(req, NULL);
3640 mutex_unlock(&ctx->uring_lock);
3641
3642 kfree(apoll);
3643}
3644
3645static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3646 void *key)
3647{
3648 struct io_kiocb *req = wait->private;
3649 struct io_poll_iocb *poll = &req->apoll->poll;
3650
3651 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
3652 key_to_poll(key));
3653
3654 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
3655}
3656
3657static void io_poll_req_insert(struct io_kiocb *req)
3658{
3659 struct io_ring_ctx *ctx = req->ctx;
3660 struct hlist_head *list;
3661
3662 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3663 hlist_add_head(&req->hash_node, list);
3664}
3665
3666static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
3667 struct io_poll_iocb *poll,
3668 struct io_poll_table *ipt, __poll_t mask,
3669 wait_queue_func_t wake_func)
3670 __acquires(&ctx->completion_lock)
3671{
3672 struct io_ring_ctx *ctx = req->ctx;
3673 bool cancel = false;
3674
3675 poll->file = req->file;
3676 poll->head = NULL;
3677 poll->done = poll->canceled = false;
3678 poll->events = mask;
3679
3680 ipt->pt._key = mask;
3681 ipt->req = req;
3682 ipt->error = -EINVAL;
3683
3684 INIT_LIST_HEAD(&poll->wait.entry);
3685 init_waitqueue_func_entry(&poll->wait, wake_func);
3686 poll->wait.private = req;
3687
3688 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
3689
3690 spin_lock_irq(&ctx->completion_lock);
3691 if (likely(poll->head)) {
3692 spin_lock(&poll->head->lock);
3693 if (unlikely(list_empty(&poll->wait.entry))) {
3694 if (ipt->error)
3695 cancel = true;
3696 ipt->error = 0;
3697 mask = 0;
3698 }
3699 if (mask || ipt->error)
3700 list_del_init(&poll->wait.entry);
3701 else if (cancel)
3702 WRITE_ONCE(poll->canceled, true);
3703 else if (!poll->done) /* actually waiting for an event */
3704 io_poll_req_insert(req);
3705 spin_unlock(&poll->head->lock);
3706 }
3707
3708 return mask;
3709}
3710
3711static bool io_arm_poll_handler(struct io_kiocb *req)
3712{
3713 const struct io_op_def *def = &io_op_defs[req->opcode];
3714 struct io_ring_ctx *ctx = req->ctx;
3715 struct async_poll *apoll;
3716 struct io_poll_table ipt;
3717 __poll_t mask, ret;
3718
3719 if (!req->file || !file_can_poll(req->file))
3720 return false;
3721 if (req->flags & (REQ_F_MUST_PUNT | REQ_F_POLLED))
3722 return false;
3723 if (!def->pollin && !def->pollout)
3724 return false;
3725
3726 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
3727 if (unlikely(!apoll))
3728 return false;
3729
3730 req->flags |= REQ_F_POLLED;
3731 memcpy(&apoll->work, &req->work, sizeof(req->work));
3732
3733 /*
3734 * Don't need a reference here, as we're adding it to the task
3735 * task_works list. If the task exits, the list is pruned.
3736 */
3737 req->task = current;
3738 req->apoll = apoll;
3739 INIT_HLIST_NODE(&req->hash_node);
3740
8755d97a 3741 mask = 0;
d7718a9d 3742 if (def->pollin)
8755d97a 3743 mask |= POLLIN | POLLRDNORM;
d7718a9d
JA		 3744 if (def->pollout)
3745 mask |= POLLOUT | POLLWRNORM;
3746 mask |= POLLERR | POLLPRI;
3747
3748 ipt.pt._qproc = io_async_queue_proc;
3749
3750 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
3751 io_async_wake);
3752 if (ret) {
3753 ipt.error = 0;
3754 apoll->poll.done = true;
3755 spin_unlock_irq(&ctx->completion_lock);
3756 memcpy(&req->work, &apoll->work, sizeof(req->work));
3757 kfree(apoll);
3758 return false;
3759 }
3760 spin_unlock_irq(&ctx->completion_lock);
3761 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
3762 apoll->poll.events);
3763 return true;
3764}
3765
3766static bool __io_poll_remove_one(struct io_kiocb *req,
3767 struct io_poll_iocb *poll)
221c5eb2 3768{
b41e9852 3769 bool do_complete = false;
221c5eb2
JA		 3770
3771 spin_lock(&poll->head->lock);
3772 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 3773 if (!list_empty(&poll->wait.entry)) {
3774 list_del_init(&poll->wait.entry);
b41e9852 3775 do_complete = true;
221c5eb2
JA		 3776 }
3777 spin_unlock(&poll->head->lock);
d7718a9d
JA		 3778 return do_complete;
3779}
3780
3781static bool io_poll_remove_one(struct io_kiocb *req)
3782{
3783 bool do_complete;
3784
3785 if (req->opcode == IORING_OP_POLL_ADD) {
3786 do_complete = __io_poll_remove_one(req, &req->poll);
3787 } else {
3788 /* non-poll requests have submit ref still */
3789 do_complete = __io_poll_remove_one(req, &req->apoll->poll);
3790 if (do_complete)
3791 io_put_req(req);
3792 }
3793
78076bb6 3794 hash_del(&req->hash_node);
d7718a9d 3795
b41e9852
JA		 3796 if (do_complete) {
3797 io_cqring_fill_event(req, -ECANCELED);
3798 io_commit_cqring(req->ctx);
3799 req->flags |= REQ_F_COMP_LOCKED;
3800 io_put_req(req);
3801 }
3802
3803 return do_complete;
221c5eb2
JA		 3804}
3805
3806static void io_poll_remove_all(struct io_ring_ctx *ctx)
3807{
78076bb6 3808 struct hlist_node *tmp;
221c5eb2 3809 struct io_kiocb *req;
78076bb6 3810 int i;
221c5eb2
JA		 3811
3812 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 3813 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3814 struct hlist_head *list;
3815
3816 list = &ctx->cancel_hash[i];
3817 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3818 io_poll_remove_one(req);
221c5eb2
JA		 3819 }
3820 spin_unlock_irq(&ctx->completion_lock);
b41e9852
JA		 3821
3822 io_cqring_ev_posted(ctx);
221c5eb2
JA		 3823}
3824
47f46768
JA		 3825static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3826{
78076bb6 3827 struct hlist_head *list;
47f46768
JA		 3828 struct io_kiocb *req;
3829
78076bb6
JA		 3830 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3831 hlist_for_each_entry(req, list, hash_node) {
b41e9852
JA		 3832 if (sqe_addr != req->user_data)
3833 continue;
3834 if (io_poll_remove_one(req))
eac406c6 3835 return 0;
b41e9852 3836 return -EALREADY;
47f46768
JA		 3837 }
3838
3839 return -ENOENT;
3840}
3841
3529d8c2
JA		 3842static int io_poll_remove_prep(struct io_kiocb *req,
3843 const struct io_uring_sqe *sqe)
0969e783 3844{
0969e783
JA		 3845 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3846 return -EINVAL;
3847 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3848 sqe->poll_events)
3849 return -EINVAL;
3850
3851 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 3852 return 0;
3853}
3854
221c5eb2
JA		 3855/*
3856 * Find a running poll command that matches one specified in sqe->addr,
3857 * and remove it if found.
3858 */
fc4df999 3859static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 3860{
3861 struct io_ring_ctx *ctx = req->ctx;
0969e783 3862 u64 addr;
47f46768 3863 int ret;
221c5eb2 3864
0969e783 3865 addr = req->poll.addr;
221c5eb2 3866 spin_lock_irq(&ctx->completion_lock);
0969e783 3867 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 3868 spin_unlock_irq(&ctx->completion_lock);
3869
78e19bbe 3870 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3871 if (ret < 0)
3872 req_set_fail_links(req);
e65ef56d 3873 io_put_req(req);
221c5eb2
JA		 3874 return 0;
3875}
3876
b0dd8a41 3877static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 3878{
a197f664
JL		 3879 struct io_ring_ctx *ctx = req->ctx;
3880
8c838788 3881 req->poll.done = true;
b0a20349 3882 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
8c838788 3883 io_commit_cqring(ctx);
221c5eb2
JA		 3884}
3885
b41e9852 3886static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
221c5eb2 3887{
221c5eb2 3888 struct io_ring_ctx *ctx = req->ctx;
221c5eb2 3889
221c5eb2 3890 spin_lock_irq(&ctx->completion_lock);
78076bb6 3891 hash_del(&req->hash_node);
b41e9852
JA		 3892 io_poll_complete(req, req->result, 0);
3893 req->flags |= REQ_F_COMP_LOCKED;
3894 io_put_req_find_next(req, nxt);
e94f141b
JA		 3895 spin_unlock_irq(&ctx->completion_lock);
3896
3897 io_cqring_ev_posted(ctx);
e94f141b
JA		 3898}
3899
b41e9852 3900static void io_poll_task_func(struct callback_head *cb)
f0b493e6 3901{
b41e9852
JA		 3902 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
3903 struct io_kiocb *nxt = NULL;
f0b493e6 3904
b41e9852 3905 io_poll_task_handler(req, &nxt);
d7718a9d
JA		 3906 if (nxt) {
3907 struct io_ring_ctx *ctx = nxt->ctx;
3908
3909 mutex_lock(&ctx->uring_lock);
b41e9852 3910 __io_queue_sqe(nxt, NULL);
d7718a9d
JA		 3911 mutex_unlock(&ctx->uring_lock);
3912 }
f0b493e6
JA		 3913}
3914
221c5eb2
JA		 3915static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3916 void *key)
3917{
c2f2eb7d
JA		 3918 struct io_kiocb *req = wait->private;
3919 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3920
d7718a9d 3921 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
221c5eb2
JA		 3922}
3923
221c5eb2
JA		 3924static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3925 struct poll_table_struct *p)
3926{
3927 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3928
d7718a9d 3929 __io_queue_proc(&pt->req->poll, pt, head);
eac406c6
JA		 3930}
3931
3529d8c2 3932static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 3933{
3934 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3935 u16 events;
221c5eb2
JA		 3936
3937 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3938 return -EINVAL;
3939 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3940 return -EINVAL;
09bb8394
JA		 3941 if (!poll->file)
3942 return -EBADF;
221c5eb2 3943
221c5eb2
JA		 3944 events = READ_ONCE(sqe->poll_events);
3945 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
b41e9852 3946
d7718a9d
JA		 3947 /*
3948 * Don't need a reference here, as we're adding it to the task
3949 * task_works list. If the task exits, the list is pruned.
3950 */
b41e9852 3951 req->task = current;
0969e783
JA		 3952 return 0;
3953}
3954
3955static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3956{
3957 struct io_poll_iocb *poll = &req->poll;
3958 struct io_ring_ctx *ctx = req->ctx;
3959 struct io_poll_table ipt;
0969e783 3960 __poll_t mask;
0969e783 3961
78076bb6 3962 INIT_HLIST_NODE(&req->hash_node);
36703247 3963 INIT_LIST_HEAD(&req->list);
d7718a9d 3964 ipt.pt._qproc = io_poll_queue_proc;
36703247 3965
d7718a9d
JA		 3966 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
3967 io_poll_wake);
221c5eb2 3968
8c838788 3969 if (mask) { /* no async, we'd stolen it */
221c5eb2 3970 ipt.error = 0;
b0dd8a41 3971 io_poll_complete(req, mask, 0);
221c5eb2 3972 }
221c5eb2
JA		 3973 spin_unlock_irq(&ctx->completion_lock);
3974
8c838788
JA		 3975 if (mask) {
3976 io_cqring_ev_posted(ctx);
ec9c02ad 3977 io_put_req_find_next(req, nxt);
221c5eb2 3978 }
8c838788 3979 return ipt.error;
221c5eb2
JA		 3980}
3981
5262f567
JA		 3982static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3983{
ad8a48ac
JA		 3984 struct io_timeout_data *data = container_of(timer,
3985 struct io_timeout_data, timer);
3986 struct io_kiocb *req = data->req;
3987 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 3988 unsigned long flags;
3989
5262f567
JA		 3990 atomic_inc(&ctx->cq_timeouts);
3991
3992 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 3993 /*
11365043
JA		 3994 * We could be racing with timeout deletion. If the list is empty,
3995 * then timeout lookup already found it and will be handling it.
ef03681a 3996 */
842f9612 3997 if (!list_empty(&req->list)) {
11365043 3998 struct io_kiocb *prev;
5262f567 3999
11365043
JA		 4000 /*
4001 * Adjust the reqs sequence before the current one because it
d195a66e 4002 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 4003 * pointer will be increased, otherwise other timeout reqs may
4004 * return in advance without waiting for enough wait_nr.
4005 */
4006 prev = req;
4007 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
4008 prev->sequence++;
11365043 4009 list_del_init(&req->list);
11365043 4010 }
5262f567 4011
78e19bbe 4012 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 4013 io_commit_cqring(ctx);
4014 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4015
4016 io_cqring_ev_posted(ctx);
4e88d6e7 4017 req_set_fail_links(req);
5262f567
JA		 4018 io_put_req(req);
4019 return HRTIMER_NORESTART;
4020}
4021
47f46768
JA		 4022static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
4023{
4024 struct io_kiocb *req;
4025 int ret = -ENOENT;
4026
4027 list_for_each_entry(req, &ctx->timeout_list, list) {
4028 if (user_data == req->user_data) {
4029 list_del_init(&req->list);
4030 ret = 0;
4031 break;
4032 }
4033 }
4034
4035 if (ret == -ENOENT)
4036 return ret;
4037
2d28390a 4038 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 4039 if (ret == -1)
4040 return -EALREADY;
4041
4e88d6e7 4042 req_set_fail_links(req);
47f46768
JA		 4043 io_cqring_fill_event(req, -ECANCELED);
4044 io_put_req(req);
4045 return 0;
4046}
4047
3529d8c2
JA		 4048static int io_timeout_remove_prep(struct io_kiocb *req,
4049 const struct io_uring_sqe *sqe)
b29472ee 4050{
b29472ee
JA		 4051 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4052 return -EINVAL;
4053 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
4054 return -EINVAL;
4055
4056 req->timeout.addr = READ_ONCE(sqe->addr);
4057 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
4058 if (req->timeout.flags)
4059 return -EINVAL;
4060
b29472ee
JA		 4061 return 0;
4062}
4063
11365043
JA		 4064/*
4065 * Remove or update an existing timeout command
4066 */
fc4df999 4067static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 4068{
4069 struct io_ring_ctx *ctx = req->ctx;
47f46768 4070 int ret;
11365043 4071
11365043 4072 spin_lock_irq(&ctx->completion_lock);
b29472ee 4073 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 4074
47f46768 4075 io_cqring_fill_event(req, ret);
11365043
JA		 4076 io_commit_cqring(ctx);
4077 spin_unlock_irq(&ctx->completion_lock);
5262f567 4078 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 4079 if (ret < 0)
4080 req_set_fail_links(req);
ec9c02ad 4081 io_put_req(req);
11365043 4082 return 0;
5262f567
JA		 4083}
4084
3529d8c2 4085static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 4086 bool is_timeout_link)
5262f567 4087{
ad8a48ac 4088 struct io_timeout_data *data;
a41525ab 4089 unsigned flags;
5262f567 4090
ad8a48ac 4091 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 4092 return -EINVAL;
ad8a48ac 4093 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 4094 return -EINVAL;
2d28390a
JA		 4095 if (sqe->off && is_timeout_link)
4096 return -EINVAL;
a41525ab
JA		 4097 flags = READ_ONCE(sqe->timeout_flags);
4098 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 4099 return -EINVAL;
bdf20073 4100
26a61679
JA		 4101 req->timeout.count = READ_ONCE(sqe->off);
4102
3529d8c2 4103 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 4104 return -ENOMEM;
4105
4106 data = &req->io->timeout;
ad8a48ac 4107 data->req = req;
ad8a48ac
JA		 4108 req->flags |= REQ_F_TIMEOUT;
4109
4110 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 4111 return -EFAULT;
4112
11365043 4113 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 4114 data->mode = HRTIMER_MODE_ABS;
11365043 4115 else
ad8a48ac 4116 data->mode = HRTIMER_MODE_REL;
11365043 4117
ad8a48ac
JA		 4118 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
4119 return 0;
4120}
4121
fc4df999 4122static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 4123{
4124 unsigned count;
4125 struct io_ring_ctx *ctx = req->ctx;
4126 struct io_timeout_data *data;
4127 struct list_head *entry;
4128 unsigned span = 0;
ad8a48ac 4129
2d28390a 4130 data = &req->io->timeout;
93bd25bb 4131
5262f567
JA		 4132 /*
4133 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 4134 * timeout event to be satisfied. If it isn't set, then this is
4135 * a pure timeout request, sequence isn't used.
5262f567 4136 */
26a61679 4137 count = req->timeout.count;
93bd25bb
JA		 4138 if (!count) {
4139 req->flags |= REQ_F_TIMEOUT_NOSEQ;
4140 spin_lock_irq(&ctx->completion_lock);
4141 entry = ctx->timeout_list.prev;
4142 goto add;
4143 }
5262f567
JA		 4144
4145 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 4146 data->seq_offset = count;
5262f567
JA		 4147
4148 /*
4149 * Insertion sort, ensuring the first entry in the list is always
4150 * the one we need first.
4151 */
5262f567
JA		 4152 spin_lock_irq(&ctx->completion_lock);
4153 list_for_each_prev(entry, &ctx->timeout_list) {
4154 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 4155 unsigned nxt_sq_head;
4156 long long tmp, tmp_nxt;
2d28390a 4157 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 4158
93bd25bb
JA		 4159 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
4160 continue;
4161
5da0fb1a 4162 /*
4163 * Since cached_sq_head + count - 1 can overflow, use type long
4164 * long to store it.
4165 */
4166 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 4167 nxt_sq_head = nxt->sequence - nxt_offset + 1;
4168 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 4169
4170 /*
4171 * cached_sq_head may overflow, and it will never overflow twice
4172 * once there is some timeout req still be valid.
4173 */
4174 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 4175 tmp += UINT_MAX;
5da0fb1a 4176
a1f58ba4 4177 if (tmp > tmp_nxt)
5262f567 4178 break;
a1f58ba4 4179
4180 /*
4181 * Sequence of reqs after the insert one and itself should
4182 * be adjusted because each timeout req consumes a slot.
4183 */
4184 span++;
4185 nxt->sequence++;
5262f567 4186 }
a1f58ba4 4187 req->sequence -= span;
93bd25bb 4188add:
5262f567 4189 list_add(&req->list, entry);
ad8a48ac
JA		 4190 data->timer.function = io_timeout_fn;
4191 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 4192 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 4193 return 0;
4194}
5262f567 4195
62755e35
JA		 4196static bool io_cancel_cb(struct io_wq_work *work, void *data)
4197{
4198 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4199
4200 return req->user_data == (unsigned long) data;
4201}
4202
e977d6d3 4203static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 4204{
62755e35 4205 enum io_wq_cancel cancel_ret;
62755e35
JA		 4206 int ret = 0;
4207
62755e35
JA		 4208 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
4209 switch (cancel_ret) {
4210 case IO_WQ_CANCEL_OK:
4211 ret = 0;
4212 break;
4213 case IO_WQ_CANCEL_RUNNING:
4214 ret = -EALREADY;
4215 break;
4216 case IO_WQ_CANCEL_NOTFOUND:
4217 ret = -ENOENT;
4218 break;
4219 }
4220
e977d6d3
JA		 4221 return ret;
4222}
4223
47f46768
JA		 4224static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
4225 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 4226 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 4227{
4228 unsigned long flags;
4229 int ret;
4230
4231 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
4232 if (ret != -ENOENT) {
4233 spin_lock_irqsave(&ctx->completion_lock, flags);
4234 goto done;
4235 }
4236
4237 spin_lock_irqsave(&ctx->completion_lock, flags);
4238 ret = io_timeout_cancel(ctx, sqe_addr);
4239 if (ret != -ENOENT)
4240 goto done;
4241 ret = io_poll_cancel(ctx, sqe_addr);
4242done:
b0dd8a41
JA		 4243 if (!ret)
4244 ret = success_ret;
47f46768
JA		 4245 io_cqring_fill_event(req, ret);
4246 io_commit_cqring(ctx);
4247 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4248 io_cqring_ev_posted(ctx);
4249
4e88d6e7
JA		 4250 if (ret < 0)
4251 req_set_fail_links(req);
47f46768
JA		 4252 io_put_req_find_next(req, nxt);
4253}
4254
3529d8c2
JA		 4255static int io_async_cancel_prep(struct io_kiocb *req,
4256 const struct io_uring_sqe *sqe)
e977d6d3 4257{
fbf23849 4258 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 4259 return -EINVAL;
4260 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
4261 sqe->cancel_flags)
4262 return -EINVAL;
4263
fbf23849
JA		 4264 req->cancel.addr = READ_ONCE(sqe->addr);
4265 return 0;
4266}
4267
4268static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
4269{
4270 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 4271
4272 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 4273 return 0;
4274}
4275
05f3fb3c
JA		 4276static int io_files_update_prep(struct io_kiocb *req,
4277 const struct io_uring_sqe *sqe)
4278{
4279 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
4280 return -EINVAL;
4281
4282 req->files_update.offset = READ_ONCE(sqe->off);
4283 req->files_update.nr_args = READ_ONCE(sqe->len);
4284 if (!req->files_update.nr_args)
4285 return -EINVAL;
4286 req->files_update.arg = READ_ONCE(sqe->addr);
4287 return 0;
4288}
4289
4290static int io_files_update(struct io_kiocb *req, bool force_nonblock)
fbf23849
JA		 4291{
4292 struct io_ring_ctx *ctx = req->ctx;
05f3fb3c
JA		 4293 struct io_uring_files_update up;
4294 int ret;
fbf23849 4295
f86cd20c 4296 if (force_nonblock)
05f3fb3c 4297 return -EAGAIN;
05f3fb3c
JA		 4298
4299 up.offset = req->files_update.offset;
4300 up.fds = req->files_update.arg;
4301
4302 mutex_lock(&ctx->uring_lock);
4303 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
4304 mutex_unlock(&ctx->uring_lock);
4305
4306 if (ret < 0)
4307 req_set_fail_links(req);
4308 io_cqring_add_event(req, ret);
4309 io_put_req(req);
5262f567
JA		 4310 return 0;
4311}
4312
3529d8c2
JA		 4313static int io_req_defer_prep(struct io_kiocb *req,
4314 const struct io_uring_sqe *sqe)
f67676d1 4315{
e781573e 4316 ssize_t ret = 0;
f67676d1 4317
f86cd20c
JA		 4318 if (io_op_defs[req->opcode].file_table) {
4319 ret = io_grab_files(req);
4320 if (unlikely(ret))
4321 return ret;
4322 }
4323
cccf0ee8
JA		 4324 io_req_work_grab_env(req, &io_op_defs[req->opcode]);
4325
d625c6ee 4326 switch (req->opcode) {
e781573e
JA		 4327 case IORING_OP_NOP:
4328 break;
f67676d1
JA		 4329 case IORING_OP_READV:
4330 case IORING_OP_READ_FIXED:
3a6820f2 4331 case IORING_OP_READ:
3529d8c2 4332 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 4333 break;
4334 case IORING_OP_WRITEV:
4335 case IORING_OP_WRITE_FIXED:
3a6820f2 4336 case IORING_OP_WRITE:
3529d8c2 4337 ret = io_write_prep(req, sqe, true);
f67676d1 4338 break;
0969e783 4339 case IORING_OP_POLL_ADD:
3529d8c2 4340 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 4341 break;
4342 case IORING_OP_POLL_REMOVE:
3529d8c2 4343 ret = io_poll_remove_prep(req, sqe);
0969e783 4344 break;
8ed8d3c3 4345 case IORING_OP_FSYNC:
3529d8c2 4346 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 4347 break;
4348 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 4349 ret = io_prep_sfr(req, sqe);
8ed8d3c3 4350 break;
03b1230c 4351 case IORING_OP_SENDMSG:
fddaface 4352 case IORING_OP_SEND:
3529d8c2 4353 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 4354 break;
4355 case IORING_OP_RECVMSG:
fddaface 4356 case IORING_OP_RECV:
3529d8c2 4357 ret = io_recvmsg_prep(req, sqe);
03b1230c 4358 break;
f499a021 4359 case IORING_OP_CONNECT:
3529d8c2 4360 ret = io_connect_prep(req, sqe);
f499a021 4361 break;
2d28390a 4362 case IORING_OP_TIMEOUT:
3529d8c2 4363 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 4364 break;
b29472ee 4365 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 4366 ret = io_timeout_remove_prep(req, sqe);
b29472ee 4367 break;
fbf23849 4368 case IORING_OP_ASYNC_CANCEL:
3529d8c2 4369 ret = io_async_cancel_prep(req, sqe);
fbf23849 4370 break;
2d28390a 4371 case IORING_OP_LINK_TIMEOUT:
3529d8c2 4372 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 4373 break;
8ed8d3c3 4374 case IORING_OP_ACCEPT:
3529d8c2 4375 ret = io_accept_prep(req, sqe);
8ed8d3c3 4376 break;
d63d1b5e
JA		 4377 case IORING_OP_FALLOCATE:
4378 ret = io_fallocate_prep(req, sqe);
4379 break;
15b71abe
JA		 4380 case IORING_OP_OPENAT:
4381 ret = io_openat_prep(req, sqe);
4382 break;
b5dba59e
JA		 4383 case IORING_OP_CLOSE:
4384 ret = io_close_prep(req, sqe);
4385 break;
05f3fb3c
JA		 4386 case IORING_OP_FILES_UPDATE:
4387 ret = io_files_update_prep(req, sqe);
4388 break;
eddc7ef5
JA		 4389 case IORING_OP_STATX:
4390 ret = io_statx_prep(req, sqe);
4391 break;
4840e418
JA		 4392 case IORING_OP_FADVISE:
4393 ret = io_fadvise_prep(req, sqe);
4394 break;
c1ca757b
JA		 4395 case IORING_OP_MADVISE:
4396 ret = io_madvise_prep(req, sqe);
4397 break;
cebdb986
JA		 4398 case IORING_OP_OPENAT2:
4399 ret = io_openat2_prep(req, sqe);
4400 break;
3e4827b0
JA		 4401 case IORING_OP_EPOLL_CTL:
4402 ret = io_epoll_ctl_prep(req, sqe);
4403 break;
7d67af2c
PB		 4404 case IORING_OP_SPLICE:
4405 ret = io_splice_prep(req, sqe);
4406 break;
f67676d1 4407 default:
e781573e
JA		 4408 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
4409 req->opcode);
4410 ret = -EINVAL;
b7bb4f7d 4411 break;
f67676d1
JA		 4412 }
4413
b7bb4f7d 4414 return ret;
f67676d1
JA		 4415}
4416
3529d8c2 4417static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 4418{
a197f664 4419 struct io_ring_ctx *ctx = req->ctx;
f67676d1 4420 int ret;
de0617e4 4421
9d858b21
BL		 4422 /* Still need defer if there is pending req in defer list. */
4423 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 4424 return 0;
4425
3529d8c2 4426 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 4427 return -EAGAIN;
4428
3529d8c2 4429 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 4430 if (ret < 0)
2d28390a 4431 return ret;
2d28390a 4432
de0617e4 4433 spin_lock_irq(&ctx->completion_lock);
9d858b21 4434 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 4435 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 4436 return 0;
4437 }
4438
915967f6 4439 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 4440 list_add_tail(&req->list, &ctx->defer_list);
4441 spin_unlock_irq(&ctx->completion_lock);
4442 return -EIOCBQUEUED;
4443}
4444
99bc4c38
PB		 4445static void io_cleanup_req(struct io_kiocb *req)
4446{
4447 struct io_async_ctx *io = req->io;
4448
4449 switch (req->opcode) {
4450 case IORING_OP_READV:
4451 case IORING_OP_READ_FIXED:
4452 case IORING_OP_READ:
4453 case IORING_OP_WRITEV:
4454 case IORING_OP_WRITE_FIXED:
4455 case IORING_OP_WRITE:
4456 if (io->rw.iov != io->rw.fast_iov)
4457 kfree(io->rw.iov);
4458 break;
4459 case IORING_OP_SENDMSG:
4460 case IORING_OP_RECVMSG:
4461 if (io->msg.iov != io->msg.fast_iov)
4462 kfree(io->msg.iov);
4463 break;
8fef80bf
PB		 4464 case IORING_OP_OPENAT:
4465 case IORING_OP_OPENAT2:
4466 case IORING_OP_STATX:
4467 putname(req->open.filename);
4468 break;
7d67af2c
PB		 4469 case IORING_OP_SPLICE:
4470 io_put_file(req, req->splice.file_in,
4471 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
4472 break;
99bc4c38
PB		 4473 }
4474
4475 req->flags &= ~REQ_F_NEED_CLEANUP;
4476}
4477
3529d8c2
JA		 4478static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4479 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 4480{
a197f664 4481 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 4482 int ret;
2b188cc1 4483
d625c6ee 4484 switch (req->opcode) {
2b188cc1 4485 case IORING_OP_NOP:
78e19bbe 4486 ret = io_nop(req);
2b188cc1
JA		 4487 break;
4488 case IORING_OP_READV:
edafccee 4489 case IORING_OP_READ_FIXED:
3a6820f2 4490 case IORING_OP_READ:
3529d8c2
JA		 4491 if (sqe) {
4492 ret = io_read_prep(req, sqe, force_nonblock);
4493 if (ret < 0)
4494 break;
4495 }
267bc904 4496 ret = io_read(req, nxt, force_nonblock);
edafccee 4497 break;
3529d8c2 4498 case IORING_OP_WRITEV:
edafccee 4499 case IORING_OP_WRITE_FIXED:
3a6820f2 4500 case IORING_OP_WRITE:
3529d8c2
JA		 4501 if (sqe) {
4502 ret = io_write_prep(req, sqe, force_nonblock);
4503 if (ret < 0)
4504 break;
4505 }
267bc904 4506 ret = io_write(req, nxt, force_nonblock);
2b188cc1 4507 break;
c992fe29 4508 case IORING_OP_FSYNC:
3529d8c2
JA		 4509 if (sqe) {
4510 ret = io_prep_fsync(req, sqe);
4511 if (ret < 0)
4512 break;
4513 }
fc4df999 4514 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 4515 break;
221c5eb2 4516 case IORING_OP_POLL_ADD:
3529d8c2
JA		 4517 if (sqe) {
4518 ret = io_poll_add_prep(req, sqe);
4519 if (ret)
4520 break;
4521 }
fc4df999 4522 ret = io_poll_add(req, nxt);
221c5eb2
JA		 4523 break;
4524 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 4525 if (sqe) {
4526 ret = io_poll_remove_prep(req, sqe);
4527 if (ret < 0)
4528 break;
4529 }
fc4df999 4530 ret = io_poll_remove(req);
221c5eb2 4531 break;
5d17b4a4 4532 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 4533 if (sqe) {
4534 ret = io_prep_sfr(req, sqe);
4535 if (ret < 0)
4536 break;
4537 }
fc4df999 4538 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 4539 break;
0fa03c62 4540 case IORING_OP_SENDMSG:
fddaface 4541 case IORING_OP_SEND:
3529d8c2
JA		 4542 if (sqe) {
4543 ret = io_sendmsg_prep(req, sqe);
4544 if (ret < 0)
4545 break;
4546 }
fddaface
JA		 4547 if (req->opcode == IORING_OP_SENDMSG)
4548 ret = io_sendmsg(req, nxt, force_nonblock);
4549 else
4550 ret = io_send(req, nxt, force_nonblock);
0fa03c62 4551 break;
aa1fa28f 4552 case IORING_OP_RECVMSG:
fddaface 4553 case IORING_OP_RECV:
3529d8c2
JA		 4554 if (sqe) {
4555 ret = io_recvmsg_prep(req, sqe);
4556 if (ret)
4557 break;
4558 }
fddaface
JA		 4559 if (req->opcode == IORING_OP_RECVMSG)
4560 ret = io_recvmsg(req, nxt, force_nonblock);
4561 else
4562 ret = io_recv(req, nxt, force_nonblock);
aa1fa28f 4563 break;
5262f567 4564 case IORING_OP_TIMEOUT:
3529d8c2
JA		 4565 if (sqe) {
4566 ret = io_timeout_prep(req, sqe, false);
4567 if (ret)
4568 break;
4569 }
fc4df999 4570 ret = io_timeout(req);
5262f567 4571 break;
11365043 4572 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 4573 if (sqe) {
4574 ret = io_timeout_remove_prep(req, sqe);
4575 if (ret)
4576 break;
4577 }
fc4df999 4578 ret = io_timeout_remove(req);
11365043 4579 break;
17f2fe35 4580 case IORING_OP_ACCEPT:
3529d8c2
JA		 4581 if (sqe) {
4582 ret = io_accept_prep(req, sqe);
4583 if (ret)
4584 break;
4585 }
fc4df999 4586 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 4587 break;
f8e85cf2 4588 case IORING_OP_CONNECT:
3529d8c2
JA		 4589 if (sqe) {
4590 ret = io_connect_prep(req, sqe);
4591 if (ret)
4592 break;
4593 }
fc4df999 4594 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 4595 break;
62755e35 4596 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 4597 if (sqe) {
4598 ret = io_async_cancel_prep(req, sqe);
4599 if (ret)
4600 break;
4601 }
fc4df999 4602 ret = io_async_cancel(req, nxt);
62755e35 4603 break;
d63d1b5e
JA		 4604 case IORING_OP_FALLOCATE:
4605 if (sqe) {
4606 ret = io_fallocate_prep(req, sqe);
4607 if (ret)
4608 break;
4609 }
4610 ret = io_fallocate(req, nxt, force_nonblock);
4611 break;
15b71abe
JA		 4612 case IORING_OP_OPENAT:
4613 if (sqe) {
4614 ret = io_openat_prep(req, sqe);
4615 if (ret)
4616 break;
4617 }
4618 ret = io_openat(req, nxt, force_nonblock);
4619 break;
b5dba59e
JA		 4620 case IORING_OP_CLOSE:
4621 if (sqe) {
4622 ret = io_close_prep(req, sqe);
4623 if (ret)
4624 break;
4625 }
4626 ret = io_close(req, nxt, force_nonblock);
4627 break;
05f3fb3c
JA		 4628 case IORING_OP_FILES_UPDATE:
4629 if (sqe) {
4630 ret = io_files_update_prep(req, sqe);
4631 if (ret)
4632 break;
4633 }
4634 ret = io_files_update(req, force_nonblock);
4635 break;
eddc7ef5
JA		 4636 case IORING_OP_STATX:
4637 if (sqe) {
4638 ret = io_statx_prep(req, sqe);
4639 if (ret)
4640 break;
4641 }
4642 ret = io_statx(req, nxt, force_nonblock);
4643 break;
4840e418
JA		 4644 case IORING_OP_FADVISE:
4645 if (sqe) {
4646 ret = io_fadvise_prep(req, sqe);
4647 if (ret)
4648 break;
4649 }
4650 ret = io_fadvise(req, nxt, force_nonblock);
4651 break;
c1ca757b
JA		 4652 case IORING_OP_MADVISE:
4653 if (sqe) {
4654 ret = io_madvise_prep(req, sqe);
4655 if (ret)
4656 break;
4657 }
4658 ret = io_madvise(req, nxt, force_nonblock);
4659 break;
cebdb986
JA		 4660 case IORING_OP_OPENAT2:
4661 if (sqe) {
4662 ret = io_openat2_prep(req, sqe);
4663 if (ret)
4664 break;
4665 }
4666 ret = io_openat2(req, nxt, force_nonblock);
4667 break;
3e4827b0
JA		 4668 case IORING_OP_EPOLL_CTL:
4669 if (sqe) {
4670 ret = io_epoll_ctl_prep(req, sqe);
4671 if (ret)
4672 break;
4673 }
4674 ret = io_epoll_ctl(req, nxt, force_nonblock);
4675 break;
7d67af2c
PB		 4676 case IORING_OP_SPLICE:
4677 if (sqe) {
4678 ret = io_splice_prep(req, sqe);
4679 if (ret < 0)
4680 break;
4681 }
4682 ret = io_splice(req, nxt, force_nonblock);
4683 break;
2b188cc1
JA		 4684 default:
4685 ret = -EINVAL;
4686 break;
4687 }
4688
def596e9
JA		 4689 if (ret)
4690 return ret;
4691
4692 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 4693 const bool in_async = io_wq_current_is_worker();
4694
9e645e11 4695 if (req->result == -EAGAIN)
def596e9
JA		 4696 return -EAGAIN;
4697
11ba820b
JA		 4698 /* workqueue context doesn't hold uring_lock, grab it now */
4699 if (in_async)
4700 mutex_lock(&ctx->uring_lock);
4701
def596e9 4702 io_iopoll_req_issued(req);
11ba820b
JA		 4703
4704 if (in_async)
4705 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 4706 }
4707
4708 return 0;
2b188cc1
JA		 4709}
4710
561fb04a 4711static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 4712{
561fb04a 4713 struct io_wq_work *work = *workptr;
2b188cc1 4714 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 4715 struct io_kiocb *nxt = NULL;
4716 int ret = 0;
2b188cc1 4717
0c9d5ccd
JA		 4718 /* if NO_CANCEL is set, we must still run the work */
4719 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4720 IO_WQ_WORK_CANCEL) {
561fb04a 4721 ret = -ECANCELED;
0c9d5ccd 4722 }
31b51510 4723
561fb04a 4724 if (!ret) {
561fb04a 4725 do {
3529d8c2 4726 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 4727 /*
4728 * We can get EAGAIN for polled IO even though we're
4729 * forcing a sync submission from here, since we can't
4730 * wait for request slots on the block side.
4731 */
4732 if (ret != -EAGAIN)
4733 break;
4734 cond_resched();
4735 } while (1);
4736 }
31b51510 4737
561fb04a 4738 /* drop submission reference */
ec9c02ad 4739 io_put_req(req);
817869d2 4740
561fb04a 4741 if (ret) {
4e88d6e7 4742 req_set_fail_links(req);
78e19bbe 4743 io_cqring_add_event(req, ret);
817869d2 4744 io_put_req(req);
edafccee 4745 }
2b188cc1 4746
561fb04a 4747 /* if a dependent link is ready, pass it back */
78912934
JA		 4748 if (!ret && nxt)
4749 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 4750}
4751
15b71abe 4752static int io_req_needs_file(struct io_kiocb *req, int fd)
9e3aa61a 4753{
d3656344 4754 if (!io_op_defs[req->opcode].needs_file)
9e3aa61a 4755 return 0;
0b5faf6b 4756 if ((fd == -1 || fd == AT_FDCWD) && io_op_defs[req->opcode].fd_non_neg)
d3656344
JA		 4757 return 0;
4758 return 1;
09bb8394
JA		 4759}
4760
65e19f54
JA		 4761static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4762 int index)
4763{
4764 struct fixed_file_table *table;
4765
05f3fb3c
JA		 4766 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4767 return table->files[index & IORING_FILE_TABLE_MASK];;
65e19f54
JA		 4768}
4769
8da11c19
PB		 4770static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
4771 int fd, struct file **out_file, bool fixed)
09bb8394 4772{
a197f664 4773 struct io_ring_ctx *ctx = req->ctx;
8da11c19 4774 struct file *file;
09bb8394 4775
8da11c19 4776 if (fixed) {
05f3fb3c 4777 if (unlikely(!ctx->file_data ||
09bb8394
JA		 4778 (unsigned) fd >= ctx->nr_user_files))
4779 return -EBADF;
b7620121 4780 fd = array_index_nospec(fd, ctx->nr_user_files);
8da11c19
PB		 4781 file = io_file_from_index(ctx, fd);
4782 if (!file)
08a45173 4783 return -EBADF;
05f3fb3c 4784 percpu_ref_get(&ctx->file_data->refs);
09bb8394 4785 } else {
c826bd7a 4786 trace_io_uring_file_get(ctx, fd);
8da11c19
PB		 4787 file = __io_file_get(state, fd);
4788 if (unlikely(!file))
09bb8394
JA		 4789 return -EBADF;
4790 }
4791
8da11c19 4792 *out_file = file;
09bb8394
JA		 4793 return 0;
4794}
4795
8da11c19
PB		 4796static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4797 const struct io_uring_sqe *sqe)
4798{
4799 unsigned flags;
4800 int fd;
4801 bool fixed;
4802
4803 flags = READ_ONCE(sqe->flags);
4804 fd = READ_ONCE(sqe->fd);
4805
4806 if (!io_req_needs_file(req, fd))
4807 return 0;
4808
4809 fixed = (flags & IOSQE_FIXED_FILE);
4810 if (unlikely(!fixed && req->needs_fixed_file))
4811 return -EBADF;
4812
4813 return io_file_get(state, req, fd, &req->file, fixed);
4814}
4815
a197f664 4816static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 4817{
4818 int ret = -EBADF;
a197f664 4819 struct io_ring_ctx *ctx = req->ctx;
fcb323cc 4820
f86cd20c
JA		 4821 if (req->work.files)
4822 return 0;
b14cca0c 4823 if (!ctx->ring_file)
b5dba59e
JA		 4824 return -EBADF;
4825
fcb323cc
JA		 4826 rcu_read_lock();
4827 spin_lock_irq(&ctx->inflight_lock);
4828 /*
4829 * We use the f_ops->flush() handler to ensure that we can flush
4830 * out work accessing these files if the fd is closed. Check if
4831 * the fd has changed since we started down this path, and disallow
4832 * this operation if it has.
4833 */
b14cca0c 4834 if (fcheck(ctx->ring_fd) == ctx->ring_file) {
fcb323cc
JA		 4835 list_add(&req->inflight_entry, &ctx->inflight_list);
4836 req->flags |= REQ_F_INFLIGHT;
4837 req->work.files = current->files;
4838 ret = 0;
4839 }
4840 spin_unlock_irq(&ctx->inflight_lock);
4841 rcu_read_unlock();
4842
4843 return ret;
4844}
4845
2665abfd 4846static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 4847{
ad8a48ac
JA		 4848 struct io_timeout_data *data = container_of(timer,
4849 struct io_timeout_data, timer);
4850 struct io_kiocb *req = data->req;
2665abfd
JA		 4851 struct io_ring_ctx *ctx = req->ctx;
4852 struct io_kiocb *prev = NULL;
4853 unsigned long flags;
2665abfd
JA		 4854
4855 spin_lock_irqsave(&ctx->completion_lock, flags);
4856
4857 /*
4858 * We don't expect the list to be empty, that will only happen if we
4859 * race with the completion of the linked work.
4860 */
4493233e
PB		 4861 if (!list_empty(&req->link_list)) {
4862 prev = list_entry(req->link_list.prev, struct io_kiocb,
4863 link_list);
5d960724 4864 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 4865 list_del_init(&req->link_list);
5d960724
JA		 4866 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4867 } else
76a46e06 4868 prev = NULL;
2665abfd
JA		 4869 }
4870
4871 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4872
4873 if (prev) {
4e88d6e7 4874 req_set_fail_links(prev);
b0dd8a41
JA		 4875 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4876 -ETIME);
76a46e06 4877 io_put_req(prev);
47f46768
JA		 4878 } else {
4879 io_cqring_add_event(req, -ETIME);
4880 io_put_req(req);
2665abfd 4881 }
2665abfd
JA		 4882 return HRTIMER_NORESTART;
4883}
4884
ad8a48ac 4885static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 4886{
76a46e06 4887 struct io_ring_ctx *ctx = req->ctx;
2665abfd 4888
76a46e06
JA		 4889 /*
4890 * If the list is now empty, then our linked request finished before
4891 * we got a chance to setup the timer
4892 */
4893 spin_lock_irq(&ctx->completion_lock);
4493233e 4894 if (!list_empty(&req->link_list)) {
2d28390a 4895 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 4896
ad8a48ac
JA		 4897 data->timer.function = io_link_timeout_fn;
4898 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4899 data->mode);
2665abfd 4900 }
76a46e06 4901 spin_unlock_irq(&ctx->completion_lock);
2665abfd 4902
2665abfd 4903 /* drop submission reference */
76a46e06
JA		 4904 io_put_req(req);
4905}
2665abfd 4906
ad8a48ac 4907static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 4908{
4909 struct io_kiocb *nxt;
4910
4911 if (!(req->flags & REQ_F_LINK))
4912 return NULL;
d7718a9d
JA		 4913 /* for polled retry, if flag is set, we already went through here */
4914 if (req->flags & REQ_F_POLLED)
4915 return NULL;
2665abfd 4916
4493233e
PB		 4917 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4918 link_list);
d625c6ee 4919 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 4920 return NULL;
2665abfd 4921
76a46e06 4922 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 4923 return nxt;
2665abfd
JA		 4924}
4925
3529d8c2 4926static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 4927{
4a0a7a18 4928 struct io_kiocb *linked_timeout;
4bc4494e 4929 struct io_kiocb *nxt;
193155c8 4930 const struct cred *old_creds = NULL;
e0c5c576 4931 int ret;
2b188cc1 4932
4a0a7a18
JA		 4933again:
4934 linked_timeout = io_prep_linked_timeout(req);
4935
193155c8
JA		 4936 if (req->work.creds && req->work.creds != current_cred()) {
4937 if (old_creds)
4938 revert_creds(old_creds);
4939 if (old_creds == req->work.creds)
4940 old_creds = NULL; /* restored original creds */
4941 else
4942 old_creds = override_creds(req->work.creds);
4943 }
4944
3529d8c2 4945 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 4946
4947 /*
4948 * We async punt it if the file wasn't marked NOWAIT, or if the file
4949 * doesn't support non-blocking read/write attempts
4950 */
4951 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4952 (req->flags & REQ_F_MUST_PUNT))) {
d7718a9d
JA		 4953 if (io_arm_poll_handler(req)) {
4954 if (linked_timeout)
4955 io_queue_linked_timeout(linked_timeout);
4bc4494e 4956 goto exit;
d7718a9d 4957 }
86a761f8 4958punt:
f86cd20c 4959 if (io_op_defs[req->opcode].file_table) {
bbad27b2
PB		 4960 ret = io_grab_files(req);
4961 if (ret)
4962 goto err;
2b188cc1 4963 }
bbad27b2
PB		 4964
4965 /*
4966 * Queued up for async execution, worker will release
4967 * submit reference when the iocb is actually submitted.
4968 */
4969 io_queue_async_work(req);
4bc4494e 4970 goto exit;
2b188cc1 4971 }
e65ef56d 4972
fcb323cc 4973err:
4bc4494e 4974 nxt = NULL;
76a46e06 4975 /* drop submission reference */
2a44f467 4976 io_put_req_find_next(req, &nxt);
e65ef56d 4977
f9bd67f6 4978 if (linked_timeout) {
76a46e06 4979 if (!ret)
f9bd67f6 4980 io_queue_linked_timeout(linked_timeout);
76a46e06 4981 else
f9bd67f6 4982 io_put_req(linked_timeout);
76a46e06
JA		 4983 }
4984
e65ef56d 4985 /* and drop final reference, if we failed */
9e645e11 4986 if (ret) {
78e19bbe 4987 io_cqring_add_event(req, ret);
4e88d6e7 4988 req_set_fail_links(req);
e65ef56d 4989 io_put_req(req);
9e645e11 4990 }
4a0a7a18
JA		 4991 if (nxt) {
4992 req = nxt;
86a761f8
PB		 4993
4994 if (req->flags & REQ_F_FORCE_ASYNC)
4995 goto punt;
4a0a7a18
JA		 4996 goto again;
4997 }
4bc4494e 4998exit:
193155c8
JA		 4999 if (old_creds)
5000 revert_creds(old_creds);
2b188cc1
JA		 5001}
5002
3529d8c2 5003static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 5004{
5005 int ret;
5006
3529d8c2 5007 ret = io_req_defer(req, sqe);
4fe2c963
JL		 5008 if (ret) {
5009 if (ret != -EIOCBQUEUED) {
1118591a 5010fail_req:
78e19bbe 5011 io_cqring_add_event(req, ret);
4e88d6e7 5012 req_set_fail_links(req);
78e19bbe 5013 io_double_put_req(req);
4fe2c963 5014 }
2550878f 5015 } else if (req->flags & REQ_F_FORCE_ASYNC) {
1118591a
PB		 5016 ret = io_req_defer_prep(req, sqe);
5017 if (unlikely(ret < 0))
5018 goto fail_req;
ce35a47a
JA		 5019 /*
5020 * Never try inline submit of IOSQE_ASYNC is set, go straight
5021 * to async execution.
5022 */
5023 req->work.flags |= IO_WQ_WORK_CONCURRENT;
5024 io_queue_async_work(req);
5025 } else {
3529d8c2 5026 __io_queue_sqe(req, sqe);
ce35a47a 5027 }
4fe2c963
JL		 5028}
5029
1b4a51b6 5030static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 5031{
94ae5e77 5032 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 5033 io_cqring_add_event(req, -ECANCELED);
5034 io_double_put_req(req);
5035 } else
3529d8c2 5036 io_queue_sqe(req, NULL);
4fe2c963
JL		 5037}
5038
4e88d6e7 5039#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
ce35a47a 5040 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
9e645e11 5041
3529d8c2
JA		 5042static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5043 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 5044{
a197f664 5045 struct io_ring_ctx *ctx = req->ctx;
32fe525b 5046 unsigned int sqe_flags;
75c6a039 5047 int ret, id;
9e645e11 5048
32fe525b 5049 sqe_flags = READ_ONCE(sqe->flags);
9e645e11
JA		 5050
5051 /* enforce forwards compatibility on users */
32fe525b 5052 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
9e645e11 5053 ret = -EINVAL;
196be95c 5054 goto err_req;
9e645e11
JA		 5055 }
5056
75c6a039
JA		 5057 id = READ_ONCE(sqe->personality);
5058 if (id) {
193155c8
JA		 5059 req->work.creds = idr_find(&ctx->personality_idr, id);
5060 if (unlikely(!req->work.creds)) {
75c6a039
JA		 5061 ret = -EINVAL;
5062 goto err_req;
5063 }
193155c8 5064 get_cred(req->work.creds);
75c6a039
JA		 5065 }
5066
6b47ee6e 5067 /* same numerical values with corresponding REQ_F_*, safe to copy */
8da11c19
PB		 5068 req->flags |= sqe_flags & (IOSQE_IO_DRAIN | IOSQE_IO_HARDLINK |
5069 IOSQE_ASYNC | IOSQE_FIXED_FILE);
9e645e11 5070
3529d8c2 5071 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 5072 if (unlikely(ret)) {
5073err_req:
78e19bbe
JA		 5074 io_cqring_add_event(req, ret);
5075 io_double_put_req(req);
2e6e1fde 5076 return false;
9e645e11
JA		 5077 }
5078
9e645e11
JA		 5079 /*
5080 * If we already have a head request, queue this one for async
5081 * submittal once the head completes. If we don't have a head but
5082 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
5083 * submitted sync once the chain is complete. If none of those
5084 * conditions are true (normal request), then just queue it.
5085 */
5086 if (*link) {
9d76377f 5087 struct io_kiocb *head = *link;
4e88d6e7 5088
8cdf2193
PB		 5089 /*
5090 * Taking sequential execution of a link, draining both sides
5091 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
5092 * requests in the link. So, it drains the head and the
5093 * next after the link request. The last one is done via
5094 * drain_next flag to persist the effect across calls.
5095 */
711be031
PB		 5096 if (sqe_flags & IOSQE_IO_DRAIN) {
5097 head->flags |= REQ_F_IO_DRAIN;
5098 ctx->drain_next = 1;
5099 }
b7bb4f7d 5100 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 5101 ret = -EAGAIN;
5102 goto err_req;
5103 }
5104
3529d8c2 5105 ret = io_req_defer_prep(req, sqe);
2d28390a 5106 if (ret) {
4e88d6e7 5107 /* fail even hard links since we don't submit */
9d76377f 5108 head->flags |= REQ_F_FAIL_LINK;
f67676d1 5109 goto err_req;
2d28390a 5110 }
9d76377f
PB		 5111 trace_io_uring_link(ctx, req, head);
5112 list_add_tail(&req->link_list, &head->link_list);
32fe525b
PB		 5113
5114 /* last request of a link, enqueue the link */
5115 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
5116 io_queue_link_head(head);
5117 *link = NULL;
5118 }
9e645e11 5119 } else {
711be031
PB		 5120 if (unlikely(ctx->drain_next)) {
5121 req->flags |= REQ_F_IO_DRAIN;
5122 req->ctx->drain_next = 0;
5123 }
5124 if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
5125 req->flags |= REQ_F_LINK;
711be031
PB		 5126 INIT_LIST_HEAD(&req->link_list);
5127 ret = io_req_defer_prep(req, sqe);
5128 if (ret)
5129 req->flags |= REQ_F_FAIL_LINK;
5130 *link = req;
5131 } else {
5132 io_queue_sqe(req, sqe);
5133 }
9e645e11 5134 }
2e6e1fde
PB		 5135
5136 return true;
9e645e11
JA		 5137}
5138
9a56a232
JA		 5139/*
5140 * Batched submission is done, ensure local IO is flushed out.
5141 */
5142static void io_submit_state_end(struct io_submit_state *state)
5143{
5144 blk_finish_plug(&state->plug);
3d6770fb 5145 io_file_put(state);
2579f913 5146 if (state->free_reqs)
6c8a3134 5147 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
9a56a232
JA		 5148}
5149
5150/*
5151 * Start submission side cache.
5152 */
5153static void io_submit_state_start(struct io_submit_state *state,
22efde59 5154 unsigned int max_ios)
9a56a232
JA		 5155{
5156 blk_start_plug(&state->plug);
2579f913 5157 state->free_reqs = 0;
9a56a232
JA		 5158 state->file = NULL;
5159 state->ios_left = max_ios;
5160}
5161
2b188cc1
JA		 5162static void io_commit_sqring(struct io_ring_ctx *ctx)
5163{
75b28aff 5164 struct io_rings *rings = ctx->rings;
2b188cc1 5165
caf582c6
PB		 5166 /*
5167 * Ensure any loads from the SQEs are done at this point,
5168 * since once we write the new head, the application could
5169 * write new data to them.
5170 */
5171 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 5172}
5173
2b188cc1 5174/*
3529d8c2 5175 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 5176 * that is mapped by userspace. This means that care needs to be taken to
5177 * ensure that reads are stable, as we cannot rely on userspace always
5178 * being a good citizen. If members of the sqe are validated and then later
5179 * used, it's important that those reads are done through READ_ONCE() to
5180 * prevent a re-load down the line.
5181 */
3529d8c2
JA		 5182static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
5183 const struct io_uring_sqe **sqe_ptr)
2b188cc1 5184{
75b28aff 5185 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 5186 unsigned head;
5187
5188 /*
5189 * The cached sq head (or cq tail) serves two purposes:
5190 *
5191 * 1) allows us to batch the cost of updating the user visible
5192 * head updates.
5193 * 2) allows the kernel side to track the head on its own, even
5194 * though the application is the one updating it.
5195 */
ee7d46d9 5196 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
9835d6fa 5197 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 5198 /*
5199 * All io need record the previous position, if LINK vs DARIN,
5200 * it can be used to mark the position of the first IO in the
5201 * link list.
5202 */
5203 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 5204 *sqe_ptr = &ctx->sq_sqes[head];
5205 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
5206 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 5207 ctx->cached_sq_head++;
5208 return true;
5209 }
5210
5211 /* drop invalid entries */
5212 ctx->cached_sq_head++;
498ccd9e 5213 ctx->cached_sq_dropped++;
ee7d46d9 5214 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 5215 return false;
5216}
5217
fb5ccc98 5218static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 5219 struct file *ring_file, int ring_fd,
5220 struct mm_struct **mm, bool async)
6c271ce2
JA		 5221{
5222 struct io_submit_state state, *statep = NULL;
9e645e11 5223 struct io_kiocb *link = NULL;
9e645e11 5224 int i, submitted = 0;
95a1b3ff 5225 bool mm_fault = false;
6c271ce2 5226
c4a2ed72 5227 /* if we have a backlog and couldn't flush it all, return BUSY */
ad3eb2c8
JA		 5228 if (test_bit(0, &ctx->sq_check_overflow)) {
5229 if (!list_empty(&ctx->cq_overflow_list) &&
5230 !io_cqring_overflow_flush(ctx, false))
5231 return -EBUSY;
5232 }
6c271ce2 5233
ee7d46d9
PB		 5234 /* make sure SQ entry isn't read before tail */
5235 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
9ef4f124 5236
2b85edfc
PB		 5237 if (!percpu_ref_tryget_many(&ctx->refs, nr))
5238 return -EAGAIN;
6c271ce2
JA		 5239
5240 if (nr > IO_PLUG_THRESHOLD) {
22efde59 5241 io_submit_state_start(&state, nr);
6c271ce2
JA		 5242 statep = &state;
5243 }
5244
b14cca0c
PB		 5245 ctx->ring_fd = ring_fd;
5246 ctx->ring_file = ring_file;
5247
6c271ce2 5248 for (i = 0; i < nr; i++) {
3529d8c2 5249 const struct io_uring_sqe *sqe;
196be95c 5250 struct io_kiocb *req;
1cb1edb2 5251 int err;
fb5ccc98 5252
196be95c
PB		 5253 req = io_get_req(ctx, statep);
5254 if (unlikely(!req)) {
5255 if (!submitted)
5256 submitted = -EAGAIN;
fb5ccc98 5257 break;
196be95c 5258 }
3529d8c2 5259 if (!io_get_sqring(ctx, req, &sqe)) {
2b85edfc 5260 __io_req_do_free(req);
196be95c
PB		 5261 break;
5262 }
fb5ccc98 5263
d3656344
JA		 5264 /* will complete beyond this point, count as submitted */
5265 submitted++;
5266
5267 if (unlikely(req->opcode >= IORING_OP_LAST)) {
1cb1edb2
PB		 5268 err = -EINVAL;
5269fail_req:
5270 io_cqring_add_event(req, err);
d3656344 5271 io_double_put_req(req);
196be95c
PB		 5272 break;
5273 }
fb5ccc98 5274
d3656344 5275 if (io_op_defs[req->opcode].needs_mm && !*mm) {
95a1b3ff 5276 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
1cb1edb2
PB		 5277 if (unlikely(mm_fault)) {
5278 err = -EFAULT;
5279 goto fail_req;
95a1b3ff 5280 }
1cb1edb2
PB		 5281 use_mm(ctx->sqo_mm);
5282 *mm = ctx->sqo_mm;
9e645e11 5283 }
9e645e11 5284
cf6fd4bd 5285 req->needs_fixed_file = async;
354420f7
JA		 5286 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
5287 true, async);
3529d8c2 5288 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 5289 break;
6c271ce2
JA		 5290 }
5291
9466f437
PB		 5292 if (unlikely(submitted != nr)) {
5293 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
5294
5295 percpu_ref_put_many(&ctx->refs, nr - ref_used);
5296 }
9e645e11 5297 if (link)
1b4a51b6 5298 io_queue_link_head(link);
6c271ce2
JA		 5299 if (statep)
5300 io_submit_state_end(&state);
5301
ae9428ca
PB		 5302 /* Commit SQ ring head once we've consumed and submitted all SQEs */
5303 io_commit_sqring(ctx);
5304
6c271ce2
JA		 5305 return submitted;
5306}
5307
5308static int io_sq_thread(void *data)
5309{
6c271ce2
JA		 5310 struct io_ring_ctx *ctx = data;
5311 struct mm_struct *cur_mm = NULL;
181e448d 5312 const struct cred *old_cred;
6c271ce2
JA		 5313 mm_segment_t old_fs;
5314 DEFINE_WAIT(wait);
6c271ce2 5315 unsigned long timeout;
bdcd3eab 5316 int ret = 0;
6c271ce2 5317
206aefde 5318 complete(&ctx->completions[1]);
a4c0b3de 5319
6c271ce2
JA		 5320 old_fs = get_fs();
5321 set_fs(USER_DS);
181e448d 5322 old_cred = override_creds(ctx->creds);
6c271ce2 5323
bdcd3eab 5324 timeout = jiffies + ctx->sq_thread_idle;
2bbcd6d3 5325 while (!kthread_should_park()) {
fb5ccc98 5326 unsigned int to_submit;
6c271ce2 5327
bdcd3eab 5328 if (!list_empty(&ctx->poll_list)) {
6c271ce2
JA		 5329 unsigned nr_events = 0;
5330
bdcd3eab
XW		 5331 mutex_lock(&ctx->uring_lock);
5332 if (!list_empty(&ctx->poll_list))
5333 io_iopoll_getevents(ctx, &nr_events, 0);
5334 else
6c271ce2 5335 timeout = jiffies + ctx->sq_thread_idle;
bdcd3eab 5336 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 5337 }
5338
fb5ccc98 5339 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 5340
5341 /*
5342 * If submit got -EBUSY, flag us as needing the application
5343 * to enter the kernel to reap and flush events.
5344 */
5345 if (!to_submit || ret == -EBUSY) {
7143b5ac
SG		 5346 /*
5347 * Drop cur_mm before scheduling, we can't hold it for
5348 * long periods (or over schedule()). Do this before
5349 * adding ourselves to the waitqueue, as the unuse/drop
5350 * may sleep.
5351 */
5352 if (cur_mm) {
5353 unuse_mm(cur_mm);
5354 mmput(cur_mm);
5355 cur_mm = NULL;
5356 }
5357
6c271ce2
JA		 5358 /*
5359 * We're polling. If we're within the defined idle
5360 * period, then let us spin without work before going
c1edbf5f
JA		 5361 * to sleep. The exception is if we got EBUSY doing
5362 * more IO, we should wait for the application to
5363 * reap events and wake us up.
6c271ce2 5364 */
bdcd3eab 5365 if (!list_empty(&ctx->poll_list) ||
df069d80
JA		 5366 (!time_after(jiffies, timeout) && ret != -EBUSY &&
5367 !percpu_ref_is_dying(&ctx->refs))) {
b41e9852
JA		 5368 if (current->task_works)
5369 task_work_run();
9831a90c 5370 cond_resched();
6c271ce2
JA		 5371 continue;
5372 }
5373
6c271ce2
JA		 5374 prepare_to_wait(&ctx->sqo_wait, &wait,
5375 TASK_INTERRUPTIBLE);
5376
bdcd3eab
XW		 5377 /*
5378 * While doing polled IO, before going to sleep, we need
5379 * to check if there are new reqs added to poll_list, it
5380 * is because reqs may have been punted to io worker and
5381 * will be added to poll_list later, hence check the
5382 * poll_list again.
5383 */
5384 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
5385 !list_empty_careful(&ctx->poll_list)) {
5386 finish_wait(&ctx->sqo_wait, &wait);
5387 continue;
5388 }
5389
6c271ce2 5390 /* Tell userspace we may need a wakeup call */
75b28aff 5391 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 5392 /* make sure to read SQ tail after writing flags */
5393 smp_mb();
6c271ce2 5394
fb5ccc98 5395 to_submit = io_sqring_entries(ctx);
c1edbf5f 5396 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 5397 if (kthread_should_park()) {
6c271ce2
JA		 5398 finish_wait(&ctx->sqo_wait, &wait);
5399 break;
5400 }
b41e9852
JA		 5401 if (current->task_works) {
5402 task_work_run();
5403 continue;
5404 }
6c271ce2
JA		 5405 if (signal_pending(current))
5406 flush_signals(current);
5407 schedule();
5408 finish_wait(&ctx->sqo_wait, &wait);
5409
75b28aff 5410 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 5411 continue;
5412 }
5413 finish_wait(&ctx->sqo_wait, &wait);
5414
75b28aff 5415 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 5416 }
5417
8a4955ff 5418 mutex_lock(&ctx->uring_lock);
1d7bb1d5 5419 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 5420 mutex_unlock(&ctx->uring_lock);
bdcd3eab 5421 timeout = jiffies + ctx->sq_thread_idle;
6c271ce2
JA		 5422 }
5423
b41e9852
JA		 5424 if (current->task_works)
5425 task_work_run();
5426
6c271ce2
JA		 5427 set_fs(old_fs);
5428 if (cur_mm) {
5429 unuse_mm(cur_mm);
5430 mmput(cur_mm);
5431 }
181e448d 5432 revert_creds(old_cred);
06058632 5433
2bbcd6d3 5434 kthread_parkme();
06058632 5435
6c271ce2
JA		 5436 return 0;
5437}
5438
bda52162
JA		 5439struct io_wait_queue {
5440 struct wait_queue_entry wq;
5441 struct io_ring_ctx *ctx;
5442 unsigned to_wait;
5443 unsigned nr_timeouts;
5444};
5445
1d7bb1d5 5446static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 5447{
5448 struct io_ring_ctx *ctx = iowq->ctx;
5449
5450 /*
d195a66e 5451 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 5452 * started waiting. For timeouts, we always want to return to userspace,
5453 * regardless of event count.
5454 */
1d7bb1d5 5455 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 5456 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
5457}
5458
5459static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
5460 int wake_flags, void *key)
5461{
5462 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
5463 wq);
5464
1d7bb1d5
JA		 5465 /* use noflush == true, as we can't safely rely on locking context */
5466 if (!io_should_wake(iowq, true))
bda52162
JA		 5467 return -1;
5468
5469 return autoremove_wake_function(curr, mode, wake_flags, key);
5470}
5471
2b188cc1
JA		 5472/*
5473 * Wait until events become available, if we don't already have some. The
5474 * application must reap them itself, as they reside on the shared cq ring.
5475 */
5476static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
5477 const sigset_t __user *sig, size_t sigsz)
5478{
bda52162
JA		 5479 struct io_wait_queue iowq = {
5480 .wq = {
5481 .private = current,
5482 .func = io_wake_function,
5483 .entry = LIST_HEAD_INIT(iowq.wq.entry),
5484 },
5485 .ctx = ctx,
5486 .to_wait = min_events,
5487 };
75b28aff 5488 struct io_rings *rings = ctx->rings;
e9ffa5c2 5489 int ret = 0;
2b188cc1 5490
b41e9852
JA		 5491 do {
5492 if (io_cqring_events(ctx, false) >= min_events)
5493 return 0;
5494 if (!current->task_works)
5495 break;
5496 task_work_run();
5497 } while (1);
2b188cc1
JA		 5498
5499 if (sig) {
9e75ad5d
AB		 5500#ifdef CONFIG_COMPAT
5501 if (in_compat_syscall())
5502 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 5503 sigsz);
9e75ad5d
AB		 5504 else
5505#endif
b772434b 5506 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 5507
2b188cc1
JA		 5508 if (ret)
5509 return ret;
5510 }
5511
bda52162 5512 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 5513 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 5514 do {
5515 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
5516 TASK_INTERRUPTIBLE);
b41e9852
JA		 5517 if (current->task_works)
5518 task_work_run();
1d7bb1d5 5519 if (io_should_wake(&iowq, false))
bda52162
JA		 5520 break;
5521 schedule();
5522 if (signal_pending(current)) {
e9ffa5c2 5523 ret = -EINTR;
bda52162
JA		 5524 break;
5525 }
5526 } while (1);
5527 finish_wait(&ctx->wait, &iowq.wq);
5528
e9ffa5c2 5529 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 5530
75b28aff 5531 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 5532}
5533
6b06314c
JA		 5534static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
5535{
5536#if defined(CONFIG_UNIX)
5537 if (ctx->ring_sock) {
5538 struct sock *sock = ctx->ring_sock->sk;
5539 struct sk_buff *skb;
5540
5541 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
5542 kfree_skb(skb);
5543 }
5544#else
5545 int i;
5546
65e19f54
JA		 5547 for (i = 0; i < ctx->nr_user_files; i++) {
5548 struct file *file;
5549
5550 file = io_file_from_index(ctx, i);
5551 if (file)
5552 fput(file);
5553 }
6b06314c
JA		 5554#endif
5555}
5556
05f3fb3c
JA		 5557static void io_file_ref_kill(struct percpu_ref *ref)
5558{
5559 struct fixed_file_data *data;
5560
5561 data = container_of(ref, struct fixed_file_data, refs);
5562 complete(&data->done);
5563}
5564
6b06314c
JA		 5565static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
5566{
05f3fb3c 5567 struct fixed_file_data *data = ctx->file_data;
65e19f54
JA		 5568 unsigned nr_tables, i;
5569
05f3fb3c 5570 if (!data)
6b06314c
JA		 5571 return -ENXIO;
5572
05f3fb3c 5573 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
e46a7950 5574 flush_work(&data->ref_work);
2faf852d
JA		 5575 wait_for_completion(&data->done);
5576 io_ring_file_ref_flush(data);
05f3fb3c
JA		 5577 percpu_ref_exit(&data->refs);
5578
6b06314c 5579 __io_sqe_files_unregister(ctx);
65e19f54
JA		 5580 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
5581 for (i = 0; i < nr_tables; i++)
05f3fb3c
JA		 5582 kfree(data->table[i].files);
5583 kfree(data->table);
5584 kfree(data);
5585 ctx->file_data = NULL;
6b06314c
JA		 5586 ctx->nr_user_files = 0;
5587 return 0;
5588}
5589
6c271ce2
JA		 5590static void io_sq_thread_stop(struct io_ring_ctx *ctx)
5591{
5592 if (ctx->sqo_thread) {
206aefde 5593 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 5594 /*
5595 * The park is a bit of a work-around, without it we get
5596 * warning spews on shutdown with SQPOLL set and affinity
5597 * set to a single CPU.
5598 */
06058632 5599 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 5600 kthread_stop(ctx->sqo_thread);
5601 ctx->sqo_thread = NULL;
5602 }
5603}
5604
6b06314c
JA		 5605static void io_finish_async(struct io_ring_ctx *ctx)
5606{
6c271ce2
JA		 5607 io_sq_thread_stop(ctx);
5608
561fb04a
JA		 5609 if (ctx->io_wq) {
5610 io_wq_destroy(ctx->io_wq);
5611 ctx->io_wq = NULL;
6b06314c
JA		 5612 }
5613}
5614
5615#if defined(CONFIG_UNIX)
6b06314c
JA		 5616/*
5617 * Ensure the UNIX gc is aware of our file set, so we are certain that
5618 * the io_uring can be safely unregistered on process exit, even if we have
5619 * loops in the file referencing.
5620 */
5621static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
5622{
5623 struct sock *sk = ctx->ring_sock->sk;
5624 struct scm_fp_list *fpl;
5625 struct sk_buff *skb;
08a45173 5626 int i, nr_files;
6b06314c
JA		 5627
5628 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
5629 unsigned long inflight = ctx->user->unix_inflight + nr;
5630
5631 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
5632 return -EMFILE;
5633 }
5634
5635 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
5636 if (!fpl)
5637 return -ENOMEM;
5638
5639 skb = alloc_skb(0, GFP_KERNEL);
5640 if (!skb) {
5641 kfree(fpl);
5642 return -ENOMEM;
5643 }
5644
5645 skb->sk = sk;
6b06314c 5646
08a45173 5647 nr_files = 0;
6b06314c
JA		 5648 fpl->user = get_uid(ctx->user);
5649 for (i = 0; i < nr; i++) {
65e19f54
JA		 5650 struct file *file = io_file_from_index(ctx, i + offset);
5651
5652 if (!file)
08a45173 5653 continue;
65e19f54 5654 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 5655 unix_inflight(fpl->user, fpl->fp[nr_files]);
5656 nr_files++;
6b06314c
JA		 5657 }
5658
08a45173
JA		 5659 if (nr_files) {
5660 fpl->max = SCM_MAX_FD;
5661 fpl->count = nr_files;
5662 UNIXCB(skb).fp = fpl;
05f3fb3c 5663 skb->destructor = unix_destruct_scm;
08a45173
JA		 5664 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
5665 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 5666
08a45173
JA		 5667 for (i = 0; i < nr_files; i++)
5668 fput(fpl->fp[i]);
5669 } else {
5670 kfree_skb(skb);
5671 kfree(fpl);
5672 }
6b06314c
JA		 5673
5674 return 0;
5675}
5676
5677/*
5678 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
5679 * causes regular reference counting to break down. We rely on the UNIX
5680 * garbage collection to take care of this problem for us.
5681 */
5682static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5683{
5684 unsigned left, total;
5685 int ret = 0;
5686
5687 total = 0;
5688 left = ctx->nr_user_files;
5689 while (left) {
5690 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 5691
5692 ret = __io_sqe_files_scm(ctx, this_files, total);
5693 if (ret)
5694 break;
5695 left -= this_files;
5696 total += this_files;
5697 }
5698
5699 if (!ret)
5700 return 0;
5701
5702 while (total < ctx->nr_user_files) {
65e19f54
JA		 5703 struct file *file = io_file_from_index(ctx, total);
5704
5705 if (file)
5706 fput(file);
6b06314c
JA		 5707 total++;
5708 }
5709
5710 return ret;
5711}
5712#else
5713static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5714{
5715 return 0;
5716}
5717#endif
5718
65e19f54
JA		 5719static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5720 unsigned nr_files)
5721{
5722 int i;
5723
5724 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5725 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5726 unsigned this_files;
5727
5728 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5729 table->files = kcalloc(this_files, sizeof(struct file *),
5730 GFP_KERNEL);
5731 if (!table->files)
5732 break;
5733 nr_files -= this_files;
5734 }
5735
5736 if (i == nr_tables)
5737 return 0;
5738
5739 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5740 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5741 kfree(table->files);
5742 }
5743 return 1;
5744}
5745
05f3fb3c
JA		 5746static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5747{
5748#if defined(CONFIG_UNIX)
5749 struct sock *sock = ctx->ring_sock->sk;
5750 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5751 struct sk_buff *skb;
5752 int i;
5753
5754 __skb_queue_head_init(&list);
5755
5756 /*
5757 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5758 * remove this entry and rearrange the file array.
5759 */
5760 skb = skb_dequeue(head);
5761 while (skb) {
5762 struct scm_fp_list *fp;
5763
5764 fp = UNIXCB(skb).fp;
5765 for (i = 0; i < fp->count; i++) {
5766 int left;
5767
5768 if (fp->fp[i] != file)
5769 continue;
5770
5771 unix_notinflight(fp->user, fp->fp[i]);
5772 left = fp->count - 1 - i;
5773 if (left) {
5774 memmove(&fp->fp[i], &fp->fp[i + 1],
5775 left * sizeof(struct file *));
5776 }
5777 fp->count--;
5778 if (!fp->count) {
5779 kfree_skb(skb);
5780 skb = NULL;
5781 } else {
5782 __skb_queue_tail(&list, skb);
5783 }
5784 fput(file);
5785 file = NULL;
5786 break;
5787 }
5788
5789 if (!file)
5790 break;
5791
5792 __skb_queue_tail(&list, skb);
5793
5794 skb = skb_dequeue(head);
5795 }
5796
5797 if (skb_peek(&list)) {
5798 spin_lock_irq(&head->lock);
5799 while ((skb = __skb_dequeue(&list)) != NULL)
5800 __skb_queue_tail(head, skb);
5801 spin_unlock_irq(&head->lock);
5802 }
5803#else
5804 fput(file);
5805#endif
5806}
5807
5808struct io_file_put {
5809 struct llist_node llist;
5810 struct file *file;
5811 struct completion *done;
5812};
5813
2faf852d 5814static void io_ring_file_ref_flush(struct fixed_file_data *data)
65e19f54 5815{
05f3fb3c 5816 struct io_file_put *pfile, *tmp;
05f3fb3c 5817 struct llist_node *node;
65e19f54 5818
05f3fb3c
JA		 5819 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5820 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5821 io_ring_file_put(data->ctx, pfile->file);
5822 if (pfile->done)
5823 complete(pfile->done);
5824 else
5825 kfree(pfile);
5826 }
65e19f54 5827 }
2faf852d 5828}
65e19f54 5829
2faf852d
JA		 5830static void io_ring_file_ref_switch(struct work_struct *work)
5831{
5832 struct fixed_file_data *data;
65e19f54 5833
2faf852d
JA		 5834 data = container_of(work, struct fixed_file_data, ref_work);
5835 io_ring_file_ref_flush(data);
05f3fb3c
JA		 5836 percpu_ref_switch_to_percpu(&data->refs);
5837}
65e19f54 5838
05f3fb3c
JA		 5839static void io_file_data_ref_zero(struct percpu_ref *ref)
5840{
5841 struct fixed_file_data *data;
5842
5843 data = container_of(ref, struct fixed_file_data, refs);
5844
2faf852d
JA		 5845 /*
5846 * We can't safely switch from inside this context, punt to wq. If
5847 * the table ref is going away, the table is being unregistered.
5848 * Don't queue up the async work for that case, the caller will
5849 * handle it.
5850 */
5851 if (!percpu_ref_is_dying(&data->refs))
5852 queue_work(system_wq, &data->ref_work);
65e19f54
JA		 5853}
5854
6b06314c
JA		 5855static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5856 unsigned nr_args)
5857{
5858 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 5859 unsigned nr_tables;
05f3fb3c 5860 struct file *file;
6b06314c
JA		 5861 int fd, ret = 0;
5862 unsigned i;
5863
05f3fb3c 5864 if (ctx->file_data)
6b06314c
JA		 5865 return -EBUSY;
5866 if (!nr_args)
5867 return -EINVAL;
5868 if (nr_args > IORING_MAX_FIXED_FILES)
5869 return -EMFILE;
5870
05f3fb3c
JA		 5871 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5872 if (!ctx->file_data)
5873 return -ENOMEM;
5874 ctx->file_data->ctx = ctx;
5875 init_completion(&ctx->file_data->done);
5876
65e19f54 5877 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
05f3fb3c
JA		 5878 ctx->file_data->table = kcalloc(nr_tables,
5879 sizeof(struct fixed_file_table),
65e19f54 5880 GFP_KERNEL);
05f3fb3c
JA		 5881 if (!ctx->file_data->table) {
5882 kfree(ctx->file_data);
5883 ctx->file_data = NULL;
6b06314c 5884 return -ENOMEM;
05f3fb3c
JA		 5885 }
5886
5887 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5888 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5889 kfree(ctx->file_data->table);
5890 kfree(ctx->file_data);
5891 ctx->file_data = NULL;
6b06314c 5892 return -ENOMEM;
05f3fb3c
JA		 5893 }
5894 ctx->file_data->put_llist.first = NULL;
5895 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
6b06314c 5896
65e19f54 5897 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
05f3fb3c
JA		 5898 percpu_ref_exit(&ctx->file_data->refs);
5899 kfree(ctx->file_data->table);
5900 kfree(ctx->file_data);
5901 ctx->file_data = NULL;
65e19f54
JA		 5902 return -ENOMEM;
5903 }
5904
08a45173 5905 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 5906 struct fixed_file_table *table;
5907 unsigned index;
5908
6b06314c
JA		 5909 ret = -EFAULT;
5910 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5911 break;
08a45173
JA		 5912 /* allow sparse sets */
5913 if (fd == -1) {
5914 ret = 0;
5915 continue;
5916 }
6b06314c 5917
05f3fb3c 5918 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54 5919 index = i & IORING_FILE_TABLE_MASK;
05f3fb3c 5920 file = fget(fd);
6b06314c
JA		 5921
5922 ret = -EBADF;
05f3fb3c 5923 if (!file)
6b06314c 5924 break;
05f3fb3c 5925
6b06314c
JA		 5926 /*
5927 * Don't allow io_uring instances to be registered. If UNIX
5928 * isn't enabled, then this causes a reference cycle and this
5929 * instance can never get freed. If UNIX is enabled we'll
5930 * handle it just fine, but there's still no point in allowing
5931 * a ring fd as it doesn't support regular read/write anyway.
5932 */
05f3fb3c
JA		 5933 if (file->f_op == &io_uring_fops) {
5934 fput(file);
6b06314c
JA		 5935 break;
5936 }
6b06314c 5937 ret = 0;
05f3fb3c 5938 table->files[index] = file;
6b06314c
JA		 5939 }
5940
5941 if (ret) {
65e19f54 5942 for (i = 0; i < ctx->nr_user_files; i++) {
65e19f54
JA		 5943 file = io_file_from_index(ctx, i);
5944 if (file)
5945 fput(file);
5946 }
5947 for (i = 0; i < nr_tables; i++)
05f3fb3c 5948 kfree(ctx->file_data->table[i].files);
6b06314c 5949
05f3fb3c
JA		 5950 kfree(ctx->file_data->table);
5951 kfree(ctx->file_data);
5952 ctx->file_data = NULL;
6b06314c
JA		 5953 ctx->nr_user_files = 0;
5954 return ret;
5955 }
5956
5957 ret = io_sqe_files_scm(ctx);
5958 if (ret)
5959 io_sqe_files_unregister(ctx);
5960
5961 return ret;
5962}
5963
c3a31e60
JA		 5964static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5965 int index)
5966{
5967#if defined(CONFIG_UNIX)
5968 struct sock *sock = ctx->ring_sock->sk;
5969 struct sk_buff_head *head = &sock->sk_receive_queue;
5970 struct sk_buff *skb;
5971
5972 /*
5973 * See if we can merge this file into an existing skb SCM_RIGHTS
5974 * file set. If there's no room, fall back to allocating a new skb
5975 * and filling it in.
5976 */
5977 spin_lock_irq(&head->lock);
5978 skb = skb_peek(head);
5979 if (skb) {
5980 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5981
5982 if (fpl->count < SCM_MAX_FD) {
5983 __skb_unlink(skb, head);
5984 spin_unlock_irq(&head->lock);
5985 fpl->fp[fpl->count] = get_file(file);
5986 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5987 fpl->count++;
5988 spin_lock_irq(&head->lock);
5989 __skb_queue_head(head, skb);
5990 } else {
5991 skb = NULL;
5992 }
5993 }
5994 spin_unlock_irq(&head->lock);
5995
5996 if (skb) {
5997 fput(file);
5998 return 0;
5999 }
6000
6001 return __io_sqe_files_scm(ctx, 1, index);
6002#else
6003 return 0;
6004#endif
6005}
6006
05f3fb3c 6007static void io_atomic_switch(struct percpu_ref *ref)
c3a31e60 6008{
05f3fb3c
JA		 6009 struct fixed_file_data *data;
6010
dd3db2a3
JA		 6011 /*
6012 * Juggle reference to ensure we hit zero, if needed, so we can
6013 * switch back to percpu mode
6014 */
05f3fb3c 6015 data = container_of(ref, struct fixed_file_data, refs);
dd3db2a3
JA		 6016 percpu_ref_put(&data->refs);
6017 percpu_ref_get(&data->refs);
05f3fb3c
JA		 6018}
6019
6020static bool io_queue_file_removal(struct fixed_file_data *data,
6021 struct file *file)
6022{
6023 struct io_file_put *pfile, pfile_stack;
6024 DECLARE_COMPLETION_ONSTACK(done);
6025
6026 /*
6027 * If we fail allocating the struct we need for doing async reomval
6028 * of this file, just punt to sync and wait for it.
6029 */
6030 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
6031 if (!pfile) {
6032 pfile = &pfile_stack;
6033 pfile->done = &done;
6034 }
6035
6036 pfile->file = file;
6037 llist_add(&pfile->llist, &data->put_llist);
6038
6039 if (pfile == &pfile_stack) {
dd3db2a3 6040 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
05f3fb3c
JA		 6041 wait_for_completion(&done);
6042 flush_work(&data->ref_work);
6043 return false;
6044 }
6045
6046 return true;
6047}
6048
6049static int __io_sqe_files_update(struct io_ring_ctx *ctx,
6050 struct io_uring_files_update *up,
6051 unsigned nr_args)
6052{
6053 struct fixed_file_data *data = ctx->file_data;
6054 bool ref_switch = false;
6055 struct file *file;
c3a31e60
JA		 6056 __s32 __user *fds;
6057 int fd, i, err;
6058 __u32 done;
6059
05f3fb3c 6060 if (check_add_overflow(up->offset, nr_args, &done))
c3a31e60
JA		 6061 return -EOVERFLOW;
6062 if (done > ctx->nr_user_files)
6063 return -EINVAL;
6064
6065 done = 0;
05f3fb3c 6066 fds = u64_to_user_ptr(up->fds);
c3a31e60 6067 while (nr_args) {
65e19f54
JA		 6068 struct fixed_file_table *table;
6069 unsigned index;
6070
c3a31e60
JA		 6071 err = 0;
6072 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
6073 err = -EFAULT;
6074 break;
6075 }
05f3fb3c
JA		 6076 i = array_index_nospec(up->offset, ctx->nr_user_files);
6077 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54
JA		 6078 index = i & IORING_FILE_TABLE_MASK;
6079 if (table->files[index]) {
05f3fb3c 6080 file = io_file_from_index(ctx, index);
65e19f54 6081 table->files[index] = NULL;
05f3fb3c
JA		 6082 if (io_queue_file_removal(data, file))
6083 ref_switch = true;
c3a31e60
JA		 6084 }
6085 if (fd != -1) {
c3a31e60
JA		 6086 file = fget(fd);
6087 if (!file) {
6088 err = -EBADF;
6089 break;
6090 }
6091 /*
6092 * Don't allow io_uring instances to be registered. If
6093 * UNIX isn't enabled, then this causes a reference
6094 * cycle and this instance can never get freed. If UNIX
6095 * is enabled we'll handle it just fine, but there's
6096 * still no point in allowing a ring fd as it doesn't
6097 * support regular read/write anyway.
6098 */
6099 if (file->f_op == &io_uring_fops) {
6100 fput(file);
6101 err = -EBADF;
6102 break;
6103 }
65e19f54 6104 table->files[index] = file;
c3a31e60
JA		 6105 err = io_sqe_file_register(ctx, file, i);
6106 if (err)
6107 break;
6108 }
6109 nr_args--;
6110 done++;
05f3fb3c
JA		 6111 up->offset++;
6112 }
6113
dd3db2a3 6114 if (ref_switch)
05f3fb3c 6115 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
c3a31e60
JA		 6116
6117 return done ? done : err;
6118}
05f3fb3c
JA		 6119static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
6120 unsigned nr_args)
6121{
6122 struct io_uring_files_update up;
6123
6124 if (!ctx->file_data)
6125 return -ENXIO;
6126 if (!nr_args)
6127 return -EINVAL;
6128 if (copy_from_user(&up, arg, sizeof(up)))
6129 return -EFAULT;
6130 if (up.resv)
6131 return -EINVAL;
6132
6133 return __io_sqe_files_update(ctx, &up, nr_args);
6134}
c3a31e60 6135
7d723065
JA		 6136static void io_put_work(struct io_wq_work *work)
6137{
6138 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6139
6140 io_put_req(req);
6141}
6142
6143static void io_get_work(struct io_wq_work *work)
6144{
6145 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6146
6147 refcount_inc(&req->refs);
6148}
6149
24369c2e
PB		 6150static int io_init_wq_offload(struct io_ring_ctx *ctx,
6151 struct io_uring_params *p)
6152{
6153 struct io_wq_data data;
6154 struct fd f;
6155 struct io_ring_ctx *ctx_attach;
6156 unsigned int concurrency;
6157 int ret = 0;
6158
6159 data.user = ctx->user;
6160 data.get_work = io_get_work;
6161 data.put_work = io_put_work;
6162
6163 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
6164 /* Do QD, or 4 * CPUS, whatever is smallest */
6165 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
6166
6167 ctx->io_wq = io_wq_create(concurrency, &data);
6168 if (IS_ERR(ctx->io_wq)) {
6169 ret = PTR_ERR(ctx->io_wq);
6170 ctx->io_wq = NULL;
6171 }
6172 return ret;
6173 }
6174
6175 f = fdget(p->wq_fd);
6176 if (!f.file)
6177 return -EBADF;
6178
6179 if (f.file->f_op != &io_uring_fops) {
6180 ret = -EINVAL;
6181 goto out_fput;
6182 }
6183
6184 ctx_attach = f.file->private_data;
6185 /* @io_wq is protected by holding the fd */
6186 if (!io_wq_get(ctx_attach->io_wq, &data)) {
6187 ret = -EINVAL;
6188 goto out_fput;
6189 }
6190
6191 ctx->io_wq = ctx_attach->io_wq;
6192out_fput:
6193 fdput(f);
6194 return ret;
6195}
6196
6c271ce2
JA		 6197static int io_sq_offload_start(struct io_ring_ctx *ctx,
6198 struct io_uring_params *p)
2b188cc1
JA		 6199{
6200 int ret;
6201
6c271ce2 6202 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 6203 mmgrab(current->mm);
6204 ctx->sqo_mm = current->mm;
6205
6c271ce2 6206 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 6207 ret = -EPERM;
6208 if (!capable(CAP_SYS_ADMIN))
6209 goto err;
6210
917257da
JA		 6211 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
6212 if (!ctx->sq_thread_idle)
6213 ctx->sq_thread_idle = HZ;
6214
6c271ce2 6215 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 6216 int cpu = p->sq_thread_cpu;
6c271ce2 6217
917257da 6218 ret = -EINVAL;
44a9bd18
JA		 6219 if (cpu >= nr_cpu_ids)
6220 goto err;
7889f44d 6221 if (!cpu_online(cpu))
917257da
JA		 6222 goto err;
6223
6c271ce2
JA		 6224 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
6225 ctx, cpu,
6226 "io_uring-sq");
6227 } else {
6228 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
6229 "io_uring-sq");
6230 }
6231 if (IS_ERR(ctx->sqo_thread)) {
6232 ret = PTR_ERR(ctx->sqo_thread);
6233 ctx->sqo_thread = NULL;
6234 goto err;
6235 }
6236 wake_up_process(ctx->sqo_thread);
6237 } else if (p->flags & IORING_SETUP_SQ_AFF) {
6238 /* Can't have SQ_AFF without SQPOLL */
6239 ret = -EINVAL;
6240 goto err;
6241 }
6242
24369c2e
PB		 6243 ret = io_init_wq_offload(ctx, p);
6244 if (ret)
2b188cc1 6245 goto err;
2b188cc1
JA		 6246
6247 return 0;
6248err:
54a91f3b 6249 io_finish_async(ctx);
2b188cc1
JA		 6250 mmdrop(ctx->sqo_mm);
6251 ctx->sqo_mm = NULL;
6252 return ret;
6253}
6254
6255static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
6256{
6257 atomic_long_sub(nr_pages, &user->locked_vm);
6258}
6259
6260static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
6261{
6262 unsigned long page_limit, cur_pages, new_pages;
6263
6264 /* Don't allow more pages than we can safely lock */
6265 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
6266
6267 do {
6268 cur_pages = atomic_long_read(&user->locked_vm);
6269 new_pages = cur_pages + nr_pages;
6270 if (new_pages > page_limit)
6271 return -ENOMEM;
6272 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
6273 new_pages) != cur_pages);
6274
6275 return 0;
6276}
6277
6278static void io_mem_free(void *ptr)
6279{
52e04ef4
MR		 6280 struct page *page;
6281
6282 if (!ptr)
6283 return;
2b188cc1 6284
52e04ef4 6285 page = virt_to_head_page(ptr);
2b188cc1
JA		 6286 if (put_page_testzero(page))
6287 free_compound_page(page);
6288}
6289
6290static void *io_mem_alloc(size_t size)
6291{
6292 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
6293 __GFP_NORETRY;
6294
6295 return (void *) __get_free_pages(gfp_flags, get_order(size));
6296}
6297
75b28aff
HV		 6298static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
6299 size_t *sq_offset)
6300{
6301 struct io_rings *rings;
6302 size_t off, sq_array_size;
6303
6304 off = struct_size(rings, cqes, cq_entries);
6305 if (off == SIZE_MAX)
6306 return SIZE_MAX;
6307
6308#ifdef CONFIG_SMP
6309 off = ALIGN(off, SMP_CACHE_BYTES);
6310 if (off == 0)
6311 return SIZE_MAX;
6312#endif
6313
6314 sq_array_size = array_size(sizeof(u32), sq_entries);
6315 if (sq_array_size == SIZE_MAX)
6316 return SIZE_MAX;
6317
6318 if (check_add_overflow(off, sq_array_size, &off))
6319 return SIZE_MAX;
6320
6321 if (sq_offset)
6322 *sq_offset = off;
6323
6324 return off;
6325}
6326
2b188cc1
JA		 6327static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
6328{
75b28aff 6329 size_t pages;
2b188cc1 6330
75b28aff
HV		 6331 pages = (size_t)1 << get_order(
6332 rings_size(sq_entries, cq_entries, NULL));
6333 pages += (size_t)1 << get_order(
6334 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 6335
75b28aff 6336 return pages;
2b188cc1
JA		 6337}
6338
edafccee
JA		 6339static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
6340{
6341 int i, j;
6342
6343 if (!ctx->user_bufs)
6344 return -ENXIO;
6345
6346 for (i = 0; i < ctx->nr_user_bufs; i++) {
6347 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
6348
6349 for (j = 0; j < imu->nr_bvecs; j++)
f1f6a7dd 6350 unpin_user_page(imu->bvec[j].bv_page);
edafccee
JA		 6351
6352 if (ctx->account_mem)
6353 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 6354 kvfree(imu->bvec);
edafccee
JA		 6355 imu->nr_bvecs = 0;
6356 }
6357
6358 kfree(ctx->user_bufs);
6359 ctx->user_bufs = NULL;
6360 ctx->nr_user_bufs = 0;
6361 return 0;
6362}
6363
6364static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
6365 void __user *arg, unsigned index)
6366{
6367 struct iovec __user *src;
6368
6369#ifdef CONFIG_COMPAT
6370 if (ctx->compat) {
6371 struct compat_iovec __user *ciovs;
6372 struct compat_iovec ciov;
6373
6374 ciovs = (struct compat_iovec __user *) arg;
6375 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
6376 return -EFAULT;
6377
d55e5f5b 6378 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 6379 dst->iov_len = ciov.iov_len;
6380 return 0;
6381 }
6382#endif
6383 src = (struct iovec __user *) arg;
6384 if (copy_from_user(dst, &src[index], sizeof(*dst)))
6385 return -EFAULT;
6386 return 0;
6387}
6388
6389static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
6390 unsigned nr_args)
6391{
6392 struct vm_area_struct **vmas = NULL;
6393 struct page **pages = NULL;
6394 int i, j, got_pages = 0;
6395 int ret = -EINVAL;
6396
6397 if (ctx->user_bufs)
6398 return -EBUSY;
6399 if (!nr_args || nr_args > UIO_MAXIOV)
6400 return -EINVAL;
6401
6402 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
6403 GFP_KERNEL);
6404 if (!ctx->user_bufs)
6405 return -ENOMEM;
6406
6407 for (i = 0; i < nr_args; i++) {
6408 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
6409 unsigned long off, start, end, ubuf;
6410 int pret, nr_pages;
6411 struct iovec iov;
6412 size_t size;
6413
6414 ret = io_copy_iov(ctx, &iov, arg, i);
6415 if (ret)
a278682d 6416 goto err;
edafccee
JA		 6417
6418 /*
6419 * Don't impose further limits on the size and buffer
6420 * constraints here, we'll -EINVAL later when IO is
6421 * submitted if they are wrong.
6422 */
6423 ret = -EFAULT;
6424 if (!iov.iov_base || !iov.iov_len)
6425 goto err;
6426
6427 /* arbitrary limit, but we need something */
6428 if (iov.iov_len > SZ_1G)
6429 goto err;
6430
6431 ubuf = (unsigned long) iov.iov_base;
6432 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
6433 start = ubuf >> PAGE_SHIFT;
6434 nr_pages = end - start;
6435
6436 if (ctx->account_mem) {
6437 ret = io_account_mem(ctx->user, nr_pages);
6438 if (ret)
6439 goto err;
6440 }
6441
6442 ret = 0;
6443 if (!pages || nr_pages > got_pages) {
6444 kfree(vmas);
6445 kfree(pages);
d4ef6475 6446 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 6447 GFP_KERNEL);
d4ef6475 6448 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 6449 sizeof(struct vm_area_struct *),
6450 GFP_KERNEL);
6451 if (!pages || !vmas) {
6452 ret = -ENOMEM;
6453 if (ctx->account_mem)
6454 io_unaccount_mem(ctx->user, nr_pages);
6455 goto err;
6456 }
6457 got_pages = nr_pages;
6458 }
6459
d4ef6475 6460 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 6461 GFP_KERNEL);
6462 ret = -ENOMEM;
6463 if (!imu->bvec) {
6464 if (ctx->account_mem)
6465 io_unaccount_mem(ctx->user, nr_pages);
6466 goto err;
6467 }
6468
6469 ret = 0;
6470 down_read(&current->mm->mmap_sem);
2113b05d 6471 pret = pin_user_pages(ubuf, nr_pages,
932f4a63
IW		 6472 FOLL_WRITE | FOLL_LONGTERM,
6473 pages, vmas);
edafccee
JA		 6474 if (pret == nr_pages) {
6475 /* don't support file backed memory */
6476 for (j = 0; j < nr_pages; j++) {
6477 struct vm_area_struct *vma = vmas[j];
6478
6479 if (vma->vm_file &&
6480 !is_file_hugepages(vma->vm_file)) {
6481 ret = -EOPNOTSUPP;
6482 break;
6483 }
6484 }
6485 } else {
6486 ret = pret < 0 ? pret : -EFAULT;
6487 }
6488 up_read(&current->mm->mmap_sem);
6489 if (ret) {
6490 /*
6491 * if we did partial map, or found file backed vmas,
6492 * release any pages we did get
6493 */
27c4d3a3 6494 if (pret > 0)
f1f6a7dd 6495 unpin_user_pages(pages, pret);
edafccee
JA		 6496 if (ctx->account_mem)
6497 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 6498 kvfree(imu->bvec);
edafccee
JA		 6499 goto err;
6500 }
6501
6502 off = ubuf & ~PAGE_MASK;
6503 size = iov.iov_len;
6504 for (j = 0; j < nr_pages; j++) {
6505 size_t vec_len;
6506
6507 vec_len = min_t(size_t, size, PAGE_SIZE - off);
6508 imu->bvec[j].bv_page = pages[j];
6509 imu->bvec[j].bv_len = vec_len;
6510 imu->bvec[j].bv_offset = off;
6511 off = 0;
6512 size -= vec_len;
6513 }
6514 /* store original address for later verification */
6515 imu->ubuf = ubuf;
6516 imu->len = iov.iov_len;
6517 imu->nr_bvecs = nr_pages;
6518
6519 ctx->nr_user_bufs++;
6520 }
d4ef6475
MR		 6521 kvfree(pages);
6522 kvfree(vmas);
edafccee
JA		 6523 return 0;
6524err:
d4ef6475
MR		 6525 kvfree(pages);
6526 kvfree(vmas);
edafccee
JA		 6527 io_sqe_buffer_unregister(ctx);
6528 return ret;
6529}
6530
9b402849
JA		 6531static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
6532{
6533 __s32 __user *fds = arg;
6534 int fd;
6535
6536 if (ctx->cq_ev_fd)
6537 return -EBUSY;
6538
6539 if (copy_from_user(&fd, fds, sizeof(*fds)))
6540 return -EFAULT;
6541
6542 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
6543 if (IS_ERR(ctx->cq_ev_fd)) {
6544 int ret = PTR_ERR(ctx->cq_ev_fd);
6545 ctx->cq_ev_fd = NULL;
6546 return ret;
6547 }
6548
6549 return 0;
6550}
6551
6552static int io_eventfd_unregister(struct io_ring_ctx *ctx)
6553{
6554 if (ctx->cq_ev_fd) {
6555 eventfd_ctx_put(ctx->cq_ev_fd);
6556 ctx->cq_ev_fd = NULL;
6557 return 0;
6558 }
6559
6560 return -ENXIO;
6561}
6562
2b188cc1
JA		 6563static void io_ring_ctx_free(struct io_ring_ctx *ctx)
6564{
6b06314c 6565 io_finish_async(ctx);
2b188cc1
JA		 6566 if (ctx->sqo_mm)
6567 mmdrop(ctx->sqo_mm);
def596e9
JA		 6568
6569 io_iopoll_reap_events(ctx);
edafccee 6570 io_sqe_buffer_unregister(ctx);
6b06314c 6571 io_sqe_files_unregister(ctx);
9b402849 6572 io_eventfd_unregister(ctx);
41726c9a 6573 idr_destroy(&ctx->personality_idr);
def596e9 6574
2b188cc1 6575#if defined(CONFIG_UNIX)
355e8d26
EB		 6576 if (ctx->ring_sock) {
6577 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 6578 sock_release(ctx->ring_sock);
355e8d26 6579 }
2b188cc1
JA		 6580#endif
6581
75b28aff 6582 io_mem_free(ctx->rings);
2b188cc1 6583 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 6584
6585 percpu_ref_exit(&ctx->refs);
6586 if (ctx->account_mem)
6587 io_unaccount_mem(ctx->user,
6588 ring_pages(ctx->sq_entries, ctx->cq_entries));
6589 free_uid(ctx->user);
181e448d 6590 put_cred(ctx->creds);
206aefde 6591 kfree(ctx->completions);
78076bb6 6592 kfree(ctx->cancel_hash);
0ddf92e8 6593 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 6594 kfree(ctx);
6595}
6596
6597static __poll_t io_uring_poll(struct file *file, poll_table *wait)
6598{
6599 struct io_ring_ctx *ctx = file->private_data;
6600 __poll_t mask = 0;
6601
6602 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 6603 /*
6604 * synchronizes with barrier from wq_has_sleeper call in
6605 * io_commit_cqring
6606 */
2b188cc1 6607 smp_rmb();
75b28aff
HV		 6608 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
6609 ctx->rings->sq_ring_entries)
2b188cc1 6610 mask |= EPOLLOUT | EPOLLWRNORM;
63e5d81f 6611 if (io_cqring_events(ctx, false))
2b188cc1
JA		 6612 mask |= EPOLLIN | EPOLLRDNORM;
6613
6614 return mask;
6615}
6616
6617static int io_uring_fasync(int fd, struct file *file, int on)
6618{
6619 struct io_ring_ctx *ctx = file->private_data;
6620
6621 return fasync_helper(fd, file, on, &ctx->cq_fasync);
6622}
6623
071698e1
JA		 6624static int io_remove_personalities(int id, void *p, void *data)
6625{
6626 struct io_ring_ctx *ctx = data;
6627 const struct cred *cred;
6628
6629 cred = idr_remove(&ctx->personality_idr, id);
6630 if (cred)
6631 put_cred(cred);
6632 return 0;
6633}
6634
2b188cc1
JA		 6635static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
6636{
6637 mutex_lock(&ctx->uring_lock);
6638 percpu_ref_kill(&ctx->refs);
6639 mutex_unlock(&ctx->uring_lock);
6640
df069d80
JA		 6641 /*
6642 * Wait for sq thread to idle, if we have one. It won't spin on new
6643 * work after we've killed the ctx ref above. This is important to do
6644 * before we cancel existing commands, as the thread could otherwise
6645 * be queueing new work post that. If that's work we need to cancel,
6646 * it could cause shutdown to hang.
6647 */
6648 while (ctx->sqo_thread && !wq_has_sleeper(&ctx->sqo_wait))
6649 cpu_relax();
6650
5262f567 6651 io_kill_timeouts(ctx);
221c5eb2 6652 io_poll_remove_all(ctx);
561fb04a
JA		 6653
6654 if (ctx->io_wq)
6655 io_wq_cancel_all(ctx->io_wq);
6656
def596e9 6657 io_iopoll_reap_events(ctx);
15dff286
JA		 6658 /* if we failed setting up the ctx, we might not have any rings */
6659 if (ctx->rings)
6660 io_cqring_overflow_flush(ctx, true);
071698e1 6661 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
206aefde 6662 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 6663 io_ring_ctx_free(ctx);
6664}
6665
6666static int io_uring_release(struct inode *inode, struct file *file)
6667{
6668 struct io_ring_ctx *ctx = file->private_data;
6669
6670 file->private_data = NULL;
6671 io_ring_ctx_wait_and_kill(ctx);
6672 return 0;
6673}
6674
fcb323cc
JA		 6675static void io_uring_cancel_files(struct io_ring_ctx *ctx,
6676 struct files_struct *files)
6677{
6678 struct io_kiocb *req;
6679 DEFINE_WAIT(wait);
6680
6681 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 6682 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 6683
6684 spin_lock_irq(&ctx->inflight_lock);
6685 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 6686 if (req->work.files != files)
6687 continue;
6688 /* req is being completed, ignore */
6689 if (!refcount_inc_not_zero(&req->refs))
6690 continue;
6691 cancel_req = req;
6692 break;
fcb323cc 6693 }
768134d4 6694 if (cancel_req)
fcb323cc 6695 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 6696 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 6697 spin_unlock_irq(&ctx->inflight_lock);
6698
768134d4
JA		 6699 /* We need to keep going until we don't find a matching req */
6700 if (!cancel_req)
fcb323cc 6701 break;
2f6d9b9d 6702
2ca10259
JA		 6703 if (cancel_req->flags & REQ_F_OVERFLOW) {
6704 spin_lock_irq(&ctx->completion_lock);
6705 list_del(&cancel_req->list);
6706 cancel_req->flags &= ~REQ_F_OVERFLOW;
6707 if (list_empty(&ctx->cq_overflow_list)) {
6708 clear_bit(0, &ctx->sq_check_overflow);
6709 clear_bit(0, &ctx->cq_check_overflow);
6710 }
6711 spin_unlock_irq(&ctx->completion_lock);
6712
6713 WRITE_ONCE(ctx->rings->cq_overflow,
6714 atomic_inc_return(&ctx->cached_cq_overflow));
6715
6716 /*
6717 * Put inflight ref and overflow ref. If that's
6718 * all we had, then we're done with this request.
6719 */
6720 if (refcount_sub_and_test(2, &cancel_req->refs)) {
6721 io_put_req(cancel_req);
6722 continue;
6723 }
6724 }
6725
2f6d9b9d
BL		 6726 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
6727 io_put_req(cancel_req);
fcb323cc
JA		 6728 schedule();
6729 }
768134d4 6730 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 6731}
6732
6733static int io_uring_flush(struct file *file, void *data)
6734{
6735 struct io_ring_ctx *ctx = file->private_data;
6736
6737 io_uring_cancel_files(ctx, data);
6ab23144
JA		 6738
6739 /*
6740 * If the task is going away, cancel work it may have pending
6741 */
6742 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
6743 io_wq_cancel_pid(ctx->io_wq, task_pid_vnr(current));
6744
fcb323cc
JA		 6745 return 0;
6746}
6747
6c5c240e
RP		 6748static void *io_uring_validate_mmap_request(struct file *file,
6749 loff_t pgoff, size_t sz)
2b188cc1 6750{
2b188cc1 6751 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 6752 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 6753 struct page *page;
6754 void *ptr;
6755
6756 switch (offset) {
6757 case IORING_OFF_SQ_RING:
75b28aff
HV		 6758 case IORING_OFF_CQ_RING:
6759 ptr = ctx->rings;
2b188cc1
JA		 6760 break;
6761 case IORING_OFF_SQES:
6762 ptr = ctx->sq_sqes;
6763 break;
2b188cc1 6764 default:
6c5c240e 6765 return ERR_PTR(-EINVAL);
2b188cc1
JA		 6766 }
6767
6768 page = virt_to_head_page(ptr);
a50b854e 6769 if (sz > page_size(page))
6c5c240e
RP		 6770 return ERR_PTR(-EINVAL);
6771
6772 return ptr;
6773}
6774
6775#ifdef CONFIG_MMU
6776
6777static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6778{
6779 size_t sz = vma->vm_end - vma->vm_start;
6780 unsigned long pfn;
6781 void *ptr;
6782
6783 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
6784 if (IS_ERR(ptr))
6785 return PTR_ERR(ptr);
2b188cc1
JA		 6786
6787 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
6788 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
6789}
6790
6c5c240e
RP		 6791#else /* !CONFIG_MMU */
6792
6793static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6794{
6795 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
6796}
6797
6798static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6799{
6800 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6801}
6802
6803static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6804 unsigned long addr, unsigned long len,
6805 unsigned long pgoff, unsigned long flags)
6806{
6807 void *ptr;
6808
6809 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6810 if (IS_ERR(ptr))
6811 return PTR_ERR(ptr);
6812
6813 return (unsigned long) ptr;
6814}
6815
6816#endif /* !CONFIG_MMU */
6817
2b188cc1
JA		 6818SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6819 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6820 size_t, sigsz)
6821{
6822 struct io_ring_ctx *ctx;
6823 long ret = -EBADF;
6824 int submitted = 0;
6825 struct fd f;
6826
b41e9852
JA		 6827 if (current->task_works)
6828 task_work_run();
6829
6c271ce2 6830 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 6831 return -EINVAL;
6832
6833 f = fdget(fd);
6834 if (!f.file)
6835 return -EBADF;
6836
6837 ret = -EOPNOTSUPP;
6838 if (f.file->f_op != &io_uring_fops)
6839 goto out_fput;
6840
6841 ret = -ENXIO;
6842 ctx = f.file->private_data;
6843 if (!percpu_ref_tryget(&ctx->refs))
6844 goto out_fput;
6845
6c271ce2
JA		 6846 /*
6847 * For SQ polling, the thread will do all submissions and completions.
6848 * Just return the requested submit count, and wake the thread if
6849 * we were asked to.
6850 */
b2a9eada 6851 ret = 0;
6c271ce2 6852 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 6853 if (!list_empty_careful(&ctx->cq_overflow_list))
6854 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 6855 if (flags & IORING_ENTER_SQ_WAKEUP)
6856 wake_up(&ctx->sqo_wait);
6857 submitted = to_submit;
b2a9eada 6858 } else if (to_submit) {
ae9428ca 6859 struct mm_struct *cur_mm;
2b188cc1
JA		 6860
6861 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 6862 /* already have mm, so io_submit_sqes() won't try to grab it */
6863 cur_mm = ctx->sqo_mm;
6864 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6865 &cur_mm, false);
2b188cc1 6866 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 6867
6868 if (submitted != to_submit)
6869 goto out;
2b188cc1
JA		 6870 }
6871 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 6872 unsigned nr_events = 0;
6873
2b188cc1
JA		 6874 min_complete = min(min_complete, ctx->cq_entries);
6875
def596e9 6876 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 6877 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 6878 } else {
6879 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6880 }
2b188cc1
JA		 6881 }
6882
7c504e65 6883out:
6805b32e 6884 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 6885out_fput:
6886 fdput(f);
6887 return submitted ? submitted : ret;
6888}
6889
bebdb65e 6890#ifdef CONFIG_PROC_FS
87ce955b
JA		 6891static int io_uring_show_cred(int id, void *p, void *data)
6892{
6893 const struct cred *cred = p;
6894 struct seq_file *m = data;
6895 struct user_namespace *uns = seq_user_ns(m);
6896 struct group_info *gi;
6897 kernel_cap_t cap;
6898 unsigned __capi;
6899 int g;
6900
6901 seq_printf(m, "%5d\n", id);
6902 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
6903 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
6904 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
6905 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
6906 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
6907 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
6908 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
6909 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
6910 seq_puts(m, "\n\tGroups:\t");
6911 gi = cred->group_info;
6912 for (g = 0; g < gi->ngroups; g++) {
6913 seq_put_decimal_ull(m, g ? " " : "",
6914 from_kgid_munged(uns, gi->gid[g]));
6915 }
6916 seq_puts(m, "\n\tCapEff:\t");
6917 cap = cred->cap_effective;
6918 CAP_FOR_EACH_U32(__capi)
6919 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
6920 seq_putc(m, '\n');
6921 return 0;
6922}
6923
6924static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
6925{
6926 int i;
6927
6928 mutex_lock(&ctx->uring_lock);
6929 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
6930 for (i = 0; i < ctx->nr_user_files; i++) {
6931 struct fixed_file_table *table;
6932 struct file *f;
6933
6934 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6935 f = table->files[i & IORING_FILE_TABLE_MASK];
6936 if (f)
6937 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
6938 else
6939 seq_printf(m, "%5u: <none>\n", i);
6940 }
6941 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
6942 for (i = 0; i < ctx->nr_user_bufs; i++) {
6943 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
6944
6945 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
6946 (unsigned int) buf->len);
6947 }
6948 if (!idr_is_empty(&ctx->personality_idr)) {
6949 seq_printf(m, "Personalities:\n");
6950 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
6951 }
d7718a9d
JA		 6952 seq_printf(m, "PollList:\n");
6953 spin_lock_irq(&ctx->completion_lock);
6954 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
6955 struct hlist_head *list = &ctx->cancel_hash[i];
6956 struct io_kiocb *req;
6957
6958 hlist_for_each_entry(req, list, hash_node)
6959 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
6960 req->task->task_works != NULL);
6961 }
6962 spin_unlock_irq(&ctx->completion_lock);
87ce955b
JA		 6963 mutex_unlock(&ctx->uring_lock);
6964}
6965
6966static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
6967{
6968 struct io_ring_ctx *ctx = f->private_data;
6969
6970 if (percpu_ref_tryget(&ctx->refs)) {
6971 __io_uring_show_fdinfo(ctx, m);
6972 percpu_ref_put(&ctx->refs);
6973 }
6974}
bebdb65e 6975#endif
87ce955b 6976
2b188cc1
JA		 6977static const struct file_operations io_uring_fops = {
6978 .release = io_uring_release,
fcb323cc 6979 .flush = io_uring_flush,
2b188cc1 6980 .mmap = io_uring_mmap,
6c5c240e
RP		 6981#ifndef CONFIG_MMU
6982 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6983 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6984#endif
2b188cc1
JA		 6985 .poll = io_uring_poll,
6986 .fasync = io_uring_fasync,
bebdb65e 6987#ifdef CONFIG_PROC_FS
87ce955b 6988 .show_fdinfo = io_uring_show_fdinfo,
bebdb65e 6989#endif
2b188cc1
JA		 6990};
6991
6992static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6993 struct io_uring_params *p)
6994{
75b28aff
HV		 6995 struct io_rings *rings;
6996 size_t size, sq_array_offset;
2b188cc1 6997
75b28aff
HV		 6998 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6999 if (size == SIZE_MAX)
7000 return -EOVERFLOW;
7001
7002 rings = io_mem_alloc(size);
7003 if (!rings)
2b188cc1
JA		 7004 return -ENOMEM;
7005
75b28aff
HV		 7006 ctx->rings = rings;
7007 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
7008 rings->sq_ring_mask = p->sq_entries - 1;
7009 rings->cq_ring_mask = p->cq_entries - 1;
7010 rings->sq_ring_entries = p->sq_entries;
7011 rings->cq_ring_entries = p->cq_entries;
7012 ctx->sq_mask = rings->sq_ring_mask;
7013 ctx->cq_mask = rings->cq_ring_mask;
7014 ctx->sq_entries = rings->sq_ring_entries;
7015 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 7016
7017 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 7018 if (size == SIZE_MAX) {
7019 io_mem_free(ctx->rings);
7020 ctx->rings = NULL;
2b188cc1 7021 return -EOVERFLOW;
eb065d30 7022 }
2b188cc1
JA		 7023
7024 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 7025 if (!ctx->sq_sqes) {
7026 io_mem_free(ctx->rings);
7027 ctx->rings = NULL;
2b188cc1 7028 return -ENOMEM;
eb065d30 7029 }
2b188cc1 7030
2b188cc1
JA		 7031 return 0;
7032}
7033
7034/*
7035 * Allocate an anonymous fd, this is what constitutes the application
7036 * visible backing of an io_uring instance. The application mmaps this
7037 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
7038 * we have to tie this fd to a socket for file garbage collection purposes.
7039 */
7040static int io_uring_get_fd(struct io_ring_ctx *ctx)
7041{
7042 struct file *file;
7043 int ret;
7044
7045#if defined(CONFIG_UNIX)
7046 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
7047 &ctx->ring_sock);
7048 if (ret)
7049 return ret;
7050#endif
7051
7052 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
7053 if (ret < 0)
7054 goto err;
7055
7056 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
7057 O_RDWR | O_CLOEXEC);
7058 if (IS_ERR(file)) {
7059 put_unused_fd(ret);
7060 ret = PTR_ERR(file);
7061 goto err;
7062 }
7063
7064#if defined(CONFIG_UNIX)
7065 ctx->ring_sock->file = file;
7066#endif
7067 fd_install(ret, file);
7068 return ret;
7069err:
7070#if defined(CONFIG_UNIX)
7071 sock_release(ctx->ring_sock);
7072 ctx->ring_sock = NULL;
7073#endif
7074 return ret;
7075}
7076
7077static int io_uring_create(unsigned entries, struct io_uring_params *p)
7078{
7079 struct user_struct *user = NULL;
7080 struct io_ring_ctx *ctx;
7081 bool account_mem;
7082 int ret;
7083
8110c1a6 7084 if (!entries)
2b188cc1 7085 return -EINVAL;
8110c1a6
JA		 7086 if (entries > IORING_MAX_ENTRIES) {
7087 if (!(p->flags & IORING_SETUP_CLAMP))
7088 return -EINVAL;
7089 entries = IORING_MAX_ENTRIES;
7090 }
2b188cc1
JA		 7091
7092 /*
7093 * Use twice as many entries for the CQ ring. It's possible for the
7094 * application to drive a higher depth than the size of the SQ ring,
7095 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 7096 * some flexibility in overcommitting a bit. If the application has
7097 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
7098 * of CQ ring entries manually.
2b188cc1
JA		 7099 */
7100 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 7101 if (p->flags & IORING_SETUP_CQSIZE) {
7102 /*
7103 * If IORING_SETUP_CQSIZE is set, we do the same roundup
7104 * to a power-of-two, if it isn't already. We do NOT impose
7105 * any cq vs sq ring sizing.
7106 */
8110c1a6 7107 if (p->cq_entries < p->sq_entries)
33a107f0 7108 return -EINVAL;
8110c1a6
JA		 7109 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
7110 if (!(p->flags & IORING_SETUP_CLAMP))
7111 return -EINVAL;
7112 p->cq_entries = IORING_MAX_CQ_ENTRIES;
7113 }
33a107f0
JA		 7114 p->cq_entries = roundup_pow_of_two(p->cq_entries);
7115 } else {
7116 p->cq_entries = 2 * p->sq_entries;
7117 }
2b188cc1
JA		 7118
7119 user = get_uid(current_user());
7120 account_mem = !capable(CAP_IPC_LOCK);
7121
7122 if (account_mem) {
7123 ret = io_account_mem(user,
7124 ring_pages(p->sq_entries, p->cq_entries));
7125 if (ret) {
7126 free_uid(user);
7127 return ret;
7128 }
7129 }
7130
7131 ctx = io_ring_ctx_alloc(p);
7132 if (!ctx) {
7133 if (account_mem)
7134 io_unaccount_mem(user, ring_pages(p->sq_entries,
7135 p->cq_entries));
7136 free_uid(user);
7137 return -ENOMEM;
7138 }
7139 ctx->compat = in_compat_syscall();
7140 ctx->account_mem = account_mem;
7141 ctx->user = user;
0b8c0ec7 7142 ctx->creds = get_current_cred();
2b188cc1
JA		 7143
7144 ret = io_allocate_scq_urings(ctx, p);
7145 if (ret)
7146 goto err;
7147
6c271ce2 7148 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 7149 if (ret)
7150 goto err;
7151
2b188cc1 7152 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 7153 p->sq_off.head = offsetof(struct io_rings, sq.head);
7154 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
7155 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
7156 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
7157 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
7158 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
7159 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 7160
7161 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 7162 p->cq_off.head = offsetof(struct io_rings, cq.head);
7163 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
7164 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
7165 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
7166 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
7167 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 7168
044c1ab3
JA		 7169 /*
7170 * Install ring fd as the very last thing, so we don't risk someone
7171 * having closed it before we finish setup
7172 */
7173 ret = io_uring_get_fd(ctx);
7174 if (ret < 0)
7175 goto err;
7176
da8c9690 7177 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
cccf0ee8 7178 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
d7718a9d 7179 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL;
c826bd7a 7180 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 7181 return ret;
7182err:
7183 io_ring_ctx_wait_and_kill(ctx);
7184 return ret;
7185}
7186
7187/*
7188 * Sets up an aio uring context, and returns the fd. Applications asks for a
7189 * ring size, we return the actual sq/cq ring sizes (among other things) in the
7190 * params structure passed in.
7191 */
7192static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
7193{
7194 struct io_uring_params p;
7195 long ret;
7196 int i;
7197
7198 if (copy_from_user(&p, params, sizeof(p)))
7199 return -EFAULT;
7200 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
7201 if (p.resv[i])
7202 return -EINVAL;
7203 }
7204
6c271ce2 7205 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8110c1a6 7206 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
24369c2e 7207 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ))
2b188cc1
JA		 7208 return -EINVAL;
7209
7210 ret = io_uring_create(entries, &p);
7211 if (ret < 0)
7212 return ret;
7213
7214 if (copy_to_user(params, &p, sizeof(p)))
7215 return -EFAULT;
7216
7217 return ret;
7218}
7219
7220SYSCALL_DEFINE2(io_uring_setup, u32, entries,
7221 struct io_uring_params __user *, params)
7222{
7223 return io_uring_setup(entries, params);
7224}
7225
66f4af93
JA		 7226static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
7227{
7228 struct io_uring_probe *p;
7229 size_t size;
7230 int i, ret;
7231
7232 size = struct_size(p, ops, nr_args);
7233 if (size == SIZE_MAX)
7234 return -EOVERFLOW;
7235 p = kzalloc(size, GFP_KERNEL);
7236 if (!p)
7237 return -ENOMEM;
7238
7239 ret = -EFAULT;
7240 if (copy_from_user(p, arg, size))
7241 goto out;
7242 ret = -EINVAL;
7243 if (memchr_inv(p, 0, size))
7244 goto out;
7245
7246 p->last_op = IORING_OP_LAST - 1;
7247 if (nr_args > IORING_OP_LAST)
7248 nr_args = IORING_OP_LAST;
7249
7250 for (i = 0; i < nr_args; i++) {
7251 p->ops[i].op = i;
7252 if (!io_op_defs[i].not_supported)
7253 p->ops[i].flags = IO_URING_OP_SUPPORTED;
7254 }
7255 p->ops_len = i;
7256
7257 ret = 0;
7258 if (copy_to_user(arg, p, size))
7259 ret = -EFAULT;
7260out:
7261 kfree(p);
7262 return ret;
7263}
7264
071698e1
JA		 7265static int io_register_personality(struct io_ring_ctx *ctx)
7266{
7267 const struct cred *creds = get_current_cred();
7268 int id;
7269
7270 id = idr_alloc_cyclic(&ctx->personality_idr, (void *) creds, 1,
7271 USHRT_MAX, GFP_KERNEL);
7272 if (id < 0)
7273 put_cred(creds);
7274 return id;
7275}
7276
7277static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
7278{
7279 const struct cred *old_creds;
7280
7281 old_creds = idr_remove(&ctx->personality_idr, id);
7282 if (old_creds) {
7283 put_cred(old_creds);
7284 return 0;
7285 }
7286
7287 return -EINVAL;
7288}
7289
7290static bool io_register_op_must_quiesce(int op)
7291{
7292 switch (op) {
7293 case IORING_UNREGISTER_FILES:
7294 case IORING_REGISTER_FILES_UPDATE:
7295 case IORING_REGISTER_PROBE:
7296 case IORING_REGISTER_PERSONALITY:
7297 case IORING_UNREGISTER_PERSONALITY:
7298 return false;
7299 default:
7300 return true;
7301 }
7302}
7303
edafccee
JA		 7304static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
7305 void __user *arg, unsigned nr_args)
b19062a5
JA		 7306 __releases(ctx->uring_lock)
7307 __acquires(ctx->uring_lock)
edafccee
JA		 7308{
7309 int ret;
7310
35fa71a0
JA		 7311 /*
7312 * We're inside the ring mutex, if the ref is already dying, then
7313 * someone else killed the ctx or is already going through
7314 * io_uring_register().
7315 */
7316 if (percpu_ref_is_dying(&ctx->refs))
7317 return -ENXIO;
7318
071698e1 7319 if (io_register_op_must_quiesce(opcode)) {
05f3fb3c 7320 percpu_ref_kill(&ctx->refs);
b19062a5 7321
05f3fb3c
JA		 7322 /*
7323 * Drop uring mutex before waiting for references to exit. If
7324 * another thread is currently inside io_uring_enter() it might
7325 * need to grab the uring_lock to make progress. If we hold it
7326 * here across the drain wait, then we can deadlock. It's safe
7327 * to drop the mutex here, since no new references will come in
7328 * after we've killed the percpu ref.
7329 */
7330 mutex_unlock(&ctx->uring_lock);
c150368b 7331 ret = wait_for_completion_interruptible(&ctx->completions[0]);
05f3fb3c 7332 mutex_lock(&ctx->uring_lock);
c150368b
JA		 7333 if (ret) {
7334 percpu_ref_resurrect(&ctx->refs);
7335 ret = -EINTR;
7336 goto out;
7337 }
05f3fb3c 7338 }
edafccee
JA		 7339
7340 switch (opcode) {
7341 case IORING_REGISTER_BUFFERS:
7342 ret = io_sqe_buffer_register(ctx, arg, nr_args);
7343 break;
7344 case IORING_UNREGISTER_BUFFERS:
7345 ret = -EINVAL;
7346 if (arg || nr_args)
7347 break;
7348 ret = io_sqe_buffer_unregister(ctx);
7349 break;
6b06314c
JA		 7350 case IORING_REGISTER_FILES:
7351 ret = io_sqe_files_register(ctx, arg, nr_args);
7352 break;
7353 case IORING_UNREGISTER_FILES:
7354 ret = -EINVAL;
7355 if (arg || nr_args)
7356 break;
7357 ret = io_sqe_files_unregister(ctx);
7358 break;
c3a31e60
JA		 7359 case IORING_REGISTER_FILES_UPDATE:
7360 ret = io_sqe_files_update(ctx, arg, nr_args);
7361 break;
9b402849 7362 case IORING_REGISTER_EVENTFD:
f2842ab5 7363 case IORING_REGISTER_EVENTFD_ASYNC:
9b402849
JA		 7364 ret = -EINVAL;
7365 if (nr_args != 1)
7366 break;
7367 ret = io_eventfd_register(ctx, arg);
f2842ab5
JA		 7368 if (ret)
7369 break;
7370 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
7371 ctx->eventfd_async = 1;
7372 else
7373 ctx->eventfd_async = 0;
9b402849
JA		 7374 break;
7375 case IORING_UNREGISTER_EVENTFD:
7376 ret = -EINVAL;
7377 if (arg || nr_args)
7378 break;
7379 ret = io_eventfd_unregister(ctx);
7380 break;
66f4af93
JA		 7381 case IORING_REGISTER_PROBE:
7382 ret = -EINVAL;
7383 if (!arg || nr_args > 256)
7384 break;
7385 ret = io_probe(ctx, arg, nr_args);
7386 break;
071698e1
JA		 7387 case IORING_REGISTER_PERSONALITY:
7388 ret = -EINVAL;
7389 if (arg || nr_args)
7390 break;
7391 ret = io_register_personality(ctx);
7392 break;
7393 case IORING_UNREGISTER_PERSONALITY:
7394 ret = -EINVAL;
7395 if (arg)
7396 break;
7397 ret = io_unregister_personality(ctx, nr_args);
7398 break;
edafccee
JA		 7399 default:
7400 ret = -EINVAL;
7401 break;
7402 }
7403
071698e1 7404 if (io_register_op_must_quiesce(opcode)) {
05f3fb3c 7405 /* bring the ctx back to life */
05f3fb3c 7406 percpu_ref_reinit(&ctx->refs);
c150368b
JA		 7407out:
7408 reinit_completion(&ctx->completions[0]);
05f3fb3c 7409 }
edafccee
JA		 7410 return ret;
7411}
7412
7413SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
7414 void __user *, arg, unsigned int, nr_args)
7415{
7416 struct io_ring_ctx *ctx;
7417 long ret = -EBADF;
7418 struct fd f;
7419
7420 f = fdget(fd);
7421 if (!f.file)
7422 return -EBADF;
7423
7424 ret = -EOPNOTSUPP;
7425 if (f.file->f_op != &io_uring_fops)
7426 goto out_fput;
7427
7428 ctx = f.file->private_data;
7429
7430 mutex_lock(&ctx->uring_lock);
7431 ret = __io_uring_register(ctx, opcode, arg, nr_args);
7432 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 7433 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
7434 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 7435out_fput:
7436 fdput(f);
7437 return ret;
7438}
7439
2b188cc1
JA		 7440static int __init io_uring_init(void)
7441{
d7f62e82
SM		 7442#define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
7443 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
7444 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
7445} while (0)
7446
7447#define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
7448 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
7449 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
7450 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
7451 BUILD_BUG_SQE_ELEM(1, __u8, flags);
7452 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
7453 BUILD_BUG_SQE_ELEM(4, __s32, fd);
7454 BUILD_BUG_SQE_ELEM(8, __u64, off);
7455 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
7456 BUILD_BUG_SQE_ELEM(16, __u64, addr);
7d67af2c 7457 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
d7f62e82
SM		 7458 BUILD_BUG_SQE_ELEM(24, __u32, len);
7459 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
7460 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
7461 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
7462 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
7463 BUILD_BUG_SQE_ELEM(28, __u16, poll_events);
7464 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
7465 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
7466 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
7467 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
7468 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
7469 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
7470 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
7471 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
7d67af2c 7472 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
d7f62e82
SM		 7473 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
7474 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
7475 BUILD_BUG_SQE_ELEM(42, __u16, personality);
7d67af2c 7476 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
d7f62e82 7477
d3656344 7478 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
2b188cc1
JA		 7479 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
7480 return 0;
7481};
7482__initcall(io_uring_init);
Linux 6.x block layer and io_uring tree(s)