projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: enable option to only trigger eventfd for async completions
[linux-block.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
15b71abe
JA		 73#include <linux/namei.h>
74#include <linux/fsnotify.h>
4840e418 75#include <linux/fadvise.h>
2b188cc1 76
c826bd7a
DD		 77#define CREATE_TRACE_POINTS
78#include <trace/events/io_uring.h>
79
2b188cc1
JA		 80#include <uapi/linux/io_uring.h>
81
82#include "internal.h"
561fb04a 83#include "io-wq.h"
2b188cc1 84
5277deaa 85#define IORING_MAX_ENTRIES 32768
33a107f0 86#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 87
88/*
89 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
90 */
91#define IORING_FILE_TABLE_SHIFT 9
92#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
93#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
94#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 95
96struct io_uring {
97 u32 head ____cacheline_aligned_in_smp;
98 u32 tail ____cacheline_aligned_in_smp;
99};
100
1e84b97b 101/*
75b28aff
HV		 102 * This data is shared with the application through the mmap at offsets
103 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 104 *
105 * The offsets to the member fields are published through struct
106 * io_sqring_offsets when calling io_uring_setup.
107 */
75b28aff 108struct io_rings {
1e84b97b
SB		 109 /*
110 * Head and tail offsets into the ring; the offsets need to be
111 * masked to get valid indices.
112 *
75b28aff
HV		 113 * The kernel controls head of the sq ring and the tail of the cq ring,
114 * and the application controls tail of the sq ring and the head of the
115 * cq ring.
1e84b97b 116 */
75b28aff 117 struct io_uring sq, cq;
1e84b97b 118 /*
75b28aff 119 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 120 * ring_entries - 1)
121 */
75b28aff
HV		 122 u32 sq_ring_mask, cq_ring_mask;
123 /* Ring sizes (constant, power of 2) */
124 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 125 /*
126 * Number of invalid entries dropped by the kernel due to
127 * invalid index stored in array
128 *
129 * Written by the kernel, shouldn't be modified by the
130 * application (i.e. get number of "new events" by comparing to
131 * cached value).
132 *
133 * After a new SQ head value was read by the application this
134 * counter includes all submissions that were dropped reaching
135 * the new SQ head (and possibly more).
136 */
75b28aff 137 u32 sq_dropped;
1e84b97b
SB		 138 /*
139 * Runtime flags
140 *
141 * Written by the kernel, shouldn't be modified by the
142 * application.
143 *
144 * The application needs a full memory barrier before checking
145 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
146 */
75b28aff 147 u32 sq_flags;
1e84b97b
SB		 148 /*
149 * Number of completion events lost because the queue was full;
150 * this should be avoided by the application by making sure
0b4295b5 151 * there are not more requests pending than there is space in
1e84b97b
SB		 152 * the completion queue.
153 *
154 * Written by the kernel, shouldn't be modified by the
155 * application (i.e. get number of "new events" by comparing to
156 * cached value).
157 *
158 * As completion events come in out of order this counter is not
159 * ordered with any other data.
160 */
75b28aff 161 u32 cq_overflow;
1e84b97b
SB		 162 /*
163 * Ring buffer of completion events.
164 *
165 * The kernel writes completion events fresh every time they are
166 * produced, so the application is allowed to modify pending
167 * entries.
168 */
75b28aff 169 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 170};
171
edafccee
JA		 172struct io_mapped_ubuf {
173 u64 ubuf;
174 size_t len;
175 struct bio_vec *bvec;
176 unsigned int nr_bvecs;
177};
178
65e19f54
JA		 179struct fixed_file_table {
180 struct file **files;
31b51510
JA		 181};
182
05f3fb3c
JA		 183enum {
184 FFD_F_ATOMIC,
185};
186
187struct fixed_file_data {
188 struct fixed_file_table *table;
189 struct io_ring_ctx *ctx;
190
191 struct percpu_ref refs;
192 struct llist_head put_llist;
193 unsigned long state;
194 struct work_struct ref_work;
195 struct completion done;
196};
197
2b188cc1
JA		 198struct io_ring_ctx {
199 struct {
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
202
203 struct {
204 unsigned int flags;
69b3e546
JA		 205 int compat: 1;
206 int account_mem: 1;
207 int cq_overflow_flushed: 1;
208 int drain_next: 1;
f2842ab5 209 int eventfd_async: 1;
2b188cc1 210
75b28aff
HV		 211 /*
212 * Ring buffer of indices into array of io_uring_sqe, which is
213 * mmapped by the application using the IORING_OFF_SQES offset.
214 *
215 * This indirection could e.g. be used to assign fixed
216 * io_uring_sqe entries to operations and only submit them to
217 * the queue when needed.
218 *
219 * The kernel modifies neither the indices array nor the entries
220 * array.
221 */
222 u32 *sq_array;
2b188cc1
JA		 223 unsigned cached_sq_head;
224 unsigned sq_entries;
225 unsigned sq_mask;
6c271ce2 226 unsigned sq_thread_idle;
498ccd9e 227 unsigned cached_sq_dropped;
206aefde 228 atomic_t cached_cq_overflow;
ad3eb2c8 229 unsigned long sq_check_overflow;
de0617e4
JA		 230
231 struct list_head defer_list;
5262f567 232 struct list_head timeout_list;
1d7bb1d5 233 struct list_head cq_overflow_list;
fcb323cc
JA		 234
235 wait_queue_head_t inflight_wait;
ad3eb2c8 236 struct io_uring_sqe *sq_sqes;
2b188cc1
JA		 237 } ____cacheline_aligned_in_smp;
238
206aefde
JA		 239 struct io_rings *rings;
240
2b188cc1 241 /* IO offload */
561fb04a 242 struct io_wq *io_wq;
6c271ce2 243 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 244 struct mm_struct *sqo_mm;
6c271ce2 245 wait_queue_head_t sqo_wait;
75b28aff 246
6b06314c
JA		 247 /*
248 * If used, fixed file set. Writers must ensure that ->refs is dead,
249 * readers must ensure that ->refs is alive as long as the file* is
250 * used. Only updated through io_uring_register(2).
251 */
05f3fb3c 252 struct fixed_file_data *file_data;
6b06314c
JA		 253 unsigned nr_user_files;
254
edafccee
JA		 255 /* if used, fixed mapped user buffers */
256 unsigned nr_user_bufs;
257 struct io_mapped_ubuf *user_bufs;
258
2b188cc1
JA		 259 struct user_struct *user;
260
0b8c0ec7 261 const struct cred *creds;
181e448d 262
206aefde
JA		 263 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
264 struct completion *completions;
265
0ddf92e8
JA		 266 /* if all else fails... */
267 struct io_kiocb *fallback_req;
268
206aefde
JA		 269#if defined(CONFIG_UNIX)
270 struct socket *ring_sock;
271#endif
272
273 struct {
274 unsigned cached_cq_tail;
275 unsigned cq_entries;
276 unsigned cq_mask;
277 atomic_t cq_timeouts;
ad3eb2c8 278 unsigned long cq_check_overflow;
206aefde
JA		 279 struct wait_queue_head cq_wait;
280 struct fasync_struct *cq_fasync;
281 struct eventfd_ctx *cq_ev_fd;
282 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 283
284 struct {
285 struct mutex uring_lock;
286 wait_queue_head_t wait;
287 } ____cacheline_aligned_in_smp;
288
289 struct {
290 spinlock_t completion_lock;
e94f141b
JA		 291 struct llist_head poll_llist;
292
def596e9
JA		 293 /*
294 * ->poll_list is protected by the ctx->uring_lock for
295 * io_uring instances that don't use IORING_SETUP_SQPOLL.
296 * For SQPOLL, only the single threaded io_sq_thread() will
297 * manipulate the list, hence no extra locking is needed there.
298 */
299 struct list_head poll_list;
78076bb6
JA		 300 struct hlist_head *cancel_hash;
301 unsigned cancel_hash_bits;
e94f141b 302 bool poll_multi_file;
31b51510 303
fcb323cc
JA		 304 spinlock_t inflight_lock;
305 struct list_head inflight_list;
2b188cc1 306 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 307};
308
09bb8394
JA		 309/*
310 * First field must be the file pointer in all the
311 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
312 */
221c5eb2
JA		 313struct io_poll_iocb {
314 struct file *file;
0969e783
JA		 315 union {
316 struct wait_queue_head *head;
317 u64 addr;
318 };
221c5eb2 319 __poll_t events;
8c838788 320 bool done;
221c5eb2 321 bool canceled;
392edb45 322 struct wait_queue_entry wait;
221c5eb2
JA		 323};
324
b5dba59e
JA		 325struct io_close {
326 struct file *file;
327 struct file *put_file;
328 int fd;
329};
330
ad8a48ac
JA		 331struct io_timeout_data {
332 struct io_kiocb *req;
333 struct hrtimer timer;
334 struct timespec64 ts;
335 enum hrtimer_mode mode;
cc42e0ac 336 u32 seq_offset;
ad8a48ac
JA		 337};
338
8ed8d3c3
JA		 339struct io_accept {
340 struct file *file;
341 struct sockaddr __user *addr;
342 int __user *addr_len;
343 int flags;
344};
345
346struct io_sync {
347 struct file *file;
348 loff_t len;
349 loff_t off;
350 int flags;
d63d1b5e 351 int mode;
8ed8d3c3
JA		 352};
353
fbf23849
JA		 354struct io_cancel {
355 struct file *file;
356 u64 addr;
357};
358
b29472ee
JA		 359struct io_timeout {
360 struct file *file;
361 u64 addr;
362 int flags;
26a61679 363 unsigned count;
b29472ee
JA		 364};
365
9adbd45d
JA		 366struct io_rw {
367 /* NOTE: kiocb has the file as the first member, so don't do it here */
368 struct kiocb kiocb;
369 u64 addr;
370 u64 len;
371};
372
3fbb51c1
JA		 373struct io_connect {
374 struct file *file;
375 struct sockaddr __user *addr;
376 int addr_len;
377};
378
e47293fd
JA		 379struct io_sr_msg {
380 struct file *file;
fddaface
JA		 381 union {
382 struct user_msghdr __user *msg;
383 void __user *buf;
384 };
e47293fd 385 int msg_flags;
fddaface 386 size_t len;
e47293fd
JA		 387};
388
15b71abe
JA		 389struct io_open {
390 struct file *file;
391 int dfd;
eddc7ef5
JA		 392 union {
393 umode_t mode;
394 unsigned mask;
395 };
15b71abe
JA		 396 const char __user *fname;
397 struct filename *filename;
eddc7ef5 398 struct statx __user *buffer;
15b71abe
JA		 399 int flags;
400};
401
05f3fb3c
JA		 402struct io_files_update {
403 struct file *file;
404 u64 arg;
405 u32 nr_args;
406 u32 offset;
407};
408
4840e418
JA		 409struct io_fadvise {
410 struct file *file;
411 u64 offset;
412 u32 len;
413 u32 advice;
414};
415
c1ca757b
JA		 416struct io_madvise {
417 struct file *file;
418 u64 addr;
419 u32 len;
420 u32 advice;
421};
422
f499a021
JA		 423struct io_async_connect {
424 struct sockaddr_storage address;
425};
426
03b1230c
JA		 427struct io_async_msghdr {
428 struct iovec fast_iov[UIO_FASTIOV];
429 struct iovec *iov;
430 struct sockaddr __user *uaddr;
431 struct msghdr msg;
432};
433
f67676d1
JA		 434struct io_async_rw {
435 struct iovec fast_iov[UIO_FASTIOV];
436 struct iovec *iov;
437 ssize_t nr_segs;
438 ssize_t size;
439};
440
15b71abe
JA		 441struct io_async_open {
442 struct filename *filename;
443};
444
1a6b74fc 445struct io_async_ctx {
f67676d1
JA		 446 union {
447 struct io_async_rw rw;
03b1230c 448 struct io_async_msghdr msg;
f499a021 449 struct io_async_connect connect;
2d28390a 450 struct io_timeout_data timeout;
15b71abe 451 struct io_async_open open;
f67676d1 452 };
1a6b74fc
JA		 453};
454
09bb8394
JA		 455/*
456 * NOTE! Each of the iocb union members has the file pointer
457 * as the first entry in their struct definition. So you can
458 * access the file pointer through any of the sub-structs,
459 * or directly as just 'ki_filp' in this struct.
460 */
2b188cc1 461struct io_kiocb {
221c5eb2 462 union {
09bb8394 463 struct file *file;
9adbd45d 464 struct io_rw rw;
221c5eb2 465 struct io_poll_iocb poll;
8ed8d3c3
JA		 466 struct io_accept accept;
467 struct io_sync sync;
fbf23849 468 struct io_cancel cancel;
b29472ee 469 struct io_timeout timeout;
3fbb51c1 470 struct io_connect connect;
e47293fd 471 struct io_sr_msg sr_msg;
15b71abe 472 struct io_open open;
b5dba59e 473 struct io_close close;
05f3fb3c 474 struct io_files_update files_update;
4840e418 475 struct io_fadvise fadvise;
c1ca757b 476 struct io_madvise madvise;
221c5eb2 477 };
2b188cc1 478
1a6b74fc 479 struct io_async_ctx *io;
e94f141b
JA		 480 union {
481 /*
482 * ring_file is only used in the submission path, and
483 * llist_node is only used for poll deferred completions
484 */
485 struct file *ring_file;
486 struct llist_node llist_node;
487 };
cf6fd4bd
PB		 488 int ring_fd;
489 bool has_user;
490 bool in_async;
491 bool needs_fixed_file;
d625c6ee 492 u8 opcode;
2b188cc1
JA		 493
494 struct io_ring_ctx *ctx;
eac406c6
JA		 495 union {
496 struct list_head list;
78076bb6 497 struct hlist_node hash_node;
eac406c6 498 };
9e645e11 499 struct list_head link_list;
2b188cc1 500 unsigned int flags;
c16361c1 501 refcount_t refs;
8449eeda 502#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 503#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 504#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 505#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 506#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
507#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 508#define REQ_F_LINK 64 /* linked sqes */
2665abfd 509#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 510#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 511#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 512#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 513#define REQ_F_ISREG 2048 /* regular file */
514#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 515#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 516#define REQ_F_INFLIGHT 16384 /* on inflight list */
517#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 518#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
ce35a47a 519#define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
ba04291e 520#define REQ_F_CUR_POS 262144 /* read/write uses file position */
2b188cc1 521 u64 user_data;
9e645e11 522 u32 result;
de0617e4 523 u32 sequence;
2b188cc1 524
fcb323cc
JA		 525 struct list_head inflight_entry;
526
561fb04a 527 struct io_wq_work work;
2b188cc1
JA		 528};
529
530#define IO_PLUG_THRESHOLD 2
def596e9 531#define IO_IOPOLL_BATCH 8
2b188cc1 532
9a56a232
JA		 533struct io_submit_state {
534 struct blk_plug plug;
535
2579f913
JA		 536 /*
537 * io_kiocb alloc cache
538 */
539 void *reqs[IO_IOPOLL_BATCH];
540 unsigned int free_reqs;
541 unsigned int cur_req;
542
9a56a232
JA		 543 /*
544 * File reference cache
545 */
546 struct file *file;
547 unsigned int fd;
548 unsigned int has_refs;
549 unsigned int used_refs;
550 unsigned int ios_left;
551};
552
d3656344
JA		 553struct io_op_def {
554 /* needs req->io allocated for deferral/async */
555 unsigned async_ctx : 1;
556 /* needs current->mm setup, does mm access */
557 unsigned needs_mm : 1;
558 /* needs req->file assigned */
559 unsigned needs_file : 1;
560 /* needs req->file assigned IFF fd is >= 0 */
561 unsigned fd_non_neg : 1;
562 /* hash wq insertion if file is a regular file */
563 unsigned hash_reg_file : 1;
564 /* unbound wq insertion if file is a non-regular file */
565 unsigned unbound_nonreg_file : 1;
566};
567
568static const struct io_op_def io_op_defs[] = {
569 {
570 /* IORING_OP_NOP */
571 },
572 {
573 /* IORING_OP_READV */
574 .async_ctx = 1,
575 .needs_mm = 1,
576 .needs_file = 1,
577 .unbound_nonreg_file = 1,
578 },
579 {
580 /* IORING_OP_WRITEV */
581 .async_ctx = 1,
582 .needs_mm = 1,
583 .needs_file = 1,
584 .hash_reg_file = 1,
585 .unbound_nonreg_file = 1,
586 },
587 {
588 /* IORING_OP_FSYNC */
589 .needs_file = 1,
590 },
591 {
592 /* IORING_OP_READ_FIXED */
593 .needs_file = 1,
594 .unbound_nonreg_file = 1,
595 },
596 {
597 /* IORING_OP_WRITE_FIXED */
598 .needs_file = 1,
599 .hash_reg_file = 1,
600 .unbound_nonreg_file = 1,
601 },
602 {
603 /* IORING_OP_POLL_ADD */
604 .needs_file = 1,
605 .unbound_nonreg_file = 1,
606 },
607 {
608 /* IORING_OP_POLL_REMOVE */
609 },
610 {
611 /* IORING_OP_SYNC_FILE_RANGE */
612 .needs_file = 1,
613 },
614 {
615 /* IORING_OP_SENDMSG */
616 .async_ctx = 1,
617 .needs_mm = 1,
618 .needs_file = 1,
619 .unbound_nonreg_file = 1,
620 },
621 {
622 /* IORING_OP_RECVMSG */
623 .async_ctx = 1,
624 .needs_mm = 1,
625 .needs_file = 1,
626 .unbound_nonreg_file = 1,
627 },
628 {
629 /* IORING_OP_TIMEOUT */
630 .async_ctx = 1,
631 .needs_mm = 1,
632 },
633 {
634 /* IORING_OP_TIMEOUT_REMOVE */
635 },
636 {
637 /* IORING_OP_ACCEPT */
638 .needs_mm = 1,
639 .needs_file = 1,
640 .unbound_nonreg_file = 1,
641 },
642 {
643 /* IORING_OP_ASYNC_CANCEL */
644 },
645 {
646 /* IORING_OP_LINK_TIMEOUT */
647 .async_ctx = 1,
648 .needs_mm = 1,
649 },
650 {
651 /* IORING_OP_CONNECT */
652 .async_ctx = 1,
653 .needs_mm = 1,
654 .needs_file = 1,
655 .unbound_nonreg_file = 1,
656 },
657 {
658 /* IORING_OP_FALLOCATE */
659 .needs_file = 1,
660 },
661 {
662 /* IORING_OP_OPENAT */
663 .needs_file = 1,
664 .fd_non_neg = 1,
665 },
666 {
667 /* IORING_OP_CLOSE */
668 .needs_file = 1,
669 },
670 {
671 /* IORING_OP_FILES_UPDATE */
672 .needs_mm = 1,
673 },
674 {
675 /* IORING_OP_STATX */
676 .needs_mm = 1,
677 .needs_file = 1,
678 .fd_non_neg = 1,
679 },
3a6820f2
JA		 680 {
681 /* IORING_OP_READ */
682 .needs_mm = 1,
683 .needs_file = 1,
684 .unbound_nonreg_file = 1,
685 },
686 {
687 /* IORING_OP_WRITE */
688 .needs_mm = 1,
689 .needs_file = 1,
690 .unbound_nonreg_file = 1,
691 },
4840e418
JA		 692 {
693 /* IORING_OP_FADVISE */
694 .needs_file = 1,
695 },
c1ca757b
JA		 696 {
697 /* IORING_OP_MADVISE */
698 .needs_mm = 1,
699 },
fddaface
JA		 700 {
701 /* IORING_OP_SEND */
702 .needs_mm = 1,
703 .needs_file = 1,
704 .unbound_nonreg_file = 1,
705 },
706 {
707 /* IORING_OP_RECV */
708 .needs_mm = 1,
709 .needs_file = 1,
710 .unbound_nonreg_file = 1,
711 },
d3656344
JA		 712};
713
561fb04a 714static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 715static void io_cqring_fill_event(struct io_kiocb *req, long res);
ec9c02ad 716static void io_put_req(struct io_kiocb *req);
978db57e 717static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 718static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
719static void io_queue_linked_timeout(struct io_kiocb *req);
05f3fb3c
JA		 720static int __io_sqe_files_update(struct io_ring_ctx *ctx,
721 struct io_uring_files_update *ip,
722 unsigned nr_args);
de0617e4 723
2b188cc1
JA		 724static struct kmem_cache *req_cachep;
725
726static const struct file_operations io_uring_fops;
727
728struct sock *io_uring_get_socket(struct file *file)
729{
730#if defined(CONFIG_UNIX)
731 if (file->f_op == &io_uring_fops) {
732 struct io_ring_ctx *ctx = file->private_data;
733
734 return ctx->ring_sock->sk;
735 }
736#endif
737 return NULL;
738}
739EXPORT_SYMBOL(io_uring_get_socket);
740
741static void io_ring_ctx_ref_free(struct percpu_ref *ref)
742{
743 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
744
206aefde 745 complete(&ctx->completions[0]);
2b188cc1
JA		 746}
747
748static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
749{
750 struct io_ring_ctx *ctx;
78076bb6 751 int hash_bits;
2b188cc1
JA		 752
753 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
754 if (!ctx)
755 return NULL;
756
0ddf92e8
JA		 757 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
758 if (!ctx->fallback_req)
759 goto err;
760
206aefde
JA		 761 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
762 if (!ctx->completions)
763 goto err;
764
78076bb6
JA		 765 /*
766 * Use 5 bits less than the max cq entries, that should give us around
767 * 32 entries per hash list if totally full and uniformly spread.
768 */
769 hash_bits = ilog2(p->cq_entries);
770 hash_bits -= 5;
771 if (hash_bits <= 0)
772 hash_bits = 1;
773 ctx->cancel_hash_bits = hash_bits;
774 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
775 GFP_KERNEL);
776 if (!ctx->cancel_hash)
777 goto err;
778 __hash_init(ctx->cancel_hash, 1U << hash_bits);
779
21482896 780 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 781 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
782 goto err;
2b188cc1
JA		 783
784 ctx->flags = p->flags;
785 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 786 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 787 init_completion(&ctx->completions[0]);
788 init_completion(&ctx->completions[1]);
2b188cc1
JA		 789 mutex_init(&ctx->uring_lock);
790 init_waitqueue_head(&ctx->wait);
791 spin_lock_init(&ctx->completion_lock);
e94f141b 792 init_llist_head(&ctx->poll_llist);
def596e9 793 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 794 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 795 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 796 init_waitqueue_head(&ctx->inflight_wait);
797 spin_lock_init(&ctx->inflight_lock);
798 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 799 return ctx;
206aefde 800err:
0ddf92e8
JA		 801 if (ctx->fallback_req)
802 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 803 kfree(ctx->completions);
78076bb6 804 kfree(ctx->cancel_hash);
206aefde
JA		 805 kfree(ctx);
806 return NULL;
2b188cc1
JA		 807}
808
9d858b21 809static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 810{
a197f664
JL		 811 struct io_ring_ctx *ctx = req->ctx;
812
498ccd9e
JA		 813 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
814 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 815}
816
9d858b21 817static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 818{
9d858b21
BL		 819 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
820 return __req_need_defer(req);
de0617e4 821
9d858b21 822 return false;
de0617e4
JA		 823}
824
7adf4eaf 825static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 826{
827 struct io_kiocb *req;
828
7adf4eaf 829 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 830 if (req && !req_need_defer(req)) {
de0617e4
JA		 831 list_del_init(&req->list);
832 return req;
833 }
834
835 return NULL;
836}
837
5262f567
JA		 838static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
839{
7adf4eaf
JA		 840 struct io_kiocb *req;
841
842 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 843 if (req) {
844 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
845 return NULL;
fb4b3d3f 846 if (!__req_need_defer(req)) {
93bd25bb
JA		 847 list_del_init(&req->list);
848 return req;
849 }
7adf4eaf
JA		 850 }
851
852 return NULL;
5262f567
JA		 853}
854
de0617e4 855static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 856{
75b28aff 857 struct io_rings *rings = ctx->rings;
2b188cc1 858
75b28aff 859 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 860 /* order cqe stores with ring update */
75b28aff 861 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 862
2b188cc1
JA		 863 if (wq_has_sleeper(&ctx->cq_wait)) {
864 wake_up_interruptible(&ctx->cq_wait);
865 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
866 }
867 }
868}
869
94ae5e77
JA		 870static inline bool io_prep_async_work(struct io_kiocb *req,
871 struct io_kiocb **link)
18d9be1a 872{
d3656344 873 const struct io_op_def *def = &io_op_defs[req->opcode];
561fb04a 874 bool do_hashed = false;
54a91f3b 875
d3656344
JA		 876 if (req->flags & REQ_F_ISREG) {
877 if (def->hash_reg_file)
3529d8c2 878 do_hashed = true;
d3656344
JA		 879 } else {
880 if (def->unbound_nonreg_file)
3529d8c2 881 req->work.flags |= IO_WQ_WORK_UNBOUND;
54a91f3b 882 }
d3656344 883 if (def->needs_mm)
3529d8c2 884 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b 885
94ae5e77 886 *link = io_prep_linked_timeout(req);
561fb04a
JA		 887 return do_hashed;
888}
889
a197f664 890static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 891{
a197f664 892 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 893 struct io_kiocb *link;
894 bool do_hashed;
895
896 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 897
898 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
899 req->flags);
900 if (!do_hashed) {
901 io_wq_enqueue(ctx->io_wq, &req->work);
902 } else {
903 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
904 file_inode(req->file));
905 }
94ae5e77
JA		 906
907 if (link)
908 io_queue_linked_timeout(link);
18d9be1a
JA		 909}
910
5262f567
JA		 911static void io_kill_timeout(struct io_kiocb *req)
912{
913 int ret;
914
2d28390a 915 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 916 if (ret != -1) {
917 atomic_inc(&req->ctx->cq_timeouts);
842f9612 918 list_del_init(&req->list);
78e19bbe 919 io_cqring_fill_event(req, 0);
ec9c02ad 920 io_put_req(req);
5262f567
JA		 921 }
922}
923
924static void io_kill_timeouts(struct io_ring_ctx *ctx)
925{
926 struct io_kiocb *req, *tmp;
927
928 spin_lock_irq(&ctx->completion_lock);
929 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
930 io_kill_timeout(req);
931 spin_unlock_irq(&ctx->completion_lock);
932}
933
de0617e4
JA		 934static void io_commit_cqring(struct io_ring_ctx *ctx)
935{
936 struct io_kiocb *req;
937
5262f567
JA		 938 while ((req = io_get_timeout_req(ctx)) != NULL)
939 io_kill_timeout(req);
940
de0617e4
JA		 941 __io_commit_cqring(ctx);
942
943 while ((req = io_get_deferred_req(ctx)) != NULL) {
944 req->flags |= REQ_F_IO_DRAINED;
a197f664 945 io_queue_async_work(req);
de0617e4
JA		 946 }
947}
948
2b188cc1
JA		 949static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
950{
75b28aff 951 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 952 unsigned tail;
953
954 tail = ctx->cached_cq_tail;
115e12e5
SB		 955 /*
956 * writes to the cq entry need to come after reading head; the
957 * control dependency is enough as we're using WRITE_ONCE to
958 * fill the cq entry
959 */
75b28aff 960 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 961 return NULL;
962
963 ctx->cached_cq_tail++;
75b28aff 964 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 965}
966
f2842ab5
JA		 967static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
968{
969 if (!ctx->eventfd_async)
970 return true;
971 return io_wq_current_is_worker() || in_interrupt();
972}
973
1d7bb1d5
JA		 974static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
975{
976 if (waitqueue_active(&ctx->wait))
977 wake_up(&ctx->wait);
978 if (waitqueue_active(&ctx->sqo_wait))
979 wake_up(&ctx->sqo_wait);
f2842ab5 980 if (ctx->cq_ev_fd && io_should_trigger_evfd(ctx))
1d7bb1d5
JA		 981 eventfd_signal(ctx->cq_ev_fd, 1);
982}
983
c4a2ed72
JA		 984/* Returns true if there are no backlogged entries after the flush */
985static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 986{
987 struct io_rings *rings = ctx->rings;
988 struct io_uring_cqe *cqe;
989 struct io_kiocb *req;
990 unsigned long flags;
991 LIST_HEAD(list);
992
993 if (!force) {
994 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 995 return true;
1d7bb1d5
JA		 996 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
997 rings->cq_ring_entries))
c4a2ed72 998 return false;
1d7bb1d5
JA		 999 }
1000
1001 spin_lock_irqsave(&ctx->completion_lock, flags);
1002
1003 /* if force is set, the ring is going away. always drop after that */
1004 if (force)
69b3e546 1005 ctx->cq_overflow_flushed = 1;
1d7bb1d5 1006
c4a2ed72 1007 cqe = NULL;
1d7bb1d5
JA		 1008 while (!list_empty(&ctx->cq_overflow_list)) {
1009 cqe = io_get_cqring(ctx);
1010 if (!cqe && !force)
1011 break;
1012
1013 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1014 list);
1015 list_move(&req->list, &list);
1016 if (cqe) {
1017 WRITE_ONCE(cqe->user_data, req->user_data);
1018 WRITE_ONCE(cqe->res, req->result);
1019 WRITE_ONCE(cqe->flags, 0);
1020 } else {
1021 WRITE_ONCE(ctx->rings->cq_overflow,
1022 atomic_inc_return(&ctx->cached_cq_overflow));
1023 }
1024 }
1025
1026 io_commit_cqring(ctx);
ad3eb2c8
JA		 1027 if (cqe) {
1028 clear_bit(0, &ctx->sq_check_overflow);
1029 clear_bit(0, &ctx->cq_check_overflow);
1030 }
1d7bb1d5
JA		 1031 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1032 io_cqring_ev_posted(ctx);
1033
1034 while (!list_empty(&list)) {
1035 req = list_first_entry(&list, struct io_kiocb, list);
1036 list_del(&req->list);
ec9c02ad 1037 io_put_req(req);
1d7bb1d5 1038 }
c4a2ed72
JA		 1039
1040 return cqe != NULL;
1d7bb1d5
JA		 1041}
1042
78e19bbe 1043static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 1044{
78e19bbe 1045 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1046 struct io_uring_cqe *cqe;
1047
78e19bbe 1048 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 1049
2b188cc1
JA		 1050 /*
1051 * If we can't get a cq entry, userspace overflowed the
1052 * submission (by quite a lot). Increment the overflow count in
1053 * the ring.
1054 */
1055 cqe = io_get_cqring(ctx);
1d7bb1d5 1056 if (likely(cqe)) {
78e19bbe 1057 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 1058 WRITE_ONCE(cqe->res, res);
c71ffb67 1059 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 1060 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 1061 WRITE_ONCE(ctx->rings->cq_overflow,
1062 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5 1063 } else {
ad3eb2c8
JA		 1064 if (list_empty(&ctx->cq_overflow_list)) {
1065 set_bit(0, &ctx->sq_check_overflow);
1066 set_bit(0, &ctx->cq_check_overflow);
1067 }
1d7bb1d5
JA		 1068 refcount_inc(&req->refs);
1069 req->result = res;
1070 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 1071 }
1072}
1073
78e19bbe 1074static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 1075{
78e19bbe 1076 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1077 unsigned long flags;
1078
1079 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 1080 io_cqring_fill_event(req, res);
2b188cc1
JA		 1081 io_commit_cqring(ctx);
1082 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1083
8c838788 1084 io_cqring_ev_posted(ctx);
2b188cc1
JA		 1085}
1086
0ddf92e8
JA		 1087static inline bool io_is_fallback_req(struct io_kiocb *req)
1088{
1089 return req == (struct io_kiocb *)
1090 ((unsigned long) req->ctx->fallback_req & ~1UL);
1091}
1092
1093static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1094{
1095 struct io_kiocb *req;
1096
1097 req = ctx->fallback_req;
1098 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1099 return req;
1100
1101 return NULL;
1102}
1103
2579f913
JA		 1104static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1105 struct io_submit_state *state)
2b188cc1 1106{
fd6fab2c 1107 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 1108 struct io_kiocb *req;
1109
2579f913 1110 if (!state) {
fd6fab2c 1111 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 1112 if (unlikely(!req))
0ddf92e8 1113 goto fallback;
2579f913
JA		 1114 } else if (!state->free_reqs) {
1115 size_t sz;
1116 int ret;
1117
1118 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 1119 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1120
1121 /*
1122 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1123 * retry single alloc to be on the safe side.
1124 */
1125 if (unlikely(ret <= 0)) {
1126 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1127 if (!state->reqs[0])
0ddf92e8 1128 goto fallback;
fd6fab2c
JA		 1129 ret = 1;
1130 }
2579f913
JA		 1131 state->free_reqs = ret - 1;
1132 state->cur_req = 1;
1133 req = state->reqs[0];
1134 } else {
1135 req = state->reqs[state->cur_req];
1136 state->free_reqs--;
1137 state->cur_req++;
2b188cc1
JA		 1138 }
1139
0ddf92e8 1140got_it:
1a6b74fc 1141 req->io = NULL;
cf6fd4bd 1142 req->ring_file = NULL;
60c112b0 1143 req->file = NULL;
2579f913
JA		 1144 req->ctx = ctx;
1145 req->flags = 0;
e65ef56d
JA		 1146 /* one is dropped after submission, the other at completion */
1147 refcount_set(&req->refs, 2);
9e645e11 1148 req->result = 0;
561fb04a 1149 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 1150 return req;
0ddf92e8
JA		 1151fallback:
1152 req = io_get_fallback_req(ctx);
1153 if (req)
1154 goto got_it;
6805b32e 1155 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 1156 return NULL;
1157}
1158
2b85edfc
PB		 1159static void __io_req_do_free(struct io_kiocb *req)
1160{
1161 if (likely(!io_is_fallback_req(req)))
1162 kmem_cache_free(req_cachep, req);
1163 else
1164 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1165}
1166
c6ca97b3 1167static void __io_req_aux_free(struct io_kiocb *req)
2b188cc1 1168{
fcb323cc
JA		 1169 struct io_ring_ctx *ctx = req->ctx;
1170
96fd84d8 1171 kfree(req->io);
05f3fb3c
JA		 1172 if (req->file) {
1173 if (req->flags & REQ_F_FIXED_FILE)
1174 percpu_ref_put(&ctx->file_data->refs);
1175 else
1176 fput(req->file);
1177 }
c6ca97b3
JA		 1178}
1179
1180static void __io_free_req(struct io_kiocb *req)
1181{
1182 __io_req_aux_free(req);
1183
fcb323cc 1184 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3 1185 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 1186 unsigned long flags;
1187
1188 spin_lock_irqsave(&ctx->inflight_lock, flags);
1189 list_del(&req->inflight_entry);
1190 if (waitqueue_active(&ctx->inflight_wait))
1191 wake_up(&ctx->inflight_wait);
1192 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1193 }
2b85edfc
PB		 1194
1195 percpu_ref_put(&req->ctx->refs);
1196 __io_req_do_free(req);
e65ef56d
JA		 1197}
1198
c6ca97b3
JA		 1199struct req_batch {
1200 void *reqs[IO_IOPOLL_BATCH];
1201 int to_free;
1202 int need_iter;
1203};
1204
1205static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1206{
1207 if (!rb->to_free)
1208 return;
1209 if (rb->need_iter) {
1210 int i, inflight = 0;
1211 unsigned long flags;
1212
1213 for (i = 0; i < rb->to_free; i++) {
1214 struct io_kiocb *req = rb->reqs[i];
1215
1216 if (req->flags & REQ_F_FIXED_FILE)
1217 req->file = NULL;
1218 if (req->flags & REQ_F_INFLIGHT)
1219 inflight++;
1220 else
1221 rb->reqs[i] = NULL;
1222 __io_req_aux_free(req);
1223 }
1224 if (!inflight)
1225 goto do_free;
1226
1227 spin_lock_irqsave(&ctx->inflight_lock, flags);
1228 for (i = 0; i < rb->to_free; i++) {
1229 struct io_kiocb *req = rb->reqs[i];
1230
1231 if (req) {
1232 list_del(&req->inflight_entry);
1233 if (!--inflight)
1234 break;
1235 }
1236 }
1237 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1238
1239 if (waitqueue_active(&ctx->inflight_wait))
1240 wake_up(&ctx->inflight_wait);
1241 }
1242do_free:
1243 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1244 percpu_ref_put_many(&ctx->refs, rb->to_free);
1245 percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
1246 rb->to_free = rb->need_iter = 0;
1247}
1248
a197f664 1249static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 1250{
a197f664 1251 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1252 int ret;
1253
2d28390a 1254 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 1255 if (ret != -1) {
78e19bbe 1256 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 1257 io_commit_cqring(ctx);
1258 req->flags &= ~REQ_F_LINK;
ec9c02ad 1259 io_put_req(req);
2665abfd
JA		 1260 return true;
1261 }
1262
1263 return false;
e65ef56d
JA		 1264}
1265
ba816ad6 1266static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 1267{
2665abfd 1268 struct io_ring_ctx *ctx = req->ctx;
2665abfd 1269 bool wake_ev = false;
9e645e11 1270
4d7dd462
JA		 1271 /* Already got next link */
1272 if (req->flags & REQ_F_LINK_NEXT)
1273 return;
1274
9e645e11
JA		 1275 /*
1276 * The list should never be empty when we are called here. But could
1277 * potentially happen if the chain is messed up, check to be on the
1278 * safe side.
1279 */
4493233e
PB		 1280 while (!list_empty(&req->link_list)) {
1281 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1282 struct io_kiocb, link_list);
94ae5e77 1283
4493233e
PB		 1284 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1285 (nxt->flags & REQ_F_TIMEOUT))) {
1286 list_del_init(&nxt->link_list);
94ae5e77 1287 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 1288 req->flags &= ~REQ_F_LINK_TIMEOUT;
1289 continue;
1290 }
9e645e11 1291
4493233e
PB		 1292 list_del_init(&req->link_list);
1293 if (!list_empty(&nxt->link_list))
1294 nxt->flags |= REQ_F_LINK;
b18fdf71 1295 *nxtptr = nxt;
94ae5e77 1296 break;
9e645e11 1297 }
2665abfd 1298
4d7dd462 1299 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1300 if (wake_ev)
1301 io_cqring_ev_posted(ctx);
9e645e11
JA		 1302}
1303
1304/*
1305 * Called if REQ_F_LINK is set, and we fail the head request
1306 */
1307static void io_fail_links(struct io_kiocb *req)
1308{
2665abfd 1309 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1310 unsigned long flags;
1311
1312 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1313
1314 while (!list_empty(&req->link_list)) {
4493233e
PB		 1315 struct io_kiocb *link = list_first_entry(&req->link_list,
1316 struct io_kiocb, link_list);
9e645e11 1317
4493233e 1318 list_del_init(&link->link_list);
c826bd7a 1319 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1320
1321 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1322 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1323 io_link_cancel_timeout(link);
2665abfd 1324 } else {
78e19bbe 1325 io_cqring_fill_event(link, -ECANCELED);
978db57e 1326 __io_double_put_req(link);
2665abfd 1327 }
5d960724 1328 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1329 }
2665abfd
JA		 1330
1331 io_commit_cqring(ctx);
1332 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1333 io_cqring_ev_posted(ctx);
9e645e11
JA		 1334}
1335
4d7dd462 1336static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1337{
4d7dd462 1338 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1339 return;
2665abfd 1340
9e645e11
JA		 1341 /*
1342 * If LINK is set, we have dependent requests in this chain. If we
1343 * didn't fail this request, queue the first one up, moving any other
1344 * dependencies to the next request. In case of failure, fail the rest
1345 * of the chain.
1346 */
2665abfd
JA		 1347 if (req->flags & REQ_F_FAIL_LINK) {
1348 io_fail_links(req);
7c9e7f0f
JA		 1349 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1350 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1351 struct io_ring_ctx *ctx = req->ctx;
1352 unsigned long flags;
1353
1354 /*
1355 * If this is a timeout link, we could be racing with the
1356 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1357 * protect against that.
2665abfd
JA		 1358 */
1359 spin_lock_irqsave(&ctx->completion_lock, flags);
1360 io_req_link_next(req, nxt);
1361 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1362 } else {
1363 io_req_link_next(req, nxt);
9e645e11 1364 }
4d7dd462 1365}
9e645e11 1366
c69f8dbe
JL		 1367static void io_free_req(struct io_kiocb *req)
1368{
944e58bf
PB		 1369 struct io_kiocb *nxt = NULL;
1370
1371 io_req_find_next(req, &nxt);
70cf9f32 1372 __io_free_req(req);
944e58bf
PB		 1373
1374 if (nxt)
1375 io_queue_async_work(nxt);
c69f8dbe
JL		 1376}
1377
ba816ad6
JA		 1378/*
1379 * Drop reference to request, return next in chain (if there is one) if this
1380 * was the last reference to this request.
1381 */
f9bd67f6 1382__attribute__((nonnull))
ec9c02ad 1383static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1384{
f9bd67f6 1385 io_req_find_next(req, nxtptr);
4d7dd462 1386
e65ef56d 1387 if (refcount_dec_and_test(&req->refs))
4d7dd462 1388 __io_free_req(req);
2b188cc1
JA		 1389}
1390
e65ef56d
JA		 1391static void io_put_req(struct io_kiocb *req)
1392{
1393 if (refcount_dec_and_test(&req->refs))
1394 io_free_req(req);
2b188cc1
JA		 1395}
1396
978db57e
JA		 1397/*
1398 * Must only be used if we don't need to care about links, usually from
1399 * within the completion handling itself.
1400 */
1401static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1402{
1403 /* drop both submit and complete references */
1404 if (refcount_sub_and_test(2, &req->refs))
1405 __io_free_req(req);
1406}
1407
978db57e
JA		 1408static void io_double_put_req(struct io_kiocb *req)
1409{
1410 /* drop both submit and complete references */
1411 if (refcount_sub_and_test(2, &req->refs))
1412 io_free_req(req);
1413}
1414
1d7bb1d5 1415static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1416{
84f97dc2
JA		 1417 struct io_rings *rings = ctx->rings;
1418
ad3eb2c8
JA		 1419 if (test_bit(0, &ctx->cq_check_overflow)) {
1420 /*
1421 * noflush == true is from the waitqueue handler, just ensure
1422 * we wake up the task, and the next invocation will flush the
1423 * entries. We cannot safely to it from here.
1424 */
1425 if (noflush && !list_empty(&ctx->cq_overflow_list))
1426 return -1U;
1d7bb1d5 1427
ad3eb2c8
JA		 1428 io_cqring_overflow_flush(ctx, false);
1429 }
1d7bb1d5 1430
a3a0e43f
JA		 1431 /* See comment at the top of this file */
1432 smp_rmb();
ad3eb2c8 1433 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1434}
1435
fb5ccc98
PB		 1436static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1437{
1438 struct io_rings *rings = ctx->rings;
1439
1440 /* make sure SQ entry isn't read before tail */
1441 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1442}
1443
8237e045 1444static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
e94f141b 1445{
c6ca97b3
JA		 1446 if ((req->flags & REQ_F_LINK) || io_is_fallback_req(req))
1447 return false;
e94f141b 1448
c6ca97b3
JA		 1449 if (!(req->flags & REQ_F_FIXED_FILE) || req->io)
1450 rb->need_iter++;
1451
1452 rb->reqs[rb->to_free++] = req;
1453 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1454 io_free_req_many(req->ctx, rb);
1455 return true;
e94f141b
JA		 1456}
1457
def596e9
JA		 1458/*
1459 * Find and free completed poll iocbs
1460 */
1461static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1462 struct list_head *done)
1463{
8237e045 1464 struct req_batch rb;
def596e9 1465 struct io_kiocb *req;
def596e9 1466
c6ca97b3 1467 rb.to_free = rb.need_iter = 0;
def596e9
JA		 1468 while (!list_empty(done)) {
1469 req = list_first_entry(done, struct io_kiocb, list);
1470 list_del(&req->list);
1471
78e19bbe 1472 io_cqring_fill_event(req, req->result);
def596e9
JA		 1473 (*nr_events)++;
1474
8237e045
JA		 1475 if (refcount_dec_and_test(&req->refs) &&
1476 !io_req_multi_free(&rb, req))
1477 io_free_req(req);
def596e9 1478 }
def596e9 1479
09bb8394 1480 io_commit_cqring(ctx);
8237e045 1481 io_free_req_many(ctx, &rb);
def596e9
JA		 1482}
1483
1484static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1485 long min)
1486{
1487 struct io_kiocb *req, *tmp;
1488 LIST_HEAD(done);
1489 bool spin;
1490 int ret;
1491
1492 /*
1493 * Only spin for completions if we don't have multiple devices hanging
1494 * off our complete list, and we're under the requested amount.
1495 */
1496 spin = !ctx->poll_multi_file && *nr_events < min;
1497
1498 ret = 0;
1499 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1500 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1501
1502 /*
1503 * Move completed entries to our local list. If we find a
1504 * request that requires polling, break out and complete
1505 * the done list first, if we have entries there.
1506 */
1507 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1508 list_move_tail(&req->list, &done);
1509 continue;
1510 }
1511 if (!list_empty(&done))
1512 break;
1513
1514 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1515 if (ret < 0)
1516 break;
1517
1518 if (ret && spin)
1519 spin = false;
1520 ret = 0;
1521 }
1522
1523 if (!list_empty(&done))
1524 io_iopoll_complete(ctx, nr_events, &done);
1525
1526 return ret;
1527}
1528
1529/*
d195a66e 1530 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1531 * non-spinning poll check - we'll still enter the driver poll loop, but only
1532 * as a non-spinning completion check.
1533 */
1534static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1535 long min)
1536{
08f5439f 1537 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1538 int ret;
1539
1540 ret = io_do_iopoll(ctx, nr_events, min);
1541 if (ret < 0)
1542 return ret;
1543 if (!min || *nr_events >= min)
1544 return 0;
1545 }
1546
1547 return 1;
1548}
1549
1550/*
1551 * We can't just wait for polled events to come to us, we have to actively
1552 * find and complete them.
1553 */
1554static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1555{
1556 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1557 return;
1558
1559 mutex_lock(&ctx->uring_lock);
1560 while (!list_empty(&ctx->poll_list)) {
1561 unsigned int nr_events = 0;
1562
1563 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1564
1565 /*
1566 * Ensure we allow local-to-the-cpu processing to take place,
1567 * in this case we need to ensure that we reap all events.
1568 */
1569 cond_resched();
def596e9
JA		 1570 }
1571 mutex_unlock(&ctx->uring_lock);
1572}
1573
2b2ed975
JA		 1574static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1575 long min)
def596e9 1576{
2b2ed975 1577 int iters = 0, ret = 0;
500f9fba 1578
def596e9
JA		 1579 do {
1580 int tmin = 0;
1581
a3a0e43f
JA		 1582 /*
1583 * Don't enter poll loop if we already have events pending.
1584 * If we do, we can potentially be spinning for commands that
1585 * already triggered a CQE (eg in error).
1586 */
1d7bb1d5 1587 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1588 break;
1589
500f9fba
JA		 1590 /*
1591 * If a submit got punted to a workqueue, we can have the
1592 * application entering polling for a command before it gets
1593 * issued. That app will hold the uring_lock for the duration
1594 * of the poll right here, so we need to take a breather every
1595 * now and then to ensure that the issue has a chance to add
1596 * the poll to the issued list. Otherwise we can spin here
1597 * forever, while the workqueue is stuck trying to acquire the
1598 * very same mutex.
1599 */
1600 if (!(++iters & 7)) {
1601 mutex_unlock(&ctx->uring_lock);
1602 mutex_lock(&ctx->uring_lock);
1603 }
1604
def596e9
JA		 1605 if (*nr_events < min)
1606 tmin = min - *nr_events;
1607
1608 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1609 if (ret <= 0)
1610 break;
1611 ret = 0;
1612 } while (min && !*nr_events && !need_resched());
1613
2b2ed975
JA		 1614 return ret;
1615}
1616
1617static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1618 long min)
1619{
1620 int ret;
1621
1622 /*
1623 * We disallow the app entering submit/complete with polling, but we
1624 * still need to lock the ring to prevent racing with polled issue
1625 * that got punted to a workqueue.
1626 */
1627 mutex_lock(&ctx->uring_lock);
1628 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1629 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1630 return ret;
1631}
1632
491381ce 1633static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1634{
491381ce
JA		 1635 /*
1636 * Tell lockdep we inherited freeze protection from submission
1637 * thread.
1638 */
1639 if (req->flags & REQ_F_ISREG) {
1640 struct inode *inode = file_inode(req->file);
2b188cc1 1641
491381ce 1642 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1643 }
491381ce 1644 file_end_write(req->file);
2b188cc1
JA		 1645}
1646
4e88d6e7
JA		 1647static inline void req_set_fail_links(struct io_kiocb *req)
1648{
1649 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1650 req->flags |= REQ_F_FAIL_LINK;
1651}
1652
ba816ad6 1653static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1654{
9adbd45d 1655 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1656
491381ce
JA		 1657 if (kiocb->ki_flags & IOCB_WRITE)
1658 kiocb_end_write(req);
2b188cc1 1659
4e88d6e7
JA		 1660 if (res != req->result)
1661 req_set_fail_links(req);
78e19bbe 1662 io_cqring_add_event(req, res);
ba816ad6
JA		 1663}
1664
1665static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1666{
9adbd45d 1667 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1668
1669 io_complete_rw_common(kiocb, res);
e65ef56d 1670 io_put_req(req);
2b188cc1
JA		 1671}
1672
ba816ad6
JA		 1673static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1674{
9adbd45d 1675 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1676 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1677
1678 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1679 io_put_req_find_next(req, &nxt);
1680
1681 return nxt;
2b188cc1
JA		 1682}
1683
def596e9
JA		 1684static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1685{
9adbd45d 1686 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1687
491381ce
JA		 1688 if (kiocb->ki_flags & IOCB_WRITE)
1689 kiocb_end_write(req);
def596e9 1690
4e88d6e7
JA		 1691 if (res != req->result)
1692 req_set_fail_links(req);
9e645e11 1693 req->result = res;
def596e9
JA		 1694 if (res != -EAGAIN)
1695 req->flags |= REQ_F_IOPOLL_COMPLETED;
1696}
1697
1698/*
1699 * After the iocb has been issued, it's safe to be found on the poll list.
1700 * Adding the kiocb to the list AFTER submission ensures that we don't
1701 * find it from a io_iopoll_getevents() thread before the issuer is done
1702 * accessing the kiocb cookie.
1703 */
1704static void io_iopoll_req_issued(struct io_kiocb *req)
1705{
1706 struct io_ring_ctx *ctx = req->ctx;
1707
1708 /*
1709 * Track whether we have multiple files in our lists. This will impact
1710 * how we do polling eventually, not spinning if we're on potentially
1711 * different devices.
1712 */
1713 if (list_empty(&ctx->poll_list)) {
1714 ctx->poll_multi_file = false;
1715 } else if (!ctx->poll_multi_file) {
1716 struct io_kiocb *list_req;
1717
1718 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1719 list);
9adbd45d 1720 if (list_req->file != req->file)
def596e9
JA		 1721 ctx->poll_multi_file = true;
1722 }
1723
1724 /*
1725 * For fast devices, IO may have already completed. If it has, add
1726 * it to the front so we find it first.
1727 */
1728 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1729 list_add(&req->list, &ctx->poll_list);
1730 else
1731 list_add_tail(&req->list, &ctx->poll_list);
1732}
1733
3d6770fb 1734static void io_file_put(struct io_submit_state *state)
9a56a232 1735{
3d6770fb 1736 if (state->file) {
9a56a232
JA		 1737 int diff = state->has_refs - state->used_refs;
1738
1739 if (diff)
1740 fput_many(state->file, diff);
1741 state->file = NULL;
1742 }
1743}
1744
1745/*
1746 * Get as many references to a file as we have IOs left in this submission,
1747 * assuming most submissions are for one file, or at least that each file
1748 * has more than one submission.
1749 */
1750static struct file *io_file_get(struct io_submit_state *state, int fd)
1751{
1752 if (!state)
1753 return fget(fd);
1754
1755 if (state->file) {
1756 if (state->fd == fd) {
1757 state->used_refs++;
1758 state->ios_left--;
1759 return state->file;
1760 }
3d6770fb 1761 io_file_put(state);
9a56a232
JA		 1762 }
1763 state->file = fget_many(fd, state->ios_left);
1764 if (!state->file)
1765 return NULL;
1766
1767 state->fd = fd;
1768 state->has_refs = state->ios_left;
1769 state->used_refs = 1;
1770 state->ios_left--;
1771 return state->file;
1772}
1773
2b188cc1
JA		 1774/*
1775 * If we tracked the file through the SCM inflight mechanism, we could support
1776 * any file. For now, just ensure that anything potentially problematic is done
1777 * inline.
1778 */
1779static bool io_file_supports_async(struct file *file)
1780{
1781 umode_t mode = file_inode(file)->i_mode;
1782
10d59345 1783 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1784 return true;
1785 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1786 return true;
1787
1788 return false;
1789}
1790
3529d8c2
JA		 1791static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1792 bool force_nonblock)
2b188cc1 1793{
def596e9 1794 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1795 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1796 unsigned ioprio;
1797 int ret;
2b188cc1 1798
09bb8394
JA		 1799 if (!req->file)
1800 return -EBADF;
2b188cc1 1801
491381ce
JA		 1802 if (S_ISREG(file_inode(req->file)->i_mode))
1803 req->flags |= REQ_F_ISREG;
1804
2b188cc1 1805 kiocb->ki_pos = READ_ONCE(sqe->off);
ba04291e
JA		 1806 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1807 req->flags |= REQ_F_CUR_POS;
1808 kiocb->ki_pos = req->file->f_pos;
1809 }
2b188cc1
JA		 1810 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1811 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1812
1813 ioprio = READ_ONCE(sqe->ioprio);
1814 if (ioprio) {
1815 ret = ioprio_check_cap(ioprio);
1816 if (ret)
09bb8394 1817 return ret;
2b188cc1
JA		 1818
1819 kiocb->ki_ioprio = ioprio;
1820 } else
1821 kiocb->ki_ioprio = get_current_ioprio();
1822
1823 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1824 if (unlikely(ret))
09bb8394 1825 return ret;
8449eeda
SB		 1826
1827 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1828 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1829 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1830 req->flags |= REQ_F_NOWAIT;
1831
1832 if (force_nonblock)
2b188cc1 1833 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1834
def596e9 1835 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1836 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1837 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1838 return -EOPNOTSUPP;
2b188cc1 1839
def596e9
JA		 1840 kiocb->ki_flags |= IOCB_HIPRI;
1841 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1842 req->result = 0;
def596e9 1843 } else {
09bb8394
JA		 1844 if (kiocb->ki_flags & IOCB_HIPRI)
1845 return -EINVAL;
def596e9
JA		 1846 kiocb->ki_complete = io_complete_rw;
1847 }
9adbd45d 1848
3529d8c2
JA		 1849 req->rw.addr = READ_ONCE(sqe->addr);
1850 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1851 /* we own ->private, reuse it for the buffer index */
1852 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1853 READ_ONCE(sqe->buf_index);
2b188cc1 1854 return 0;
2b188cc1
JA		 1855}
1856
1857static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1858{
1859 switch (ret) {
1860 case -EIOCBQUEUED:
1861 break;
1862 case -ERESTARTSYS:
1863 case -ERESTARTNOINTR:
1864 case -ERESTARTNOHAND:
1865 case -ERESTART_RESTARTBLOCK:
1866 /*
1867 * We can't just restart the syscall, since previously
1868 * submitted sqes may already be in progress. Just fail this
1869 * IO with EINTR.
1870 */
1871 ret = -EINTR;
1872 /* fall through */
1873 default:
1874 kiocb->ki_complete(kiocb, ret, 0);
1875 }
1876}
1877
ba816ad6
JA		 1878static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1879 bool in_async)
1880{
ba04291e
JA		 1881 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1882
1883 if (req->flags & REQ_F_CUR_POS)
1884 req->file->f_pos = kiocb->ki_pos;
f9bd67f6 1885 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1886 *nxt = __io_complete_rw(kiocb, ret);
1887 else
1888 io_rw_done(kiocb, ret);
1889}
1890
9adbd45d 1891static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 1892 struct iov_iter *iter)
edafccee 1893{
9adbd45d
JA		 1894 struct io_ring_ctx *ctx = req->ctx;
1895 size_t len = req->rw.len;
edafccee
JA		 1896 struct io_mapped_ubuf *imu;
1897 unsigned index, buf_index;
1898 size_t offset;
1899 u64 buf_addr;
1900
1901 /* attempt to use fixed buffers without having provided iovecs */
1902 if (unlikely(!ctx->user_bufs))
1903 return -EFAULT;
1904
9adbd45d 1905 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 1906 if (unlikely(buf_index >= ctx->nr_user_bufs))
1907 return -EFAULT;
1908
1909 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1910 imu = &ctx->user_bufs[index];
9adbd45d 1911 buf_addr = req->rw.addr;
edafccee
JA		 1912
1913 /* overflow */
1914 if (buf_addr + len < buf_addr)
1915 return -EFAULT;
1916 /* not inside the mapped region */
1917 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1918 return -EFAULT;
1919
1920 /*
1921 * May not be a start of buffer, set size appropriately
1922 * and advance us to the beginning.
1923 */
1924 offset = buf_addr - imu->ubuf;
1925 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1926
1927 if (offset) {
1928 /*
1929 * Don't use iov_iter_advance() here, as it's really slow for
1930 * using the latter parts of a big fixed buffer - it iterates
1931 * over each segment manually. We can cheat a bit here, because
1932 * we know that:
1933 *
1934 * 1) it's a BVEC iter, we set it up
1935 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1936 * first and last bvec
1937 *
1938 * So just find our index, and adjust the iterator afterwards.
1939 * If the offset is within the first bvec (or the whole first
1940 * bvec, just use iov_iter_advance(). This makes it easier
1941 * since we can just skip the first segment, which may not
1942 * be PAGE_SIZE aligned.
1943 */
1944 const struct bio_vec *bvec = imu->bvec;
1945
1946 if (offset <= bvec->bv_len) {
1947 iov_iter_advance(iter, offset);
1948 } else {
1949 unsigned long seg_skip;
1950
1951 /* skip first vec */
1952 offset -= bvec->bv_len;
1953 seg_skip = 1 + (offset >> PAGE_SHIFT);
1954
1955 iter->bvec = bvec + seg_skip;
1956 iter->nr_segs -= seg_skip;
99c79f66 1957 iter->count -= bvec->bv_len + offset;
bd11b3a3 1958 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1959 }
1960 }
1961
5e559561 1962 return len;
edafccee
JA		 1963}
1964
cf6fd4bd
PB		 1965static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1966 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1967{
9adbd45d
JA		 1968 void __user *buf = u64_to_user_ptr(req->rw.addr);
1969 size_t sqe_len = req->rw.len;
edafccee
JA		 1970 u8 opcode;
1971
d625c6ee 1972 opcode = req->opcode;
7d009165 1973 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1974 *iovec = NULL;
9adbd45d 1975 return io_import_fixed(req, rw, iter);
edafccee 1976 }
2b188cc1 1977
9adbd45d
JA		 1978 /* buffer index only valid with fixed read/write */
1979 if (req->rw.kiocb.private)
1980 return -EINVAL;
1981
3a6820f2
JA		 1982 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
1983 ssize_t ret;
1984 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
1985 *iovec = NULL;
1986 return ret;
1987 }
1988
f67676d1
JA		 1989 if (req->io) {
1990 struct io_async_rw *iorw = &req->io->rw;
1991
1992 *iovec = iorw->iov;
1993 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1994 if (iorw->iov == iorw->fast_iov)
1995 *iovec = NULL;
1996 return iorw->size;
1997 }
1998
cf6fd4bd 1999 if (!req->has_user)
2b188cc1
JA		 2000 return -EFAULT;
2001
2002#ifdef CONFIG_COMPAT
cf6fd4bd 2003 if (req->ctx->compat)
2b188cc1
JA		 2004 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2005 iovec, iter);
2006#endif
2007
2008 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2009}
2010
31b51510 2011/*
32960613
JA		 2012 * For files that don't have ->read_iter() and ->write_iter(), handle them
2013 * by looping over ->read() or ->write() manually.
31b51510 2014 */
32960613
JA		 2015static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2016 struct iov_iter *iter)
2017{
2018 ssize_t ret = 0;
2019
2020 /*
2021 * Don't support polled IO through this interface, and we can't
2022 * support non-blocking either. For the latter, this just causes
2023 * the kiocb to be handled from an async context.
2024 */
2025 if (kiocb->ki_flags & IOCB_HIPRI)
2026 return -EOPNOTSUPP;
2027 if (kiocb->ki_flags & IOCB_NOWAIT)
2028 return -EAGAIN;
2029
2030 while (iov_iter_count(iter)) {
311ae9e1 2031 struct iovec iovec;
32960613
JA		 2032 ssize_t nr;
2033
311ae9e1
PB		 2034 if (!iov_iter_is_bvec(iter)) {
2035 iovec = iov_iter_iovec(iter);
2036 } else {
2037 /* fixed buffers import bvec */
2038 iovec.iov_base = kmap(iter->bvec->bv_page)
2039 + iter->iov_offset;
2040 iovec.iov_len = min(iter->count,
2041 iter->bvec->bv_len - iter->iov_offset);
2042 }
2043
32960613
JA		 2044 if (rw == READ) {
2045 nr = file->f_op->read(file, iovec.iov_base,
2046 iovec.iov_len, &kiocb->ki_pos);
2047 } else {
2048 nr = file->f_op->write(file, iovec.iov_base,
2049 iovec.iov_len, &kiocb->ki_pos);
2050 }
2051
311ae9e1
PB		 2052 if (iov_iter_is_bvec(iter))
2053 kunmap(iter->bvec->bv_page);
2054
32960613
JA		 2055 if (nr < 0) {
2056 if (!ret)
2057 ret = nr;
2058 break;
2059 }
2060 ret += nr;
2061 if (nr != iovec.iov_len)
2062 break;
2063 iov_iter_advance(iter, nr);
2064 }
2065
2066 return ret;
2067}
2068
b7bb4f7d 2069static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 2070 struct iovec *iovec, struct iovec *fast_iov,
2071 struct iov_iter *iter)
2072{
2073 req->io->rw.nr_segs = iter->nr_segs;
2074 req->io->rw.size = io_size;
2075 req->io->rw.iov = iovec;
2076 if (!req->io->rw.iov) {
2077 req->io->rw.iov = req->io->rw.fast_iov;
2078 memcpy(req->io->rw.iov, fast_iov,
2079 sizeof(struct iovec) * iter->nr_segs);
2080 }
2081}
2082
b7bb4f7d 2083static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1 2084{
d3656344
JA		 2085 if (!io_op_defs[req->opcode].async_ctx)
2086 return 0;
f67676d1 2087 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 2088 return req->io == NULL;
b7bb4f7d
JA		 2089}
2090
2091static void io_rw_async(struct io_wq_work **workptr)
2092{
2093 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2094 struct iovec *iov = NULL;
2095
2096 if (req->io->rw.iov != req->io->rw.fast_iov)
2097 iov = req->io->rw.iov;
2098 io_wq_submit_work(workptr);
2099 kfree(iov);
2100}
2101
2102static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2103 struct iovec *iovec, struct iovec *fast_iov,
2104 struct iov_iter *iter)
2105{
74566df3
JA		 2106 if (req->opcode == IORING_OP_READ_FIXED ||
2107 req->opcode == IORING_OP_WRITE_FIXED)
2108 return 0;
b7bb4f7d
JA		 2109 if (!req->io && io_alloc_async_ctx(req))
2110 return -ENOMEM;
2111
2112 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2113 req->work.func = io_rw_async;
2114 return 0;
f67676d1
JA		 2115}
2116
3529d8c2
JA		 2117static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2118 bool force_nonblock)
f67676d1 2119{
3529d8c2
JA		 2120 struct io_async_ctx *io;
2121 struct iov_iter iter;
f67676d1
JA		 2122 ssize_t ret;
2123
3529d8c2
JA		 2124 ret = io_prep_rw(req, sqe, force_nonblock);
2125 if (ret)
2126 return ret;
f67676d1 2127
3529d8c2
JA		 2128 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2129 return -EBADF;
f67676d1 2130
3529d8c2
JA		 2131 if (!req->io)
2132 return 0;
2133
2134 io = req->io;
2135 io->rw.iov = io->rw.fast_iov;
2136 req->io = NULL;
2137 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2138 req->io = io;
2139 if (ret < 0)
2140 return ret;
2141
2142 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2143 return 0;
f67676d1
JA		 2144}
2145
267bc904 2146static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2147 bool force_nonblock)
2b188cc1
JA		 2148{
2149 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2150 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2151 struct iov_iter iter;
31b51510 2152 size_t iov_count;
f67676d1 2153 ssize_t io_size, ret;
2b188cc1 2154
3529d8c2 2155 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 2156 if (ret < 0)
2157 return ret;
2b188cc1 2158
fd6c2e4c
JA		 2159 /* Ensure we clear previously set non-block flag */
2160 if (!force_nonblock)
9adbd45d 2161 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2162
797f3f53 2163 req->result = 0;
f67676d1 2164 io_size = ret;
9e645e11 2165 if (req->flags & REQ_F_LINK)
f67676d1
JA		 2166 req->result = io_size;
2167
2168 /*
2169 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2170 * we know to async punt it even if it was opened O_NONBLOCK
2171 */
9adbd45d 2172 if (force_nonblock && !io_file_supports_async(req->file)) {
f67676d1
JA		 2173 req->flags |= REQ_F_MUST_PUNT;
2174 goto copy_iov;
2175 }
9e645e11 2176
31b51510 2177 iov_count = iov_iter_count(&iter);
9adbd45d 2178 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 2179 if (!ret) {
2180 ssize_t ret2;
2181
9adbd45d
JA		 2182 if (req->file->f_op->read_iter)
2183 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 2184 else
9adbd45d 2185 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 2186
9d93a3f5 2187 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 2188 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2189 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2190 } else {
2191copy_iov:
b7bb4f7d 2192 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2193 inline_vecs, &iter);
2194 if (ret)
2195 goto out_free;
2196 return -EAGAIN;
2197 }
2b188cc1 2198 }
f67676d1 2199out_free:
b7bb4f7d
JA		 2200 if (!io_wq_current_is_worker())
2201 kfree(iovec);
2b188cc1
JA		 2202 return ret;
2203}
2204
3529d8c2
JA		 2205static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2206 bool force_nonblock)
f67676d1 2207{
3529d8c2
JA		 2208 struct io_async_ctx *io;
2209 struct iov_iter iter;
f67676d1
JA		 2210 ssize_t ret;
2211
3529d8c2
JA		 2212 ret = io_prep_rw(req, sqe, force_nonblock);
2213 if (ret)
2214 return ret;
f67676d1 2215
3529d8c2
JA		 2216 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2217 return -EBADF;
f67676d1 2218
3529d8c2
JA		 2219 if (!req->io)
2220 return 0;
2221
2222 io = req->io;
2223 io->rw.iov = io->rw.fast_iov;
2224 req->io = NULL;
2225 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2226 req->io = io;
2227 if (ret < 0)
2228 return ret;
2229
2230 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2231 return 0;
f67676d1
JA		 2232}
2233
267bc904 2234static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2235 bool force_nonblock)
2b188cc1
JA		 2236{
2237 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2238 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2239 struct iov_iter iter;
31b51510 2240 size_t iov_count;
f67676d1 2241 ssize_t ret, io_size;
2b188cc1 2242
3529d8c2 2243 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 2244 if (ret < 0)
2245 return ret;
2b188cc1 2246
fd6c2e4c
JA		 2247 /* Ensure we clear previously set non-block flag */
2248 if (!force_nonblock)
9adbd45d 2249 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2250
797f3f53 2251 req->result = 0;
f67676d1 2252 io_size = ret;
9e645e11 2253 if (req->flags & REQ_F_LINK)
f67676d1 2254 req->result = io_size;
9e645e11 2255
f67676d1
JA		 2256 /*
2257 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2258 * we know to async punt it even if it was opened O_NONBLOCK
2259 */
2260 if (force_nonblock && !io_file_supports_async(req->file)) {
2261 req->flags |= REQ_F_MUST_PUNT;
2262 goto copy_iov;
2263 }
31b51510 2264
10d59345
JA		 2265 /* file path doesn't support NOWAIT for non-direct_IO */
2266 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2267 (req->flags & REQ_F_ISREG))
f67676d1 2268 goto copy_iov;
31b51510 2269
f67676d1 2270 iov_count = iov_iter_count(&iter);
9adbd45d 2271 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 2272 if (!ret) {
9bf7933f
RP		 2273 ssize_t ret2;
2274
2b188cc1
JA		 2275 /*
2276 * Open-code file_start_write here to grab freeze protection,
2277 * which will be released by another thread in
2278 * io_complete_rw(). Fool lockdep by telling it the lock got
2279 * released so that it doesn't complain about the held lock when
2280 * we return to userspace.
2281 */
491381ce 2282 if (req->flags & REQ_F_ISREG) {
9adbd45d 2283 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 2284 SB_FREEZE_WRITE, true);
9adbd45d 2285 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 2286 SB_FREEZE_WRITE);
2287 }
2288 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 2289
9adbd45d
JA		 2290 if (req->file->f_op->write_iter)
2291 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 2292 else
9adbd45d 2293 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
f67676d1 2294 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2295 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2296 } else {
2297copy_iov:
b7bb4f7d 2298 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2299 inline_vecs, &iter);
2300 if (ret)
2301 goto out_free;
2302 return -EAGAIN;
2303 }
2b188cc1 2304 }
31b51510 2305out_free:
b7bb4f7d
JA		 2306 if (!io_wq_current_is_worker())
2307 kfree(iovec);
2b188cc1
JA		 2308 return ret;
2309}
2310
2311/*
2312 * IORING_OP_NOP just posts a completion event, nothing else.
2313 */
78e19bbe 2314static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 2315{
2316 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2317
def596e9
JA		 2318 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2319 return -EINVAL;
2320
78e19bbe 2321 io_cqring_add_event(req, 0);
e65ef56d 2322 io_put_req(req);
2b188cc1
JA		 2323 return 0;
2324}
2325
3529d8c2 2326static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2327{
6b06314c 2328 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2329
09bb8394
JA		 2330 if (!req->file)
2331 return -EBADF;
c992fe29 2332
6b06314c 2333 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2334 return -EINVAL;
edafccee 2335 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2336 return -EINVAL;
2337
8ed8d3c3
JA		 2338 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2339 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2340 return -EINVAL;
2341
2342 req->sync.off = READ_ONCE(sqe->off);
2343 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2344 return 0;
2345}
2346
8ed8d3c3
JA		 2347static bool io_req_cancelled(struct io_kiocb *req)
2348{
2349 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2350 req_set_fail_links(req);
2351 io_cqring_add_event(req, -ECANCELED);
2352 io_put_req(req);
2353 return true;
2354 }
2355
2356 return false;
2357}
2358
78912934
JA		 2359static void io_link_work_cb(struct io_wq_work **workptr)
2360{
2361 struct io_wq_work *work = *workptr;
2362 struct io_kiocb *link = work->data;
2363
2364 io_queue_linked_timeout(link);
2365 work->func = io_wq_submit_work;
2366}
2367
2368static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2369{
2370 struct io_kiocb *link;
2371
2372 io_prep_async_work(nxt, &link);
2373 *workptr = &nxt->work;
2374 if (link) {
2375 nxt->work.flags |= IO_WQ_WORK_CB;
2376 nxt->work.func = io_link_work_cb;
2377 nxt->work.data = link;
2378 }
2379}
2380
8ed8d3c3
JA		 2381static void io_fsync_finish(struct io_wq_work **workptr)
2382{
2383 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2384 loff_t end = req->sync.off + req->sync.len;
2385 struct io_kiocb *nxt = NULL;
2386 int ret;
2387
2388 if (io_req_cancelled(req))
2389 return;
2390
9adbd45d 2391 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2392 end > 0 ? end : LLONG_MAX,
2393 req->sync.flags & IORING_FSYNC_DATASYNC);
2394 if (ret < 0)
2395 req_set_fail_links(req);
2396 io_cqring_add_event(req, ret);
2397 io_put_req_find_next(req, &nxt);
2398 if (nxt)
78912934 2399 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2400}
2401
fc4df999
JA		 2402static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2403 bool force_nonblock)
c992fe29 2404{
8ed8d3c3 2405 struct io_wq_work *work, *old_work;
c992fe29
CH		 2406
2407 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2408 if (force_nonblock) {
2409 io_put_req(req);
2410 req->work.func = io_fsync_finish;
c992fe29 2411 return -EAGAIN;
8ed8d3c3 2412 }
c992fe29 2413
8ed8d3c3
JA		 2414 work = old_work = &req->work;
2415 io_fsync_finish(&work);
2416 if (work && work != old_work)
2417 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2418 return 0;
2419}
2420
d63d1b5e
JA		 2421static void io_fallocate_finish(struct io_wq_work **workptr)
2422{
2423 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2424 struct io_kiocb *nxt = NULL;
2425 int ret;
2426
2427 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2428 req->sync.len);
2429 if (ret < 0)
2430 req_set_fail_links(req);
2431 io_cqring_add_event(req, ret);
2432 io_put_req_find_next(req, &nxt);
2433 if (nxt)
2434 io_wq_assign_next(workptr, nxt);
2435}
2436
2437static int io_fallocate_prep(struct io_kiocb *req,
2438 const struct io_uring_sqe *sqe)
2439{
2440 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2441 return -EINVAL;
2442
2443 req->sync.off = READ_ONCE(sqe->off);
2444 req->sync.len = READ_ONCE(sqe->addr);
2445 req->sync.mode = READ_ONCE(sqe->len);
2446 return 0;
2447}
2448
2449static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2450 bool force_nonblock)
2451{
2452 struct io_wq_work *work, *old_work;
2453
2454 /* fallocate always requiring blocking context */
2455 if (force_nonblock) {
2456 io_put_req(req);
2457 req->work.func = io_fallocate_finish;
2458 return -EAGAIN;
2459 }
2460
2461 work = old_work = &req->work;
2462 io_fallocate_finish(&work);
2463 if (work && work != old_work)
2464 *nxt = container_of(work, struct io_kiocb, work);
2465
2466 return 0;
2467}
2468
15b71abe
JA		 2469static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2470{
2471 int ret;
2472
2473 if (sqe->ioprio || sqe->buf_index)
2474 return -EINVAL;
2475
2476 req->open.dfd = READ_ONCE(sqe->fd);
2477 req->open.mode = READ_ONCE(sqe->len);
2478 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2479 req->open.flags = READ_ONCE(sqe->open_flags);
2480
2481 req->open.filename = getname(req->open.fname);
2482 if (IS_ERR(req->open.filename)) {
2483 ret = PTR_ERR(req->open.filename);
2484 req->open.filename = NULL;
2485 return ret;
2486 }
2487
2488 return 0;
2489}
2490
2491static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2492 bool force_nonblock)
2493{
2494 struct open_flags op;
2495 struct open_how how;
2496 struct file *file;
2497 int ret;
2498
2499 if (force_nonblock) {
2500 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2501 return -EAGAIN;
2502 }
2503
2504 how = build_open_how(req->open.flags, req->open.mode);
2505 ret = build_open_flags(&how, &op);
2506 if (ret)
2507 goto err;
2508
2509 ret = get_unused_fd_flags(how.flags);
2510 if (ret < 0)
2511 goto err;
2512
2513 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2514 if (IS_ERR(file)) {
2515 put_unused_fd(ret);
2516 ret = PTR_ERR(file);
2517 } else {
2518 fsnotify_open(file);
2519 fd_install(ret, file);
2520 }
2521err:
2522 putname(req->open.filename);
2523 if (ret < 0)
2524 req_set_fail_links(req);
2525 io_cqring_add_event(req, ret);
2526 io_put_req_find_next(req, nxt);
2527 return 0;
2528}
2529
c1ca757b
JA		 2530static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2531{
2532#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2533 if (sqe->ioprio || sqe->buf_index || sqe->off)
2534 return -EINVAL;
2535
2536 req->madvise.addr = READ_ONCE(sqe->addr);
2537 req->madvise.len = READ_ONCE(sqe->len);
2538 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2539 return 0;
2540#else
2541 return -EOPNOTSUPP;
2542#endif
2543}
2544
2545static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2546 bool force_nonblock)
2547{
2548#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2549 struct io_madvise *ma = &req->madvise;
2550 int ret;
2551
2552 if (force_nonblock)
2553 return -EAGAIN;
2554
2555 ret = do_madvise(ma->addr, ma->len, ma->advice);
2556 if (ret < 0)
2557 req_set_fail_links(req);
2558 io_cqring_add_event(req, ret);
2559 io_put_req_find_next(req, nxt);
2560 return 0;
2561#else
2562 return -EOPNOTSUPP;
2563#endif
2564}
2565
4840e418
JA		 2566static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2567{
2568 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2569 return -EINVAL;
2570
2571 req->fadvise.offset = READ_ONCE(sqe->off);
2572 req->fadvise.len = READ_ONCE(sqe->len);
2573 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2574 return 0;
2575}
2576
2577static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2578 bool force_nonblock)
2579{
2580 struct io_fadvise *fa = &req->fadvise;
2581 int ret;
2582
2583 /* DONTNEED may block, others _should_ not */
2584 if (fa->advice == POSIX_FADV_DONTNEED && force_nonblock)
2585 return -EAGAIN;
2586
2587 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2588 if (ret < 0)
2589 req_set_fail_links(req);
2590 io_cqring_add_event(req, ret);
2591 io_put_req_find_next(req, nxt);
2592 return 0;
2593}
2594
eddc7ef5
JA		 2595static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2596{
2597 unsigned lookup_flags;
2598 int ret;
2599
2600 if (sqe->ioprio || sqe->buf_index)
2601 return -EINVAL;
2602
2603 req->open.dfd = READ_ONCE(sqe->fd);
2604 req->open.mask = READ_ONCE(sqe->len);
2605 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2606 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2607 req->open.flags = READ_ONCE(sqe->statx_flags);
2608
2609 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.flags))
2610 return -EINVAL;
2611
2612 req->open.filename = getname_flags(req->open.fname, lookup_flags, NULL);
2613 if (IS_ERR(req->open.filename)) {
2614 ret = PTR_ERR(req->open.filename);
2615 req->open.filename = NULL;
2616 return ret;
2617 }
2618
2619 return 0;
2620}
2621
2622static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2623 bool force_nonblock)
2624{
2625 struct io_open *ctx = &req->open;
2626 unsigned lookup_flags;
2627 struct path path;
2628 struct kstat stat;
2629 int ret;
2630
2631 if (force_nonblock)
2632 return -EAGAIN;
2633
2634 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->flags))
2635 return -EINVAL;
2636
2637retry:
2638 /* filename_lookup() drops it, keep a reference */
2639 ctx->filename->refcnt++;
2640
2641 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2642 NULL);
2643 if (ret)
2644 goto err;
2645
2646 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->flags);
2647 path_put(&path);
2648 if (retry_estale(ret, lookup_flags)) {
2649 lookup_flags |= LOOKUP_REVAL;
2650 goto retry;
2651 }
2652 if (!ret)
2653 ret = cp_statx(&stat, ctx->buffer);
2654err:
2655 putname(ctx->filename);
2656 if (ret < 0)
2657 req_set_fail_links(req);
2658 io_cqring_add_event(req, ret);
2659 io_put_req_find_next(req, nxt);
2660 return 0;
2661}
2662
b5dba59e
JA		 2663static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2664{
2665 /*
2666 * If we queue this for async, it must not be cancellable. That would
2667 * leave the 'file' in an undeterminate state.
2668 */
2669 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2670
2671 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2672 sqe->rw_flags || sqe->buf_index)
2673 return -EINVAL;
2674 if (sqe->flags & IOSQE_FIXED_FILE)
2675 return -EINVAL;
2676
2677 req->close.fd = READ_ONCE(sqe->fd);
2678 if (req->file->f_op == &io_uring_fops ||
2679 req->close.fd == req->ring_fd)
2680 return -EBADF;
2681
2682 return 0;
2683}
2684
2685static void io_close_finish(struct io_wq_work **workptr)
2686{
2687 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2688 struct io_kiocb *nxt = NULL;
2689
2690 /* Invoked with files, we need to do the close */
2691 if (req->work.files) {
2692 int ret;
2693
2694 ret = filp_close(req->close.put_file, req->work.files);
2695 if (ret < 0) {
2696 req_set_fail_links(req);
2697 }
2698 io_cqring_add_event(req, ret);
2699 }
2700
2701 fput(req->close.put_file);
2702
2703 /* we bypassed the re-issue, drop the submission reference */
2704 io_put_req(req);
2705 io_put_req_find_next(req, &nxt);
2706 if (nxt)
2707 io_wq_assign_next(workptr, nxt);
2708}
2709
2710static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2711 bool force_nonblock)
2712{
2713 int ret;
2714
2715 req->close.put_file = NULL;
2716 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2717 if (ret < 0)
2718 return ret;
2719
2720 /* if the file has a flush method, be safe and punt to async */
2721 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2722 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2723 goto eagain;
2724 }
2725
2726 /*
2727 * No ->flush(), safely close from here and just punt the
2728 * fput() to async context.
2729 */
2730 ret = filp_close(req->close.put_file, current->files);
2731
2732 if (ret < 0)
2733 req_set_fail_links(req);
2734 io_cqring_add_event(req, ret);
2735
2736 if (io_wq_current_is_worker()) {
2737 struct io_wq_work *old_work, *work;
2738
2739 old_work = work = &req->work;
2740 io_close_finish(&work);
2741 if (work && work != old_work)
2742 *nxt = container_of(work, struct io_kiocb, work);
2743 return 0;
2744 }
2745
2746eagain:
2747 req->work.func = io_close_finish;
2748 return -EAGAIN;
2749}
2750
3529d8c2 2751static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 2752{
2753 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 2754
2755 if (!req->file)
2756 return -EBADF;
5d17b4a4
JA		 2757
2758 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2759 return -EINVAL;
2760 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2761 return -EINVAL;
2762
8ed8d3c3
JA		 2763 req->sync.off = READ_ONCE(sqe->off);
2764 req->sync.len = READ_ONCE(sqe->len);
2765 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 2766 return 0;
2767}
2768
2769static void io_sync_file_range_finish(struct io_wq_work **workptr)
2770{
2771 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2772 struct io_kiocb *nxt = NULL;
2773 int ret;
2774
2775 if (io_req_cancelled(req))
2776 return;
2777
9adbd45d 2778 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 2779 req->sync.flags);
2780 if (ret < 0)
2781 req_set_fail_links(req);
2782 io_cqring_add_event(req, ret);
2783 io_put_req_find_next(req, &nxt);
2784 if (nxt)
78912934 2785 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2786}
2787
fc4df999 2788static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2789 bool force_nonblock)
2790{
8ed8d3c3 2791 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2792
2793 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2794 if (force_nonblock) {
2795 io_put_req(req);
2796 req->work.func = io_sync_file_range_finish;
5d17b4a4 2797 return -EAGAIN;
8ed8d3c3 2798 }
5d17b4a4 2799
8ed8d3c3
JA		 2800 work = old_work = &req->work;
2801 io_sync_file_range_finish(&work);
2802 if (work && work != old_work)
2803 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2804 return 0;
2805}
2806
b7bb4f7d
JA		 2807#if defined(CONFIG_NET)
2808static void io_sendrecv_async(struct io_wq_work **workptr)
2809{
2810 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2811 struct iovec *iov = NULL;
2812
2813 if (req->io->rw.iov != req->io->rw.fast_iov)
2814 iov = req->io->msg.iov;
2815 io_wq_submit_work(workptr);
2816 kfree(iov);
2817}
2818#endif
2819
3529d8c2 2820static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 2821{
0fa03c62 2822#if defined(CONFIG_NET)
e47293fd 2823 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 2824 struct io_async_ctx *io = req->io;
03b1230c 2825
e47293fd
JA		 2826 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2827 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
fddaface 2828 sr->len = READ_ONCE(sqe->len);
3529d8c2 2829
fddaface 2830 if (!io || req->opcode == IORING_OP_SEND)
3529d8c2
JA		 2831 return 0;
2832
d9688565 2833 io->msg.iov = io->msg.fast_iov;
3529d8c2 2834 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2835 &io->msg.iov);
03b1230c 2836#else
e47293fd 2837 return -EOPNOTSUPP;
03b1230c
JA		 2838#endif
2839}
2840
fc4df999
JA		 2841static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2842 bool force_nonblock)
aa1fa28f 2843{
03b1230c 2844#if defined(CONFIG_NET)
0b416c3e 2845 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2846 struct socket *sock;
2847 int ret;
2848
2849 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2850 return -EINVAL;
2851
2852 sock = sock_from_file(req->file, &ret);
2853 if (sock) {
b7bb4f7d 2854 struct io_async_ctx io;
03b1230c 2855 struct sockaddr_storage addr;
0fa03c62
JA		 2856 unsigned flags;
2857
03b1230c 2858 if (req->io) {
0b416c3e
JA		 2859 kmsg = &req->io->msg;
2860 kmsg->msg.msg_name = &addr;
2861 /* if iov is set, it's allocated already */
2862 if (!kmsg->iov)
2863 kmsg->iov = kmsg->fast_iov;
2864 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2865 } else {
3529d8c2
JA		 2866 struct io_sr_msg *sr = &req->sr_msg;
2867
0b416c3e
JA		 2868 kmsg = &io.msg;
2869 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2870
2871 io.msg.iov = io.msg.fast_iov;
2872 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2873 sr->msg_flags, &io.msg.iov);
03b1230c 2874 if (ret)
3529d8c2 2875 return ret;
03b1230c 2876 }
0fa03c62 2877
e47293fd
JA		 2878 flags = req->sr_msg.msg_flags;
2879 if (flags & MSG_DONTWAIT)
2880 req->flags |= REQ_F_NOWAIT;
2881 else if (force_nonblock)
2882 flags |= MSG_DONTWAIT;
2883
0b416c3e 2884 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2885 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2886 if (req->io)
2887 return -EAGAIN;
2888 if (io_alloc_async_ctx(req))
2889 return -ENOMEM;
2890 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2891 req->work.func = io_sendrecv_async;
0b416c3e 2892 return -EAGAIN;
03b1230c 2893 }
441cdbd5
JA		 2894 if (ret == -ERESTARTSYS)
2895 ret = -EINTR;
0fa03c62
JA		 2896 }
2897
b7bb4f7d 2898 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2899 kfree(kmsg->iov);
78e19bbe 2900 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2901 if (ret < 0)
2902 req_set_fail_links(req);
ec9c02ad 2903 io_put_req_find_next(req, nxt);
5d17b4a4 2904 return 0;
03b1230c
JA		 2905#else
2906 return -EOPNOTSUPP;
aa1fa28f 2907#endif
03b1230c 2908}
aa1fa28f 2909
fddaface
JA		 2910static int io_send(struct io_kiocb *req, struct io_kiocb **nxt,
2911 bool force_nonblock)
2912{
2913#if defined(CONFIG_NET)
2914 struct socket *sock;
2915 int ret;
2916
2917 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2918 return -EINVAL;
2919
2920 sock = sock_from_file(req->file, &ret);
2921 if (sock) {
2922 struct io_sr_msg *sr = &req->sr_msg;
2923 struct msghdr msg;
2924 struct iovec iov;
2925 unsigned flags;
2926
2927 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
2928 &msg.msg_iter);
2929 if (ret)
2930 return ret;
2931
2932 msg.msg_name = NULL;
2933 msg.msg_control = NULL;
2934 msg.msg_controllen = 0;
2935 msg.msg_namelen = 0;
2936
2937 flags = req->sr_msg.msg_flags;
2938 if (flags & MSG_DONTWAIT)
2939 req->flags |= REQ_F_NOWAIT;
2940 else if (force_nonblock)
2941 flags |= MSG_DONTWAIT;
2942
2943 ret = __sys_sendmsg_sock(sock, &msg, flags);
2944 if (force_nonblock && ret == -EAGAIN)
2945 return -EAGAIN;
2946 if (ret == -ERESTARTSYS)
2947 ret = -EINTR;
2948 }
2949
2950 io_cqring_add_event(req, ret);
2951 if (ret < 0)
2952 req_set_fail_links(req);
2953 io_put_req_find_next(req, nxt);
2954 return 0;
2955#else
2956 return -EOPNOTSUPP;
2957#endif
2958}
2959
3529d8c2
JA		 2960static int io_recvmsg_prep(struct io_kiocb *req,
2961 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 2962{
2963#if defined(CONFIG_NET)
e47293fd 2964 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2
JA		 2965 struct io_async_ctx *io = req->io;
2966
2967 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2968 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
06b76d44 2969
fddaface 2970 if (!io || req->opcode == IORING_OP_RECV)
06b76d44 2971 return 0;
03b1230c 2972
d9688565 2973 io->msg.iov = io->msg.fast_iov;
3529d8c2 2974 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2975 &io->msg.uaddr, &io->msg.iov);
aa1fa28f 2976#else
e47293fd 2977 return -EOPNOTSUPP;
aa1fa28f
JA		 2978#endif
2979}
2980
fc4df999
JA		 2981static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2982 bool force_nonblock)
aa1fa28f
JA		 2983{
2984#if defined(CONFIG_NET)
0b416c3e 2985 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 2986 struct socket *sock;
2987 int ret;
2988
2989 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2990 return -EINVAL;
2991
2992 sock = sock_from_file(req->file, &ret);
2993 if (sock) {
b7bb4f7d 2994 struct io_async_ctx io;
03b1230c 2995 struct sockaddr_storage addr;
03b1230c
JA		 2996 unsigned flags;
2997
03b1230c 2998 if (req->io) {
0b416c3e
JA		 2999 kmsg = &req->io->msg;
3000 kmsg->msg.msg_name = &addr;
3001 /* if iov is set, it's allocated already */
3002 if (!kmsg->iov)
3003 kmsg->iov = kmsg->fast_iov;
3004 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 3005 } else {
3529d8c2
JA		 3006 struct io_sr_msg *sr = &req->sr_msg;
3007
0b416c3e
JA		 3008 kmsg = &io.msg;
3009 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 3010
3011 io.msg.iov = io.msg.fast_iov;
3012 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
3013 sr->msg_flags, &io.msg.uaddr,
3014 &io.msg.iov);
03b1230c 3015 if (ret)
3529d8c2 3016 return ret;
03b1230c
JA		 3017 }
3018
e47293fd
JA		 3019 flags = req->sr_msg.msg_flags;
3020 if (flags & MSG_DONTWAIT)
3021 req->flags |= REQ_F_NOWAIT;
3022 else if (force_nonblock)
3023 flags |= MSG_DONTWAIT;
3024
3025 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3026 kmsg->uaddr, flags);
03b1230c 3027 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 3028 if (req->io)
3029 return -EAGAIN;
3030 if (io_alloc_async_ctx(req))
3031 return -ENOMEM;
3032 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
3033 req->work.func = io_sendrecv_async;
0b416c3e 3034 return -EAGAIN;
03b1230c
JA		 3035 }
3036 if (ret == -ERESTARTSYS)
3037 ret = -EINTR;
3038 }
3039
b7bb4f7d 3040 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 3041 kfree(kmsg->iov);
03b1230c 3042 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3043 if (ret < 0)
3044 req_set_fail_links(req);
03b1230c
JA		 3045 io_put_req_find_next(req, nxt);
3046 return 0;
0fa03c62
JA		 3047#else
3048 return -EOPNOTSUPP;
3049#endif
3050}
5d17b4a4 3051
fddaface
JA		 3052static int io_recv(struct io_kiocb *req, struct io_kiocb **nxt,
3053 bool force_nonblock)
3054{
3055#if defined(CONFIG_NET)
3056 struct socket *sock;
3057 int ret;
3058
3059 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3060 return -EINVAL;
3061
3062 sock = sock_from_file(req->file, &ret);
3063 if (sock) {
3064 struct io_sr_msg *sr = &req->sr_msg;
3065 struct msghdr msg;
3066 struct iovec iov;
3067 unsigned flags;
3068
3069 ret = import_single_range(READ, sr->buf, sr->len, &iov,
3070 &msg.msg_iter);
3071 if (ret)
3072 return ret;
3073
3074 msg.msg_name = NULL;
3075 msg.msg_control = NULL;
3076 msg.msg_controllen = 0;
3077 msg.msg_namelen = 0;
3078 msg.msg_iocb = NULL;
3079 msg.msg_flags = 0;
3080
3081 flags = req->sr_msg.msg_flags;
3082 if (flags & MSG_DONTWAIT)
3083 req->flags |= REQ_F_NOWAIT;
3084 else if (force_nonblock)
3085 flags |= MSG_DONTWAIT;
3086
3087 ret = __sys_recvmsg_sock(sock, &msg, NULL, NULL, flags);
3088 if (force_nonblock && ret == -EAGAIN)
3089 return -EAGAIN;
3090 if (ret == -ERESTARTSYS)
3091 ret = -EINTR;
3092 }
3093
3094 io_cqring_add_event(req, ret);
3095 if (ret < 0)
3096 req_set_fail_links(req);
3097 io_put_req_find_next(req, nxt);
3098 return 0;
3099#else
3100 return -EOPNOTSUPP;
3101#endif
3102}
3103
3104
3529d8c2 3105static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 3106{
3107#if defined(CONFIG_NET)
8ed8d3c3
JA		 3108 struct io_accept *accept = &req->accept;
3109
17f2fe35
JA		 3110 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3111 return -EINVAL;
8042d6ce 3112 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 3113 return -EINVAL;
3114
d55e5f5b
JA		 3115 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3116 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 3117 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 3118 return 0;
3119#else
3120 return -EOPNOTSUPP;
3121#endif
3122}
17f2fe35 3123
8ed8d3c3
JA		 3124#if defined(CONFIG_NET)
3125static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3126 bool force_nonblock)
3127{
3128 struct io_accept *accept = &req->accept;
3129 unsigned file_flags;
3130 int ret;
3131
3132 file_flags = force_nonblock ? O_NONBLOCK : 0;
3133 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3134 accept->addr_len, accept->flags);
3135 if (ret == -EAGAIN && force_nonblock)
17f2fe35 3136 return -EAGAIN;
8e3cca12
JA		 3137 if (ret == -ERESTARTSYS)
3138 ret = -EINTR;
4e88d6e7
JA		 3139 if (ret < 0)
3140 req_set_fail_links(req);
78e19bbe 3141 io_cqring_add_event(req, ret);
ec9c02ad 3142 io_put_req_find_next(req, nxt);
17f2fe35 3143 return 0;
8ed8d3c3
JA		 3144}
3145
3146static void io_accept_finish(struct io_wq_work **workptr)
3147{
3148 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3149 struct io_kiocb *nxt = NULL;
3150
3151 if (io_req_cancelled(req))
3152 return;
3153 __io_accept(req, &nxt, false);
3154 if (nxt)
78912934 3155 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 3156}
3157#endif
3158
3159static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3160 bool force_nonblock)
3161{
3162#if defined(CONFIG_NET)
3163 int ret;
3164
8ed8d3c3
JA		 3165 ret = __io_accept(req, nxt, force_nonblock);
3166 if (ret == -EAGAIN && force_nonblock) {
3167 req->work.func = io_accept_finish;
3168 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3169 io_put_req(req);
3170 return -EAGAIN;
3171 }
3172 return 0;
0fa03c62
JA		 3173#else
3174 return -EOPNOTSUPP;
3175#endif
3176}
5d17b4a4 3177
3529d8c2 3178static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 3179{
3180#if defined(CONFIG_NET)
3529d8c2
JA		 3181 struct io_connect *conn = &req->connect;
3182 struct io_async_ctx *io = req->io;
f499a021 3183
3fbb51c1
JA		 3184 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3185 return -EINVAL;
3186 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3187 return -EINVAL;
3188
3529d8c2
JA		 3189 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3190 conn->addr_len = READ_ONCE(sqe->addr2);
3191
3192 if (!io)
3193 return 0;
3194
3195 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 3196 &io->connect.address);
f499a021 3197#else
3fbb51c1 3198 return -EOPNOTSUPP;
f499a021
JA		 3199#endif
3200}
3201
fc4df999
JA		 3202static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3203 bool force_nonblock)
f8e85cf2
JA		 3204{
3205#if defined(CONFIG_NET)
f499a021 3206 struct io_async_ctx __io, *io;
f8e85cf2 3207 unsigned file_flags;
3fbb51c1 3208 int ret;
f8e85cf2 3209
f499a021
JA		 3210 if (req->io) {
3211 io = req->io;
3212 } else {
3529d8c2
JA		 3213 ret = move_addr_to_kernel(req->connect.addr,
3214 req->connect.addr_len,
3215 &__io.connect.address);
f499a021
JA		 3216 if (ret)
3217 goto out;
3218 io = &__io;
3219 }
3220
3fbb51c1
JA		 3221 file_flags = force_nonblock ? O_NONBLOCK : 0;
3222
3223 ret = __sys_connect_file(req->file, &io->connect.address,
3224 req->connect.addr_len, file_flags);
87f80d62 3225 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 3226 if (req->io)
3227 return -EAGAIN;
3228 if (io_alloc_async_ctx(req)) {
f499a021
JA		 3229 ret = -ENOMEM;
3230 goto out;
3231 }
b7bb4f7d 3232 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 3233 return -EAGAIN;
f499a021 3234 }
f8e85cf2
JA		 3235 if (ret == -ERESTARTSYS)
3236 ret = -EINTR;
f499a021 3237out:
4e88d6e7
JA		 3238 if (ret < 0)
3239 req_set_fail_links(req);
f8e85cf2
JA		 3240 io_cqring_add_event(req, ret);
3241 io_put_req_find_next(req, nxt);
3242 return 0;
3243#else
3244 return -EOPNOTSUPP;
3245#endif
3246}
3247
221c5eb2
JA		 3248static void io_poll_remove_one(struct io_kiocb *req)
3249{
3250 struct io_poll_iocb *poll = &req->poll;
3251
3252 spin_lock(&poll->head->lock);
3253 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 3254 if (!list_empty(&poll->wait.entry)) {
3255 list_del_init(&poll->wait.entry);
a197f664 3256 io_queue_async_work(req);
221c5eb2
JA		 3257 }
3258 spin_unlock(&poll->head->lock);
78076bb6 3259 hash_del(&req->hash_node);
221c5eb2
JA		 3260}
3261
3262static void io_poll_remove_all(struct io_ring_ctx *ctx)
3263{
78076bb6 3264 struct hlist_node *tmp;
221c5eb2 3265 struct io_kiocb *req;
78076bb6 3266 int i;
221c5eb2
JA		 3267
3268 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 3269 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3270 struct hlist_head *list;
3271
3272 list = &ctx->cancel_hash[i];
3273 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3274 io_poll_remove_one(req);
221c5eb2
JA		 3275 }
3276 spin_unlock_irq(&ctx->completion_lock);
3277}
3278
47f46768
JA		 3279static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3280{
78076bb6 3281 struct hlist_head *list;
47f46768
JA		 3282 struct io_kiocb *req;
3283
78076bb6
JA		 3284 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3285 hlist_for_each_entry(req, list, hash_node) {
3286 if (sqe_addr == req->user_data) {
eac406c6
JA		 3287 io_poll_remove_one(req);
3288 return 0;
3289 }
47f46768
JA		 3290 }
3291
3292 return -ENOENT;
3293}
3294
3529d8c2
JA		 3295static int io_poll_remove_prep(struct io_kiocb *req,
3296 const struct io_uring_sqe *sqe)
0969e783 3297{
0969e783
JA		 3298 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3299 return -EINVAL;
3300 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3301 sqe->poll_events)
3302 return -EINVAL;
3303
3304 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 3305 return 0;
3306}
3307
221c5eb2
JA		 3308/*
3309 * Find a running poll command that matches one specified in sqe->addr,
3310 * and remove it if found.
3311 */
fc4df999 3312static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 3313{
3314 struct io_ring_ctx *ctx = req->ctx;
0969e783 3315 u64 addr;
47f46768 3316 int ret;
221c5eb2 3317
0969e783 3318 addr = req->poll.addr;
221c5eb2 3319 spin_lock_irq(&ctx->completion_lock);
0969e783 3320 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 3321 spin_unlock_irq(&ctx->completion_lock);
3322
78e19bbe 3323 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3324 if (ret < 0)
3325 req_set_fail_links(req);
e65ef56d 3326 io_put_req(req);
221c5eb2
JA		 3327 return 0;
3328}
3329
b0dd8a41 3330static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 3331{
a197f664
JL		 3332 struct io_ring_ctx *ctx = req->ctx;
3333
8c838788 3334 req->poll.done = true;
b0dd8a41
JA		 3335 if (error)
3336 io_cqring_fill_event(req, error);
3337 else
3338 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 3339 io_commit_cqring(ctx);
221c5eb2
JA		 3340}
3341
561fb04a 3342static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 3343{
561fb04a 3344 struct io_wq_work *work = *workptr;
221c5eb2
JA		 3345 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3346 struct io_poll_iocb *poll = &req->poll;
3347 struct poll_table_struct pt = { ._key = poll->events };
3348 struct io_ring_ctx *ctx = req->ctx;
89723d0b 3349 struct io_kiocb *nxt = NULL;
221c5eb2 3350 __poll_t mask = 0;
b0dd8a41 3351 int ret = 0;
221c5eb2 3352
b0dd8a41 3353 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 3354 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 3355 ret = -ECANCELED;
3356 } else if (READ_ONCE(poll->canceled)) {
3357 ret = -ECANCELED;
3358 }
561fb04a 3359
b0dd8a41 3360 if (ret != -ECANCELED)
221c5eb2
JA		 3361 mask = vfs_poll(poll->file, &pt) & poll->events;
3362
3363 /*
3364 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3365 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3366 * synchronize with them. In the cancellation case the list_del_init
3367 * itself is not actually needed, but harmless so we keep it in to
3368 * avoid further branches in the fast path.
3369 */
3370 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 3371 if (!mask && ret != -ECANCELED) {
392edb45 3372 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 3373 spin_unlock_irq(&ctx->completion_lock);
3374 return;
3375 }
78076bb6 3376 hash_del(&req->hash_node);
b0dd8a41 3377 io_poll_complete(req, mask, ret);
221c5eb2
JA		 3378 spin_unlock_irq(&ctx->completion_lock);
3379
8c838788 3380 io_cqring_ev_posted(ctx);
89723d0b 3381
4e88d6e7
JA		 3382 if (ret < 0)
3383 req_set_fail_links(req);
ec9c02ad 3384 io_put_req_find_next(req, &nxt);
89723d0b 3385 if (nxt)
78912934 3386 io_wq_assign_next(workptr, nxt);
221c5eb2
JA		 3387}
3388
e94f141b
JA		 3389static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3390{
e94f141b 3391 struct io_kiocb *req, *tmp;
8237e045 3392 struct req_batch rb;
e94f141b 3393
c6ca97b3 3394 rb.to_free = rb.need_iter = 0;
e94f141b
JA		 3395 spin_lock_irq(&ctx->completion_lock);
3396 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3397 hash_del(&req->hash_node);
3398 io_poll_complete(req, req->result, 0);
3399
8237e045
JA		 3400 if (refcount_dec_and_test(&req->refs) &&
3401 !io_req_multi_free(&rb, req)) {
3402 req->flags |= REQ_F_COMP_LOCKED;
3403 io_free_req(req);
e94f141b
JA		 3404 }
3405 }
3406 spin_unlock_irq(&ctx->completion_lock);
3407
3408 io_cqring_ev_posted(ctx);
8237e045 3409 io_free_req_many(ctx, &rb);
e94f141b
JA		 3410}
3411
3412static void io_poll_flush(struct io_wq_work **workptr)
3413{
3414 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3415 struct llist_node *nodes;
3416
3417 nodes = llist_del_all(&req->ctx->poll_llist);
3418 if (nodes)
3419 __io_poll_flush(req->ctx, nodes);
3420}
3421
221c5eb2
JA		 3422static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3423 void *key)
3424{
e944475e 3425 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 3426 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3427 struct io_ring_ctx *ctx = req->ctx;
3428 __poll_t mask = key_to_poll(key);
221c5eb2
JA		 3429
3430 /* for instances that support it check for an event match first: */
8c838788
JA		 3431 if (mask && !(mask & poll->events))
3432 return 0;
221c5eb2 3433
392edb45 3434 list_del_init(&poll->wait.entry);
221c5eb2 3435
7c9e7f0f
JA		 3436 /*
3437 * Run completion inline if we can. We're using trylock here because
3438 * we are violating the completion_lock -> poll wq lock ordering.
3439 * If we have a link timeout we're going to need the completion_lock
3440 * for finalizing the request, mark us as having grabbed that already.
3441 */
e94f141b
JA		 3442 if (mask) {
3443 unsigned long flags;
221c5eb2 3444
e94f141b
JA		 3445 if (llist_empty(&ctx->poll_llist) &&
3446 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3447 hash_del(&req->hash_node);
3448 io_poll_complete(req, mask, 0);
3449 req->flags |= REQ_F_COMP_LOCKED;
3450 io_put_req(req);
3451 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3452
3453 io_cqring_ev_posted(ctx);
3454 req = NULL;
3455 } else {
3456 req->result = mask;
3457 req->llist_node.next = NULL;
3458 /* if the list wasn't empty, we're done */
3459 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3460 req = NULL;
3461 else
3462 req->work.func = io_poll_flush;
3463 }
221c5eb2 3464 }
e94f141b
JA		 3465 if (req)
3466 io_queue_async_work(req);
221c5eb2 3467
221c5eb2
JA		 3468 return 1;
3469}
3470
3471struct io_poll_table {
3472 struct poll_table_struct pt;
3473 struct io_kiocb *req;
3474 int error;
3475};
3476
3477static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3478 struct poll_table_struct *p)
3479{
3480 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3481
3482 if (unlikely(pt->req->poll.head)) {
3483 pt->error = -EINVAL;
3484 return;
3485 }
3486
3487 pt->error = 0;
3488 pt->req->poll.head = head;
392edb45 3489 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 3490}
3491
eac406c6
JA		 3492static void io_poll_req_insert(struct io_kiocb *req)
3493{
3494 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 3495 struct hlist_head *list;
3496
3497 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3498 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 3499}
3500
3529d8c2 3501static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 3502{
3503 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3504 u16 events;
221c5eb2
JA		 3505
3506 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3507 return -EINVAL;
3508 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3509 return -EINVAL;
09bb8394
JA		 3510 if (!poll->file)
3511 return -EBADF;
221c5eb2 3512
221c5eb2
JA		 3513 events = READ_ONCE(sqe->poll_events);
3514 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 3515 return 0;
3516}
3517
3518static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3519{
3520 struct io_poll_iocb *poll = &req->poll;
3521 struct io_ring_ctx *ctx = req->ctx;
3522 struct io_poll_table ipt;
3523 bool cancel = false;
3524 __poll_t mask;
0969e783
JA		 3525
3526 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 3527 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 3528
221c5eb2 3529 poll->head = NULL;
8c838788 3530 poll->done = false;
221c5eb2
JA		 3531 poll->canceled = false;
3532
3533 ipt.pt._qproc = io_poll_queue_proc;
3534 ipt.pt._key = poll->events;
3535 ipt.req = req;
3536 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3537
3538 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 3539 INIT_LIST_HEAD(&poll->wait.entry);
3540 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3541 poll->wait.private = poll;
221c5eb2 3542
36703247
JA		 3543 INIT_LIST_HEAD(&req->list);
3544
221c5eb2 3545 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 3546
3547 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 3548 if (likely(poll->head)) {
3549 spin_lock(&poll->head->lock);
392edb45 3550 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 3551 if (ipt.error)
3552 cancel = true;
3553 ipt.error = 0;
3554 mask = 0;
3555 }
3556 if (mask || ipt.error)
392edb45 3557 list_del_init(&poll->wait.entry);
8c838788
JA		 3558 else if (cancel)
3559 WRITE_ONCE(poll->canceled, true);
3560 else if (!poll->done) /* actually waiting for an event */
eac406c6 3561 io_poll_req_insert(req);
8c838788
JA		 3562 spin_unlock(&poll->head->lock);
3563 }
3564 if (mask) { /* no async, we'd stolen it */
221c5eb2 3565 ipt.error = 0;
b0dd8a41 3566 io_poll_complete(req, mask, 0);
221c5eb2 3567 }
221c5eb2
JA		 3568 spin_unlock_irq(&ctx->completion_lock);
3569
8c838788
JA		 3570 if (mask) {
3571 io_cqring_ev_posted(ctx);
ec9c02ad 3572 io_put_req_find_next(req, nxt);
221c5eb2 3573 }
8c838788 3574 return ipt.error;
221c5eb2
JA		 3575}
3576
5262f567
JA		 3577static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3578{
ad8a48ac
JA		 3579 struct io_timeout_data *data = container_of(timer,
3580 struct io_timeout_data, timer);
3581 struct io_kiocb *req = data->req;
3582 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 3583 unsigned long flags;
3584
5262f567
JA		 3585 atomic_inc(&ctx->cq_timeouts);
3586
3587 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 3588 /*
11365043
JA		 3589 * We could be racing with timeout deletion. If the list is empty,
3590 * then timeout lookup already found it and will be handling it.
ef03681a 3591 */
842f9612 3592 if (!list_empty(&req->list)) {
11365043 3593 struct io_kiocb *prev;
5262f567 3594
11365043
JA		 3595 /*
3596 * Adjust the reqs sequence before the current one because it
d195a66e 3597 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 3598 * pointer will be increased, otherwise other timeout reqs may
3599 * return in advance without waiting for enough wait_nr.
3600 */
3601 prev = req;
3602 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3603 prev->sequence++;
11365043 3604 list_del_init(&req->list);
11365043 3605 }
5262f567 3606
78e19bbe 3607 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 3608 io_commit_cqring(ctx);
3609 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3610
3611 io_cqring_ev_posted(ctx);
4e88d6e7 3612 req_set_fail_links(req);
5262f567
JA		 3613 io_put_req(req);
3614 return HRTIMER_NORESTART;
3615}
3616
47f46768
JA		 3617static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3618{
3619 struct io_kiocb *req;
3620 int ret = -ENOENT;
3621
3622 list_for_each_entry(req, &ctx->timeout_list, list) {
3623 if (user_data == req->user_data) {
3624 list_del_init(&req->list);
3625 ret = 0;
3626 break;
3627 }
3628 }
3629
3630 if (ret == -ENOENT)
3631 return ret;
3632
2d28390a 3633 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 3634 if (ret == -1)
3635 return -EALREADY;
3636
4e88d6e7 3637 req_set_fail_links(req);
47f46768
JA		 3638 io_cqring_fill_event(req, -ECANCELED);
3639 io_put_req(req);
3640 return 0;
3641}
3642
3529d8c2
JA		 3643static int io_timeout_remove_prep(struct io_kiocb *req,
3644 const struct io_uring_sqe *sqe)
b29472ee 3645{
b29472ee
JA		 3646 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3647 return -EINVAL;
3648 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3649 return -EINVAL;
3650
3651 req->timeout.addr = READ_ONCE(sqe->addr);
3652 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3653 if (req->timeout.flags)
3654 return -EINVAL;
3655
b29472ee
JA		 3656 return 0;
3657}
3658
11365043
JA		 3659/*
3660 * Remove or update an existing timeout command
3661 */
fc4df999 3662static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 3663{
3664 struct io_ring_ctx *ctx = req->ctx;
47f46768 3665 int ret;
11365043 3666
11365043 3667 spin_lock_irq(&ctx->completion_lock);
b29472ee 3668 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 3669
47f46768 3670 io_cqring_fill_event(req, ret);
11365043
JA		 3671 io_commit_cqring(ctx);
3672 spin_unlock_irq(&ctx->completion_lock);
5262f567 3673 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 3674 if (ret < 0)
3675 req_set_fail_links(req);
ec9c02ad 3676 io_put_req(req);
11365043 3677 return 0;
5262f567
JA		 3678}
3679
3529d8c2 3680static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 3681 bool is_timeout_link)
5262f567 3682{
ad8a48ac 3683 struct io_timeout_data *data;
a41525ab 3684 unsigned flags;
5262f567 3685
ad8a48ac 3686 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 3687 return -EINVAL;
ad8a48ac 3688 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 3689 return -EINVAL;
2d28390a
JA		 3690 if (sqe->off && is_timeout_link)
3691 return -EINVAL;
a41525ab
JA		 3692 flags = READ_ONCE(sqe->timeout_flags);
3693 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 3694 return -EINVAL;
bdf20073 3695
26a61679
JA		 3696 req->timeout.count = READ_ONCE(sqe->off);
3697
3529d8c2 3698 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 3699 return -ENOMEM;
3700
3701 data = &req->io->timeout;
ad8a48ac 3702 data->req = req;
ad8a48ac
JA		 3703 req->flags |= REQ_F_TIMEOUT;
3704
3705 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 3706 return -EFAULT;
3707
11365043 3708 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 3709 data->mode = HRTIMER_MODE_ABS;
11365043 3710 else
ad8a48ac 3711 data->mode = HRTIMER_MODE_REL;
11365043 3712
ad8a48ac
JA		 3713 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3714 return 0;
3715}
3716
fc4df999 3717static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 3718{
3719 unsigned count;
3720 struct io_ring_ctx *ctx = req->ctx;
3721 struct io_timeout_data *data;
3722 struct list_head *entry;
3723 unsigned span = 0;
ad8a48ac 3724
2d28390a 3725 data = &req->io->timeout;
93bd25bb 3726
5262f567
JA		 3727 /*
3728 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 3729 * timeout event to be satisfied. If it isn't set, then this is
3730 * a pure timeout request, sequence isn't used.
5262f567 3731 */
26a61679 3732 count = req->timeout.count;
93bd25bb
JA		 3733 if (!count) {
3734 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3735 spin_lock_irq(&ctx->completion_lock);
3736 entry = ctx->timeout_list.prev;
3737 goto add;
3738 }
5262f567
JA		 3739
3740 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 3741 data->seq_offset = count;
5262f567
JA		 3742
3743 /*
3744 * Insertion sort, ensuring the first entry in the list is always
3745 * the one we need first.
3746 */
5262f567
JA		 3747 spin_lock_irq(&ctx->completion_lock);
3748 list_for_each_prev(entry, &ctx->timeout_list) {
3749 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 3750 unsigned nxt_sq_head;
3751 long long tmp, tmp_nxt;
2d28390a 3752 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 3753
93bd25bb
JA		 3754 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3755 continue;
3756
5da0fb1a 3757 /*
3758 * Since cached_sq_head + count - 1 can overflow, use type long
3759 * long to store it.
3760 */
3761 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 3762 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3763 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 3764
3765 /*
3766 * cached_sq_head may overflow, and it will never overflow twice
3767 * once there is some timeout req still be valid.
3768 */
3769 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 3770 tmp += UINT_MAX;
5da0fb1a 3771
a1f58ba4 3772 if (tmp > tmp_nxt)
5262f567 3773 break;
a1f58ba4 3774
3775 /*
3776 * Sequence of reqs after the insert one and itself should
3777 * be adjusted because each timeout req consumes a slot.
3778 */
3779 span++;
3780 nxt->sequence++;
5262f567 3781 }
a1f58ba4 3782 req->sequence -= span;
93bd25bb 3783add:
5262f567 3784 list_add(&req->list, entry);
ad8a48ac
JA		 3785 data->timer.function = io_timeout_fn;
3786 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 3787 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 3788 return 0;
3789}
5262f567 3790
62755e35
JA		 3791static bool io_cancel_cb(struct io_wq_work *work, void *data)
3792{
3793 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3794
3795 return req->user_data == (unsigned long) data;
3796}
3797
e977d6d3 3798static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 3799{
62755e35 3800 enum io_wq_cancel cancel_ret;
62755e35
JA		 3801 int ret = 0;
3802
62755e35
JA		 3803 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3804 switch (cancel_ret) {
3805 case IO_WQ_CANCEL_OK:
3806 ret = 0;
3807 break;
3808 case IO_WQ_CANCEL_RUNNING:
3809 ret = -EALREADY;
3810 break;
3811 case IO_WQ_CANCEL_NOTFOUND:
3812 ret = -ENOENT;
3813 break;
3814 }
3815
e977d6d3
JA		 3816 return ret;
3817}
3818
47f46768
JA		 3819static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3820 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3821 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3822{
3823 unsigned long flags;
3824 int ret;
3825
3826 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3827 if (ret != -ENOENT) {
3828 spin_lock_irqsave(&ctx->completion_lock, flags);
3829 goto done;
3830 }
3831
3832 spin_lock_irqsave(&ctx->completion_lock, flags);
3833 ret = io_timeout_cancel(ctx, sqe_addr);
3834 if (ret != -ENOENT)
3835 goto done;
3836 ret = io_poll_cancel(ctx, sqe_addr);
3837done:
b0dd8a41
JA		 3838 if (!ret)
3839 ret = success_ret;
47f46768
JA		 3840 io_cqring_fill_event(req, ret);
3841 io_commit_cqring(ctx);
3842 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3843 io_cqring_ev_posted(ctx);
3844
4e88d6e7
JA		 3845 if (ret < 0)
3846 req_set_fail_links(req);
47f46768
JA		 3847 io_put_req_find_next(req, nxt);
3848}
3849
3529d8c2
JA		 3850static int io_async_cancel_prep(struct io_kiocb *req,
3851 const struct io_uring_sqe *sqe)
e977d6d3 3852{
fbf23849 3853 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3854 return -EINVAL;
3855 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3856 sqe->cancel_flags)
3857 return -EINVAL;
3858
fbf23849
JA		 3859 req->cancel.addr = READ_ONCE(sqe->addr);
3860 return 0;
3861}
3862
3863static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3864{
3865 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 3866
3867 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3868 return 0;
3869}
3870
05f3fb3c
JA		 3871static int io_files_update_prep(struct io_kiocb *req,
3872 const struct io_uring_sqe *sqe)
3873{
3874 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3875 return -EINVAL;
3876
3877 req->files_update.offset = READ_ONCE(sqe->off);
3878 req->files_update.nr_args = READ_ONCE(sqe->len);
3879 if (!req->files_update.nr_args)
3880 return -EINVAL;
3881 req->files_update.arg = READ_ONCE(sqe->addr);
3882 return 0;
3883}
3884
3885static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3886{
3887 struct io_ring_ctx *ctx = req->ctx;
3888 struct io_uring_files_update up;
3889 int ret;
3890
3891 if (force_nonblock) {
3892 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3893 return -EAGAIN;
3894 }
3895
3896 up.offset = req->files_update.offset;
3897 up.fds = req->files_update.arg;
3898
3899 mutex_lock(&ctx->uring_lock);
3900 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3901 mutex_unlock(&ctx->uring_lock);
3902
3903 if (ret < 0)
3904 req_set_fail_links(req);
3905 io_cqring_add_event(req, ret);
3906 io_put_req(req);
3907 return 0;
3908}
3909
3529d8c2
JA		 3910static int io_req_defer_prep(struct io_kiocb *req,
3911 const struct io_uring_sqe *sqe)
f67676d1 3912{
e781573e 3913 ssize_t ret = 0;
f67676d1 3914
d625c6ee 3915 switch (req->opcode) {
e781573e
JA		 3916 case IORING_OP_NOP:
3917 break;
f67676d1
JA		 3918 case IORING_OP_READV:
3919 case IORING_OP_READ_FIXED:
3a6820f2 3920 case IORING_OP_READ:
3529d8c2 3921 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 3922 break;
3923 case IORING_OP_WRITEV:
3924 case IORING_OP_WRITE_FIXED:
3a6820f2 3925 case IORING_OP_WRITE:
3529d8c2 3926 ret = io_write_prep(req, sqe, true);
f67676d1 3927 break;
0969e783 3928 case IORING_OP_POLL_ADD:
3529d8c2 3929 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 3930 break;
3931 case IORING_OP_POLL_REMOVE:
3529d8c2 3932 ret = io_poll_remove_prep(req, sqe);
0969e783 3933 break;
8ed8d3c3 3934 case IORING_OP_FSYNC:
3529d8c2 3935 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 3936 break;
3937 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 3938 ret = io_prep_sfr(req, sqe);
8ed8d3c3 3939 break;
03b1230c 3940 case IORING_OP_SENDMSG:
fddaface 3941 case IORING_OP_SEND:
3529d8c2 3942 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 3943 break;
3944 case IORING_OP_RECVMSG:
fddaface 3945 case IORING_OP_RECV:
3529d8c2 3946 ret = io_recvmsg_prep(req, sqe);
03b1230c 3947 break;
f499a021 3948 case IORING_OP_CONNECT:
3529d8c2 3949 ret = io_connect_prep(req, sqe);
f499a021 3950 break;
2d28390a 3951 case IORING_OP_TIMEOUT:
3529d8c2 3952 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 3953 break;
b29472ee 3954 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 3955 ret = io_timeout_remove_prep(req, sqe);
b29472ee 3956 break;
fbf23849 3957 case IORING_OP_ASYNC_CANCEL:
3529d8c2 3958 ret = io_async_cancel_prep(req, sqe);
fbf23849 3959 break;
2d28390a 3960 case IORING_OP_LINK_TIMEOUT:
3529d8c2 3961 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 3962 break;
8ed8d3c3 3963 case IORING_OP_ACCEPT:
3529d8c2 3964 ret = io_accept_prep(req, sqe);
8ed8d3c3 3965 break;
d63d1b5e
JA		 3966 case IORING_OP_FALLOCATE:
3967 ret = io_fallocate_prep(req, sqe);
3968 break;
15b71abe
JA		 3969 case IORING_OP_OPENAT:
3970 ret = io_openat_prep(req, sqe);
3971 break;
b5dba59e
JA		 3972 case IORING_OP_CLOSE:
3973 ret = io_close_prep(req, sqe);
3974 break;
05f3fb3c
JA		 3975 case IORING_OP_FILES_UPDATE:
3976 ret = io_files_update_prep(req, sqe);
3977 break;
eddc7ef5
JA		 3978 case IORING_OP_STATX:
3979 ret = io_statx_prep(req, sqe);
3980 break;
4840e418
JA		 3981 case IORING_OP_FADVISE:
3982 ret = io_fadvise_prep(req, sqe);
3983 break;
c1ca757b
JA		 3984 case IORING_OP_MADVISE:
3985 ret = io_madvise_prep(req, sqe);
3986 break;
f67676d1 3987 default:
e781573e
JA		 3988 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3989 req->opcode);
3990 ret = -EINVAL;
b7bb4f7d 3991 break;
f67676d1
JA		 3992 }
3993
b7bb4f7d 3994 return ret;
f67676d1
JA		 3995}
3996
3529d8c2 3997static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 3998{
a197f664 3999 struct io_ring_ctx *ctx = req->ctx;
f67676d1 4000 int ret;
de0617e4 4001
9d858b21
BL		 4002 /* Still need defer if there is pending req in defer list. */
4003 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 4004 return 0;
4005
3529d8c2 4006 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 4007 return -EAGAIN;
4008
3529d8c2 4009 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 4010 if (ret < 0)
2d28390a 4011 return ret;
2d28390a 4012
de0617e4 4013 spin_lock_irq(&ctx->completion_lock);
9d858b21 4014 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 4015 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 4016 return 0;
4017 }
4018
915967f6 4019 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 4020 list_add_tail(&req->list, &ctx->defer_list);
4021 spin_unlock_irq(&ctx->completion_lock);
4022 return -EIOCBQUEUED;
4023}
4024
3529d8c2
JA		 4025static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4026 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 4027{
a197f664 4028 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 4029 int ret;
2b188cc1 4030
d625c6ee 4031 switch (req->opcode) {
2b188cc1 4032 case IORING_OP_NOP:
78e19bbe 4033 ret = io_nop(req);
2b188cc1
JA		 4034 break;
4035 case IORING_OP_READV:
edafccee 4036 case IORING_OP_READ_FIXED:
3a6820f2 4037 case IORING_OP_READ:
3529d8c2
JA		 4038 if (sqe) {
4039 ret = io_read_prep(req, sqe, force_nonblock);
4040 if (ret < 0)
4041 break;
4042 }
267bc904 4043 ret = io_read(req, nxt, force_nonblock);
edafccee 4044 break;
3529d8c2 4045 case IORING_OP_WRITEV:
edafccee 4046 case IORING_OP_WRITE_FIXED:
3a6820f2 4047 case IORING_OP_WRITE:
3529d8c2
JA		 4048 if (sqe) {
4049 ret = io_write_prep(req, sqe, force_nonblock);
4050 if (ret < 0)
4051 break;
4052 }
267bc904 4053 ret = io_write(req, nxt, force_nonblock);
2b188cc1 4054 break;
c992fe29 4055 case IORING_OP_FSYNC:
3529d8c2
JA		 4056 if (sqe) {
4057 ret = io_prep_fsync(req, sqe);
4058 if (ret < 0)
4059 break;
4060 }
fc4df999 4061 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 4062 break;
221c5eb2 4063 case IORING_OP_POLL_ADD:
3529d8c2
JA		 4064 if (sqe) {
4065 ret = io_poll_add_prep(req, sqe);
4066 if (ret)
4067 break;
4068 }
fc4df999 4069 ret = io_poll_add(req, nxt);
221c5eb2
JA		 4070 break;
4071 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 4072 if (sqe) {
4073 ret = io_poll_remove_prep(req, sqe);
4074 if (ret < 0)
4075 break;
4076 }
fc4df999 4077 ret = io_poll_remove(req);
221c5eb2 4078 break;
5d17b4a4 4079 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 4080 if (sqe) {
4081 ret = io_prep_sfr(req, sqe);
4082 if (ret < 0)
4083 break;
4084 }
fc4df999 4085 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 4086 break;
0fa03c62 4087 case IORING_OP_SENDMSG:
fddaface 4088 case IORING_OP_SEND:
3529d8c2
JA		 4089 if (sqe) {
4090 ret = io_sendmsg_prep(req, sqe);
4091 if (ret < 0)
4092 break;
4093 }
fddaface
JA		 4094 if (req->opcode == IORING_OP_SENDMSG)
4095 ret = io_sendmsg(req, nxt, force_nonblock);
4096 else
4097 ret = io_send(req, nxt, force_nonblock);
0fa03c62 4098 break;
aa1fa28f 4099 case IORING_OP_RECVMSG:
fddaface 4100 case IORING_OP_RECV:
3529d8c2
JA		 4101 if (sqe) {
4102 ret = io_recvmsg_prep(req, sqe);
4103 if (ret)
4104 break;
4105 }
fddaface
JA		 4106 if (req->opcode == IORING_OP_RECVMSG)
4107 ret = io_recvmsg(req, nxt, force_nonblock);
4108 else
4109 ret = io_recv(req, nxt, force_nonblock);
aa1fa28f 4110 break;
5262f567 4111 case IORING_OP_TIMEOUT:
3529d8c2
JA		 4112 if (sqe) {
4113 ret = io_timeout_prep(req, sqe, false);
4114 if (ret)
4115 break;
4116 }
fc4df999 4117 ret = io_timeout(req);
5262f567 4118 break;
11365043 4119 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 4120 if (sqe) {
4121 ret = io_timeout_remove_prep(req, sqe);
4122 if (ret)
4123 break;
4124 }
fc4df999 4125 ret = io_timeout_remove(req);
11365043 4126 break;
17f2fe35 4127 case IORING_OP_ACCEPT:
3529d8c2
JA		 4128 if (sqe) {
4129 ret = io_accept_prep(req, sqe);
4130 if (ret)
4131 break;
4132 }
fc4df999 4133 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 4134 break;
f8e85cf2 4135 case IORING_OP_CONNECT:
3529d8c2
JA		 4136 if (sqe) {
4137 ret = io_connect_prep(req, sqe);
4138 if (ret)
4139 break;
4140 }
fc4df999 4141 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 4142 break;
62755e35 4143 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 4144 if (sqe) {
4145 ret = io_async_cancel_prep(req, sqe);
4146 if (ret)
4147 break;
4148 }
fc4df999 4149 ret = io_async_cancel(req, nxt);
62755e35 4150 break;
d63d1b5e
JA		 4151 case IORING_OP_FALLOCATE:
4152 if (sqe) {
4153 ret = io_fallocate_prep(req, sqe);
4154 if (ret)
4155 break;
4156 }
4157 ret = io_fallocate(req, nxt, force_nonblock);
4158 break;
15b71abe
JA		 4159 case IORING_OP_OPENAT:
4160 if (sqe) {
4161 ret = io_openat_prep(req, sqe);
4162 if (ret)
4163 break;
4164 }
4165 ret = io_openat(req, nxt, force_nonblock);
4166 break;
b5dba59e
JA		 4167 case IORING_OP_CLOSE:
4168 if (sqe) {
4169 ret = io_close_prep(req, sqe);
4170 if (ret)
4171 break;
4172 }
4173 ret = io_close(req, nxt, force_nonblock);
4174 break;
05f3fb3c
JA		 4175 case IORING_OP_FILES_UPDATE:
4176 if (sqe) {
4177 ret = io_files_update_prep(req, sqe);
4178 if (ret)
4179 break;
4180 }
4181 ret = io_files_update(req, force_nonblock);
4182 break;
eddc7ef5
JA		 4183 case IORING_OP_STATX:
4184 if (sqe) {
4185 ret = io_statx_prep(req, sqe);
4186 if (ret)
4187 break;
4188 }
4189 ret = io_statx(req, nxt, force_nonblock);
4190 break;
4840e418
JA		 4191 case IORING_OP_FADVISE:
4192 if (sqe) {
4193 ret = io_fadvise_prep(req, sqe);
4194 if (ret)
4195 break;
4196 }
4197 ret = io_fadvise(req, nxt, force_nonblock);
4198 break;
c1ca757b
JA		 4199 case IORING_OP_MADVISE:
4200 if (sqe) {
4201 ret = io_madvise_prep(req, sqe);
4202 if (ret)
4203 break;
4204 }
4205 ret = io_madvise(req, nxt, force_nonblock);
4206 break;
2b188cc1
JA		 4207 default:
4208 ret = -EINVAL;
4209 break;
4210 }
4211
def596e9
JA		 4212 if (ret)
4213 return ret;
4214
4215 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 4216 const bool in_async = io_wq_current_is_worker();
4217
9e645e11 4218 if (req->result == -EAGAIN)
def596e9
JA		 4219 return -EAGAIN;
4220
11ba820b
JA		 4221 /* workqueue context doesn't hold uring_lock, grab it now */
4222 if (in_async)
4223 mutex_lock(&ctx->uring_lock);
4224
def596e9 4225 io_iopoll_req_issued(req);
11ba820b
JA		 4226
4227 if (in_async)
4228 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 4229 }
4230
4231 return 0;
2b188cc1
JA		 4232}
4233
561fb04a 4234static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 4235{
561fb04a 4236 struct io_wq_work *work = *workptr;
2b188cc1 4237 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 4238 struct io_kiocb *nxt = NULL;
4239 int ret = 0;
2b188cc1 4240
0c9d5ccd
JA		 4241 /* if NO_CANCEL is set, we must still run the work */
4242 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4243 IO_WQ_WORK_CANCEL) {
561fb04a 4244 ret = -ECANCELED;
0c9d5ccd 4245 }
31b51510 4246
561fb04a 4247 if (!ret) {
cf6fd4bd
PB		 4248 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
4249 req->in_async = true;
561fb04a 4250 do {
3529d8c2 4251 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 4252 /*
4253 * We can get EAGAIN for polled IO even though we're
4254 * forcing a sync submission from here, since we can't
4255 * wait for request slots on the block side.
4256 */
4257 if (ret != -EAGAIN)
4258 break;
4259 cond_resched();
4260 } while (1);
4261 }
31b51510 4262
561fb04a 4263 /* drop submission reference */
ec9c02ad 4264 io_put_req(req);
817869d2 4265
561fb04a 4266 if (ret) {
4e88d6e7 4267 req_set_fail_links(req);
78e19bbe 4268 io_cqring_add_event(req, ret);
817869d2 4269 io_put_req(req);
edafccee 4270 }
2b188cc1 4271
561fb04a 4272 /* if a dependent link is ready, pass it back */
78912934
JA		 4273 if (!ret && nxt)
4274 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 4275}
4276
15b71abe 4277static int io_req_needs_file(struct io_kiocb *req, int fd)
09bb8394 4278{
d3656344 4279 if (!io_op_defs[req->opcode].needs_file)
9e3aa61a 4280 return 0;
d3656344
JA		 4281 if (fd == -1 && io_op_defs[req->opcode].fd_non_neg)
4282 return 0;
4283 return 1;
09bb8394
JA		 4284}
4285
65e19f54
JA		 4286static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4287 int index)
4288{
4289 struct fixed_file_table *table;
4290
05f3fb3c
JA		 4291 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4292 return table->files[index & IORING_FILE_TABLE_MASK];;
65e19f54
JA		 4293}
4294
3529d8c2
JA		 4295static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4296 const struct io_uring_sqe *sqe)
09bb8394 4297{
a197f664 4298 struct io_ring_ctx *ctx = req->ctx;
09bb8394 4299 unsigned flags;
d3656344 4300 int fd;
09bb8394 4301
3529d8c2
JA		 4302 flags = READ_ONCE(sqe->flags);
4303 fd = READ_ONCE(sqe->fd);
09bb8394 4304
4fe2c963 4305 if (flags & IOSQE_IO_DRAIN)
de0617e4 4306 req->flags |= REQ_F_IO_DRAIN;
de0617e4 4307
d3656344
JA		 4308 if (!io_req_needs_file(req, fd))
4309 return 0;
09bb8394
JA		 4310
4311 if (flags & IOSQE_FIXED_FILE) {
05f3fb3c 4312 if (unlikely(!ctx->file_data ||
09bb8394
JA		 4313 (unsigned) fd >= ctx->nr_user_files))
4314 return -EBADF;
b7620121 4315 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 4316 req->file = io_file_from_index(ctx, fd);
4317 if (!req->file)
08a45173 4318 return -EBADF;
09bb8394 4319 req->flags |= REQ_F_FIXED_FILE;
05f3fb3c 4320 percpu_ref_get(&ctx->file_data->refs);
09bb8394 4321 } else {
cf6fd4bd 4322 if (req->needs_fixed_file)
09bb8394 4323 return -EBADF;
c826bd7a 4324 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 4325 req->file = io_file_get(state, fd);
4326 if (unlikely(!req->file))
4327 return -EBADF;
4328 }
4329
4330 return 0;
4331}
4332
a197f664 4333static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 4334{
4335 int ret = -EBADF;
a197f664 4336 struct io_ring_ctx *ctx = req->ctx;
fcb323cc 4337
b5dba59e
JA		 4338 if (!req->ring_file)
4339 return -EBADF;
4340
fcb323cc
JA		 4341 rcu_read_lock();
4342 spin_lock_irq(&ctx->inflight_lock);
4343 /*
4344 * We use the f_ops->flush() handler to ensure that we can flush
4345 * out work accessing these files if the fd is closed. Check if
4346 * the fd has changed since we started down this path, and disallow
4347 * this operation if it has.
4348 */
cf6fd4bd 4349 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 4350 list_add(&req->inflight_entry, &ctx->inflight_list);
4351 req->flags |= REQ_F_INFLIGHT;
4352 req->work.files = current->files;
4353 ret = 0;
4354 }
4355 spin_unlock_irq(&ctx->inflight_lock);
4356 rcu_read_unlock();
4357
4358 return ret;
4359}
4360
2665abfd 4361static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 4362{
ad8a48ac
JA		 4363 struct io_timeout_data *data = container_of(timer,
4364 struct io_timeout_data, timer);
4365 struct io_kiocb *req = data->req;
2665abfd
JA		 4366 struct io_ring_ctx *ctx = req->ctx;
4367 struct io_kiocb *prev = NULL;
4368 unsigned long flags;
2665abfd
JA		 4369
4370 spin_lock_irqsave(&ctx->completion_lock, flags);
4371
4372 /*
4373 * We don't expect the list to be empty, that will only happen if we
4374 * race with the completion of the linked work.
4375 */
4493233e
PB		 4376 if (!list_empty(&req->link_list)) {
4377 prev = list_entry(req->link_list.prev, struct io_kiocb,
4378 link_list);
5d960724 4379 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 4380 list_del_init(&req->link_list);
5d960724
JA		 4381 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4382 } else
76a46e06 4383 prev = NULL;
2665abfd
JA		 4384 }
4385
4386 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4387
4388 if (prev) {
4e88d6e7 4389 req_set_fail_links(prev);
b0dd8a41
JA		 4390 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4391 -ETIME);
76a46e06 4392 io_put_req(prev);
47f46768
JA		 4393 } else {
4394 io_cqring_add_event(req, -ETIME);
4395 io_put_req(req);
2665abfd 4396 }
2665abfd
JA		 4397 return HRTIMER_NORESTART;
4398}
4399
ad8a48ac 4400static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 4401{
76a46e06 4402 struct io_ring_ctx *ctx = req->ctx;
2665abfd 4403
76a46e06
JA		 4404 /*
4405 * If the list is now empty, then our linked request finished before
4406 * we got a chance to setup the timer
4407 */
4408 spin_lock_irq(&ctx->completion_lock);
4493233e 4409 if (!list_empty(&req->link_list)) {
2d28390a 4410 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 4411
ad8a48ac
JA		 4412 data->timer.function = io_link_timeout_fn;
4413 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4414 data->mode);
2665abfd 4415 }
76a46e06 4416 spin_unlock_irq(&ctx->completion_lock);
2665abfd 4417
2665abfd 4418 /* drop submission reference */
76a46e06
JA		 4419 io_put_req(req);
4420}
2665abfd 4421
ad8a48ac 4422static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 4423{
4424 struct io_kiocb *nxt;
4425
4426 if (!(req->flags & REQ_F_LINK))
4427 return NULL;
4428
4493233e
PB		 4429 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4430 link_list);
d625c6ee 4431 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 4432 return NULL;
2665abfd 4433
76a46e06 4434 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 4435 return nxt;
2665abfd
JA		 4436}
4437
3529d8c2 4438static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 4439{
4a0a7a18 4440 struct io_kiocb *linked_timeout;
f9bd67f6 4441 struct io_kiocb *nxt = NULL;
e0c5c576 4442 int ret;
2b188cc1 4443
4a0a7a18
JA		 4444again:
4445 linked_timeout = io_prep_linked_timeout(req);
4446
3529d8c2 4447 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 4448
4449 /*
4450 * We async punt it if the file wasn't marked NOWAIT, or if the file
4451 * doesn't support non-blocking read/write attempts
4452 */
4453 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4454 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 4455 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
4456 ret = io_grab_files(req);
4457 if (ret)
4458 goto err;
2b188cc1 4459 }
bbad27b2
PB		 4460
4461 /*
4462 * Queued up for async execution, worker will release
4463 * submit reference when the iocb is actually submitted.
4464 */
4465 io_queue_async_work(req);
4a0a7a18 4466 goto done_req;
2b188cc1 4467 }
e65ef56d 4468
fcb323cc 4469err:
76a46e06 4470 /* drop submission reference */
ec9c02ad 4471 io_put_req(req);
e65ef56d 4472
f9bd67f6 4473 if (linked_timeout) {
76a46e06 4474 if (!ret)
f9bd67f6 4475 io_queue_linked_timeout(linked_timeout);
76a46e06 4476 else
f9bd67f6 4477 io_put_req(linked_timeout);
76a46e06
JA		 4478 }
4479
e65ef56d 4480 /* and drop final reference, if we failed */
9e645e11 4481 if (ret) {
78e19bbe 4482 io_cqring_add_event(req, ret);
4e88d6e7 4483 req_set_fail_links(req);
e65ef56d 4484 io_put_req(req);
9e645e11 4485 }
4a0a7a18
JA		 4486done_req:
4487 if (nxt) {
4488 req = nxt;
4489 nxt = NULL;
4490 goto again;
4491 }
2b188cc1
JA		 4492}
4493
3529d8c2 4494static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 4495{
4496 int ret;
4497
1b4a51b6
PB		 4498 if (unlikely(req->ctx->drain_next)) {
4499 req->flags |= REQ_F_IO_DRAIN;
69b3e546 4500 req->ctx->drain_next = 0;
1b4a51b6 4501 }
69b3e546 4502 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK) != 0;
1b4a51b6 4503
3529d8c2 4504 ret = io_req_defer(req, sqe);
4fe2c963
JL		 4505 if (ret) {
4506 if (ret != -EIOCBQUEUED) {
78e19bbe 4507 io_cqring_add_event(req, ret);
4e88d6e7 4508 req_set_fail_links(req);
78e19bbe 4509 io_double_put_req(req);
4fe2c963 4510 }
2550878f 4511 } else if (req->flags & REQ_F_FORCE_ASYNC) {
ce35a47a
JA		 4512 /*
4513 * Never try inline submit of IOSQE_ASYNC is set, go straight
4514 * to async execution.
4515 */
4516 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4517 io_queue_async_work(req);
4518 } else {
3529d8c2 4519 __io_queue_sqe(req, sqe);
ce35a47a 4520 }
4fe2c963
JL		 4521}
4522
1b4a51b6 4523static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 4524{
94ae5e77 4525 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 4526 io_cqring_add_event(req, -ECANCELED);
4527 io_double_put_req(req);
4528 } else
3529d8c2 4529 io_queue_sqe(req, NULL);
4fe2c963
JL		 4530}
4531
4e88d6e7 4532#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
ce35a47a 4533 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
9e645e11 4534
3529d8c2
JA		 4535static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4536 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 4537{
a197f664 4538 struct io_ring_ctx *ctx = req->ctx;
32fe525b 4539 unsigned int sqe_flags;
9e645e11
JA		 4540 int ret;
4541
32fe525b
PB		 4542 sqe_flags = READ_ONCE(sqe->flags);
4543
9e645e11 4544 /* enforce forwards compatibility on users */
32fe525b 4545 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
9e645e11 4546 ret = -EINVAL;
196be95c 4547 goto err_req;
9e645e11 4548 }
32fe525b 4549 if (sqe_flags & IOSQE_ASYNC)
ce35a47a 4550 req->flags |= REQ_F_FORCE_ASYNC;
9e645e11 4551
3529d8c2 4552 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 4553 if (unlikely(ret)) {
4554err_req:
78e19bbe
JA		 4555 io_cqring_add_event(req, ret);
4556 io_double_put_req(req);
2e6e1fde 4557 return false;
9e645e11
JA		 4558 }
4559
9e645e11
JA		 4560 /*
4561 * If we already have a head request, queue this one for async
4562 * submittal once the head completes. If we don't have a head but
4563 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4564 * submitted sync once the chain is complete. If none of those
4565 * conditions are true (normal request), then just queue it.
4566 */
4567 if (*link) {
9d76377f 4568 struct io_kiocb *head = *link;
9e645e11 4569
32fe525b 4570 if (sqe_flags & IOSQE_IO_DRAIN)
9d76377f 4571 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
1b4a51b6 4572
32fe525b 4573 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7
JA		 4574 req->flags |= REQ_F_HARDLINK;
4575
b7bb4f7d 4576 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 4577 ret = -EAGAIN;
4578 goto err_req;
4579 }
4580
3529d8c2 4581 ret = io_req_defer_prep(req, sqe);
2d28390a 4582 if (ret) {
4e88d6e7 4583 /* fail even hard links since we don't submit */
9d76377f 4584 head->flags |= REQ_F_FAIL_LINK;
f67676d1 4585 goto err_req;
2d28390a 4586 }
9d76377f
PB		 4587 trace_io_uring_link(ctx, req, head);
4588 list_add_tail(&req->link_list, &head->link_list);
32fe525b
PB		 4589
4590 /* last request of a link, enqueue the link */
4591 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4592 io_queue_link_head(head);
4593 *link = NULL;
4594 }
4595 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 4596 req->flags |= REQ_F_LINK;
32fe525b 4597 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7 4598 req->flags |= REQ_F_HARDLINK;
9e645e11 4599
9e645e11 4600 INIT_LIST_HEAD(&req->link_list);
3529d8c2
JA		 4601 ret = io_req_defer_prep(req, sqe);
4602 if (ret)
4603 req->flags |= REQ_F_FAIL_LINK;
9e645e11
JA		 4604 *link = req;
4605 } else {
3529d8c2 4606 io_queue_sqe(req, sqe);
9e645e11 4607 }
2e6e1fde
PB		 4608
4609 return true;
9e645e11
JA		 4610}
4611
9a56a232
JA		 4612/*
4613 * Batched submission is done, ensure local IO is flushed out.
4614 */
4615static void io_submit_state_end(struct io_submit_state *state)
4616{
4617 blk_finish_plug(&state->plug);
3d6770fb 4618 io_file_put(state);
2579f913
JA		 4619 if (state->free_reqs)
4620 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4621 &state->reqs[state->cur_req]);
9a56a232
JA		 4622}
4623
4624/*
4625 * Start submission side cache.
4626 */
4627static void io_submit_state_start(struct io_submit_state *state,
22efde59 4628 unsigned int max_ios)
9a56a232
JA		 4629{
4630 blk_start_plug(&state->plug);
2579f913 4631 state->free_reqs = 0;
9a56a232
JA		 4632 state->file = NULL;
4633 state->ios_left = max_ios;
4634}
4635
2b188cc1
JA		 4636static void io_commit_sqring(struct io_ring_ctx *ctx)
4637{
75b28aff 4638 struct io_rings *rings = ctx->rings;
2b188cc1 4639
caf582c6
PB		 4640 /*
4641 * Ensure any loads from the SQEs are done at this point,
4642 * since once we write the new head, the application could
4643 * write new data to them.
4644 */
4645 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 4646}
4647
2b188cc1 4648/*
3529d8c2 4649 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 4650 * that is mapped by userspace. This means that care needs to be taken to
4651 * ensure that reads are stable, as we cannot rely on userspace always
4652 * being a good citizen. If members of the sqe are validated and then later
4653 * used, it's important that those reads are done through READ_ONCE() to
4654 * prevent a re-load down the line.
4655 */
3529d8c2
JA		 4656static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4657 const struct io_uring_sqe **sqe_ptr)
2b188cc1 4658{
75b28aff 4659 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 4660 unsigned head;
4661
4662 /*
4663 * The cached sq head (or cq tail) serves two purposes:
4664 *
4665 * 1) allows us to batch the cost of updating the user visible
4666 * head updates.
4667 * 2) allows the kernel side to track the head on its own, even
4668 * though the application is the one updating it.
4669 */
ee7d46d9 4670 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
9835d6fa 4671 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 4672 /*
4673 * All io need record the previous position, if LINK vs DARIN,
4674 * it can be used to mark the position of the first IO in the
4675 * link list.
4676 */
4677 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 4678 *sqe_ptr = &ctx->sq_sqes[head];
4679 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4680 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 4681 ctx->cached_sq_head++;
4682 return true;
4683 }
4684
4685 /* drop invalid entries */
4686 ctx->cached_sq_head++;
498ccd9e 4687 ctx->cached_sq_dropped++;
ee7d46d9 4688 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 4689 return false;
4690}
4691
fb5ccc98 4692static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 4693 struct file *ring_file, int ring_fd,
4694 struct mm_struct **mm, bool async)
6c271ce2
JA		 4695{
4696 struct io_submit_state state, *statep = NULL;
9e645e11 4697 struct io_kiocb *link = NULL;
9e645e11 4698 int i, submitted = 0;
95a1b3ff 4699 bool mm_fault = false;
6c271ce2 4700
c4a2ed72 4701 /* if we have a backlog and couldn't flush it all, return BUSY */
ad3eb2c8
JA		 4702 if (test_bit(0, &ctx->sq_check_overflow)) {
4703 if (!list_empty(&ctx->cq_overflow_list) &&
4704 !io_cqring_overflow_flush(ctx, false))
4705 return -EBUSY;
4706 }
6c271ce2 4707
ee7d46d9
PB		 4708 /* make sure SQ entry isn't read before tail */
4709 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
9ef4f124 4710
2b85edfc
PB		 4711 if (!percpu_ref_tryget_many(&ctx->refs, nr))
4712 return -EAGAIN;
4713
6c271ce2 4714 if (nr > IO_PLUG_THRESHOLD) {
22efde59 4715 io_submit_state_start(&state, nr);
6c271ce2
JA		 4716 statep = &state;
4717 }
4718
4719 for (i = 0; i < nr; i++) {
3529d8c2 4720 const struct io_uring_sqe *sqe;
196be95c 4721 struct io_kiocb *req;
fb5ccc98 4722
196be95c
PB		 4723 req = io_get_req(ctx, statep);
4724 if (unlikely(!req)) {
4725 if (!submitted)
4726 submitted = -EAGAIN;
fb5ccc98 4727 break;
196be95c 4728 }
3529d8c2 4729 if (!io_get_sqring(ctx, req, &sqe)) {
2b85edfc 4730 __io_req_do_free(req);
196be95c
PB		 4731 break;
4732 }
fb5ccc98 4733
d3656344
JA		 4734 /* will complete beyond this point, count as submitted */
4735 submitted++;
4736
4737 if (unlikely(req->opcode >= IORING_OP_LAST)) {
4738 io_cqring_add_event(req, -EINVAL);
4739 io_double_put_req(req);
4740 break;
4741 }
4742
4743 if (io_op_defs[req->opcode].needs_mm && !*mm) {
95a1b3ff
PB		 4744 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4745 if (!mm_fault) {
4746 use_mm(ctx->sqo_mm);
4747 *mm = ctx->sqo_mm;
4748 }
9e645e11 4749 }
9e645e11 4750
cf6fd4bd
PB		 4751 req->ring_file = ring_file;
4752 req->ring_fd = ring_fd;
4753 req->has_user = *mm != NULL;
4754 req->in_async = async;
4755 req->needs_fixed_file = async;
d625c6ee 4756 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
3529d8c2 4757 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 4758 break;
6c271ce2
JA		 4759 }
4760
2b85edfc
PB		 4761 if (submitted != nr)
4762 percpu_ref_put_many(&ctx->refs, nr - submitted);
9e645e11 4763 if (link)
1b4a51b6 4764 io_queue_link_head(link);
6c271ce2
JA		 4765 if (statep)
4766 io_submit_state_end(&state);
4767
ae9428ca
PB		 4768 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4769 io_commit_sqring(ctx);
4770
6c271ce2
JA		 4771 return submitted;
4772}
4773
4774static int io_sq_thread(void *data)
4775{
6c271ce2
JA		 4776 struct io_ring_ctx *ctx = data;
4777 struct mm_struct *cur_mm = NULL;
181e448d 4778 const struct cred *old_cred;
6c271ce2
JA		 4779 mm_segment_t old_fs;
4780 DEFINE_WAIT(wait);
4781 unsigned inflight;
4782 unsigned long timeout;
c1edbf5f 4783 int ret;
6c271ce2 4784
206aefde 4785 complete(&ctx->completions[1]);
a4c0b3de 4786
6c271ce2
JA		 4787 old_fs = get_fs();
4788 set_fs(USER_DS);
181e448d 4789 old_cred = override_creds(ctx->creds);
6c271ce2 4790
c1edbf5f 4791 ret = timeout = inflight = 0;
2bbcd6d3 4792 while (!kthread_should_park()) {
fb5ccc98 4793 unsigned int to_submit;
6c271ce2
JA		 4794
4795 if (inflight) {
4796 unsigned nr_events = 0;
4797
4798 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 4799 /*
4800 * inflight is the count of the maximum possible
4801 * entries we submitted, but it can be smaller
4802 * if we dropped some of them. If we don't have
4803 * poll entries available, then we know that we
4804 * have nothing left to poll for. Reset the
4805 * inflight count to zero in that case.
4806 */
4807 mutex_lock(&ctx->uring_lock);
4808 if (!list_empty(&ctx->poll_list))
4809 __io_iopoll_check(ctx, &nr_events, 0);
4810 else
4811 inflight = 0;
4812 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 4813 } else {
4814 /*
4815 * Normal IO, just pretend everything completed.
4816 * We don't have to poll completions for that.
4817 */
4818 nr_events = inflight;
4819 }
4820
4821 inflight -= nr_events;
4822 if (!inflight)
4823 timeout = jiffies + ctx->sq_thread_idle;
4824 }
4825
fb5ccc98 4826 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 4827
4828 /*
4829 * If submit got -EBUSY, flag us as needing the application
4830 * to enter the kernel to reap and flush events.
4831 */
4832 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 4833 /*
4834 * We're polling. If we're within the defined idle
4835 * period, then let us spin without work before going
c1edbf5f
JA		 4836 * to sleep. The exception is if we got EBUSY doing
4837 * more IO, we should wait for the application to
4838 * reap events and wake us up.
6c271ce2 4839 */
c1edbf5f
JA		 4840 if (inflight ||
4841 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 4842 cond_resched();
6c271ce2
JA		 4843 continue;
4844 }
4845
4846 /*
4847 * Drop cur_mm before scheduling, we can't hold it for
4848 * long periods (or over schedule()). Do this before
4849 * adding ourselves to the waitqueue, as the unuse/drop
4850 * may sleep.
4851 */
4852 if (cur_mm) {
4853 unuse_mm(cur_mm);
4854 mmput(cur_mm);
4855 cur_mm = NULL;
4856 }
4857
4858 prepare_to_wait(&ctx->sqo_wait, &wait,
4859 TASK_INTERRUPTIBLE);
4860
4861 /* Tell userspace we may need a wakeup call */
75b28aff 4862 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 4863 /* make sure to read SQ tail after writing flags */
4864 smp_mb();
6c271ce2 4865
fb5ccc98 4866 to_submit = io_sqring_entries(ctx);
c1edbf5f 4867 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 4868 if (kthread_should_park()) {
6c271ce2
JA		 4869 finish_wait(&ctx->sqo_wait, &wait);
4870 break;
4871 }
4872 if (signal_pending(current))
4873 flush_signals(current);
4874 schedule();
4875 finish_wait(&ctx->sqo_wait, &wait);
4876
75b28aff 4877 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4878 continue;
4879 }
4880 finish_wait(&ctx->sqo_wait, &wait);
4881
75b28aff 4882 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4883 }
4884
8a4955ff 4885 mutex_lock(&ctx->uring_lock);
1d7bb1d5 4886 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 4887 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 4888 if (ret > 0)
4889 inflight += ret;
6c271ce2
JA		 4890 }
4891
4892 set_fs(old_fs);
4893 if (cur_mm) {
4894 unuse_mm(cur_mm);
4895 mmput(cur_mm);
4896 }
181e448d 4897 revert_creds(old_cred);
06058632 4898
2bbcd6d3 4899 kthread_parkme();
06058632 4900
6c271ce2
JA		 4901 return 0;
4902}
4903
bda52162
JA		 4904struct io_wait_queue {
4905 struct wait_queue_entry wq;
4906 struct io_ring_ctx *ctx;
4907 unsigned to_wait;
4908 unsigned nr_timeouts;
4909};
4910
1d7bb1d5 4911static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 4912{
4913 struct io_ring_ctx *ctx = iowq->ctx;
4914
4915 /*
d195a66e 4916 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 4917 * started waiting. For timeouts, we always want to return to userspace,
4918 * regardless of event count.
4919 */
1d7bb1d5 4920 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 4921 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4922}
4923
4924static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4925 int wake_flags, void *key)
4926{
4927 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4928 wq);
4929
1d7bb1d5
JA		 4930 /* use noflush == true, as we can't safely rely on locking context */
4931 if (!io_should_wake(iowq, true))
bda52162
JA		 4932 return -1;
4933
4934 return autoremove_wake_function(curr, mode, wake_flags, key);
4935}
4936
2b188cc1
JA		 4937/*
4938 * Wait until events become available, if we don't already have some. The
4939 * application must reap them itself, as they reside on the shared cq ring.
4940 */
4941static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4942 const sigset_t __user *sig, size_t sigsz)
4943{
bda52162
JA		 4944 struct io_wait_queue iowq = {
4945 .wq = {
4946 .private = current,
4947 .func = io_wake_function,
4948 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4949 },
4950 .ctx = ctx,
4951 .to_wait = min_events,
4952 };
75b28aff 4953 struct io_rings *rings = ctx->rings;
e9ffa5c2 4954 int ret = 0;
2b188cc1 4955
1d7bb1d5 4956 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 4957 return 0;
4958
4959 if (sig) {
9e75ad5d
AB		 4960#ifdef CONFIG_COMPAT
4961 if (in_compat_syscall())
4962 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 4963 sigsz);
9e75ad5d
AB		 4964 else
4965#endif
b772434b 4966 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 4967
2b188cc1
JA		 4968 if (ret)
4969 return ret;
4970 }
4971
bda52162 4972 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 4973 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 4974 do {
4975 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4976 TASK_INTERRUPTIBLE);
1d7bb1d5 4977 if (io_should_wake(&iowq, false))
bda52162
JA		 4978 break;
4979 schedule();
4980 if (signal_pending(current)) {
e9ffa5c2 4981 ret = -EINTR;
bda52162
JA		 4982 break;
4983 }
4984 } while (1);
4985 finish_wait(&ctx->wait, &iowq.wq);
4986
e9ffa5c2 4987 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 4988
75b28aff 4989 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 4990}
4991
6b06314c
JA		 4992static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4993{
4994#if defined(CONFIG_UNIX)
4995 if (ctx->ring_sock) {
4996 struct sock *sock = ctx->ring_sock->sk;
4997 struct sk_buff *skb;
4998
4999 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
5000 kfree_skb(skb);
5001 }
5002#else
5003 int i;
5004
65e19f54
JA		 5005 for (i = 0; i < ctx->nr_user_files; i++) {
5006 struct file *file;
5007
5008 file = io_file_from_index(ctx, i);
5009 if (file)
5010 fput(file);
5011 }
6b06314c
JA		 5012#endif
5013}
5014
05f3fb3c
JA		 5015static void io_file_ref_kill(struct percpu_ref *ref)
5016{
5017 struct fixed_file_data *data;
5018
5019 data = container_of(ref, struct fixed_file_data, refs);
5020 complete(&data->done);
5021}
5022
6b06314c
JA		 5023static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
5024{
05f3fb3c 5025 struct fixed_file_data *data = ctx->file_data;
65e19f54
JA		 5026 unsigned nr_tables, i;
5027
05f3fb3c 5028 if (!data)
6b06314c
JA		 5029 return -ENXIO;
5030
05f3fb3c
JA		 5031 /* protect against inflight atomic switch, which drops the ref */
5032 flush_work(&data->ref_work);
5033 percpu_ref_get(&data->refs);
5034 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
5035 wait_for_completion(&data->done);
5036 percpu_ref_put(&data->refs);
5037 percpu_ref_exit(&data->refs);
5038
6b06314c 5039 __io_sqe_files_unregister(ctx);
65e19f54
JA		 5040 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
5041 for (i = 0; i < nr_tables; i++)
05f3fb3c
JA		 5042 kfree(data->table[i].files);
5043 kfree(data->table);
5044 kfree(data);
5045 ctx->file_data = NULL;
6b06314c
JA		 5046 ctx->nr_user_files = 0;
5047 return 0;
5048}
5049
6c271ce2
JA		 5050static void io_sq_thread_stop(struct io_ring_ctx *ctx)
5051{
5052 if (ctx->sqo_thread) {
206aefde 5053 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 5054 /*
5055 * The park is a bit of a work-around, without it we get
5056 * warning spews on shutdown with SQPOLL set and affinity
5057 * set to a single CPU.
5058 */
06058632 5059 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 5060 kthread_stop(ctx->sqo_thread);
5061 ctx->sqo_thread = NULL;
5062 }
5063}
5064
6b06314c
JA		 5065static void io_finish_async(struct io_ring_ctx *ctx)
5066{
6c271ce2
JA		 5067 io_sq_thread_stop(ctx);
5068
561fb04a
JA		 5069 if (ctx->io_wq) {
5070 io_wq_destroy(ctx->io_wq);
5071 ctx->io_wq = NULL;
6b06314c
JA		 5072 }
5073}
5074
5075#if defined(CONFIG_UNIX)
6b06314c
JA		 5076/*
5077 * Ensure the UNIX gc is aware of our file set, so we are certain that
5078 * the io_uring can be safely unregistered on process exit, even if we have
5079 * loops in the file referencing.
5080 */
5081static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
5082{
5083 struct sock *sk = ctx->ring_sock->sk;
5084 struct scm_fp_list *fpl;
5085 struct sk_buff *skb;
08a45173 5086 int i, nr_files;
6b06314c
JA		 5087
5088 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
5089 unsigned long inflight = ctx->user->unix_inflight + nr;
5090
5091 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
5092 return -EMFILE;
5093 }
5094
5095 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
5096 if (!fpl)
5097 return -ENOMEM;
5098
5099 skb = alloc_skb(0, GFP_KERNEL);
5100 if (!skb) {
5101 kfree(fpl);
5102 return -ENOMEM;
5103 }
5104
5105 skb->sk = sk;
6b06314c 5106
08a45173 5107 nr_files = 0;
6b06314c
JA		 5108 fpl->user = get_uid(ctx->user);
5109 for (i = 0; i < nr; i++) {
65e19f54
JA		 5110 struct file *file = io_file_from_index(ctx, i + offset);
5111
5112 if (!file)
08a45173 5113 continue;
65e19f54 5114 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 5115 unix_inflight(fpl->user, fpl->fp[nr_files]);
5116 nr_files++;
6b06314c
JA		 5117 }
5118
08a45173
JA		 5119 if (nr_files) {
5120 fpl->max = SCM_MAX_FD;
5121 fpl->count = nr_files;
5122 UNIXCB(skb).fp = fpl;
05f3fb3c 5123 skb->destructor = unix_destruct_scm;
08a45173
JA		 5124 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
5125 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 5126
08a45173
JA		 5127 for (i = 0; i < nr_files; i++)
5128 fput(fpl->fp[i]);
5129 } else {
5130 kfree_skb(skb);
5131 kfree(fpl);
5132 }
6b06314c
JA		 5133
5134 return 0;
5135}
5136
5137/*
5138 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
5139 * causes regular reference counting to break down. We rely on the UNIX
5140 * garbage collection to take care of this problem for us.
5141 */
5142static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5143{
5144 unsigned left, total;
5145 int ret = 0;
5146
5147 total = 0;
5148 left = ctx->nr_user_files;
5149 while (left) {
5150 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 5151
5152 ret = __io_sqe_files_scm(ctx, this_files, total);
5153 if (ret)
5154 break;
5155 left -= this_files;
5156 total += this_files;
5157 }
5158
5159 if (!ret)
5160 return 0;
5161
5162 while (total < ctx->nr_user_files) {
65e19f54
JA		 5163 struct file *file = io_file_from_index(ctx, total);
5164
5165 if (file)
5166 fput(file);
6b06314c
JA		 5167 total++;
5168 }
5169
5170 return ret;
5171}
5172#else
5173static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5174{
5175 return 0;
5176}
5177#endif
5178
65e19f54
JA		 5179static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5180 unsigned nr_files)
5181{
5182 int i;
5183
5184 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5185 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5186 unsigned this_files;
5187
5188 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5189 table->files = kcalloc(this_files, sizeof(struct file *),
5190 GFP_KERNEL);
5191 if (!table->files)
5192 break;
5193 nr_files -= this_files;
5194 }
5195
5196 if (i == nr_tables)
5197 return 0;
5198
5199 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5200 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5201 kfree(table->files);
5202 }
5203 return 1;
5204}
5205
05f3fb3c
JA		 5206static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5207{
5208#if defined(CONFIG_UNIX)
5209 struct sock *sock = ctx->ring_sock->sk;
5210 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5211 struct sk_buff *skb;
5212 int i;
5213
5214 __skb_queue_head_init(&list);
5215
5216 /*
5217 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5218 * remove this entry and rearrange the file array.
5219 */
5220 skb = skb_dequeue(head);
5221 while (skb) {
5222 struct scm_fp_list *fp;
5223
5224 fp = UNIXCB(skb).fp;
5225 for (i = 0; i < fp->count; i++) {
5226 int left;
5227
5228 if (fp->fp[i] != file)
5229 continue;
5230
5231 unix_notinflight(fp->user, fp->fp[i]);
5232 left = fp->count - 1 - i;
5233 if (left) {
5234 memmove(&fp->fp[i], &fp->fp[i + 1],
5235 left * sizeof(struct file *));
5236 }
5237 fp->count--;
5238 if (!fp->count) {
5239 kfree_skb(skb);
5240 skb = NULL;
5241 } else {
5242 __skb_queue_tail(&list, skb);
5243 }
5244 fput(file);
5245 file = NULL;
5246 break;
5247 }
5248
5249 if (!file)
5250 break;
5251
5252 __skb_queue_tail(&list, skb);
5253
5254 skb = skb_dequeue(head);
5255 }
5256
5257 if (skb_peek(&list)) {
5258 spin_lock_irq(&head->lock);
5259 while ((skb = __skb_dequeue(&list)) != NULL)
5260 __skb_queue_tail(head, skb);
5261 spin_unlock_irq(&head->lock);
5262 }
5263#else
5264 fput(file);
5265#endif
5266}
5267
5268struct io_file_put {
5269 struct llist_node llist;
5270 struct file *file;
5271 struct completion *done;
5272};
5273
5274static void io_ring_file_ref_switch(struct work_struct *work)
5275{
5276 struct io_file_put *pfile, *tmp;
5277 struct fixed_file_data *data;
5278 struct llist_node *node;
5279
5280 data = container_of(work, struct fixed_file_data, ref_work);
5281
5282 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5283 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5284 io_ring_file_put(data->ctx, pfile->file);
5285 if (pfile->done)
5286 complete(pfile->done);
5287 else
5288 kfree(pfile);
5289 }
5290 }
5291
5292 percpu_ref_get(&data->refs);
5293 percpu_ref_switch_to_percpu(&data->refs);
5294}
5295
5296static void io_file_data_ref_zero(struct percpu_ref *ref)
5297{
5298 struct fixed_file_data *data;
5299
5300 data = container_of(ref, struct fixed_file_data, refs);
5301
5302 /* we can't safely switch from inside this context, punt to wq */
5303 queue_work(system_wq, &data->ref_work);
5304}
5305
6b06314c
JA		 5306static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5307 unsigned nr_args)
5308{
5309 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 5310 unsigned nr_tables;
05f3fb3c 5311 struct file *file;
6b06314c
JA		 5312 int fd, ret = 0;
5313 unsigned i;
5314
05f3fb3c 5315 if (ctx->file_data)
6b06314c
JA		 5316 return -EBUSY;
5317 if (!nr_args)
5318 return -EINVAL;
5319 if (nr_args > IORING_MAX_FIXED_FILES)
5320 return -EMFILE;
5321
05f3fb3c
JA		 5322 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5323 if (!ctx->file_data)
5324 return -ENOMEM;
5325 ctx->file_data->ctx = ctx;
5326 init_completion(&ctx->file_data->done);
5327
65e19f54 5328 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
05f3fb3c
JA		 5329 ctx->file_data->table = kcalloc(nr_tables,
5330 sizeof(struct fixed_file_table),
65e19f54 5331 GFP_KERNEL);
05f3fb3c
JA		 5332 if (!ctx->file_data->table) {
5333 kfree(ctx->file_data);
5334 ctx->file_data = NULL;
6b06314c 5335 return -ENOMEM;
05f3fb3c
JA		 5336 }
5337
5338 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5339 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5340 kfree(ctx->file_data->table);
5341 kfree(ctx->file_data);
5342 ctx->file_data = NULL;
5343 return -ENOMEM;
5344 }
5345 ctx->file_data->put_llist.first = NULL;
5346 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
6b06314c 5347
65e19f54 5348 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
05f3fb3c
JA		 5349 percpu_ref_exit(&ctx->file_data->refs);
5350 kfree(ctx->file_data->table);
5351 kfree(ctx->file_data);
5352 ctx->file_data = NULL;
65e19f54
JA		 5353 return -ENOMEM;
5354 }
5355
08a45173 5356 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 5357 struct fixed_file_table *table;
5358 unsigned index;
5359
6b06314c
JA		 5360 ret = -EFAULT;
5361 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5362 break;
08a45173
JA		 5363 /* allow sparse sets */
5364 if (fd == -1) {
5365 ret = 0;
5366 continue;
5367 }
6b06314c 5368
05f3fb3c 5369 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54 5370 index = i & IORING_FILE_TABLE_MASK;
05f3fb3c 5371 file = fget(fd);
6b06314c
JA		 5372
5373 ret = -EBADF;
05f3fb3c 5374 if (!file)
6b06314c 5375 break;
05f3fb3c 5376
6b06314c
JA		 5377 /*
5378 * Don't allow io_uring instances to be registered. If UNIX
5379 * isn't enabled, then this causes a reference cycle and this
5380 * instance can never get freed. If UNIX is enabled we'll
5381 * handle it just fine, but there's still no point in allowing
5382 * a ring fd as it doesn't support regular read/write anyway.
5383 */
05f3fb3c
JA		 5384 if (file->f_op == &io_uring_fops) {
5385 fput(file);
6b06314c
JA		 5386 break;
5387 }
6b06314c 5388 ret = 0;
05f3fb3c 5389 table->files[index] = file;
6b06314c
JA		 5390 }
5391
5392 if (ret) {
65e19f54 5393 for (i = 0; i < ctx->nr_user_files; i++) {
65e19f54
JA		 5394 file = io_file_from_index(ctx, i);
5395 if (file)
5396 fput(file);
5397 }
5398 for (i = 0; i < nr_tables; i++)
05f3fb3c 5399 kfree(ctx->file_data->table[i].files);
6b06314c 5400
05f3fb3c
JA		 5401 kfree(ctx->file_data->table);
5402 kfree(ctx->file_data);
5403 ctx->file_data = NULL;
6b06314c
JA		 5404 ctx->nr_user_files = 0;
5405 return ret;
5406 }
5407
5408 ret = io_sqe_files_scm(ctx);
5409 if (ret)
5410 io_sqe_files_unregister(ctx);
5411
5412 return ret;
5413}
5414
c3a31e60
JA		 5415static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5416 int index)
5417{
5418#if defined(CONFIG_UNIX)
5419 struct sock *sock = ctx->ring_sock->sk;
5420 struct sk_buff_head *head = &sock->sk_receive_queue;
5421 struct sk_buff *skb;
5422
5423 /*
5424 * See if we can merge this file into an existing skb SCM_RIGHTS
5425 * file set. If there's no room, fall back to allocating a new skb
5426 * and filling it in.
5427 */
5428 spin_lock_irq(&head->lock);
5429 skb = skb_peek(head);
5430 if (skb) {
5431 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5432
5433 if (fpl->count < SCM_MAX_FD) {
5434 __skb_unlink(skb, head);
5435 spin_unlock_irq(&head->lock);
5436 fpl->fp[fpl->count] = get_file(file);
5437 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5438 fpl->count++;
5439 spin_lock_irq(&head->lock);
5440 __skb_queue_head(head, skb);
5441 } else {
5442 skb = NULL;
5443 }
5444 }
5445 spin_unlock_irq(&head->lock);
5446
5447 if (skb) {
5448 fput(file);
5449 return 0;
5450 }
5451
5452 return __io_sqe_files_scm(ctx, 1, index);
5453#else
5454 return 0;
5455#endif
5456}
5457
05f3fb3c 5458static void io_atomic_switch(struct percpu_ref *ref)
c3a31e60 5459{
05f3fb3c
JA		 5460 struct fixed_file_data *data;
5461
5462 data = container_of(ref, struct fixed_file_data, refs);
5463 clear_bit(FFD_F_ATOMIC, &data->state);
5464}
5465
5466static bool io_queue_file_removal(struct fixed_file_data *data,
5467 struct file *file)
5468{
5469 struct io_file_put *pfile, pfile_stack;
5470 DECLARE_COMPLETION_ONSTACK(done);
5471
5472 /*
5473 * If we fail allocating the struct we need for doing async reomval
5474 * of this file, just punt to sync and wait for it.
5475 */
5476 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5477 if (!pfile) {
5478 pfile = &pfile_stack;
5479 pfile->done = &done;
5480 }
5481
5482 pfile->file = file;
5483 llist_add(&pfile->llist, &data->put_llist);
5484
5485 if (pfile == &pfile_stack) {
5486 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5487 percpu_ref_put(&data->refs);
5488 percpu_ref_switch_to_atomic(&data->refs,
5489 io_atomic_switch);
5490 }
5491 wait_for_completion(&done);
5492 flush_work(&data->ref_work);
5493 return false;
5494 }
5495
5496 return true;
5497}
5498
5499static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5500 struct io_uring_files_update *up,
5501 unsigned nr_args)
5502{
5503 struct fixed_file_data *data = ctx->file_data;
5504 bool ref_switch = false;
5505 struct file *file;
c3a31e60
JA		 5506 __s32 __user *fds;
5507 int fd, i, err;
5508 __u32 done;
5509
05f3fb3c 5510 if (check_add_overflow(up->offset, nr_args, &done))
c3a31e60
JA		 5511 return -EOVERFLOW;
5512 if (done > ctx->nr_user_files)
5513 return -EINVAL;
5514
5515 done = 0;
05f3fb3c 5516 fds = u64_to_user_ptr(up->fds);
c3a31e60 5517 while (nr_args) {
65e19f54
JA		 5518 struct fixed_file_table *table;
5519 unsigned index;
5520
c3a31e60
JA		 5521 err = 0;
5522 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5523 err = -EFAULT;
5524 break;
5525 }
05f3fb3c
JA		 5526 i = array_index_nospec(up->offset, ctx->nr_user_files);
5527 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54
JA		 5528 index = i & IORING_FILE_TABLE_MASK;
5529 if (table->files[index]) {
05f3fb3c 5530 file = io_file_from_index(ctx, index);
65e19f54 5531 table->files[index] = NULL;
05f3fb3c
JA		 5532 if (io_queue_file_removal(data, file))
5533 ref_switch = true;
c3a31e60
JA		 5534 }
5535 if (fd != -1) {
c3a31e60
JA		 5536 file = fget(fd);
5537 if (!file) {
5538 err = -EBADF;
5539 break;
5540 }
5541 /*
5542 * Don't allow io_uring instances to be registered. If
5543 * UNIX isn't enabled, then this causes a reference
5544 * cycle and this instance can never get freed. If UNIX
5545 * is enabled we'll handle it just fine, but there's
5546 * still no point in allowing a ring fd as it doesn't
5547 * support regular read/write anyway.
5548 */
5549 if (file->f_op == &io_uring_fops) {
5550 fput(file);
5551 err = -EBADF;
5552 break;
5553 }
65e19f54 5554 table->files[index] = file;
c3a31e60
JA		 5555 err = io_sqe_file_register(ctx, file, i);
5556 if (err)
5557 break;
5558 }
5559 nr_args--;
5560 done++;
05f3fb3c
JA		 5561 up->offset++;
5562 }
5563
5564 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5565 percpu_ref_put(&data->refs);
5566 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
c3a31e60
JA		 5567 }
5568
5569 return done ? done : err;
5570}
05f3fb3c
JA		 5571static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5572 unsigned nr_args)
5573{
5574 struct io_uring_files_update up;
5575
5576 if (!ctx->file_data)
5577 return -ENXIO;
5578 if (!nr_args)
5579 return -EINVAL;
5580 if (copy_from_user(&up, arg, sizeof(up)))
5581 return -EFAULT;
5582 if (up.resv)
5583 return -EINVAL;
5584
5585 return __io_sqe_files_update(ctx, &up, nr_args);
5586}
c3a31e60 5587
7d723065
JA		 5588static void io_put_work(struct io_wq_work *work)
5589{
5590 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5591
5592 io_put_req(req);
5593}
5594
5595static void io_get_work(struct io_wq_work *work)
5596{
5597 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5598
5599 refcount_inc(&req->refs);
5600}
5601
6c271ce2
JA		 5602static int io_sq_offload_start(struct io_ring_ctx *ctx,
5603 struct io_uring_params *p)
2b188cc1 5604{
576a347b 5605 struct io_wq_data data;
561fb04a 5606 unsigned concurrency;
2b188cc1
JA		 5607 int ret;
5608
6c271ce2 5609 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 5610 mmgrab(current->mm);
5611 ctx->sqo_mm = current->mm;
5612
6c271ce2 5613 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 5614 ret = -EPERM;
5615 if (!capable(CAP_SYS_ADMIN))
5616 goto err;
5617
917257da
JA		 5618 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5619 if (!ctx->sq_thread_idle)
5620 ctx->sq_thread_idle = HZ;
5621
6c271ce2 5622 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 5623 int cpu = p->sq_thread_cpu;
6c271ce2 5624
917257da 5625 ret = -EINVAL;
44a9bd18
JA		 5626 if (cpu >= nr_cpu_ids)
5627 goto err;
7889f44d 5628 if (!cpu_online(cpu))
917257da
JA		 5629 goto err;
5630
6c271ce2
JA		 5631 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5632 ctx, cpu,
5633 "io_uring-sq");
5634 } else {
5635 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5636 "io_uring-sq");
5637 }
5638 if (IS_ERR(ctx->sqo_thread)) {
5639 ret = PTR_ERR(ctx->sqo_thread);
5640 ctx->sqo_thread = NULL;
5641 goto err;
5642 }
5643 wake_up_process(ctx->sqo_thread);
5644 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5645 /* Can't have SQ_AFF without SQPOLL */
5646 ret = -EINVAL;
5647 goto err;
5648 }
5649
576a347b
JA		 5650 data.mm = ctx->sqo_mm;
5651 data.user = ctx->user;
181e448d 5652 data.creds = ctx->creds;
576a347b
JA		 5653 data.get_work = io_get_work;
5654 data.put_work = io_put_work;
5655
561fb04a
JA		 5656 /* Do QD, or 4 * CPUS, whatever is smallest */
5657 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 5658 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 5659 if (IS_ERR(ctx->io_wq)) {
5660 ret = PTR_ERR(ctx->io_wq);
5661 ctx->io_wq = NULL;
2b188cc1
JA		 5662 goto err;
5663 }
5664
5665 return 0;
5666err:
54a91f3b 5667 io_finish_async(ctx);
2b188cc1
JA		 5668 mmdrop(ctx->sqo_mm);
5669 ctx->sqo_mm = NULL;
5670 return ret;
5671}
5672
5673static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5674{
5675 atomic_long_sub(nr_pages, &user->locked_vm);
5676}
5677
5678static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5679{
5680 unsigned long page_limit, cur_pages, new_pages;
5681
5682 /* Don't allow more pages than we can safely lock */
5683 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5684
5685 do {
5686 cur_pages = atomic_long_read(&user->locked_vm);
5687 new_pages = cur_pages + nr_pages;
5688 if (new_pages > page_limit)
5689 return -ENOMEM;
5690 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5691 new_pages) != cur_pages);
5692
5693 return 0;
5694}
5695
5696static void io_mem_free(void *ptr)
5697{
52e04ef4
MR		 5698 struct page *page;
5699
5700 if (!ptr)
5701 return;
2b188cc1 5702
52e04ef4 5703 page = virt_to_head_page(ptr);
2b188cc1
JA		 5704 if (put_page_testzero(page))
5705 free_compound_page(page);
5706}
5707
5708static void *io_mem_alloc(size_t size)
5709{
5710 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5711 __GFP_NORETRY;
5712
5713 return (void *) __get_free_pages(gfp_flags, get_order(size));
5714}
5715
75b28aff
HV		 5716static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5717 size_t *sq_offset)
5718{
5719 struct io_rings *rings;
5720 size_t off, sq_array_size;
5721
5722 off = struct_size(rings, cqes, cq_entries);
5723 if (off == SIZE_MAX)
5724 return SIZE_MAX;
5725
5726#ifdef CONFIG_SMP
5727 off = ALIGN(off, SMP_CACHE_BYTES);
5728 if (off == 0)
5729 return SIZE_MAX;
5730#endif
5731
5732 sq_array_size = array_size(sizeof(u32), sq_entries);
5733 if (sq_array_size == SIZE_MAX)
5734 return SIZE_MAX;
5735
5736 if (check_add_overflow(off, sq_array_size, &off))
5737 return SIZE_MAX;
5738
5739 if (sq_offset)
5740 *sq_offset = off;
5741
5742 return off;
5743}
5744
2b188cc1
JA		 5745static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5746{
75b28aff 5747 size_t pages;
2b188cc1 5748
75b28aff
HV		 5749 pages = (size_t)1 << get_order(
5750 rings_size(sq_entries, cq_entries, NULL));
5751 pages += (size_t)1 << get_order(
5752 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 5753
75b28aff 5754 return pages;
2b188cc1
JA		 5755}
5756
edafccee
JA		 5757static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5758{
5759 int i, j;
5760
5761 if (!ctx->user_bufs)
5762 return -ENXIO;
5763
5764 for (i = 0; i < ctx->nr_user_bufs; i++) {
5765 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5766
5767 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 5768 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 5769
5770 if (ctx->account_mem)
5771 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 5772 kvfree(imu->bvec);
edafccee
JA		 5773 imu->nr_bvecs = 0;
5774 }
5775
5776 kfree(ctx->user_bufs);
5777 ctx->user_bufs = NULL;
5778 ctx->nr_user_bufs = 0;
5779 return 0;
5780}
5781
5782static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5783 void __user *arg, unsigned index)
5784{
5785 struct iovec __user *src;
5786
5787#ifdef CONFIG_COMPAT
5788 if (ctx->compat) {
5789 struct compat_iovec __user *ciovs;
5790 struct compat_iovec ciov;
5791
5792 ciovs = (struct compat_iovec __user *) arg;
5793 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5794 return -EFAULT;
5795
d55e5f5b 5796 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 5797 dst->iov_len = ciov.iov_len;
5798 return 0;
5799 }
5800#endif
5801 src = (struct iovec __user *) arg;
5802 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5803 return -EFAULT;
5804 return 0;
5805}
5806
5807static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5808 unsigned nr_args)
5809{
5810 struct vm_area_struct **vmas = NULL;
5811 struct page **pages = NULL;
5812 int i, j, got_pages = 0;
5813 int ret = -EINVAL;
5814
5815 if (ctx->user_bufs)
5816 return -EBUSY;
5817 if (!nr_args || nr_args > UIO_MAXIOV)
5818 return -EINVAL;
5819
5820 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5821 GFP_KERNEL);
5822 if (!ctx->user_bufs)
5823 return -ENOMEM;
5824
5825 for (i = 0; i < nr_args; i++) {
5826 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5827 unsigned long off, start, end, ubuf;
5828 int pret, nr_pages;
5829 struct iovec iov;
5830 size_t size;
5831
5832 ret = io_copy_iov(ctx, &iov, arg, i);
5833 if (ret)
a278682d 5834 goto err;
edafccee
JA		 5835
5836 /*
5837 * Don't impose further limits on the size and buffer
5838 * constraints here, we'll -EINVAL later when IO is
5839 * submitted if they are wrong.
5840 */
5841 ret = -EFAULT;
5842 if (!iov.iov_base || !iov.iov_len)
5843 goto err;
5844
5845 /* arbitrary limit, but we need something */
5846 if (iov.iov_len > SZ_1G)
5847 goto err;
5848
5849 ubuf = (unsigned long) iov.iov_base;
5850 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5851 start = ubuf >> PAGE_SHIFT;
5852 nr_pages = end - start;
5853
5854 if (ctx->account_mem) {
5855 ret = io_account_mem(ctx->user, nr_pages);
5856 if (ret)
5857 goto err;
5858 }
5859
5860 ret = 0;
5861 if (!pages || nr_pages > got_pages) {
5862 kfree(vmas);
5863 kfree(pages);
d4ef6475 5864 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 5865 GFP_KERNEL);
d4ef6475 5866 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 5867 sizeof(struct vm_area_struct *),
5868 GFP_KERNEL);
5869 if (!pages || !vmas) {
5870 ret = -ENOMEM;
5871 if (ctx->account_mem)
5872 io_unaccount_mem(ctx->user, nr_pages);
5873 goto err;
5874 }
5875 got_pages = nr_pages;
5876 }
5877
d4ef6475 5878 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 5879 GFP_KERNEL);
5880 ret = -ENOMEM;
5881 if (!imu->bvec) {
5882 if (ctx->account_mem)
5883 io_unaccount_mem(ctx->user, nr_pages);
5884 goto err;
5885 }
5886
5887 ret = 0;
5888 down_read(&current->mm->mmap_sem);
932f4a63
IW		 5889 pret = get_user_pages(ubuf, nr_pages,
5890 FOLL_WRITE | FOLL_LONGTERM,
5891 pages, vmas);
edafccee
JA		 5892 if (pret == nr_pages) {
5893 /* don't support file backed memory */
5894 for (j = 0; j < nr_pages; j++) {
5895 struct vm_area_struct *vma = vmas[j];
5896
5897 if (vma->vm_file &&
5898 !is_file_hugepages(vma->vm_file)) {
5899 ret = -EOPNOTSUPP;
5900 break;
5901 }
5902 }
5903 } else {
5904 ret = pret < 0 ? pret : -EFAULT;
5905 }
5906 up_read(&current->mm->mmap_sem);
5907 if (ret) {
5908 /*
5909 * if we did partial map, or found file backed vmas,
5910 * release any pages we did get
5911 */
27c4d3a3
JH		 5912 if (pret > 0)
5913 put_user_pages(pages, pret);
edafccee
JA		 5914 if (ctx->account_mem)
5915 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 5916 kvfree(imu->bvec);
edafccee
JA		 5917 goto err;
5918 }
5919
5920 off = ubuf & ~PAGE_MASK;
5921 size = iov.iov_len;
5922 for (j = 0; j < nr_pages; j++) {
5923 size_t vec_len;
5924
5925 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5926 imu->bvec[j].bv_page = pages[j];
5927 imu->bvec[j].bv_len = vec_len;
5928 imu->bvec[j].bv_offset = off;
5929 off = 0;
5930 size -= vec_len;
5931 }
5932 /* store original address for later verification */
5933 imu->ubuf = ubuf;
5934 imu->len = iov.iov_len;
5935 imu->nr_bvecs = nr_pages;
5936
5937 ctx->nr_user_bufs++;
5938 }
d4ef6475
MR		 5939 kvfree(pages);
5940 kvfree(vmas);
edafccee
JA		 5941 return 0;
5942err:
d4ef6475
MR		 5943 kvfree(pages);
5944 kvfree(vmas);
edafccee
JA		 5945 io_sqe_buffer_unregister(ctx);
5946 return ret;
5947}
5948
9b402849
JA		 5949static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
5950{
5951 __s32 __user *fds = arg;
5952 int fd;
5953
5954 if (ctx->cq_ev_fd)
5955 return -EBUSY;
5956
5957 if (copy_from_user(&fd, fds, sizeof(*fds)))
5958 return -EFAULT;
5959
5960 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
5961 if (IS_ERR(ctx->cq_ev_fd)) {
5962 int ret = PTR_ERR(ctx->cq_ev_fd);
5963 ctx->cq_ev_fd = NULL;
5964 return ret;
5965 }
5966
5967 return 0;
5968}
5969
5970static int io_eventfd_unregister(struct io_ring_ctx *ctx)
5971{
5972 if (ctx->cq_ev_fd) {
5973 eventfd_ctx_put(ctx->cq_ev_fd);
5974 ctx->cq_ev_fd = NULL;
5975 return 0;
5976 }
5977
5978 return -ENXIO;
5979}
5980
2b188cc1
JA		 5981static void io_ring_ctx_free(struct io_ring_ctx *ctx)
5982{
6b06314c 5983 io_finish_async(ctx);
2b188cc1
JA		 5984 if (ctx->sqo_mm)
5985 mmdrop(ctx->sqo_mm);
def596e9
JA		 5986
5987 io_iopoll_reap_events(ctx);
edafccee 5988 io_sqe_buffer_unregister(ctx);
6b06314c 5989 io_sqe_files_unregister(ctx);
9b402849 5990 io_eventfd_unregister(ctx);
def596e9 5991
2b188cc1 5992#if defined(CONFIG_UNIX)
355e8d26
EB		 5993 if (ctx->ring_sock) {
5994 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 5995 sock_release(ctx->ring_sock);
355e8d26 5996 }
2b188cc1
JA		 5997#endif
5998
75b28aff 5999 io_mem_free(ctx->rings);
2b188cc1 6000 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 6001
6002 percpu_ref_exit(&ctx->refs);
6003 if (ctx->account_mem)
6004 io_unaccount_mem(ctx->user,
6005 ring_pages(ctx->sq_entries, ctx->cq_entries));
6006 free_uid(ctx->user);
181e448d 6007 put_cred(ctx->creds);
206aefde 6008 kfree(ctx->completions);
78076bb6 6009 kfree(ctx->cancel_hash);
0ddf92e8 6010 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 6011 kfree(ctx);
6012}
6013
6014static __poll_t io_uring_poll(struct file *file, poll_table *wait)
6015{
6016 struct io_ring_ctx *ctx = file->private_data;
6017 __poll_t mask = 0;
6018
6019 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 6020 /*
6021 * synchronizes with barrier from wq_has_sleeper call in
6022 * io_commit_cqring
6023 */
2b188cc1 6024 smp_rmb();
75b28aff
HV		 6025 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
6026 ctx->rings->sq_ring_entries)
2b188cc1 6027 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 6028 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 6029 mask |= EPOLLIN | EPOLLRDNORM;
6030
6031 return mask;
6032}
6033
6034static int io_uring_fasync(int fd, struct file *file, int on)
6035{
6036 struct io_ring_ctx *ctx = file->private_data;
6037
6038 return fasync_helper(fd, file, on, &ctx->cq_fasync);
6039}
6040
6041static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
6042{
6043 mutex_lock(&ctx->uring_lock);
6044 percpu_ref_kill(&ctx->refs);
6045 mutex_unlock(&ctx->uring_lock);
6046
5262f567 6047 io_kill_timeouts(ctx);
221c5eb2 6048 io_poll_remove_all(ctx);
561fb04a
JA		 6049
6050 if (ctx->io_wq)
6051 io_wq_cancel_all(ctx->io_wq);
6052
def596e9 6053 io_iopoll_reap_events(ctx);
15dff286
JA		 6054 /* if we failed setting up the ctx, we might not have any rings */
6055 if (ctx->rings)
6056 io_cqring_overflow_flush(ctx, true);
206aefde 6057 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 6058 io_ring_ctx_free(ctx);
6059}
6060
6061static int io_uring_release(struct inode *inode, struct file *file)
6062{
6063 struct io_ring_ctx *ctx = file->private_data;
6064
6065 file->private_data = NULL;
6066 io_ring_ctx_wait_and_kill(ctx);
6067 return 0;
6068}
6069
fcb323cc
JA		 6070static void io_uring_cancel_files(struct io_ring_ctx *ctx,
6071 struct files_struct *files)
6072{
6073 struct io_kiocb *req;
6074 DEFINE_WAIT(wait);
6075
6076 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 6077 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 6078
6079 spin_lock_irq(&ctx->inflight_lock);
6080 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 6081 if (req->work.files != files)
6082 continue;
6083 /* req is being completed, ignore */
6084 if (!refcount_inc_not_zero(&req->refs))
6085 continue;
6086 cancel_req = req;
6087 break;
fcb323cc 6088 }
768134d4 6089 if (cancel_req)
fcb323cc 6090 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 6091 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 6092 spin_unlock_irq(&ctx->inflight_lock);
6093
768134d4
JA		 6094 /* We need to keep going until we don't find a matching req */
6095 if (!cancel_req)
fcb323cc 6096 break;
2f6d9b9d
BL		 6097
6098 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
6099 io_put_req(cancel_req);
fcb323cc
JA		 6100 schedule();
6101 }
768134d4 6102 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 6103}
6104
6105static int io_uring_flush(struct file *file, void *data)
6106{
6107 struct io_ring_ctx *ctx = file->private_data;
6108
6109 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 6110 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
6111 io_cqring_overflow_flush(ctx, true);
fcb323cc 6112 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 6113 }
fcb323cc
JA		 6114 return 0;
6115}
6116
6c5c240e
RP		 6117static void *io_uring_validate_mmap_request(struct file *file,
6118 loff_t pgoff, size_t sz)
2b188cc1 6119{
2b188cc1 6120 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 6121 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 6122 struct page *page;
6123 void *ptr;
6124
6125 switch (offset) {
6126 case IORING_OFF_SQ_RING:
75b28aff
HV		 6127 case IORING_OFF_CQ_RING:
6128 ptr = ctx->rings;
2b188cc1
JA		 6129 break;
6130 case IORING_OFF_SQES:
6131 ptr = ctx->sq_sqes;
6132 break;
2b188cc1 6133 default:
6c5c240e 6134 return ERR_PTR(-EINVAL);
2b188cc1
JA		 6135 }
6136
6137 page = virt_to_head_page(ptr);
a50b854e 6138 if (sz > page_size(page))
6c5c240e
RP		 6139 return ERR_PTR(-EINVAL);
6140
6141 return ptr;
6142}
6143
6144#ifdef CONFIG_MMU
6145
6146static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6147{
6148 size_t sz = vma->vm_end - vma->vm_start;
6149 unsigned long pfn;
6150 void *ptr;
6151
6152 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
6153 if (IS_ERR(ptr))
6154 return PTR_ERR(ptr);
2b188cc1
JA		 6155
6156 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
6157 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
6158}
6159
6c5c240e
RP		 6160#else /* !CONFIG_MMU */
6161
6162static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6163{
6164 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
6165}
6166
6167static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6168{
6169 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6170}
6171
6172static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6173 unsigned long addr, unsigned long len,
6174 unsigned long pgoff, unsigned long flags)
6175{
6176 void *ptr;
6177
6178 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6179 if (IS_ERR(ptr))
6180 return PTR_ERR(ptr);
6181
6182 return (unsigned long) ptr;
6183}
6184
6185#endif /* !CONFIG_MMU */
6186
2b188cc1
JA		 6187SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6188 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6189 size_t, sigsz)
6190{
6191 struct io_ring_ctx *ctx;
6192 long ret = -EBADF;
6193 int submitted = 0;
6194 struct fd f;
6195
6c271ce2 6196 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 6197 return -EINVAL;
6198
6199 f = fdget(fd);
6200 if (!f.file)
6201 return -EBADF;
6202
6203 ret = -EOPNOTSUPP;
6204 if (f.file->f_op != &io_uring_fops)
6205 goto out_fput;
6206
6207 ret = -ENXIO;
6208 ctx = f.file->private_data;
6209 if (!percpu_ref_tryget(&ctx->refs))
6210 goto out_fput;
6211
6c271ce2
JA		 6212 /*
6213 * For SQ polling, the thread will do all submissions and completions.
6214 * Just return the requested submit count, and wake the thread if
6215 * we were asked to.
6216 */
b2a9eada 6217 ret = 0;
6c271ce2 6218 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 6219 if (!list_empty_careful(&ctx->cq_overflow_list))
6220 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 6221 if (flags & IORING_ENTER_SQ_WAKEUP)
6222 wake_up(&ctx->sqo_wait);
6223 submitted = to_submit;
b2a9eada 6224 } else if (to_submit) {
ae9428ca 6225 struct mm_struct *cur_mm;
2b188cc1 6226
44d28279
JA		 6227 if (current->mm != ctx->sqo_mm ||
6228 current_cred() != ctx->creds) {
6229 ret = -EPERM;
6230 goto out;
6231 }
6232
2b188cc1 6233 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 6234 /* already have mm, so io_submit_sqes() won't try to grab it */
6235 cur_mm = ctx->sqo_mm;
6236 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6237 &cur_mm, false);
2b188cc1 6238 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 6239
6240 if (submitted != to_submit)
6241 goto out;
2b188cc1
JA		 6242 }
6243 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 6244 unsigned nr_events = 0;
6245
2b188cc1
JA		 6246 min_complete = min(min_complete, ctx->cq_entries);
6247
def596e9 6248 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 6249 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 6250 } else {
6251 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6252 }
2b188cc1
JA		 6253 }
6254
7c504e65 6255out:
6805b32e 6256 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 6257out_fput:
6258 fdput(f);
6259 return submitted ? submitted : ret;
6260}
6261
6262static const struct file_operations io_uring_fops = {
6263 .release = io_uring_release,
fcb323cc 6264 .flush = io_uring_flush,
2b188cc1 6265 .mmap = io_uring_mmap,
6c5c240e
RP		 6266#ifndef CONFIG_MMU
6267 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6268 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6269#endif
2b188cc1
JA		 6270 .poll = io_uring_poll,
6271 .fasync = io_uring_fasync,
6272};
6273
6274static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6275 struct io_uring_params *p)
6276{
75b28aff
HV		 6277 struct io_rings *rings;
6278 size_t size, sq_array_offset;
2b188cc1 6279
75b28aff
HV		 6280 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6281 if (size == SIZE_MAX)
6282 return -EOVERFLOW;
6283
6284 rings = io_mem_alloc(size);
6285 if (!rings)
2b188cc1
JA		 6286 return -ENOMEM;
6287
75b28aff
HV		 6288 ctx->rings = rings;
6289 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6290 rings->sq_ring_mask = p->sq_entries - 1;
6291 rings->cq_ring_mask = p->cq_entries - 1;
6292 rings->sq_ring_entries = p->sq_entries;
6293 rings->cq_ring_entries = p->cq_entries;
6294 ctx->sq_mask = rings->sq_ring_mask;
6295 ctx->cq_mask = rings->cq_ring_mask;
6296 ctx->sq_entries = rings->sq_ring_entries;
6297 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 6298
6299 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 6300 if (size == SIZE_MAX) {
6301 io_mem_free(ctx->rings);
6302 ctx->rings = NULL;
2b188cc1 6303 return -EOVERFLOW;
eb065d30 6304 }
2b188cc1
JA		 6305
6306 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 6307 if (!ctx->sq_sqes) {
6308 io_mem_free(ctx->rings);
6309 ctx->rings = NULL;
2b188cc1 6310 return -ENOMEM;
eb065d30 6311 }
2b188cc1 6312
2b188cc1
JA		 6313 return 0;
6314}
6315
6316/*
6317 * Allocate an anonymous fd, this is what constitutes the application
6318 * visible backing of an io_uring instance. The application mmaps this
6319 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6320 * we have to tie this fd to a socket for file garbage collection purposes.
6321 */
6322static int io_uring_get_fd(struct io_ring_ctx *ctx)
6323{
6324 struct file *file;
6325 int ret;
6326
6327#if defined(CONFIG_UNIX)
6328 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6329 &ctx->ring_sock);
6330 if (ret)
6331 return ret;
6332#endif
6333
6334 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6335 if (ret < 0)
6336 goto err;
6337
6338 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6339 O_RDWR | O_CLOEXEC);
6340 if (IS_ERR(file)) {
6341 put_unused_fd(ret);
6342 ret = PTR_ERR(file);
6343 goto err;
6344 }
6345
6346#if defined(CONFIG_UNIX)
6347 ctx->ring_sock->file = file;
6348#endif
6349 fd_install(ret, file);
6350 return ret;
6351err:
6352#if defined(CONFIG_UNIX)
6353 sock_release(ctx->ring_sock);
6354 ctx->ring_sock = NULL;
6355#endif
6356 return ret;
6357}
6358
6359static int io_uring_create(unsigned entries, struct io_uring_params *p)
6360{
6361 struct user_struct *user = NULL;
6362 struct io_ring_ctx *ctx;
6363 bool account_mem;
6364 int ret;
6365
8110c1a6 6366 if (!entries)
2b188cc1 6367 return -EINVAL;
8110c1a6
JA		 6368 if (entries > IORING_MAX_ENTRIES) {
6369 if (!(p->flags & IORING_SETUP_CLAMP))
6370 return -EINVAL;
6371 entries = IORING_MAX_ENTRIES;
6372 }
2b188cc1
JA		 6373
6374 /*
6375 * Use twice as many entries for the CQ ring. It's possible for the
6376 * application to drive a higher depth than the size of the SQ ring,
6377 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 6378 * some flexibility in overcommitting a bit. If the application has
6379 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6380 * of CQ ring entries manually.
2b188cc1
JA		 6381 */
6382 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 6383 if (p->flags & IORING_SETUP_CQSIZE) {
6384 /*
6385 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6386 * to a power-of-two, if it isn't already. We do NOT impose
6387 * any cq vs sq ring sizing.
6388 */
8110c1a6 6389 if (p->cq_entries < p->sq_entries)
33a107f0 6390 return -EINVAL;
8110c1a6
JA		 6391 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
6392 if (!(p->flags & IORING_SETUP_CLAMP))
6393 return -EINVAL;
6394 p->cq_entries = IORING_MAX_CQ_ENTRIES;
6395 }
33a107f0
JA		 6396 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6397 } else {
6398 p->cq_entries = 2 * p->sq_entries;
6399 }
2b188cc1
JA		 6400
6401 user = get_uid(current_user());
6402 account_mem = !capable(CAP_IPC_LOCK);
6403
6404 if (account_mem) {
6405 ret = io_account_mem(user,
6406 ring_pages(p->sq_entries, p->cq_entries));
6407 if (ret) {
6408 free_uid(user);
6409 return ret;
6410 }
6411 }
6412
6413 ctx = io_ring_ctx_alloc(p);
6414 if (!ctx) {
6415 if (account_mem)
6416 io_unaccount_mem(user, ring_pages(p->sq_entries,
6417 p->cq_entries));
6418 free_uid(user);
6419 return -ENOMEM;
6420 }
6421 ctx->compat = in_compat_syscall();
6422 ctx->account_mem = account_mem;
6423 ctx->user = user;
0b8c0ec7 6424 ctx->creds = get_current_cred();
2b188cc1
JA		 6425
6426 ret = io_allocate_scq_urings(ctx, p);
6427 if (ret)
6428 goto err;
6429
6c271ce2 6430 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 6431 if (ret)
6432 goto err;
6433
2b188cc1 6434 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 6435 p->sq_off.head = offsetof(struct io_rings, sq.head);
6436 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6437 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6438 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6439 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6440 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6441 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 6442
6443 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 6444 p->cq_off.head = offsetof(struct io_rings, cq.head);
6445 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6446 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6447 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6448 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6449 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 6450
044c1ab3
JA		 6451 /*
6452 * Install ring fd as the very last thing, so we don't risk someone
6453 * having closed it before we finish setup
6454 */
6455 ret = io_uring_get_fd(ctx);
6456 if (ret < 0)
6457 goto err;
6458
da8c9690 6459 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
ba04291e 6460 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS;
c826bd7a 6461 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 6462 return ret;
6463err:
6464 io_ring_ctx_wait_and_kill(ctx);
6465 return ret;
6466}
6467
6468/*
6469 * Sets up an aio uring context, and returns the fd. Applications asks for a
6470 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6471 * params structure passed in.
6472 */
6473static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6474{
6475 struct io_uring_params p;
6476 long ret;
6477 int i;
6478
6479 if (copy_from_user(&p, params, sizeof(p)))
6480 return -EFAULT;
6481 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6482 if (p.resv[i])
6483 return -EINVAL;
6484 }
6485
6c271ce2 6486 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8110c1a6
JA		 6487 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
6488 IORING_SETUP_CLAMP))
2b188cc1
JA		 6489 return -EINVAL;
6490
6491 ret = io_uring_create(entries, &p);
6492 if (ret < 0)
6493 return ret;
6494
6495 if (copy_to_user(params, &p, sizeof(p)))
6496 return -EFAULT;
6497
6498 return ret;
6499}
6500
6501SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6502 struct io_uring_params __user *, params)
6503{
6504 return io_uring_setup(entries, params);
6505}
6506
edafccee
JA		 6507static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
6508 void __user *arg, unsigned nr_args)
b19062a5
JA		 6509 __releases(ctx->uring_lock)
6510 __acquires(ctx->uring_lock)
edafccee
JA		 6511{
6512 int ret;
6513
35fa71a0
JA		 6514 /*
6515 * We're inside the ring mutex, if the ref is already dying, then
6516 * someone else killed the ctx or is already going through
6517 * io_uring_register().
6518 */
6519 if (percpu_ref_is_dying(&ctx->refs))
6520 return -ENXIO;
6521
05f3fb3c
JA		 6522 if (opcode != IORING_UNREGISTER_FILES &&
6523 opcode != IORING_REGISTER_FILES_UPDATE) {
6524 percpu_ref_kill(&ctx->refs);
b19062a5 6525
05f3fb3c
JA		 6526 /*
6527 * Drop uring mutex before waiting for references to exit. If
6528 * another thread is currently inside io_uring_enter() it might
6529 * need to grab the uring_lock to make progress. If we hold it
6530 * here across the drain wait, then we can deadlock. It's safe
6531 * to drop the mutex here, since no new references will come in
6532 * after we've killed the percpu ref.
6533 */
6534 mutex_unlock(&ctx->uring_lock);
c150368b 6535 ret = wait_for_completion_interruptible(&ctx->completions[0]);
05f3fb3c 6536 mutex_lock(&ctx->uring_lock);
c150368b
JA		 6537 if (ret) {
6538 percpu_ref_resurrect(&ctx->refs);
6539 ret = -EINTR;
6540 goto out;
6541 }
05f3fb3c 6542 }
edafccee
JA		 6543
6544 switch (opcode) {
6545 case IORING_REGISTER_BUFFERS:
6546 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6547 break;
6548 case IORING_UNREGISTER_BUFFERS:
6549 ret = -EINVAL;
6550 if (arg || nr_args)
6551 break;
6552 ret = io_sqe_buffer_unregister(ctx);
6553 break;
6b06314c
JA		 6554 case IORING_REGISTER_FILES:
6555 ret = io_sqe_files_register(ctx, arg, nr_args);
6556 break;
6557 case IORING_UNREGISTER_FILES:
6558 ret = -EINVAL;
6559 if (arg || nr_args)
6560 break;
6561 ret = io_sqe_files_unregister(ctx);
6562 break;
c3a31e60
JA		 6563 case IORING_REGISTER_FILES_UPDATE:
6564 ret = io_sqe_files_update(ctx, arg, nr_args);
6565 break;
9b402849 6566 case IORING_REGISTER_EVENTFD:
f2842ab5 6567 case IORING_REGISTER_EVENTFD_ASYNC:
9b402849
JA		 6568 ret = -EINVAL;
6569 if (nr_args != 1)
6570 break;
6571 ret = io_eventfd_register(ctx, arg);
f2842ab5
JA		 6572 if (ret)
6573 break;
6574 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
6575 ctx->eventfd_async = 1;
6576 else
6577 ctx->eventfd_async = 0;
9b402849
JA		 6578 break;
6579 case IORING_UNREGISTER_EVENTFD:
6580 ret = -EINVAL;
6581 if (arg || nr_args)
6582 break;
6583 ret = io_eventfd_unregister(ctx);
6584 break;
edafccee
JA		 6585 default:
6586 ret = -EINVAL;
6587 break;
6588 }
6589
05f3fb3c
JA		 6590
6591 if (opcode != IORING_UNREGISTER_FILES &&
6592 opcode != IORING_REGISTER_FILES_UPDATE) {
6593 /* bring the ctx back to life */
05f3fb3c 6594 percpu_ref_reinit(&ctx->refs);
c150368b
JA		 6595out:
6596 reinit_completion(&ctx->completions[0]);
05f3fb3c 6597 }
edafccee
JA		 6598 return ret;
6599}
6600
6601SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6602 void __user *, arg, unsigned int, nr_args)
6603{
6604 struct io_ring_ctx *ctx;
6605 long ret = -EBADF;
6606 struct fd f;
6607
6608 f = fdget(fd);
6609 if (!f.file)
6610 return -EBADF;
6611
6612 ret = -EOPNOTSUPP;
6613 if (f.file->f_op != &io_uring_fops)
6614 goto out_fput;
6615
6616 ctx = f.file->private_data;
6617
6618 mutex_lock(&ctx->uring_lock);
6619 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6620 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 6621 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6622 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 6623out_fput:
6624 fdput(f);
6625 return ret;
6626}
6627
2b188cc1
JA		 6628static int __init io_uring_init(void)
6629{
d3656344 6630 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
2b188cc1
JA		 6631 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6632 return 0;
6633};
6634__initcall(io_uring_init);
Linux 6.x block layer and io_uring tree(s)