projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'soc-drivers-6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
[linux-block.git] / io_uring / kbuf.c
CommitLineData
3b77495a
JA		 1// SPDX-License-Identifier: GPL-2.0
2#include <linux/kernel.h>
3#include <linux/errno.h>
4#include <linux/fs.h>
5#include <linux/file.h>
6#include <linux/mm.h>
7#include <linux/slab.h>
8#include <linux/namei.h>
9#include <linux/poll.h>
10#include <linux/io_uring.h>
11
12#include <uapi/linux/io_uring.h>
13
3b77495a
JA		 14#include "io_uring.h"
15#include "opdef.h"
16#include "kbuf.h"
17
18#define IO_BUFFER_LIST_BUF_PER_PAGE (PAGE_SIZE / sizeof(struct io_uring_buf))
19
20#define BGID_ARRAY 64
21
f74c746e
GKB		 22/* BIDs are addressed by a 16-bit field in a CQE */
23#define MAX_BIDS_PER_BGID (1 << 16)
24
b3a4dbc8
GKB		 25struct kmem_cache *io_buf_cachep;
26
3b77495a
JA		 27struct io_provide_buf {
28 struct file *file;
29 __u64 addr;
30 __u32 len;
31 __u32 bgid;
f74c746e 32 __u32 nbufs;
3b77495a
JA		 33 __u16 bid;
34};
35
c392cbec
JA		 36struct io_buf_free {
37 struct hlist_node list;
38 void *mem;
b10b73c1
JA		 39 size_t size;
40 int inuse;
c392cbec
JA		 41};
42
5cf4f52e
JA		 43static struct io_buffer_list *__io_buffer_get_list(struct io_ring_ctx *ctx,
44 struct io_buffer_list *bl,
45 unsigned int bgid)
46{
47 if (bl && bgid < BGID_ARRAY)
48 return &bl[bgid];
49
50 return xa_load(&ctx->io_bl_xa, bgid);
51}
52
3b77495a
JA		 53static inline struct io_buffer_list *io_buffer_get_list(struct io_ring_ctx *ctx,
54 unsigned int bgid)
55{
5cf4f52e 56 lockdep_assert_held(&ctx->uring_lock);
3b77495a 57
5cf4f52e 58 return __io_buffer_get_list(ctx, ctx->io_bl, bgid);
3b77495a
JA		 59}
60
024b8fde
HX		 61static int io_buffer_add_list(struct io_ring_ctx *ctx,
62 struct io_buffer_list *bl, unsigned int bgid)
63{
5cf4f52e
JA		 64 /*
65 * Store buffer group ID and finally mark the list as visible.
66 * The normal lookup doesn't care about the visibility as we're
67 * always under the ->uring_lock, but the RCU lookup from mmap does.
68 */
024b8fde 69 bl->bgid = bgid;
5cf4f52e
JA		 70 smp_store_release(&bl->is_ready, 1);
71
024b8fde
HX		 72 if (bgid < BGID_ARRAY)
73 return 0;
74
75 return xa_err(xa_store(&ctx->io_bl_xa, bgid, bl, GFP_KERNEL));
76}
77
89d528ba 78bool io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags)
3b77495a
JA		 79{
80 struct io_ring_ctx *ctx = req->ctx;
81 struct io_buffer_list *bl;
82 struct io_buffer *buf;
83
3b77495a
JA		 84 io_ring_submit_lock(ctx, issue_flags);
85
86 buf = req->kbuf;
87 bl = io_buffer_get_list(ctx, buf->bgid);
88 list_add(&buf->list, &bl->buf_list);
89 req->flags &= ~REQ_F_BUFFER_SELECTED;
90 req->buf_index = buf->bgid;
91
92 io_ring_submit_unlock(ctx, issue_flags);
89d528ba 93 return true;
3b77495a
JA		 94}
95
8435c6f3 96void __io_put_kbuf(struct io_kiocb *req, unsigned issue_flags)
53ccf69b 97{
53ccf69b
PB		 98 /*
99 * We can add this buffer back to two lists:
100 *
101 * 1) The io_buffers_cache list. This one is protected by the
102 * ctx->uring_lock. If we already hold this lock, add back to this
103 * list as we can grab it from issue as well.
104 * 2) The io_buffers_comp list. This one is protected by the
105 * ctx->completion_lock.
106 *
107 * We migrate buffers from the comp_list to the issue cache list
108 * when we need one.
109 */
8435c6f3 110 if (issue_flags & IO_URING_F_UNLOCKED) {
53ccf69b
PB		 111 struct io_ring_ctx *ctx = req->ctx;
112
113 spin_lock(&ctx->completion_lock);
8435c6f3 114 __io_put_kbuf_list(req, &ctx->io_buffers_comp);
53ccf69b
PB		 115 spin_unlock(&ctx->completion_lock);
116 } else {
117 lockdep_assert_held(&req->ctx->uring_lock);
118
8435c6f3 119 __io_put_kbuf_list(req, &req->ctx->io_buffers_cache);
53ccf69b 120 }
53ccf69b
PB		 121}
122
3b77495a
JA		 123static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
124 struct io_buffer_list *bl)
125{
126 if (!list_empty(&bl->buf_list)) {
127 struct io_buffer *kbuf;
128
129 kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
130 list_del(&kbuf->list);
b8c01559 131 if (*len == 0 || *len > kbuf->len)
3b77495a 132 *len = kbuf->len;
c3f9109d
JA		 133 if (list_empty(&bl->buf_list))
134 req->flags |= REQ_F_BL_EMPTY;
3b77495a
JA		 135 req->flags |= REQ_F_BUFFER_SELECTED;
136 req->kbuf = kbuf;
137 req->buf_index = kbuf->bid;
138 return u64_to_user_ptr(kbuf->addr);
139 }
140 return NULL;
141}
142
143static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len,
144 struct io_buffer_list *bl,
145 unsigned int issue_flags)
146{
147 struct io_uring_buf_ring *br = bl->buf_ring;
c3f9109d 148 __u16 tail, head = bl->head;
3b77495a 149 struct io_uring_buf *buf;
3b77495a 150
c3f9109d
JA		 151 tail = smp_load_acquire(&br->tail);
152 if (unlikely(tail == head))
3b77495a
JA		 153 return NULL;
154
c3f9109d
JA		 155 if (head + 1 == tail)
156 req->flags |= REQ_F_BL_EMPTY;
157
3b77495a 158 head &= bl->mask;
c56e022c
JA		 159 /* mmaped buffers are always contig */
160 if (bl->is_mmap || head < IO_BUFFER_LIST_BUF_PER_PAGE) {
3b77495a
JA		 161 buf = &br->bufs[head];
162 } else {
163 int off = head & (IO_BUFFER_LIST_BUF_PER_PAGE - 1);
164 int index = head / IO_BUFFER_LIST_BUF_PER_PAGE;
165 buf = page_address(bl->buf_pages[index]);
166 buf += off;
167 }
b8c01559 168 if (*len == 0 || *len > buf->len)
3b77495a
JA		 169 *len = buf->len;
170 req->flags |= REQ_F_BUFFER_RING;
171 req->buf_list = bl;
172 req->buf_index = buf->bid;
173
95041b93 174 if (issue_flags & IO_URING_F_UNLOCKED || !io_file_can_poll(req)) {
3b77495a
JA		 175 /*
176 * If we came in unlocked, we have no choice but to consume the
f09c8643
HX		 177 * buffer here, otherwise nothing ensures that the buffer won't
178 * get used by others. This does mean it'll be pinned until the
179 * IO completes, coming in unlocked means we're being called from
180 * io-wq context and there may be further retries in async hybrid
181 * mode. For the locked case, the caller must call commit when
182 * the transfer completes (or if we get -EAGAIN and must poll of
183 * retry).
3b77495a
JA		 184 */
185 req->buf_list = NULL;
186 bl->head++;
187 }
188 return u64_to_user_ptr(buf->addr);
189}
190
191void __user *io_buffer_select(struct io_kiocb *req, size_t *len,
192 unsigned int issue_flags)
193{
194 struct io_ring_ctx *ctx = req->ctx;
195 struct io_buffer_list *bl;
196 void __user *ret = NULL;
197
198 io_ring_submit_lock(req->ctx, issue_flags);
199
200 bl = io_buffer_get_list(ctx, req->buf_index);
201 if (likely(bl)) {
25a2c188 202 if (bl->is_mapped)
3b77495a
JA		 203 ret = io_ring_buffer_select(req, len, bl, issue_flags);
204 else
205 ret = io_provided_buffer_select(req, len, bl);
206 }
207 io_ring_submit_unlock(req->ctx, issue_flags);
208 return ret;
209}
210
211static __cold int io_init_bl_list(struct io_ring_ctx *ctx)
212{
5cf4f52e 213 struct io_buffer_list *bl;
3b77495a
JA		 214 int i;
215
5cf4f52e
JA		 216 bl = kcalloc(BGID_ARRAY, sizeof(struct io_buffer_list), GFP_KERNEL);
217 if (!bl)
3b77495a
JA		 218 return -ENOMEM;
219
220 for (i = 0; i < BGID_ARRAY; i++) {
5cf4f52e
JA		 221 INIT_LIST_HEAD(&bl[i].buf_list);
222 bl[i].bgid = i;
3b77495a
JA		 223 }
224
5cf4f52e 225 smp_store_release(&ctx->io_bl, bl);
3b77495a
JA		 226 return 0;
227}
228
b10b73c1
JA		 229/*
230 * Mark the given mapped range as free for reuse
231 */
232static void io_kbuf_mark_free(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
233{
234 struct io_buf_free *ibf;
235
236 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
237 if (bl->buf_ring == ibf->mem) {
238 ibf->inuse = 0;
239 return;
240 }
241 }
242
243 /* can't happen... */
244 WARN_ON_ONCE(1);
245}
246
3b77495a
JA		 247static int __io_remove_buffers(struct io_ring_ctx *ctx,
248 struct io_buffer_list *bl, unsigned nbufs)
249{
250 unsigned i = 0;
251
252 /* shouldn't happen */
253 if (!nbufs)
254 return 0;
255
c56e022c 256 if (bl->is_mapped) {
3b77495a 257 i = bl->buf_ring->tail - bl->head;
c56e022c 258 if (bl->is_mmap) {
c392cbec
JA		 259 /*
260 * io_kbuf_list_free() will free the page(s) at
261 * ->release() time.
262 */
b10b73c1 263 io_kbuf_mark_free(ctx, bl);
ceac766a 264 bl->buf_ring = NULL;
c56e022c
JA		 265 bl->is_mmap = 0;
266 } else if (bl->buf_nr_pages) {
267 int j;
268
269 for (j = 0; j < bl->buf_nr_pages; j++)
270 unpin_user_page(bl->buf_pages[j]);
271 kvfree(bl->buf_pages);
272 bl->buf_pages = NULL;
273 bl->buf_nr_pages = 0;
274 }
3b77495a
JA		 275 /* make sure it's seen as empty */
276 INIT_LIST_HEAD(&bl->buf_list);
25a2c188 277 bl->is_mapped = 0;
3b77495a
JA		 278 return i;
279 }
280
b4a72c05
WL		 281 /* protects io_buffers_cache */
282 lockdep_assert_held(&ctx->uring_lock);
283
3b77495a
JA		 284 while (!list_empty(&bl->buf_list)) {
285 struct io_buffer *nxt;
286
287 nxt = list_first_entry(&bl->buf_list, struct io_buffer, list);
b4a72c05 288 list_move(&nxt->list, &ctx->io_buffers_cache);
3b77495a
JA		 289 if (++i == nbufs)
290 return i;
291 cond_resched();
292 }
3b77495a
JA		 293
294 return i;
295}
296
297void io_destroy_buffers(struct io_ring_ctx *ctx)
298{
299 struct io_buffer_list *bl;
b3a4dbc8
GKB		 300 struct list_head *item, *tmp;
301 struct io_buffer *buf;
3b77495a
JA		 302 unsigned long index;
303 int i;
304
305 for (i = 0; i < BGID_ARRAY; i++) {
306 if (!ctx->io_bl)
307 break;
308 __io_remove_buffers(ctx, &ctx->io_bl[i], -1U);
309 }
310
311 xa_for_each(&ctx->io_bl_xa, index, bl) {
312 xa_erase(&ctx->io_bl_xa, bl->bgid);
313 __io_remove_buffers(ctx, bl, -1U);
5cf4f52e 314 kfree_rcu(bl, rcu);
3b77495a
JA		 315 }
316
07d6063d
JA		 317 /*
318 * Move deferred locked entries to cache before pruning
319 */
320 spin_lock(&ctx->completion_lock);
321 if (!list_empty(&ctx->io_buffers_comp))
322 list_splice_init(&ctx->io_buffers_comp, &ctx->io_buffers_cache);
323 spin_unlock(&ctx->completion_lock);
324
b3a4dbc8
GKB		 325 list_for_each_safe(item, tmp, &ctx->io_buffers_cache) {
326 buf = list_entry(item, struct io_buffer, list);
327 kmem_cache_free(io_buf_cachep, buf);
3b77495a
JA		 328 }
329}
330
331int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
332{
f2ccb5ae 333 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
3b77495a
JA		 334 u64 tmp;
335
336 if (sqe->rw_flags || sqe->addr || sqe->len || sqe->off ||
337 sqe->splice_fd_in)
338 return -EINVAL;
339
340 tmp = READ_ONCE(sqe->fd);
f74c746e 341 if (!tmp || tmp > MAX_BIDS_PER_BGID)
3b77495a
JA		 342 return -EINVAL;
343
344 memset(p, 0, sizeof(*p));
345 p->nbufs = tmp;
346 p->bgid = READ_ONCE(sqe->buf_group);
347 return 0;
348}
349
350int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
351{
f2ccb5ae 352 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
3b77495a
JA		 353 struct io_ring_ctx *ctx = req->ctx;
354 struct io_buffer_list *bl;
355 int ret = 0;
356
357 io_ring_submit_lock(ctx, issue_flags);
358
359 ret = -ENOENT;
360 bl = io_buffer_get_list(ctx, p->bgid);
361 if (bl) {
362 ret = -EINVAL;
363 /* can't use provide/remove buffers command on mapped buffers */
25a2c188 364 if (!bl->is_mapped)
3b77495a
JA		 365 ret = __io_remove_buffers(ctx, bl, p->nbufs);
366 }
c3b49093 367 io_ring_submit_unlock(ctx, issue_flags);
3b77495a
JA		 368 if (ret < 0)
369 req_set_fail(req);
3b77495a 370 io_req_set_res(req, ret, 0);
c3b49093 371 return IOU_OK;
3b77495a
JA		 372}
373
374int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
375{
376 unsigned long size, tmp_check;
f2ccb5ae 377 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
3b77495a
JA		 378 u64 tmp;
379
380 if (sqe->rw_flags || sqe->splice_fd_in)
381 return -EINVAL;
382
383 tmp = READ_ONCE(sqe->fd);
f74c746e 384 if (!tmp || tmp > MAX_BIDS_PER_BGID)
3b77495a
JA		 385 return -E2BIG;
386 p->nbufs = tmp;
387 p->addr = READ_ONCE(sqe->addr);
388 p->len = READ_ONCE(sqe->len);
389
390 if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
391 &size))
392 return -EOVERFLOW;
393 if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
394 return -EOVERFLOW;
395
396 size = (unsigned long)p->len * p->nbufs;
397 if (!access_ok(u64_to_user_ptr(p->addr), size))
398 return -EFAULT;
399
400 p->bgid = READ_ONCE(sqe->buf_group);
401 tmp = READ_ONCE(sqe->off);
402 if (tmp > USHRT_MAX)
403 return -E2BIG;
f74c746e 404 if (tmp + p->nbufs > MAX_BIDS_PER_BGID)
3851d25c 405 return -EINVAL;
3b77495a
JA		 406 p->bid = tmp;
407 return 0;
408}
409
b3a4dbc8
GKB		 410#define IO_BUFFER_ALLOC_BATCH 64
411
3b77495a
JA		 412static int io_refill_buffer_cache(struct io_ring_ctx *ctx)
413{
b3a4dbc8
GKB		 414 struct io_buffer *bufs[IO_BUFFER_ALLOC_BATCH];
415 int allocated;
3b77495a
JA		 416
417 /*
418 * Completions that don't happen inline (eg not under uring_lock) will
419 * add to ->io_buffers_comp. If we don't have any free buffers, check
420 * the completion list and splice those entries first.
421 */
422 if (!list_empty_careful(&ctx->io_buffers_comp)) {
423 spin_lock(&ctx->completion_lock);
424 if (!list_empty(&ctx->io_buffers_comp)) {
425 list_splice_init(&ctx->io_buffers_comp,
426 &ctx->io_buffers_cache);
427 spin_unlock(&ctx->completion_lock);
428 return 0;
429 }
430 spin_unlock(&ctx->completion_lock);
431 }
432
433 /*
434 * No free buffers and no completion entries either. Allocate a new
b3a4dbc8 435 * batch of buffer entries and add those to our freelist.
3b77495a 436 */
3b77495a 437
b3a4dbc8
GKB		 438 allocated = kmem_cache_alloc_bulk(io_buf_cachep, GFP_KERNEL_ACCOUNT,
439 ARRAY_SIZE(bufs), (void **) bufs);
440 if (unlikely(!allocated)) {
441 /*
442 * Bulk alloc is all-or-nothing. If we fail to get a batch,
443 * retry single alloc to be on the safe side.
444 */
445 bufs[0] = kmem_cache_alloc(io_buf_cachep, GFP_KERNEL);
446 if (!bufs[0])
447 return -ENOMEM;
448 allocated = 1;
3b77495a
JA		 449 }
450
b3a4dbc8
GKB		 451 while (allocated)
452 list_add_tail(&bufs[--allocated]->list, &ctx->io_buffers_cache);
453
3b77495a
JA		 454 return 0;
455}
456
457static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
458 struct io_buffer_list *bl)
459{
460 struct io_buffer *buf;
461 u64 addr = pbuf->addr;
462 int i, bid = pbuf->bid;
463
464 for (i = 0; i < pbuf->nbufs; i++) {
465 if (list_empty(&ctx->io_buffers_cache) &&
466 io_refill_buffer_cache(ctx))
467 break;
468 buf = list_first_entry(&ctx->io_buffers_cache, struct io_buffer,
469 list);
470 list_move_tail(&buf->list, &bl->buf_list);
471 buf->addr = addr;
472 buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
473 buf->bid = bid;
474 buf->bgid = pbuf->bgid;
475 addr += pbuf->len;
476 bid++;
477 cond_resched();
478 }
479
480 return i ? 0 : -ENOMEM;
481}
482
483int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
484{
f2ccb5ae 485 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
3b77495a
JA		 486 struct io_ring_ctx *ctx = req->ctx;
487 struct io_buffer_list *bl;
488 int ret = 0;
489
490 io_ring_submit_lock(ctx, issue_flags);
491
492 if (unlikely(p->bgid < BGID_ARRAY && !ctx->io_bl)) {
493 ret = io_init_bl_list(ctx);
494 if (ret)
495 goto err;
496 }
497
498 bl = io_buffer_get_list(ctx, p->bgid);
499 if (unlikely(!bl)) {
cc18cc5e 500 bl = kzalloc(sizeof(*bl), GFP_KERNEL_ACCOUNT);
3b77495a
JA		 501 if (!bl) {
502 ret = -ENOMEM;
503 goto err;
504 }
505 INIT_LIST_HEAD(&bl->buf_list);
506 ret = io_buffer_add_list(ctx, bl, p->bgid);
507 if (ret) {
5cf4f52e
JA		 508 /*
509 * Doesn't need rcu free as it was never visible, but
510 * let's keep it consistent throughout. Also can't
511 * be a lower indexed array group, as adding one
512 * where lookup failed cannot happen.
513 */
514 if (p->bgid >= BGID_ARRAY)
515 kfree_rcu(bl, rcu);
516 else
517 WARN_ON_ONCE(1);
3b77495a
JA		 518 goto err;
519 }
520 }
521 /* can't add buffers via this command for a mapped buffer ring */
25a2c188 522 if (bl->is_mapped) {
3b77495a
JA		 523 ret = -EINVAL;
524 goto err;
525 }
526
527 ret = io_add_buffers(ctx, p, bl);
528err:
c3b49093
PB		 529 io_ring_submit_unlock(ctx, issue_flags);
530
3b77495a
JA		 531 if (ret < 0)
532 req_set_fail(req);
3b77495a 533 io_req_set_res(req, ret, 0);
c3b49093 534 return IOU_OK;
3b77495a
JA		 535}
536
ba56b632
JA		 537static int io_pin_pbuf_ring(struct io_uring_buf_reg *reg,
538 struct io_buffer_list *bl)
3b77495a
JA		 539{
540 struct io_uring_buf_ring *br;
3b77495a 541 struct page **pages;
f8024f1f 542 int i, nr_pages;
3b77495a 543
ba56b632
JA		 544 pages = io_pin_pages(reg->ring_addr,
545 flex_array_size(br, bufs, reg->ring_entries),
546 &nr_pages);
547 if (IS_ERR(pages))
548 return PTR_ERR(pages);
549
f8024f1f
JA		 550 /*
551 * Apparently some 32-bit boxes (ARM) will return highmem pages,
552 * which then need to be mapped. We could support that, but it'd
553 * complicate the code and slowdown the common cases quite a bit.
554 * So just error out, returning -EINVAL just like we did on kernels
555 * that didn't support mapped buffer rings.
556 */
557 for (i = 0; i < nr_pages; i++)
558 if (PageHighMem(pages[i]))
559 goto error_unpin;
560
ba56b632 561 br = page_address(pages[0]);
fcb46c0c
JA		 562#ifdef SHM_COLOUR
563 /*
564 * On platforms that have specific aliasing requirements, SHM_COLOUR
565 * is set and we must guarantee that the kernel and user side align
566 * nicely. We cannot do that if IOU_PBUF_RING_MMAP isn't set and
567 * the application mmap's the provided ring buffer. Fail the request
568 * if we, by chance, don't end up with aligned addresses. The app
569 * should use IOU_PBUF_RING_MMAP instead, and liburing will handle
570 * this transparently.
571 */
f8024f1f
JA		 572 if ((reg->ring_addr | (unsigned long) br) & (SHM_COLOUR - 1))
573 goto error_unpin;
fcb46c0c 574#endif
ba56b632
JA		 575 bl->buf_pages = pages;
576 bl->buf_nr_pages = nr_pages;
577 bl->buf_ring = br;
25a2c188 578 bl->is_mapped = 1;
c56e022c
JA		 579 bl->is_mmap = 0;
580 return 0;
f8024f1f
JA		 581error_unpin:
582 for (i = 0; i < nr_pages; i++)
583 unpin_user_page(pages[i]);
584 kvfree(pages);
585 return -EINVAL;
c56e022c
JA		 586}
587
b10b73c1
JA		 588/*
589 * See if we have a suitable region that we can reuse, rather than allocate
590 * both a new io_buf_free and mem region again. We leave it on the list as
591 * even a reused entry will need freeing at ring release.
592 */
593static struct io_buf_free *io_lookup_buf_free_entry(struct io_ring_ctx *ctx,
594 size_t ring_size)
595{
596 struct io_buf_free *ibf, *best = NULL;
597 size_t best_dist;
598
599 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
600 size_t dist;
601
602 if (ibf->inuse || ibf->size < ring_size)
603 continue;
604 dist = ibf->size - ring_size;
605 if (!best || dist < best_dist) {
606 best = ibf;
607 if (!dist)
608 break;
609 best_dist = dist;
610 }
611 }
612
613 return best;
614}
615
c392cbec
JA		 616static int io_alloc_pbuf_ring(struct io_ring_ctx *ctx,
617 struct io_uring_buf_reg *reg,
c56e022c
JA		 618 struct io_buffer_list *bl)
619{
c392cbec 620 struct io_buf_free *ibf;
c56e022c
JA		 621 size_t ring_size;
622 void *ptr;
623
624 ring_size = reg->ring_entries * sizeof(struct io_uring_buf_ring);
c56e022c 625
b10b73c1
JA		 626 /* Reuse existing entry, if we can */
627 ibf = io_lookup_buf_free_entry(ctx, ring_size);
c392cbec 628 if (!ibf) {
b10b73c1 629 ptr = io_mem_alloc(ring_size);
e53f7b54
DC		 630 if (IS_ERR(ptr))
631 return PTR_ERR(ptr);
c392cbec 632
b10b73c1
JA		 633 /* Allocate and store deferred free entry */
634 ibf = kmalloc(sizeof(*ibf), GFP_KERNEL_ACCOUNT);
635 if (!ibf) {
636 io_mem_free(ptr);
637 return -ENOMEM;
638 }
639 ibf->mem = ptr;
640 ibf->size = ring_size;
641 hlist_add_head(&ibf->list, &ctx->io_buf_list);
642 }
643 ibf->inuse = 1;
644 bl->buf_ring = ibf->mem;
c56e022c
JA		 645 bl->is_mapped = 1;
646 bl->is_mmap = 1;
ba56b632
JA		 647 return 0;
648}
649
650int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
651{
652 struct io_uring_buf_reg reg;
653 struct io_buffer_list *bl, *free_bl = NULL;
654 int ret;
655
5cf4f52e
JA		 656 lockdep_assert_held(&ctx->uring_lock);
657
3b77495a
JA		 658 if (copy_from_user(&reg, arg, sizeof(reg)))
659 return -EFAULT;
660
81cf17cd 661 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
3b77495a 662 return -EINVAL;
c56e022c 663 if (reg.flags & ~IOU_PBUF_RING_MMAP)
3b77495a 664 return -EINVAL;
c56e022c
JA		 665 if (!(reg.flags & IOU_PBUF_RING_MMAP)) {
666 if (!reg.ring_addr)
667 return -EFAULT;
668 if (reg.ring_addr & ~PAGE_MASK)
669 return -EINVAL;
670 } else {
671 if (reg.ring_addr)
672 return -EINVAL;
673 }
674
3b77495a
JA		 675 if (!is_power_of_2(reg.ring_entries))
676 return -EINVAL;
677
678 /* cannot disambiguate full vs empty due to head/tail size */
679 if (reg.ring_entries >= 65536)
680 return -EINVAL;
681
682 if (unlikely(reg.bgid < BGID_ARRAY && !ctx->io_bl)) {
683 int ret = io_init_bl_list(ctx);
684 if (ret)
685 return ret;
686 }
687
688 bl = io_buffer_get_list(ctx, reg.bgid);
689 if (bl) {
690 /* if mapped buffer ring OR classic exists, don't allow */
25a2c188 691 if (bl->is_mapped || !list_empty(&bl->buf_list))
3b77495a
JA		 692 return -EEXIST;
693 } else {
694 free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
695 if (!bl)
696 return -ENOMEM;
697 }
698
c56e022c
JA		 699 if (!(reg.flags & IOU_PBUF_RING_MMAP))
700 ret = io_pin_pbuf_ring(&reg, bl);
701 else
c392cbec 702 ret = io_alloc_pbuf_ring(ctx, &reg, bl);
3b77495a 703
c56e022c
JA		 704 if (!ret) {
705 bl->nr_entries = reg.ring_entries;
706 bl->mask = reg.ring_entries - 1;
ba56b632 707
c56e022c
JA		 708 io_buffer_add_list(ctx, bl, reg.bgid);
709 return 0;
3b77495a
JA		 710 }
711
5cf4f52e 712 kfree_rcu(free_bl, rcu);
c56e022c 713 return ret;
3b77495a
JA		 714}
715
716int io_unregister_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
717{
718 struct io_uring_buf_reg reg;
719 struct io_buffer_list *bl;
720
5cf4f52e
JA		 721 lockdep_assert_held(&ctx->uring_lock);
722
3b77495a
JA		 723 if (copy_from_user(&reg, arg, sizeof(reg)))
724 return -EFAULT;
81cf17cd
JA		 725 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
726 return -EINVAL;
727 if (reg.flags)
3b77495a
JA		 728 return -EINVAL;
729
730 bl = io_buffer_get_list(ctx, reg.bgid);
731 if (!bl)
732 return -ENOENT;
25a2c188 733 if (!bl->is_mapped)
3b77495a
JA		 734 return -EINVAL;
735
736 __io_remove_buffers(ctx, bl, -1U);
737 if (bl->bgid >= BGID_ARRAY) {
738 xa_erase(&ctx->io_bl_xa, bl->bgid);
5cf4f52e 739 kfree_rcu(bl, rcu);
3b77495a
JA		 740 }
741 return 0;
742}
c56e022c 743
d293b1a8
JA		 744int io_register_pbuf_status(struct io_ring_ctx *ctx, void __user *arg)
745{
746 struct io_uring_buf_status buf_status;
747 struct io_buffer_list *bl;
748 int i;
749
750 if (copy_from_user(&buf_status, arg, sizeof(buf_status)))
751 return -EFAULT;
752
753 for (i = 0; i < ARRAY_SIZE(buf_status.resv); i++)
754 if (buf_status.resv[i])
755 return -EINVAL;
756
757 bl = io_buffer_get_list(ctx, buf_status.buf_group);
758 if (!bl)
759 return -ENOENT;
760 if (!bl->is_mapped)
761 return -EINVAL;
762
763 buf_status.head = bl->head;
764 if (copy_to_user(arg, &buf_status, sizeof(buf_status)))
765 return -EFAULT;
766
767 return 0;
768}
769
c56e022c
JA		 770void *io_pbuf_get_address(struct io_ring_ctx *ctx, unsigned long bgid)
771{
772 struct io_buffer_list *bl;
773
5cf4f52e
JA		 774 bl = __io_buffer_get_list(ctx, smp_load_acquire(&ctx->io_bl), bgid);
775
9865346b
JA		 776 if (!bl || !bl->is_mmap)
777 return NULL;
5cf4f52e
JA		 778 /*
779 * Ensure the list is fully setup. Only strictly needed for RCU lookup
780 * via mmap, and in that case only for the array indexed groups. For
781 * the xarray lookups, it's either visible and ready, or not at all.
782 */
783 if (!smp_load_acquire(&bl->is_ready))
784 return NULL;
c56e022c
JA		 785
786 return bl->buf_ring;
787}
c392cbec
JA		 788
789/*
790 * Called at or after ->release(), free the mmap'ed buffers that we used
791 * for memory mapped provided buffer rings.
792 */
793void io_kbuf_mmap_list_free(struct io_ring_ctx *ctx)
794{
795 struct io_buf_free *ibf;
796 struct hlist_node *tmp;
797
798 hlist_for_each_entry_safe(ibf, tmp, &ctx->io_buf_list, list) {
799 hlist_del(&ibf->list);
800 io_mem_free(ibf->mem);
801 kfree(ibf);
802 }
803}
Linux 6.x block layer and io_uring tree(s)