1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <linux/refcount.h>
48 #include <linux/uio.h>
50 #include <linux/sched/signal.h>
52 #include <linux/file.h>
53 #include <linux/fdtable.h>
55 #include <linux/mman.h>
56 #include <linux/mmu_context.h>
57 #include <linux/percpu.h>
58 #include <linux/slab.h>
59 #include <linux/kthread.h>
60 #include <linux/blkdev.h>
61 #include <linux/bvec.h>
62 #include <linux/net.h>
64 #include <net/af_unix.h>
66 #include <linux/anon_inodes.h>
67 #include <linux/sched/mm.h>
68 #include <linux/uaccess.h>
69 #include <linux/nospec.h>
70 #include <linux/sizes.h>
71 #include <linux/hugetlb.h>
72 #include <linux/highmem.h>
73 #include <linux/namei.h>
74 #include <linux/fsnotify.h>
75 #include <linux/fadvise.h>
77 #define CREATE_TRACE_POINTS
78 #include <trace/events/io_uring.h>
80 #include <uapi/linux/io_uring.h>
85 #define IORING_MAX_ENTRIES 32768
86 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
89 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
91 #define IORING_FILE_TABLE_SHIFT 9
92 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
93 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
94 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
97 u32 head ____cacheline_aligned_in_smp;
98 u32 tail ____cacheline_aligned_in_smp;
102 * This data is shared with the application through the mmap at offsets
103 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
105 * The offsets to the member fields are published through struct
106 * io_sqring_offsets when calling io_uring_setup.
110 * Head and tail offsets into the ring; the offsets need to be
111 * masked to get valid indices.
113 * The kernel controls head of the sq ring and the tail of the cq ring,
114 * and the application controls tail of the sq ring and the head of the
117 struct io_uring sq, cq;
119 * Bitmasks to apply to head and tail offsets (constant, equals
122 u32 sq_ring_mask, cq_ring_mask;
123 /* Ring sizes (constant, power of 2) */
124 u32 sq_ring_entries, cq_ring_entries;
126 * Number of invalid entries dropped by the kernel due to
127 * invalid index stored in array
129 * Written by the kernel, shouldn't be modified by the
130 * application (i.e. get number of "new events" by comparing to
133 * After a new SQ head value was read by the application this
134 * counter includes all submissions that were dropped reaching
135 * the new SQ head (and possibly more).
141 * Written by the kernel, shouldn't be modified by the
144 * The application needs a full memory barrier before checking
145 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
149 * Number of completion events lost because the queue was full;
150 * this should be avoided by the application by making sure
151 * there are not more requests pending than there is space in
152 * the completion queue.
154 * Written by the kernel, shouldn't be modified by the
155 * application (i.e. get number of "new events" by comparing to
158 * As completion events come in out of order this counter is not
159 * ordered with any other data.
163 * Ring buffer of completion events.
165 * The kernel writes completion events fresh every time they are
166 * produced, so the application is allowed to modify pending
169 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
172 struct io_mapped_ubuf {
175 struct bio_vec *bvec;
176 unsigned int nr_bvecs;
179 struct fixed_file_table {
187 struct fixed_file_data {
188 struct fixed_file_table *table;
189 struct io_ring_ctx *ctx;
191 struct percpu_ref refs;
192 struct llist_head put_llist;
194 struct work_struct ref_work;
195 struct completion done;
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
207 bool cq_overflow_flushed;
211 * Ring buffer of indices into array of io_uring_sqe, which is
212 * mmapped by the application using the IORING_OFF_SQES offset.
214 * This indirection could e.g. be used to assign fixed
215 * io_uring_sqe entries to operations and only submit them to
216 * the queue when needed.
218 * The kernel modifies neither the indices array nor the entries
222 unsigned cached_sq_head;
225 unsigned sq_thread_idle;
226 unsigned cached_sq_dropped;
227 atomic_t cached_cq_overflow;
228 unsigned long sq_check_overflow;
230 struct list_head defer_list;
231 struct list_head timeout_list;
232 struct list_head cq_overflow_list;
234 wait_queue_head_t inflight_wait;
235 struct io_uring_sqe *sq_sqes;
236 } ____cacheline_aligned_in_smp;
238 struct io_rings *rings;
242 struct task_struct *sqo_thread; /* if using sq thread polling */
243 struct mm_struct *sqo_mm;
244 wait_queue_head_t sqo_wait;
247 * If used, fixed file set. Writers must ensure that ->refs is dead,
248 * readers must ensure that ->refs is alive as long as the file* is
249 * used. Only updated through io_uring_register(2).
251 struct fixed_file_data *file_data;
252 unsigned nr_user_files;
254 /* if used, fixed mapped user buffers */
255 unsigned nr_user_bufs;
256 struct io_mapped_ubuf *user_bufs;
258 struct user_struct *user;
260 const struct cred *creds;
262 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
263 struct completion *completions;
265 /* if all else fails... */
266 struct io_kiocb *fallback_req;
268 #if defined(CONFIG_UNIX)
269 struct socket *ring_sock;
273 unsigned cached_cq_tail;
276 atomic_t cq_timeouts;
277 unsigned long cq_check_overflow;
278 struct wait_queue_head cq_wait;
279 struct fasync_struct *cq_fasync;
280 struct eventfd_ctx *cq_ev_fd;
281 } ____cacheline_aligned_in_smp;
284 struct mutex uring_lock;
285 wait_queue_head_t wait;
286 } ____cacheline_aligned_in_smp;
289 spinlock_t completion_lock;
290 struct llist_head poll_llist;
293 * ->poll_list is protected by the ctx->uring_lock for
294 * io_uring instances that don't use IORING_SETUP_SQPOLL.
295 * For SQPOLL, only the single threaded io_sq_thread() will
296 * manipulate the list, hence no extra locking is needed there.
298 struct list_head poll_list;
299 struct hlist_head *cancel_hash;
300 unsigned cancel_hash_bits;
301 bool poll_multi_file;
303 spinlock_t inflight_lock;
304 struct list_head inflight_list;
305 } ____cacheline_aligned_in_smp;
309 * First field must be the file pointer in all the
310 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
312 struct io_poll_iocb {
315 struct wait_queue_head *head;
321 struct wait_queue_entry wait;
326 struct file *put_file;
330 struct io_timeout_data {
331 struct io_kiocb *req;
332 struct hrtimer timer;
333 struct timespec64 ts;
334 enum hrtimer_mode mode;
340 struct sockaddr __user *addr;
341 int __user *addr_len;
366 /* NOTE: kiocb has the file as the first member, so don't do it here */
374 struct sockaddr __user *addr;
380 struct user_msghdr __user *msg;
391 const char __user *fname;
392 struct filename *filename;
393 struct statx __user *buffer;
397 struct io_files_update {
418 struct io_async_connect {
419 struct sockaddr_storage address;
422 struct io_async_msghdr {
423 struct iovec fast_iov[UIO_FASTIOV];
425 struct sockaddr __user *uaddr;
430 struct iovec fast_iov[UIO_FASTIOV];
436 struct io_async_open {
437 struct filename *filename;
440 struct io_async_ctx {
442 struct io_async_rw rw;
443 struct io_async_msghdr msg;
444 struct io_async_connect connect;
445 struct io_timeout_data timeout;
446 struct io_async_open open;
451 * NOTE! Each of the iocb union members has the file pointer
452 * as the first entry in their struct definition. So you can
453 * access the file pointer through any of the sub-structs,
454 * or directly as just 'ki_filp' in this struct.
460 struct io_poll_iocb poll;
461 struct io_accept accept;
463 struct io_cancel cancel;
464 struct io_timeout timeout;
465 struct io_connect connect;
466 struct io_sr_msg sr_msg;
468 struct io_close close;
469 struct io_files_update files_update;
470 struct io_fadvise fadvise;
471 struct io_madvise madvise;
474 struct io_async_ctx *io;
477 * ring_file is only used in the submission path, and
478 * llist_node is only used for poll deferred completions
480 struct file *ring_file;
481 struct llist_node llist_node;
486 bool needs_fixed_file;
489 struct io_ring_ctx *ctx;
491 struct list_head list;
492 struct hlist_node hash_node;
494 struct list_head link_list;
497 #define REQ_F_NOWAIT 1 /* must not punt to workers */
498 #define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
499 #define REQ_F_FIXED_FILE 4 /* ctx owns file */
500 #define REQ_F_LINK_NEXT 8 /* already grabbed next link */
501 #define REQ_F_IO_DRAIN 16 /* drain existing IO first */
502 #define REQ_F_IO_DRAINED 32 /* drain done */
503 #define REQ_F_LINK 64 /* linked sqes */
504 #define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
505 #define REQ_F_FAIL_LINK 256 /* fail rest of links */
506 #define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
507 #define REQ_F_TIMEOUT 1024 /* timeout request */
508 #define REQ_F_ISREG 2048 /* regular file */
509 #define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
510 #define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
511 #define REQ_F_INFLIGHT 16384 /* on inflight list */
512 #define REQ_F_COMP_LOCKED 32768 /* completion under lock */
513 #define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
514 #define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
515 #define REQ_F_CUR_POS 262144 /* read/write uses file position */
520 struct list_head inflight_entry;
522 struct io_wq_work work;
525 #define IO_PLUG_THRESHOLD 2
526 #define IO_IOPOLL_BATCH 8
528 struct io_submit_state {
529 struct blk_plug plug;
532 * io_kiocb alloc cache
534 void *reqs[IO_IOPOLL_BATCH];
535 unsigned int free_reqs;
536 unsigned int cur_req;
539 * File reference cache
543 unsigned int has_refs;
544 unsigned int used_refs;
545 unsigned int ios_left;
549 /* needs req->io allocated for deferral/async */
550 unsigned async_ctx : 1;
551 /* needs current->mm setup, does mm access */
552 unsigned needs_mm : 1;
553 /* needs req->file assigned */
554 unsigned needs_file : 1;
555 /* needs req->file assigned IFF fd is >= 0 */
556 unsigned fd_non_neg : 1;
557 /* hash wq insertion if file is a regular file */
558 unsigned hash_reg_file : 1;
559 /* unbound wq insertion if file is a non-regular file */
560 unsigned unbound_nonreg_file : 1;
563 static const struct io_op_def io_op_defs[] = {
568 /* IORING_OP_READV */
572 .unbound_nonreg_file = 1,
575 /* IORING_OP_WRITEV */
580 .unbound_nonreg_file = 1,
583 /* IORING_OP_FSYNC */
587 /* IORING_OP_READ_FIXED */
589 .unbound_nonreg_file = 1,
592 /* IORING_OP_WRITE_FIXED */
595 .unbound_nonreg_file = 1,
598 /* IORING_OP_POLL_ADD */
600 .unbound_nonreg_file = 1,
603 /* IORING_OP_POLL_REMOVE */
606 /* IORING_OP_SYNC_FILE_RANGE */
610 /* IORING_OP_SENDMSG */
614 .unbound_nonreg_file = 1,
617 /* IORING_OP_RECVMSG */
621 .unbound_nonreg_file = 1,
624 /* IORING_OP_TIMEOUT */
629 /* IORING_OP_TIMEOUT_REMOVE */
632 /* IORING_OP_ACCEPT */
635 .unbound_nonreg_file = 1,
638 /* IORING_OP_ASYNC_CANCEL */
641 /* IORING_OP_LINK_TIMEOUT */
646 /* IORING_OP_CONNECT */
650 .unbound_nonreg_file = 1,
653 /* IORING_OP_FALLOCATE */
657 /* IORING_OP_OPENAT */
662 /* IORING_OP_CLOSE */
666 /* IORING_OP_FILES_UPDATE */
670 /* IORING_OP_STATX */
679 .unbound_nonreg_file = 1,
682 /* IORING_OP_WRITE */
685 .unbound_nonreg_file = 1,
688 /* IORING_OP_FADVISE */
692 /* IORING_OP_MADVISE */
697 static void io_wq_submit_work(struct io_wq_work **workptr);
698 static void io_cqring_fill_event(struct io_kiocb *req, long res);
699 static void io_put_req(struct io_kiocb *req);
700 static void __io_double_put_req(struct io_kiocb *req);
701 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
702 static void io_queue_linked_timeout(struct io_kiocb *req);
703 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
704 struct io_uring_files_update *ip,
707 static struct kmem_cache *req_cachep;
709 static const struct file_operations io_uring_fops;
711 struct sock *io_uring_get_socket(struct file *file)
713 #if defined(CONFIG_UNIX)
714 if (file->f_op == &io_uring_fops) {
715 struct io_ring_ctx *ctx = file->private_data;
717 return ctx->ring_sock->sk;
722 EXPORT_SYMBOL(io_uring_get_socket);
724 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
726 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
728 complete(&ctx->completions[0]);
731 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
733 struct io_ring_ctx *ctx;
736 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
740 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
741 if (!ctx->fallback_req)
744 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
745 if (!ctx->completions)
749 * Use 5 bits less than the max cq entries, that should give us around
750 * 32 entries per hash list if totally full and uniformly spread.
752 hash_bits = ilog2(p->cq_entries);
756 ctx->cancel_hash_bits = hash_bits;
757 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
759 if (!ctx->cancel_hash)
761 __hash_init(ctx->cancel_hash, 1U << hash_bits);
763 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
764 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
767 ctx->flags = p->flags;
768 init_waitqueue_head(&ctx->cq_wait);
769 INIT_LIST_HEAD(&ctx->cq_overflow_list);
770 init_completion(&ctx->completions[0]);
771 init_completion(&ctx->completions[1]);
772 mutex_init(&ctx->uring_lock);
773 init_waitqueue_head(&ctx->wait);
774 spin_lock_init(&ctx->completion_lock);
775 init_llist_head(&ctx->poll_llist);
776 INIT_LIST_HEAD(&ctx->poll_list);
777 INIT_LIST_HEAD(&ctx->defer_list);
778 INIT_LIST_HEAD(&ctx->timeout_list);
779 init_waitqueue_head(&ctx->inflight_wait);
780 spin_lock_init(&ctx->inflight_lock);
781 INIT_LIST_HEAD(&ctx->inflight_list);
784 if (ctx->fallback_req)
785 kmem_cache_free(req_cachep, ctx->fallback_req);
786 kfree(ctx->completions);
787 kfree(ctx->cancel_hash);
792 static inline bool __req_need_defer(struct io_kiocb *req)
794 struct io_ring_ctx *ctx = req->ctx;
796 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
797 + atomic_read(&ctx->cached_cq_overflow);
800 static inline bool req_need_defer(struct io_kiocb *req)
802 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
803 return __req_need_defer(req);
808 static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
810 struct io_kiocb *req;
812 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
813 if (req && !req_need_defer(req)) {
814 list_del_init(&req->list);
821 static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
823 struct io_kiocb *req;
825 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
827 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
829 if (!__req_need_defer(req)) {
830 list_del_init(&req->list);
838 static void __io_commit_cqring(struct io_ring_ctx *ctx)
840 struct io_rings *rings = ctx->rings;
842 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
843 /* order cqe stores with ring update */
844 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
846 if (wq_has_sleeper(&ctx->cq_wait)) {
847 wake_up_interruptible(&ctx->cq_wait);
848 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
853 static inline bool io_prep_async_work(struct io_kiocb *req,
854 struct io_kiocb **link)
856 const struct io_op_def *def = &io_op_defs[req->opcode];
857 bool do_hashed = false;
859 if (req->flags & REQ_F_ISREG) {
860 if (def->hash_reg_file)
863 if (def->unbound_nonreg_file)
864 req->work.flags |= IO_WQ_WORK_UNBOUND;
867 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
869 *link = io_prep_linked_timeout(req);
873 static inline void io_queue_async_work(struct io_kiocb *req)
875 struct io_ring_ctx *ctx = req->ctx;
876 struct io_kiocb *link;
879 do_hashed = io_prep_async_work(req, &link);
881 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
884 io_wq_enqueue(ctx->io_wq, &req->work);
886 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
887 file_inode(req->file));
891 io_queue_linked_timeout(link);
894 static void io_kill_timeout(struct io_kiocb *req)
898 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
900 atomic_inc(&req->ctx->cq_timeouts);
901 list_del_init(&req->list);
902 io_cqring_fill_event(req, 0);
907 static void io_kill_timeouts(struct io_ring_ctx *ctx)
909 struct io_kiocb *req, *tmp;
911 spin_lock_irq(&ctx->completion_lock);
912 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
913 io_kill_timeout(req);
914 spin_unlock_irq(&ctx->completion_lock);
917 static void io_commit_cqring(struct io_ring_ctx *ctx)
919 struct io_kiocb *req;
921 while ((req = io_get_timeout_req(ctx)) != NULL)
922 io_kill_timeout(req);
924 __io_commit_cqring(ctx);
926 while ((req = io_get_deferred_req(ctx)) != NULL) {
927 req->flags |= REQ_F_IO_DRAINED;
928 io_queue_async_work(req);
932 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
934 struct io_rings *rings = ctx->rings;
937 tail = ctx->cached_cq_tail;
939 * writes to the cq entry need to come after reading head; the
940 * control dependency is enough as we're using WRITE_ONCE to
943 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
946 ctx->cached_cq_tail++;
947 return &rings->cqes[tail & ctx->cq_mask];
950 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
952 if (waitqueue_active(&ctx->wait))
954 if (waitqueue_active(&ctx->sqo_wait))
955 wake_up(&ctx->sqo_wait);
957 eventfd_signal(ctx->cq_ev_fd, 1);
960 /* Returns true if there are no backlogged entries after the flush */
961 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
963 struct io_rings *rings = ctx->rings;
964 struct io_uring_cqe *cqe;
965 struct io_kiocb *req;
970 if (list_empty_careful(&ctx->cq_overflow_list))
972 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
973 rings->cq_ring_entries))
977 spin_lock_irqsave(&ctx->completion_lock, flags);
979 /* if force is set, the ring is going away. always drop after that */
981 ctx->cq_overflow_flushed = true;
984 while (!list_empty(&ctx->cq_overflow_list)) {
985 cqe = io_get_cqring(ctx);
989 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
991 list_move(&req->list, &list);
993 WRITE_ONCE(cqe->user_data, req->user_data);
994 WRITE_ONCE(cqe->res, req->result);
995 WRITE_ONCE(cqe->flags, 0);
997 WRITE_ONCE(ctx->rings->cq_overflow,
998 atomic_inc_return(&ctx->cached_cq_overflow));
1002 io_commit_cqring(ctx);
1004 clear_bit(0, &ctx->sq_check_overflow);
1005 clear_bit(0, &ctx->cq_check_overflow);
1007 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1008 io_cqring_ev_posted(ctx);
1010 while (!list_empty(&list)) {
1011 req = list_first_entry(&list, struct io_kiocb, list);
1012 list_del(&req->list);
1019 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1021 struct io_ring_ctx *ctx = req->ctx;
1022 struct io_uring_cqe *cqe;
1024 trace_io_uring_complete(ctx, req->user_data, res);
1027 * If we can't get a cq entry, userspace overflowed the
1028 * submission (by quite a lot). Increment the overflow count in
1031 cqe = io_get_cqring(ctx);
1033 WRITE_ONCE(cqe->user_data, req->user_data);
1034 WRITE_ONCE(cqe->res, res);
1035 WRITE_ONCE(cqe->flags, 0);
1036 } else if (ctx->cq_overflow_flushed) {
1037 WRITE_ONCE(ctx->rings->cq_overflow,
1038 atomic_inc_return(&ctx->cached_cq_overflow));
1040 if (list_empty(&ctx->cq_overflow_list)) {
1041 set_bit(0, &ctx->sq_check_overflow);
1042 set_bit(0, &ctx->cq_check_overflow);
1044 refcount_inc(&req->refs);
1046 list_add_tail(&req->list, &ctx->cq_overflow_list);
1050 static void io_cqring_add_event(struct io_kiocb *req, long res)
1052 struct io_ring_ctx *ctx = req->ctx;
1053 unsigned long flags;
1055 spin_lock_irqsave(&ctx->completion_lock, flags);
1056 io_cqring_fill_event(req, res);
1057 io_commit_cqring(ctx);
1058 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1060 io_cqring_ev_posted(ctx);
1063 static inline bool io_is_fallback_req(struct io_kiocb *req)
1065 return req == (struct io_kiocb *)
1066 ((unsigned long) req->ctx->fallback_req & ~1UL);
1069 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1071 struct io_kiocb *req;
1073 req = ctx->fallback_req;
1074 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1080 static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1081 struct io_submit_state *state)
1083 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1084 struct io_kiocb *req;
1087 req = kmem_cache_alloc(req_cachep, gfp);
1090 } else if (!state->free_reqs) {
1094 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1095 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1098 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1099 * retry single alloc to be on the safe side.
1101 if (unlikely(ret <= 0)) {
1102 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1103 if (!state->reqs[0])
1107 state->free_reqs = ret - 1;
1109 req = state->reqs[0];
1111 req = state->reqs[state->cur_req];
1118 req->ring_file = NULL;
1122 /* one is dropped after submission, the other at completion */
1123 refcount_set(&req->refs, 2);
1125 INIT_IO_WORK(&req->work, io_wq_submit_work);
1128 req = io_get_fallback_req(ctx);
1131 percpu_ref_put(&ctx->refs);
1136 void *reqs[IO_IOPOLL_BATCH];
1140 static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1144 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1145 percpu_ref_put_many(&ctx->refs, rb->to_free);
1146 percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
1150 static void __io_req_do_free(struct io_kiocb *req)
1152 if (likely(!io_is_fallback_req(req)))
1153 kmem_cache_free(req_cachep, req);
1155 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1158 static void __io_free_req(struct io_kiocb *req)
1160 struct io_ring_ctx *ctx = req->ctx;
1165 if (req->flags & REQ_F_FIXED_FILE)
1166 percpu_ref_put(&ctx->file_data->refs);
1170 if (req->flags & REQ_F_INFLIGHT) {
1171 unsigned long flags;
1173 spin_lock_irqsave(&ctx->inflight_lock, flags);
1174 list_del(&req->inflight_entry);
1175 if (waitqueue_active(&ctx->inflight_wait))
1176 wake_up(&ctx->inflight_wait);
1177 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1180 percpu_ref_put(&req->ctx->refs);
1181 __io_req_do_free(req);
1184 static bool io_link_cancel_timeout(struct io_kiocb *req)
1186 struct io_ring_ctx *ctx = req->ctx;
1189 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1191 io_cqring_fill_event(req, -ECANCELED);
1192 io_commit_cqring(ctx);
1193 req->flags &= ~REQ_F_LINK;
1201 static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1203 struct io_ring_ctx *ctx = req->ctx;
1204 bool wake_ev = false;
1206 /* Already got next link */
1207 if (req->flags & REQ_F_LINK_NEXT)
1211 * The list should never be empty when we are called here. But could
1212 * potentially happen if the chain is messed up, check to be on the
1215 while (!list_empty(&req->link_list)) {
1216 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1217 struct io_kiocb, link_list);
1219 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1220 (nxt->flags & REQ_F_TIMEOUT))) {
1221 list_del_init(&nxt->link_list);
1222 wake_ev |= io_link_cancel_timeout(nxt);
1223 req->flags &= ~REQ_F_LINK_TIMEOUT;
1227 list_del_init(&req->link_list);
1228 if (!list_empty(&nxt->link_list))
1229 nxt->flags |= REQ_F_LINK;
1234 req->flags |= REQ_F_LINK_NEXT;
1236 io_cqring_ev_posted(ctx);
1240 * Called if REQ_F_LINK is set, and we fail the head request
1242 static void io_fail_links(struct io_kiocb *req)
1244 struct io_ring_ctx *ctx = req->ctx;
1245 unsigned long flags;
1247 spin_lock_irqsave(&ctx->completion_lock, flags);
1249 while (!list_empty(&req->link_list)) {
1250 struct io_kiocb *link = list_first_entry(&req->link_list,
1251 struct io_kiocb, link_list);
1253 list_del_init(&link->link_list);
1254 trace_io_uring_fail_link(req, link);
1256 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
1257 link->opcode == IORING_OP_LINK_TIMEOUT) {
1258 io_link_cancel_timeout(link);
1260 io_cqring_fill_event(link, -ECANCELED);
1261 __io_double_put_req(link);
1263 req->flags &= ~REQ_F_LINK_TIMEOUT;
1266 io_commit_cqring(ctx);
1267 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1268 io_cqring_ev_posted(ctx);
1271 static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
1273 if (likely(!(req->flags & REQ_F_LINK)))
1277 * If LINK is set, we have dependent requests in this chain. If we
1278 * didn't fail this request, queue the first one up, moving any other
1279 * dependencies to the next request. In case of failure, fail the rest
1282 if (req->flags & REQ_F_FAIL_LINK) {
1284 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1285 REQ_F_LINK_TIMEOUT) {
1286 struct io_ring_ctx *ctx = req->ctx;
1287 unsigned long flags;
1290 * If this is a timeout link, we could be racing with the
1291 * timeout timer. Grab the completion lock for this case to
1292 * protect against that.
1294 spin_lock_irqsave(&ctx->completion_lock, flags);
1295 io_req_link_next(req, nxt);
1296 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1298 io_req_link_next(req, nxt);
1302 static void io_free_req(struct io_kiocb *req)
1304 struct io_kiocb *nxt = NULL;
1306 io_req_find_next(req, &nxt);
1310 io_queue_async_work(nxt);
1314 * Drop reference to request, return next in chain (if there is one) if this
1315 * was the last reference to this request.
1317 __attribute__((nonnull))
1318 static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1320 io_req_find_next(req, nxtptr);
1322 if (refcount_dec_and_test(&req->refs))
1326 static void io_put_req(struct io_kiocb *req)
1328 if (refcount_dec_and_test(&req->refs))
1333 * Must only be used if we don't need to care about links, usually from
1334 * within the completion handling itself.
1336 static void __io_double_put_req(struct io_kiocb *req)
1338 /* drop both submit and complete references */
1339 if (refcount_sub_and_test(2, &req->refs))
1343 static void io_double_put_req(struct io_kiocb *req)
1345 /* drop both submit and complete references */
1346 if (refcount_sub_and_test(2, &req->refs))
1350 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1352 struct io_rings *rings = ctx->rings;
1354 if (test_bit(0, &ctx->cq_check_overflow)) {
1356 * noflush == true is from the waitqueue handler, just ensure
1357 * we wake up the task, and the next invocation will flush the
1358 * entries. We cannot safely to it from here.
1360 if (noflush && !list_empty(&ctx->cq_overflow_list))
1363 io_cqring_overflow_flush(ctx, false);
1366 /* See comment at the top of this file */
1368 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
1371 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1373 struct io_rings *rings = ctx->rings;
1375 /* make sure SQ entry isn't read before tail */
1376 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1379 static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
1382 * If we're not using fixed files, we have to pair the completion part
1383 * with the file put. Use regular completions for those, only batch
1384 * free for fixed file and non-linked commands.
1386 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) == REQ_F_FIXED_FILE)
1387 && !io_is_fallback_req(req) && !req->io) {
1388 rb->reqs[rb->to_free++] = req;
1389 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1390 io_free_req_many(req->ctx, rb);
1398 * Find and free completed poll iocbs
1400 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1401 struct list_head *done)
1403 struct req_batch rb;
1404 struct io_kiocb *req;
1407 while (!list_empty(done)) {
1408 req = list_first_entry(done, struct io_kiocb, list);
1409 list_del(&req->list);
1411 io_cqring_fill_event(req, req->result);
1414 if (refcount_dec_and_test(&req->refs) &&
1415 !io_req_multi_free(&rb, req))
1419 io_commit_cqring(ctx);
1420 io_free_req_many(ctx, &rb);
1423 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1426 struct io_kiocb *req, *tmp;
1432 * Only spin for completions if we don't have multiple devices hanging
1433 * off our complete list, and we're under the requested amount.
1435 spin = !ctx->poll_multi_file && *nr_events < min;
1438 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1439 struct kiocb *kiocb = &req->rw.kiocb;
1442 * Move completed entries to our local list. If we find a
1443 * request that requires polling, break out and complete
1444 * the done list first, if we have entries there.
1446 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1447 list_move_tail(&req->list, &done);
1450 if (!list_empty(&done))
1453 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1462 if (!list_empty(&done))
1463 io_iopoll_complete(ctx, nr_events, &done);
1469 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
1470 * non-spinning poll check - we'll still enter the driver poll loop, but only
1471 * as a non-spinning completion check.
1473 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1476 while (!list_empty(&ctx->poll_list) && !need_resched()) {
1479 ret = io_do_iopoll(ctx, nr_events, min);
1482 if (!min || *nr_events >= min)
1490 * We can't just wait for polled events to come to us, we have to actively
1491 * find and complete them.
1493 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1495 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1498 mutex_lock(&ctx->uring_lock);
1499 while (!list_empty(&ctx->poll_list)) {
1500 unsigned int nr_events = 0;
1502 io_iopoll_getevents(ctx, &nr_events, 1);
1505 * Ensure we allow local-to-the-cpu processing to take place,
1506 * in this case we need to ensure that we reap all events.
1510 mutex_unlock(&ctx->uring_lock);
1513 static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1516 int iters = 0, ret = 0;
1522 * Don't enter poll loop if we already have events pending.
1523 * If we do, we can potentially be spinning for commands that
1524 * already triggered a CQE (eg in error).
1526 if (io_cqring_events(ctx, false))
1530 * If a submit got punted to a workqueue, we can have the
1531 * application entering polling for a command before it gets
1532 * issued. That app will hold the uring_lock for the duration
1533 * of the poll right here, so we need to take a breather every
1534 * now and then to ensure that the issue has a chance to add
1535 * the poll to the issued list. Otherwise we can spin here
1536 * forever, while the workqueue is stuck trying to acquire the
1539 if (!(++iters & 7)) {
1540 mutex_unlock(&ctx->uring_lock);
1541 mutex_lock(&ctx->uring_lock);
1544 if (*nr_events < min)
1545 tmin = min - *nr_events;
1547 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1551 } while (min && !*nr_events && !need_resched());
1556 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1562 * We disallow the app entering submit/complete with polling, but we
1563 * still need to lock the ring to prevent racing with polled issue
1564 * that got punted to a workqueue.
1566 mutex_lock(&ctx->uring_lock);
1567 ret = __io_iopoll_check(ctx, nr_events, min);
1568 mutex_unlock(&ctx->uring_lock);
1572 static void kiocb_end_write(struct io_kiocb *req)
1575 * Tell lockdep we inherited freeze protection from submission
1578 if (req->flags & REQ_F_ISREG) {
1579 struct inode *inode = file_inode(req->file);
1581 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
1583 file_end_write(req->file);
1586 static inline void req_set_fail_links(struct io_kiocb *req)
1588 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1589 req->flags |= REQ_F_FAIL_LINK;
1592 static void io_complete_rw_common(struct kiocb *kiocb, long res)
1594 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1596 if (kiocb->ki_flags & IOCB_WRITE)
1597 kiocb_end_write(req);
1599 if (res != req->result)
1600 req_set_fail_links(req);
1601 io_cqring_add_event(req, res);
1604 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1606 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1608 io_complete_rw_common(kiocb, res);
1612 static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1614 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1615 struct io_kiocb *nxt = NULL;
1617 io_complete_rw_common(kiocb, res);
1618 io_put_req_find_next(req, &nxt);
1623 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1625 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1627 if (kiocb->ki_flags & IOCB_WRITE)
1628 kiocb_end_write(req);
1630 if (res != req->result)
1631 req_set_fail_links(req);
1634 req->flags |= REQ_F_IOPOLL_COMPLETED;
1638 * After the iocb has been issued, it's safe to be found on the poll list.
1639 * Adding the kiocb to the list AFTER submission ensures that we don't
1640 * find it from a io_iopoll_getevents() thread before the issuer is done
1641 * accessing the kiocb cookie.
1643 static void io_iopoll_req_issued(struct io_kiocb *req)
1645 struct io_ring_ctx *ctx = req->ctx;
1648 * Track whether we have multiple files in our lists. This will impact
1649 * how we do polling eventually, not spinning if we're on potentially
1650 * different devices.
1652 if (list_empty(&ctx->poll_list)) {
1653 ctx->poll_multi_file = false;
1654 } else if (!ctx->poll_multi_file) {
1655 struct io_kiocb *list_req;
1657 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1659 if (list_req->file != req->file)
1660 ctx->poll_multi_file = true;
1664 * For fast devices, IO may have already completed. If it has, add
1665 * it to the front so we find it first.
1667 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1668 list_add(&req->list, &ctx->poll_list);
1670 list_add_tail(&req->list, &ctx->poll_list);
1673 static void io_file_put(struct io_submit_state *state)
1676 int diff = state->has_refs - state->used_refs;
1679 fput_many(state->file, diff);
1685 * Get as many references to a file as we have IOs left in this submission,
1686 * assuming most submissions are for one file, or at least that each file
1687 * has more than one submission.
1689 static struct file *io_file_get(struct io_submit_state *state, int fd)
1695 if (state->fd == fd) {
1702 state->file = fget_many(fd, state->ios_left);
1707 state->has_refs = state->ios_left;
1708 state->used_refs = 1;
1714 * If we tracked the file through the SCM inflight mechanism, we could support
1715 * any file. For now, just ensure that anything potentially problematic is done
1718 static bool io_file_supports_async(struct file *file)
1720 umode_t mode = file_inode(file)->i_mode;
1722 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
1724 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1730 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1731 bool force_nonblock)
1733 struct io_ring_ctx *ctx = req->ctx;
1734 struct kiocb *kiocb = &req->rw.kiocb;
1741 if (S_ISREG(file_inode(req->file)->i_mode))
1742 req->flags |= REQ_F_ISREG;
1744 kiocb->ki_pos = READ_ONCE(sqe->off);
1745 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1746 req->flags |= REQ_F_CUR_POS;
1747 kiocb->ki_pos = req->file->f_pos;
1749 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1750 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1752 ioprio = READ_ONCE(sqe->ioprio);
1754 ret = ioprio_check_cap(ioprio);
1758 kiocb->ki_ioprio = ioprio;
1760 kiocb->ki_ioprio = get_current_ioprio();
1762 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1766 /* don't allow async punt if RWF_NOWAIT was requested */
1767 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1768 (req->file->f_flags & O_NONBLOCK))
1769 req->flags |= REQ_F_NOWAIT;
1772 kiocb->ki_flags |= IOCB_NOWAIT;
1774 if (ctx->flags & IORING_SETUP_IOPOLL) {
1775 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1776 !kiocb->ki_filp->f_op->iopoll)
1779 kiocb->ki_flags |= IOCB_HIPRI;
1780 kiocb->ki_complete = io_complete_rw_iopoll;
1783 if (kiocb->ki_flags & IOCB_HIPRI)
1785 kiocb->ki_complete = io_complete_rw;
1788 req->rw.addr = READ_ONCE(sqe->addr);
1789 req->rw.len = READ_ONCE(sqe->len);
1790 /* we own ->private, reuse it for the buffer index */
1791 req->rw.kiocb.private = (void *) (unsigned long)
1792 READ_ONCE(sqe->buf_index);
1796 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1802 case -ERESTARTNOINTR:
1803 case -ERESTARTNOHAND:
1804 case -ERESTART_RESTARTBLOCK:
1806 * We can't just restart the syscall, since previously
1807 * submitted sqes may already be in progress. Just fail this
1813 kiocb->ki_complete(kiocb, ret, 0);
1817 static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1820 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1822 if (req->flags & REQ_F_CUR_POS)
1823 req->file->f_pos = kiocb->ki_pos;
1824 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
1825 *nxt = __io_complete_rw(kiocb, ret);
1827 io_rw_done(kiocb, ret);
1830 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
1831 struct iov_iter *iter)
1833 struct io_ring_ctx *ctx = req->ctx;
1834 size_t len = req->rw.len;
1835 struct io_mapped_ubuf *imu;
1836 unsigned index, buf_index;
1840 /* attempt to use fixed buffers without having provided iovecs */
1841 if (unlikely(!ctx->user_bufs))
1844 buf_index = (unsigned long) req->rw.kiocb.private;
1845 if (unlikely(buf_index >= ctx->nr_user_bufs))
1848 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1849 imu = &ctx->user_bufs[index];
1850 buf_addr = req->rw.addr;
1853 if (buf_addr + len < buf_addr)
1855 /* not inside the mapped region */
1856 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1860 * May not be a start of buffer, set size appropriately
1861 * and advance us to the beginning.
1863 offset = buf_addr - imu->ubuf;
1864 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
1868 * Don't use iov_iter_advance() here, as it's really slow for
1869 * using the latter parts of a big fixed buffer - it iterates
1870 * over each segment manually. We can cheat a bit here, because
1873 * 1) it's a BVEC iter, we set it up
1874 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1875 * first and last bvec
1877 * So just find our index, and adjust the iterator afterwards.
1878 * If the offset is within the first bvec (or the whole first
1879 * bvec, just use iov_iter_advance(). This makes it easier
1880 * since we can just skip the first segment, which may not
1881 * be PAGE_SIZE aligned.
1883 const struct bio_vec *bvec = imu->bvec;
1885 if (offset <= bvec->bv_len) {
1886 iov_iter_advance(iter, offset);
1888 unsigned long seg_skip;
1890 /* skip first vec */
1891 offset -= bvec->bv_len;
1892 seg_skip = 1 + (offset >> PAGE_SHIFT);
1894 iter->bvec = bvec + seg_skip;
1895 iter->nr_segs -= seg_skip;
1896 iter->count -= bvec->bv_len + offset;
1897 iter->iov_offset = offset & ~PAGE_MASK;
1904 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1905 struct iovec **iovec, struct iov_iter *iter)
1907 void __user *buf = u64_to_user_ptr(req->rw.addr);
1908 size_t sqe_len = req->rw.len;
1911 opcode = req->opcode;
1912 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
1914 return io_import_fixed(req, rw, iter);
1917 /* buffer index only valid with fixed read/write */
1918 if (req->rw.kiocb.private)
1921 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
1923 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
1929 struct io_async_rw *iorw = &req->io->rw;
1932 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1933 if (iorw->iov == iorw->fast_iov)
1941 #ifdef CONFIG_COMPAT
1942 if (req->ctx->compat)
1943 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1947 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1951 * For files that don't have ->read_iter() and ->write_iter(), handle them
1952 * by looping over ->read() or ->write() manually.
1954 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1955 struct iov_iter *iter)
1960 * Don't support polled IO through this interface, and we can't
1961 * support non-blocking either. For the latter, this just causes
1962 * the kiocb to be handled from an async context.
1964 if (kiocb->ki_flags & IOCB_HIPRI)
1966 if (kiocb->ki_flags & IOCB_NOWAIT)
1969 while (iov_iter_count(iter)) {
1973 if (!iov_iter_is_bvec(iter)) {
1974 iovec = iov_iter_iovec(iter);
1976 /* fixed buffers import bvec */
1977 iovec.iov_base = kmap(iter->bvec->bv_page)
1979 iovec.iov_len = min(iter->count,
1980 iter->bvec->bv_len - iter->iov_offset);
1984 nr = file->f_op->read(file, iovec.iov_base,
1985 iovec.iov_len, &kiocb->ki_pos);
1987 nr = file->f_op->write(file, iovec.iov_base,
1988 iovec.iov_len, &kiocb->ki_pos);
1991 if (iov_iter_is_bvec(iter))
1992 kunmap(iter->bvec->bv_page);
2000 if (nr != iovec.iov_len)
2002 iov_iter_advance(iter, nr);
2008 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
2009 struct iovec *iovec, struct iovec *fast_iov,
2010 struct iov_iter *iter)
2012 req->io->rw.nr_segs = iter->nr_segs;
2013 req->io->rw.size = io_size;
2014 req->io->rw.iov = iovec;
2015 if (!req->io->rw.iov) {
2016 req->io->rw.iov = req->io->rw.fast_iov;
2017 memcpy(req->io->rw.iov, fast_iov,
2018 sizeof(struct iovec) * iter->nr_segs);
2022 static int io_alloc_async_ctx(struct io_kiocb *req)
2024 if (!io_op_defs[req->opcode].async_ctx)
2026 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
2027 return req->io == NULL;
2030 static void io_rw_async(struct io_wq_work **workptr)
2032 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2033 struct iovec *iov = NULL;
2035 if (req->io->rw.iov != req->io->rw.fast_iov)
2036 iov = req->io->rw.iov;
2037 io_wq_submit_work(workptr);
2041 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2042 struct iovec *iovec, struct iovec *fast_iov,
2043 struct iov_iter *iter)
2045 if (req->opcode == IORING_OP_READ_FIXED ||
2046 req->opcode == IORING_OP_WRITE_FIXED)
2048 if (!req->io && io_alloc_async_ctx(req))
2051 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2052 req->work.func = io_rw_async;
2056 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2057 bool force_nonblock)
2059 struct io_async_ctx *io;
2060 struct iov_iter iter;
2063 ret = io_prep_rw(req, sqe, force_nonblock);
2067 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2074 io->rw.iov = io->rw.fast_iov;
2076 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2081 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2085 static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
2086 bool force_nonblock)
2088 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2089 struct kiocb *kiocb = &req->rw.kiocb;
2090 struct iov_iter iter;
2092 ssize_t io_size, ret;
2094 ret = io_import_iovec(READ, req, &iovec, &iter);
2098 /* Ensure we clear previously set non-block flag */
2099 if (!force_nonblock)
2100 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
2104 if (req->flags & REQ_F_LINK)
2105 req->result = io_size;
2108 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2109 * we know to async punt it even if it was opened O_NONBLOCK
2111 if (force_nonblock && !io_file_supports_async(req->file)) {
2112 req->flags |= REQ_F_MUST_PUNT;
2116 iov_count = iov_iter_count(&iter);
2117 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2121 if (req->file->f_op->read_iter)
2122 ret2 = call_read_iter(req->file, kiocb, &iter);
2124 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
2126 /* Catch -EAGAIN return for forced non-blocking submission */
2127 if (!force_nonblock || ret2 != -EAGAIN) {
2128 kiocb_done(kiocb, ret2, nxt, req->in_async);
2131 ret = io_setup_async_rw(req, io_size, iovec,
2132 inline_vecs, &iter);
2139 if (!io_wq_current_is_worker())
2144 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2145 bool force_nonblock)
2147 struct io_async_ctx *io;
2148 struct iov_iter iter;
2151 ret = io_prep_rw(req, sqe, force_nonblock);
2155 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2162 io->rw.iov = io->rw.fast_iov;
2164 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2169 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2173 static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
2174 bool force_nonblock)
2176 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2177 struct kiocb *kiocb = &req->rw.kiocb;
2178 struct iov_iter iter;
2180 ssize_t ret, io_size;
2182 ret = io_import_iovec(WRITE, req, &iovec, &iter);
2186 /* Ensure we clear previously set non-block flag */
2187 if (!force_nonblock)
2188 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
2192 if (req->flags & REQ_F_LINK)
2193 req->result = io_size;
2196 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2197 * we know to async punt it even if it was opened O_NONBLOCK
2199 if (force_nonblock && !io_file_supports_async(req->file)) {
2200 req->flags |= REQ_F_MUST_PUNT;
2204 /* file path doesn't support NOWAIT for non-direct_IO */
2205 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2206 (req->flags & REQ_F_ISREG))
2209 iov_count = iov_iter_count(&iter);
2210 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2215 * Open-code file_start_write here to grab freeze protection,
2216 * which will be released by another thread in
2217 * io_complete_rw(). Fool lockdep by telling it the lock got
2218 * released so that it doesn't complain about the held lock when
2219 * we return to userspace.
2221 if (req->flags & REQ_F_ISREG) {
2222 __sb_start_write(file_inode(req->file)->i_sb,
2223 SB_FREEZE_WRITE, true);
2224 __sb_writers_release(file_inode(req->file)->i_sb,
2227 kiocb->ki_flags |= IOCB_WRITE;
2229 if (req->file->f_op->write_iter)
2230 ret2 = call_write_iter(req->file, kiocb, &iter);
2232 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
2233 if (!force_nonblock || ret2 != -EAGAIN) {
2234 kiocb_done(kiocb, ret2, nxt, req->in_async);
2237 ret = io_setup_async_rw(req, io_size, iovec,
2238 inline_vecs, &iter);
2245 if (!io_wq_current_is_worker())
2251 * IORING_OP_NOP just posts a completion event, nothing else.
2253 static int io_nop(struct io_kiocb *req)
2255 struct io_ring_ctx *ctx = req->ctx;
2257 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2260 io_cqring_add_event(req, 0);
2265 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2267 struct io_ring_ctx *ctx = req->ctx;
2272 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2274 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2277 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2278 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2281 req->sync.off = READ_ONCE(sqe->off);
2282 req->sync.len = READ_ONCE(sqe->len);
2286 static bool io_req_cancelled(struct io_kiocb *req)
2288 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2289 req_set_fail_links(req);
2290 io_cqring_add_event(req, -ECANCELED);
2298 static void io_link_work_cb(struct io_wq_work **workptr)
2300 struct io_wq_work *work = *workptr;
2301 struct io_kiocb *link = work->data;
2303 io_queue_linked_timeout(link);
2304 work->func = io_wq_submit_work;
2307 static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2309 struct io_kiocb *link;
2311 io_prep_async_work(nxt, &link);
2312 *workptr = &nxt->work;
2314 nxt->work.flags |= IO_WQ_WORK_CB;
2315 nxt->work.func = io_link_work_cb;
2316 nxt->work.data = link;
2320 static void io_fsync_finish(struct io_wq_work **workptr)
2322 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2323 loff_t end = req->sync.off + req->sync.len;
2324 struct io_kiocb *nxt = NULL;
2327 if (io_req_cancelled(req))
2330 ret = vfs_fsync_range(req->file, req->sync.off,
2331 end > 0 ? end : LLONG_MAX,
2332 req->sync.flags & IORING_FSYNC_DATASYNC);
2334 req_set_fail_links(req);
2335 io_cqring_add_event(req, ret);
2336 io_put_req_find_next(req, &nxt);
2338 io_wq_assign_next(workptr, nxt);
2341 static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2342 bool force_nonblock)
2344 struct io_wq_work *work, *old_work;
2346 /* fsync always requires a blocking context */
2347 if (force_nonblock) {
2349 req->work.func = io_fsync_finish;
2353 work = old_work = &req->work;
2354 io_fsync_finish(&work);
2355 if (work && work != old_work)
2356 *nxt = container_of(work, struct io_kiocb, work);
2360 static void io_fallocate_finish(struct io_wq_work **workptr)
2362 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2363 struct io_kiocb *nxt = NULL;
2366 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2369 req_set_fail_links(req);
2370 io_cqring_add_event(req, ret);
2371 io_put_req_find_next(req, &nxt);
2373 io_wq_assign_next(workptr, nxt);
2376 static int io_fallocate_prep(struct io_kiocb *req,
2377 const struct io_uring_sqe *sqe)
2379 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2382 req->sync.off = READ_ONCE(sqe->off);
2383 req->sync.len = READ_ONCE(sqe->addr);
2384 req->sync.mode = READ_ONCE(sqe->len);
2388 static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2389 bool force_nonblock)
2391 struct io_wq_work *work, *old_work;
2393 /* fallocate always requiring blocking context */
2394 if (force_nonblock) {
2396 req->work.func = io_fallocate_finish;
2400 work = old_work = &req->work;
2401 io_fallocate_finish(&work);
2402 if (work && work != old_work)
2403 *nxt = container_of(work, struct io_kiocb, work);
2408 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2412 if (sqe->ioprio || sqe->buf_index)
2415 req->open.dfd = READ_ONCE(sqe->fd);
2416 req->open.mode = READ_ONCE(sqe->len);
2417 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2418 req->open.flags = READ_ONCE(sqe->open_flags);
2420 req->open.filename = getname(req->open.fname);
2421 if (IS_ERR(req->open.filename)) {
2422 ret = PTR_ERR(req->open.filename);
2423 req->open.filename = NULL;
2430 static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2431 bool force_nonblock)
2433 struct open_flags op;
2434 struct open_how how;
2438 if (force_nonblock) {
2439 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2443 how = build_open_how(req->open.flags, req->open.mode);
2444 ret = build_open_flags(&how, &op);
2448 ret = get_unused_fd_flags(how.flags);
2452 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2455 ret = PTR_ERR(file);
2457 fsnotify_open(file);
2458 fd_install(ret, file);
2461 putname(req->open.filename);
2463 req_set_fail_links(req);
2464 io_cqring_add_event(req, ret);
2465 io_put_req_find_next(req, nxt);
2469 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2471 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2472 if (sqe->ioprio || sqe->buf_index || sqe->off)
2475 req->madvise.addr = READ_ONCE(sqe->addr);
2476 req->madvise.len = READ_ONCE(sqe->len);
2477 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2484 static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2485 bool force_nonblock)
2487 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2488 struct io_madvise *ma = &req->madvise;
2494 ret = do_madvise(ma->addr, ma->len, ma->advice);
2496 req_set_fail_links(req);
2497 io_cqring_add_event(req, ret);
2498 io_put_req_find_next(req, nxt);
2505 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2507 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2510 req->fadvise.offset = READ_ONCE(sqe->off);
2511 req->fadvise.len = READ_ONCE(sqe->len);
2512 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2516 static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2517 bool force_nonblock)
2519 struct io_fadvise *fa = &req->fadvise;
2522 /* DONTNEED may block, others _should_ not */
2523 if (fa->advice == POSIX_FADV_DONTNEED && force_nonblock)
2526 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2528 req_set_fail_links(req);
2529 io_cqring_add_event(req, ret);
2530 io_put_req_find_next(req, nxt);
2534 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2536 unsigned lookup_flags;
2539 if (sqe->ioprio || sqe->buf_index)
2542 req->open.dfd = READ_ONCE(sqe->fd);
2543 req->open.mask = READ_ONCE(sqe->len);
2544 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2545 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2546 req->open.flags = READ_ONCE(sqe->statx_flags);
2548 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.flags))
2551 req->open.filename = getname_flags(req->open.fname, lookup_flags, NULL);
2552 if (IS_ERR(req->open.filename)) {
2553 ret = PTR_ERR(req->open.filename);
2554 req->open.filename = NULL;
2561 static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2562 bool force_nonblock)
2564 struct io_open *ctx = &req->open;
2565 unsigned lookup_flags;
2573 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->flags))
2577 /* filename_lookup() drops it, keep a reference */
2578 ctx->filename->refcnt++;
2580 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2585 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->flags);
2587 if (retry_estale(ret, lookup_flags)) {
2588 lookup_flags |= LOOKUP_REVAL;
2592 ret = cp_statx(&stat, ctx->buffer);
2594 putname(ctx->filename);
2596 req_set_fail_links(req);
2597 io_cqring_add_event(req, ret);
2598 io_put_req_find_next(req, nxt);
2602 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2605 * If we queue this for async, it must not be cancellable. That would
2606 * leave the 'file' in an undeterminate state.
2608 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2610 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2611 sqe->rw_flags || sqe->buf_index)
2613 if (sqe->flags & IOSQE_FIXED_FILE)
2616 req->close.fd = READ_ONCE(sqe->fd);
2617 if (req->file->f_op == &io_uring_fops ||
2618 req->close.fd == req->ring_fd)
2624 static void io_close_finish(struct io_wq_work **workptr)
2626 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2627 struct io_kiocb *nxt = NULL;
2629 /* Invoked with files, we need to do the close */
2630 if (req->work.files) {
2633 ret = filp_close(req->close.put_file, req->work.files);
2635 req_set_fail_links(req);
2637 io_cqring_add_event(req, ret);
2640 fput(req->close.put_file);
2642 /* we bypassed the re-issue, drop the submission reference */
2644 io_put_req_find_next(req, &nxt);
2646 io_wq_assign_next(workptr, nxt);
2649 static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2650 bool force_nonblock)
2654 req->close.put_file = NULL;
2655 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2659 /* if the file has a flush method, be safe and punt to async */
2660 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2661 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2666 * No ->flush(), safely close from here and just punt the
2667 * fput() to async context.
2669 ret = filp_close(req->close.put_file, current->files);
2672 req_set_fail_links(req);
2673 io_cqring_add_event(req, ret);
2675 if (io_wq_current_is_worker()) {
2676 struct io_wq_work *old_work, *work;
2678 old_work = work = &req->work;
2679 io_close_finish(&work);
2680 if (work && work != old_work)
2681 *nxt = container_of(work, struct io_kiocb, work);
2686 req->work.func = io_close_finish;
2690 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2692 struct io_ring_ctx *ctx = req->ctx;
2697 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2699 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2702 req->sync.off = READ_ONCE(sqe->off);
2703 req->sync.len = READ_ONCE(sqe->len);
2704 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
2708 static void io_sync_file_range_finish(struct io_wq_work **workptr)
2710 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2711 struct io_kiocb *nxt = NULL;
2714 if (io_req_cancelled(req))
2717 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
2720 req_set_fail_links(req);
2721 io_cqring_add_event(req, ret);
2722 io_put_req_find_next(req, &nxt);
2724 io_wq_assign_next(workptr, nxt);
2727 static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
2728 bool force_nonblock)
2730 struct io_wq_work *work, *old_work;
2732 /* sync_file_range always requires a blocking context */
2733 if (force_nonblock) {
2735 req->work.func = io_sync_file_range_finish;
2739 work = old_work = &req->work;
2740 io_sync_file_range_finish(&work);
2741 if (work && work != old_work)
2742 *nxt = container_of(work, struct io_kiocb, work);
2746 #if defined(CONFIG_NET)
2747 static void io_sendrecv_async(struct io_wq_work **workptr)
2749 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2750 struct iovec *iov = NULL;
2752 if (req->io->rw.iov != req->io->rw.fast_iov)
2753 iov = req->io->msg.iov;
2754 io_wq_submit_work(workptr);
2759 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2761 #if defined(CONFIG_NET)
2762 struct io_sr_msg *sr = &req->sr_msg;
2763 struct io_async_ctx *io = req->io;
2765 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2766 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
2771 io->msg.iov = io->msg.fast_iov;
2772 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
2779 static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2780 bool force_nonblock)
2782 #if defined(CONFIG_NET)
2783 struct io_async_msghdr *kmsg = NULL;
2784 struct socket *sock;
2787 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2790 sock = sock_from_file(req->file, &ret);
2792 struct io_async_ctx io;
2793 struct sockaddr_storage addr;
2797 kmsg = &req->io->msg;
2798 kmsg->msg.msg_name = &addr;
2799 /* if iov is set, it's allocated already */
2801 kmsg->iov = kmsg->fast_iov;
2802 kmsg->msg.msg_iter.iov = kmsg->iov;
2804 struct io_sr_msg *sr = &req->sr_msg;
2807 kmsg->msg.msg_name = &addr;
2809 io.msg.iov = io.msg.fast_iov;
2810 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2811 sr->msg_flags, &io.msg.iov);
2816 flags = req->sr_msg.msg_flags;
2817 if (flags & MSG_DONTWAIT)
2818 req->flags |= REQ_F_NOWAIT;
2819 else if (force_nonblock)
2820 flags |= MSG_DONTWAIT;
2822 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
2823 if (force_nonblock && ret == -EAGAIN) {
2826 if (io_alloc_async_ctx(req))
2828 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2829 req->work.func = io_sendrecv_async;
2832 if (ret == -ERESTARTSYS)
2836 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2838 io_cqring_add_event(req, ret);
2840 req_set_fail_links(req);
2841 io_put_req_find_next(req, nxt);
2848 static int io_recvmsg_prep(struct io_kiocb *req,
2849 const struct io_uring_sqe *sqe)
2851 #if defined(CONFIG_NET)
2852 struct io_sr_msg *sr = &req->sr_msg;
2853 struct io_async_ctx *io = req->io;
2855 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2856 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
2861 io->msg.iov = io->msg.fast_iov;
2862 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
2863 &io->msg.uaddr, &io->msg.iov);
2869 static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2870 bool force_nonblock)
2872 #if defined(CONFIG_NET)
2873 struct io_async_msghdr *kmsg = NULL;
2874 struct socket *sock;
2877 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2880 sock = sock_from_file(req->file, &ret);
2882 struct io_async_ctx io;
2883 struct sockaddr_storage addr;
2887 kmsg = &req->io->msg;
2888 kmsg->msg.msg_name = &addr;
2889 /* if iov is set, it's allocated already */
2891 kmsg->iov = kmsg->fast_iov;
2892 kmsg->msg.msg_iter.iov = kmsg->iov;
2894 struct io_sr_msg *sr = &req->sr_msg;
2897 kmsg->msg.msg_name = &addr;
2899 io.msg.iov = io.msg.fast_iov;
2900 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
2901 sr->msg_flags, &io.msg.uaddr,
2907 flags = req->sr_msg.msg_flags;
2908 if (flags & MSG_DONTWAIT)
2909 req->flags |= REQ_F_NOWAIT;
2910 else if (force_nonblock)
2911 flags |= MSG_DONTWAIT;
2913 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
2914 kmsg->uaddr, flags);
2915 if (force_nonblock && ret == -EAGAIN) {
2918 if (io_alloc_async_ctx(req))
2920 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2921 req->work.func = io_sendrecv_async;
2924 if (ret == -ERESTARTSYS)
2928 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2930 io_cqring_add_event(req, ret);
2932 req_set_fail_links(req);
2933 io_put_req_find_next(req, nxt);
2940 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2942 #if defined(CONFIG_NET)
2943 struct io_accept *accept = &req->accept;
2945 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2947 if (sqe->ioprio || sqe->len || sqe->buf_index)
2950 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2951 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2952 accept->flags = READ_ONCE(sqe->accept_flags);
2959 #if defined(CONFIG_NET)
2960 static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2961 bool force_nonblock)
2963 struct io_accept *accept = &req->accept;
2964 unsigned file_flags;
2967 file_flags = force_nonblock ? O_NONBLOCK : 0;
2968 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2969 accept->addr_len, accept->flags);
2970 if (ret == -EAGAIN && force_nonblock)
2972 if (ret == -ERESTARTSYS)
2975 req_set_fail_links(req);
2976 io_cqring_add_event(req, ret);
2977 io_put_req_find_next(req, nxt);
2981 static void io_accept_finish(struct io_wq_work **workptr)
2983 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2984 struct io_kiocb *nxt = NULL;
2986 if (io_req_cancelled(req))
2988 __io_accept(req, &nxt, false);
2990 io_wq_assign_next(workptr, nxt);
2994 static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2995 bool force_nonblock)
2997 #if defined(CONFIG_NET)
3000 ret = __io_accept(req, nxt, force_nonblock);
3001 if (ret == -EAGAIN && force_nonblock) {
3002 req->work.func = io_accept_finish;
3003 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3013 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3015 #if defined(CONFIG_NET)
3016 struct io_connect *conn = &req->connect;
3017 struct io_async_ctx *io = req->io;
3019 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3021 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3024 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3025 conn->addr_len = READ_ONCE(sqe->addr2);
3030 return move_addr_to_kernel(conn->addr, conn->addr_len,
3031 &io->connect.address);
3037 static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3038 bool force_nonblock)
3040 #if defined(CONFIG_NET)
3041 struct io_async_ctx __io, *io;
3042 unsigned file_flags;
3048 ret = move_addr_to_kernel(req->connect.addr,
3049 req->connect.addr_len,
3050 &__io.connect.address);
3056 file_flags = force_nonblock ? O_NONBLOCK : 0;
3058 ret = __sys_connect_file(req->file, &io->connect.address,
3059 req->connect.addr_len, file_flags);
3060 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
3063 if (io_alloc_async_ctx(req)) {
3067 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
3070 if (ret == -ERESTARTSYS)
3074 req_set_fail_links(req);
3075 io_cqring_add_event(req, ret);
3076 io_put_req_find_next(req, nxt);
3083 static void io_poll_remove_one(struct io_kiocb *req)
3085 struct io_poll_iocb *poll = &req->poll;
3087 spin_lock(&poll->head->lock);
3088 WRITE_ONCE(poll->canceled, true);
3089 if (!list_empty(&poll->wait.entry)) {
3090 list_del_init(&poll->wait.entry);
3091 io_queue_async_work(req);
3093 spin_unlock(&poll->head->lock);
3094 hash_del(&req->hash_node);
3097 static void io_poll_remove_all(struct io_ring_ctx *ctx)
3099 struct hlist_node *tmp;
3100 struct io_kiocb *req;
3103 spin_lock_irq(&ctx->completion_lock);
3104 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3105 struct hlist_head *list;
3107 list = &ctx->cancel_hash[i];
3108 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3109 io_poll_remove_one(req);
3111 spin_unlock_irq(&ctx->completion_lock);
3114 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3116 struct hlist_head *list;
3117 struct io_kiocb *req;
3119 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3120 hlist_for_each_entry(req, list, hash_node) {
3121 if (sqe_addr == req->user_data) {
3122 io_poll_remove_one(req);
3130 static int io_poll_remove_prep(struct io_kiocb *req,
3131 const struct io_uring_sqe *sqe)
3133 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3135 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3139 req->poll.addr = READ_ONCE(sqe->addr);
3144 * Find a running poll command that matches one specified in sqe->addr,
3145 * and remove it if found.
3147 static int io_poll_remove(struct io_kiocb *req)
3149 struct io_ring_ctx *ctx = req->ctx;
3153 addr = req->poll.addr;
3154 spin_lock_irq(&ctx->completion_lock);
3155 ret = io_poll_cancel(ctx, addr);
3156 spin_unlock_irq(&ctx->completion_lock);
3158 io_cqring_add_event(req, ret);
3160 req_set_fail_links(req);
3165 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
3167 struct io_ring_ctx *ctx = req->ctx;
3169 req->poll.done = true;
3171 io_cqring_fill_event(req, error);
3173 io_cqring_fill_event(req, mangle_poll(mask));
3174 io_commit_cqring(ctx);
3177 static void io_poll_complete_work(struct io_wq_work **workptr)
3179 struct io_wq_work *work = *workptr;
3180 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3181 struct io_poll_iocb *poll = &req->poll;
3182 struct poll_table_struct pt = { ._key = poll->events };
3183 struct io_ring_ctx *ctx = req->ctx;
3184 struct io_kiocb *nxt = NULL;
3188 if (work->flags & IO_WQ_WORK_CANCEL) {
3189 WRITE_ONCE(poll->canceled, true);
3191 } else if (READ_ONCE(poll->canceled)) {
3195 if (ret != -ECANCELED)
3196 mask = vfs_poll(poll->file, &pt) & poll->events;
3199 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3200 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3201 * synchronize with them. In the cancellation case the list_del_init
3202 * itself is not actually needed, but harmless so we keep it in to
3203 * avoid further branches in the fast path.
3205 spin_lock_irq(&ctx->completion_lock);
3206 if (!mask && ret != -ECANCELED) {
3207 add_wait_queue(poll->head, &poll->wait);
3208 spin_unlock_irq(&ctx->completion_lock);
3211 hash_del(&req->hash_node);
3212 io_poll_complete(req, mask, ret);
3213 spin_unlock_irq(&ctx->completion_lock);
3215 io_cqring_ev_posted(ctx);
3218 req_set_fail_links(req);
3219 io_put_req_find_next(req, &nxt);
3221 io_wq_assign_next(workptr, nxt);
3224 static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3226 struct io_kiocb *req, *tmp;
3227 struct req_batch rb;
3230 spin_lock_irq(&ctx->completion_lock);
3231 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3232 hash_del(&req->hash_node);
3233 io_poll_complete(req, req->result, 0);
3235 if (refcount_dec_and_test(&req->refs) &&
3236 !io_req_multi_free(&rb, req)) {
3237 req->flags |= REQ_F_COMP_LOCKED;
3241 spin_unlock_irq(&ctx->completion_lock);
3243 io_cqring_ev_posted(ctx);
3244 io_free_req_many(ctx, &rb);
3247 static void io_poll_flush(struct io_wq_work **workptr)
3249 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3250 struct llist_node *nodes;
3252 nodes = llist_del_all(&req->ctx->poll_llist);
3254 __io_poll_flush(req->ctx, nodes);
3257 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3260 struct io_poll_iocb *poll = wait->private;
3261 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3262 struct io_ring_ctx *ctx = req->ctx;
3263 __poll_t mask = key_to_poll(key);
3265 /* for instances that support it check for an event match first: */
3266 if (mask && !(mask & poll->events))
3269 list_del_init(&poll->wait.entry);
3272 * Run completion inline if we can. We're using trylock here because
3273 * we are violating the completion_lock -> poll wq lock ordering.
3274 * If we have a link timeout we're going to need the completion_lock
3275 * for finalizing the request, mark us as having grabbed that already.
3278 unsigned long flags;
3280 if (llist_empty(&ctx->poll_llist) &&
3281 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3282 hash_del(&req->hash_node);
3283 io_poll_complete(req, mask, 0);
3284 req->flags |= REQ_F_COMP_LOCKED;
3286 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3288 io_cqring_ev_posted(ctx);
3292 req->llist_node.next = NULL;
3293 /* if the list wasn't empty, we're done */
3294 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3297 req->work.func = io_poll_flush;
3301 io_queue_async_work(req);
3306 struct io_poll_table {
3307 struct poll_table_struct pt;
3308 struct io_kiocb *req;
3312 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3313 struct poll_table_struct *p)
3315 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3317 if (unlikely(pt->req->poll.head)) {
3318 pt->error = -EINVAL;
3323 pt->req->poll.head = head;
3324 add_wait_queue(head, &pt->req->poll.wait);
3327 static void io_poll_req_insert(struct io_kiocb *req)
3329 struct io_ring_ctx *ctx = req->ctx;
3330 struct hlist_head *list;
3332 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3333 hlist_add_head(&req->hash_node, list);
3336 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3338 struct io_poll_iocb *poll = &req->poll;
3341 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3343 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3348 events = READ_ONCE(sqe->poll_events);
3349 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
3353 static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3355 struct io_poll_iocb *poll = &req->poll;
3356 struct io_ring_ctx *ctx = req->ctx;
3357 struct io_poll_table ipt;
3358 bool cancel = false;
3361 INIT_IO_WORK(&req->work, io_poll_complete_work);
3362 INIT_HLIST_NODE(&req->hash_node);
3366 poll->canceled = false;
3368 ipt.pt._qproc = io_poll_queue_proc;
3369 ipt.pt._key = poll->events;
3371 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3373 /* initialized the list so that we can do list_empty checks */
3374 INIT_LIST_HEAD(&poll->wait.entry);
3375 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3376 poll->wait.private = poll;
3378 INIT_LIST_HEAD(&req->list);
3380 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
3382 spin_lock_irq(&ctx->completion_lock);
3383 if (likely(poll->head)) {
3384 spin_lock(&poll->head->lock);
3385 if (unlikely(list_empty(&poll->wait.entry))) {
3391 if (mask || ipt.error)
3392 list_del_init(&poll->wait.entry);
3394 WRITE_ONCE(poll->canceled, true);
3395 else if (!poll->done) /* actually waiting for an event */
3396 io_poll_req_insert(req);
3397 spin_unlock(&poll->head->lock);
3399 if (mask) { /* no async, we'd stolen it */
3401 io_poll_complete(req, mask, 0);
3403 spin_unlock_irq(&ctx->completion_lock);
3406 io_cqring_ev_posted(ctx);
3407 io_put_req_find_next(req, nxt);
3412 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3414 struct io_timeout_data *data = container_of(timer,
3415 struct io_timeout_data, timer);
3416 struct io_kiocb *req = data->req;
3417 struct io_ring_ctx *ctx = req->ctx;
3418 unsigned long flags;
3420 atomic_inc(&ctx->cq_timeouts);
3422 spin_lock_irqsave(&ctx->completion_lock, flags);
3424 * We could be racing with timeout deletion. If the list is empty,
3425 * then timeout lookup already found it and will be handling it.
3427 if (!list_empty(&req->list)) {
3428 struct io_kiocb *prev;
3431 * Adjust the reqs sequence before the current one because it
3432 * will consume a slot in the cq_ring and the cq_tail
3433 * pointer will be increased, otherwise other timeout reqs may
3434 * return in advance without waiting for enough wait_nr.
3437 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3439 list_del_init(&req->list);
3442 io_cqring_fill_event(req, -ETIME);
3443 io_commit_cqring(ctx);
3444 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3446 io_cqring_ev_posted(ctx);
3447 req_set_fail_links(req);
3449 return HRTIMER_NORESTART;
3452 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3454 struct io_kiocb *req;
3457 list_for_each_entry(req, &ctx->timeout_list, list) {
3458 if (user_data == req->user_data) {
3459 list_del_init(&req->list);
3468 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
3472 req_set_fail_links(req);
3473 io_cqring_fill_event(req, -ECANCELED);
3478 static int io_timeout_remove_prep(struct io_kiocb *req,
3479 const struct io_uring_sqe *sqe)
3481 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3483 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3486 req->timeout.addr = READ_ONCE(sqe->addr);
3487 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3488 if (req->timeout.flags)
3495 * Remove or update an existing timeout command
3497 static int io_timeout_remove(struct io_kiocb *req)
3499 struct io_ring_ctx *ctx = req->ctx;
3502 spin_lock_irq(&ctx->completion_lock);
3503 ret = io_timeout_cancel(ctx, req->timeout.addr);
3505 io_cqring_fill_event(req, ret);
3506 io_commit_cqring(ctx);
3507 spin_unlock_irq(&ctx->completion_lock);
3508 io_cqring_ev_posted(ctx);
3510 req_set_fail_links(req);
3515 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3516 bool is_timeout_link)
3518 struct io_timeout_data *data;
3521 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3523 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
3525 if (sqe->off && is_timeout_link)
3527 flags = READ_ONCE(sqe->timeout_flags);
3528 if (flags & ~IORING_TIMEOUT_ABS)
3531 req->timeout.count = READ_ONCE(sqe->off);
3533 if (!req->io && io_alloc_async_ctx(req))
3536 data = &req->io->timeout;
3538 req->flags |= REQ_F_TIMEOUT;
3540 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
3543 if (flags & IORING_TIMEOUT_ABS)
3544 data->mode = HRTIMER_MODE_ABS;
3546 data->mode = HRTIMER_MODE_REL;
3548 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3552 static int io_timeout(struct io_kiocb *req)
3555 struct io_ring_ctx *ctx = req->ctx;
3556 struct io_timeout_data *data;
3557 struct list_head *entry;
3560 data = &req->io->timeout;
3563 * sqe->off holds how many events that need to occur for this
3564 * timeout event to be satisfied. If it isn't set, then this is
3565 * a pure timeout request, sequence isn't used.
3567 count = req->timeout.count;
3569 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3570 spin_lock_irq(&ctx->completion_lock);
3571 entry = ctx->timeout_list.prev;
3575 req->sequence = ctx->cached_sq_head + count - 1;
3576 data->seq_offset = count;
3579 * Insertion sort, ensuring the first entry in the list is always
3580 * the one we need first.
3582 spin_lock_irq(&ctx->completion_lock);
3583 list_for_each_prev(entry, &ctx->timeout_list) {
3584 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
3585 unsigned nxt_sq_head;
3586 long long tmp, tmp_nxt;
3587 u32 nxt_offset = nxt->io->timeout.seq_offset;
3589 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3593 * Since cached_sq_head + count - 1 can overflow, use type long
3596 tmp = (long long)ctx->cached_sq_head + count - 1;
3597 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3598 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
3601 * cached_sq_head may overflow, and it will never overflow twice
3602 * once there is some timeout req still be valid.
3604 if (ctx->cached_sq_head < nxt_sq_head)
3611 * Sequence of reqs after the insert one and itself should
3612 * be adjusted because each timeout req consumes a slot.
3617 req->sequence -= span;
3619 list_add(&req->list, entry);
3620 data->timer.function = io_timeout_fn;
3621 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
3622 spin_unlock_irq(&ctx->completion_lock);
3626 static bool io_cancel_cb(struct io_wq_work *work, void *data)
3628 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3630 return req->user_data == (unsigned long) data;
3633 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
3635 enum io_wq_cancel cancel_ret;
3638 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3639 switch (cancel_ret) {
3640 case IO_WQ_CANCEL_OK:
3643 case IO_WQ_CANCEL_RUNNING:
3646 case IO_WQ_CANCEL_NOTFOUND:
3654 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3655 struct io_kiocb *req, __u64 sqe_addr,
3656 struct io_kiocb **nxt, int success_ret)
3658 unsigned long flags;
3661 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3662 if (ret != -ENOENT) {
3663 spin_lock_irqsave(&ctx->completion_lock, flags);
3667 spin_lock_irqsave(&ctx->completion_lock, flags);
3668 ret = io_timeout_cancel(ctx, sqe_addr);
3671 ret = io_poll_cancel(ctx, sqe_addr);
3675 io_cqring_fill_event(req, ret);
3676 io_commit_cqring(ctx);
3677 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3678 io_cqring_ev_posted(ctx);
3681 req_set_fail_links(req);
3682 io_put_req_find_next(req, nxt);
3685 static int io_async_cancel_prep(struct io_kiocb *req,
3686 const struct io_uring_sqe *sqe)
3688 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3690 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3694 req->cancel.addr = READ_ONCE(sqe->addr);
3698 static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3700 struct io_ring_ctx *ctx = req->ctx;
3702 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
3706 static int io_files_update_prep(struct io_kiocb *req,
3707 const struct io_uring_sqe *sqe)
3709 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3712 req->files_update.offset = READ_ONCE(sqe->off);
3713 req->files_update.nr_args = READ_ONCE(sqe->len);
3714 if (!req->files_update.nr_args)
3716 req->files_update.arg = READ_ONCE(sqe->addr);
3720 static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3722 struct io_ring_ctx *ctx = req->ctx;
3723 struct io_uring_files_update up;
3726 if (force_nonblock) {
3727 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3731 up.offset = req->files_update.offset;
3732 up.fds = req->files_update.arg;
3734 mutex_lock(&ctx->uring_lock);
3735 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3736 mutex_unlock(&ctx->uring_lock);
3739 req_set_fail_links(req);
3740 io_cqring_add_event(req, ret);
3745 static int io_req_defer_prep(struct io_kiocb *req,
3746 const struct io_uring_sqe *sqe)
3750 switch (req->opcode) {
3753 case IORING_OP_READV:
3754 case IORING_OP_READ_FIXED:
3755 case IORING_OP_READ:
3756 ret = io_read_prep(req, sqe, true);
3758 case IORING_OP_WRITEV:
3759 case IORING_OP_WRITE_FIXED:
3760 case IORING_OP_WRITE:
3761 ret = io_write_prep(req, sqe, true);
3763 case IORING_OP_POLL_ADD:
3764 ret = io_poll_add_prep(req, sqe);
3766 case IORING_OP_POLL_REMOVE:
3767 ret = io_poll_remove_prep(req, sqe);
3769 case IORING_OP_FSYNC:
3770 ret = io_prep_fsync(req, sqe);
3772 case IORING_OP_SYNC_FILE_RANGE:
3773 ret = io_prep_sfr(req, sqe);
3775 case IORING_OP_SENDMSG:
3776 ret = io_sendmsg_prep(req, sqe);
3778 case IORING_OP_RECVMSG:
3779 ret = io_recvmsg_prep(req, sqe);
3781 case IORING_OP_CONNECT:
3782 ret = io_connect_prep(req, sqe);
3784 case IORING_OP_TIMEOUT:
3785 ret = io_timeout_prep(req, sqe, false);
3787 case IORING_OP_TIMEOUT_REMOVE:
3788 ret = io_timeout_remove_prep(req, sqe);
3790 case IORING_OP_ASYNC_CANCEL:
3791 ret = io_async_cancel_prep(req, sqe);
3793 case IORING_OP_LINK_TIMEOUT:
3794 ret = io_timeout_prep(req, sqe, true);
3796 case IORING_OP_ACCEPT:
3797 ret = io_accept_prep(req, sqe);
3799 case IORING_OP_FALLOCATE:
3800 ret = io_fallocate_prep(req, sqe);
3802 case IORING_OP_OPENAT:
3803 ret = io_openat_prep(req, sqe);
3805 case IORING_OP_CLOSE:
3806 ret = io_close_prep(req, sqe);
3808 case IORING_OP_FILES_UPDATE:
3809 ret = io_files_update_prep(req, sqe);
3811 case IORING_OP_STATX:
3812 ret = io_statx_prep(req, sqe);
3814 case IORING_OP_FADVISE:
3815 ret = io_fadvise_prep(req, sqe);
3817 case IORING_OP_MADVISE:
3818 ret = io_madvise_prep(req, sqe);
3821 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3830 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3832 struct io_ring_ctx *ctx = req->ctx;
3835 /* Still need defer if there is pending req in defer list. */
3836 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
3839 if (!req->io && io_alloc_async_ctx(req))
3842 ret = io_req_defer_prep(req, sqe);
3846 spin_lock_irq(&ctx->completion_lock);
3847 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
3848 spin_unlock_irq(&ctx->completion_lock);
3852 trace_io_uring_defer(ctx, req, req->user_data);
3853 list_add_tail(&req->list, &ctx->defer_list);
3854 spin_unlock_irq(&ctx->completion_lock);
3855 return -EIOCBQUEUED;
3858 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3859 struct io_kiocb **nxt, bool force_nonblock)
3861 struct io_ring_ctx *ctx = req->ctx;
3864 switch (req->opcode) {
3868 case IORING_OP_READV:
3869 case IORING_OP_READ_FIXED:
3870 case IORING_OP_READ:
3872 ret = io_read_prep(req, sqe, force_nonblock);
3876 ret = io_read(req, nxt, force_nonblock);
3878 case IORING_OP_WRITEV:
3879 case IORING_OP_WRITE_FIXED:
3880 case IORING_OP_WRITE:
3882 ret = io_write_prep(req, sqe, force_nonblock);
3886 ret = io_write(req, nxt, force_nonblock);
3888 case IORING_OP_FSYNC:
3890 ret = io_prep_fsync(req, sqe);
3894 ret = io_fsync(req, nxt, force_nonblock);
3896 case IORING_OP_POLL_ADD:
3898 ret = io_poll_add_prep(req, sqe);
3902 ret = io_poll_add(req, nxt);
3904 case IORING_OP_POLL_REMOVE:
3906 ret = io_poll_remove_prep(req, sqe);
3910 ret = io_poll_remove(req);
3912 case IORING_OP_SYNC_FILE_RANGE:
3914 ret = io_prep_sfr(req, sqe);
3918 ret = io_sync_file_range(req, nxt, force_nonblock);
3920 case IORING_OP_SENDMSG:
3922 ret = io_sendmsg_prep(req, sqe);
3926 ret = io_sendmsg(req, nxt, force_nonblock);
3928 case IORING_OP_RECVMSG:
3930 ret = io_recvmsg_prep(req, sqe);
3934 ret = io_recvmsg(req, nxt, force_nonblock);
3936 case IORING_OP_TIMEOUT:
3938 ret = io_timeout_prep(req, sqe, false);
3942 ret = io_timeout(req);
3944 case IORING_OP_TIMEOUT_REMOVE:
3946 ret = io_timeout_remove_prep(req, sqe);
3950 ret = io_timeout_remove(req);
3952 case IORING_OP_ACCEPT:
3954 ret = io_accept_prep(req, sqe);
3958 ret = io_accept(req, nxt, force_nonblock);
3960 case IORING_OP_CONNECT:
3962 ret = io_connect_prep(req, sqe);
3966 ret = io_connect(req, nxt, force_nonblock);
3968 case IORING_OP_ASYNC_CANCEL:
3970 ret = io_async_cancel_prep(req, sqe);
3974 ret = io_async_cancel(req, nxt);
3976 case IORING_OP_FALLOCATE:
3978 ret = io_fallocate_prep(req, sqe);
3982 ret = io_fallocate(req, nxt, force_nonblock);
3984 case IORING_OP_OPENAT:
3986 ret = io_openat_prep(req, sqe);
3990 ret = io_openat(req, nxt, force_nonblock);
3992 case IORING_OP_CLOSE:
3994 ret = io_close_prep(req, sqe);
3998 ret = io_close(req, nxt, force_nonblock);
4000 case IORING_OP_FILES_UPDATE:
4002 ret = io_files_update_prep(req, sqe);
4006 ret = io_files_update(req, force_nonblock);
4008 case IORING_OP_STATX:
4010 ret = io_statx_prep(req, sqe);
4014 ret = io_statx(req, nxt, force_nonblock);
4016 case IORING_OP_FADVISE:
4018 ret = io_fadvise_prep(req, sqe);
4022 ret = io_fadvise(req, nxt, force_nonblock);
4024 case IORING_OP_MADVISE:
4026 ret = io_madvise_prep(req, sqe);
4030 ret = io_madvise(req, nxt, force_nonblock);
4040 if (ctx->flags & IORING_SETUP_IOPOLL) {
4041 const bool in_async = io_wq_current_is_worker();
4043 if (req->result == -EAGAIN)
4046 /* workqueue context doesn't hold uring_lock, grab it now */
4048 mutex_lock(&ctx->uring_lock);
4050 io_iopoll_req_issued(req);
4053 mutex_unlock(&ctx->uring_lock);
4059 static void io_wq_submit_work(struct io_wq_work **workptr)
4061 struct io_wq_work *work = *workptr;
4062 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4063 struct io_kiocb *nxt = NULL;
4066 /* if NO_CANCEL is set, we must still run the work */
4067 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4068 IO_WQ_WORK_CANCEL) {
4073 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
4074 req->in_async = true;
4076 ret = io_issue_sqe(req, NULL, &nxt, false);
4078 * We can get EAGAIN for polled IO even though we're
4079 * forcing a sync submission from here, since we can't
4080 * wait for request slots on the block side.
4088 /* drop submission reference */
4092 req_set_fail_links(req);
4093 io_cqring_add_event(req, ret);
4097 /* if a dependent link is ready, pass it back */
4099 io_wq_assign_next(workptr, nxt);
4102 static int io_req_needs_file(struct io_kiocb *req, int fd)
4104 if (!io_op_defs[req->opcode].needs_file)
4106 if (fd == -1 && io_op_defs[req->opcode].fd_non_neg)
4111 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4114 struct fixed_file_table *table;
4116 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4117 return table->files[index & IORING_FILE_TABLE_MASK];;
4120 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4121 const struct io_uring_sqe *sqe)
4123 struct io_ring_ctx *ctx = req->ctx;
4127 flags = READ_ONCE(sqe->flags);
4128 fd = READ_ONCE(sqe->fd);
4130 if (flags & IOSQE_IO_DRAIN)
4131 req->flags |= REQ_F_IO_DRAIN;
4133 if (!io_req_needs_file(req, fd))
4136 if (flags & IOSQE_FIXED_FILE) {
4137 if (unlikely(!ctx->file_data ||
4138 (unsigned) fd >= ctx->nr_user_files))
4140 fd = array_index_nospec(fd, ctx->nr_user_files);
4141 req->file = io_file_from_index(ctx, fd);
4144 req->flags |= REQ_F_FIXED_FILE;
4145 percpu_ref_get(&ctx->file_data->refs);
4147 if (req->needs_fixed_file)
4149 trace_io_uring_file_get(ctx, fd);
4150 req->file = io_file_get(state, fd);
4151 if (unlikely(!req->file))
4158 static int io_grab_files(struct io_kiocb *req)
4161 struct io_ring_ctx *ctx = req->ctx;
4163 if (!req->ring_file)
4167 spin_lock_irq(&ctx->inflight_lock);
4169 * We use the f_ops->flush() handler to ensure that we can flush
4170 * out work accessing these files if the fd is closed. Check if
4171 * the fd has changed since we started down this path, and disallow
4172 * this operation if it has.
4174 if (fcheck(req->ring_fd) == req->ring_file) {
4175 list_add(&req->inflight_entry, &ctx->inflight_list);
4176 req->flags |= REQ_F_INFLIGHT;
4177 req->work.files = current->files;
4180 spin_unlock_irq(&ctx->inflight_lock);
4186 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
4188 struct io_timeout_data *data = container_of(timer,
4189 struct io_timeout_data, timer);
4190 struct io_kiocb *req = data->req;
4191 struct io_ring_ctx *ctx = req->ctx;
4192 struct io_kiocb *prev = NULL;
4193 unsigned long flags;
4195 spin_lock_irqsave(&ctx->completion_lock, flags);
4198 * We don't expect the list to be empty, that will only happen if we
4199 * race with the completion of the linked work.
4201 if (!list_empty(&req->link_list)) {
4202 prev = list_entry(req->link_list.prev, struct io_kiocb,
4204 if (refcount_inc_not_zero(&prev->refs)) {
4205 list_del_init(&req->link_list);
4206 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4211 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4214 req_set_fail_links(prev);
4215 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4219 io_cqring_add_event(req, -ETIME);
4222 return HRTIMER_NORESTART;
4225 static void io_queue_linked_timeout(struct io_kiocb *req)
4227 struct io_ring_ctx *ctx = req->ctx;
4230 * If the list is now empty, then our linked request finished before
4231 * we got a chance to setup the timer
4233 spin_lock_irq(&ctx->completion_lock);
4234 if (!list_empty(&req->link_list)) {
4235 struct io_timeout_data *data = &req->io->timeout;
4237 data->timer.function = io_link_timeout_fn;
4238 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4241 spin_unlock_irq(&ctx->completion_lock);
4243 /* drop submission reference */
4247 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
4249 struct io_kiocb *nxt;
4251 if (!(req->flags & REQ_F_LINK))
4254 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4256 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
4259 req->flags |= REQ_F_LINK_TIMEOUT;
4263 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4265 struct io_kiocb *linked_timeout;
4266 struct io_kiocb *nxt = NULL;
4270 linked_timeout = io_prep_linked_timeout(req);
4272 ret = io_issue_sqe(req, sqe, &nxt, true);
4275 * We async punt it if the file wasn't marked NOWAIT, or if the file
4276 * doesn't support non-blocking read/write attempts
4278 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4279 (req->flags & REQ_F_MUST_PUNT))) {
4280 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
4281 ret = io_grab_files(req);
4287 * Queued up for async execution, worker will release
4288 * submit reference when the iocb is actually submitted.
4290 io_queue_async_work(req);
4295 /* drop submission reference */
4298 if (linked_timeout) {
4300 io_queue_linked_timeout(linked_timeout);
4302 io_put_req(linked_timeout);
4305 /* and drop final reference, if we failed */
4307 io_cqring_add_event(req, ret);
4308 req_set_fail_links(req);
4319 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4323 if (unlikely(req->ctx->drain_next)) {
4324 req->flags |= REQ_F_IO_DRAIN;
4325 req->ctx->drain_next = false;
4327 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
4329 ret = io_req_defer(req, sqe);
4331 if (ret != -EIOCBQUEUED) {
4332 io_cqring_add_event(req, ret);
4333 req_set_fail_links(req);
4334 io_double_put_req(req);
4336 } else if ((req->flags & REQ_F_FORCE_ASYNC) &&
4337 !io_wq_current_is_worker()) {
4339 * Never try inline submit of IOSQE_ASYNC is set, go straight
4340 * to async execution.
4342 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4343 io_queue_async_work(req);
4345 __io_queue_sqe(req, sqe);
4349 static inline void io_queue_link_head(struct io_kiocb *req)
4351 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
4352 io_cqring_add_event(req, -ECANCELED);
4353 io_double_put_req(req);
4355 io_queue_sqe(req, NULL);
4358 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
4359 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
4361 static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4362 struct io_submit_state *state, struct io_kiocb **link)
4364 struct io_ring_ctx *ctx = req->ctx;
4365 unsigned int sqe_flags;
4368 sqe_flags = READ_ONCE(sqe->flags);
4370 /* enforce forwards compatibility on users */
4371 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
4375 if (sqe_flags & IOSQE_ASYNC)
4376 req->flags |= REQ_F_FORCE_ASYNC;
4378 ret = io_req_set_file(state, req, sqe);
4379 if (unlikely(ret)) {
4381 io_cqring_add_event(req, ret);
4382 io_double_put_req(req);
4387 * If we already have a head request, queue this one for async
4388 * submittal once the head completes. If we don't have a head but
4389 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4390 * submitted sync once the chain is complete. If none of those
4391 * conditions are true (normal request), then just queue it.
4394 struct io_kiocb *head = *link;
4396 if (sqe_flags & IOSQE_IO_DRAIN)
4397 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
4399 if (sqe_flags & IOSQE_IO_HARDLINK)
4400 req->flags |= REQ_F_HARDLINK;
4402 if (io_alloc_async_ctx(req)) {
4407 ret = io_req_defer_prep(req, sqe);
4409 /* fail even hard links since we don't submit */
4410 head->flags |= REQ_F_FAIL_LINK;
4413 trace_io_uring_link(ctx, req, head);
4414 list_add_tail(&req->link_list, &head->link_list);
4416 /* last request of a link, enqueue the link */
4417 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4418 io_queue_link_head(head);
4421 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
4422 req->flags |= REQ_F_LINK;
4423 if (sqe_flags & IOSQE_IO_HARDLINK)
4424 req->flags |= REQ_F_HARDLINK;
4426 INIT_LIST_HEAD(&req->link_list);
4427 ret = io_req_defer_prep(req, sqe);
4429 req->flags |= REQ_F_FAIL_LINK;
4432 io_queue_sqe(req, sqe);
4439 * Batched submission is done, ensure local IO is flushed out.
4441 static void io_submit_state_end(struct io_submit_state *state)
4443 blk_finish_plug(&state->plug);
4445 if (state->free_reqs)
4446 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4447 &state->reqs[state->cur_req]);
4451 * Start submission side cache.
4453 static void io_submit_state_start(struct io_submit_state *state,
4454 unsigned int max_ios)
4456 blk_start_plug(&state->plug);
4457 state->free_reqs = 0;
4459 state->ios_left = max_ios;
4462 static void io_commit_sqring(struct io_ring_ctx *ctx)
4464 struct io_rings *rings = ctx->rings;
4466 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
4468 * Ensure any loads from the SQEs are done at this point,
4469 * since once we write the new head, the application could
4470 * write new data to them.
4472 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
4477 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
4478 * that is mapped by userspace. This means that care needs to be taken to
4479 * ensure that reads are stable, as we cannot rely on userspace always
4480 * being a good citizen. If members of the sqe are validated and then later
4481 * used, it's important that those reads are done through READ_ONCE() to
4482 * prevent a re-load down the line.
4484 static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4485 const struct io_uring_sqe **sqe_ptr)
4487 struct io_rings *rings = ctx->rings;
4488 u32 *sq_array = ctx->sq_array;
4492 * The cached sq head (or cq tail) serves two purposes:
4494 * 1) allows us to batch the cost of updating the user visible
4496 * 2) allows the kernel side to track the head on its own, even
4497 * though the application is the one updating it.
4499 head = ctx->cached_sq_head;
4500 /* make sure SQ entry isn't read before tail */
4501 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
4504 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
4505 if (likely(head < ctx->sq_entries)) {
4507 * All io need record the previous position, if LINK vs DARIN,
4508 * it can be used to mark the position of the first IO in the
4511 req->sequence = ctx->cached_sq_head;
4512 *sqe_ptr = &ctx->sq_sqes[head];
4513 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4514 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
4515 ctx->cached_sq_head++;
4519 /* drop invalid entries */
4520 ctx->cached_sq_head++;
4521 ctx->cached_sq_dropped++;
4522 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
4526 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
4527 struct file *ring_file, int ring_fd,
4528 struct mm_struct **mm, bool async)
4530 struct io_submit_state state, *statep = NULL;
4531 struct io_kiocb *link = NULL;
4532 int i, submitted = 0;
4533 bool mm_fault = false;
4535 /* if we have a backlog and couldn't flush it all, return BUSY */
4536 if (test_bit(0, &ctx->sq_check_overflow)) {
4537 if (!list_empty(&ctx->cq_overflow_list) &&
4538 !io_cqring_overflow_flush(ctx, false))
4542 if (!percpu_ref_tryget_many(&ctx->refs, nr))
4545 if (nr > IO_PLUG_THRESHOLD) {
4546 io_submit_state_start(&state, nr);
4550 for (i = 0; i < nr; i++) {
4551 const struct io_uring_sqe *sqe;
4552 struct io_kiocb *req;
4554 req = io_get_req(ctx, statep);
4555 if (unlikely(!req)) {
4557 submitted = -EAGAIN;
4560 if (!io_get_sqring(ctx, req, &sqe)) {
4561 __io_req_do_free(req);
4565 /* will complete beyond this point, count as submitted */
4568 if (unlikely(req->opcode >= IORING_OP_LAST)) {
4569 io_cqring_add_event(req, -EINVAL);
4570 io_double_put_req(req);
4574 if (io_op_defs[req->opcode].needs_mm && !*mm) {
4575 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4577 use_mm(ctx->sqo_mm);
4582 req->ring_file = ring_file;
4583 req->ring_fd = ring_fd;
4584 req->has_user = *mm != NULL;
4585 req->in_async = async;
4586 req->needs_fixed_file = async;
4587 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
4588 if (!io_submit_sqe(req, sqe, statep, &link))
4592 if (submitted != nr)
4593 percpu_ref_put_many(&ctx->refs, nr - submitted);
4595 io_queue_link_head(link);
4597 io_submit_state_end(&state);
4599 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4600 io_commit_sqring(ctx);
4605 static int io_sq_thread(void *data)
4607 struct io_ring_ctx *ctx = data;
4608 struct mm_struct *cur_mm = NULL;
4609 const struct cred *old_cred;
4610 mm_segment_t old_fs;
4613 unsigned long timeout;
4616 complete(&ctx->completions[1]);
4620 old_cred = override_creds(ctx->creds);
4622 ret = timeout = inflight = 0;
4623 while (!kthread_should_park()) {
4624 unsigned int to_submit;
4627 unsigned nr_events = 0;
4629 if (ctx->flags & IORING_SETUP_IOPOLL) {
4631 * inflight is the count of the maximum possible
4632 * entries we submitted, but it can be smaller
4633 * if we dropped some of them. If we don't have
4634 * poll entries available, then we know that we
4635 * have nothing left to poll for. Reset the
4636 * inflight count to zero in that case.
4638 mutex_lock(&ctx->uring_lock);
4639 if (!list_empty(&ctx->poll_list))
4640 __io_iopoll_check(ctx, &nr_events, 0);
4643 mutex_unlock(&ctx->uring_lock);
4646 * Normal IO, just pretend everything completed.
4647 * We don't have to poll completions for that.
4649 nr_events = inflight;
4652 inflight -= nr_events;
4654 timeout = jiffies + ctx->sq_thread_idle;
4657 to_submit = io_sqring_entries(ctx);
4660 * If submit got -EBUSY, flag us as needing the application
4661 * to enter the kernel to reap and flush events.
4663 if (!to_submit || ret == -EBUSY) {
4665 * We're polling. If we're within the defined idle
4666 * period, then let us spin without work before going
4667 * to sleep. The exception is if we got EBUSY doing
4668 * more IO, we should wait for the application to
4669 * reap events and wake us up.
4672 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
4678 * Drop cur_mm before scheduling, we can't hold it for
4679 * long periods (or over schedule()). Do this before
4680 * adding ourselves to the waitqueue, as the unuse/drop
4689 prepare_to_wait(&ctx->sqo_wait, &wait,
4690 TASK_INTERRUPTIBLE);
4692 /* Tell userspace we may need a wakeup call */
4693 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
4694 /* make sure to read SQ tail after writing flags */
4697 to_submit = io_sqring_entries(ctx);
4698 if (!to_submit || ret == -EBUSY) {
4699 if (kthread_should_park()) {
4700 finish_wait(&ctx->sqo_wait, &wait);
4703 if (signal_pending(current))
4704 flush_signals(current);
4706 finish_wait(&ctx->sqo_wait, &wait);
4708 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
4711 finish_wait(&ctx->sqo_wait, &wait);
4713 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
4716 to_submit = min(to_submit, ctx->sq_entries);
4717 mutex_lock(&ctx->uring_lock);
4718 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
4719 mutex_unlock(&ctx->uring_lock);
4729 revert_creds(old_cred);
4736 struct io_wait_queue {
4737 struct wait_queue_entry wq;
4738 struct io_ring_ctx *ctx;
4740 unsigned nr_timeouts;
4743 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
4745 struct io_ring_ctx *ctx = iowq->ctx;
4748 * Wake up if we have enough events, or if a timeout occurred since we
4749 * started waiting. For timeouts, we always want to return to userspace,
4750 * regardless of event count.
4752 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
4753 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4756 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4757 int wake_flags, void *key)
4759 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4762 /* use noflush == true, as we can't safely rely on locking context */
4763 if (!io_should_wake(iowq, true))
4766 return autoremove_wake_function(curr, mode, wake_flags, key);
4770 * Wait until events become available, if we don't already have some. The
4771 * application must reap them itself, as they reside on the shared cq ring.
4773 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4774 const sigset_t __user *sig, size_t sigsz)
4776 struct io_wait_queue iowq = {
4779 .func = io_wake_function,
4780 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4783 .to_wait = min_events,
4785 struct io_rings *rings = ctx->rings;
4788 if (io_cqring_events(ctx, false) >= min_events)
4792 #ifdef CONFIG_COMPAT
4793 if (in_compat_syscall())
4794 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
4798 ret = set_user_sigmask(sig, sigsz);
4804 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
4805 trace_io_uring_cqring_wait(ctx, min_events);
4807 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4808 TASK_INTERRUPTIBLE);
4809 if (io_should_wake(&iowq, false))
4812 if (signal_pending(current)) {
4817 finish_wait(&ctx->wait, &iowq.wq);
4819 restore_saved_sigmask_unless(ret == -EINTR);
4821 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
4824 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4826 #if defined(CONFIG_UNIX)
4827 if (ctx->ring_sock) {
4828 struct sock *sock = ctx->ring_sock->sk;
4829 struct sk_buff *skb;
4831 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4837 for (i = 0; i < ctx->nr_user_files; i++) {
4840 file = io_file_from_index(ctx, i);
4847 static void io_file_ref_kill(struct percpu_ref *ref)
4849 struct fixed_file_data *data;
4851 data = container_of(ref, struct fixed_file_data, refs);
4852 complete(&data->done);
4855 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4857 struct fixed_file_data *data = ctx->file_data;
4858 unsigned nr_tables, i;
4863 /* protect against inflight atomic switch, which drops the ref */
4864 flush_work(&data->ref_work);
4865 percpu_ref_get(&data->refs);
4866 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
4867 wait_for_completion(&data->done);
4868 percpu_ref_put(&data->refs);
4869 percpu_ref_exit(&data->refs);
4871 __io_sqe_files_unregister(ctx);
4872 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4873 for (i = 0; i < nr_tables; i++)
4874 kfree(data->table[i].files);
4877 ctx->file_data = NULL;
4878 ctx->nr_user_files = 0;
4882 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4884 if (ctx->sqo_thread) {
4885 wait_for_completion(&ctx->completions[1]);
4887 * The park is a bit of a work-around, without it we get
4888 * warning spews on shutdown with SQPOLL set and affinity
4889 * set to a single CPU.
4891 kthread_park(ctx->sqo_thread);
4892 kthread_stop(ctx->sqo_thread);
4893 ctx->sqo_thread = NULL;
4897 static void io_finish_async(struct io_ring_ctx *ctx)
4899 io_sq_thread_stop(ctx);
4902 io_wq_destroy(ctx->io_wq);
4907 #if defined(CONFIG_UNIX)
4909 * Ensure the UNIX gc is aware of our file set, so we are certain that
4910 * the io_uring can be safely unregistered on process exit, even if we have
4911 * loops in the file referencing.
4913 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4915 struct sock *sk = ctx->ring_sock->sk;
4916 struct scm_fp_list *fpl;
4917 struct sk_buff *skb;
4920 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4921 unsigned long inflight = ctx->user->unix_inflight + nr;
4923 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4927 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4931 skb = alloc_skb(0, GFP_KERNEL);
4940 fpl->user = get_uid(ctx->user);
4941 for (i = 0; i < nr; i++) {
4942 struct file *file = io_file_from_index(ctx, i + offset);
4946 fpl->fp[nr_files] = get_file(file);
4947 unix_inflight(fpl->user, fpl->fp[nr_files]);
4952 fpl->max = SCM_MAX_FD;
4953 fpl->count = nr_files;
4954 UNIXCB(skb).fp = fpl;
4955 skb->destructor = unix_destruct_scm;
4956 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4957 skb_queue_head(&sk->sk_receive_queue, skb);
4959 for (i = 0; i < nr_files; i++)
4970 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4971 * causes regular reference counting to break down. We rely on the UNIX
4972 * garbage collection to take care of this problem for us.
4974 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4976 unsigned left, total;
4980 left = ctx->nr_user_files;
4982 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
4984 ret = __io_sqe_files_scm(ctx, this_files, total);
4988 total += this_files;
4994 while (total < ctx->nr_user_files) {
4995 struct file *file = io_file_from_index(ctx, total);
5005 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5011 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5016 for (i = 0; i < nr_tables; i++) {
5017 struct fixed_file_table *table = &ctx->file_data->table[i];
5018 unsigned this_files;
5020 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5021 table->files = kcalloc(this_files, sizeof(struct file *),
5025 nr_files -= this_files;
5031 for (i = 0; i < nr_tables; i++) {
5032 struct fixed_file_table *table = &ctx->file_data->table[i];
5033 kfree(table->files);
5038 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5040 #if defined(CONFIG_UNIX)
5041 struct sock *sock = ctx->ring_sock->sk;
5042 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5043 struct sk_buff *skb;
5046 __skb_queue_head_init(&list);
5049 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5050 * remove this entry and rearrange the file array.
5052 skb = skb_dequeue(head);
5054 struct scm_fp_list *fp;
5056 fp = UNIXCB(skb).fp;
5057 for (i = 0; i < fp->count; i++) {
5060 if (fp->fp[i] != file)
5063 unix_notinflight(fp->user, fp->fp[i]);
5064 left = fp->count - 1 - i;
5066 memmove(&fp->fp[i], &fp->fp[i + 1],
5067 left * sizeof(struct file *));
5074 __skb_queue_tail(&list, skb);
5084 __skb_queue_tail(&list, skb);
5086 skb = skb_dequeue(head);
5089 if (skb_peek(&list)) {
5090 spin_lock_irq(&head->lock);
5091 while ((skb = __skb_dequeue(&list)) != NULL)
5092 __skb_queue_tail(head, skb);
5093 spin_unlock_irq(&head->lock);
5100 struct io_file_put {
5101 struct llist_node llist;
5103 struct completion *done;
5106 static void io_ring_file_ref_switch(struct work_struct *work)
5108 struct io_file_put *pfile, *tmp;
5109 struct fixed_file_data *data;
5110 struct llist_node *node;
5112 data = container_of(work, struct fixed_file_data, ref_work);
5114 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5115 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5116 io_ring_file_put(data->ctx, pfile->file);
5118 complete(pfile->done);
5124 percpu_ref_get(&data->refs);
5125 percpu_ref_switch_to_percpu(&data->refs);
5128 static void io_file_data_ref_zero(struct percpu_ref *ref)
5130 struct fixed_file_data *data;
5132 data = container_of(ref, struct fixed_file_data, refs);
5134 /* we can't safely switch from inside this context, punt to wq */
5135 queue_work(system_wq, &data->ref_work);
5138 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5141 __s32 __user *fds = (__s32 __user *) arg;
5151 if (nr_args > IORING_MAX_FIXED_FILES)
5154 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5155 if (!ctx->file_data)
5157 ctx->file_data->ctx = ctx;
5158 init_completion(&ctx->file_data->done);
5160 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
5161 ctx->file_data->table = kcalloc(nr_tables,
5162 sizeof(struct fixed_file_table),
5164 if (!ctx->file_data->table) {
5165 kfree(ctx->file_data);
5166 ctx->file_data = NULL;
5170 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5171 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5172 kfree(ctx->file_data->table);
5173 kfree(ctx->file_data);
5174 ctx->file_data = NULL;
5177 ctx->file_data->put_llist.first = NULL;
5178 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
5180 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
5181 percpu_ref_exit(&ctx->file_data->refs);
5182 kfree(ctx->file_data->table);
5183 kfree(ctx->file_data);
5184 ctx->file_data = NULL;
5188 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
5189 struct fixed_file_table *table;
5193 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5195 /* allow sparse sets */
5201 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
5202 index = i & IORING_FILE_TABLE_MASK;
5210 * Don't allow io_uring instances to be registered. If UNIX
5211 * isn't enabled, then this causes a reference cycle and this
5212 * instance can never get freed. If UNIX is enabled we'll
5213 * handle it just fine, but there's still no point in allowing
5214 * a ring fd as it doesn't support regular read/write anyway.
5216 if (file->f_op == &io_uring_fops) {
5221 table->files[index] = file;
5225 for (i = 0; i < ctx->nr_user_files; i++) {
5226 file = io_file_from_index(ctx, i);
5230 for (i = 0; i < nr_tables; i++)
5231 kfree(ctx->file_data->table[i].files);
5233 kfree(ctx->file_data->table);
5234 kfree(ctx->file_data);
5235 ctx->file_data = NULL;
5236 ctx->nr_user_files = 0;
5240 ret = io_sqe_files_scm(ctx);
5242 io_sqe_files_unregister(ctx);
5247 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5250 #if defined(CONFIG_UNIX)
5251 struct sock *sock = ctx->ring_sock->sk;
5252 struct sk_buff_head *head = &sock->sk_receive_queue;
5253 struct sk_buff *skb;
5256 * See if we can merge this file into an existing skb SCM_RIGHTS
5257 * file set. If there's no room, fall back to allocating a new skb
5258 * and filling it in.
5260 spin_lock_irq(&head->lock);
5261 skb = skb_peek(head);
5263 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5265 if (fpl->count < SCM_MAX_FD) {
5266 __skb_unlink(skb, head);
5267 spin_unlock_irq(&head->lock);
5268 fpl->fp[fpl->count] = get_file(file);
5269 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5271 spin_lock_irq(&head->lock);
5272 __skb_queue_head(head, skb);
5277 spin_unlock_irq(&head->lock);
5284 return __io_sqe_files_scm(ctx, 1, index);
5290 static void io_atomic_switch(struct percpu_ref *ref)
5292 struct fixed_file_data *data;
5294 data = container_of(ref, struct fixed_file_data, refs);
5295 clear_bit(FFD_F_ATOMIC, &data->state);
5298 static bool io_queue_file_removal(struct fixed_file_data *data,
5301 struct io_file_put *pfile, pfile_stack;
5302 DECLARE_COMPLETION_ONSTACK(done);
5305 * If we fail allocating the struct we need for doing async reomval
5306 * of this file, just punt to sync and wait for it.
5308 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5310 pfile = &pfile_stack;
5311 pfile->done = &done;
5315 llist_add(&pfile->llist, &data->put_llist);
5317 if (pfile == &pfile_stack) {
5318 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5319 percpu_ref_put(&data->refs);
5320 percpu_ref_switch_to_atomic(&data->refs,
5323 wait_for_completion(&done);
5324 flush_work(&data->ref_work);
5331 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5332 struct io_uring_files_update *up,
5335 struct fixed_file_data *data = ctx->file_data;
5336 bool ref_switch = false;
5342 if (check_add_overflow(up->offset, nr_args, &done))
5344 if (done > ctx->nr_user_files)
5348 fds = u64_to_user_ptr(up->fds);
5350 struct fixed_file_table *table;
5354 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5358 i = array_index_nospec(up->offset, ctx->nr_user_files);
5359 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
5360 index = i & IORING_FILE_TABLE_MASK;
5361 if (table->files[index]) {
5362 file = io_file_from_index(ctx, index);
5363 table->files[index] = NULL;
5364 if (io_queue_file_removal(data, file))
5374 * Don't allow io_uring instances to be registered. If
5375 * UNIX isn't enabled, then this causes a reference
5376 * cycle and this instance can never get freed. If UNIX
5377 * is enabled we'll handle it just fine, but there's
5378 * still no point in allowing a ring fd as it doesn't
5379 * support regular read/write anyway.
5381 if (file->f_op == &io_uring_fops) {
5386 table->files[index] = file;
5387 err = io_sqe_file_register(ctx, file, i);
5396 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5397 percpu_ref_put(&data->refs);
5398 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
5401 return done ? done : err;
5403 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5406 struct io_uring_files_update up;
5408 if (!ctx->file_data)
5412 if (copy_from_user(&up, arg, sizeof(up)))
5417 return __io_sqe_files_update(ctx, &up, nr_args);
5420 static void io_put_work(struct io_wq_work *work)
5422 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5427 static void io_get_work(struct io_wq_work *work)
5429 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5431 refcount_inc(&req->refs);
5434 static int io_sq_offload_start(struct io_ring_ctx *ctx,
5435 struct io_uring_params *p)
5437 struct io_wq_data data;
5438 unsigned concurrency;
5441 init_waitqueue_head(&ctx->sqo_wait);
5442 mmgrab(current->mm);
5443 ctx->sqo_mm = current->mm;
5445 if (ctx->flags & IORING_SETUP_SQPOLL) {
5447 if (!capable(CAP_SYS_ADMIN))
5450 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5451 if (!ctx->sq_thread_idle)
5452 ctx->sq_thread_idle = HZ;
5454 if (p->flags & IORING_SETUP_SQ_AFF) {
5455 int cpu = p->sq_thread_cpu;
5458 if (cpu >= nr_cpu_ids)
5460 if (!cpu_online(cpu))
5463 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5467 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5470 if (IS_ERR(ctx->sqo_thread)) {
5471 ret = PTR_ERR(ctx->sqo_thread);
5472 ctx->sqo_thread = NULL;
5475 wake_up_process(ctx->sqo_thread);
5476 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5477 /* Can't have SQ_AFF without SQPOLL */
5482 data.mm = ctx->sqo_mm;
5483 data.user = ctx->user;
5484 data.creds = ctx->creds;
5485 data.get_work = io_get_work;
5486 data.put_work = io_put_work;
5488 /* Do QD, or 4 * CPUS, whatever is smallest */
5489 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
5490 ctx->io_wq = io_wq_create(concurrency, &data);
5491 if (IS_ERR(ctx->io_wq)) {
5492 ret = PTR_ERR(ctx->io_wq);
5499 io_finish_async(ctx);
5500 mmdrop(ctx->sqo_mm);
5505 static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5507 atomic_long_sub(nr_pages, &user->locked_vm);
5510 static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5512 unsigned long page_limit, cur_pages, new_pages;
5514 /* Don't allow more pages than we can safely lock */
5515 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5518 cur_pages = atomic_long_read(&user->locked_vm);
5519 new_pages = cur_pages + nr_pages;
5520 if (new_pages > page_limit)
5522 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5523 new_pages) != cur_pages);
5528 static void io_mem_free(void *ptr)
5535 page = virt_to_head_page(ptr);
5536 if (put_page_testzero(page))
5537 free_compound_page(page);
5540 static void *io_mem_alloc(size_t size)
5542 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5545 return (void *) __get_free_pages(gfp_flags, get_order(size));
5548 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5551 struct io_rings *rings;
5552 size_t off, sq_array_size;
5554 off = struct_size(rings, cqes, cq_entries);
5555 if (off == SIZE_MAX)
5559 off = ALIGN(off, SMP_CACHE_BYTES);
5564 sq_array_size = array_size(sizeof(u32), sq_entries);
5565 if (sq_array_size == SIZE_MAX)
5568 if (check_add_overflow(off, sq_array_size, &off))
5577 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5581 pages = (size_t)1 << get_order(
5582 rings_size(sq_entries, cq_entries, NULL));
5583 pages += (size_t)1 << get_order(
5584 array_size(sizeof(struct io_uring_sqe), sq_entries));
5589 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5593 if (!ctx->user_bufs)
5596 for (i = 0; i < ctx->nr_user_bufs; i++) {
5597 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5599 for (j = 0; j < imu->nr_bvecs; j++)
5600 put_user_page(imu->bvec[j].bv_page);
5602 if (ctx->account_mem)
5603 io_unaccount_mem(ctx->user, imu->nr_bvecs);
5608 kfree(ctx->user_bufs);
5609 ctx->user_bufs = NULL;
5610 ctx->nr_user_bufs = 0;
5614 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5615 void __user *arg, unsigned index)
5617 struct iovec __user *src;
5619 #ifdef CONFIG_COMPAT
5621 struct compat_iovec __user *ciovs;
5622 struct compat_iovec ciov;
5624 ciovs = (struct compat_iovec __user *) arg;
5625 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5628 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
5629 dst->iov_len = ciov.iov_len;
5633 src = (struct iovec __user *) arg;
5634 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5639 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5642 struct vm_area_struct **vmas = NULL;
5643 struct page **pages = NULL;
5644 int i, j, got_pages = 0;
5649 if (!nr_args || nr_args > UIO_MAXIOV)
5652 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5654 if (!ctx->user_bufs)
5657 for (i = 0; i < nr_args; i++) {
5658 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5659 unsigned long off, start, end, ubuf;
5664 ret = io_copy_iov(ctx, &iov, arg, i);
5669 * Don't impose further limits on the size and buffer
5670 * constraints here, we'll -EINVAL later when IO is
5671 * submitted if they are wrong.
5674 if (!iov.iov_base || !iov.iov_len)
5677 /* arbitrary limit, but we need something */
5678 if (iov.iov_len > SZ_1G)
5681 ubuf = (unsigned long) iov.iov_base;
5682 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5683 start = ubuf >> PAGE_SHIFT;
5684 nr_pages = end - start;
5686 if (ctx->account_mem) {
5687 ret = io_account_mem(ctx->user, nr_pages);
5693 if (!pages || nr_pages > got_pages) {
5696 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
5698 vmas = kvmalloc_array(nr_pages,
5699 sizeof(struct vm_area_struct *),
5701 if (!pages || !vmas) {
5703 if (ctx->account_mem)
5704 io_unaccount_mem(ctx->user, nr_pages);
5707 got_pages = nr_pages;
5710 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
5714 if (ctx->account_mem)
5715 io_unaccount_mem(ctx->user, nr_pages);
5720 down_read(¤t->mm->mmap_sem);
5721 pret = get_user_pages(ubuf, nr_pages,
5722 FOLL_WRITE | FOLL_LONGTERM,
5724 if (pret == nr_pages) {
5725 /* don't support file backed memory */
5726 for (j = 0; j < nr_pages; j++) {
5727 struct vm_area_struct *vma = vmas[j];
5730 !is_file_hugepages(vma->vm_file)) {
5736 ret = pret < 0 ? pret : -EFAULT;
5738 up_read(¤t->mm->mmap_sem);
5741 * if we did partial map, or found file backed vmas,
5742 * release any pages we did get
5745 put_user_pages(pages, pret);
5746 if (ctx->account_mem)
5747 io_unaccount_mem(ctx->user, nr_pages);
5752 off = ubuf & ~PAGE_MASK;
5754 for (j = 0; j < nr_pages; j++) {
5757 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5758 imu->bvec[j].bv_page = pages[j];
5759 imu->bvec[j].bv_len = vec_len;
5760 imu->bvec[j].bv_offset = off;
5764 /* store original address for later verification */
5766 imu->len = iov.iov_len;
5767 imu->nr_bvecs = nr_pages;
5769 ctx->nr_user_bufs++;
5777 io_sqe_buffer_unregister(ctx);
5781 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
5783 __s32 __user *fds = arg;
5789 if (copy_from_user(&fd, fds, sizeof(*fds)))
5792 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
5793 if (IS_ERR(ctx->cq_ev_fd)) {
5794 int ret = PTR_ERR(ctx->cq_ev_fd);
5795 ctx->cq_ev_fd = NULL;
5802 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
5804 if (ctx->cq_ev_fd) {
5805 eventfd_ctx_put(ctx->cq_ev_fd);
5806 ctx->cq_ev_fd = NULL;
5813 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
5815 io_finish_async(ctx);
5817 mmdrop(ctx->sqo_mm);
5819 io_iopoll_reap_events(ctx);
5820 io_sqe_buffer_unregister(ctx);
5821 io_sqe_files_unregister(ctx);
5822 io_eventfd_unregister(ctx);
5824 #if defined(CONFIG_UNIX)
5825 if (ctx->ring_sock) {
5826 ctx->ring_sock->file = NULL; /* so that iput() is called */
5827 sock_release(ctx->ring_sock);
5831 io_mem_free(ctx->rings);
5832 io_mem_free(ctx->sq_sqes);
5834 percpu_ref_exit(&ctx->refs);
5835 if (ctx->account_mem)
5836 io_unaccount_mem(ctx->user,
5837 ring_pages(ctx->sq_entries, ctx->cq_entries));
5838 free_uid(ctx->user);
5839 put_cred(ctx->creds);
5840 kfree(ctx->completions);
5841 kfree(ctx->cancel_hash);
5842 kmem_cache_free(req_cachep, ctx->fallback_req);
5846 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
5848 struct io_ring_ctx *ctx = file->private_data;
5851 poll_wait(file, &ctx->cq_wait, wait);
5853 * synchronizes with barrier from wq_has_sleeper call in
5857 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
5858 ctx->rings->sq_ring_entries)
5859 mask |= EPOLLOUT | EPOLLWRNORM;
5860 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
5861 mask |= EPOLLIN | EPOLLRDNORM;
5866 static int io_uring_fasync(int fd, struct file *file, int on)
5868 struct io_ring_ctx *ctx = file->private_data;
5870 return fasync_helper(fd, file, on, &ctx->cq_fasync);
5873 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
5875 mutex_lock(&ctx->uring_lock);
5876 percpu_ref_kill(&ctx->refs);
5877 mutex_unlock(&ctx->uring_lock);
5879 io_kill_timeouts(ctx);
5880 io_poll_remove_all(ctx);
5883 io_wq_cancel_all(ctx->io_wq);
5885 io_iopoll_reap_events(ctx);
5886 /* if we failed setting up the ctx, we might not have any rings */
5888 io_cqring_overflow_flush(ctx, true);
5889 wait_for_completion(&ctx->completions[0]);
5890 io_ring_ctx_free(ctx);
5893 static int io_uring_release(struct inode *inode, struct file *file)
5895 struct io_ring_ctx *ctx = file->private_data;
5897 file->private_data = NULL;
5898 io_ring_ctx_wait_and_kill(ctx);
5902 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
5903 struct files_struct *files)
5905 struct io_kiocb *req;
5908 while (!list_empty_careful(&ctx->inflight_list)) {
5909 struct io_kiocb *cancel_req = NULL;
5911 spin_lock_irq(&ctx->inflight_lock);
5912 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
5913 if (req->work.files != files)
5915 /* req is being completed, ignore */
5916 if (!refcount_inc_not_zero(&req->refs))
5922 prepare_to_wait(&ctx->inflight_wait, &wait,
5923 TASK_UNINTERRUPTIBLE);
5924 spin_unlock_irq(&ctx->inflight_lock);
5926 /* We need to keep going until we don't find a matching req */
5930 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
5931 io_put_req(cancel_req);
5934 finish_wait(&ctx->inflight_wait, &wait);
5937 static int io_uring_flush(struct file *file, void *data)
5939 struct io_ring_ctx *ctx = file->private_data;
5941 io_uring_cancel_files(ctx, data);
5942 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
5943 io_cqring_overflow_flush(ctx, true);
5944 io_wq_cancel_all(ctx->io_wq);
5949 static void *io_uring_validate_mmap_request(struct file *file,
5950 loff_t pgoff, size_t sz)
5952 struct io_ring_ctx *ctx = file->private_data;
5953 loff_t offset = pgoff << PAGE_SHIFT;
5958 case IORING_OFF_SQ_RING:
5959 case IORING_OFF_CQ_RING:
5962 case IORING_OFF_SQES:
5966 return ERR_PTR(-EINVAL);
5969 page = virt_to_head_page(ptr);
5970 if (sz > page_size(page))
5971 return ERR_PTR(-EINVAL);
5978 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5980 size_t sz = vma->vm_end - vma->vm_start;
5984 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5986 return PTR_ERR(ptr);
5988 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5989 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5992 #else /* !CONFIG_MMU */
5994 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5996 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5999 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6001 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6004 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6005 unsigned long addr, unsigned long len,
6006 unsigned long pgoff, unsigned long flags)
6010 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6012 return PTR_ERR(ptr);
6014 return (unsigned long) ptr;
6017 #endif /* !CONFIG_MMU */
6019 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6020 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6023 struct io_ring_ctx *ctx;
6028 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
6036 if (f.file->f_op != &io_uring_fops)
6040 ctx = f.file->private_data;
6041 if (!percpu_ref_tryget(&ctx->refs))
6045 * For SQ polling, the thread will do all submissions and completions.
6046 * Just return the requested submit count, and wake the thread if
6050 if (ctx->flags & IORING_SETUP_SQPOLL) {
6051 if (!list_empty_careful(&ctx->cq_overflow_list))
6052 io_cqring_overflow_flush(ctx, false);
6053 if (flags & IORING_ENTER_SQ_WAKEUP)
6054 wake_up(&ctx->sqo_wait);
6055 submitted = to_submit;
6056 } else if (to_submit) {
6057 struct mm_struct *cur_mm;
6059 if (current->mm != ctx->sqo_mm ||
6060 current_cred() != ctx->creds) {
6065 to_submit = min(to_submit, ctx->sq_entries);
6066 mutex_lock(&ctx->uring_lock);
6067 /* already have mm, so io_submit_sqes() won't try to grab it */
6068 cur_mm = ctx->sqo_mm;
6069 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6071 mutex_unlock(&ctx->uring_lock);
6073 if (submitted != to_submit)
6076 if (flags & IORING_ENTER_GETEVENTS) {
6077 unsigned nr_events = 0;
6079 min_complete = min(min_complete, ctx->cq_entries);
6081 if (ctx->flags & IORING_SETUP_IOPOLL) {
6082 ret = io_iopoll_check(ctx, &nr_events, min_complete);
6084 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6089 percpu_ref_put(&ctx->refs);
6092 return submitted ? submitted : ret;
6095 static const struct file_operations io_uring_fops = {
6096 .release = io_uring_release,
6097 .flush = io_uring_flush,
6098 .mmap = io_uring_mmap,
6100 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6101 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6103 .poll = io_uring_poll,
6104 .fasync = io_uring_fasync,
6107 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6108 struct io_uring_params *p)
6110 struct io_rings *rings;
6111 size_t size, sq_array_offset;
6113 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6114 if (size == SIZE_MAX)
6117 rings = io_mem_alloc(size);
6122 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6123 rings->sq_ring_mask = p->sq_entries - 1;
6124 rings->cq_ring_mask = p->cq_entries - 1;
6125 rings->sq_ring_entries = p->sq_entries;
6126 rings->cq_ring_entries = p->cq_entries;
6127 ctx->sq_mask = rings->sq_ring_mask;
6128 ctx->cq_mask = rings->cq_ring_mask;
6129 ctx->sq_entries = rings->sq_ring_entries;
6130 ctx->cq_entries = rings->cq_ring_entries;
6132 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
6133 if (size == SIZE_MAX) {
6134 io_mem_free(ctx->rings);
6139 ctx->sq_sqes = io_mem_alloc(size);
6140 if (!ctx->sq_sqes) {
6141 io_mem_free(ctx->rings);
6150 * Allocate an anonymous fd, this is what constitutes the application
6151 * visible backing of an io_uring instance. The application mmaps this
6152 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6153 * we have to tie this fd to a socket for file garbage collection purposes.
6155 static int io_uring_get_fd(struct io_ring_ctx *ctx)
6160 #if defined(CONFIG_UNIX)
6161 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6167 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6171 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6172 O_RDWR | O_CLOEXEC);
6175 ret = PTR_ERR(file);
6179 #if defined(CONFIG_UNIX)
6180 ctx->ring_sock->file = file;
6182 fd_install(ret, file);
6185 #if defined(CONFIG_UNIX)
6186 sock_release(ctx->ring_sock);
6187 ctx->ring_sock = NULL;
6192 static int io_uring_create(unsigned entries, struct io_uring_params *p)
6194 struct user_struct *user = NULL;
6195 struct io_ring_ctx *ctx;
6199 if (!entries || entries > IORING_MAX_ENTRIES)
6203 * Use twice as many entries for the CQ ring. It's possible for the
6204 * application to drive a higher depth than the size of the SQ ring,
6205 * since the sqes are only used at submission time. This allows for
6206 * some flexibility in overcommitting a bit. If the application has
6207 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6208 * of CQ ring entries manually.
6210 p->sq_entries = roundup_pow_of_two(entries);
6211 if (p->flags & IORING_SETUP_CQSIZE) {
6213 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6214 * to a power-of-two, if it isn't already. We do NOT impose
6215 * any cq vs sq ring sizing.
6217 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
6219 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6221 p->cq_entries = 2 * p->sq_entries;
6224 user = get_uid(current_user());
6225 account_mem = !capable(CAP_IPC_LOCK);
6228 ret = io_account_mem(user,
6229 ring_pages(p->sq_entries, p->cq_entries));
6236 ctx = io_ring_ctx_alloc(p);
6239 io_unaccount_mem(user, ring_pages(p->sq_entries,
6244 ctx->compat = in_compat_syscall();
6245 ctx->account_mem = account_mem;
6247 ctx->creds = get_current_cred();
6249 ret = io_allocate_scq_urings(ctx, p);
6253 ret = io_sq_offload_start(ctx, p);
6257 memset(&p->sq_off, 0, sizeof(p->sq_off));
6258 p->sq_off.head = offsetof(struct io_rings, sq.head);
6259 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6260 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6261 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6262 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6263 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6264 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
6266 memset(&p->cq_off, 0, sizeof(p->cq_off));
6267 p->cq_off.head = offsetof(struct io_rings, cq.head);
6268 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6269 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6270 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6271 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6272 p->cq_off.cqes = offsetof(struct io_rings, cqes);
6275 * Install ring fd as the very last thing, so we don't risk someone
6276 * having closed it before we finish setup
6278 ret = io_uring_get_fd(ctx);
6282 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
6283 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS;
6284 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
6287 io_ring_ctx_wait_and_kill(ctx);
6292 * Sets up an aio uring context, and returns the fd. Applications asks for a
6293 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6294 * params structure passed in.
6296 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6298 struct io_uring_params p;
6302 if (copy_from_user(&p, params, sizeof(p)))
6304 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6309 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
6310 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
6313 ret = io_uring_create(entries, &p);
6317 if (copy_to_user(params, &p, sizeof(p)))
6323 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6324 struct io_uring_params __user *, params)
6326 return io_uring_setup(entries, params);
6329 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
6330 void __user *arg, unsigned nr_args)
6331 __releases(ctx->uring_lock)
6332 __acquires(ctx->uring_lock)
6337 * We're inside the ring mutex, if the ref is already dying, then
6338 * someone else killed the ctx or is already going through
6339 * io_uring_register().
6341 if (percpu_ref_is_dying(&ctx->refs))
6344 if (opcode != IORING_UNREGISTER_FILES &&
6345 opcode != IORING_REGISTER_FILES_UPDATE) {
6346 percpu_ref_kill(&ctx->refs);
6349 * Drop uring mutex before waiting for references to exit. If
6350 * another thread is currently inside io_uring_enter() it might
6351 * need to grab the uring_lock to make progress. If we hold it
6352 * here across the drain wait, then we can deadlock. It's safe
6353 * to drop the mutex here, since no new references will come in
6354 * after we've killed the percpu ref.
6356 mutex_unlock(&ctx->uring_lock);
6357 wait_for_completion(&ctx->completions[0]);
6358 mutex_lock(&ctx->uring_lock);
6362 case IORING_REGISTER_BUFFERS:
6363 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6365 case IORING_UNREGISTER_BUFFERS:
6369 ret = io_sqe_buffer_unregister(ctx);
6371 case IORING_REGISTER_FILES:
6372 ret = io_sqe_files_register(ctx, arg, nr_args);
6374 case IORING_UNREGISTER_FILES:
6378 ret = io_sqe_files_unregister(ctx);
6380 case IORING_REGISTER_FILES_UPDATE:
6381 ret = io_sqe_files_update(ctx, arg, nr_args);
6383 case IORING_REGISTER_EVENTFD:
6387 ret = io_eventfd_register(ctx, arg);
6389 case IORING_UNREGISTER_EVENTFD:
6393 ret = io_eventfd_unregister(ctx);
6401 if (opcode != IORING_UNREGISTER_FILES &&
6402 opcode != IORING_REGISTER_FILES_UPDATE) {
6403 /* bring the ctx back to life */
6404 reinit_completion(&ctx->completions[0]);
6405 percpu_ref_reinit(&ctx->refs);
6410 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6411 void __user *, arg, unsigned int, nr_args)
6413 struct io_ring_ctx *ctx;
6422 if (f.file->f_op != &io_uring_fops)
6425 ctx = f.file->private_data;
6427 mutex_lock(&ctx->uring_lock);
6428 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6429 mutex_unlock(&ctx->uring_lock);
6430 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6431 ctx->cq_ev_fd != NULL, ret);
6437 static int __init io_uring_init(void)
6439 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
6440 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6443 __initcall(io_uring_init);
projects / linux-2.6-block.git / blob