1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
52 #include <linux/sched/signal.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/kthread.h>
61 #include <linux/blkdev.h>
62 #include <linux/bvec.h>
63 #include <linux/net.h>
65 #include <net/af_unix.h>
67 #include <linux/anon_inodes.h>
68 #include <linux/sched/mm.h>
69 #include <linux/uaccess.h>
70 #include <linux/nospec.h>
71 #include <linux/sizes.h>
72 #include <linux/hugetlb.h>
73 #include <linux/highmem.h>
74 #include <linux/namei.h>
75 #include <linux/fsnotify.h>
76 #include <linux/fadvise.h>
77 #include <linux/eventpoll.h>
78 #include <linux/fs_struct.h>
79 #include <linux/splice.h>
80 #include <linux/task_work.h>
81 #include <linux/pagemap.h>
83 #define CREATE_TRACE_POINTS
84 #include <trace/events/io_uring.h>
86 #include <uapi/linux/io_uring.h>
91 #define IORING_MAX_ENTRIES 32768
92 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
95 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
97 #define IORING_FILE_TABLE_SHIFT 9
98 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
99 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
100 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
103 u32 head ____cacheline_aligned_in_smp;
104 u32 tail ____cacheline_aligned_in_smp;
108 * This data is shared with the application through the mmap at offsets
109 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
111 * The offsets to the member fields are published through struct
112 * io_sqring_offsets when calling io_uring_setup.
116 * Head and tail offsets into the ring; the offsets need to be
117 * masked to get valid indices.
119 * The kernel controls head of the sq ring and the tail of the cq ring,
120 * and the application controls tail of the sq ring and the head of the
123 struct io_uring sq, cq;
125 * Bitmasks to apply to head and tail offsets (constant, equals
128 u32 sq_ring_mask, cq_ring_mask;
129 /* Ring sizes (constant, power of 2) */
130 u32 sq_ring_entries, cq_ring_entries;
132 * Number of invalid entries dropped by the kernel due to
133 * invalid index stored in array
135 * Written by the kernel, shouldn't be modified by the
136 * application (i.e. get number of "new events" by comparing to
139 * After a new SQ head value was read by the application this
140 * counter includes all submissions that were dropped reaching
141 * the new SQ head (and possibly more).
147 * Written by the kernel, shouldn't be modified by the
150 * The application needs a full memory barrier before checking
151 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
157 * Written by the application, shouldn't be modified by the
162 * Number of completion events lost because the queue was full;
163 * this should be avoided by the application by making sure
164 * there are not more requests pending than there is space in
165 * the completion queue.
167 * Written by the kernel, shouldn't be modified by the
168 * application (i.e. get number of "new events" by comparing to
171 * As completion events come in out of order this counter is not
172 * ordered with any other data.
176 * Ring buffer of completion events.
178 * The kernel writes completion events fresh every time they are
179 * produced, so the application is allowed to modify pending
182 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
185 struct io_mapped_ubuf {
188 struct bio_vec *bvec;
189 unsigned int nr_bvecs;
192 struct fixed_file_table {
196 struct fixed_file_ref_node {
197 struct percpu_ref refs;
198 struct list_head node;
199 struct list_head file_list;
200 struct fixed_file_data *file_data;
201 struct llist_node llist;
204 struct fixed_file_data {
205 struct fixed_file_table *table;
206 struct io_ring_ctx *ctx;
208 struct percpu_ref *cur_refs;
209 struct percpu_ref refs;
210 struct completion done;
211 struct list_head ref_list;
216 struct list_head list;
224 struct percpu_ref refs;
225 } ____cacheline_aligned_in_smp;
229 unsigned int compat: 1;
230 unsigned int limit_mem: 1;
231 unsigned int cq_overflow_flushed: 1;
232 unsigned int drain_next: 1;
233 unsigned int eventfd_async: 1;
236 * Ring buffer of indices into array of io_uring_sqe, which is
237 * mmapped by the application using the IORING_OFF_SQES offset.
239 * This indirection could e.g. be used to assign fixed
240 * io_uring_sqe entries to operations and only submit them to
241 * the queue when needed.
243 * The kernel modifies neither the indices array nor the entries
247 unsigned cached_sq_head;
250 unsigned sq_thread_idle;
251 unsigned cached_sq_dropped;
252 atomic_t cached_cq_overflow;
253 unsigned long sq_check_overflow;
255 struct list_head defer_list;
256 struct list_head timeout_list;
257 struct list_head cq_overflow_list;
259 wait_queue_head_t inflight_wait;
260 struct io_uring_sqe *sq_sqes;
261 } ____cacheline_aligned_in_smp;
263 struct io_rings *rings;
267 struct task_struct *sqo_thread; /* if using sq thread polling */
268 struct mm_struct *sqo_mm;
269 wait_queue_head_t sqo_wait;
272 * If used, fixed file set. Writers must ensure that ->refs is dead,
273 * readers must ensure that ->refs is alive as long as the file* is
274 * used. Only updated through io_uring_register(2).
276 struct fixed_file_data *file_data;
277 unsigned nr_user_files;
279 struct file *ring_file;
281 /* if used, fixed mapped user buffers */
282 unsigned nr_user_bufs;
283 struct io_mapped_ubuf *user_bufs;
285 struct user_struct *user;
287 const struct cred *creds;
289 struct completion ref_comp;
290 struct completion sq_thread_comp;
292 /* if all else fails... */
293 struct io_kiocb *fallback_req;
295 #if defined(CONFIG_UNIX)
296 struct socket *ring_sock;
299 struct idr io_buffer_idr;
301 struct idr personality_idr;
304 unsigned cached_cq_tail;
307 atomic_t cq_timeouts;
308 unsigned long cq_check_overflow;
309 struct wait_queue_head cq_wait;
310 struct fasync_struct *cq_fasync;
311 struct eventfd_ctx *cq_ev_fd;
312 } ____cacheline_aligned_in_smp;
315 struct mutex uring_lock;
316 wait_queue_head_t wait;
317 } ____cacheline_aligned_in_smp;
320 spinlock_t completion_lock;
323 * ->poll_list is protected by the ctx->uring_lock for
324 * io_uring instances that don't use IORING_SETUP_SQPOLL.
325 * For SQPOLL, only the single threaded io_sq_thread() will
326 * manipulate the list, hence no extra locking is needed there.
328 struct list_head poll_list;
329 struct hlist_head *cancel_hash;
330 unsigned cancel_hash_bits;
331 bool poll_multi_file;
333 spinlock_t inflight_lock;
334 struct list_head inflight_list;
335 } ____cacheline_aligned_in_smp;
337 struct delayed_work file_put_work;
338 struct llist_head file_put_llist;
340 struct work_struct exit_work;
344 * First field must be the file pointer in all the
345 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
347 struct io_poll_iocb {
350 struct wait_queue_head *head;
356 struct wait_queue_entry wait;
361 struct file *put_file;
365 struct io_timeout_data {
366 struct io_kiocb *req;
367 struct hrtimer timer;
368 struct timespec64 ts;
369 enum hrtimer_mode mode;
374 struct sockaddr __user *addr;
375 int __user *addr_len;
377 unsigned long nofile;
402 /* NOTE: kiocb has the file as the first member, so don't do it here */
410 struct sockaddr __user *addr;
417 struct user_msghdr __user *msg;
423 struct io_buffer *kbuf;
429 struct filename *filename;
431 unsigned long nofile;
434 struct io_files_update {
460 struct epoll_event event;
464 struct file *file_out;
465 struct file *file_in;
472 struct io_provide_buf {
486 const char __user *filename;
487 struct statx __user *buffer;
490 struct io_async_connect {
491 struct sockaddr_storage address;
494 struct io_async_msghdr {
495 struct iovec fast_iov[UIO_FASTIOV];
497 struct sockaddr __user *uaddr;
499 struct sockaddr_storage addr;
503 struct iovec fast_iov[UIO_FASTIOV];
507 struct wait_page_queue wpq;
508 struct callback_head task_work;
511 struct io_async_ctx {
513 struct io_async_rw rw;
514 struct io_async_msghdr msg;
515 struct io_async_connect connect;
516 struct io_timeout_data timeout;
521 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
522 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
523 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
524 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
525 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
526 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
533 REQ_F_LINK_TIMEOUT_BIT,
535 REQ_F_COMP_LOCKED_BIT,
536 REQ_F_NEED_CLEANUP_BIT,
539 REQ_F_BUFFER_SELECTED_BIT,
540 REQ_F_NO_FILE_TABLE_BIT,
541 REQ_F_QUEUE_TIMEOUT_BIT,
542 REQ_F_WORK_INITIALIZED_BIT,
543 REQ_F_TASK_PINNED_BIT,
545 /* not a real bit, just to check we're not overflowing the space */
551 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
552 /* drain existing IO first */
553 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
555 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
556 /* doesn't sever on completion < 0 */
557 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
559 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
560 /* IOSQE_BUFFER_SELECT */
561 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
564 REQ_F_LINK_HEAD = BIT(REQ_F_LINK_HEAD_BIT),
565 /* fail rest of links */
566 REQ_F_FAIL_LINK = BIT(REQ_F_FAIL_LINK_BIT),
567 /* on inflight list */
568 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
569 /* read/write uses file position */
570 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
571 /* must not punt to workers */
572 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
573 /* has linked timeout */
574 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
576 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
577 /* completion under lock */
578 REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
580 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
581 /* in overflow list */
582 REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
583 /* already went through poll handler */
584 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
585 /* buffer already selected */
586 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
587 /* doesn't need file table for this request */
588 REQ_F_NO_FILE_TABLE = BIT(REQ_F_NO_FILE_TABLE_BIT),
589 /* needs to queue linked timeout */
590 REQ_F_QUEUE_TIMEOUT = BIT(REQ_F_QUEUE_TIMEOUT_BIT),
591 /* io_wq_work is initialized */
592 REQ_F_WORK_INITIALIZED = BIT(REQ_F_WORK_INITIALIZED_BIT),
593 /* req->task is refcounted */
594 REQ_F_TASK_PINNED = BIT(REQ_F_TASK_PINNED_BIT),
598 struct io_poll_iocb poll;
599 struct io_wq_work work;
603 * NOTE! Each of the iocb union members has the file pointer
604 * as the first entry in their struct definition. So you can
605 * access the file pointer through any of the sub-structs,
606 * or directly as just 'ki_filp' in this struct.
612 struct io_poll_iocb poll;
613 struct io_accept accept;
615 struct io_cancel cancel;
616 struct io_timeout timeout;
617 struct io_connect connect;
618 struct io_sr_msg sr_msg;
620 struct io_close close;
621 struct io_files_update files_update;
622 struct io_fadvise fadvise;
623 struct io_madvise madvise;
624 struct io_epoll epoll;
625 struct io_splice splice;
626 struct io_provide_buf pbuf;
627 struct io_statx statx;
630 struct io_async_ctx *io;
633 /* polled IO has completed */
638 struct io_ring_ctx *ctx;
639 struct list_head list;
642 struct task_struct *task;
648 struct list_head link_list;
650 struct list_head inflight_entry;
652 struct percpu_ref *fixed_file_refs;
656 * Only commands that never go async can use the below fields,
657 * obviously. Right now only IORING_OP_POLL_ADD uses them, and
658 * async armed poll handlers for regular commands. The latter
659 * restore the work, if needed.
662 struct hlist_node hash_node;
663 struct async_poll *apoll;
665 struct io_wq_work work;
667 struct callback_head task_work;
670 #define IO_IOPOLL_BATCH 8
672 struct io_comp_state {
674 struct list_head list;
675 struct io_ring_ctx *ctx;
678 struct io_submit_state {
679 struct blk_plug plug;
682 * io_kiocb alloc cache
684 void *reqs[IO_IOPOLL_BATCH];
685 unsigned int free_reqs;
688 * Batch completion logic
690 struct io_comp_state comp;
693 * File reference cache
697 unsigned int has_refs;
698 unsigned int used_refs;
699 unsigned int ios_left;
703 /* needs req->io allocated for deferral/async */
704 unsigned async_ctx : 1;
705 /* needs current->mm setup, does mm access */
706 unsigned needs_mm : 1;
707 /* needs req->file assigned */
708 unsigned needs_file : 1;
709 /* don't fail if file grab fails */
710 unsigned needs_file_no_error : 1;
711 /* hash wq insertion if file is a regular file */
712 unsigned hash_reg_file : 1;
713 /* unbound wq insertion if file is a non-regular file */
714 unsigned unbound_nonreg_file : 1;
715 /* opcode is not supported by this kernel */
716 unsigned not_supported : 1;
717 /* needs file table */
718 unsigned file_table : 1;
720 unsigned needs_fs : 1;
721 /* set if opcode supports polled "wait" */
723 unsigned pollout : 1;
724 /* op supports buffer selection */
725 unsigned buffer_select : 1;
728 static const struct io_op_def io_op_defs[] = {
729 [IORING_OP_NOP] = {},
730 [IORING_OP_READV] = {
734 .unbound_nonreg_file = 1,
738 [IORING_OP_WRITEV] = {
743 .unbound_nonreg_file = 1,
746 [IORING_OP_FSYNC] = {
749 [IORING_OP_READ_FIXED] = {
751 .unbound_nonreg_file = 1,
754 [IORING_OP_WRITE_FIXED] = {
757 .unbound_nonreg_file = 1,
760 [IORING_OP_POLL_ADD] = {
762 .unbound_nonreg_file = 1,
764 [IORING_OP_POLL_REMOVE] = {},
765 [IORING_OP_SYNC_FILE_RANGE] = {
768 [IORING_OP_SENDMSG] = {
772 .unbound_nonreg_file = 1,
776 [IORING_OP_RECVMSG] = {
780 .unbound_nonreg_file = 1,
785 [IORING_OP_TIMEOUT] = {
789 [IORING_OP_TIMEOUT_REMOVE] = {},
790 [IORING_OP_ACCEPT] = {
793 .unbound_nonreg_file = 1,
797 [IORING_OP_ASYNC_CANCEL] = {},
798 [IORING_OP_LINK_TIMEOUT] = {
802 [IORING_OP_CONNECT] = {
806 .unbound_nonreg_file = 1,
809 [IORING_OP_FALLOCATE] = {
812 [IORING_OP_OPENAT] = {
816 [IORING_OP_CLOSE] = {
818 .needs_file_no_error = 1,
821 [IORING_OP_FILES_UPDATE] = {
825 [IORING_OP_STATX] = {
833 .unbound_nonreg_file = 1,
837 [IORING_OP_WRITE] = {
840 .unbound_nonreg_file = 1,
843 [IORING_OP_FADVISE] = {
846 [IORING_OP_MADVISE] = {
852 .unbound_nonreg_file = 1,
858 .unbound_nonreg_file = 1,
862 [IORING_OP_OPENAT2] = {
866 [IORING_OP_EPOLL_CTL] = {
867 .unbound_nonreg_file = 1,
870 [IORING_OP_SPLICE] = {
873 .unbound_nonreg_file = 1,
875 [IORING_OP_PROVIDE_BUFFERS] = {},
876 [IORING_OP_REMOVE_BUFFERS] = {},
880 .unbound_nonreg_file = 1,
884 enum io_mem_account {
889 static bool io_rw_reissue(struct io_kiocb *req, long res);
890 static void io_cqring_fill_event(struct io_kiocb *req, long res);
891 static void io_put_req(struct io_kiocb *req);
892 static void io_double_put_req(struct io_kiocb *req);
893 static void __io_double_put_req(struct io_kiocb *req);
894 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
895 static void io_queue_linked_timeout(struct io_kiocb *req);
896 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
897 struct io_uring_files_update *ip,
899 static int io_grab_files(struct io_kiocb *req);
900 static void io_complete_rw_common(struct kiocb *kiocb, long res,
901 struct io_comp_state *cs);
902 static void io_cleanup_req(struct io_kiocb *req);
903 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
904 int fd, struct file **out_file, bool fixed);
905 static void __io_queue_sqe(struct io_kiocb *req,
906 const struct io_uring_sqe *sqe,
907 struct io_comp_state *cs);
909 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
910 struct iovec **iovec, struct iov_iter *iter,
912 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
913 struct iovec *iovec, struct iovec *fast_iov,
914 struct iov_iter *iter);
916 static struct kmem_cache *req_cachep;
918 static const struct file_operations io_uring_fops;
920 struct sock *io_uring_get_socket(struct file *file)
922 #if defined(CONFIG_UNIX)
923 if (file->f_op == &io_uring_fops) {
924 struct io_ring_ctx *ctx = file->private_data;
926 return ctx->ring_sock->sk;
931 EXPORT_SYMBOL(io_uring_get_socket);
933 static void io_get_req_task(struct io_kiocb *req)
935 if (req->flags & REQ_F_TASK_PINNED)
937 get_task_struct(req->task);
938 req->flags |= REQ_F_TASK_PINNED;
941 /* not idempotent -- it doesn't clear REQ_F_TASK_PINNED */
942 static void __io_put_req_task(struct io_kiocb *req)
944 if (req->flags & REQ_F_TASK_PINNED)
945 put_task_struct(req->task);
948 static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
950 struct mm_struct *mm = current->mm;
953 kthread_unuse_mm(mm);
958 static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
961 if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
963 kthread_use_mm(ctx->sqo_mm);
969 static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
970 struct io_kiocb *req)
972 if (!io_op_defs[req->opcode].needs_mm)
974 return __io_sq_thread_acquire_mm(ctx);
977 static inline void req_set_fail_links(struct io_kiocb *req)
979 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
980 req->flags |= REQ_F_FAIL_LINK;
983 static void io_file_put_work(struct work_struct *work);
986 * Note: must call io_req_init_async() for the first time you
987 * touch any members of io_wq_work.
989 static inline void io_req_init_async(struct io_kiocb *req)
991 if (req->flags & REQ_F_WORK_INITIALIZED)
994 memset(&req->work, 0, sizeof(req->work));
995 req->flags |= REQ_F_WORK_INITIALIZED;
998 static inline bool io_async_submit(struct io_ring_ctx *ctx)
1000 return ctx->flags & IORING_SETUP_SQPOLL;
1003 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
1005 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1007 complete(&ctx->ref_comp);
1010 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1012 return !req->timeout.off;
1015 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1017 struct io_ring_ctx *ctx;
1020 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1024 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
1025 if (!ctx->fallback_req)
1029 * Use 5 bits less than the max cq entries, that should give us around
1030 * 32 entries per hash list if totally full and uniformly spread.
1032 hash_bits = ilog2(p->cq_entries);
1036 ctx->cancel_hash_bits = hash_bits;
1037 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1039 if (!ctx->cancel_hash)
1041 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1043 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1044 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
1047 ctx->flags = p->flags;
1048 init_waitqueue_head(&ctx->sqo_wait);
1049 init_waitqueue_head(&ctx->cq_wait);
1050 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1051 init_completion(&ctx->ref_comp);
1052 init_completion(&ctx->sq_thread_comp);
1053 idr_init(&ctx->io_buffer_idr);
1054 idr_init(&ctx->personality_idr);
1055 mutex_init(&ctx->uring_lock);
1056 init_waitqueue_head(&ctx->wait);
1057 spin_lock_init(&ctx->completion_lock);
1058 INIT_LIST_HEAD(&ctx->poll_list);
1059 INIT_LIST_HEAD(&ctx->defer_list);
1060 INIT_LIST_HEAD(&ctx->timeout_list);
1061 init_waitqueue_head(&ctx->inflight_wait);
1062 spin_lock_init(&ctx->inflight_lock);
1063 INIT_LIST_HEAD(&ctx->inflight_list);
1064 INIT_DELAYED_WORK(&ctx->file_put_work, io_file_put_work);
1065 init_llist_head(&ctx->file_put_llist);
1068 if (ctx->fallback_req)
1069 kmem_cache_free(req_cachep, ctx->fallback_req);
1070 kfree(ctx->cancel_hash);
1075 static inline bool __req_need_defer(struct io_kiocb *req)
1077 struct io_ring_ctx *ctx = req->ctx;
1079 return req->sequence != ctx->cached_cq_tail
1080 + atomic_read(&ctx->cached_cq_overflow);
1083 static inline bool req_need_defer(struct io_kiocb *req)
1085 if (unlikely(req->flags & REQ_F_IO_DRAIN))
1086 return __req_need_defer(req);
1091 static void __io_commit_cqring(struct io_ring_ctx *ctx)
1093 struct io_rings *rings = ctx->rings;
1095 /* order cqe stores with ring update */
1096 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
1098 if (wq_has_sleeper(&ctx->cq_wait)) {
1099 wake_up_interruptible(&ctx->cq_wait);
1100 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
1104 static void io_req_work_grab_env(struct io_kiocb *req)
1106 const struct io_op_def *def = &io_op_defs[req->opcode];
1108 io_req_init_async(req);
1110 if (!req->work.mm && def->needs_mm) {
1111 mmgrab(current->mm);
1112 req->work.mm = current->mm;
1114 if (!req->work.creds)
1115 req->work.creds = get_current_cred();
1116 if (!req->work.fs && def->needs_fs) {
1117 spin_lock(¤t->fs->lock);
1118 if (!current->fs->in_exec) {
1119 req->work.fs = current->fs;
1120 req->work.fs->users++;
1122 req->work.flags |= IO_WQ_WORK_CANCEL;
1124 spin_unlock(¤t->fs->lock);
1128 static inline void io_req_work_drop_env(struct io_kiocb *req)
1130 if (!(req->flags & REQ_F_WORK_INITIALIZED))
1134 mmdrop(req->work.mm);
1135 req->work.mm = NULL;
1137 if (req->work.creds) {
1138 put_cred(req->work.creds);
1139 req->work.creds = NULL;
1142 struct fs_struct *fs = req->work.fs;
1144 spin_lock(&req->work.fs->lock);
1147 spin_unlock(&req->work.fs->lock);
1153 static void io_prep_async_work(struct io_kiocb *req)
1155 const struct io_op_def *def = &io_op_defs[req->opcode];
1157 if (req->flags & REQ_F_ISREG) {
1158 if (def->hash_reg_file)
1159 io_wq_hash_work(&req->work, file_inode(req->file));
1161 if (def->unbound_nonreg_file)
1162 req->work.flags |= IO_WQ_WORK_UNBOUND;
1165 io_req_work_grab_env(req);
1168 static void io_prep_async_link(struct io_kiocb *req)
1170 struct io_kiocb *cur;
1172 io_prep_async_work(req);
1173 if (req->flags & REQ_F_LINK_HEAD)
1174 list_for_each_entry(cur, &req->link_list, link_list)
1175 io_prep_async_work(cur);
1178 static void __io_queue_async_work(struct io_kiocb *req)
1180 struct io_ring_ctx *ctx = req->ctx;
1181 struct io_kiocb *link = io_prep_linked_timeout(req);
1183 trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,
1184 &req->work, req->flags);
1185 io_wq_enqueue(ctx->io_wq, &req->work);
1188 io_queue_linked_timeout(link);
1191 static void io_queue_async_work(struct io_kiocb *req)
1193 /* init ->work of the whole link before punting */
1194 io_prep_async_link(req);
1195 __io_queue_async_work(req);
1198 static void io_kill_timeout(struct io_kiocb *req)
1202 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1204 atomic_inc(&req->ctx->cq_timeouts);
1205 list_del_init(&req->list);
1206 req->flags |= REQ_F_COMP_LOCKED;
1207 io_cqring_fill_event(req, 0);
1212 static void io_kill_timeouts(struct io_ring_ctx *ctx)
1214 struct io_kiocb *req, *tmp;
1216 spin_lock_irq(&ctx->completion_lock);
1217 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
1218 io_kill_timeout(req);
1219 spin_unlock_irq(&ctx->completion_lock);
1222 static void __io_queue_deferred(struct io_ring_ctx *ctx)
1225 struct io_kiocb *req = list_first_entry(&ctx->defer_list,
1226 struct io_kiocb, list);
1228 if (req_need_defer(req))
1230 list_del_init(&req->list);
1231 /* punt-init is done before queueing for defer */
1232 __io_queue_async_work(req);
1233 } while (!list_empty(&ctx->defer_list));
1236 static void io_flush_timeouts(struct io_ring_ctx *ctx)
1238 while (!list_empty(&ctx->timeout_list)) {
1239 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
1240 struct io_kiocb, list);
1242 if (io_is_timeout_noseq(req))
1244 if (req->timeout.target_seq != ctx->cached_cq_tail
1245 - atomic_read(&ctx->cq_timeouts))
1248 list_del_init(&req->list);
1249 io_kill_timeout(req);
1253 static void io_commit_cqring(struct io_ring_ctx *ctx)
1255 io_flush_timeouts(ctx);
1256 __io_commit_cqring(ctx);
1258 if (unlikely(!list_empty(&ctx->defer_list)))
1259 __io_queue_deferred(ctx);
1262 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
1264 struct io_rings *rings = ctx->rings;
1267 tail = ctx->cached_cq_tail;
1269 * writes to the cq entry need to come after reading head; the
1270 * control dependency is enough as we're using WRITE_ONCE to
1273 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
1276 ctx->cached_cq_tail++;
1277 return &rings->cqes[tail & ctx->cq_mask];
1280 static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
1284 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1286 if (!ctx->eventfd_async)
1288 return io_wq_current_is_worker();
1291 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1293 if (waitqueue_active(&ctx->wait))
1294 wake_up(&ctx->wait);
1295 if (waitqueue_active(&ctx->sqo_wait))
1296 wake_up(&ctx->sqo_wait);
1297 if (io_should_trigger_evfd(ctx))
1298 eventfd_signal(ctx->cq_ev_fd, 1);
1301 /* Returns true if there are no backlogged entries after the flush */
1302 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1304 struct io_rings *rings = ctx->rings;
1305 struct io_uring_cqe *cqe;
1306 struct io_kiocb *req;
1307 unsigned long flags;
1311 if (list_empty_careful(&ctx->cq_overflow_list))
1313 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1314 rings->cq_ring_entries))
1318 spin_lock_irqsave(&ctx->completion_lock, flags);
1320 /* if force is set, the ring is going away. always drop after that */
1322 ctx->cq_overflow_flushed = 1;
1325 while (!list_empty(&ctx->cq_overflow_list)) {
1326 cqe = io_get_cqring(ctx);
1330 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1332 list_move(&req->list, &list);
1333 req->flags &= ~REQ_F_OVERFLOW;
1335 WRITE_ONCE(cqe->user_data, req->user_data);
1336 WRITE_ONCE(cqe->res, req->result);
1337 WRITE_ONCE(cqe->flags, req->cflags);
1339 WRITE_ONCE(ctx->rings->cq_overflow,
1340 atomic_inc_return(&ctx->cached_cq_overflow));
1344 io_commit_cqring(ctx);
1346 clear_bit(0, &ctx->sq_check_overflow);
1347 clear_bit(0, &ctx->cq_check_overflow);
1349 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1350 io_cqring_ev_posted(ctx);
1352 while (!list_empty(&list)) {
1353 req = list_first_entry(&list, struct io_kiocb, list);
1354 list_del(&req->list);
1361 static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)
1363 struct io_ring_ctx *ctx = req->ctx;
1364 struct io_uring_cqe *cqe;
1366 trace_io_uring_complete(ctx, req->user_data, res);
1369 * If we can't get a cq entry, userspace overflowed the
1370 * submission (by quite a lot). Increment the overflow count in
1373 cqe = io_get_cqring(ctx);
1375 WRITE_ONCE(cqe->user_data, req->user_data);
1376 WRITE_ONCE(cqe->res, res);
1377 WRITE_ONCE(cqe->flags, cflags);
1378 } else if (ctx->cq_overflow_flushed) {
1379 WRITE_ONCE(ctx->rings->cq_overflow,
1380 atomic_inc_return(&ctx->cached_cq_overflow));
1382 if (list_empty(&ctx->cq_overflow_list)) {
1383 set_bit(0, &ctx->sq_check_overflow);
1384 set_bit(0, &ctx->cq_check_overflow);
1386 req->flags |= REQ_F_OVERFLOW;
1387 refcount_inc(&req->refs);
1389 req->cflags = cflags;
1390 list_add_tail(&req->list, &ctx->cq_overflow_list);
1394 static void io_cqring_fill_event(struct io_kiocb *req, long res)
1396 __io_cqring_fill_event(req, res, 0);
1399 static void io_cqring_add_event(struct io_kiocb *req, long res, long cflags)
1401 struct io_ring_ctx *ctx = req->ctx;
1402 unsigned long flags;
1404 spin_lock_irqsave(&ctx->completion_lock, flags);
1405 __io_cqring_fill_event(req, res, cflags);
1406 io_commit_cqring(ctx);
1407 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1409 io_cqring_ev_posted(ctx);
1412 static void io_submit_flush_completions(struct io_comp_state *cs)
1414 struct io_ring_ctx *ctx = cs->ctx;
1416 spin_lock_irq(&ctx->completion_lock);
1417 while (!list_empty(&cs->list)) {
1418 struct io_kiocb *req;
1420 req = list_first_entry(&cs->list, struct io_kiocb, list);
1421 list_del(&req->list);
1422 io_cqring_fill_event(req, req->result);
1423 if (!(req->flags & REQ_F_LINK_HEAD)) {
1424 req->flags |= REQ_F_COMP_LOCKED;
1427 spin_unlock_irq(&ctx->completion_lock);
1429 spin_lock_irq(&ctx->completion_lock);
1432 io_commit_cqring(ctx);
1433 spin_unlock_irq(&ctx->completion_lock);
1435 io_cqring_ev_posted(ctx);
1439 static void __io_req_complete(struct io_kiocb *req, long res, unsigned cflags,
1440 struct io_comp_state *cs)
1443 io_cqring_add_event(req, res, cflags);
1447 list_add_tail(&req->list, &cs->list);
1449 io_submit_flush_completions(cs);
1453 static void io_req_complete(struct io_kiocb *req, long res)
1455 __io_req_complete(req, res, 0, NULL);
1458 static inline bool io_is_fallback_req(struct io_kiocb *req)
1460 return req == (struct io_kiocb *)
1461 ((unsigned long) req->ctx->fallback_req & ~1UL);
1464 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1466 struct io_kiocb *req;
1468 req = ctx->fallback_req;
1469 if (!test_and_set_bit_lock(0, (unsigned long *) &ctx->fallback_req))
1475 static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx,
1476 struct io_submit_state *state)
1478 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
1479 struct io_kiocb *req;
1481 if (!state->free_reqs) {
1485 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
1486 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1489 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1490 * retry single alloc to be on the safe side.
1492 if (unlikely(ret <= 0)) {
1493 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1494 if (!state->reqs[0])
1498 state->free_reqs = ret - 1;
1499 req = state->reqs[ret - 1];
1502 req = state->reqs[state->free_reqs];
1507 return io_get_fallback_req(ctx);
1510 static inline void io_put_file(struct io_kiocb *req, struct file *file,
1514 percpu_ref_put(req->fixed_file_refs);
1519 static void io_dismantle_req(struct io_kiocb *req)
1521 if (req->flags & REQ_F_NEED_CLEANUP)
1522 io_cleanup_req(req);
1526 io_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));
1527 __io_put_req_task(req);
1528 io_req_work_drop_env(req);
1530 if (req->flags & REQ_F_INFLIGHT) {
1531 struct io_ring_ctx *ctx = req->ctx;
1532 unsigned long flags;
1534 spin_lock_irqsave(&ctx->inflight_lock, flags);
1535 list_del(&req->inflight_entry);
1536 if (waitqueue_active(&ctx->inflight_wait))
1537 wake_up(&ctx->inflight_wait);
1538 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1542 static void __io_free_req(struct io_kiocb *req)
1544 struct io_ring_ctx *ctx;
1546 io_dismantle_req(req);
1548 if (likely(!io_is_fallback_req(req)))
1549 kmem_cache_free(req_cachep, req);
1551 clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
1552 percpu_ref_put(&ctx->refs);
1555 static bool io_link_cancel_timeout(struct io_kiocb *req)
1557 struct io_ring_ctx *ctx = req->ctx;
1560 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1562 io_cqring_fill_event(req, -ECANCELED);
1563 io_commit_cqring(ctx);
1564 req->flags &= ~REQ_F_LINK_HEAD;
1572 static bool __io_kill_linked_timeout(struct io_kiocb *req)
1574 struct io_kiocb *link;
1577 if (list_empty(&req->link_list))
1579 link = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1580 if (link->opcode != IORING_OP_LINK_TIMEOUT)
1583 list_del_init(&link->link_list);
1584 wake_ev = io_link_cancel_timeout(link);
1585 req->flags &= ~REQ_F_LINK_TIMEOUT;
1589 static void io_kill_linked_timeout(struct io_kiocb *req)
1591 struct io_ring_ctx *ctx = req->ctx;
1594 if (!(req->flags & REQ_F_COMP_LOCKED)) {
1595 unsigned long flags;
1597 spin_lock_irqsave(&ctx->completion_lock, flags);
1598 wake_ev = __io_kill_linked_timeout(req);
1599 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1601 wake_ev = __io_kill_linked_timeout(req);
1605 io_cqring_ev_posted(ctx);
1608 static struct io_kiocb *io_req_link_next(struct io_kiocb *req)
1610 struct io_kiocb *nxt;
1613 * The list should never be empty when we are called here. But could
1614 * potentially happen if the chain is messed up, check to be on the
1617 if (unlikely(list_empty(&req->link_list)))
1620 nxt = list_first_entry(&req->link_list, struct io_kiocb, link_list);
1621 list_del_init(&req->link_list);
1622 if (!list_empty(&nxt->link_list))
1623 nxt->flags |= REQ_F_LINK_HEAD;
1628 * Called if REQ_F_LINK_HEAD is set, and we fail the head request
1630 static void __io_fail_links(struct io_kiocb *req)
1632 struct io_ring_ctx *ctx = req->ctx;
1634 while (!list_empty(&req->link_list)) {
1635 struct io_kiocb *link = list_first_entry(&req->link_list,
1636 struct io_kiocb, link_list);
1638 list_del_init(&link->link_list);
1639 trace_io_uring_fail_link(req, link);
1641 io_cqring_fill_event(link, -ECANCELED);
1642 __io_double_put_req(link);
1643 req->flags &= ~REQ_F_LINK_TIMEOUT;
1646 io_commit_cqring(ctx);
1647 io_cqring_ev_posted(ctx);
1650 static void io_fail_links(struct io_kiocb *req)
1652 struct io_ring_ctx *ctx = req->ctx;
1654 if (!(req->flags & REQ_F_COMP_LOCKED)) {
1655 unsigned long flags;
1657 spin_lock_irqsave(&ctx->completion_lock, flags);
1658 __io_fail_links(req);
1659 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1661 __io_fail_links(req);
1664 io_cqring_ev_posted(ctx);
1667 static struct io_kiocb *__io_req_find_next(struct io_kiocb *req)
1669 req->flags &= ~REQ_F_LINK_HEAD;
1670 if (req->flags & REQ_F_LINK_TIMEOUT)
1671 io_kill_linked_timeout(req);
1674 * If LINK is set, we have dependent requests in this chain. If we
1675 * didn't fail this request, queue the first one up, moving any other
1676 * dependencies to the next request. In case of failure, fail the rest
1679 if (likely(!(req->flags & REQ_F_FAIL_LINK)))
1680 return io_req_link_next(req);
1685 static struct io_kiocb *io_req_find_next(struct io_kiocb *req)
1687 if (likely(!(req->flags & REQ_F_LINK_HEAD)))
1689 return __io_req_find_next(req);
1692 static void __io_req_task_cancel(struct io_kiocb *req, int error)
1694 struct io_ring_ctx *ctx = req->ctx;
1696 spin_lock_irq(&ctx->completion_lock);
1697 io_cqring_fill_event(req, error);
1698 io_commit_cqring(ctx);
1699 spin_unlock_irq(&ctx->completion_lock);
1701 io_cqring_ev_posted(ctx);
1702 req_set_fail_links(req);
1703 io_double_put_req(req);
1706 static void io_req_task_cancel(struct callback_head *cb)
1708 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1710 __io_req_task_cancel(req, -ECANCELED);
1713 static void __io_req_task_submit(struct io_kiocb *req)
1715 struct io_ring_ctx *ctx = req->ctx;
1717 __set_current_state(TASK_RUNNING);
1718 if (!__io_sq_thread_acquire_mm(ctx)) {
1719 mutex_lock(&ctx->uring_lock);
1720 __io_queue_sqe(req, NULL, NULL);
1721 mutex_unlock(&ctx->uring_lock);
1723 __io_req_task_cancel(req, -EFAULT);
1727 static void io_req_task_submit(struct callback_head *cb)
1729 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
1731 __io_req_task_submit(req);
1734 static void io_req_task_queue(struct io_kiocb *req)
1736 struct task_struct *tsk = req->task;
1739 init_task_work(&req->task_work, io_req_task_submit);
1741 ret = task_work_add(tsk, &req->task_work, true);
1742 if (unlikely(ret)) {
1743 init_task_work(&req->task_work, io_req_task_cancel);
1744 tsk = io_wq_get_task(req->ctx->io_wq);
1745 task_work_add(tsk, &req->task_work, true);
1747 wake_up_process(tsk);
1750 static void io_queue_next(struct io_kiocb *req)
1752 struct io_kiocb *nxt = io_req_find_next(req);
1755 io_req_task_queue(nxt);
1758 static void io_free_req(struct io_kiocb *req)
1765 void *reqs[IO_IOPOLL_BATCH];
1769 static void __io_req_free_batch_flush(struct io_ring_ctx *ctx,
1770 struct req_batch *rb)
1772 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
1773 percpu_ref_put_many(&ctx->refs, rb->to_free);
1777 static void io_req_free_batch_finish(struct io_ring_ctx *ctx,
1778 struct req_batch *rb)
1781 __io_req_free_batch_flush(ctx, rb);
1784 static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req)
1786 if (unlikely(io_is_fallback_req(req))) {
1790 if (req->flags & REQ_F_LINK_HEAD)
1793 io_dismantle_req(req);
1794 rb->reqs[rb->to_free++] = req;
1795 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1796 __io_req_free_batch_flush(req->ctx, rb);
1800 * Drop reference to request, return next in chain (if there is one) if this
1801 * was the last reference to this request.
1803 static struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
1805 struct io_kiocb *nxt = NULL;
1807 if (refcount_dec_and_test(&req->refs)) {
1808 nxt = io_req_find_next(req);
1814 static void io_put_req(struct io_kiocb *req)
1816 if (refcount_dec_and_test(&req->refs))
1820 static struct io_wq_work *io_steal_work(struct io_kiocb *req)
1822 struct io_kiocb *timeout, *nxt = NULL;
1825 * A ref is owned by io-wq in which context we're. So, if that's the
1826 * last one, it's safe to steal next work. False negatives are Ok,
1827 * it just will be re-punted async in io_put_work()
1829 if (refcount_read(&req->refs) != 1)
1832 nxt = io_req_find_next(req);
1836 timeout = io_prep_linked_timeout(nxt);
1838 nxt->flags |= REQ_F_QUEUE_TIMEOUT;
1843 * Must only be used if we don't need to care about links, usually from
1844 * within the completion handling itself.
1846 static void __io_double_put_req(struct io_kiocb *req)
1848 /* drop both submit and complete references */
1849 if (refcount_sub_and_test(2, &req->refs))
1853 static void io_double_put_req(struct io_kiocb *req)
1855 /* drop both submit and complete references */
1856 if (refcount_sub_and_test(2, &req->refs))
1860 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1862 struct io_rings *rings = ctx->rings;
1864 if (test_bit(0, &ctx->cq_check_overflow)) {
1866 * noflush == true is from the waitqueue handler, just ensure
1867 * we wake up the task, and the next invocation will flush the
1868 * entries. We cannot safely to it from here.
1870 if (noflush && !list_empty(&ctx->cq_overflow_list))
1873 io_cqring_overflow_flush(ctx, false);
1876 /* See comment at the top of this file */
1878 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
1881 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1883 struct io_rings *rings = ctx->rings;
1885 /* make sure SQ entry isn't read before tail */
1886 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1889 static int io_put_kbuf(struct io_kiocb *req)
1891 struct io_buffer *kbuf;
1894 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
1895 cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
1896 cflags |= IORING_CQE_F_BUFFER;
1902 static void io_iopoll_queue(struct list_head *again)
1904 struct io_kiocb *req;
1907 req = list_first_entry(again, struct io_kiocb, list);
1908 list_del(&req->list);
1909 if (!io_rw_reissue(req, -EAGAIN))
1910 io_complete_rw_common(&req->rw.kiocb, -EAGAIN, NULL);
1911 } while (!list_empty(again));
1915 * Find and free completed poll iocbs
1917 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1918 struct list_head *done)
1920 struct req_batch rb;
1921 struct io_kiocb *req;
1924 /* order with ->result store in io_complete_rw_iopoll() */
1928 while (!list_empty(done)) {
1931 req = list_first_entry(done, struct io_kiocb, list);
1932 if (READ_ONCE(req->result) == -EAGAIN) {
1933 req->iopoll_completed = 0;
1934 list_move_tail(&req->list, &again);
1937 list_del(&req->list);
1939 if (req->flags & REQ_F_BUFFER_SELECTED)
1940 cflags = io_put_kbuf(req);
1942 __io_cqring_fill_event(req, req->result, cflags);
1945 if (refcount_dec_and_test(&req->refs))
1946 io_req_free_batch(&rb, req);
1949 io_commit_cqring(ctx);
1950 if (ctx->flags & IORING_SETUP_SQPOLL)
1951 io_cqring_ev_posted(ctx);
1952 io_req_free_batch_finish(ctx, &rb);
1954 if (!list_empty(&again))
1955 io_iopoll_queue(&again);
1958 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1961 struct io_kiocb *req, *tmp;
1967 * Only spin for completions if we don't have multiple devices hanging
1968 * off our complete list, and we're under the requested amount.
1970 spin = !ctx->poll_multi_file && *nr_events < min;
1973 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1974 struct kiocb *kiocb = &req->rw.kiocb;
1977 * Move completed and retryable entries to our local lists.
1978 * If we find a request that requires polling, break out
1979 * and complete those lists first, if we have entries there.
1981 if (READ_ONCE(req->iopoll_completed)) {
1982 list_move_tail(&req->list, &done);
1985 if (!list_empty(&done))
1988 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1997 if (!list_empty(&done))
1998 io_iopoll_complete(ctx, nr_events, &done);
2004 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
2005 * non-spinning poll check - we'll still enter the driver poll loop, but only
2006 * as a non-spinning completion check.
2008 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
2011 while (!list_empty(&ctx->poll_list) && !need_resched()) {
2014 ret = io_do_iopoll(ctx, nr_events, min);
2017 if (!min || *nr_events >= min)
2025 * We can't just wait for polled events to come to us, we have to actively
2026 * find and complete them.
2028 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
2030 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2033 mutex_lock(&ctx->uring_lock);
2034 while (!list_empty(&ctx->poll_list)) {
2035 unsigned int nr_events = 0;
2037 io_iopoll_getevents(ctx, &nr_events, 1);
2040 * Ensure we allow local-to-the-cpu processing to take place,
2041 * in this case we need to ensure that we reap all events.
2045 mutex_unlock(&ctx->uring_lock);
2048 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
2051 int iters = 0, ret = 0;
2054 * We disallow the app entering submit/complete with polling, but we
2055 * still need to lock the ring to prevent racing with polled issue
2056 * that got punted to a workqueue.
2058 mutex_lock(&ctx->uring_lock);
2063 * Don't enter poll loop if we already have events pending.
2064 * If we do, we can potentially be spinning for commands that
2065 * already triggered a CQE (eg in error).
2067 if (io_cqring_events(ctx, false))
2071 * If a submit got punted to a workqueue, we can have the
2072 * application entering polling for a command before it gets
2073 * issued. That app will hold the uring_lock for the duration
2074 * of the poll right here, so we need to take a breather every
2075 * now and then to ensure that the issue has a chance to add
2076 * the poll to the issued list. Otherwise we can spin here
2077 * forever, while the workqueue is stuck trying to acquire the
2080 if (!(++iters & 7)) {
2081 mutex_unlock(&ctx->uring_lock);
2082 if (current->task_works)
2084 mutex_lock(&ctx->uring_lock);
2087 if (*nr_events < min)
2088 tmin = min - *nr_events;
2090 ret = io_iopoll_getevents(ctx, nr_events, tmin);
2094 } while (min && !*nr_events && !need_resched());
2096 mutex_unlock(&ctx->uring_lock);
2100 static void kiocb_end_write(struct io_kiocb *req)
2103 * Tell lockdep we inherited freeze protection from submission
2106 if (req->flags & REQ_F_ISREG) {
2107 struct inode *inode = file_inode(req->file);
2109 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2111 file_end_write(req->file);
2114 static void io_complete_rw_common(struct kiocb *kiocb, long res,
2115 struct io_comp_state *cs)
2117 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2120 if (kiocb->ki_flags & IOCB_WRITE)
2121 kiocb_end_write(req);
2123 if (res != req->result)
2124 req_set_fail_links(req);
2125 if (req->flags & REQ_F_BUFFER_SELECTED)
2126 cflags = io_put_kbuf(req);
2127 __io_req_complete(req, res, cflags, cs);
2131 static bool io_resubmit_prep(struct io_kiocb *req, int error)
2133 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2134 ssize_t ret = -ECANCELED;
2135 struct iov_iter iter;
2143 switch (req->opcode) {
2144 case IORING_OP_READV:
2145 case IORING_OP_READ_FIXED:
2146 case IORING_OP_READ:
2149 case IORING_OP_WRITEV:
2150 case IORING_OP_WRITE_FIXED:
2151 case IORING_OP_WRITE:
2155 printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
2160 ret = io_import_iovec(rw, req, &iovec, &iter, false);
2163 ret = io_setup_async_rw(req, ret, iovec, inline_vecs, &iter);
2168 req_set_fail_links(req);
2169 io_req_complete(req, ret);
2173 static void io_rw_resubmit(struct callback_head *cb)
2175 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
2176 struct io_ring_ctx *ctx = req->ctx;
2179 __set_current_state(TASK_RUNNING);
2181 err = io_sq_thread_acquire_mm(ctx, req);
2183 if (io_resubmit_prep(req, err)) {
2184 refcount_inc(&req->refs);
2185 io_queue_async_work(req);
2190 static bool io_rw_reissue(struct io_kiocb *req, long res)
2193 struct task_struct *tsk;
2196 if ((res != -EAGAIN && res != -EOPNOTSUPP) || io_wq_current_is_worker())
2200 init_task_work(&req->task_work, io_rw_resubmit);
2201 ret = task_work_add(tsk, &req->task_work, true);
2203 wake_up_process(tsk);
2210 static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
2211 struct io_comp_state *cs)
2213 if (!io_rw_reissue(req, res))
2214 io_complete_rw_common(&req->rw.kiocb, res, cs);
2217 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
2219 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2221 __io_complete_rw(req, res, res2, NULL);
2224 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
2226 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2228 if (kiocb->ki_flags & IOCB_WRITE)
2229 kiocb_end_write(req);
2231 if (res != -EAGAIN && res != req->result)
2232 req_set_fail_links(req);
2234 WRITE_ONCE(req->result, res);
2235 /* order with io_poll_complete() checking ->result */
2237 WRITE_ONCE(req->iopoll_completed, 1);
2241 * After the iocb has been issued, it's safe to be found on the poll list.
2242 * Adding the kiocb to the list AFTER submission ensures that we don't
2243 * find it from a io_iopoll_getevents() thread before the issuer is done
2244 * accessing the kiocb cookie.
2246 static void io_iopoll_req_issued(struct io_kiocb *req)
2248 struct io_ring_ctx *ctx = req->ctx;
2251 * Track whether we have multiple files in our lists. This will impact
2252 * how we do polling eventually, not spinning if we're on potentially
2253 * different devices.
2255 if (list_empty(&ctx->poll_list)) {
2256 ctx->poll_multi_file = false;
2257 } else if (!ctx->poll_multi_file) {
2258 struct io_kiocb *list_req;
2260 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
2262 if (list_req->file != req->file)
2263 ctx->poll_multi_file = true;
2267 * For fast devices, IO may have already completed. If it has, add
2268 * it to the front so we find it first.
2270 if (READ_ONCE(req->iopoll_completed))
2271 list_add(&req->list, &ctx->poll_list);
2273 list_add_tail(&req->list, &ctx->poll_list);
2275 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
2276 wq_has_sleeper(&ctx->sqo_wait))
2277 wake_up(&ctx->sqo_wait);
2280 static void __io_state_file_put(struct io_submit_state *state)
2282 int diff = state->has_refs - state->used_refs;
2285 fput_many(state->file, diff);
2289 static inline void io_state_file_put(struct io_submit_state *state)
2292 __io_state_file_put(state);
2296 * Get as many references to a file as we have IOs left in this submission,
2297 * assuming most submissions are for one file, or at least that each file
2298 * has more than one submission.
2300 static struct file *__io_file_get(struct io_submit_state *state, int fd)
2306 if (state->fd == fd) {
2311 __io_state_file_put(state);
2313 state->file = fget_many(fd, state->ios_left);
2318 state->has_refs = state->ios_left;
2319 state->used_refs = 1;
2324 static bool io_bdev_nowait(struct block_device *bdev)
2327 return !bdev || queue_is_mq(bdev_get_queue(bdev));
2334 * If we tracked the file through the SCM inflight mechanism, we could support
2335 * any file. For now, just ensure that anything potentially problematic is done
2338 static bool io_file_supports_async(struct file *file, int rw)
2340 umode_t mode = file_inode(file)->i_mode;
2342 if (S_ISBLK(mode)) {
2343 if (io_bdev_nowait(file->f_inode->i_bdev))
2347 if (S_ISCHR(mode) || S_ISSOCK(mode))
2349 if (S_ISREG(mode)) {
2350 if (io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
2351 file->f_op != &io_uring_fops)
2356 /* any ->read/write should understand O_NONBLOCK */
2357 if (file->f_flags & O_NONBLOCK)
2360 if (!(file->f_mode & FMODE_NOWAIT))
2364 return file->f_op->read_iter != NULL;
2366 return file->f_op->write_iter != NULL;
2369 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2370 bool force_nonblock)
2372 struct io_ring_ctx *ctx = req->ctx;
2373 struct kiocb *kiocb = &req->rw.kiocb;
2377 if (S_ISREG(file_inode(req->file)->i_mode))
2378 req->flags |= REQ_F_ISREG;
2380 kiocb->ki_pos = READ_ONCE(sqe->off);
2381 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
2382 req->flags |= REQ_F_CUR_POS;
2383 kiocb->ki_pos = req->file->f_pos;
2385 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
2386 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
2387 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
2391 ioprio = READ_ONCE(sqe->ioprio);
2393 ret = ioprio_check_cap(ioprio);
2397 kiocb->ki_ioprio = ioprio;
2399 kiocb->ki_ioprio = get_current_ioprio();
2401 /* don't allow async punt if RWF_NOWAIT was requested */
2402 if (kiocb->ki_flags & IOCB_NOWAIT)
2403 req->flags |= REQ_F_NOWAIT;
2405 if (kiocb->ki_flags & IOCB_DIRECT)
2406 io_get_req_task(req);
2409 kiocb->ki_flags |= IOCB_NOWAIT;
2411 if (ctx->flags & IORING_SETUP_IOPOLL) {
2412 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
2413 !kiocb->ki_filp->f_op->iopoll)
2416 kiocb->ki_flags |= IOCB_HIPRI;
2417 kiocb->ki_complete = io_complete_rw_iopoll;
2418 req->iopoll_completed = 0;
2419 io_get_req_task(req);
2421 if (kiocb->ki_flags & IOCB_HIPRI)
2423 kiocb->ki_complete = io_complete_rw;
2426 req->rw.addr = READ_ONCE(sqe->addr);
2427 req->rw.len = READ_ONCE(sqe->len);
2428 req->buf_index = READ_ONCE(sqe->buf_index);
2432 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
2438 case -ERESTARTNOINTR:
2439 case -ERESTARTNOHAND:
2440 case -ERESTART_RESTARTBLOCK:
2442 * We can't just restart the syscall, since previously
2443 * submitted sqes may already be in progress. Just fail this
2449 kiocb->ki_complete(kiocb, ret, 0);
2453 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
2454 struct io_comp_state *cs)
2456 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2458 if (req->flags & REQ_F_CUR_POS)
2459 req->file->f_pos = kiocb->ki_pos;
2460 if (ret >= 0 && kiocb->ki_complete == io_complete_rw)
2461 __io_complete_rw(req, ret, 0, cs);
2463 io_rw_done(kiocb, ret);
2466 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
2467 struct iov_iter *iter)
2469 struct io_ring_ctx *ctx = req->ctx;
2470 size_t len = req->rw.len;
2471 struct io_mapped_ubuf *imu;
2472 u16 index, buf_index;
2476 /* attempt to use fixed buffers without having provided iovecs */
2477 if (unlikely(!ctx->user_bufs))
2480 buf_index = req->buf_index;
2481 if (unlikely(buf_index >= ctx->nr_user_bufs))
2484 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
2485 imu = &ctx->user_bufs[index];
2486 buf_addr = req->rw.addr;
2489 if (buf_addr + len < buf_addr)
2491 /* not inside the mapped region */
2492 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
2496 * May not be a start of buffer, set size appropriately
2497 * and advance us to the beginning.
2499 offset = buf_addr - imu->ubuf;
2500 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
2504 * Don't use iov_iter_advance() here, as it's really slow for
2505 * using the latter parts of a big fixed buffer - it iterates
2506 * over each segment manually. We can cheat a bit here, because
2509 * 1) it's a BVEC iter, we set it up
2510 * 2) all bvecs are PAGE_SIZE in size, except potentially the
2511 * first and last bvec
2513 * So just find our index, and adjust the iterator afterwards.
2514 * If the offset is within the first bvec (or the whole first
2515 * bvec, just use iov_iter_advance(). This makes it easier
2516 * since we can just skip the first segment, which may not
2517 * be PAGE_SIZE aligned.
2519 const struct bio_vec *bvec = imu->bvec;
2521 if (offset <= bvec->bv_len) {
2522 iov_iter_advance(iter, offset);
2524 unsigned long seg_skip;
2526 /* skip first vec */
2527 offset -= bvec->bv_len;
2528 seg_skip = 1 + (offset >> PAGE_SHIFT);
2530 iter->bvec = bvec + seg_skip;
2531 iter->nr_segs -= seg_skip;
2532 iter->count -= bvec->bv_len + offset;
2533 iter->iov_offset = offset & ~PAGE_MASK;
2540 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
2543 mutex_unlock(&ctx->uring_lock);
2546 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
2549 * "Normal" inline submissions always hold the uring_lock, since we
2550 * grab it from the system call. Same is true for the SQPOLL offload.
2551 * The only exception is when we've detached the request and issue it
2552 * from an async worker thread, grab the lock for that case.
2555 mutex_lock(&ctx->uring_lock);
2558 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
2559 int bgid, struct io_buffer *kbuf,
2562 struct io_buffer *head;
2564 if (req->flags & REQ_F_BUFFER_SELECTED)
2567 io_ring_submit_lock(req->ctx, needs_lock);
2569 lockdep_assert_held(&req->ctx->uring_lock);
2571 head = idr_find(&req->ctx->io_buffer_idr, bgid);
2573 if (!list_empty(&head->list)) {
2574 kbuf = list_last_entry(&head->list, struct io_buffer,
2576 list_del(&kbuf->list);
2579 idr_remove(&req->ctx->io_buffer_idr, bgid);
2581 if (*len > kbuf->len)
2584 kbuf = ERR_PTR(-ENOBUFS);
2587 io_ring_submit_unlock(req->ctx, needs_lock);
2592 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
2595 struct io_buffer *kbuf;
2598 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2599 bgid = req->buf_index;
2600 kbuf = io_buffer_select(req, len, bgid, kbuf, needs_lock);
2603 req->rw.addr = (u64) (unsigned long) kbuf;
2604 req->flags |= REQ_F_BUFFER_SELECTED;
2605 return u64_to_user_ptr(kbuf->addr);
2608 #ifdef CONFIG_COMPAT
2609 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
2612 struct compat_iovec __user *uiov;
2613 compat_ssize_t clen;
2617 uiov = u64_to_user_ptr(req->rw.addr);
2618 if (!access_ok(uiov, sizeof(*uiov)))
2620 if (__get_user(clen, &uiov->iov_len))
2626 buf = io_rw_buffer_select(req, &len, needs_lock);
2628 return PTR_ERR(buf);
2629 iov[0].iov_base = buf;
2630 iov[0].iov_len = (compat_size_t) len;
2635 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2638 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
2642 if (copy_from_user(iov, uiov, sizeof(*uiov)))
2645 len = iov[0].iov_len;
2648 buf = io_rw_buffer_select(req, &len, needs_lock);
2650 return PTR_ERR(buf);
2651 iov[0].iov_base = buf;
2652 iov[0].iov_len = len;
2656 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
2659 if (req->flags & REQ_F_BUFFER_SELECTED) {
2660 struct io_buffer *kbuf;
2662 kbuf = (struct io_buffer *) (unsigned long) req->rw.addr;
2663 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
2664 iov[0].iov_len = kbuf->len;
2669 else if (req->rw.len > 1)
2672 #ifdef CONFIG_COMPAT
2673 if (req->ctx->compat)
2674 return io_compat_import(req, iov, needs_lock);
2677 return __io_iov_buffer_select(req, iov, needs_lock);
2680 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
2681 struct iovec **iovec, struct iov_iter *iter,
2684 void __user *buf = u64_to_user_ptr(req->rw.addr);
2685 size_t sqe_len = req->rw.len;
2689 opcode = req->opcode;
2690 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
2692 return io_import_fixed(req, rw, iter);
2695 /* buffer index only valid with fixed read/write, or buffer select */
2696 if (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))
2699 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
2700 if (req->flags & REQ_F_BUFFER_SELECT) {
2701 buf = io_rw_buffer_select(req, &sqe_len, needs_lock);
2704 return PTR_ERR(buf);
2706 req->rw.len = sqe_len;
2709 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
2711 return ret < 0 ? ret : sqe_len;
2715 struct io_async_rw *iorw = &req->io->rw;
2718 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2719 if (iorw->iov == iorw->fast_iov)
2724 if (req->flags & REQ_F_BUFFER_SELECT) {
2725 ret = io_iov_buffer_select(req, *iovec, needs_lock);
2727 ret = (*iovec)->iov_len;
2728 iov_iter_init(iter, rw, *iovec, 1, ret);
2734 #ifdef CONFIG_COMPAT
2735 if (req->ctx->compat)
2736 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2740 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2744 * For files that don't have ->read_iter() and ->write_iter(), handle them
2745 * by looping over ->read() or ->write() manually.
2747 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2748 struct iov_iter *iter)
2753 * Don't support polled IO through this interface, and we can't
2754 * support non-blocking either. For the latter, this just causes
2755 * the kiocb to be handled from an async context.
2757 if (kiocb->ki_flags & IOCB_HIPRI)
2759 if (kiocb->ki_flags & IOCB_NOWAIT)
2762 while (iov_iter_count(iter)) {
2766 if (!iov_iter_is_bvec(iter)) {
2767 iovec = iov_iter_iovec(iter);
2769 /* fixed buffers import bvec */
2770 iovec.iov_base = kmap(iter->bvec->bv_page)
2772 iovec.iov_len = min(iter->count,
2773 iter->bvec->bv_len - iter->iov_offset);
2777 nr = file->f_op->read(file, iovec.iov_base,
2778 iovec.iov_len, &kiocb->ki_pos);
2780 nr = file->f_op->write(file, iovec.iov_base,
2781 iovec.iov_len, &kiocb->ki_pos);
2784 if (iov_iter_is_bvec(iter))
2785 kunmap(iter->bvec->bv_page);
2793 if (nr != iovec.iov_len)
2795 iov_iter_advance(iter, nr);
2801 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
2802 struct iovec *iovec, struct iovec *fast_iov,
2803 struct iov_iter *iter)
2805 req->io->rw.nr_segs = iter->nr_segs;
2806 req->io->rw.size = io_size;
2807 req->io->rw.iov = iovec;
2808 if (!req->io->rw.iov) {
2809 req->io->rw.iov = req->io->rw.fast_iov;
2810 if (req->io->rw.iov != fast_iov)
2811 memcpy(req->io->rw.iov, fast_iov,
2812 sizeof(struct iovec) * iter->nr_segs);
2814 req->flags |= REQ_F_NEED_CLEANUP;
2818 static inline int __io_alloc_async_ctx(struct io_kiocb *req)
2820 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
2821 return req->io == NULL;
2824 static int io_alloc_async_ctx(struct io_kiocb *req)
2826 if (!io_op_defs[req->opcode].async_ctx)
2829 return __io_alloc_async_ctx(req);
2832 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2833 struct iovec *iovec, struct iovec *fast_iov,
2834 struct iov_iter *iter)
2836 if (!io_op_defs[req->opcode].async_ctx)
2839 if (__io_alloc_async_ctx(req))
2842 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2847 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2848 bool force_nonblock)
2850 struct io_async_ctx *io;
2851 struct iov_iter iter;
2854 ret = io_prep_rw(req, sqe, force_nonblock);
2858 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2861 /* either don't need iovec imported or already have it */
2862 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
2866 io->rw.iov = io->rw.fast_iov;
2868 ret = io_import_iovec(READ, req, &io->rw.iov, &iter, !force_nonblock);
2873 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2877 static void io_async_buf_cancel(struct callback_head *cb)
2879 struct io_async_rw *rw;
2880 struct io_kiocb *req;
2882 rw = container_of(cb, struct io_async_rw, task_work);
2883 req = rw->wpq.wait.private;
2884 __io_req_task_cancel(req, -ECANCELED);
2887 static void io_async_buf_retry(struct callback_head *cb)
2889 struct io_async_rw *rw;
2890 struct io_kiocb *req;
2892 rw = container_of(cb, struct io_async_rw, task_work);
2893 req = rw->wpq.wait.private;
2895 __io_req_task_submit(req);
2898 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
2899 int sync, void *arg)
2901 struct wait_page_queue *wpq;
2902 struct io_kiocb *req = wait->private;
2903 struct io_async_rw *rw = &req->io->rw;
2904 struct wait_page_key *key = arg;
2905 struct task_struct *tsk;
2908 wpq = container_of(wait, struct wait_page_queue, wait);
2910 ret = wake_page_match(wpq, key);
2914 list_del_init(&wait->entry);
2916 init_task_work(&rw->task_work, io_async_buf_retry);
2917 /* submit ref gets dropped, acquire a new one */
2918 refcount_inc(&req->refs);
2920 ret = task_work_add(tsk, &rw->task_work, true);
2921 if (unlikely(ret)) {
2922 /* queue just for cancelation */
2923 init_task_work(&rw->task_work, io_async_buf_cancel);
2924 tsk = io_wq_get_task(req->ctx->io_wq);
2925 task_work_add(tsk, &rw->task_work, true);
2927 wake_up_process(tsk);
2931 static bool io_rw_should_retry(struct io_kiocb *req)
2933 struct kiocb *kiocb = &req->rw.kiocb;
2936 /* never retry for NOWAIT, we just complete with -EAGAIN */
2937 if (req->flags & REQ_F_NOWAIT)
2940 /* already tried, or we're doing O_DIRECT */
2941 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_WAITQ))
2944 * just use poll if we can, and don't attempt if the fs doesn't
2945 * support callback based unlocks
2947 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
2951 * If request type doesn't require req->io to defer in general,
2952 * we need to allocate it here
2954 if (!req->io && __io_alloc_async_ctx(req))
2957 ret = kiocb_wait_page_queue_init(kiocb, &req->io->rw.wpq,
2958 io_async_buf_func, req);
2960 io_get_req_task(req);
2967 static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
2969 if (req->file->f_op->read_iter)
2970 return call_read_iter(req->file, &req->rw.kiocb, iter);
2971 return loop_rw_iter(READ, req->file, &req->rw.kiocb, iter);
2974 static int io_read(struct io_kiocb *req, bool force_nonblock,
2975 struct io_comp_state *cs)
2977 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
2978 struct kiocb *kiocb = &req->rw.kiocb;
2979 struct iov_iter iter;
2981 ssize_t io_size, ret;
2983 ret = io_import_iovec(READ, req, &iovec, &iter, !force_nonblock);
2987 /* Ensure we clear previously set non-block flag */
2988 if (!force_nonblock)
2989 kiocb->ki_flags &= ~IOCB_NOWAIT;
2992 req->result = io_size;
2994 /* If the file doesn't support async, just async punt */
2995 if (force_nonblock && !io_file_supports_async(req->file, READ))
2998 iov_count = iov_iter_count(&iter);
2999 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
3001 unsigned long nr_segs = iter.nr_segs;
3004 ret2 = io_iter_do_read(req, &iter);
3006 /* Catch -EAGAIN return for forced non-blocking submission */
3007 if (!force_nonblock || (ret2 != -EAGAIN && ret2 != -EIO)) {
3008 kiocb_done(kiocb, ret2, cs);
3010 iter.count = iov_count;
3011 iter.nr_segs = nr_segs;
3013 ret = io_setup_async_rw(req, io_size, iovec,
3014 inline_vecs, &iter);
3017 /* if we can retry, do so with the callbacks armed */
3018 if (io_rw_should_retry(req)) {
3019 ret2 = io_iter_do_read(req, &iter);
3020 if (ret2 == -EIOCBQUEUED) {
3022 } else if (ret2 != -EAGAIN) {
3023 kiocb_done(kiocb, ret2, cs);
3027 kiocb->ki_flags &= ~IOCB_WAITQ;
3032 if (!(req->flags & REQ_F_NEED_CLEANUP))
3037 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3038 bool force_nonblock)
3040 struct io_async_ctx *io;
3041 struct iov_iter iter;
3044 ret = io_prep_rw(req, sqe, force_nonblock);
3048 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
3051 req->fsize = rlimit(RLIMIT_FSIZE);
3053 /* either don't need iovec imported or already have it */
3054 if (!req->io || req->flags & REQ_F_NEED_CLEANUP)
3058 io->rw.iov = io->rw.fast_iov;
3060 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter, !force_nonblock);
3065 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
3069 static int io_write(struct io_kiocb *req, bool force_nonblock,
3070 struct io_comp_state *cs)
3072 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3073 struct kiocb *kiocb = &req->rw.kiocb;
3074 struct iov_iter iter;
3076 ssize_t ret, io_size;
3078 ret = io_import_iovec(WRITE, req, &iovec, &iter, !force_nonblock);
3082 /* Ensure we clear previously set non-block flag */
3083 if (!force_nonblock)
3084 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
3087 req->result = io_size;
3089 /* If the file doesn't support async, just async punt */
3090 if (force_nonblock && !io_file_supports_async(req->file, WRITE))
3093 /* file path doesn't support NOWAIT for non-direct_IO */
3094 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
3095 (req->flags & REQ_F_ISREG))
3098 iov_count = iov_iter_count(&iter);
3099 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
3101 unsigned long nr_segs = iter.nr_segs;
3105 * Open-code file_start_write here to grab freeze protection,
3106 * which will be released by another thread in
3107 * io_complete_rw(). Fool lockdep by telling it the lock got
3108 * released so that it doesn't complain about the held lock when
3109 * we return to userspace.
3111 if (req->flags & REQ_F_ISREG) {
3112 __sb_start_write(file_inode(req->file)->i_sb,
3113 SB_FREEZE_WRITE, true);
3114 __sb_writers_release(file_inode(req->file)->i_sb,
3117 kiocb->ki_flags |= IOCB_WRITE;
3119 if (!force_nonblock)
3120 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
3122 if (req->file->f_op->write_iter)
3123 ret2 = call_write_iter(req->file, kiocb, &iter);
3125 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
3127 if (!force_nonblock)
3128 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
3131 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
3132 * retry them without IOCB_NOWAIT.
3134 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
3136 if (!force_nonblock || ret2 != -EAGAIN) {
3137 kiocb_done(kiocb, ret2, cs);
3139 iter.count = iov_count;
3140 iter.nr_segs = nr_segs;
3142 ret = io_setup_async_rw(req, io_size, iovec,
3143 inline_vecs, &iter);
3150 if (!(req->flags & REQ_F_NEED_CLEANUP))
3155 static int __io_splice_prep(struct io_kiocb *req,
3156 const struct io_uring_sqe *sqe)
3158 struct io_splice* sp = &req->splice;
3159 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
3162 if (req->flags & REQ_F_NEED_CLEANUP)
3164 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3168 sp->len = READ_ONCE(sqe->len);
3169 sp->flags = READ_ONCE(sqe->splice_flags);
3171 if (unlikely(sp->flags & ~valid_flags))
3174 ret = io_file_get(NULL, req, READ_ONCE(sqe->splice_fd_in), &sp->file_in,
3175 (sp->flags & SPLICE_F_FD_IN_FIXED));
3178 req->flags |= REQ_F_NEED_CLEANUP;
3180 if (!S_ISREG(file_inode(sp->file_in)->i_mode)) {
3182 * Splice operation will be punted aync, and here need to
3183 * modify io_wq_work.flags, so initialize io_wq_work firstly.
3185 io_req_init_async(req);
3186 req->work.flags |= IO_WQ_WORK_UNBOUND;
3192 static int io_tee_prep(struct io_kiocb *req,
3193 const struct io_uring_sqe *sqe)
3195 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
3197 return __io_splice_prep(req, sqe);
3200 static int io_tee(struct io_kiocb *req, bool force_nonblock)
3202 struct io_splice *sp = &req->splice;
3203 struct file *in = sp->file_in;
3204 struct file *out = sp->file_out;
3205 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3211 ret = do_tee(in, out, sp->len, flags);
3213 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3214 req->flags &= ~REQ_F_NEED_CLEANUP;
3217 req_set_fail_links(req);
3218 io_req_complete(req, ret);
3222 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3224 struct io_splice* sp = &req->splice;
3226 sp->off_in = READ_ONCE(sqe->splice_off_in);
3227 sp->off_out = READ_ONCE(sqe->off);
3228 return __io_splice_prep(req, sqe);
3231 static int io_splice(struct io_kiocb *req, bool force_nonblock)
3233 struct io_splice *sp = &req->splice;
3234 struct file *in = sp->file_in;
3235 struct file *out = sp->file_out;
3236 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
3237 loff_t *poff_in, *poff_out;
3243 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
3244 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
3247 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
3249 io_put_file(req, in, (sp->flags & SPLICE_F_FD_IN_FIXED));
3250 req->flags &= ~REQ_F_NEED_CLEANUP;
3253 req_set_fail_links(req);
3254 io_req_complete(req, ret);
3259 * IORING_OP_NOP just posts a completion event, nothing else.
3261 static int io_nop(struct io_kiocb *req, struct io_comp_state *cs)
3263 struct io_ring_ctx *ctx = req->ctx;
3265 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3268 __io_req_complete(req, 0, 0, cs);
3272 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3274 struct io_ring_ctx *ctx = req->ctx;
3279 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3281 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3284 req->sync.flags = READ_ONCE(sqe->fsync_flags);
3285 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
3288 req->sync.off = READ_ONCE(sqe->off);
3289 req->sync.len = READ_ONCE(sqe->len);
3293 static int io_fsync(struct io_kiocb *req, bool force_nonblock)
3295 loff_t end = req->sync.off + req->sync.len;
3298 /* fsync always requires a blocking context */
3302 ret = vfs_fsync_range(req->file, req->sync.off,
3303 end > 0 ? end : LLONG_MAX,
3304 req->sync.flags & IORING_FSYNC_DATASYNC);
3306 req_set_fail_links(req);
3307 io_req_complete(req, ret);
3311 static int io_fallocate_prep(struct io_kiocb *req,
3312 const struct io_uring_sqe *sqe)
3314 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
3316 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3319 req->sync.off = READ_ONCE(sqe->off);
3320 req->sync.len = READ_ONCE(sqe->addr);
3321 req->sync.mode = READ_ONCE(sqe->len);
3322 req->fsize = rlimit(RLIMIT_FSIZE);
3326 static int io_fallocate(struct io_kiocb *req, bool force_nonblock)
3330 /* fallocate always requiring blocking context */
3334 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = req->fsize;
3335 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
3337 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
3339 req_set_fail_links(req);
3340 io_req_complete(req, ret);
3344 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3346 const char __user *fname;
3349 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3351 if (unlikely(sqe->ioprio || sqe->buf_index))
3353 if (unlikely(req->flags & REQ_F_FIXED_FILE))
3356 /* open.how should be already initialised */
3357 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
3358 req->open.how.flags |= O_LARGEFILE;
3360 req->open.dfd = READ_ONCE(sqe->fd);
3361 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
3362 req->open.filename = getname(fname);
3363 if (IS_ERR(req->open.filename)) {
3364 ret = PTR_ERR(req->open.filename);
3365 req->open.filename = NULL;
3368 req->open.nofile = rlimit(RLIMIT_NOFILE);
3369 req->flags |= REQ_F_NEED_CLEANUP;
3373 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3377 if (req->flags & REQ_F_NEED_CLEANUP)
3379 mode = READ_ONCE(sqe->len);
3380 flags = READ_ONCE(sqe->open_flags);
3381 req->open.how = build_open_how(flags, mode);
3382 return __io_openat_prep(req, sqe);
3385 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3387 struct open_how __user *how;
3391 if (req->flags & REQ_F_NEED_CLEANUP)
3393 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3394 len = READ_ONCE(sqe->len);
3395 if (len < OPEN_HOW_SIZE_VER0)
3398 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
3403 return __io_openat_prep(req, sqe);
3406 static int io_openat2(struct io_kiocb *req, bool force_nonblock)
3408 struct open_flags op;
3415 ret = build_open_flags(&req->open.how, &op);
3419 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
3423 file = do_filp_open(req->open.dfd, req->open.filename, &op);
3426 ret = PTR_ERR(file);
3428 fsnotify_open(file);
3429 fd_install(ret, file);
3432 putname(req->open.filename);
3433 req->flags &= ~REQ_F_NEED_CLEANUP;
3435 req_set_fail_links(req);
3436 io_req_complete(req, ret);
3440 static int io_openat(struct io_kiocb *req, bool force_nonblock)
3442 return io_openat2(req, force_nonblock);
3445 static int io_remove_buffers_prep(struct io_kiocb *req,
3446 const struct io_uring_sqe *sqe)
3448 struct io_provide_buf *p = &req->pbuf;
3451 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off)
3454 tmp = READ_ONCE(sqe->fd);
3455 if (!tmp || tmp > USHRT_MAX)
3458 memset(p, 0, sizeof(*p));
3460 p->bgid = READ_ONCE(sqe->buf_group);
3464 static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,
3465 int bgid, unsigned nbufs)
3469 /* shouldn't happen */
3473 /* the head kbuf is the list itself */
3474 while (!list_empty(&buf->list)) {
3475 struct io_buffer *nxt;
3477 nxt = list_first_entry(&buf->list, struct io_buffer, list);
3478 list_del(&nxt->list);
3485 idr_remove(&ctx->io_buffer_idr, bgid);
3490 static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock,
3491 struct io_comp_state *cs)
3493 struct io_provide_buf *p = &req->pbuf;
3494 struct io_ring_ctx *ctx = req->ctx;
3495 struct io_buffer *head;
3498 io_ring_submit_lock(ctx, !force_nonblock);
3500 lockdep_assert_held(&ctx->uring_lock);
3503 head = idr_find(&ctx->io_buffer_idr, p->bgid);
3505 ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
3507 io_ring_submit_lock(ctx, !force_nonblock);
3509 req_set_fail_links(req);
3510 __io_req_complete(req, ret, 0, cs);
3514 static int io_provide_buffers_prep(struct io_kiocb *req,
3515 const struct io_uring_sqe *sqe)
3517 struct io_provide_buf *p = &req->pbuf;
3520 if (sqe->ioprio || sqe->rw_flags)
3523 tmp = READ_ONCE(sqe->fd);
3524 if (!tmp || tmp > USHRT_MAX)
3527 p->addr = READ_ONCE(sqe->addr);
3528 p->len = READ_ONCE(sqe->len);
3530 if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
3533 p->bgid = READ_ONCE(sqe->buf_group);
3534 tmp = READ_ONCE(sqe->off);
3535 if (tmp > USHRT_MAX)
3541 static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
3543 struct io_buffer *buf;
3544 u64 addr = pbuf->addr;
3545 int i, bid = pbuf->bid;
3547 for (i = 0; i < pbuf->nbufs; i++) {
3548 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
3553 buf->len = pbuf->len;
3558 INIT_LIST_HEAD(&buf->list);
3561 list_add_tail(&buf->list, &(*head)->list);
3565 return i ? i : -ENOMEM;
3568 static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock,
3569 struct io_comp_state *cs)
3571 struct io_provide_buf *p = &req->pbuf;
3572 struct io_ring_ctx *ctx = req->ctx;
3573 struct io_buffer *head, *list;
3576 io_ring_submit_lock(ctx, !force_nonblock);
3578 lockdep_assert_held(&ctx->uring_lock);
3580 list = head = idr_find(&ctx->io_buffer_idr, p->bgid);
3582 ret = io_add_buffers(p, &head);
3587 ret = idr_alloc(&ctx->io_buffer_idr, head, p->bgid, p->bgid + 1,
3590 __io_remove_buffers(ctx, head, p->bgid, -1U);
3595 io_ring_submit_unlock(ctx, !force_nonblock);
3597 req_set_fail_links(req);
3598 __io_req_complete(req, ret, 0, cs);
3602 static int io_epoll_ctl_prep(struct io_kiocb *req,
3603 const struct io_uring_sqe *sqe)
3605 #if defined(CONFIG_EPOLL)
3606 if (sqe->ioprio || sqe->buf_index)
3608 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3611 req->epoll.epfd = READ_ONCE(sqe->fd);
3612 req->epoll.op = READ_ONCE(sqe->len);
3613 req->epoll.fd = READ_ONCE(sqe->off);
3615 if (ep_op_has_event(req->epoll.op)) {
3616 struct epoll_event __user *ev;
3618 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
3619 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
3629 static int io_epoll_ctl(struct io_kiocb *req, bool force_nonblock,
3630 struct io_comp_state *cs)
3632 #if defined(CONFIG_EPOLL)
3633 struct io_epoll *ie = &req->epoll;
3636 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
3637 if (force_nonblock && ret == -EAGAIN)
3641 req_set_fail_links(req);
3642 __io_req_complete(req, ret, 0, cs);
3649 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3651 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3652 if (sqe->ioprio || sqe->buf_index || sqe->off)
3654 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3657 req->madvise.addr = READ_ONCE(sqe->addr);
3658 req->madvise.len = READ_ONCE(sqe->len);
3659 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
3666 static int io_madvise(struct io_kiocb *req, bool force_nonblock)
3668 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
3669 struct io_madvise *ma = &req->madvise;
3675 ret = do_madvise(ma->addr, ma->len, ma->advice);
3677 req_set_fail_links(req);
3678 io_req_complete(req, ret);
3685 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3687 if (sqe->ioprio || sqe->buf_index || sqe->addr)
3689 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3692 req->fadvise.offset = READ_ONCE(sqe->off);
3693 req->fadvise.len = READ_ONCE(sqe->len);
3694 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
3698 static int io_fadvise(struct io_kiocb *req, bool force_nonblock)
3700 struct io_fadvise *fa = &req->fadvise;
3703 if (force_nonblock) {
3704 switch (fa->advice) {
3705 case POSIX_FADV_NORMAL:
3706 case POSIX_FADV_RANDOM:
3707 case POSIX_FADV_SEQUENTIAL:
3714 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
3716 req_set_fail_links(req);
3717 io_req_complete(req, ret);
3721 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3723 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3725 if (sqe->ioprio || sqe->buf_index)
3727 if (req->flags & REQ_F_FIXED_FILE)
3730 req->statx.dfd = READ_ONCE(sqe->fd);
3731 req->statx.mask = READ_ONCE(sqe->len);
3732 req->statx.filename = u64_to_user_ptr(READ_ONCE(sqe->addr));
3733 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
3734 req->statx.flags = READ_ONCE(sqe->statx_flags);
3739 static int io_statx(struct io_kiocb *req, bool force_nonblock)
3741 struct io_statx *ctx = &req->statx;
3744 if (force_nonblock) {
3745 /* only need file table for an actual valid fd */
3746 if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
3747 req->flags |= REQ_F_NO_FILE_TABLE;
3751 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
3755 req_set_fail_links(req);
3756 io_req_complete(req, ret);
3760 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3763 * If we queue this for async, it must not be cancellable. That would
3764 * leave the 'file' in an undeterminate state, and here need to modify
3765 * io_wq_work.flags, so initialize io_wq_work firstly.
3767 io_req_init_async(req);
3768 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
3770 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3772 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
3773 sqe->rw_flags || sqe->buf_index)
3775 if (req->flags & REQ_F_FIXED_FILE)
3778 req->close.fd = READ_ONCE(sqe->fd);
3779 if ((req->file && req->file->f_op == &io_uring_fops) ||
3780 req->close.fd == req->ctx->ring_fd)
3783 req->close.put_file = NULL;
3787 static int io_close(struct io_kiocb *req, bool force_nonblock,
3788 struct io_comp_state *cs)
3790 struct io_close *close = &req->close;
3793 /* might be already done during nonblock submission */
3794 if (!close->put_file) {
3795 ret = __close_fd_get_file(close->fd, &close->put_file);
3797 return (ret == -ENOENT) ? -EBADF : ret;
3800 /* if the file has a flush method, be safe and punt to async */
3801 if (close->put_file->f_op->flush && force_nonblock) {
3802 /* was never set, but play safe */
3803 req->flags &= ~REQ_F_NOWAIT;
3804 /* avoid grabbing files - we don't need the files */
3805 req->flags |= REQ_F_NO_FILE_TABLE;
3809 /* No ->flush() or already async, safely close from here */
3810 ret = filp_close(close->put_file, req->work.files);
3812 req_set_fail_links(req);
3813 fput(close->put_file);
3814 close->put_file = NULL;
3815 __io_req_complete(req, ret, 0, cs);
3819 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3821 struct io_ring_ctx *ctx = req->ctx;
3826 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3828 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
3831 req->sync.off = READ_ONCE(sqe->off);
3832 req->sync.len = READ_ONCE(sqe->len);
3833 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
3837 static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
3841 /* sync_file_range always requires a blocking context */
3845 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
3848 req_set_fail_links(req);
3849 io_req_complete(req, ret);
3853 #if defined(CONFIG_NET)
3854 static int io_setup_async_msg(struct io_kiocb *req,
3855 struct io_async_msghdr *kmsg)
3859 if (io_alloc_async_ctx(req)) {
3860 if (kmsg->iov != kmsg->fast_iov)
3864 req->flags |= REQ_F_NEED_CLEANUP;
3865 memcpy(&req->io->msg, kmsg, sizeof(*kmsg));
3869 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3871 struct io_sr_msg *sr = &req->sr_msg;
3872 struct io_async_ctx *io = req->io;
3875 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3878 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3879 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3880 sr->len = READ_ONCE(sqe->len);
3882 #ifdef CONFIG_COMPAT
3883 if (req->ctx->compat)
3884 sr->msg_flags |= MSG_CMSG_COMPAT;
3887 if (!io || req->opcode == IORING_OP_SEND)
3889 /* iovec is already imported */
3890 if (req->flags & REQ_F_NEED_CLEANUP)
3893 io->msg.iov = io->msg.fast_iov;
3894 ret = sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
3897 req->flags |= REQ_F_NEED_CLEANUP;
3901 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
3902 struct io_comp_state *cs)
3904 struct io_async_msghdr *kmsg = NULL;
3905 struct socket *sock;
3908 sock = sock_from_file(req->file, &ret);
3910 struct io_async_ctx io;
3914 kmsg = &req->io->msg;
3915 kmsg->msg.msg_name = &req->io->msg.addr;
3916 /* if iov is set, it's allocated already */
3918 kmsg->iov = kmsg->fast_iov;
3919 kmsg->msg.msg_iter.iov = kmsg->iov;
3921 struct io_sr_msg *sr = &req->sr_msg;
3924 kmsg->msg.msg_name = &io.msg.addr;
3926 io.msg.iov = io.msg.fast_iov;
3927 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
3928 sr->msg_flags, &io.msg.iov);
3933 flags = req->sr_msg.msg_flags;
3934 if (flags & MSG_DONTWAIT)
3935 req->flags |= REQ_F_NOWAIT;
3936 else if (force_nonblock)
3937 flags |= MSG_DONTWAIT;
3939 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
3940 if (force_nonblock && ret == -EAGAIN)
3941 return io_setup_async_msg(req, kmsg);
3942 if (ret == -ERESTARTSYS)
3946 if (kmsg && kmsg->iov != kmsg->fast_iov)
3948 req->flags &= ~REQ_F_NEED_CLEANUP;
3950 req_set_fail_links(req);
3951 __io_req_complete(req, ret, 0, cs);
3955 static int io_send(struct io_kiocb *req, bool force_nonblock,
3956 struct io_comp_state *cs)
3958 struct socket *sock;
3961 sock = sock_from_file(req->file, &ret);
3963 struct io_sr_msg *sr = &req->sr_msg;
3968 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
3973 msg.msg_name = NULL;
3974 msg.msg_control = NULL;
3975 msg.msg_controllen = 0;
3976 msg.msg_namelen = 0;
3978 flags = req->sr_msg.msg_flags;
3979 if (flags & MSG_DONTWAIT)
3980 req->flags |= REQ_F_NOWAIT;
3981 else if (force_nonblock)
3982 flags |= MSG_DONTWAIT;
3984 msg.msg_flags = flags;
3985 ret = sock_sendmsg(sock, &msg);
3986 if (force_nonblock && ret == -EAGAIN)
3988 if (ret == -ERESTARTSYS)
3993 req_set_fail_links(req);
3994 __io_req_complete(req, ret, 0, cs);
3998 static int __io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
4000 struct io_sr_msg *sr = &req->sr_msg;
4001 struct iovec __user *uiov;
4005 ret = __copy_msghdr_from_user(&io->msg.msg, sr->msg, &io->msg.uaddr,
4010 if (req->flags & REQ_F_BUFFER_SELECT) {
4013 if (copy_from_user(io->msg.iov, uiov, sizeof(*uiov)))
4015 sr->len = io->msg.iov[0].iov_len;
4016 iov_iter_init(&io->msg.msg.msg_iter, READ, io->msg.iov, 1,
4020 ret = import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
4021 &io->msg.iov, &io->msg.msg.msg_iter);
4029 #ifdef CONFIG_COMPAT
4030 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
4031 struct io_async_ctx *io)
4033 struct compat_msghdr __user *msg_compat;
4034 struct io_sr_msg *sr = &req->sr_msg;
4035 struct compat_iovec __user *uiov;
4040 msg_compat = (struct compat_msghdr __user *) sr->msg;
4041 ret = __get_compat_msghdr(&io->msg.msg, msg_compat, &io->msg.uaddr,
4046 uiov = compat_ptr(ptr);
4047 if (req->flags & REQ_F_BUFFER_SELECT) {
4048 compat_ssize_t clen;
4052 if (!access_ok(uiov, sizeof(*uiov)))
4054 if (__get_user(clen, &uiov->iov_len))
4058 sr->len = io->msg.iov[0].iov_len;
4061 ret = compat_import_iovec(READ, uiov, len, UIO_FASTIOV,
4063 &io->msg.msg.msg_iter);
4072 static int io_recvmsg_copy_hdr(struct io_kiocb *req, struct io_async_ctx *io)
4074 io->msg.iov = io->msg.fast_iov;
4076 #ifdef CONFIG_COMPAT
4077 if (req->ctx->compat)
4078 return __io_compat_recvmsg_copy_hdr(req, io);
4081 return __io_recvmsg_copy_hdr(req, io);
4084 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
4085 int *cflags, bool needs_lock)
4087 struct io_sr_msg *sr = &req->sr_msg;
4088 struct io_buffer *kbuf;
4090 if (!(req->flags & REQ_F_BUFFER_SELECT))
4093 kbuf = io_buffer_select(req, &sr->len, sr->bgid, sr->kbuf, needs_lock);
4098 req->flags |= REQ_F_BUFFER_SELECTED;
4100 *cflags = kbuf->bid << IORING_CQE_BUFFER_SHIFT;
4101 *cflags |= IORING_CQE_F_BUFFER;
4105 static int io_recvmsg_prep(struct io_kiocb *req,
4106 const struct io_uring_sqe *sqe)
4108 struct io_sr_msg *sr = &req->sr_msg;
4109 struct io_async_ctx *io = req->io;
4112 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4115 sr->msg_flags = READ_ONCE(sqe->msg_flags);
4116 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
4117 sr->len = READ_ONCE(sqe->len);
4118 sr->bgid = READ_ONCE(sqe->buf_group);
4120 #ifdef CONFIG_COMPAT
4121 if (req->ctx->compat)
4122 sr->msg_flags |= MSG_CMSG_COMPAT;
4125 if (!io || req->opcode == IORING_OP_RECV)
4127 /* iovec is already imported */
4128 if (req->flags & REQ_F_NEED_CLEANUP)
4131 ret = io_recvmsg_copy_hdr(req, io);
4133 req->flags |= REQ_F_NEED_CLEANUP;
4137 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4138 struct io_comp_state *cs)
4140 struct io_async_msghdr *kmsg = NULL;
4141 struct socket *sock;
4142 int ret, cflags = 0;
4144 sock = sock_from_file(req->file, &ret);
4146 struct io_buffer *kbuf;
4147 struct io_async_ctx io;
4151 kmsg = &req->io->msg;
4152 kmsg->msg.msg_name = &req->io->msg.addr;
4153 /* if iov is set, it's allocated already */
4155 kmsg->iov = kmsg->fast_iov;
4156 kmsg->msg.msg_iter.iov = kmsg->iov;
4159 kmsg->msg.msg_name = &io.msg.addr;
4161 ret = io_recvmsg_copy_hdr(req, &io);
4166 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
4168 return PTR_ERR(kbuf);
4170 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
4171 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->iov,
4172 1, req->sr_msg.len);
4175 flags = req->sr_msg.msg_flags;
4176 if (flags & MSG_DONTWAIT)
4177 req->flags |= REQ_F_NOWAIT;
4178 else if (force_nonblock)
4179 flags |= MSG_DONTWAIT;
4181 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
4182 kmsg->uaddr, flags);
4183 if (force_nonblock && ret == -EAGAIN)
4184 return io_setup_async_msg(req, kmsg);
4185 if (ret == -ERESTARTSYS)
4189 if (kmsg && kmsg->iov != kmsg->fast_iov)
4191 req->flags &= ~REQ_F_NEED_CLEANUP;
4193 req_set_fail_links(req);
4194 __io_req_complete(req, ret, cflags, cs);
4198 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4199 struct io_comp_state *cs)
4201 struct io_buffer *kbuf = NULL;
4202 struct socket *sock;
4203 int ret, cflags = 0;
4205 sock = sock_from_file(req->file, &ret);
4207 struct io_sr_msg *sr = &req->sr_msg;
4208 void __user *buf = sr->buf;
4213 kbuf = io_recv_buffer_select(req, &cflags, !force_nonblock);
4215 return PTR_ERR(kbuf);
4217 buf = u64_to_user_ptr(kbuf->addr);
4219 ret = import_single_range(READ, buf, sr->len, &iov,
4226 req->flags |= REQ_F_NEED_CLEANUP;
4227 msg.msg_name = NULL;
4228 msg.msg_control = NULL;
4229 msg.msg_controllen = 0;
4230 msg.msg_namelen = 0;
4231 msg.msg_iocb = NULL;
4234 flags = req->sr_msg.msg_flags;
4235 if (flags & MSG_DONTWAIT)
4236 req->flags |= REQ_F_NOWAIT;
4237 else if (force_nonblock)
4238 flags |= MSG_DONTWAIT;
4240 ret = sock_recvmsg(sock, &msg, flags);
4241 if (force_nonblock && ret == -EAGAIN)
4243 if (ret == -ERESTARTSYS)
4248 req->flags &= ~REQ_F_NEED_CLEANUP;
4250 req_set_fail_links(req);
4251 __io_req_complete(req, ret, cflags, cs);
4255 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4257 struct io_accept *accept = &req->accept;
4259 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4261 if (sqe->ioprio || sqe->len || sqe->buf_index)
4264 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4265 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4266 accept->flags = READ_ONCE(sqe->accept_flags);
4267 accept->nofile = rlimit(RLIMIT_NOFILE);
4271 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4272 struct io_comp_state *cs)
4274 struct io_accept *accept = &req->accept;
4275 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
4278 if (req->file->f_flags & O_NONBLOCK)
4279 req->flags |= REQ_F_NOWAIT;
4281 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
4282 accept->addr_len, accept->flags,
4284 if (ret == -EAGAIN && force_nonblock)
4287 if (ret == -ERESTARTSYS)
4289 req_set_fail_links(req);
4291 __io_req_complete(req, ret, 0, cs);
4295 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4297 struct io_connect *conn = &req->connect;
4298 struct io_async_ctx *io = req->io;
4300 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
4302 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
4305 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
4306 conn->addr_len = READ_ONCE(sqe->addr2);
4311 return move_addr_to_kernel(conn->addr, conn->addr_len,
4312 &io->connect.address);
4315 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4316 struct io_comp_state *cs)
4318 struct io_async_ctx __io, *io;
4319 unsigned file_flags;
4325 ret = move_addr_to_kernel(req->connect.addr,
4326 req->connect.addr_len,
4327 &__io.connect.address);
4333 file_flags = force_nonblock ? O_NONBLOCK : 0;
4335 ret = __sys_connect_file(req->file, &io->connect.address,
4336 req->connect.addr_len, file_flags);
4337 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
4340 if (io_alloc_async_ctx(req)) {
4344 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
4347 if (ret == -ERESTARTSYS)
4351 req_set_fail_links(req);
4352 __io_req_complete(req, ret, 0, cs);
4355 #else /* !CONFIG_NET */
4356 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4361 static int io_sendmsg(struct io_kiocb *req, bool force_nonblock,
4362 struct io_comp_state *cs)
4367 static int io_send(struct io_kiocb *req, bool force_nonblock,
4368 struct io_comp_state *cs)
4373 static int io_recvmsg_prep(struct io_kiocb *req,
4374 const struct io_uring_sqe *sqe)
4379 static int io_recvmsg(struct io_kiocb *req, bool force_nonblock,
4380 struct io_comp_state *cs)
4385 static int io_recv(struct io_kiocb *req, bool force_nonblock,
4386 struct io_comp_state *cs)
4391 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4396 static int io_accept(struct io_kiocb *req, bool force_nonblock,
4397 struct io_comp_state *cs)
4402 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4407 static int io_connect(struct io_kiocb *req, bool force_nonblock,
4408 struct io_comp_state *cs)
4412 #endif /* CONFIG_NET */
4414 struct io_poll_table {
4415 struct poll_table_struct pt;
4416 struct io_kiocb *req;
4420 static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
4421 __poll_t mask, task_work_func_t func)
4423 struct task_struct *tsk;
4426 /* for instances that support it check for an event match first: */
4427 if (mask && !(mask & poll->events))
4430 trace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);
4432 list_del_init(&poll->wait.entry);
4436 init_task_work(&req->task_work, func);
4438 * If this fails, then the task is exiting. When a task exits, the
4439 * work gets canceled, so just cancel this request as well instead
4440 * of executing it. We can't safely execute it anyway, as we may not
4441 * have the needed state needed for it anyway.
4443 ret = task_work_add(tsk, &req->task_work, true);
4444 if (unlikely(ret)) {
4445 WRITE_ONCE(poll->canceled, true);
4446 tsk = io_wq_get_task(req->ctx->io_wq);
4447 task_work_add(tsk, &req->task_work, true);
4449 wake_up_process(tsk);
4453 static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
4454 __acquires(&req->ctx->completion_lock)
4456 struct io_ring_ctx *ctx = req->ctx;
4458 if (!req->result && !READ_ONCE(poll->canceled)) {
4459 struct poll_table_struct pt = { ._key = poll->events };
4461 req->result = vfs_poll(req->file, &pt) & poll->events;
4464 spin_lock_irq(&ctx->completion_lock);
4465 if (!req->result && !READ_ONCE(poll->canceled)) {
4466 add_wait_queue(poll->head, &poll->wait);
4473 static void io_poll_remove_double(struct io_kiocb *req)
4475 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4477 lockdep_assert_held(&req->ctx->completion_lock);
4479 if (poll && poll->head) {
4480 struct wait_queue_head *head = poll->head;
4482 spin_lock(&head->lock);
4483 list_del_init(&poll->wait.entry);
4484 if (poll->wait.private)
4485 refcount_dec(&req->refs);
4487 spin_unlock(&head->lock);
4491 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
4493 struct io_ring_ctx *ctx = req->ctx;
4495 io_poll_remove_double(req);
4496 req->poll.done = true;
4497 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
4498 io_commit_cqring(ctx);
4501 static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
4503 struct io_ring_ctx *ctx = req->ctx;
4505 if (io_poll_rewait(req, &req->poll)) {
4506 spin_unlock_irq(&ctx->completion_lock);
4510 hash_del(&req->hash_node);
4511 io_poll_complete(req, req->result, 0);
4512 req->flags |= REQ_F_COMP_LOCKED;
4513 *nxt = io_put_req_find_next(req);
4514 spin_unlock_irq(&ctx->completion_lock);
4516 io_cqring_ev_posted(ctx);
4519 static void io_poll_task_func(struct callback_head *cb)
4521 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4522 struct io_kiocb *nxt = NULL;
4524 io_poll_task_handler(req, &nxt);
4526 __io_req_task_submit(nxt);
4529 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4530 int sync, void *key)
4532 struct io_kiocb *req = wait->private;
4533 struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
4534 __poll_t mask = key_to_poll(key);
4536 /* for instances that support it check for an event match first: */
4537 if (mask && !(mask & poll->events))
4540 if (req->poll.head) {
4543 spin_lock(&req->poll.head->lock);
4544 done = list_empty(&req->poll.wait.entry);
4546 list_del_init(&req->poll.wait.entry);
4547 spin_unlock(&req->poll.head->lock);
4549 __io_async_wake(req, poll, mask, io_poll_task_func);
4551 refcount_dec(&req->refs);
4555 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
4556 wait_queue_func_t wake_func)
4560 poll->canceled = false;
4561 poll->events = events;
4562 INIT_LIST_HEAD(&poll->wait.entry);
4563 init_waitqueue_func_entry(&poll->wait, wake_func);
4566 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
4567 struct wait_queue_head *head)
4569 struct io_kiocb *req = pt->req;
4572 * If poll->head is already set, it's because the file being polled
4573 * uses multiple waitqueues for poll handling (eg one for read, one
4574 * for write). Setup a separate io_poll_iocb if this happens.
4576 if (unlikely(poll->head)) {
4577 /* already have a 2nd entry, fail a third attempt */
4579 pt->error = -EINVAL;
4582 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
4584 pt->error = -ENOMEM;
4587 io_init_poll_iocb(poll, req->poll.events, io_poll_double_wake);
4588 refcount_inc(&req->refs);
4589 poll->wait.private = req;
4590 req->io = (void *) poll;
4596 if (poll->events & EPOLLEXCLUSIVE)
4597 add_wait_queue_exclusive(head, &poll->wait);
4599 add_wait_queue(head, &poll->wait);
4602 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
4603 struct poll_table_struct *p)
4605 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4607 __io_queue_proc(&pt->req->apoll->poll, pt, head);
4610 static void io_async_task_func(struct callback_head *cb)
4612 struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
4613 struct async_poll *apoll = req->apoll;
4614 struct io_ring_ctx *ctx = req->ctx;
4616 trace_io_uring_task_run(req->ctx, req->opcode, req->user_data);
4618 if (io_poll_rewait(req, &apoll->poll)) {
4619 spin_unlock_irq(&ctx->completion_lock);
4623 /* If req is still hashed, it cannot have been canceled. Don't check. */
4624 if (hash_hashed(&req->hash_node))
4625 hash_del(&req->hash_node);
4627 spin_unlock_irq(&ctx->completion_lock);
4629 /* restore ->work in case we need to retry again */
4630 if (req->flags & REQ_F_WORK_INITIALIZED)
4631 memcpy(&req->work, &apoll->work, sizeof(req->work));
4634 if (!READ_ONCE(apoll->poll.canceled))
4635 __io_req_task_submit(req);
4637 __io_req_task_cancel(req, -ECANCELED);
4640 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4643 struct io_kiocb *req = wait->private;
4644 struct io_poll_iocb *poll = &req->apoll->poll;
4646 trace_io_uring_poll_wake(req->ctx, req->opcode, req->user_data,
4649 return __io_async_wake(req, poll, key_to_poll(key), io_async_task_func);
4652 static void io_poll_req_insert(struct io_kiocb *req)
4654 struct io_ring_ctx *ctx = req->ctx;
4655 struct hlist_head *list;
4657 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
4658 hlist_add_head(&req->hash_node, list);
4661 static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
4662 struct io_poll_iocb *poll,
4663 struct io_poll_table *ipt, __poll_t mask,
4664 wait_queue_func_t wake_func)
4665 __acquires(&ctx->completion_lock)
4667 struct io_ring_ctx *ctx = req->ctx;
4668 bool cancel = false;
4670 io_init_poll_iocb(poll, mask, wake_func);
4671 poll->file = req->file;
4672 poll->wait.private = req;
4674 ipt->pt._key = mask;
4676 ipt->error = -EINVAL;
4678 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
4680 spin_lock_irq(&ctx->completion_lock);
4681 if (likely(poll->head)) {
4682 spin_lock(&poll->head->lock);
4683 if (unlikely(list_empty(&poll->wait.entry))) {
4689 if (mask || ipt->error)
4690 list_del_init(&poll->wait.entry);
4692 WRITE_ONCE(poll->canceled, true);
4693 else if (!poll->done) /* actually waiting for an event */
4694 io_poll_req_insert(req);
4695 spin_unlock(&poll->head->lock);
4701 static bool io_arm_poll_handler(struct io_kiocb *req)
4703 const struct io_op_def *def = &io_op_defs[req->opcode];
4704 struct io_ring_ctx *ctx = req->ctx;
4705 struct async_poll *apoll;
4706 struct io_poll_table ipt;
4710 if (!req->file || !file_can_poll(req->file))
4712 if (req->flags & REQ_F_POLLED)
4714 if (!def->pollin && !def->pollout)
4717 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
4718 if (unlikely(!apoll))
4721 req->flags |= REQ_F_POLLED;
4722 if (req->flags & REQ_F_WORK_INITIALIZED)
4723 memcpy(&apoll->work, &req->work, sizeof(req->work));
4724 had_io = req->io != NULL;
4726 io_get_req_task(req);
4728 INIT_HLIST_NODE(&req->hash_node);
4732 mask |= POLLIN | POLLRDNORM;
4734 mask |= POLLOUT | POLLWRNORM;
4735 mask |= POLLERR | POLLPRI;
4737 ipt.pt._qproc = io_async_queue_proc;
4739 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
4743 /* only remove double add if we did it here */
4745 io_poll_remove_double(req);
4746 spin_unlock_irq(&ctx->completion_lock);
4747 if (req->flags & REQ_F_WORK_INITIALIZED)
4748 memcpy(&req->work, &apoll->work, sizeof(req->work));
4752 spin_unlock_irq(&ctx->completion_lock);
4753 trace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,
4754 apoll->poll.events);
4758 static bool __io_poll_remove_one(struct io_kiocb *req,
4759 struct io_poll_iocb *poll)
4761 bool do_complete = false;
4763 spin_lock(&poll->head->lock);
4764 WRITE_ONCE(poll->canceled, true);
4765 if (!list_empty(&poll->wait.entry)) {
4766 list_del_init(&poll->wait.entry);
4769 spin_unlock(&poll->head->lock);
4770 hash_del(&req->hash_node);
4774 static bool io_poll_remove_one(struct io_kiocb *req)
4778 if (req->opcode == IORING_OP_POLL_ADD) {
4779 io_poll_remove_double(req);
4780 do_complete = __io_poll_remove_one(req, &req->poll);
4782 struct async_poll *apoll = req->apoll;
4784 /* non-poll requests have submit ref still */
4785 do_complete = __io_poll_remove_one(req, &apoll->poll);
4789 * restore ->work because we will call
4790 * io_req_work_drop_env below when dropping the
4793 if (req->flags & REQ_F_WORK_INITIALIZED)
4794 memcpy(&req->work, &apoll->work,
4801 io_cqring_fill_event(req, -ECANCELED);
4802 io_commit_cqring(req->ctx);
4803 req->flags |= REQ_F_COMP_LOCKED;
4810 static void io_poll_remove_all(struct io_ring_ctx *ctx)
4812 struct hlist_node *tmp;
4813 struct io_kiocb *req;
4816 spin_lock_irq(&ctx->completion_lock);
4817 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
4818 struct hlist_head *list;
4820 list = &ctx->cancel_hash[i];
4821 hlist_for_each_entry_safe(req, tmp, list, hash_node)
4822 posted += io_poll_remove_one(req);
4824 spin_unlock_irq(&ctx->completion_lock);
4827 io_cqring_ev_posted(ctx);
4830 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
4832 struct hlist_head *list;
4833 struct io_kiocb *req;
4835 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
4836 hlist_for_each_entry(req, list, hash_node) {
4837 if (sqe_addr != req->user_data)
4839 if (io_poll_remove_one(req))
4847 static int io_poll_remove_prep(struct io_kiocb *req,
4848 const struct io_uring_sqe *sqe)
4850 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4852 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
4856 req->poll.addr = READ_ONCE(sqe->addr);
4861 * Find a running poll command that matches one specified in sqe->addr,
4862 * and remove it if found.
4864 static int io_poll_remove(struct io_kiocb *req)
4866 struct io_ring_ctx *ctx = req->ctx;
4870 addr = req->poll.addr;
4871 spin_lock_irq(&ctx->completion_lock);
4872 ret = io_poll_cancel(ctx, addr);
4873 spin_unlock_irq(&ctx->completion_lock);
4876 req_set_fail_links(req);
4877 io_req_complete(req, ret);
4881 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
4884 struct io_kiocb *req = wait->private;
4885 struct io_poll_iocb *poll = &req->poll;
4887 return __io_async_wake(req, poll, key_to_poll(key), io_poll_task_func);
4890 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
4891 struct poll_table_struct *p)
4893 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
4895 __io_queue_proc(&pt->req->poll, pt, head);
4898 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4900 struct io_poll_iocb *poll = &req->poll;
4903 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4905 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
4910 events = READ_ONCE(sqe->poll32_events);
4912 events = swahw32(events);
4914 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |
4915 (events & EPOLLEXCLUSIVE);
4917 io_get_req_task(req);
4921 static int io_poll_add(struct io_kiocb *req)
4923 struct io_poll_iocb *poll = &req->poll;
4924 struct io_ring_ctx *ctx = req->ctx;
4925 struct io_poll_table ipt;
4928 INIT_HLIST_NODE(&req->hash_node);
4929 INIT_LIST_HEAD(&req->list);
4930 ipt.pt._qproc = io_poll_queue_proc;
4932 mask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,
4935 if (mask) { /* no async, we'd stolen it */
4937 io_poll_complete(req, mask, 0);
4939 spin_unlock_irq(&ctx->completion_lock);
4942 io_cqring_ev_posted(ctx);
4948 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
4950 struct io_timeout_data *data = container_of(timer,
4951 struct io_timeout_data, timer);
4952 struct io_kiocb *req = data->req;
4953 struct io_ring_ctx *ctx = req->ctx;
4954 unsigned long flags;
4956 atomic_inc(&ctx->cq_timeouts);
4958 spin_lock_irqsave(&ctx->completion_lock, flags);
4960 * We could be racing with timeout deletion. If the list is empty,
4961 * then timeout lookup already found it and will be handling it.
4963 if (!list_empty(&req->list))
4964 list_del_init(&req->list);
4966 io_cqring_fill_event(req, -ETIME);
4967 io_commit_cqring(ctx);
4968 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4970 io_cqring_ev_posted(ctx);
4971 req_set_fail_links(req);
4973 return HRTIMER_NORESTART;
4976 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
4978 struct io_kiocb *req;
4981 list_for_each_entry(req, &ctx->timeout_list, list) {
4982 if (user_data == req->user_data) {
4983 list_del_init(&req->list);
4992 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
4996 req_set_fail_links(req);
4997 io_cqring_fill_event(req, -ECANCELED);
5002 static int io_timeout_remove_prep(struct io_kiocb *req,
5003 const struct io_uring_sqe *sqe)
5005 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5007 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
5010 req->timeout.addr = READ_ONCE(sqe->addr);
5011 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
5012 if (req->timeout.flags)
5019 * Remove or update an existing timeout command
5021 static int io_timeout_remove(struct io_kiocb *req)
5023 struct io_ring_ctx *ctx = req->ctx;
5026 spin_lock_irq(&ctx->completion_lock);
5027 ret = io_timeout_cancel(ctx, req->timeout.addr);
5029 io_cqring_fill_event(req, ret);
5030 io_commit_cqring(ctx);
5031 spin_unlock_irq(&ctx->completion_lock);
5032 io_cqring_ev_posted(ctx);
5034 req_set_fail_links(req);
5039 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5040 bool is_timeout_link)
5042 struct io_timeout_data *data;
5044 u32 off = READ_ONCE(sqe->off);
5046 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5048 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
5050 if (off && is_timeout_link)
5052 flags = READ_ONCE(sqe->timeout_flags);
5053 if (flags & ~IORING_TIMEOUT_ABS)
5056 req->timeout.off = off;
5058 if (!req->io && io_alloc_async_ctx(req))
5061 data = &req->io->timeout;
5064 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5067 if (flags & IORING_TIMEOUT_ABS)
5068 data->mode = HRTIMER_MODE_ABS;
5070 data->mode = HRTIMER_MODE_REL;
5072 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
5076 static int io_timeout(struct io_kiocb *req)
5078 struct io_ring_ctx *ctx = req->ctx;
5079 struct io_timeout_data *data = &req->io->timeout;
5080 struct list_head *entry;
5081 u32 tail, off = req->timeout.off;
5083 spin_lock_irq(&ctx->completion_lock);
5086 * sqe->off holds how many events that need to occur for this
5087 * timeout event to be satisfied. If it isn't set, then this is
5088 * a pure timeout request, sequence isn't used.
5090 if (io_is_timeout_noseq(req)) {
5091 entry = ctx->timeout_list.prev;
5095 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
5096 req->timeout.target_seq = tail + off;
5099 * Insertion sort, ensuring the first entry in the list is always
5100 * the one we need first.
5102 list_for_each_prev(entry, &ctx->timeout_list) {
5103 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5105 if (io_is_timeout_noseq(nxt))
5107 /* nxt.seq is behind @tail, otherwise would've been completed */
5108 if (off >= nxt->timeout.target_seq - tail)
5112 list_add(&req->list, entry);
5113 data->timer.function = io_timeout_fn;
5114 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5115 spin_unlock_irq(&ctx->completion_lock);
5119 static bool io_cancel_cb(struct io_wq_work *work, void *data)
5121 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5123 return req->user_data == (unsigned long) data;
5126 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
5128 enum io_wq_cancel cancel_ret;
5131 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr, false);
5132 switch (cancel_ret) {
5133 case IO_WQ_CANCEL_OK:
5136 case IO_WQ_CANCEL_RUNNING:
5139 case IO_WQ_CANCEL_NOTFOUND:
5147 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
5148 struct io_kiocb *req, __u64 sqe_addr,
5151 unsigned long flags;
5154 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
5155 if (ret != -ENOENT) {
5156 spin_lock_irqsave(&ctx->completion_lock, flags);
5160 spin_lock_irqsave(&ctx->completion_lock, flags);
5161 ret = io_timeout_cancel(ctx, sqe_addr);
5164 ret = io_poll_cancel(ctx, sqe_addr);
5168 io_cqring_fill_event(req, ret);
5169 io_commit_cqring(ctx);
5170 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5171 io_cqring_ev_posted(ctx);
5174 req_set_fail_links(req);
5178 static int io_async_cancel_prep(struct io_kiocb *req,
5179 const struct io_uring_sqe *sqe)
5181 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5183 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
5187 req->cancel.addr = READ_ONCE(sqe->addr);
5191 static int io_async_cancel(struct io_kiocb *req)
5193 struct io_ring_ctx *ctx = req->ctx;
5195 io_async_find_and_cancel(ctx, req, req->cancel.addr, 0);
5199 static int io_files_update_prep(struct io_kiocb *req,
5200 const struct io_uring_sqe *sqe)
5202 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
5205 req->files_update.offset = READ_ONCE(sqe->off);
5206 req->files_update.nr_args = READ_ONCE(sqe->len);
5207 if (!req->files_update.nr_args)
5209 req->files_update.arg = READ_ONCE(sqe->addr);
5213 static int io_files_update(struct io_kiocb *req, bool force_nonblock,
5214 struct io_comp_state *cs)
5216 struct io_ring_ctx *ctx = req->ctx;
5217 struct io_uring_files_update up;
5223 up.offset = req->files_update.offset;
5224 up.fds = req->files_update.arg;
5226 mutex_lock(&ctx->uring_lock);
5227 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
5228 mutex_unlock(&ctx->uring_lock);
5231 req_set_fail_links(req);
5232 __io_req_complete(req, ret, 0, cs);
5236 static int io_req_defer_prep(struct io_kiocb *req,
5237 const struct io_uring_sqe *sqe)
5244 if (io_op_defs[req->opcode].file_table) {
5245 io_req_init_async(req);
5246 ret = io_grab_files(req);
5251 switch (req->opcode) {
5254 case IORING_OP_READV:
5255 case IORING_OP_READ_FIXED:
5256 case IORING_OP_READ:
5257 ret = io_read_prep(req, sqe, true);
5259 case IORING_OP_WRITEV:
5260 case IORING_OP_WRITE_FIXED:
5261 case IORING_OP_WRITE:
5262 ret = io_write_prep(req, sqe, true);
5264 case IORING_OP_POLL_ADD:
5265 ret = io_poll_add_prep(req, sqe);
5267 case IORING_OP_POLL_REMOVE:
5268 ret = io_poll_remove_prep(req, sqe);
5270 case IORING_OP_FSYNC:
5271 ret = io_prep_fsync(req, sqe);
5273 case IORING_OP_SYNC_FILE_RANGE:
5274 ret = io_prep_sfr(req, sqe);
5276 case IORING_OP_SENDMSG:
5277 case IORING_OP_SEND:
5278 ret = io_sendmsg_prep(req, sqe);
5280 case IORING_OP_RECVMSG:
5281 case IORING_OP_RECV:
5282 ret = io_recvmsg_prep(req, sqe);
5284 case IORING_OP_CONNECT:
5285 ret = io_connect_prep(req, sqe);
5287 case IORING_OP_TIMEOUT:
5288 ret = io_timeout_prep(req, sqe, false);
5290 case IORING_OP_TIMEOUT_REMOVE:
5291 ret = io_timeout_remove_prep(req, sqe);
5293 case IORING_OP_ASYNC_CANCEL:
5294 ret = io_async_cancel_prep(req, sqe);
5296 case IORING_OP_LINK_TIMEOUT:
5297 ret = io_timeout_prep(req, sqe, true);
5299 case IORING_OP_ACCEPT:
5300 ret = io_accept_prep(req, sqe);
5302 case IORING_OP_FALLOCATE:
5303 ret = io_fallocate_prep(req, sqe);
5305 case IORING_OP_OPENAT:
5306 ret = io_openat_prep(req, sqe);
5308 case IORING_OP_CLOSE:
5309 ret = io_close_prep(req, sqe);
5311 case IORING_OP_FILES_UPDATE:
5312 ret = io_files_update_prep(req, sqe);
5314 case IORING_OP_STATX:
5315 ret = io_statx_prep(req, sqe);
5317 case IORING_OP_FADVISE:
5318 ret = io_fadvise_prep(req, sqe);
5320 case IORING_OP_MADVISE:
5321 ret = io_madvise_prep(req, sqe);
5323 case IORING_OP_OPENAT2:
5324 ret = io_openat2_prep(req, sqe);
5326 case IORING_OP_EPOLL_CTL:
5327 ret = io_epoll_ctl_prep(req, sqe);
5329 case IORING_OP_SPLICE:
5330 ret = io_splice_prep(req, sqe);
5332 case IORING_OP_PROVIDE_BUFFERS:
5333 ret = io_provide_buffers_prep(req, sqe);
5335 case IORING_OP_REMOVE_BUFFERS:
5336 ret = io_remove_buffers_prep(req, sqe);
5339 ret = io_tee_prep(req, sqe);
5342 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
5351 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5353 struct io_ring_ctx *ctx = req->ctx;
5356 /* Still need defer if there is pending req in defer list. */
5357 if (!req_need_defer(req) && list_empty_careful(&ctx->defer_list))
5361 if (io_alloc_async_ctx(req))
5363 ret = io_req_defer_prep(req, sqe);
5367 io_prep_async_link(req);
5369 spin_lock_irq(&ctx->completion_lock);
5370 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
5371 spin_unlock_irq(&ctx->completion_lock);
5375 trace_io_uring_defer(ctx, req, req->user_data);
5376 list_add_tail(&req->list, &ctx->defer_list);
5377 spin_unlock_irq(&ctx->completion_lock);
5378 return -EIOCBQUEUED;
5381 static void io_cleanup_req(struct io_kiocb *req)
5383 struct io_async_ctx *io = req->io;
5385 switch (req->opcode) {
5386 case IORING_OP_READV:
5387 case IORING_OP_READ_FIXED:
5388 case IORING_OP_READ:
5389 if (req->flags & REQ_F_BUFFER_SELECTED)
5390 kfree((void *)(unsigned long)req->rw.addr);
5392 case IORING_OP_WRITEV:
5393 case IORING_OP_WRITE_FIXED:
5394 case IORING_OP_WRITE:
5395 if (io->rw.iov != io->rw.fast_iov)
5398 case IORING_OP_RECVMSG:
5399 if (req->flags & REQ_F_BUFFER_SELECTED)
5400 kfree(req->sr_msg.kbuf);
5402 case IORING_OP_SENDMSG:
5403 if (io->msg.iov != io->msg.fast_iov)
5406 case IORING_OP_RECV:
5407 if (req->flags & REQ_F_BUFFER_SELECTED)
5408 kfree(req->sr_msg.kbuf);
5410 case IORING_OP_OPENAT:
5411 case IORING_OP_OPENAT2:
5413 case IORING_OP_SPLICE:
5415 io_put_file(req, req->splice.file_in,
5416 (req->splice.flags & SPLICE_F_FD_IN_FIXED));
5420 req->flags &= ~REQ_F_NEED_CLEANUP;
5423 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5424 bool force_nonblock, struct io_comp_state *cs)
5426 struct io_ring_ctx *ctx = req->ctx;
5429 switch (req->opcode) {
5431 ret = io_nop(req, cs);
5433 case IORING_OP_READV:
5434 case IORING_OP_READ_FIXED:
5435 case IORING_OP_READ:
5437 ret = io_read_prep(req, sqe, force_nonblock);
5441 ret = io_read(req, force_nonblock, cs);
5443 case IORING_OP_WRITEV:
5444 case IORING_OP_WRITE_FIXED:
5445 case IORING_OP_WRITE:
5447 ret = io_write_prep(req, sqe, force_nonblock);
5451 ret = io_write(req, force_nonblock, cs);
5453 case IORING_OP_FSYNC:
5455 ret = io_prep_fsync(req, sqe);
5459 ret = io_fsync(req, force_nonblock);
5461 case IORING_OP_POLL_ADD:
5463 ret = io_poll_add_prep(req, sqe);
5467 ret = io_poll_add(req);
5469 case IORING_OP_POLL_REMOVE:
5471 ret = io_poll_remove_prep(req, sqe);
5475 ret = io_poll_remove(req);
5477 case IORING_OP_SYNC_FILE_RANGE:
5479 ret = io_prep_sfr(req, sqe);
5483 ret = io_sync_file_range(req, force_nonblock);
5485 case IORING_OP_SENDMSG:
5486 case IORING_OP_SEND:
5488 ret = io_sendmsg_prep(req, sqe);
5492 if (req->opcode == IORING_OP_SENDMSG)
5493 ret = io_sendmsg(req, force_nonblock, cs);
5495 ret = io_send(req, force_nonblock, cs);
5497 case IORING_OP_RECVMSG:
5498 case IORING_OP_RECV:
5500 ret = io_recvmsg_prep(req, sqe);
5504 if (req->opcode == IORING_OP_RECVMSG)
5505 ret = io_recvmsg(req, force_nonblock, cs);
5507 ret = io_recv(req, force_nonblock, cs);
5509 case IORING_OP_TIMEOUT:
5511 ret = io_timeout_prep(req, sqe, false);
5515 ret = io_timeout(req);
5517 case IORING_OP_TIMEOUT_REMOVE:
5519 ret = io_timeout_remove_prep(req, sqe);
5523 ret = io_timeout_remove(req);
5525 case IORING_OP_ACCEPT:
5527 ret = io_accept_prep(req, sqe);
5531 ret = io_accept(req, force_nonblock, cs);
5533 case IORING_OP_CONNECT:
5535 ret = io_connect_prep(req, sqe);
5539 ret = io_connect(req, force_nonblock, cs);
5541 case IORING_OP_ASYNC_CANCEL:
5543 ret = io_async_cancel_prep(req, sqe);
5547 ret = io_async_cancel(req);
5549 case IORING_OP_FALLOCATE:
5551 ret = io_fallocate_prep(req, sqe);
5555 ret = io_fallocate(req, force_nonblock);
5557 case IORING_OP_OPENAT:
5559 ret = io_openat_prep(req, sqe);
5563 ret = io_openat(req, force_nonblock);
5565 case IORING_OP_CLOSE:
5567 ret = io_close_prep(req, sqe);
5571 ret = io_close(req, force_nonblock, cs);
5573 case IORING_OP_FILES_UPDATE:
5575 ret = io_files_update_prep(req, sqe);
5579 ret = io_files_update(req, force_nonblock, cs);
5581 case IORING_OP_STATX:
5583 ret = io_statx_prep(req, sqe);
5587 ret = io_statx(req, force_nonblock);
5589 case IORING_OP_FADVISE:
5591 ret = io_fadvise_prep(req, sqe);
5595 ret = io_fadvise(req, force_nonblock);
5597 case IORING_OP_MADVISE:
5599 ret = io_madvise_prep(req, sqe);
5603 ret = io_madvise(req, force_nonblock);
5605 case IORING_OP_OPENAT2:
5607 ret = io_openat2_prep(req, sqe);
5611 ret = io_openat2(req, force_nonblock);
5613 case IORING_OP_EPOLL_CTL:
5615 ret = io_epoll_ctl_prep(req, sqe);
5619 ret = io_epoll_ctl(req, force_nonblock, cs);
5621 case IORING_OP_SPLICE:
5623 ret = io_splice_prep(req, sqe);
5627 ret = io_splice(req, force_nonblock);
5629 case IORING_OP_PROVIDE_BUFFERS:
5631 ret = io_provide_buffers_prep(req, sqe);
5635 ret = io_provide_buffers(req, force_nonblock, cs);
5637 case IORING_OP_REMOVE_BUFFERS:
5639 ret = io_remove_buffers_prep(req, sqe);
5643 ret = io_remove_buffers(req, force_nonblock, cs);
5647 ret = io_tee_prep(req, sqe);
5651 ret = io_tee(req, force_nonblock);
5661 /* If the op doesn't have a file, we're not polling for it */
5662 if ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {
5663 const bool in_async = io_wq_current_is_worker();
5665 /* workqueue context doesn't hold uring_lock, grab it now */
5667 mutex_lock(&ctx->uring_lock);
5669 io_iopoll_req_issued(req);
5672 mutex_unlock(&ctx->uring_lock);
5678 static void io_arm_async_linked_timeout(struct io_kiocb *req)
5680 struct io_kiocb *link;
5682 /* link head's timeout is queued in io_queue_async_work() */
5683 if (!(req->flags & REQ_F_QUEUE_TIMEOUT))
5686 link = list_first_entry(&req->link_list, struct io_kiocb, link_list);
5687 io_queue_linked_timeout(link);
5690 static struct io_wq_work *io_wq_submit_work(struct io_wq_work *work)
5692 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5695 io_arm_async_linked_timeout(req);
5697 /* if NO_CANCEL is set, we must still run the work */
5698 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
5699 IO_WQ_WORK_CANCEL) {
5705 ret = io_issue_sqe(req, NULL, false, NULL);
5707 * We can get EAGAIN for polled IO even though we're
5708 * forcing a sync submission from here, since we can't
5709 * wait for request slots on the block side.
5718 req_set_fail_links(req);
5719 io_req_complete(req, ret);
5722 return io_steal_work(req);
5725 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
5728 struct fixed_file_table *table;
5730 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
5731 return table->files[index & IORING_FILE_TABLE_MASK];
5734 static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
5735 int fd, struct file **out_file, bool fixed)
5737 struct io_ring_ctx *ctx = req->ctx;
5741 if (unlikely(!ctx->file_data ||
5742 (unsigned) fd >= ctx->nr_user_files))
5744 fd = array_index_nospec(fd, ctx->nr_user_files);
5745 file = io_file_from_index(ctx, fd);
5747 req->fixed_file_refs = ctx->file_data->cur_refs;
5748 percpu_ref_get(req->fixed_file_refs);
5751 trace_io_uring_file_get(ctx, fd);
5752 file = __io_file_get(state, fd);
5755 if (file || io_op_defs[req->opcode].needs_file_no_error) {
5762 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
5767 fixed = (req->flags & REQ_F_FIXED_FILE) != 0;
5768 if (unlikely(!fixed && io_async_submit(req->ctx)))
5771 return io_file_get(state, req, fd, &req->file, fixed);
5774 static int io_grab_files(struct io_kiocb *req)
5777 struct io_ring_ctx *ctx = req->ctx;
5779 if (req->work.files || (req->flags & REQ_F_NO_FILE_TABLE))
5781 if (!ctx->ring_file)
5785 spin_lock_irq(&ctx->inflight_lock);
5787 * We use the f_ops->flush() handler to ensure that we can flush
5788 * out work accessing these files if the fd is closed. Check if
5789 * the fd has changed since we started down this path, and disallow
5790 * this operation if it has.
5792 if (fcheck(ctx->ring_fd) == ctx->ring_file) {
5793 list_add(&req->inflight_entry, &ctx->inflight_list);
5794 req->flags |= REQ_F_INFLIGHT;
5795 req->work.files = current->files;
5798 spin_unlock_irq(&ctx->inflight_lock);
5804 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
5806 struct io_timeout_data *data = container_of(timer,
5807 struct io_timeout_data, timer);
5808 struct io_kiocb *req = data->req;
5809 struct io_ring_ctx *ctx = req->ctx;
5810 struct io_kiocb *prev = NULL;
5811 unsigned long flags;
5813 spin_lock_irqsave(&ctx->completion_lock, flags);
5816 * We don't expect the list to be empty, that will only happen if we
5817 * race with the completion of the linked work.
5819 if (!list_empty(&req->link_list)) {
5820 prev = list_entry(req->link_list.prev, struct io_kiocb,
5822 if (refcount_inc_not_zero(&prev->refs)) {
5823 list_del_init(&req->link_list);
5824 prev->flags &= ~REQ_F_LINK_TIMEOUT;
5829 spin_unlock_irqrestore(&ctx->completion_lock, flags);
5832 req_set_fail_links(prev);
5833 io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
5836 io_req_complete(req, -ETIME);
5838 return HRTIMER_NORESTART;
5841 static void io_queue_linked_timeout(struct io_kiocb *req)
5843 struct io_ring_ctx *ctx = req->ctx;
5846 * If the list is now empty, then our linked request finished before
5847 * we got a chance to setup the timer
5849 spin_lock_irq(&ctx->completion_lock);
5850 if (!list_empty(&req->link_list)) {
5851 struct io_timeout_data *data = &req->io->timeout;
5853 data->timer.function = io_link_timeout_fn;
5854 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
5857 spin_unlock_irq(&ctx->completion_lock);
5859 /* drop submission reference */
5863 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
5865 struct io_kiocb *nxt;
5867 if (!(req->flags & REQ_F_LINK_HEAD))
5869 /* for polled retry, if flag is set, we already went through here */
5870 if (req->flags & REQ_F_POLLED)
5873 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
5875 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
5878 req->flags |= REQ_F_LINK_TIMEOUT;
5882 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5883 struct io_comp_state *cs)
5885 struct io_kiocb *linked_timeout;
5886 struct io_kiocb *nxt;
5887 const struct cred *old_creds = NULL;
5891 linked_timeout = io_prep_linked_timeout(req);
5893 if ((req->flags & REQ_F_WORK_INITIALIZED) && req->work.creds &&
5894 req->work.creds != current_cred()) {
5896 revert_creds(old_creds);
5897 if (old_creds == req->work.creds)
5898 old_creds = NULL; /* restored original creds */
5900 old_creds = override_creds(req->work.creds);
5903 ret = io_issue_sqe(req, sqe, true, cs);
5906 * We async punt it if the file wasn't marked NOWAIT, or if the file
5907 * doesn't support non-blocking read/write attempts
5909 if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
5910 if (io_arm_poll_handler(req)) {
5912 io_queue_linked_timeout(linked_timeout);
5916 io_req_init_async(req);
5918 if (io_op_defs[req->opcode].file_table) {
5919 ret = io_grab_files(req);
5925 * Queued up for async execution, worker will release
5926 * submit reference when the iocb is actually submitted.
5928 io_queue_async_work(req);
5933 /* drop submission reference */
5934 nxt = io_put_req_find_next(req);
5936 if (linked_timeout) {
5938 io_queue_linked_timeout(linked_timeout);
5940 io_put_req(linked_timeout);
5943 /* and drop final reference, if we failed */
5945 req_set_fail_links(req);
5946 io_req_complete(req, ret);
5951 if (req->flags & REQ_F_FORCE_ASYNC)
5957 revert_creds(old_creds);
5960 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
5961 struct io_comp_state *cs)
5965 ret = io_req_defer(req, sqe);
5967 if (ret != -EIOCBQUEUED) {
5969 req_set_fail_links(req);
5971 io_req_complete(req, ret);
5973 } else if (req->flags & REQ_F_FORCE_ASYNC) {
5976 if (io_alloc_async_ctx(req))
5978 ret = io_req_defer_prep(req, sqe);
5979 if (unlikely(ret < 0))
5984 * Never try inline submit of IOSQE_ASYNC is set, go straight
5985 * to async execution.
5987 req->work.flags |= IO_WQ_WORK_CONCURRENT;
5988 io_queue_async_work(req);
5990 __io_queue_sqe(req, sqe, cs);
5994 static inline void io_queue_link_head(struct io_kiocb *req,
5995 struct io_comp_state *cs)
5997 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
5999 io_req_complete(req, -ECANCELED);
6001 io_queue_sqe(req, NULL, cs);
6004 static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6005 struct io_kiocb **link, struct io_comp_state *cs)
6007 struct io_ring_ctx *ctx = req->ctx;
6011 * If we already have a head request, queue this one for async
6012 * submittal once the head completes. If we don't have a head but
6013 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
6014 * submitted sync once the chain is complete. If none of those
6015 * conditions are true (normal request), then just queue it.
6018 struct io_kiocb *head = *link;
6021 * Taking sequential execution of a link, draining both sides
6022 * of the link also fullfils IOSQE_IO_DRAIN semantics for all
6023 * requests in the link. So, it drains the head and the
6024 * next after the link request. The last one is done via
6025 * drain_next flag to persist the effect across calls.
6027 if (req->flags & REQ_F_IO_DRAIN) {
6028 head->flags |= REQ_F_IO_DRAIN;
6029 ctx->drain_next = 1;
6031 if (io_alloc_async_ctx(req))
6034 ret = io_req_defer_prep(req, sqe);
6036 /* fail even hard links since we don't submit */
6037 head->flags |= REQ_F_FAIL_LINK;
6040 trace_io_uring_link(ctx, req, head);
6041 io_get_req_task(req);
6042 list_add_tail(&req->link_list, &head->link_list);
6044 /* last request of a link, enqueue the link */
6045 if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
6046 io_queue_link_head(head, cs);
6050 if (unlikely(ctx->drain_next)) {
6051 req->flags |= REQ_F_IO_DRAIN;
6052 ctx->drain_next = 0;
6054 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
6055 req->flags |= REQ_F_LINK_HEAD;
6056 INIT_LIST_HEAD(&req->link_list);
6058 if (io_alloc_async_ctx(req))
6061 ret = io_req_defer_prep(req, sqe);
6063 req->flags |= REQ_F_FAIL_LINK;
6066 io_queue_sqe(req, sqe, cs);
6074 * Batched submission is done, ensure local IO is flushed out.
6076 static void io_submit_state_end(struct io_submit_state *state)
6078 if (!list_empty(&state->comp.list))
6079 io_submit_flush_completions(&state->comp);
6080 blk_finish_plug(&state->plug);
6081 io_state_file_put(state);
6082 if (state->free_reqs)
6083 kmem_cache_free_bulk(req_cachep, state->free_reqs, state->reqs);
6087 * Start submission side cache.
6089 static void io_submit_state_start(struct io_submit_state *state,
6090 struct io_ring_ctx *ctx, unsigned int max_ios)
6092 blk_start_plug(&state->plug);
6094 state->plug.nowait = true;
6097 INIT_LIST_HEAD(&state->comp.list);
6098 state->comp.ctx = ctx;
6099 state->free_reqs = 0;
6101 state->ios_left = max_ios;
6104 static void io_commit_sqring(struct io_ring_ctx *ctx)
6106 struct io_rings *rings = ctx->rings;
6109 * Ensure any loads from the SQEs are done at this point,
6110 * since once we write the new head, the application could
6111 * write new data to them.
6113 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
6117 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
6118 * that is mapped by userspace. This means that care needs to be taken to
6119 * ensure that reads are stable, as we cannot rely on userspace always
6120 * being a good citizen. If members of the sqe are validated and then later
6121 * used, it's important that those reads are done through READ_ONCE() to
6122 * prevent a re-load down the line.
6124 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
6126 u32 *sq_array = ctx->sq_array;
6130 * The cached sq head (or cq tail) serves two purposes:
6132 * 1) allows us to batch the cost of updating the user visible
6134 * 2) allows the kernel side to track the head on its own, even
6135 * though the application is the one updating it.
6137 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
6138 if (likely(head < ctx->sq_entries))
6139 return &ctx->sq_sqes[head];
6141 /* drop invalid entries */
6142 ctx->cached_sq_dropped++;
6143 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
6147 static inline void io_consume_sqe(struct io_ring_ctx *ctx)
6149 ctx->cached_sq_head++;
6152 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
6153 IOSQE_IO_HARDLINK | IOSQE_ASYNC | \
6154 IOSQE_BUFFER_SELECT)
6156 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
6157 const struct io_uring_sqe *sqe,
6158 struct io_submit_state *state)
6160 unsigned int sqe_flags;
6164 * All io need record the previous position, if LINK vs DARIN,
6165 * it can be used to mark the position of the first IO in the
6168 req->sequence = ctx->cached_sq_head - ctx->cached_sq_dropped;
6169 req->opcode = READ_ONCE(sqe->opcode);
6170 req->user_data = READ_ONCE(sqe->user_data);
6175 /* one is dropped after submission, the other at completion */
6176 refcount_set(&req->refs, 2);
6177 req->task = current;
6180 if (unlikely(req->opcode >= IORING_OP_LAST))
6183 if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
6186 sqe_flags = READ_ONCE(sqe->flags);
6187 /* enforce forwards compatibility on users */
6188 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS))
6191 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
6192 !io_op_defs[req->opcode].buffer_select)
6195 id = READ_ONCE(sqe->personality);
6197 io_req_init_async(req);
6198 req->work.creds = idr_find(&ctx->personality_idr, id);
6199 if (unlikely(!req->work.creds))
6201 get_cred(req->work.creds);
6204 /* same numerical values with corresponding REQ_F_*, safe to copy */
6205 req->flags |= sqe_flags;
6207 if (!io_op_defs[req->opcode].needs_file)
6210 return io_req_set_file(state, req, READ_ONCE(sqe->fd));
6213 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
6214 struct file *ring_file, int ring_fd)
6216 struct io_submit_state state;
6217 struct io_kiocb *link = NULL;
6218 int i, submitted = 0;
6220 /* if we have a backlog and couldn't flush it all, return BUSY */
6221 if (test_bit(0, &ctx->sq_check_overflow)) {
6222 if (!list_empty(&ctx->cq_overflow_list) &&
6223 !io_cqring_overflow_flush(ctx, false))
6227 /* make sure SQ entry isn't read before tail */
6228 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
6230 if (!percpu_ref_tryget_many(&ctx->refs, nr))
6233 io_submit_state_start(&state, ctx, nr);
6235 ctx->ring_fd = ring_fd;
6236 ctx->ring_file = ring_file;
6238 for (i = 0; i < nr; i++) {
6239 const struct io_uring_sqe *sqe;
6240 struct io_kiocb *req;
6243 sqe = io_get_sqe(ctx);
6244 if (unlikely(!sqe)) {
6245 io_consume_sqe(ctx);
6248 req = io_alloc_req(ctx, &state);
6249 if (unlikely(!req)) {
6251 submitted = -EAGAIN;
6255 err = io_init_req(ctx, req, sqe, &state);
6256 io_consume_sqe(ctx);
6257 /* will complete beyond this point, count as submitted */
6260 if (unlikely(err)) {
6263 io_req_complete(req, err);
6267 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
6268 true, io_async_submit(ctx));
6269 err = io_submit_sqe(req, sqe, &link, &state.comp);
6274 if (unlikely(submitted != nr)) {
6275 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
6277 percpu_ref_put_many(&ctx->refs, nr - ref_used);
6280 io_queue_link_head(link, &state.comp);
6281 io_submit_state_end(&state);
6283 /* Commit SQ ring head once we've consumed and submitted all SQEs */
6284 io_commit_sqring(ctx);
6289 static int io_sq_thread(void *data)
6291 struct io_ring_ctx *ctx = data;
6292 const struct cred *old_cred;
6294 unsigned long timeout;
6297 complete(&ctx->sq_thread_comp);
6299 old_cred = override_creds(ctx->creds);
6301 timeout = jiffies + ctx->sq_thread_idle;
6302 while (!kthread_should_park()) {
6303 unsigned int to_submit;
6305 if (!list_empty(&ctx->poll_list)) {
6306 unsigned nr_events = 0;
6308 mutex_lock(&ctx->uring_lock);
6309 if (!list_empty(&ctx->poll_list))
6310 io_iopoll_getevents(ctx, &nr_events, 0);
6312 timeout = jiffies + ctx->sq_thread_idle;
6313 mutex_unlock(&ctx->uring_lock);
6316 to_submit = io_sqring_entries(ctx);
6319 * If submit got -EBUSY, flag us as needing the application
6320 * to enter the kernel to reap and flush events.
6322 if (!to_submit || ret == -EBUSY || need_resched()) {
6324 * Drop cur_mm before scheduling, we can't hold it for
6325 * long periods (or over schedule()). Do this before
6326 * adding ourselves to the waitqueue, as the unuse/drop
6329 io_sq_thread_drop_mm(ctx);
6332 * We're polling. If we're within the defined idle
6333 * period, then let us spin without work before going
6334 * to sleep. The exception is if we got EBUSY doing
6335 * more IO, we should wait for the application to
6336 * reap events and wake us up.
6338 if (!list_empty(&ctx->poll_list) || need_resched() ||
6339 (!time_after(jiffies, timeout) && ret != -EBUSY &&
6340 !percpu_ref_is_dying(&ctx->refs))) {
6341 if (current->task_works)
6347 prepare_to_wait(&ctx->sqo_wait, &wait,
6348 TASK_INTERRUPTIBLE);
6351 * While doing polled IO, before going to sleep, we need
6352 * to check if there are new reqs added to poll_list, it
6353 * is because reqs may have been punted to io worker and
6354 * will be added to poll_list later, hence check the
6357 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
6358 !list_empty_careful(&ctx->poll_list)) {
6359 finish_wait(&ctx->sqo_wait, &wait);
6363 /* Tell userspace we may need a wakeup call */
6364 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
6365 /* make sure to read SQ tail after writing flags */
6368 to_submit = io_sqring_entries(ctx);
6369 if (!to_submit || ret == -EBUSY) {
6370 if (kthread_should_park()) {
6371 finish_wait(&ctx->sqo_wait, &wait);
6374 if (current->task_works) {
6376 finish_wait(&ctx->sqo_wait, &wait);
6379 if (signal_pending(current))
6380 flush_signals(current);
6382 finish_wait(&ctx->sqo_wait, &wait);
6384 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6388 finish_wait(&ctx->sqo_wait, &wait);
6390 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6393 mutex_lock(&ctx->uring_lock);
6394 if (likely(!percpu_ref_is_dying(&ctx->refs)))
6395 ret = io_submit_sqes(ctx, to_submit, NULL, -1);
6396 mutex_unlock(&ctx->uring_lock);
6397 timeout = jiffies + ctx->sq_thread_idle;
6400 if (current->task_works)
6403 io_sq_thread_drop_mm(ctx);
6404 revert_creds(old_cred);
6411 struct io_wait_queue {
6412 struct wait_queue_entry wq;
6413 struct io_ring_ctx *ctx;
6415 unsigned nr_timeouts;
6418 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
6420 struct io_ring_ctx *ctx = iowq->ctx;
6423 * Wake up if we have enough events, or if a timeout occurred since we
6424 * started waiting. For timeouts, we always want to return to userspace,
6425 * regardless of event count.
6427 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
6428 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
6431 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
6432 int wake_flags, void *key)
6434 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
6437 /* use noflush == true, as we can't safely rely on locking context */
6438 if (!io_should_wake(iowq, true))
6441 return autoremove_wake_function(curr, mode, wake_flags, key);
6445 * Wait until events become available, if we don't already have some. The
6446 * application must reap them itself, as they reside on the shared cq ring.
6448 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
6449 const sigset_t __user *sig, size_t sigsz)
6451 struct io_wait_queue iowq = {
6454 .func = io_wake_function,
6455 .entry = LIST_HEAD_INIT(iowq.wq.entry),
6458 .to_wait = min_events,
6460 struct io_rings *rings = ctx->rings;
6464 if (io_cqring_events(ctx, false) >= min_events)
6466 if (!current->task_works)
6472 #ifdef CONFIG_COMPAT
6473 if (in_compat_syscall())
6474 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
6478 ret = set_user_sigmask(sig, sigsz);
6484 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
6485 trace_io_uring_cqring_wait(ctx, min_events);
6487 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
6488 TASK_INTERRUPTIBLE);
6489 if (current->task_works)
6491 if (io_should_wake(&iowq, false))
6494 if (signal_pending(current)) {
6499 finish_wait(&ctx->wait, &iowq.wq);
6501 restore_saved_sigmask_unless(ret == -EINTR);
6503 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
6506 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
6508 #if defined(CONFIG_UNIX)
6509 if (ctx->ring_sock) {
6510 struct sock *sock = ctx->ring_sock->sk;
6511 struct sk_buff *skb;
6513 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
6519 for (i = 0; i < ctx->nr_user_files; i++) {
6522 file = io_file_from_index(ctx, i);
6529 static void io_file_ref_kill(struct percpu_ref *ref)
6531 struct fixed_file_data *data;
6533 data = container_of(ref, struct fixed_file_data, refs);
6534 complete(&data->done);
6537 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
6539 struct fixed_file_data *data = ctx->file_data;
6540 struct fixed_file_ref_node *ref_node = NULL;
6541 unsigned nr_tables, i;
6546 spin_lock(&data->lock);
6547 if (!list_empty(&data->ref_list))
6548 ref_node = list_first_entry(&data->ref_list,
6549 struct fixed_file_ref_node, node);
6550 spin_unlock(&data->lock);
6552 percpu_ref_kill(&ref_node->refs);
6554 percpu_ref_kill(&data->refs);
6556 /* wait for all refs nodes to complete */
6557 flush_delayed_work(&ctx->file_put_work);
6558 wait_for_completion(&data->done);
6560 __io_sqe_files_unregister(ctx);
6561 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
6562 for (i = 0; i < nr_tables; i++)
6563 kfree(data->table[i].files);
6565 percpu_ref_exit(&data->refs);
6567 ctx->file_data = NULL;
6568 ctx->nr_user_files = 0;
6572 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
6574 if (ctx->sqo_thread) {
6575 wait_for_completion(&ctx->sq_thread_comp);
6577 * The park is a bit of a work-around, without it we get
6578 * warning spews on shutdown with SQPOLL set and affinity
6579 * set to a single CPU.
6581 kthread_park(ctx->sqo_thread);
6582 kthread_stop(ctx->sqo_thread);
6583 ctx->sqo_thread = NULL;
6587 static void io_finish_async(struct io_ring_ctx *ctx)
6589 io_sq_thread_stop(ctx);
6592 io_wq_destroy(ctx->io_wq);
6597 #if defined(CONFIG_UNIX)
6599 * Ensure the UNIX gc is aware of our file set, so we are certain that
6600 * the io_uring can be safely unregistered on process exit, even if we have
6601 * loops in the file referencing.
6603 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
6605 struct sock *sk = ctx->ring_sock->sk;
6606 struct scm_fp_list *fpl;
6607 struct sk_buff *skb;
6610 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
6614 skb = alloc_skb(0, GFP_KERNEL);
6623 fpl->user = get_uid(ctx->user);
6624 for (i = 0; i < nr; i++) {
6625 struct file *file = io_file_from_index(ctx, i + offset);
6629 fpl->fp[nr_files] = get_file(file);
6630 unix_inflight(fpl->user, fpl->fp[nr_files]);
6635 fpl->max = SCM_MAX_FD;
6636 fpl->count = nr_files;
6637 UNIXCB(skb).fp = fpl;
6638 skb->destructor = unix_destruct_scm;
6639 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
6640 skb_queue_head(&sk->sk_receive_queue, skb);
6642 for (i = 0; i < nr_files; i++)
6653 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
6654 * causes regular reference counting to break down. We rely on the UNIX
6655 * garbage collection to take care of this problem for us.
6657 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6659 unsigned left, total;
6663 left = ctx->nr_user_files;
6665 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6667 ret = __io_sqe_files_scm(ctx, this_files, total);
6671 total += this_files;
6677 while (total < ctx->nr_user_files) {
6678 struct file *file = io_file_from_index(ctx, total);
6688 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
6694 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
6699 for (i = 0; i < nr_tables; i++) {
6700 struct fixed_file_table *table = &ctx->file_data->table[i];
6701 unsigned this_files;
6703 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
6704 table->files = kcalloc(this_files, sizeof(struct file *),
6708 nr_files -= this_files;
6714 for (i = 0; i < nr_tables; i++) {
6715 struct fixed_file_table *table = &ctx->file_data->table[i];
6716 kfree(table->files);
6721 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
6723 #if defined(CONFIG_UNIX)
6724 struct sock *sock = ctx->ring_sock->sk;
6725 struct sk_buff_head list, *head = &sock->sk_receive_queue;
6726 struct sk_buff *skb;
6729 __skb_queue_head_init(&list);
6732 * Find the skb that holds this file in its SCM_RIGHTS. When found,
6733 * remove this entry and rearrange the file array.
6735 skb = skb_dequeue(head);
6737 struct scm_fp_list *fp;
6739 fp = UNIXCB(skb).fp;
6740 for (i = 0; i < fp->count; i++) {
6743 if (fp->fp[i] != file)
6746 unix_notinflight(fp->user, fp->fp[i]);
6747 left = fp->count - 1 - i;
6749 memmove(&fp->fp[i], &fp->fp[i + 1],
6750 left * sizeof(struct file *));
6757 __skb_queue_tail(&list, skb);
6767 __skb_queue_tail(&list, skb);
6769 skb = skb_dequeue(head);
6772 if (skb_peek(&list)) {
6773 spin_lock_irq(&head->lock);
6774 while ((skb = __skb_dequeue(&list)) != NULL)
6775 __skb_queue_tail(head, skb);
6776 spin_unlock_irq(&head->lock);
6783 struct io_file_put {
6784 struct list_head list;
6788 static void __io_file_put_work(struct fixed_file_ref_node *ref_node)
6790 struct fixed_file_data *file_data = ref_node->file_data;
6791 struct io_ring_ctx *ctx = file_data->ctx;
6792 struct io_file_put *pfile, *tmp;
6794 list_for_each_entry_safe(pfile, tmp, &ref_node->file_list, list) {
6795 list_del(&pfile->list);
6796 io_ring_file_put(ctx, pfile->file);
6800 spin_lock(&file_data->lock);
6801 list_del(&ref_node->node);
6802 spin_unlock(&file_data->lock);
6804 percpu_ref_exit(&ref_node->refs);
6806 percpu_ref_put(&file_data->refs);
6809 static void io_file_put_work(struct work_struct *work)
6811 struct io_ring_ctx *ctx;
6812 struct llist_node *node;
6814 ctx = container_of(work, struct io_ring_ctx, file_put_work.work);
6815 node = llist_del_all(&ctx->file_put_llist);
6818 struct fixed_file_ref_node *ref_node;
6819 struct llist_node *next = node->next;
6821 ref_node = llist_entry(node, struct fixed_file_ref_node, llist);
6822 __io_file_put_work(ref_node);
6827 static void io_file_data_ref_zero(struct percpu_ref *ref)
6829 struct fixed_file_ref_node *ref_node;
6830 struct io_ring_ctx *ctx;
6834 ref_node = container_of(ref, struct fixed_file_ref_node, refs);
6835 ctx = ref_node->file_data->ctx;
6837 if (percpu_ref_is_dying(&ctx->file_data->refs))
6840 first_add = llist_add(&ref_node->llist, &ctx->file_put_llist);
6842 mod_delayed_work(system_wq, &ctx->file_put_work, 0);
6844 queue_delayed_work(system_wq, &ctx->file_put_work, delay);
6847 static struct fixed_file_ref_node *alloc_fixed_file_ref_node(
6848 struct io_ring_ctx *ctx)
6850 struct fixed_file_ref_node *ref_node;
6852 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
6854 return ERR_PTR(-ENOMEM);
6856 if (percpu_ref_init(&ref_node->refs, io_file_data_ref_zero,
6859 return ERR_PTR(-ENOMEM);
6861 INIT_LIST_HEAD(&ref_node->node);
6862 INIT_LIST_HEAD(&ref_node->file_list);
6863 ref_node->file_data = ctx->file_data;
6867 static void destroy_fixed_file_ref_node(struct fixed_file_ref_node *ref_node)
6869 percpu_ref_exit(&ref_node->refs);
6873 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
6876 __s32 __user *fds = (__s32 __user *) arg;
6881 struct fixed_file_ref_node *ref_node;
6887 if (nr_args > IORING_MAX_FIXED_FILES)
6890 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
6891 if (!ctx->file_data)
6893 ctx->file_data->ctx = ctx;
6894 init_completion(&ctx->file_data->done);
6895 INIT_LIST_HEAD(&ctx->file_data->ref_list);
6896 spin_lock_init(&ctx->file_data->lock);
6898 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
6899 ctx->file_data->table = kcalloc(nr_tables,
6900 sizeof(struct fixed_file_table),
6902 if (!ctx->file_data->table) {
6903 kfree(ctx->file_data);
6904 ctx->file_data = NULL;
6908 if (percpu_ref_init(&ctx->file_data->refs, io_file_ref_kill,
6909 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
6910 kfree(ctx->file_data->table);
6911 kfree(ctx->file_data);
6912 ctx->file_data = NULL;
6916 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
6917 percpu_ref_exit(&ctx->file_data->refs);
6918 kfree(ctx->file_data->table);
6919 kfree(ctx->file_data);
6920 ctx->file_data = NULL;
6924 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
6925 struct fixed_file_table *table;
6929 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
6931 /* allow sparse sets */
6937 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
6938 index = i & IORING_FILE_TABLE_MASK;
6946 * Don't allow io_uring instances to be registered. If UNIX
6947 * isn't enabled, then this causes a reference cycle and this
6948 * instance can never get freed. If UNIX is enabled we'll
6949 * handle it just fine, but there's still no point in allowing
6950 * a ring fd as it doesn't support regular read/write anyway.
6952 if (file->f_op == &io_uring_fops) {
6957 table->files[index] = file;
6961 for (i = 0; i < ctx->nr_user_files; i++) {
6962 file = io_file_from_index(ctx, i);
6966 for (i = 0; i < nr_tables; i++)
6967 kfree(ctx->file_data->table[i].files);
6969 kfree(ctx->file_data->table);
6970 kfree(ctx->file_data);
6971 ctx->file_data = NULL;
6972 ctx->nr_user_files = 0;
6976 ret = io_sqe_files_scm(ctx);
6978 io_sqe_files_unregister(ctx);
6982 ref_node = alloc_fixed_file_ref_node(ctx);
6983 if (IS_ERR(ref_node)) {
6984 io_sqe_files_unregister(ctx);
6985 return PTR_ERR(ref_node);
6988 ctx->file_data->cur_refs = &ref_node->refs;
6989 spin_lock(&ctx->file_data->lock);
6990 list_add(&ref_node->node, &ctx->file_data->ref_list);
6991 spin_unlock(&ctx->file_data->lock);
6992 percpu_ref_get(&ctx->file_data->refs);
6996 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
6999 #if defined(CONFIG_UNIX)
7000 struct sock *sock = ctx->ring_sock->sk;
7001 struct sk_buff_head *head = &sock->sk_receive_queue;
7002 struct sk_buff *skb;
7005 * See if we can merge this file into an existing skb SCM_RIGHTS
7006 * file set. If there's no room, fall back to allocating a new skb
7007 * and filling it in.
7009 spin_lock_irq(&head->lock);
7010 skb = skb_peek(head);
7012 struct scm_fp_list *fpl = UNIXCB(skb).fp;
7014 if (fpl->count < SCM_MAX_FD) {
7015 __skb_unlink(skb, head);
7016 spin_unlock_irq(&head->lock);
7017 fpl->fp[fpl->count] = get_file(file);
7018 unix_inflight(fpl->user, fpl->fp[fpl->count]);
7020 spin_lock_irq(&head->lock);
7021 __skb_queue_head(head, skb);
7026 spin_unlock_irq(&head->lock);
7033 return __io_sqe_files_scm(ctx, 1, index);
7039 static int io_queue_file_removal(struct fixed_file_data *data,
7042 struct io_file_put *pfile;
7043 struct percpu_ref *refs = data->cur_refs;
7044 struct fixed_file_ref_node *ref_node;
7046 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
7050 ref_node = container_of(refs, struct fixed_file_ref_node, refs);
7052 list_add(&pfile->list, &ref_node->file_list);
7057 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
7058 struct io_uring_files_update *up,
7061 struct fixed_file_data *data = ctx->file_data;
7062 struct fixed_file_ref_node *ref_node;
7067 bool needs_switch = false;
7069 if (check_add_overflow(up->offset, nr_args, &done))
7071 if (done > ctx->nr_user_files)
7074 ref_node = alloc_fixed_file_ref_node(ctx);
7075 if (IS_ERR(ref_node))
7076 return PTR_ERR(ref_node);
7079 fds = u64_to_user_ptr(up->fds);
7081 struct fixed_file_table *table;
7085 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
7089 i = array_index_nospec(up->offset, ctx->nr_user_files);
7090 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
7091 index = i & IORING_FILE_TABLE_MASK;
7092 if (table->files[index]) {
7093 file = io_file_from_index(ctx, index);
7094 err = io_queue_file_removal(data, file);
7097 table->files[index] = NULL;
7098 needs_switch = true;
7107 * Don't allow io_uring instances to be registered. If
7108 * UNIX isn't enabled, then this causes a reference
7109 * cycle and this instance can never get freed. If UNIX
7110 * is enabled we'll handle it just fine, but there's
7111 * still no point in allowing a ring fd as it doesn't
7112 * support regular read/write anyway.
7114 if (file->f_op == &io_uring_fops) {
7119 table->files[index] = file;
7120 err = io_sqe_file_register(ctx, file, i);
7130 percpu_ref_kill(data->cur_refs);
7131 spin_lock(&data->lock);
7132 list_add(&ref_node->node, &data->ref_list);
7133 data->cur_refs = &ref_node->refs;
7134 spin_unlock(&data->lock);
7135 percpu_ref_get(&ctx->file_data->refs);
7137 destroy_fixed_file_ref_node(ref_node);
7139 return done ? done : err;
7142 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
7145 struct io_uring_files_update up;
7147 if (!ctx->file_data)
7151 if (copy_from_user(&up, arg, sizeof(up)))
7156 return __io_sqe_files_update(ctx, &up, nr_args);
7159 static void io_free_work(struct io_wq_work *work)
7161 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7163 /* Consider that io_steal_work() relies on this ref */
7167 static int io_init_wq_offload(struct io_ring_ctx *ctx,
7168 struct io_uring_params *p)
7170 struct io_wq_data data;
7172 struct io_ring_ctx *ctx_attach;
7173 unsigned int concurrency;
7176 data.user = ctx->user;
7177 data.free_work = io_free_work;
7178 data.do_work = io_wq_submit_work;
7180 if (!(p->flags & IORING_SETUP_ATTACH_WQ)) {
7181 /* Do QD, or 4 * CPUS, whatever is smallest */
7182 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
7184 ctx->io_wq = io_wq_create(concurrency, &data);
7185 if (IS_ERR(ctx->io_wq)) {
7186 ret = PTR_ERR(ctx->io_wq);
7192 f = fdget(p->wq_fd);
7196 if (f.file->f_op != &io_uring_fops) {
7201 ctx_attach = f.file->private_data;
7202 /* @io_wq is protected by holding the fd */
7203 if (!io_wq_get(ctx_attach->io_wq, &data)) {
7208 ctx->io_wq = ctx_attach->io_wq;
7214 static int io_sq_offload_start(struct io_ring_ctx *ctx,
7215 struct io_uring_params *p)
7219 mmgrab(current->mm);
7220 ctx->sqo_mm = current->mm;
7222 if (ctx->flags & IORING_SETUP_SQPOLL) {
7224 if (!capable(CAP_SYS_ADMIN))
7227 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
7228 if (!ctx->sq_thread_idle)
7229 ctx->sq_thread_idle = HZ;
7231 if (p->flags & IORING_SETUP_SQ_AFF) {
7232 int cpu = p->sq_thread_cpu;
7235 if (cpu >= nr_cpu_ids)
7237 if (!cpu_online(cpu))
7240 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
7244 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
7247 if (IS_ERR(ctx->sqo_thread)) {
7248 ret = PTR_ERR(ctx->sqo_thread);
7249 ctx->sqo_thread = NULL;
7252 wake_up_process(ctx->sqo_thread);
7253 } else if (p->flags & IORING_SETUP_SQ_AFF) {
7254 /* Can't have SQ_AFF without SQPOLL */
7259 ret = io_init_wq_offload(ctx, p);
7265 io_finish_async(ctx);
7266 mmdrop(ctx->sqo_mm);
7271 static inline void __io_unaccount_mem(struct user_struct *user,
7272 unsigned long nr_pages)
7274 atomic_long_sub(nr_pages, &user->locked_vm);
7277 static inline int __io_account_mem(struct user_struct *user,
7278 unsigned long nr_pages)
7280 unsigned long page_limit, cur_pages, new_pages;
7282 /* Don't allow more pages than we can safely lock */
7283 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
7286 cur_pages = atomic_long_read(&user->locked_vm);
7287 new_pages = cur_pages + nr_pages;
7288 if (new_pages > page_limit)
7290 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
7291 new_pages) != cur_pages);
7296 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7297 enum io_mem_account acct)
7300 __io_unaccount_mem(ctx->user, nr_pages);
7303 if (acct == ACCT_LOCKED)
7304 ctx->sqo_mm->locked_vm -= nr_pages;
7305 else if (acct == ACCT_PINNED)
7306 atomic64_sub(nr_pages, &ctx->sqo_mm->pinned_vm);
7310 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,
7311 enum io_mem_account acct)
7315 if (ctx->limit_mem) {
7316 ret = __io_account_mem(ctx->user, nr_pages);
7322 if (acct == ACCT_LOCKED)
7323 ctx->sqo_mm->locked_vm += nr_pages;
7324 else if (acct == ACCT_PINNED)
7325 atomic64_add(nr_pages, &ctx->sqo_mm->pinned_vm);
7331 static void io_mem_free(void *ptr)
7338 page = virt_to_head_page(ptr);
7339 if (put_page_testzero(page))
7340 free_compound_page(page);
7343 static void *io_mem_alloc(size_t size)
7345 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
7348 return (void *) __get_free_pages(gfp_flags, get_order(size));
7351 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
7354 struct io_rings *rings;
7355 size_t off, sq_array_size;
7357 off = struct_size(rings, cqes, cq_entries);
7358 if (off == SIZE_MAX)
7362 off = ALIGN(off, SMP_CACHE_BYTES);
7367 sq_array_size = array_size(sizeof(u32), sq_entries);
7368 if (sq_array_size == SIZE_MAX)
7371 if (check_add_overflow(off, sq_array_size, &off))
7380 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
7384 pages = (size_t)1 << get_order(
7385 rings_size(sq_entries, cq_entries, NULL));
7386 pages += (size_t)1 << get_order(
7387 array_size(sizeof(struct io_uring_sqe), sq_entries));
7392 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
7396 if (!ctx->user_bufs)
7399 for (i = 0; i < ctx->nr_user_bufs; i++) {
7400 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7402 for (j = 0; j < imu->nr_bvecs; j++)
7403 unpin_user_page(imu->bvec[j].bv_page);
7405 io_unaccount_mem(ctx, imu->nr_bvecs, ACCT_PINNED);
7410 kfree(ctx->user_bufs);
7411 ctx->user_bufs = NULL;
7412 ctx->nr_user_bufs = 0;
7416 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
7417 void __user *arg, unsigned index)
7419 struct iovec __user *src;
7421 #ifdef CONFIG_COMPAT
7423 struct compat_iovec __user *ciovs;
7424 struct compat_iovec ciov;
7426 ciovs = (struct compat_iovec __user *) arg;
7427 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
7430 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
7431 dst->iov_len = ciov.iov_len;
7435 src = (struct iovec __user *) arg;
7436 if (copy_from_user(dst, &src[index], sizeof(*dst)))
7441 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
7444 struct vm_area_struct **vmas = NULL;
7445 struct page **pages = NULL;
7446 int i, j, got_pages = 0;
7451 if (!nr_args || nr_args > UIO_MAXIOV)
7454 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
7456 if (!ctx->user_bufs)
7459 for (i = 0; i < nr_args; i++) {
7460 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
7461 unsigned long off, start, end, ubuf;
7466 ret = io_copy_iov(ctx, &iov, arg, i);
7471 * Don't impose further limits on the size and buffer
7472 * constraints here, we'll -EINVAL later when IO is
7473 * submitted if they are wrong.
7476 if (!iov.iov_base || !iov.iov_len)
7479 /* arbitrary limit, but we need something */
7480 if (iov.iov_len > SZ_1G)
7483 ubuf = (unsigned long) iov.iov_base;
7484 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
7485 start = ubuf >> PAGE_SHIFT;
7486 nr_pages = end - start;
7488 ret = io_account_mem(ctx, nr_pages, ACCT_PINNED);
7493 if (!pages || nr_pages > got_pages) {
7496 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
7498 vmas = kvmalloc_array(nr_pages,
7499 sizeof(struct vm_area_struct *),
7501 if (!pages || !vmas) {
7503 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7506 got_pages = nr_pages;
7509 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
7513 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7518 mmap_read_lock(current->mm);
7519 pret = pin_user_pages(ubuf, nr_pages,
7520 FOLL_WRITE | FOLL_LONGTERM,
7522 if (pret == nr_pages) {
7523 /* don't support file backed memory */
7524 for (j = 0; j < nr_pages; j++) {
7525 struct vm_area_struct *vma = vmas[j];
7528 !is_file_hugepages(vma->vm_file)) {
7534 ret = pret < 0 ? pret : -EFAULT;
7536 mmap_read_unlock(current->mm);
7539 * if we did partial map, or found file backed vmas,
7540 * release any pages we did get
7543 unpin_user_pages(pages, pret);
7544 io_unaccount_mem(ctx, nr_pages, ACCT_PINNED);
7549 off = ubuf & ~PAGE_MASK;
7551 for (j = 0; j < nr_pages; j++) {
7554 vec_len = min_t(size_t, size, PAGE_SIZE - off);
7555 imu->bvec[j].bv_page = pages[j];
7556 imu->bvec[j].bv_len = vec_len;
7557 imu->bvec[j].bv_offset = off;
7561 /* store original address for later verification */
7563 imu->len = iov.iov_len;
7564 imu->nr_bvecs = nr_pages;
7566 ctx->nr_user_bufs++;
7574 io_sqe_buffer_unregister(ctx);
7578 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
7580 __s32 __user *fds = arg;
7586 if (copy_from_user(&fd, fds, sizeof(*fds)))
7589 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
7590 if (IS_ERR(ctx->cq_ev_fd)) {
7591 int ret = PTR_ERR(ctx->cq_ev_fd);
7592 ctx->cq_ev_fd = NULL;
7599 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
7601 if (ctx->cq_ev_fd) {
7602 eventfd_ctx_put(ctx->cq_ev_fd);
7603 ctx->cq_ev_fd = NULL;
7610 static int __io_destroy_buffers(int id, void *p, void *data)
7612 struct io_ring_ctx *ctx = data;
7613 struct io_buffer *buf = p;
7615 __io_remove_buffers(ctx, buf, id, -1U);
7619 static void io_destroy_buffers(struct io_ring_ctx *ctx)
7621 idr_for_each(&ctx->io_buffer_idr, __io_destroy_buffers, ctx);
7622 idr_destroy(&ctx->io_buffer_idr);
7625 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
7627 io_finish_async(ctx);
7629 mmdrop(ctx->sqo_mm);
7633 io_iopoll_reap_events(ctx);
7634 io_sqe_buffer_unregister(ctx);
7635 io_sqe_files_unregister(ctx);
7636 io_eventfd_unregister(ctx);
7637 io_destroy_buffers(ctx);
7638 idr_destroy(&ctx->personality_idr);
7640 #if defined(CONFIG_UNIX)
7641 if (ctx->ring_sock) {
7642 ctx->ring_sock->file = NULL; /* so that iput() is called */
7643 sock_release(ctx->ring_sock);
7647 io_mem_free(ctx->rings);
7648 io_mem_free(ctx->sq_sqes);
7650 percpu_ref_exit(&ctx->refs);
7651 io_unaccount_mem(ctx, ring_pages(ctx->sq_entries, ctx->cq_entries),
7653 free_uid(ctx->user);
7654 put_cred(ctx->creds);
7655 kfree(ctx->cancel_hash);
7656 kmem_cache_free(req_cachep, ctx->fallback_req);
7660 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
7662 struct io_ring_ctx *ctx = file->private_data;
7665 poll_wait(file, &ctx->cq_wait, wait);
7667 * synchronizes with barrier from wq_has_sleeper call in
7671 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
7672 ctx->rings->sq_ring_entries)
7673 mask |= EPOLLOUT | EPOLLWRNORM;
7674 if (io_cqring_events(ctx, false))
7675 mask |= EPOLLIN | EPOLLRDNORM;
7680 static int io_uring_fasync(int fd, struct file *file, int on)
7682 struct io_ring_ctx *ctx = file->private_data;
7684 return fasync_helper(fd, file, on, &ctx->cq_fasync);
7687 static int io_remove_personalities(int id, void *p, void *data)
7689 struct io_ring_ctx *ctx = data;
7690 const struct cred *cred;
7692 cred = idr_remove(&ctx->personality_idr, id);
7698 static void io_ring_exit_work(struct work_struct *work)
7700 struct io_ring_ctx *ctx;
7702 ctx = container_of(work, struct io_ring_ctx, exit_work);
7704 io_cqring_overflow_flush(ctx, true);
7707 * If we're doing polled IO and end up having requests being
7708 * submitted async (out-of-line), then completions can come in while
7709 * we're waiting for refs to drop. We need to reap these manually,
7710 * as nobody else will be looking for them.
7712 while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20)) {
7713 io_iopoll_reap_events(ctx);
7715 io_cqring_overflow_flush(ctx, true);
7717 io_ring_ctx_free(ctx);
7720 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
7722 mutex_lock(&ctx->uring_lock);
7723 percpu_ref_kill(&ctx->refs);
7724 mutex_unlock(&ctx->uring_lock);
7726 io_kill_timeouts(ctx);
7727 io_poll_remove_all(ctx);
7730 io_wq_cancel_all(ctx->io_wq);
7732 io_iopoll_reap_events(ctx);
7733 /* if we failed setting up the ctx, we might not have any rings */
7735 io_cqring_overflow_flush(ctx, true);
7736 idr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);
7737 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
7738 queue_work(system_wq, &ctx->exit_work);
7741 static int io_uring_release(struct inode *inode, struct file *file)
7743 struct io_ring_ctx *ctx = file->private_data;
7745 file->private_data = NULL;
7746 io_ring_ctx_wait_and_kill(ctx);
7750 static bool io_wq_files_match(struct io_wq_work *work, void *data)
7752 struct files_struct *files = data;
7754 return work->files == files;
7757 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
7758 struct files_struct *files)
7760 if (list_empty_careful(&ctx->inflight_list))
7763 /* cancel all at once, should be faster than doing it one by one*/
7764 io_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);
7766 while (!list_empty_careful(&ctx->inflight_list)) {
7767 struct io_kiocb *cancel_req = NULL, *req;
7770 spin_lock_irq(&ctx->inflight_lock);
7771 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
7772 if (req->work.files != files)
7774 /* req is being completed, ignore */
7775 if (!refcount_inc_not_zero(&req->refs))
7781 prepare_to_wait(&ctx->inflight_wait, &wait,
7782 TASK_UNINTERRUPTIBLE);
7783 spin_unlock_irq(&ctx->inflight_lock);
7785 /* We need to keep going until we don't find a matching req */
7789 if (cancel_req->flags & REQ_F_OVERFLOW) {
7790 spin_lock_irq(&ctx->completion_lock);
7791 list_del(&cancel_req->list);
7792 cancel_req->flags &= ~REQ_F_OVERFLOW;
7793 if (list_empty(&ctx->cq_overflow_list)) {
7794 clear_bit(0, &ctx->sq_check_overflow);
7795 clear_bit(0, &ctx->cq_check_overflow);
7797 spin_unlock_irq(&ctx->completion_lock);
7799 WRITE_ONCE(ctx->rings->cq_overflow,
7800 atomic_inc_return(&ctx->cached_cq_overflow));
7803 * Put inflight ref and overflow ref. If that's
7804 * all we had, then we're done with this request.
7806 if (refcount_sub_and_test(2, &cancel_req->refs)) {
7807 io_free_req(cancel_req);
7808 finish_wait(&ctx->inflight_wait, &wait);
7812 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
7813 io_put_req(cancel_req);
7817 finish_wait(&ctx->inflight_wait, &wait);
7821 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
7823 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7824 struct task_struct *task = data;
7826 return req->task == task;
7829 static int io_uring_flush(struct file *file, void *data)
7831 struct io_ring_ctx *ctx = file->private_data;
7833 io_uring_cancel_files(ctx, data);
7836 * If the task is going away, cancel work it may have pending
7838 if (fatal_signal_pending(current) || (current->flags & PF_EXITING))
7839 io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, current, true);
7844 static void *io_uring_validate_mmap_request(struct file *file,
7845 loff_t pgoff, size_t sz)
7847 struct io_ring_ctx *ctx = file->private_data;
7848 loff_t offset = pgoff << PAGE_SHIFT;
7853 case IORING_OFF_SQ_RING:
7854 case IORING_OFF_CQ_RING:
7857 case IORING_OFF_SQES:
7861 return ERR_PTR(-EINVAL);
7864 page = virt_to_head_page(ptr);
7865 if (sz > page_size(page))
7866 return ERR_PTR(-EINVAL);
7873 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7875 size_t sz = vma->vm_end - vma->vm_start;
7879 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
7881 return PTR_ERR(ptr);
7883 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
7884 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
7887 #else /* !CONFIG_MMU */
7889 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
7891 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
7894 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
7896 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
7899 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
7900 unsigned long addr, unsigned long len,
7901 unsigned long pgoff, unsigned long flags)
7905 ptr = io_uring_validate_mmap_request(file, pgoff, len);
7907 return PTR_ERR(ptr);
7909 return (unsigned long) ptr;
7912 #endif /* !CONFIG_MMU */
7914 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
7915 u32, min_complete, u32, flags, const sigset_t __user *, sig,
7918 struct io_ring_ctx *ctx;
7923 if (current->task_works)
7926 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
7934 if (f.file->f_op != &io_uring_fops)
7938 ctx = f.file->private_data;
7939 if (!percpu_ref_tryget(&ctx->refs))
7943 * For SQ polling, the thread will do all submissions and completions.
7944 * Just return the requested submit count, and wake the thread if
7948 if (ctx->flags & IORING_SETUP_SQPOLL) {
7949 if (!list_empty_careful(&ctx->cq_overflow_list))
7950 io_cqring_overflow_flush(ctx, false);
7951 if (flags & IORING_ENTER_SQ_WAKEUP)
7952 wake_up(&ctx->sqo_wait);
7953 submitted = to_submit;
7954 } else if (to_submit) {
7955 mutex_lock(&ctx->uring_lock);
7956 submitted = io_submit_sqes(ctx, to_submit, f.file, fd);
7957 mutex_unlock(&ctx->uring_lock);
7959 if (submitted != to_submit)
7962 if (flags & IORING_ENTER_GETEVENTS) {
7963 unsigned nr_events = 0;
7965 min_complete = min(min_complete, ctx->cq_entries);
7968 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
7969 * space applications don't need to do io completion events
7970 * polling again, they can rely on io_sq_thread to do polling
7971 * work, which can reduce cpu usage and uring_lock contention.
7973 if (ctx->flags & IORING_SETUP_IOPOLL &&
7974 !(ctx->flags & IORING_SETUP_SQPOLL)) {
7975 ret = io_iopoll_check(ctx, &nr_events, min_complete);
7977 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
7982 percpu_ref_put(&ctx->refs);
7985 return submitted ? submitted : ret;
7988 #ifdef CONFIG_PROC_FS
7989 static int io_uring_show_cred(int id, void *p, void *data)
7991 const struct cred *cred = p;
7992 struct seq_file *m = data;
7993 struct user_namespace *uns = seq_user_ns(m);
7994 struct group_info *gi;
7999 seq_printf(m, "%5d\n", id);
8000 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
8001 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
8002 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
8003 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
8004 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
8005 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
8006 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
8007 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
8008 seq_puts(m, "\n\tGroups:\t");
8009 gi = cred->group_info;
8010 for (g = 0; g < gi->ngroups; g++) {
8011 seq_put_decimal_ull(m, g ? " " : "",
8012 from_kgid_munged(uns, gi->gid[g]));
8014 seq_puts(m, "\n\tCapEff:\t");
8015 cap = cred->cap_effective;
8016 CAP_FOR_EACH_U32(__capi)
8017 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
8022 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
8026 mutex_lock(&ctx->uring_lock);
8027 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
8028 for (i = 0; i < ctx->nr_user_files; i++) {
8029 struct fixed_file_table *table;
8032 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
8033 f = table->files[i & IORING_FILE_TABLE_MASK];
8035 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
8037 seq_printf(m, "%5u: <none>\n", i);
8039 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
8040 for (i = 0; i < ctx->nr_user_bufs; i++) {
8041 struct io_mapped_ubuf *buf = &ctx->user_bufs[i];
8043 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf,
8044 (unsigned int) buf->len);
8046 if (!idr_is_empty(&ctx->personality_idr)) {
8047 seq_printf(m, "Personalities:\n");
8048 idr_for_each(&ctx->personality_idr, io_uring_show_cred, m);
8050 seq_printf(m, "PollList:\n");
8051 spin_lock_irq(&ctx->completion_lock);
8052 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
8053 struct hlist_head *list = &ctx->cancel_hash[i];
8054 struct io_kiocb *req;
8056 hlist_for_each_entry(req, list, hash_node)
8057 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
8058 req->task->task_works != NULL);
8060 spin_unlock_irq(&ctx->completion_lock);
8061 mutex_unlock(&ctx->uring_lock);
8064 static void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
8066 struct io_ring_ctx *ctx = f->private_data;
8068 if (percpu_ref_tryget(&ctx->refs)) {
8069 __io_uring_show_fdinfo(ctx, m);
8070 percpu_ref_put(&ctx->refs);
8075 static const struct file_operations io_uring_fops = {
8076 .release = io_uring_release,
8077 .flush = io_uring_flush,
8078 .mmap = io_uring_mmap,
8080 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
8081 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
8083 .poll = io_uring_poll,
8084 .fasync = io_uring_fasync,
8085 #ifdef CONFIG_PROC_FS
8086 .show_fdinfo = io_uring_show_fdinfo,
8090 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
8091 struct io_uring_params *p)
8093 struct io_rings *rings;
8094 size_t size, sq_array_offset;
8096 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
8097 if (size == SIZE_MAX)
8100 rings = io_mem_alloc(size);
8105 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
8106 rings->sq_ring_mask = p->sq_entries - 1;
8107 rings->cq_ring_mask = p->cq_entries - 1;
8108 rings->sq_ring_entries = p->sq_entries;
8109 rings->cq_ring_entries = p->cq_entries;
8110 ctx->sq_mask = rings->sq_ring_mask;
8111 ctx->cq_mask = rings->cq_ring_mask;
8112 ctx->sq_entries = rings->sq_ring_entries;
8113 ctx->cq_entries = rings->cq_ring_entries;
8115 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
8116 if (size == SIZE_MAX) {
8117 io_mem_free(ctx->rings);
8122 ctx->sq_sqes = io_mem_alloc(size);
8123 if (!ctx->sq_sqes) {
8124 io_mem_free(ctx->rings);
8133 * Allocate an anonymous fd, this is what constitutes the application
8134 * visible backing of an io_uring instance. The application mmaps this
8135 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
8136 * we have to tie this fd to a socket for file garbage collection purposes.
8138 static int io_uring_get_fd(struct io_ring_ctx *ctx)
8143 #if defined(CONFIG_UNIX)
8144 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
8150 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
8154 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
8155 O_RDWR | O_CLOEXEC);
8158 ret = PTR_ERR(file);
8162 #if defined(CONFIG_UNIX)
8163 ctx->ring_sock->file = file;
8165 fd_install(ret, file);
8168 #if defined(CONFIG_UNIX)
8169 sock_release(ctx->ring_sock);
8170 ctx->ring_sock = NULL;
8175 static int io_uring_create(unsigned entries, struct io_uring_params *p,
8176 struct io_uring_params __user *params)
8178 struct user_struct *user = NULL;
8179 struct io_ring_ctx *ctx;
8185 if (entries > IORING_MAX_ENTRIES) {
8186 if (!(p->flags & IORING_SETUP_CLAMP))
8188 entries = IORING_MAX_ENTRIES;
8192 * Use twice as many entries for the CQ ring. It's possible for the
8193 * application to drive a higher depth than the size of the SQ ring,
8194 * since the sqes are only used at submission time. This allows for
8195 * some flexibility in overcommitting a bit. If the application has
8196 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
8197 * of CQ ring entries manually.
8199 p->sq_entries = roundup_pow_of_two(entries);
8200 if (p->flags & IORING_SETUP_CQSIZE) {
8202 * If IORING_SETUP_CQSIZE is set, we do the same roundup
8203 * to a power-of-two, if it isn't already. We do NOT impose
8204 * any cq vs sq ring sizing.
8206 if (p->cq_entries < p->sq_entries)
8208 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
8209 if (!(p->flags & IORING_SETUP_CLAMP))
8211 p->cq_entries = IORING_MAX_CQ_ENTRIES;
8213 p->cq_entries = roundup_pow_of_two(p->cq_entries);
8215 p->cq_entries = 2 * p->sq_entries;
8218 user = get_uid(current_user());
8219 limit_mem = !capable(CAP_IPC_LOCK);
8222 ret = __io_account_mem(user,
8223 ring_pages(p->sq_entries, p->cq_entries));
8230 ctx = io_ring_ctx_alloc(p);
8233 __io_unaccount_mem(user, ring_pages(p->sq_entries,
8238 ctx->compat = in_compat_syscall();
8240 ctx->creds = get_current_cred();
8242 ret = io_allocate_scq_urings(ctx, p);
8246 ret = io_sq_offload_start(ctx, p);
8250 memset(&p->sq_off, 0, sizeof(p->sq_off));
8251 p->sq_off.head = offsetof(struct io_rings, sq.head);
8252 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
8253 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
8254 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
8255 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
8256 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
8257 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
8259 memset(&p->cq_off, 0, sizeof(p->cq_off));
8260 p->cq_off.head = offsetof(struct io_rings, cq.head);
8261 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
8262 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
8263 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
8264 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
8265 p->cq_off.cqes = offsetof(struct io_rings, cqes);
8266 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
8268 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
8269 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
8270 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
8271 IORING_FEAT_POLL_32BITS;
8273 if (copy_to_user(params, p, sizeof(*p))) {
8278 * Install ring fd as the very last thing, so we don't risk someone
8279 * having closed it before we finish setup
8281 ret = io_uring_get_fd(ctx);
8285 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
8286 io_account_mem(ctx, ring_pages(p->sq_entries, p->cq_entries),
8288 ctx->limit_mem = limit_mem;
8291 io_ring_ctx_wait_and_kill(ctx);
8296 * Sets up an aio uring context, and returns the fd. Applications asks for a
8297 * ring size, we return the actual sq/cq ring sizes (among other things) in the
8298 * params structure passed in.
8300 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
8302 struct io_uring_params p;
8305 if (copy_from_user(&p, params, sizeof(p)))
8307 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
8312 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8313 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
8314 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ))
8317 return io_uring_create(entries, &p, params);
8320 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
8321 struct io_uring_params __user *, params)
8323 return io_uring_setup(entries, params);
8326 static int io_probe(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
8328 struct io_uring_probe *p;
8332 size = struct_size(p, ops, nr_args);
8333 if (size == SIZE_MAX)
8335 p = kzalloc(size, GFP_KERNEL);
8340 if (copy_from_user(p, arg, size))
8343 if (memchr_inv(p, 0, size))
8346 p->last_op = IORING_OP_LAST - 1;
8347 if (nr_args > IORING_OP_LAST)
8348 nr_args = IORING_OP_LAST;
8350 for (i = 0; i < nr_args; i++) {
8352 if (!io_op_defs[i].not_supported)
8353 p->ops[i].flags = IO_URING_OP_SUPPORTED;
8358 if (copy_to_user(arg, p, size))
8365 static int io_register_personality(struct io_ring_ctx *ctx)
8367 const struct cred *creds = get_current_cred();
8370 id = idr_alloc_cyclic(&ctx->personality_idr, (void *) creds, 1,
8371 USHRT_MAX, GFP_KERNEL);
8377 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
8379 const struct cred *old_creds;
8381 old_creds = idr_remove(&ctx->personality_idr, id);
8383 put_cred(old_creds);
8390 static bool io_register_op_must_quiesce(int op)
8393 case IORING_UNREGISTER_FILES:
8394 case IORING_REGISTER_FILES_UPDATE:
8395 case IORING_REGISTER_PROBE:
8396 case IORING_REGISTER_PERSONALITY:
8397 case IORING_UNREGISTER_PERSONALITY:
8404 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
8405 void __user *arg, unsigned nr_args)
8406 __releases(ctx->uring_lock)
8407 __acquires(ctx->uring_lock)
8412 * We're inside the ring mutex, if the ref is already dying, then
8413 * someone else killed the ctx or is already going through
8414 * io_uring_register().
8416 if (percpu_ref_is_dying(&ctx->refs))
8419 if (io_register_op_must_quiesce(opcode)) {
8420 percpu_ref_kill(&ctx->refs);
8423 * Drop uring mutex before waiting for references to exit. If
8424 * another thread is currently inside io_uring_enter() it might
8425 * need to grab the uring_lock to make progress. If we hold it
8426 * here across the drain wait, then we can deadlock. It's safe
8427 * to drop the mutex here, since no new references will come in
8428 * after we've killed the percpu ref.
8430 mutex_unlock(&ctx->uring_lock);
8431 ret = wait_for_completion_interruptible(&ctx->ref_comp);
8432 mutex_lock(&ctx->uring_lock);
8434 percpu_ref_resurrect(&ctx->refs);
8441 case IORING_REGISTER_BUFFERS:
8442 ret = io_sqe_buffer_register(ctx, arg, nr_args);
8444 case IORING_UNREGISTER_BUFFERS:
8448 ret = io_sqe_buffer_unregister(ctx);
8450 case IORING_REGISTER_FILES:
8451 ret = io_sqe_files_register(ctx, arg, nr_args);
8453 case IORING_UNREGISTER_FILES:
8457 ret = io_sqe_files_unregister(ctx);
8459 case IORING_REGISTER_FILES_UPDATE:
8460 ret = io_sqe_files_update(ctx, arg, nr_args);
8462 case IORING_REGISTER_EVENTFD:
8463 case IORING_REGISTER_EVENTFD_ASYNC:
8467 ret = io_eventfd_register(ctx, arg);
8470 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
8471 ctx->eventfd_async = 1;
8473 ctx->eventfd_async = 0;
8475 case IORING_UNREGISTER_EVENTFD:
8479 ret = io_eventfd_unregister(ctx);
8481 case IORING_REGISTER_PROBE:
8483 if (!arg || nr_args > 256)
8485 ret = io_probe(ctx, arg, nr_args);
8487 case IORING_REGISTER_PERSONALITY:
8491 ret = io_register_personality(ctx);
8493 case IORING_UNREGISTER_PERSONALITY:
8497 ret = io_unregister_personality(ctx, nr_args);
8504 if (io_register_op_must_quiesce(opcode)) {
8505 /* bring the ctx back to life */
8506 percpu_ref_reinit(&ctx->refs);
8508 reinit_completion(&ctx->ref_comp);
8513 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
8514 void __user *, arg, unsigned int, nr_args)
8516 struct io_ring_ctx *ctx;
8525 if (f.file->f_op != &io_uring_fops)
8528 ctx = f.file->private_data;
8530 mutex_lock(&ctx->uring_lock);
8531 ret = __io_uring_register(ctx, opcode, arg, nr_args);
8532 mutex_unlock(&ctx->uring_lock);
8533 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
8534 ctx->cq_ev_fd != NULL, ret);
8540 static int __init io_uring_init(void)
8542 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
8543 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
8544 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
8547 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
8548 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
8549 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
8550 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
8551 BUILD_BUG_SQE_ELEM(1, __u8, flags);
8552 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
8553 BUILD_BUG_SQE_ELEM(4, __s32, fd);
8554 BUILD_BUG_SQE_ELEM(8, __u64, off);
8555 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
8556 BUILD_BUG_SQE_ELEM(16, __u64, addr);
8557 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
8558 BUILD_BUG_SQE_ELEM(24, __u32, len);
8559 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
8560 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
8561 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
8562 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
8563 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
8564 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
8565 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
8566 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
8567 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
8568 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
8569 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
8570 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
8571 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
8572 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
8573 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
8574 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
8575 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
8576 BUILD_BUG_SQE_ELEM(42, __u16, personality);
8577 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
8579 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
8580 BUILD_BUG_ON(__REQ_F_LAST_BIT >= 8 * sizeof(int));
8581 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
8584 __initcall(io_uring_init);
projects / linux-block.git / blob