1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/poll.h>
9 #include <linux/hashtable.h>
10 #include <linux/io_uring.h>
12 #include <trace/events/io_uring.h>
14 #include <uapi/linux/io_uring.h>
16 #include "io_uring_types.h"
24 struct io_poll_update {
30 bool update_user_data;
33 struct io_poll_table {
34 struct poll_table_struct pt;
40 #define IO_POLL_CANCEL_FLAG BIT(31)
41 #define IO_POLL_REF_MASK GENMASK(30, 0)
44 * If refs part of ->poll_refs (see IO_POLL_REF_MASK) is 0, it's free. We can
45 * bump it and acquire ownership. It's disallowed to modify requests while not
46 * owning it, that prevents from races for enqueueing task_work's and b/w
47 * arming poll and wakeups.
49 static inline bool io_poll_get_ownership(struct io_kiocb *req)
51 return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
54 static void io_poll_mark_cancelled(struct io_kiocb *req)
56 atomic_or(IO_POLL_CANCEL_FLAG, &req->poll_refs);
59 static struct io_poll *io_poll_get_double(struct io_kiocb *req)
61 /* pure poll stashes this in ->async_data, poll driven retry elsewhere */
62 if (req->opcode == IORING_OP_POLL_ADD)
63 return req->async_data;
64 return req->apoll->double_poll;
67 static struct io_poll *io_poll_get_single(struct io_kiocb *req)
69 if (req->opcode == IORING_OP_POLL_ADD)
70 return io_kiocb_to_cmd(req);
71 return &req->apoll->poll;
74 static void io_poll_req_insert(struct io_kiocb *req)
76 struct io_ring_ctx *ctx = req->ctx;
77 u32 index = hash_long(req->cqe.user_data, ctx->cancel_hash_bits);
78 struct io_hash_bucket *hb = &ctx->cancel_hash[index];
81 hlist_add_head(&req->hash_node, &hb->list);
82 spin_unlock(&hb->lock);
85 static void io_poll_req_delete(struct io_kiocb *req, struct io_ring_ctx *ctx)
87 u32 index = hash_long(req->cqe.user_data, ctx->cancel_hash_bits);
88 spinlock_t *lock = &ctx->cancel_hash[index].lock;
91 hash_del(&req->hash_node);
95 static void io_init_poll_iocb(struct io_poll *poll, __poll_t events,
96 wait_queue_func_t wake_func)
99 #define IO_POLL_UNMASK (EPOLLERR|EPOLLHUP|EPOLLNVAL|EPOLLRDHUP)
100 /* mask in events that we always want/need */
101 poll->events = events | IO_POLL_UNMASK;
102 INIT_LIST_HEAD(&poll->wait.entry);
103 init_waitqueue_func_entry(&poll->wait, wake_func);
106 static inline void io_poll_remove_entry(struct io_poll *poll)
108 struct wait_queue_head *head = smp_load_acquire(&poll->head);
111 spin_lock_irq(&head->lock);
112 list_del_init(&poll->wait.entry);
114 spin_unlock_irq(&head->lock);
118 static void io_poll_remove_entries(struct io_kiocb *req)
121 * Nothing to do if neither of those flags are set. Avoid dipping
122 * into the poll/apoll/double cachelines if we can.
124 if (!(req->flags & (REQ_F_SINGLE_POLL | REQ_F_DOUBLE_POLL)))
128 * While we hold the waitqueue lock and the waitqueue is nonempty,
129 * wake_up_pollfree() will wait for us. However, taking the waitqueue
130 * lock in the first place can race with the waitqueue being freed.
132 * We solve this as eventpoll does: by taking advantage of the fact that
133 * all users of wake_up_pollfree() will RCU-delay the actual free. If
134 * we enter rcu_read_lock() and see that the pointer to the queue is
135 * non-NULL, we can then lock it without the memory being freed out from
138 * Keep holding rcu_read_lock() as long as we hold the queue lock, in
139 * case the caller deletes the entry from the queue, leaving it empty.
140 * In that case, only RCU prevents the queue memory from being freed.
143 if (req->flags & REQ_F_SINGLE_POLL)
144 io_poll_remove_entry(io_poll_get_single(req));
145 if (req->flags & REQ_F_DOUBLE_POLL)
146 io_poll_remove_entry(io_poll_get_double(req));
151 * All poll tw should go through this. Checks for poll events, manages
152 * references, does rewait, etc.
154 * Returns a negative error on failure. >0 when no action require, which is
155 * either spurious wakeup or multishot CQE is served. 0 when it's done with
156 * the request, then the mask is stored in req->cqe.res.
158 static int io_poll_check_events(struct io_kiocb *req, bool *locked)
160 struct io_ring_ctx *ctx = req->ctx;
163 /* req->task == current here, checking PF_EXITING is safe */
164 if (unlikely(req->task->flags & PF_EXITING))
168 v = atomic_read(&req->poll_refs);
170 /* tw handler should be the owner, and so have some references */
171 if (WARN_ON_ONCE(!(v & IO_POLL_REF_MASK)))
173 if (v & IO_POLL_CANCEL_FLAG)
177 struct poll_table_struct pt = { ._key = req->apoll_events };
178 req->cqe.res = vfs_poll(req->file, &pt) & req->apoll_events;
181 if ((unlikely(!req->cqe.res)))
183 if (req->apoll_events & EPOLLONESHOT)
186 /* multishot, just fill a CQE and proceed */
187 if (!(req->flags & REQ_F_APOLL_MULTISHOT)) {
188 __poll_t mask = mangle_poll(req->cqe.res &
192 spin_lock(&ctx->completion_lock);
193 filled = io_fill_cqe_aux(ctx, req->cqe.user_data,
194 mask, IORING_CQE_F_MORE);
195 io_commit_cqring(ctx);
196 spin_unlock(&ctx->completion_lock);
198 io_cqring_ev_posted(ctx);
204 ret = io_poll_issue(req, locked);
209 * Release all references, retry if someone tried to restart
210 * task_work while we were executing it.
212 } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs));
217 static void io_poll_task_func(struct io_kiocb *req, bool *locked)
219 struct io_ring_ctx *ctx = req->ctx;
222 ret = io_poll_check_events(req, locked);
227 struct io_poll *poll = io_kiocb_to_cmd(req);
229 req->cqe.res = mangle_poll(req->cqe.res & poll->events);
235 io_poll_remove_entries(req);
236 io_poll_req_delete(req, ctx);
237 spin_lock(&ctx->completion_lock);
239 __io_req_complete_post(req);
240 io_commit_cqring(ctx);
241 spin_unlock(&ctx->completion_lock);
242 io_cqring_ev_posted(ctx);
245 static void io_apoll_task_func(struct io_kiocb *req, bool *locked)
249 ret = io_poll_check_events(req, locked);
253 io_poll_remove_entries(req);
254 io_poll_req_delete(req, req->ctx);
257 io_req_task_submit(req, locked);
259 io_req_complete_failed(req, ret);
262 static void __io_poll_execute(struct io_kiocb *req, int mask,
263 __poll_t __maybe_unused events)
265 io_req_set_res(req, mask, 0);
267 * This is useful for poll that is armed on behalf of another
268 * request, and where the wakeup path could be on a different
269 * CPU. We want to avoid pulling in req->apoll->events for that
272 if (req->opcode == IORING_OP_POLL_ADD)
273 req->io_task_work.func = io_poll_task_func;
275 req->io_task_work.func = io_apoll_task_func;
277 trace_io_uring_task_add(req->ctx, req, req->cqe.user_data, req->opcode, mask);
278 io_req_task_work_add(req);
281 static inline void io_poll_execute(struct io_kiocb *req, int res,
284 if (io_poll_get_ownership(req))
285 __io_poll_execute(req, res, events);
288 static void io_poll_cancel_req(struct io_kiocb *req)
290 io_poll_mark_cancelled(req);
291 /* kick tw, which should complete the request */
292 io_poll_execute(req, 0, 0);
295 #define wqe_to_req(wait) ((void *)((unsigned long) (wait)->private & ~1))
296 #define wqe_is_double(wait) ((unsigned long) (wait)->private & 1)
297 #define IO_ASYNC_POLL_COMMON (EPOLLONESHOT | EPOLLPRI)
299 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
302 struct io_kiocb *req = wqe_to_req(wait);
303 struct io_poll *poll = container_of(wait, struct io_poll, wait);
304 __poll_t mask = key_to_poll(key);
306 if (unlikely(mask & POLLFREE)) {
307 io_poll_mark_cancelled(req);
308 /* we have to kick tw in case it's not already */
309 io_poll_execute(req, 0, poll->events);
312 * If the waitqueue is being freed early but someone is already
313 * holds ownership over it, we have to tear down the request as
314 * best we can. That means immediately removing the request from
315 * its waitqueue and preventing all further accesses to the
316 * waitqueue via the request.
318 list_del_init(&poll->wait.entry);
321 * Careful: this *must* be the last step, since as soon
322 * as req->head is NULL'ed out, the request can be
323 * completed and freed, since aio_poll_complete_work()
324 * will no longer need to take the waitqueue lock.
326 smp_store_release(&poll->head, NULL);
330 /* for instances that support it check for an event match first */
331 if (mask && !(mask & (poll->events & ~IO_ASYNC_POLL_COMMON)))
334 if (io_poll_get_ownership(req)) {
335 /* optional, saves extra locking for removal in tw handler */
336 if (mask && poll->events & EPOLLONESHOT) {
337 list_del_init(&poll->wait.entry);
339 if (wqe_is_double(wait))
340 req->flags &= ~REQ_F_DOUBLE_POLL;
342 req->flags &= ~REQ_F_SINGLE_POLL;
344 __io_poll_execute(req, mask, poll->events);
349 static void __io_queue_proc(struct io_poll *poll, struct io_poll_table *pt,
350 struct wait_queue_head *head,
351 struct io_poll **poll_ptr)
353 struct io_kiocb *req = pt->req;
354 unsigned long wqe_private = (unsigned long) req;
357 * The file being polled uses multiple waitqueues for poll handling
358 * (e.g. one for read, one for write). Setup a separate io_poll
361 if (unlikely(pt->nr_entries)) {
362 struct io_poll *first = poll;
364 /* double add on the same waitqueue head, ignore */
365 if (first->head == head)
367 /* already have a 2nd entry, fail a third attempt */
369 if ((*poll_ptr)->head == head)
375 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
380 /* mark as double wq entry */
382 req->flags |= REQ_F_DOUBLE_POLL;
383 io_init_poll_iocb(poll, first->events, first->wait.func);
385 if (req->opcode == IORING_OP_POLL_ADD)
386 req->flags |= REQ_F_ASYNC_DATA;
389 req->flags |= REQ_F_SINGLE_POLL;
392 poll->wait.private = (void *) wqe_private;
394 if (poll->events & EPOLLEXCLUSIVE)
395 add_wait_queue_exclusive(head, &poll->wait);
397 add_wait_queue(head, &poll->wait);
400 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
401 struct poll_table_struct *p)
403 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
404 struct io_poll *poll = io_kiocb_to_cmd(pt->req);
406 __io_queue_proc(poll, pt, head,
407 (struct io_poll **) &pt->req->async_data);
410 static int __io_arm_poll_handler(struct io_kiocb *req,
411 struct io_poll *poll,
412 struct io_poll_table *ipt, __poll_t mask)
414 struct io_ring_ctx *ctx = req->ctx;
417 INIT_HLIST_NODE(&req->hash_node);
418 req->work.cancel_seq = atomic_read(&ctx->cancel_seq);
419 io_init_poll_iocb(poll, mask, io_poll_wake);
420 poll->file = req->file;
422 req->apoll_events = poll->events;
430 * Take the ownership to delay any tw execution up until we're done
431 * with poll arming. see io_poll_get_ownership().
433 atomic_set(&req->poll_refs, 1);
434 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
437 ((poll->events & (EPOLLET|EPOLLONESHOT)) == (EPOLLET|EPOLLONESHOT))) {
438 io_poll_remove_entries(req);
439 /* no one else has access to the req, forget about the ref */
443 if (!mask && unlikely(ipt->error || !ipt->nr_entries)) {
444 io_poll_remove_entries(req);
446 ipt->error = -EINVAL;
450 io_poll_req_insert(req);
452 if (mask && (poll->events & EPOLLET)) {
453 /* can't multishot if failed, just queue the event we've got */
454 if (unlikely(ipt->error || !ipt->nr_entries)) {
455 poll->events |= EPOLLONESHOT;
456 req->apoll_events |= EPOLLONESHOT;
459 __io_poll_execute(req, mask, poll->events);
464 * Release ownership. If someone tried to queue a tw while it was
465 * locked, kick it off for them.
467 v = atomic_dec_return(&req->poll_refs);
468 if (unlikely(v & IO_POLL_REF_MASK))
469 __io_poll_execute(req, 0, poll->events);
473 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
474 struct poll_table_struct *p)
476 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
477 struct async_poll *apoll = pt->req->apoll;
479 __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
482 int io_arm_poll_handler(struct io_kiocb *req, unsigned issue_flags)
484 const struct io_op_def *def = &io_op_defs[req->opcode];
485 struct io_ring_ctx *ctx = req->ctx;
486 struct async_poll *apoll;
487 struct io_poll_table ipt;
488 __poll_t mask = POLLPRI | POLLERR | EPOLLET;
491 if (!def->pollin && !def->pollout)
492 return IO_APOLL_ABORTED;
493 if (!file_can_poll(req->file))
494 return IO_APOLL_ABORTED;
495 if ((req->flags & (REQ_F_POLLED|REQ_F_PARTIAL_IO)) == REQ_F_POLLED)
496 return IO_APOLL_ABORTED;
497 if (!(req->flags & REQ_F_APOLL_MULTISHOT))
498 mask |= EPOLLONESHOT;
501 mask |= EPOLLIN | EPOLLRDNORM;
503 /* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */
504 if (req->flags & REQ_F_CLEAR_POLLIN)
507 mask |= EPOLLOUT | EPOLLWRNORM;
509 if (def->poll_exclusive)
510 mask |= EPOLLEXCLUSIVE;
511 if (req->flags & REQ_F_POLLED) {
513 kfree(apoll->double_poll);
514 } else if (!(issue_flags & IO_URING_F_UNLOCKED) &&
515 !list_empty(&ctx->apoll_cache)) {
516 apoll = list_first_entry(&ctx->apoll_cache, struct async_poll,
518 list_del_init(&apoll->poll.wait.entry);
520 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
521 if (unlikely(!apoll))
522 return IO_APOLL_ABORTED;
524 apoll->double_poll = NULL;
526 req->flags |= REQ_F_POLLED;
527 ipt.pt._qproc = io_async_queue_proc;
529 io_kbuf_recycle(req, issue_flags);
531 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask);
532 if (ret || ipt.error)
533 return ret ? IO_APOLL_READY : IO_APOLL_ABORTED;
535 trace_io_uring_poll_arm(ctx, req, req->cqe.user_data, req->opcode,
536 mask, apoll->poll.events);
541 * Returns true if we found and killed one or more poll requests
543 __cold bool io_poll_remove_all(struct io_ring_ctx *ctx, struct task_struct *tsk,
546 struct hlist_node *tmp;
547 struct io_kiocb *req;
551 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
552 struct io_hash_bucket *hb = &ctx->cancel_hash[i];
554 spin_lock(&hb->lock);
555 hlist_for_each_entry_safe(req, tmp, &hb->list, hash_node) {
556 if (io_match_task_safe(req, tsk, cancel_all)) {
557 hlist_del_init(&req->hash_node);
558 io_poll_cancel_req(req);
562 spin_unlock(&hb->lock);
567 static struct io_kiocb *io_poll_find(struct io_ring_ctx *ctx, bool poll_only,
568 struct io_cancel_data *cd)
570 struct io_kiocb *req;
571 u32 index = hash_long(cd->data, ctx->cancel_hash_bits);
572 struct io_hash_bucket *hb = &ctx->cancel_hash[index];
574 spin_lock(&hb->lock);
575 hlist_for_each_entry(req, &hb->list, hash_node) {
576 if (cd->data != req->cqe.user_data)
578 if (poll_only && req->opcode != IORING_OP_POLL_ADD)
580 if (cd->flags & IORING_ASYNC_CANCEL_ALL) {
581 if (cd->seq == req->work.cancel_seq)
583 req->work.cancel_seq = cd->seq;
587 spin_unlock(&hb->lock);
591 static struct io_kiocb *io_poll_file_find(struct io_ring_ctx *ctx,
592 struct io_cancel_data *cd)
594 struct io_kiocb *req;
597 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
598 struct io_hash_bucket *hb = &ctx->cancel_hash[i];
600 spin_lock(&hb->lock);
601 hlist_for_each_entry(req, &hb->list, hash_node) {
602 if (!(cd->flags & IORING_ASYNC_CANCEL_ANY) &&
603 req->file != cd->file)
605 if (cd->seq == req->work.cancel_seq)
607 req->work.cancel_seq = cd->seq;
610 spin_unlock(&hb->lock);
615 static bool io_poll_disarm(struct io_kiocb *req)
617 if (!io_poll_get_ownership(req))
619 io_poll_remove_entries(req);
620 hash_del(&req->hash_node);
624 int io_poll_cancel(struct io_ring_ctx *ctx, struct io_cancel_data *cd)
626 struct io_kiocb *req;
630 if (cd->flags & (IORING_ASYNC_CANCEL_FD|IORING_ASYNC_CANCEL_ANY))
631 req = io_poll_file_find(ctx, cd);
633 req = io_poll_find(ctx, false, cd);
637 index = hash_long(req->cqe.user_data, ctx->cancel_hash_bits);
638 lock = &ctx->cancel_hash[index].lock;
640 io_poll_cancel_req(req);
645 static __poll_t io_poll_parse_events(const struct io_uring_sqe *sqe,
650 events = READ_ONCE(sqe->poll32_events);
652 events = swahw32(events);
654 if (!(flags & IORING_POLL_ADD_MULTI))
655 events |= EPOLLONESHOT;
656 if (!(flags & IORING_POLL_ADD_LEVEL))
658 return demangle_poll(events) |
659 (events & (EPOLLEXCLUSIVE|EPOLLONESHOT|EPOLLET));
662 int io_poll_remove_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
664 struct io_poll_update *upd = io_kiocb_to_cmd(req);
667 if (sqe->buf_index || sqe->splice_fd_in)
669 flags = READ_ONCE(sqe->len);
670 if (flags & ~(IORING_POLL_UPDATE_EVENTS | IORING_POLL_UPDATE_USER_DATA |
671 IORING_POLL_ADD_MULTI))
673 /* meaningless without update */
674 if (flags == IORING_POLL_ADD_MULTI)
677 upd->old_user_data = READ_ONCE(sqe->addr);
678 upd->update_events = flags & IORING_POLL_UPDATE_EVENTS;
679 upd->update_user_data = flags & IORING_POLL_UPDATE_USER_DATA;
681 upd->new_user_data = READ_ONCE(sqe->off);
682 if (!upd->update_user_data && upd->new_user_data)
684 if (upd->update_events)
685 upd->events = io_poll_parse_events(sqe, flags);
686 else if (sqe->poll32_events)
692 int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
694 struct io_poll *poll = io_kiocb_to_cmd(req);
697 if (sqe->buf_index || sqe->off || sqe->addr)
699 flags = READ_ONCE(sqe->len);
700 if (flags & ~(IORING_POLL_ADD_MULTI|IORING_POLL_ADD_LEVEL))
702 if ((flags & IORING_POLL_ADD_MULTI) && (req->flags & REQ_F_CQE_SKIP))
705 poll->events = io_poll_parse_events(sqe, flags);
709 int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
711 struct io_poll *poll = io_kiocb_to_cmd(req);
712 struct io_poll_table ipt;
715 ipt.pt._qproc = io_poll_queue_proc;
717 ret = __io_arm_poll_handler(req, poll, &ipt, poll->events);
719 io_req_set_res(req, ret, 0);
727 return IOU_ISSUE_SKIP_COMPLETE;
730 int io_poll_remove(struct io_kiocb *req, unsigned int issue_flags)
732 struct io_poll_update *poll_update = io_kiocb_to_cmd(req);
733 struct io_cancel_data cd = { .data = poll_update->old_user_data, };
734 struct io_ring_ctx *ctx = req->ctx;
735 u32 index = hash_long(cd.data, ctx->cancel_hash_bits);
736 spinlock_t *lock = &ctx->cancel_hash[index].lock;
737 struct io_kiocb *preq;
741 preq = io_poll_find(ctx, true, &cd);
746 ret2 = io_poll_disarm(preq);
753 if (poll_update->update_events || poll_update->update_user_data) {
754 /* only mask one event flags, keep behavior flags */
755 if (poll_update->update_events) {
756 struct io_poll *poll = io_kiocb_to_cmd(preq);
758 poll->events &= ~0xffff;
759 poll->events |= poll_update->events & 0xffff;
760 poll->events |= IO_POLL_UNMASK;
762 if (poll_update->update_user_data)
763 preq->cqe.user_data = poll_update->new_user_data;
765 ret2 = io_poll_add(preq, issue_flags);
766 /* successfully updated, don't complete poll request */
767 if (!ret2 || ret2 == -EIOCBQUEUED)
772 io_req_set_res(preq, -ECANCELED, 0);
773 locked = !(issue_flags & IO_URING_F_UNLOCKED);
774 io_req_task_complete(preq, &locked);
780 /* complete update request, we're done with it */
781 io_req_set_res(req, ret, 0);