]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - fs/io_uring.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: account fixed file references correctly in batch
[mirror_ubuntu-jammy-kernel.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
15b71abe
JA		 73#include <linux/namei.h>
74#include <linux/fsnotify.h>
4840e418 75#include <linux/fadvise.h>
2b188cc1 76
c826bd7a
DD		 77#define CREATE_TRACE_POINTS
78#include <trace/events/io_uring.h>
79
2b188cc1
JA		 80#include <uapi/linux/io_uring.h>
81
82#include "internal.h"
561fb04a 83#include "io-wq.h"
2b188cc1 84
5277deaa 85#define IORING_MAX_ENTRIES 32768
33a107f0 86#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 87
88/*
89 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
90 */
91#define IORING_FILE_TABLE_SHIFT 9
92#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
93#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
94#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 95
96struct io_uring {
97 u32 head ____cacheline_aligned_in_smp;
98 u32 tail ____cacheline_aligned_in_smp;
99};
100
1e84b97b 101/*
75b28aff
HV		 102 * This data is shared with the application through the mmap at offsets
103 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 104 *
105 * The offsets to the member fields are published through struct
106 * io_sqring_offsets when calling io_uring_setup.
107 */
75b28aff 108struct io_rings {
1e84b97b
SB		 109 /*
110 * Head and tail offsets into the ring; the offsets need to be
111 * masked to get valid indices.
112 *
75b28aff
HV		 113 * The kernel controls head of the sq ring and the tail of the cq ring,
114 * and the application controls tail of the sq ring and the head of the
115 * cq ring.
1e84b97b 116 */
75b28aff 117 struct io_uring sq, cq;
1e84b97b 118 /*
75b28aff 119 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 120 * ring_entries - 1)
121 */
75b28aff
HV		 122 u32 sq_ring_mask, cq_ring_mask;
123 /* Ring sizes (constant, power of 2) */
124 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 125 /*
126 * Number of invalid entries dropped by the kernel due to
127 * invalid index stored in array
128 *
129 * Written by the kernel, shouldn't be modified by the
130 * application (i.e. get number of "new events" by comparing to
131 * cached value).
132 *
133 * After a new SQ head value was read by the application this
134 * counter includes all submissions that were dropped reaching
135 * the new SQ head (and possibly more).
136 */
75b28aff 137 u32 sq_dropped;
1e84b97b
SB		 138 /*
139 * Runtime flags
140 *
141 * Written by the kernel, shouldn't be modified by the
142 * application.
143 *
144 * The application needs a full memory barrier before checking
145 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
146 */
75b28aff 147 u32 sq_flags;
1e84b97b
SB		 148 /*
149 * Number of completion events lost because the queue was full;
150 * this should be avoided by the application by making sure
0b4295b5 151 * there are not more requests pending than there is space in
1e84b97b
SB		 152 * the completion queue.
153 *
154 * Written by the kernel, shouldn't be modified by the
155 * application (i.e. get number of "new events" by comparing to
156 * cached value).
157 *
158 * As completion events come in out of order this counter is not
159 * ordered with any other data.
160 */
75b28aff 161 u32 cq_overflow;
1e84b97b
SB		 162 /*
163 * Ring buffer of completion events.
164 *
165 * The kernel writes completion events fresh every time they are
166 * produced, so the application is allowed to modify pending
167 * entries.
168 */
75b28aff 169 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 170};
171
edafccee
JA		 172struct io_mapped_ubuf {
173 u64 ubuf;
174 size_t len;
175 struct bio_vec *bvec;
176 unsigned int nr_bvecs;
177};
178
65e19f54
JA		 179struct fixed_file_table {
180 struct file **files;
31b51510
JA		 181};
182
05f3fb3c
JA		 183enum {
184 FFD_F_ATOMIC,
185};
186
187struct fixed_file_data {
188 struct fixed_file_table *table;
189 struct io_ring_ctx *ctx;
190
191 struct percpu_ref refs;
192 struct llist_head put_llist;
193 unsigned long state;
194 struct work_struct ref_work;
195 struct completion done;
196};
197
2b188cc1
JA		 198struct io_ring_ctx {
199 struct {
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
202
203 struct {
204 unsigned int flags;
69b3e546
JA		 205 int compat: 1;
206 int account_mem: 1;
207 int cq_overflow_flushed: 1;
208 int drain_next: 1;
f2842ab5 209 int eventfd_async: 1;
2b188cc1 210
75b28aff
HV		 211 /*
212 * Ring buffer of indices into array of io_uring_sqe, which is
213 * mmapped by the application using the IORING_OFF_SQES offset.
214 *
215 * This indirection could e.g. be used to assign fixed
216 * io_uring_sqe entries to operations and only submit them to
217 * the queue when needed.
218 *
219 * The kernel modifies neither the indices array nor the entries
220 * array.
221 */
222 u32 *sq_array;
2b188cc1
JA		 223 unsigned cached_sq_head;
224 unsigned sq_entries;
225 unsigned sq_mask;
6c271ce2 226 unsigned sq_thread_idle;
498ccd9e 227 unsigned cached_sq_dropped;
206aefde 228 atomic_t cached_cq_overflow;
ad3eb2c8 229 unsigned long sq_check_overflow;
de0617e4
JA		 230
231 struct list_head defer_list;
5262f567 232 struct list_head timeout_list;
1d7bb1d5 233 struct list_head cq_overflow_list;
fcb323cc
JA		 234
235 wait_queue_head_t inflight_wait;
ad3eb2c8 236 struct io_uring_sqe *sq_sqes;
2b188cc1
JA		 237 } ____cacheline_aligned_in_smp;
238
206aefde
JA		 239 struct io_rings *rings;
240
2b188cc1 241 /* IO offload */
561fb04a 242 struct io_wq *io_wq;
6c271ce2 243 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 244 struct mm_struct *sqo_mm;
6c271ce2 245 wait_queue_head_t sqo_wait;
75b28aff 246
6b06314c
JA		 247 /*
248 * If used, fixed file set. Writers must ensure that ->refs is dead,
249 * readers must ensure that ->refs is alive as long as the file* is
250 * used. Only updated through io_uring_register(2).
251 */
05f3fb3c 252 struct fixed_file_data *file_data;
6b06314c
JA		 253 unsigned nr_user_files;
254
edafccee
JA		 255 /* if used, fixed mapped user buffers */
256 unsigned nr_user_bufs;
257 struct io_mapped_ubuf *user_bufs;
258
2b188cc1
JA		 259 struct user_struct *user;
260
0b8c0ec7 261 const struct cred *creds;
181e448d 262
206aefde
JA		 263 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
264 struct completion *completions;
265
0ddf92e8
JA		 266 /* if all else fails... */
267 struct io_kiocb *fallback_req;
268
206aefde
JA		 269#if defined(CONFIG_UNIX)
270 struct socket *ring_sock;
271#endif
272
273 struct {
274 unsigned cached_cq_tail;
275 unsigned cq_entries;
276 unsigned cq_mask;
277 atomic_t cq_timeouts;
ad3eb2c8 278 unsigned long cq_check_overflow;
206aefde
JA		 279 struct wait_queue_head cq_wait;
280 struct fasync_struct *cq_fasync;
281 struct eventfd_ctx *cq_ev_fd;
282 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 283
284 struct {
285 struct mutex uring_lock;
286 wait_queue_head_t wait;
287 } ____cacheline_aligned_in_smp;
288
289 struct {
290 spinlock_t completion_lock;
e94f141b
JA		 291 struct llist_head poll_llist;
292
def596e9
JA		 293 /*
294 * ->poll_list is protected by the ctx->uring_lock for
295 * io_uring instances that don't use IORING_SETUP_SQPOLL.
296 * For SQPOLL, only the single threaded io_sq_thread() will
297 * manipulate the list, hence no extra locking is needed there.
298 */
299 struct list_head poll_list;
78076bb6
JA		 300 struct hlist_head *cancel_hash;
301 unsigned cancel_hash_bits;
e94f141b 302 bool poll_multi_file;
31b51510 303
fcb323cc
JA		 304 spinlock_t inflight_lock;
305 struct list_head inflight_list;
2b188cc1 306 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 307};
308
09bb8394
JA		 309/*
310 * First field must be the file pointer in all the
311 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
312 */
221c5eb2
JA		 313struct io_poll_iocb {
314 struct file *file;
0969e783
JA		 315 union {
316 struct wait_queue_head *head;
317 u64 addr;
318 };
221c5eb2 319 __poll_t events;
8c838788 320 bool done;
221c5eb2 321 bool canceled;
392edb45 322 struct wait_queue_entry wait;
221c5eb2
JA		 323};
324
b5dba59e
JA		 325struct io_close {
326 struct file *file;
327 struct file *put_file;
328 int fd;
329};
330
ad8a48ac
JA		 331struct io_timeout_data {
332 struct io_kiocb *req;
333 struct hrtimer timer;
334 struct timespec64 ts;
335 enum hrtimer_mode mode;
cc42e0ac 336 u32 seq_offset;
ad8a48ac
JA		 337};
338
8ed8d3c3
JA		 339struct io_accept {
340 struct file *file;
341 struct sockaddr __user *addr;
342 int __user *addr_len;
343 int flags;
344};
345
346struct io_sync {
347 struct file *file;
348 loff_t len;
349 loff_t off;
350 int flags;
d63d1b5e 351 int mode;
8ed8d3c3
JA		 352};
353
fbf23849
JA		 354struct io_cancel {
355 struct file *file;
356 u64 addr;
357};
358
b29472ee
JA		 359struct io_timeout {
360 struct file *file;
361 u64 addr;
362 int flags;
26a61679 363 unsigned count;
b29472ee
JA		 364};
365
9adbd45d
JA		 366struct io_rw {
367 /* NOTE: kiocb has the file as the first member, so don't do it here */
368 struct kiocb kiocb;
369 u64 addr;
370 u64 len;
371};
372
3fbb51c1
JA		 373struct io_connect {
374 struct file *file;
375 struct sockaddr __user *addr;
376 int addr_len;
377};
378
e47293fd
JA		 379struct io_sr_msg {
380 struct file *file;
fddaface
JA		 381 union {
382 struct user_msghdr __user *msg;
383 void __user *buf;
384 };
e47293fd 385 int msg_flags;
fddaface 386 size_t len;
e47293fd
JA		 387};
388
15b71abe
JA		 389struct io_open {
390 struct file *file;
391 int dfd;
eddc7ef5 392 union {
eddc7ef5
JA		 393 unsigned mask;
394 };
15b71abe 395 struct filename *filename;
eddc7ef5 396 struct statx __user *buffer;
c12cedf2 397 struct open_how how;
15b71abe
JA		 398};
399
05f3fb3c
JA		 400struct io_files_update {
401 struct file *file;
402 u64 arg;
403 u32 nr_args;
404 u32 offset;
405};
406
4840e418
JA		 407struct io_fadvise {
408 struct file *file;
409 u64 offset;
410 u32 len;
411 u32 advice;
412};
413
c1ca757b
JA		 414struct io_madvise {
415 struct file *file;
416 u64 addr;
417 u32 len;
418 u32 advice;
419};
420
f499a021
JA		 421struct io_async_connect {
422 struct sockaddr_storage address;
423};
424
03b1230c
JA		 425struct io_async_msghdr {
426 struct iovec fast_iov[UIO_FASTIOV];
427 struct iovec *iov;
428 struct sockaddr __user *uaddr;
429 struct msghdr msg;
430};
431
f67676d1
JA		 432struct io_async_rw {
433 struct iovec fast_iov[UIO_FASTIOV];
434 struct iovec *iov;
435 ssize_t nr_segs;
436 ssize_t size;
437};
438
15b71abe
JA		 439struct io_async_open {
440 struct filename *filename;
441};
442
1a6b74fc 443struct io_async_ctx {
f67676d1
JA		 444 union {
445 struct io_async_rw rw;
03b1230c 446 struct io_async_msghdr msg;
f499a021 447 struct io_async_connect connect;
2d28390a 448 struct io_timeout_data timeout;
15b71abe 449 struct io_async_open open;
f67676d1 450 };
1a6b74fc
JA		 451};
452
09bb8394
JA		 453/*
454 * NOTE! Each of the iocb union members has the file pointer
455 * as the first entry in their struct definition. So you can
456 * access the file pointer through any of the sub-structs,
457 * or directly as just 'ki_filp' in this struct.
458 */
2b188cc1 459struct io_kiocb {
221c5eb2 460 union {
09bb8394 461 struct file *file;
9adbd45d 462 struct io_rw rw;
221c5eb2 463 struct io_poll_iocb poll;
8ed8d3c3
JA		 464 struct io_accept accept;
465 struct io_sync sync;
fbf23849 466 struct io_cancel cancel;
b29472ee 467 struct io_timeout timeout;
3fbb51c1 468 struct io_connect connect;
e47293fd 469 struct io_sr_msg sr_msg;
15b71abe 470 struct io_open open;
b5dba59e 471 struct io_close close;
05f3fb3c 472 struct io_files_update files_update;
4840e418 473 struct io_fadvise fadvise;
c1ca757b 474 struct io_madvise madvise;
221c5eb2 475 };
2b188cc1 476
1a6b74fc 477 struct io_async_ctx *io;
e94f141b
JA		 478 union {
479 /*
480 * ring_file is only used in the submission path, and
481 * llist_node is only used for poll deferred completions
482 */
483 struct file *ring_file;
484 struct llist_node llist_node;
485 };
cf6fd4bd
PB		 486 int ring_fd;
487 bool has_user;
488 bool in_async;
489 bool needs_fixed_file;
d625c6ee 490 u8 opcode;
2b188cc1
JA		 491
492 struct io_ring_ctx *ctx;
eac406c6
JA		 493 union {
494 struct list_head list;
78076bb6 495 struct hlist_node hash_node;
eac406c6 496 };
9e645e11 497 struct list_head link_list;
2b188cc1 498 unsigned int flags;
c16361c1 499 refcount_t refs;
8449eeda 500#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 501#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 502#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 503#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 504#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
505#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 506#define REQ_F_LINK 64 /* linked sqes */
2665abfd 507#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 508#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 509#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 510#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 511#define REQ_F_ISREG 2048 /* regular file */
512#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 513#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 514#define REQ_F_INFLIGHT 16384 /* on inflight list */
515#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 516#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
ce35a47a 517#define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
ba04291e 518#define REQ_F_CUR_POS 262144 /* read/write uses file position */
2b188cc1 519 u64 user_data;
9e645e11 520 u32 result;
de0617e4 521 u32 sequence;
2b188cc1 522
fcb323cc
JA		 523 struct list_head inflight_entry;
524
561fb04a 525 struct io_wq_work work;
2b188cc1
JA		 526};
527
528#define IO_PLUG_THRESHOLD 2
def596e9 529#define IO_IOPOLL_BATCH 8
2b188cc1 530
9a56a232
JA		 531struct io_submit_state {
532 struct blk_plug plug;
533
2579f913
JA		 534 /*
535 * io_kiocb alloc cache
536 */
537 void *reqs[IO_IOPOLL_BATCH];
538 unsigned int free_reqs;
539 unsigned int cur_req;
540
9a56a232
JA		 541 /*
542 * File reference cache
543 */
544 struct file *file;
545 unsigned int fd;
546 unsigned int has_refs;
547 unsigned int used_refs;
548 unsigned int ios_left;
549};
550
d3656344
JA		 551struct io_op_def {
552 /* needs req->io allocated for deferral/async */
553 unsigned async_ctx : 1;
554 /* needs current->mm setup, does mm access */
555 unsigned needs_mm : 1;
556 /* needs req->file assigned */
557 unsigned needs_file : 1;
558 /* needs req->file assigned IFF fd is >= 0 */
559 unsigned fd_non_neg : 1;
560 /* hash wq insertion if file is a regular file */
561 unsigned hash_reg_file : 1;
562 /* unbound wq insertion if file is a non-regular file */
563 unsigned unbound_nonreg_file : 1;
564};
565
566static const struct io_op_def io_op_defs[] = {
567 {
568 /* IORING_OP_NOP */
569 },
570 {
571 /* IORING_OP_READV */
572 .async_ctx = 1,
573 .needs_mm = 1,
574 .needs_file = 1,
575 .unbound_nonreg_file = 1,
576 },
577 {
578 /* IORING_OP_WRITEV */
579 .async_ctx = 1,
580 .needs_mm = 1,
581 .needs_file = 1,
582 .hash_reg_file = 1,
583 .unbound_nonreg_file = 1,
584 },
585 {
586 /* IORING_OP_FSYNC */
587 .needs_file = 1,
588 },
589 {
590 /* IORING_OP_READ_FIXED */
591 .needs_file = 1,
592 .unbound_nonreg_file = 1,
593 },
594 {
595 /* IORING_OP_WRITE_FIXED */
596 .needs_file = 1,
597 .hash_reg_file = 1,
598 .unbound_nonreg_file = 1,
599 },
600 {
601 /* IORING_OP_POLL_ADD */
602 .needs_file = 1,
603 .unbound_nonreg_file = 1,
604 },
605 {
606 /* IORING_OP_POLL_REMOVE */
607 },
608 {
609 /* IORING_OP_SYNC_FILE_RANGE */
610 .needs_file = 1,
611 },
612 {
613 /* IORING_OP_SENDMSG */
614 .async_ctx = 1,
615 .needs_mm = 1,
616 .needs_file = 1,
617 .unbound_nonreg_file = 1,
618 },
619 {
620 /* IORING_OP_RECVMSG */
621 .async_ctx = 1,
622 .needs_mm = 1,
623 .needs_file = 1,
624 .unbound_nonreg_file = 1,
625 },
626 {
627 /* IORING_OP_TIMEOUT */
628 .async_ctx = 1,
629 .needs_mm = 1,
630 },
631 {
632 /* IORING_OP_TIMEOUT_REMOVE */
633 },
634 {
635 /* IORING_OP_ACCEPT */
636 .needs_mm = 1,
637 .needs_file = 1,
638 .unbound_nonreg_file = 1,
639 },
640 {
641 /* IORING_OP_ASYNC_CANCEL */
642 },
643 {
644 /* IORING_OP_LINK_TIMEOUT */
645 .async_ctx = 1,
646 .needs_mm = 1,
647 },
648 {
649 /* IORING_OP_CONNECT */
650 .async_ctx = 1,
651 .needs_mm = 1,
652 .needs_file = 1,
653 .unbound_nonreg_file = 1,
654 },
655 {
656 /* IORING_OP_FALLOCATE */
657 .needs_file = 1,
658 },
659 {
660 /* IORING_OP_OPENAT */
661 .needs_file = 1,
662 .fd_non_neg = 1,
663 },
664 {
665 /* IORING_OP_CLOSE */
666 .needs_file = 1,
667 },
668 {
669 /* IORING_OP_FILES_UPDATE */
670 .needs_mm = 1,
671 },
672 {
673 /* IORING_OP_STATX */
674 .needs_mm = 1,
675 .needs_file = 1,
676 .fd_non_neg = 1,
677 },
3a6820f2
JA		 678 {
679 /* IORING_OP_READ */
680 .needs_mm = 1,
681 .needs_file = 1,
682 .unbound_nonreg_file = 1,
683 },
684 {
685 /* IORING_OP_WRITE */
686 .needs_mm = 1,
687 .needs_file = 1,
688 .unbound_nonreg_file = 1,
689 },
4840e418
JA		 690 {
691 /* IORING_OP_FADVISE */
692 .needs_file = 1,
693 },
c1ca757b
JA		 694 {
695 /* IORING_OP_MADVISE */
696 .needs_mm = 1,
697 },
fddaface
JA		 698 {
699 /* IORING_OP_SEND */
700 .needs_mm = 1,
701 .needs_file = 1,
702 .unbound_nonreg_file = 1,
703 },
704 {
705 /* IORING_OP_RECV */
706 .needs_mm = 1,
707 .needs_file = 1,
708 .unbound_nonreg_file = 1,
709 },
cebdb986
JA		 710 {
711 /* IORING_OP_OPENAT2 */
712 .needs_file = 1,
713 .fd_non_neg = 1,
714 },
d3656344
JA		 715};
716
561fb04a 717static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 718static void io_cqring_fill_event(struct io_kiocb *req, long res);
ec9c02ad 719static void io_put_req(struct io_kiocb *req);
978db57e 720static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 721static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
722static void io_queue_linked_timeout(struct io_kiocb *req);
05f3fb3c
JA		 723static int __io_sqe_files_update(struct io_ring_ctx *ctx,
724 struct io_uring_files_update *ip,
725 unsigned nr_args);
de0617e4 726
2b188cc1
JA		 727static struct kmem_cache *req_cachep;
728
729static const struct file_operations io_uring_fops;
730
731struct sock *io_uring_get_socket(struct file *file)
732{
733#if defined(CONFIG_UNIX)
734 if (file->f_op == &io_uring_fops) {
735 struct io_ring_ctx *ctx = file->private_data;
736
737 return ctx->ring_sock->sk;
738 }
739#endif
740 return NULL;
741}
742EXPORT_SYMBOL(io_uring_get_socket);
743
744static void io_ring_ctx_ref_free(struct percpu_ref *ref)
745{
746 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
747
206aefde 748 complete(&ctx->completions[0]);
2b188cc1
JA		 749}
750
751static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
752{
753 struct io_ring_ctx *ctx;
78076bb6 754 int hash_bits;
2b188cc1
JA		 755
756 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
757 if (!ctx)
758 return NULL;
759
0ddf92e8
JA		 760 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
761 if (!ctx->fallback_req)
762 goto err;
763
206aefde
JA		 764 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
765 if (!ctx->completions)
766 goto err;
767
78076bb6
JA		 768 /*
769 * Use 5 bits less than the max cq entries, that should give us around
770 * 32 entries per hash list if totally full and uniformly spread.
771 */
772 hash_bits = ilog2(p->cq_entries);
773 hash_bits -= 5;
774 if (hash_bits <= 0)
775 hash_bits = 1;
776 ctx->cancel_hash_bits = hash_bits;
777 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
778 GFP_KERNEL);
779 if (!ctx->cancel_hash)
780 goto err;
781 __hash_init(ctx->cancel_hash, 1U << hash_bits);
782
21482896 783 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 784 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
785 goto err;
2b188cc1
JA		 786
787 ctx->flags = p->flags;
788 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 789 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 790 init_completion(&ctx->completions[0]);
791 init_completion(&ctx->completions[1]);
2b188cc1
JA		 792 mutex_init(&ctx->uring_lock);
793 init_waitqueue_head(&ctx->wait);
794 spin_lock_init(&ctx->completion_lock);
e94f141b 795 init_llist_head(&ctx->poll_llist);
def596e9 796 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 797 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 798 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 799 init_waitqueue_head(&ctx->inflight_wait);
800 spin_lock_init(&ctx->inflight_lock);
801 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 802 return ctx;
206aefde 803err:
0ddf92e8
JA		 804 if (ctx->fallback_req)
805 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 806 kfree(ctx->completions);
78076bb6 807 kfree(ctx->cancel_hash);
206aefde
JA		 808 kfree(ctx);
809 return NULL;
2b188cc1
JA		 810}
811
9d858b21 812static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 813{
a197f664
JL		 814 struct io_ring_ctx *ctx = req->ctx;
815
498ccd9e
JA		 816 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
817 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 818}
819
9d858b21 820static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 821{
9d858b21
BL		 822 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
823 return __req_need_defer(req);
de0617e4 824
9d858b21 825 return false;
de0617e4
JA		 826}
827
7adf4eaf 828static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 829{
830 struct io_kiocb *req;
831
7adf4eaf 832 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 833 if (req && !req_need_defer(req)) {
de0617e4
JA		 834 list_del_init(&req->list);
835 return req;
836 }
837
838 return NULL;
839}
840
5262f567
JA		 841static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
842{
7adf4eaf
JA		 843 struct io_kiocb *req;
844
845 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 846 if (req) {
847 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
848 return NULL;
fb4b3d3f 849 if (!__req_need_defer(req)) {
93bd25bb
JA		 850 list_del_init(&req->list);
851 return req;
852 }
7adf4eaf
JA		 853 }
854
855 return NULL;
5262f567
JA		 856}
857
de0617e4 858static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 859{
75b28aff 860 struct io_rings *rings = ctx->rings;
2b188cc1 861
75b28aff 862 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 863 /* order cqe stores with ring update */
75b28aff 864 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 865
2b188cc1
JA		 866 if (wq_has_sleeper(&ctx->cq_wait)) {
867 wake_up_interruptible(&ctx->cq_wait);
868 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
869 }
870 }
871}
872
94ae5e77
JA		 873static inline bool io_prep_async_work(struct io_kiocb *req,
874 struct io_kiocb **link)
18d9be1a 875{
d3656344 876 const struct io_op_def *def = &io_op_defs[req->opcode];
561fb04a 877 bool do_hashed = false;
54a91f3b 878
d3656344
JA		 879 if (req->flags & REQ_F_ISREG) {
880 if (def->hash_reg_file)
3529d8c2 881 do_hashed = true;
d3656344
JA		 882 } else {
883 if (def->unbound_nonreg_file)
3529d8c2 884 req->work.flags |= IO_WQ_WORK_UNBOUND;
54a91f3b 885 }
d3656344 886 if (def->needs_mm)
3529d8c2 887 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b 888
94ae5e77 889 *link = io_prep_linked_timeout(req);
561fb04a
JA		 890 return do_hashed;
891}
892
a197f664 893static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 894{
a197f664 895 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 896 struct io_kiocb *link;
897 bool do_hashed;
898
899 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 900
901 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
902 req->flags);
903 if (!do_hashed) {
904 io_wq_enqueue(ctx->io_wq, &req->work);
905 } else {
906 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
907 file_inode(req->file));
908 }
94ae5e77
JA		 909
910 if (link)
911 io_queue_linked_timeout(link);
18d9be1a
JA		 912}
913
5262f567
JA		 914static void io_kill_timeout(struct io_kiocb *req)
915{
916 int ret;
917
2d28390a 918 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 919 if (ret != -1) {
920 atomic_inc(&req->ctx->cq_timeouts);
842f9612 921 list_del_init(&req->list);
78e19bbe 922 io_cqring_fill_event(req, 0);
ec9c02ad 923 io_put_req(req);
5262f567
JA		 924 }
925}
926
927static void io_kill_timeouts(struct io_ring_ctx *ctx)
928{
929 struct io_kiocb *req, *tmp;
930
931 spin_lock_irq(&ctx->completion_lock);
932 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
933 io_kill_timeout(req);
934 spin_unlock_irq(&ctx->completion_lock);
935}
936
de0617e4
JA		 937static void io_commit_cqring(struct io_ring_ctx *ctx)
938{
939 struct io_kiocb *req;
940
5262f567
JA		 941 while ((req = io_get_timeout_req(ctx)) != NULL)
942 io_kill_timeout(req);
943
de0617e4
JA		 944 __io_commit_cqring(ctx);
945
946 while ((req = io_get_deferred_req(ctx)) != NULL) {
947 req->flags |= REQ_F_IO_DRAINED;
a197f664 948 io_queue_async_work(req);
de0617e4
JA		 949 }
950}
951
2b188cc1
JA		 952static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
953{
75b28aff 954 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 955 unsigned tail;
956
957 tail = ctx->cached_cq_tail;
115e12e5
SB		 958 /*
959 * writes to the cq entry need to come after reading head; the
960 * control dependency is enough as we're using WRITE_ONCE to
961 * fill the cq entry
962 */
75b28aff 963 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 964 return NULL;
965
966 ctx->cached_cq_tail++;
75b28aff 967 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 968}
969
f2842ab5
JA		 970static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
971{
972 if (!ctx->eventfd_async)
973 return true;
974 return io_wq_current_is_worker() || in_interrupt();
975}
976
1d7bb1d5
JA		 977static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
978{
979 if (waitqueue_active(&ctx->wait))
980 wake_up(&ctx->wait);
981 if (waitqueue_active(&ctx->sqo_wait))
982 wake_up(&ctx->sqo_wait);
f2842ab5 983 if (ctx->cq_ev_fd && io_should_trigger_evfd(ctx))
1d7bb1d5
JA		 984 eventfd_signal(ctx->cq_ev_fd, 1);
985}
986
c4a2ed72
JA		 987/* Returns true if there are no backlogged entries after the flush */
988static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 989{
990 struct io_rings *rings = ctx->rings;
991 struct io_uring_cqe *cqe;
992 struct io_kiocb *req;
993 unsigned long flags;
994 LIST_HEAD(list);
995
996 if (!force) {
997 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 998 return true;
1d7bb1d5
JA		 999 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
1000 rings->cq_ring_entries))
c4a2ed72 1001 return false;
1d7bb1d5
JA		 1002 }
1003
1004 spin_lock_irqsave(&ctx->completion_lock, flags);
1005
1006 /* if force is set, the ring is going away. always drop after that */
1007 if (force)
69b3e546 1008 ctx->cq_overflow_flushed = 1;
1d7bb1d5 1009
c4a2ed72 1010 cqe = NULL;
1d7bb1d5
JA		 1011 while (!list_empty(&ctx->cq_overflow_list)) {
1012 cqe = io_get_cqring(ctx);
1013 if (!cqe && !force)
1014 break;
1015
1016 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
1017 list);
1018 list_move(&req->list, &list);
1019 if (cqe) {
1020 WRITE_ONCE(cqe->user_data, req->user_data);
1021 WRITE_ONCE(cqe->res, req->result);
1022 WRITE_ONCE(cqe->flags, 0);
1023 } else {
1024 WRITE_ONCE(ctx->rings->cq_overflow,
1025 atomic_inc_return(&ctx->cached_cq_overflow));
1026 }
1027 }
1028
1029 io_commit_cqring(ctx);
ad3eb2c8
JA		 1030 if (cqe) {
1031 clear_bit(0, &ctx->sq_check_overflow);
1032 clear_bit(0, &ctx->cq_check_overflow);
1033 }
1d7bb1d5
JA		 1034 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1035 io_cqring_ev_posted(ctx);
1036
1037 while (!list_empty(&list)) {
1038 req = list_first_entry(&list, struct io_kiocb, list);
1039 list_del(&req->list);
ec9c02ad 1040 io_put_req(req);
1d7bb1d5 1041 }
c4a2ed72
JA		 1042
1043 return cqe != NULL;
1d7bb1d5
JA		 1044}
1045
78e19bbe 1046static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 1047{
78e19bbe 1048 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1049 struct io_uring_cqe *cqe;
1050
78e19bbe 1051 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 1052
2b188cc1
JA		 1053 /*
1054 * If we can't get a cq entry, userspace overflowed the
1055 * submission (by quite a lot). Increment the overflow count in
1056 * the ring.
1057 */
1058 cqe = io_get_cqring(ctx);
1d7bb1d5 1059 if (likely(cqe)) {
78e19bbe 1060 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 1061 WRITE_ONCE(cqe->res, res);
c71ffb67 1062 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 1063 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 1064 WRITE_ONCE(ctx->rings->cq_overflow,
1065 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5 1066 } else {
ad3eb2c8
JA		 1067 if (list_empty(&ctx->cq_overflow_list)) {
1068 set_bit(0, &ctx->sq_check_overflow);
1069 set_bit(0, &ctx->cq_check_overflow);
1070 }
1d7bb1d5
JA		 1071 refcount_inc(&req->refs);
1072 req->result = res;
1073 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 1074 }
1075}
1076
78e19bbe 1077static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 1078{
78e19bbe 1079 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1080 unsigned long flags;
1081
1082 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 1083 io_cqring_fill_event(req, res);
2b188cc1
JA		 1084 io_commit_cqring(ctx);
1085 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1086
8c838788 1087 io_cqring_ev_posted(ctx);
2b188cc1
JA		 1088}
1089
0ddf92e8
JA		 1090static inline bool io_is_fallback_req(struct io_kiocb *req)
1091{
1092 return req == (struct io_kiocb *)
1093 ((unsigned long) req->ctx->fallback_req & ~1UL);
1094}
1095
1096static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1097{
1098 struct io_kiocb *req;
1099
1100 req = ctx->fallback_req;
1101 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1102 return req;
1103
1104 return NULL;
1105}
1106
2579f913
JA		 1107static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1108 struct io_submit_state *state)
2b188cc1 1109{
fd6fab2c 1110 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 1111 struct io_kiocb *req;
1112
2579f913 1113 if (!state) {
fd6fab2c 1114 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 1115 if (unlikely(!req))
0ddf92e8 1116 goto fallback;
2579f913
JA		 1117 } else if (!state->free_reqs) {
1118 size_t sz;
1119 int ret;
1120
1121 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 1122 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1123
1124 /*
1125 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1126 * retry single alloc to be on the safe side.
1127 */
1128 if (unlikely(ret <= 0)) {
1129 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1130 if (!state->reqs[0])
0ddf92e8 1131 goto fallback;
fd6fab2c
JA		 1132 ret = 1;
1133 }
2579f913
JA		 1134 state->free_reqs = ret - 1;
1135 state->cur_req = 1;
1136 req = state->reqs[0];
1137 } else {
1138 req = state->reqs[state->cur_req];
1139 state->free_reqs--;
1140 state->cur_req++;
2b188cc1
JA		 1141 }
1142
0ddf92e8 1143got_it:
1a6b74fc 1144 req->io = NULL;
cf6fd4bd 1145 req->ring_file = NULL;
60c112b0 1146 req->file = NULL;
2579f913
JA		 1147 req->ctx = ctx;
1148 req->flags = 0;
e65ef56d
JA		 1149 /* one is dropped after submission, the other at completion */
1150 refcount_set(&req->refs, 2);
9e645e11 1151 req->result = 0;
561fb04a 1152 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 1153 return req;
0ddf92e8
JA		 1154fallback:
1155 req = io_get_fallback_req(ctx);
1156 if (req)
1157 goto got_it;
6805b32e 1158 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 1159 return NULL;
1160}
1161
2b85edfc
PB		 1162static void __io_req_do_free(struct io_kiocb *req)
1163{
1164 if (likely(!io_is_fallback_req(req)))
1165 kmem_cache_free(req_cachep, req);
1166 else
1167 clear_bit_unlock(0, (unsigned long *) req->ctx->fallback_req);
1168}
1169
c6ca97b3 1170static void __io_req_aux_free(struct io_kiocb *req)
2b188cc1 1171{
fcb323cc
JA		 1172 struct io_ring_ctx *ctx = req->ctx;
1173
96fd84d8 1174 kfree(req->io);
05f3fb3c
JA		 1175 if (req->file) {
1176 if (req->flags & REQ_F_FIXED_FILE)
1177 percpu_ref_put(&ctx->file_data->refs);
1178 else
1179 fput(req->file);
1180 }
c6ca97b3
JA		 1181}
1182
1183static void __io_free_req(struct io_kiocb *req)
1184{
1185 __io_req_aux_free(req);
1186
fcb323cc 1187 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3 1188 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 1189 unsigned long flags;
1190
1191 spin_lock_irqsave(&ctx->inflight_lock, flags);
1192 list_del(&req->inflight_entry);
1193 if (waitqueue_active(&ctx->inflight_wait))
1194 wake_up(&ctx->inflight_wait);
1195 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1196 }
2b85edfc
PB		 1197
1198 percpu_ref_put(&req->ctx->refs);
1199 __io_req_do_free(req);
e65ef56d
JA		 1200}
1201
c6ca97b3
JA		 1202struct req_batch {
1203 void *reqs[IO_IOPOLL_BATCH];
1204 int to_free;
1205 int need_iter;
1206};
1207
1208static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
1209{
10fef4be
JA		 1210 int fixed_refs = rb->to_free;
1211
c6ca97b3
JA		 1212 if (!rb->to_free)
1213 return;
1214 if (rb->need_iter) {
1215 int i, inflight = 0;
1216 unsigned long flags;
1217
10fef4be 1218 fixed_refs = 0;
c6ca97b3
JA		 1219 for (i = 0; i < rb->to_free; i++) {
1220 struct io_kiocb *req = rb->reqs[i];
1221
10fef4be 1222 if (req->flags & REQ_F_FIXED_FILE) {
c6ca97b3 1223 req->file = NULL;
10fef4be
JA		 1224 fixed_refs++;
1225 }
c6ca97b3
JA		 1226 if (req->flags & REQ_F_INFLIGHT)
1227 inflight++;
c6ca97b3
JA		 1228 __io_req_aux_free(req);
1229 }
1230 if (!inflight)
1231 goto do_free;
1232
1233 spin_lock_irqsave(&ctx->inflight_lock, flags);
1234 for (i = 0; i < rb->to_free; i++) {
1235 struct io_kiocb *req = rb->reqs[i];
1236
10fef4be 1237 if (req->flags & REQ_F_INFLIGHT) {
c6ca97b3
JA		 1238 list_del(&req->inflight_entry);
1239 if (!--inflight)
1240 break;
1241 }
1242 }
1243 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1244
1245 if (waitqueue_active(&ctx->inflight_wait))
1246 wake_up(&ctx->inflight_wait);
1247 }
1248do_free:
1249 kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
10fef4be
JA		 1250 if (fixed_refs)
1251 percpu_ref_put_many(&ctx->file_data->refs, fixed_refs);
c6ca97b3 1252 percpu_ref_put_many(&ctx->refs, rb->to_free);
c6ca97b3
JA		 1253 rb->to_free = rb->need_iter = 0;
1254}
1255
a197f664 1256static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 1257{
a197f664 1258 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1259 int ret;
1260
2d28390a 1261 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 1262 if (ret != -1) {
78e19bbe 1263 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 1264 io_commit_cqring(ctx);
1265 req->flags &= ~REQ_F_LINK;
ec9c02ad 1266 io_put_req(req);
2665abfd
JA		 1267 return true;
1268 }
1269
1270 return false;
e65ef56d
JA		 1271}
1272
ba816ad6 1273static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 1274{
2665abfd 1275 struct io_ring_ctx *ctx = req->ctx;
2665abfd 1276 bool wake_ev = false;
9e645e11 1277
4d7dd462
JA		 1278 /* Already got next link */
1279 if (req->flags & REQ_F_LINK_NEXT)
1280 return;
1281
9e645e11
JA		 1282 /*
1283 * The list should never be empty when we are called here. But could
1284 * potentially happen if the chain is messed up, check to be on the
1285 * safe side.
1286 */
4493233e
PB		 1287 while (!list_empty(&req->link_list)) {
1288 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1289 struct io_kiocb, link_list);
94ae5e77 1290
4493233e
PB		 1291 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1292 (nxt->flags & REQ_F_TIMEOUT))) {
1293 list_del_init(&nxt->link_list);
94ae5e77 1294 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 1295 req->flags &= ~REQ_F_LINK_TIMEOUT;
1296 continue;
1297 }
9e645e11 1298
4493233e
PB		 1299 list_del_init(&req->link_list);
1300 if (!list_empty(&nxt->link_list))
1301 nxt->flags |= REQ_F_LINK;
b18fdf71 1302 *nxtptr = nxt;
94ae5e77 1303 break;
9e645e11 1304 }
2665abfd 1305
4d7dd462 1306 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1307 if (wake_ev)
1308 io_cqring_ev_posted(ctx);
9e645e11
JA		 1309}
1310
1311/*
1312 * Called if REQ_F_LINK is set, and we fail the head request
1313 */
1314static void io_fail_links(struct io_kiocb *req)
1315{
2665abfd 1316 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1317 unsigned long flags;
1318
1319 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1320
1321 while (!list_empty(&req->link_list)) {
4493233e
PB		 1322 struct io_kiocb *link = list_first_entry(&req->link_list,
1323 struct io_kiocb, link_list);
9e645e11 1324
4493233e 1325 list_del_init(&link->link_list);
c826bd7a 1326 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1327
1328 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1329 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1330 io_link_cancel_timeout(link);
2665abfd 1331 } else {
78e19bbe 1332 io_cqring_fill_event(link, -ECANCELED);
978db57e 1333 __io_double_put_req(link);
2665abfd 1334 }
5d960724 1335 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1336 }
2665abfd
JA		 1337
1338 io_commit_cqring(ctx);
1339 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1340 io_cqring_ev_posted(ctx);
9e645e11
JA		 1341}
1342
4d7dd462 1343static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1344{
4d7dd462 1345 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1346 return;
2665abfd 1347
9e645e11
JA		 1348 /*
1349 * If LINK is set, we have dependent requests in this chain. If we
1350 * didn't fail this request, queue the first one up, moving any other
1351 * dependencies to the next request. In case of failure, fail the rest
1352 * of the chain.
1353 */
2665abfd
JA		 1354 if (req->flags & REQ_F_FAIL_LINK) {
1355 io_fail_links(req);
7c9e7f0f
JA		 1356 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1357 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1358 struct io_ring_ctx *ctx = req->ctx;
1359 unsigned long flags;
1360
1361 /*
1362 * If this is a timeout link, we could be racing with the
1363 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1364 * protect against that.
2665abfd
JA		 1365 */
1366 spin_lock_irqsave(&ctx->completion_lock, flags);
1367 io_req_link_next(req, nxt);
1368 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1369 } else {
1370 io_req_link_next(req, nxt);
9e645e11 1371 }
4d7dd462 1372}
9e645e11 1373
c69f8dbe
JL		 1374static void io_free_req(struct io_kiocb *req)
1375{
944e58bf
PB		 1376 struct io_kiocb *nxt = NULL;
1377
1378 io_req_find_next(req, &nxt);
70cf9f32 1379 __io_free_req(req);
944e58bf
PB		 1380
1381 if (nxt)
1382 io_queue_async_work(nxt);
c69f8dbe
JL		 1383}
1384
ba816ad6
JA		 1385/*
1386 * Drop reference to request, return next in chain (if there is one) if this
1387 * was the last reference to this request.
1388 */
f9bd67f6 1389__attribute__((nonnull))
ec9c02ad 1390static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1391{
f9bd67f6 1392 io_req_find_next(req, nxtptr);
4d7dd462 1393
e65ef56d 1394 if (refcount_dec_and_test(&req->refs))
4d7dd462 1395 __io_free_req(req);
2b188cc1
JA		 1396}
1397
e65ef56d
JA		 1398static void io_put_req(struct io_kiocb *req)
1399{
1400 if (refcount_dec_and_test(&req->refs))
1401 io_free_req(req);
2b188cc1
JA		 1402}
1403
978db57e
JA		 1404/*
1405 * Must only be used if we don't need to care about links, usually from
1406 * within the completion handling itself.
1407 */
1408static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1409{
1410 /* drop both submit and complete references */
1411 if (refcount_sub_and_test(2, &req->refs))
1412 __io_free_req(req);
1413}
1414
978db57e
JA		 1415static void io_double_put_req(struct io_kiocb *req)
1416{
1417 /* drop both submit and complete references */
1418 if (refcount_sub_and_test(2, &req->refs))
1419 io_free_req(req);
1420}
1421
1d7bb1d5 1422static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1423{
84f97dc2
JA		 1424 struct io_rings *rings = ctx->rings;
1425
ad3eb2c8
JA		 1426 if (test_bit(0, &ctx->cq_check_overflow)) {
1427 /*
1428 * noflush == true is from the waitqueue handler, just ensure
1429 * we wake up the task, and the next invocation will flush the
1430 * entries. We cannot safely to it from here.
1431 */
1432 if (noflush && !list_empty(&ctx->cq_overflow_list))
1433 return -1U;
1d7bb1d5 1434
ad3eb2c8
JA		 1435 io_cqring_overflow_flush(ctx, false);
1436 }
1d7bb1d5 1437
a3a0e43f
JA		 1438 /* See comment at the top of this file */
1439 smp_rmb();
ad3eb2c8 1440 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1441}
1442
fb5ccc98
PB		 1443static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1444{
1445 struct io_rings *rings = ctx->rings;
1446
1447 /* make sure SQ entry isn't read before tail */
1448 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1449}
1450
8237e045 1451static inline bool io_req_multi_free(struct req_batch *rb, struct io_kiocb *req)
e94f141b 1452{
c6ca97b3
JA		 1453 if ((req->flags & REQ_F_LINK) || io_is_fallback_req(req))
1454 return false;
e94f141b 1455
c6ca97b3
JA		 1456 if (!(req->flags & REQ_F_FIXED_FILE) || req->io)
1457 rb->need_iter++;
1458
1459 rb->reqs[rb->to_free++] = req;
1460 if (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))
1461 io_free_req_many(req->ctx, rb);
1462 return true;
e94f141b
JA		 1463}
1464
def596e9
JA		 1465/*
1466 * Find and free completed poll iocbs
1467 */
1468static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1469 struct list_head *done)
1470{
8237e045 1471 struct req_batch rb;
def596e9 1472 struct io_kiocb *req;
def596e9 1473
c6ca97b3 1474 rb.to_free = rb.need_iter = 0;
def596e9
JA		 1475 while (!list_empty(done)) {
1476 req = list_first_entry(done, struct io_kiocb, list);
1477 list_del(&req->list);
1478
78e19bbe 1479 io_cqring_fill_event(req, req->result);
def596e9
JA		 1480 (*nr_events)++;
1481
8237e045
JA		 1482 if (refcount_dec_and_test(&req->refs) &&
1483 !io_req_multi_free(&rb, req))
1484 io_free_req(req);
def596e9 1485 }
def596e9 1486
09bb8394 1487 io_commit_cqring(ctx);
8237e045 1488 io_free_req_many(ctx, &rb);
def596e9
JA		 1489}
1490
1491static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1492 long min)
1493{
1494 struct io_kiocb *req, *tmp;
1495 LIST_HEAD(done);
1496 bool spin;
1497 int ret;
1498
1499 /*
1500 * Only spin for completions if we don't have multiple devices hanging
1501 * off our complete list, and we're under the requested amount.
1502 */
1503 spin = !ctx->poll_multi_file && *nr_events < min;
1504
1505 ret = 0;
1506 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1507 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1508
1509 /*
1510 * Move completed entries to our local list. If we find a
1511 * request that requires polling, break out and complete
1512 * the done list first, if we have entries there.
1513 */
1514 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1515 list_move_tail(&req->list, &done);
1516 continue;
1517 }
1518 if (!list_empty(&done))
1519 break;
1520
1521 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1522 if (ret < 0)
1523 break;
1524
1525 if (ret && spin)
1526 spin = false;
1527 ret = 0;
1528 }
1529
1530 if (!list_empty(&done))
1531 io_iopoll_complete(ctx, nr_events, &done);
1532
1533 return ret;
1534}
1535
1536/*
d195a66e 1537 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1538 * non-spinning poll check - we'll still enter the driver poll loop, but only
1539 * as a non-spinning completion check.
1540 */
1541static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1542 long min)
1543{
08f5439f 1544 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1545 int ret;
1546
1547 ret = io_do_iopoll(ctx, nr_events, min);
1548 if (ret < 0)
1549 return ret;
1550 if (!min || *nr_events >= min)
1551 return 0;
1552 }
1553
1554 return 1;
1555}
1556
1557/*
1558 * We can't just wait for polled events to come to us, we have to actively
1559 * find and complete them.
1560 */
1561static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1562{
1563 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1564 return;
1565
1566 mutex_lock(&ctx->uring_lock);
1567 while (!list_empty(&ctx->poll_list)) {
1568 unsigned int nr_events = 0;
1569
1570 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1571
1572 /*
1573 * Ensure we allow local-to-the-cpu processing to take place,
1574 * in this case we need to ensure that we reap all events.
1575 */
1576 cond_resched();
def596e9
JA		 1577 }
1578 mutex_unlock(&ctx->uring_lock);
1579}
1580
2b2ed975
JA		 1581static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1582 long min)
def596e9 1583{
2b2ed975 1584 int iters = 0, ret = 0;
500f9fba 1585
def596e9
JA		 1586 do {
1587 int tmin = 0;
1588
a3a0e43f
JA		 1589 /*
1590 * Don't enter poll loop if we already have events pending.
1591 * If we do, we can potentially be spinning for commands that
1592 * already triggered a CQE (eg in error).
1593 */
1d7bb1d5 1594 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1595 break;
1596
500f9fba
JA		 1597 /*
1598 * If a submit got punted to a workqueue, we can have the
1599 * application entering polling for a command before it gets
1600 * issued. That app will hold the uring_lock for the duration
1601 * of the poll right here, so we need to take a breather every
1602 * now and then to ensure that the issue has a chance to add
1603 * the poll to the issued list. Otherwise we can spin here
1604 * forever, while the workqueue is stuck trying to acquire the
1605 * very same mutex.
1606 */
1607 if (!(++iters & 7)) {
1608 mutex_unlock(&ctx->uring_lock);
1609 mutex_lock(&ctx->uring_lock);
1610 }
1611
def596e9
JA		 1612 if (*nr_events < min)
1613 tmin = min - *nr_events;
1614
1615 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1616 if (ret <= 0)
1617 break;
1618 ret = 0;
1619 } while (min && !*nr_events && !need_resched());
1620
2b2ed975
JA		 1621 return ret;
1622}
1623
1624static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1625 long min)
1626{
1627 int ret;
1628
1629 /*
1630 * We disallow the app entering submit/complete with polling, but we
1631 * still need to lock the ring to prevent racing with polled issue
1632 * that got punted to a workqueue.
1633 */
1634 mutex_lock(&ctx->uring_lock);
1635 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1636 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1637 return ret;
1638}
1639
491381ce 1640static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1641{
491381ce
JA		 1642 /*
1643 * Tell lockdep we inherited freeze protection from submission
1644 * thread.
1645 */
1646 if (req->flags & REQ_F_ISREG) {
1647 struct inode *inode = file_inode(req->file);
2b188cc1 1648
491381ce 1649 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1650 }
491381ce 1651 file_end_write(req->file);
2b188cc1
JA		 1652}
1653
4e88d6e7
JA		 1654static inline void req_set_fail_links(struct io_kiocb *req)
1655{
1656 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1657 req->flags |= REQ_F_FAIL_LINK;
1658}
1659
ba816ad6 1660static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1661{
9adbd45d 1662 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1663
491381ce
JA		 1664 if (kiocb->ki_flags & IOCB_WRITE)
1665 kiocb_end_write(req);
2b188cc1 1666
4e88d6e7
JA		 1667 if (res != req->result)
1668 req_set_fail_links(req);
78e19bbe 1669 io_cqring_add_event(req, res);
ba816ad6
JA		 1670}
1671
1672static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1673{
9adbd45d 1674 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1675
1676 io_complete_rw_common(kiocb, res);
e65ef56d 1677 io_put_req(req);
2b188cc1
JA		 1678}
1679
ba816ad6
JA		 1680static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1681{
9adbd45d 1682 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1683 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1684
1685 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1686 io_put_req_find_next(req, &nxt);
1687
1688 return nxt;
2b188cc1
JA		 1689}
1690
def596e9
JA		 1691static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1692{
9adbd45d 1693 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1694
491381ce
JA		 1695 if (kiocb->ki_flags & IOCB_WRITE)
1696 kiocb_end_write(req);
def596e9 1697
4e88d6e7
JA		 1698 if (res != req->result)
1699 req_set_fail_links(req);
9e645e11 1700 req->result = res;
def596e9
JA		 1701 if (res != -EAGAIN)
1702 req->flags |= REQ_F_IOPOLL_COMPLETED;
1703}
1704
1705/*
1706 * After the iocb has been issued, it's safe to be found on the poll list.
1707 * Adding the kiocb to the list AFTER submission ensures that we don't
1708 * find it from a io_iopoll_getevents() thread before the issuer is done
1709 * accessing the kiocb cookie.
1710 */
1711static void io_iopoll_req_issued(struct io_kiocb *req)
1712{
1713 struct io_ring_ctx *ctx = req->ctx;
1714
1715 /*
1716 * Track whether we have multiple files in our lists. This will impact
1717 * how we do polling eventually, not spinning if we're on potentially
1718 * different devices.
1719 */
1720 if (list_empty(&ctx->poll_list)) {
1721 ctx->poll_multi_file = false;
1722 } else if (!ctx->poll_multi_file) {
1723 struct io_kiocb *list_req;
1724
1725 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1726 list);
9adbd45d 1727 if (list_req->file != req->file)
def596e9
JA		 1728 ctx->poll_multi_file = true;
1729 }
1730
1731 /*
1732 * For fast devices, IO may have already completed. If it has, add
1733 * it to the front so we find it first.
1734 */
1735 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1736 list_add(&req->list, &ctx->poll_list);
1737 else
1738 list_add_tail(&req->list, &ctx->poll_list);
1739}
1740
3d6770fb 1741static void io_file_put(struct io_submit_state *state)
9a56a232 1742{
3d6770fb 1743 if (state->file) {
9a56a232
JA		 1744 int diff = state->has_refs - state->used_refs;
1745
1746 if (diff)
1747 fput_many(state->file, diff);
1748 state->file = NULL;
1749 }
1750}
1751
1752/*
1753 * Get as many references to a file as we have IOs left in this submission,
1754 * assuming most submissions are for one file, or at least that each file
1755 * has more than one submission.
1756 */
1757static struct file *io_file_get(struct io_submit_state *state, int fd)
1758{
1759 if (!state)
1760 return fget(fd);
1761
1762 if (state->file) {
1763 if (state->fd == fd) {
1764 state->used_refs++;
1765 state->ios_left--;
1766 return state->file;
1767 }
3d6770fb 1768 io_file_put(state);
9a56a232
JA		 1769 }
1770 state->file = fget_many(fd, state->ios_left);
1771 if (!state->file)
1772 return NULL;
1773
1774 state->fd = fd;
1775 state->has_refs = state->ios_left;
1776 state->used_refs = 1;
1777 state->ios_left--;
1778 return state->file;
1779}
1780
2b188cc1
JA		 1781/*
1782 * If we tracked the file through the SCM inflight mechanism, we could support
1783 * any file. For now, just ensure that anything potentially problematic is done
1784 * inline.
1785 */
1786static bool io_file_supports_async(struct file *file)
1787{
1788 umode_t mode = file_inode(file)->i_mode;
1789
10d59345 1790 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1791 return true;
1792 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1793 return true;
1794
1795 return false;
1796}
1797
3529d8c2
JA		 1798static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1799 bool force_nonblock)
2b188cc1 1800{
def596e9 1801 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1802 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1803 unsigned ioprio;
1804 int ret;
2b188cc1 1805
09bb8394
JA		 1806 if (!req->file)
1807 return -EBADF;
2b188cc1 1808
491381ce
JA		 1809 if (S_ISREG(file_inode(req->file)->i_mode))
1810 req->flags |= REQ_F_ISREG;
1811
2b188cc1 1812 kiocb->ki_pos = READ_ONCE(sqe->off);
ba04291e
JA		 1813 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1814 req->flags |= REQ_F_CUR_POS;
1815 kiocb->ki_pos = req->file->f_pos;
1816 }
2b188cc1
JA		 1817 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1818 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1819
1820 ioprio = READ_ONCE(sqe->ioprio);
1821 if (ioprio) {
1822 ret = ioprio_check_cap(ioprio);
1823 if (ret)
09bb8394 1824 return ret;
2b188cc1
JA		 1825
1826 kiocb->ki_ioprio = ioprio;
1827 } else
1828 kiocb->ki_ioprio = get_current_ioprio();
1829
1830 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1831 if (unlikely(ret))
09bb8394 1832 return ret;
8449eeda
SB		 1833
1834 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1835 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1836 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1837 req->flags |= REQ_F_NOWAIT;
1838
1839 if (force_nonblock)
2b188cc1 1840 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1841
def596e9 1842 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1843 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1844 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1845 return -EOPNOTSUPP;
2b188cc1 1846
def596e9
JA		 1847 kiocb->ki_flags |= IOCB_HIPRI;
1848 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1849 req->result = 0;
def596e9 1850 } else {
09bb8394
JA		 1851 if (kiocb->ki_flags & IOCB_HIPRI)
1852 return -EINVAL;
def596e9
JA		 1853 kiocb->ki_complete = io_complete_rw;
1854 }
9adbd45d 1855
3529d8c2
JA		 1856 req->rw.addr = READ_ONCE(sqe->addr);
1857 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1858 /* we own ->private, reuse it for the buffer index */
1859 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1860 READ_ONCE(sqe->buf_index);
2b188cc1 1861 return 0;
2b188cc1
JA		 1862}
1863
1864static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1865{
1866 switch (ret) {
1867 case -EIOCBQUEUED:
1868 break;
1869 case -ERESTARTSYS:
1870 case -ERESTARTNOINTR:
1871 case -ERESTARTNOHAND:
1872 case -ERESTART_RESTARTBLOCK:
1873 /*
1874 * We can't just restart the syscall, since previously
1875 * submitted sqes may already be in progress. Just fail this
1876 * IO with EINTR.
1877 */
1878 ret = -EINTR;
1879 /* fall through */
1880 default:
1881 kiocb->ki_complete(kiocb, ret, 0);
1882 }
1883}
1884
ba816ad6
JA		 1885static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1886 bool in_async)
1887{
ba04291e
JA		 1888 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1889
1890 if (req->flags & REQ_F_CUR_POS)
1891 req->file->f_pos = kiocb->ki_pos;
f9bd67f6 1892 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1893 *nxt = __io_complete_rw(kiocb, ret);
1894 else
1895 io_rw_done(kiocb, ret);
1896}
1897
9adbd45d 1898static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 1899 struct iov_iter *iter)
edafccee 1900{
9adbd45d
JA		 1901 struct io_ring_ctx *ctx = req->ctx;
1902 size_t len = req->rw.len;
edafccee
JA		 1903 struct io_mapped_ubuf *imu;
1904 unsigned index, buf_index;
1905 size_t offset;
1906 u64 buf_addr;
1907
1908 /* attempt to use fixed buffers without having provided iovecs */
1909 if (unlikely(!ctx->user_bufs))
1910 return -EFAULT;
1911
9adbd45d 1912 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 1913 if (unlikely(buf_index >= ctx->nr_user_bufs))
1914 return -EFAULT;
1915
1916 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1917 imu = &ctx->user_bufs[index];
9adbd45d 1918 buf_addr = req->rw.addr;
edafccee
JA		 1919
1920 /* overflow */
1921 if (buf_addr + len < buf_addr)
1922 return -EFAULT;
1923 /* not inside the mapped region */
1924 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1925 return -EFAULT;
1926
1927 /*
1928 * May not be a start of buffer, set size appropriately
1929 * and advance us to the beginning.
1930 */
1931 offset = buf_addr - imu->ubuf;
1932 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1933
1934 if (offset) {
1935 /*
1936 * Don't use iov_iter_advance() here, as it's really slow for
1937 * using the latter parts of a big fixed buffer - it iterates
1938 * over each segment manually. We can cheat a bit here, because
1939 * we know that:
1940 *
1941 * 1) it's a BVEC iter, we set it up
1942 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1943 * first and last bvec
1944 *
1945 * So just find our index, and adjust the iterator afterwards.
1946 * If the offset is within the first bvec (or the whole first
1947 * bvec, just use iov_iter_advance(). This makes it easier
1948 * since we can just skip the first segment, which may not
1949 * be PAGE_SIZE aligned.
1950 */
1951 const struct bio_vec *bvec = imu->bvec;
1952
1953 if (offset <= bvec->bv_len) {
1954 iov_iter_advance(iter, offset);
1955 } else {
1956 unsigned long seg_skip;
1957
1958 /* skip first vec */
1959 offset -= bvec->bv_len;
1960 seg_skip = 1 + (offset >> PAGE_SHIFT);
1961
1962 iter->bvec = bvec + seg_skip;
1963 iter->nr_segs -= seg_skip;
99c79f66 1964 iter->count -= bvec->bv_len + offset;
bd11b3a3 1965 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1966 }
1967 }
1968
5e559561 1969 return len;
edafccee
JA		 1970}
1971
cf6fd4bd
PB		 1972static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1973 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1974{
9adbd45d
JA		 1975 void __user *buf = u64_to_user_ptr(req->rw.addr);
1976 size_t sqe_len = req->rw.len;
edafccee
JA		 1977 u8 opcode;
1978
d625c6ee 1979 opcode = req->opcode;
7d009165 1980 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1981 *iovec = NULL;
9adbd45d 1982 return io_import_fixed(req, rw, iter);
edafccee 1983 }
2b188cc1 1984
9adbd45d
JA		 1985 /* buffer index only valid with fixed read/write */
1986 if (req->rw.kiocb.private)
1987 return -EINVAL;
1988
3a6820f2
JA		 1989 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
1990 ssize_t ret;
1991 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
1992 *iovec = NULL;
1993 return ret;
1994 }
1995
f67676d1
JA		 1996 if (req->io) {
1997 struct io_async_rw *iorw = &req->io->rw;
1998
1999 *iovec = iorw->iov;
2000 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
2001 if (iorw->iov == iorw->fast_iov)
2002 *iovec = NULL;
2003 return iorw->size;
2004 }
2005
cf6fd4bd 2006 if (!req->has_user)
2b188cc1
JA		 2007 return -EFAULT;
2008
2009#ifdef CONFIG_COMPAT
cf6fd4bd 2010 if (req->ctx->compat)
2b188cc1
JA		 2011 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
2012 iovec, iter);
2013#endif
2014
2015 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
2016}
2017
31b51510 2018/*
32960613
JA		 2019 * For files that don't have ->read_iter() and ->write_iter(), handle them
2020 * by looping over ->read() or ->write() manually.
31b51510 2021 */
32960613
JA		 2022static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
2023 struct iov_iter *iter)
2024{
2025 ssize_t ret = 0;
2026
2027 /*
2028 * Don't support polled IO through this interface, and we can't
2029 * support non-blocking either. For the latter, this just causes
2030 * the kiocb to be handled from an async context.
2031 */
2032 if (kiocb->ki_flags & IOCB_HIPRI)
2033 return -EOPNOTSUPP;
2034 if (kiocb->ki_flags & IOCB_NOWAIT)
2035 return -EAGAIN;
2036
2037 while (iov_iter_count(iter)) {
311ae9e1 2038 struct iovec iovec;
32960613
JA		 2039 ssize_t nr;
2040
311ae9e1
PB		 2041 if (!iov_iter_is_bvec(iter)) {
2042 iovec = iov_iter_iovec(iter);
2043 } else {
2044 /* fixed buffers import bvec */
2045 iovec.iov_base = kmap(iter->bvec->bv_page)
2046 + iter->iov_offset;
2047 iovec.iov_len = min(iter->count,
2048 iter->bvec->bv_len - iter->iov_offset);
2049 }
2050
32960613
JA		 2051 if (rw == READ) {
2052 nr = file->f_op->read(file, iovec.iov_base,
2053 iovec.iov_len, &kiocb->ki_pos);
2054 } else {
2055 nr = file->f_op->write(file, iovec.iov_base,
2056 iovec.iov_len, &kiocb->ki_pos);
2057 }
2058
311ae9e1
PB		 2059 if (iov_iter_is_bvec(iter))
2060 kunmap(iter->bvec->bv_page);
2061
32960613
JA		 2062 if (nr < 0) {
2063 if (!ret)
2064 ret = nr;
2065 break;
2066 }
2067 ret += nr;
2068 if (nr != iovec.iov_len)
2069 break;
2070 iov_iter_advance(iter, nr);
2071 }
2072
2073 return ret;
2074}
2075
b7bb4f7d 2076static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 2077 struct iovec *iovec, struct iovec *fast_iov,
2078 struct iov_iter *iter)
2079{
2080 req->io->rw.nr_segs = iter->nr_segs;
2081 req->io->rw.size = io_size;
2082 req->io->rw.iov = iovec;
2083 if (!req->io->rw.iov) {
2084 req->io->rw.iov = req->io->rw.fast_iov;
2085 memcpy(req->io->rw.iov, fast_iov,
2086 sizeof(struct iovec) * iter->nr_segs);
2087 }
2088}
2089
b7bb4f7d 2090static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1 2091{
d3656344
JA		 2092 if (!io_op_defs[req->opcode].async_ctx)
2093 return 0;
f67676d1 2094 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 2095 return req->io == NULL;
b7bb4f7d
JA		 2096}
2097
2098static void io_rw_async(struct io_wq_work **workptr)
2099{
2100 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2101 struct iovec *iov = NULL;
2102
2103 if (req->io->rw.iov != req->io->rw.fast_iov)
2104 iov = req->io->rw.iov;
2105 io_wq_submit_work(workptr);
2106 kfree(iov);
2107}
2108
2109static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2110 struct iovec *iovec, struct iovec *fast_iov,
2111 struct iov_iter *iter)
2112{
74566df3
JA		 2113 if (req->opcode == IORING_OP_READ_FIXED ||
2114 req->opcode == IORING_OP_WRITE_FIXED)
2115 return 0;
b7bb4f7d
JA		 2116 if (!req->io && io_alloc_async_ctx(req))
2117 return -ENOMEM;
2118
2119 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2120 req->work.func = io_rw_async;
2121 return 0;
f67676d1
JA		 2122}
2123
3529d8c2
JA		 2124static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2125 bool force_nonblock)
f67676d1 2126{
3529d8c2
JA		 2127 struct io_async_ctx *io;
2128 struct iov_iter iter;
f67676d1
JA		 2129 ssize_t ret;
2130
3529d8c2
JA		 2131 ret = io_prep_rw(req, sqe, force_nonblock);
2132 if (ret)
2133 return ret;
f67676d1 2134
3529d8c2
JA		 2135 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2136 return -EBADF;
f67676d1 2137
3529d8c2
JA		 2138 if (!req->io)
2139 return 0;
2140
2141 io = req->io;
2142 io->rw.iov = io->rw.fast_iov;
2143 req->io = NULL;
2144 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2145 req->io = io;
2146 if (ret < 0)
2147 return ret;
2148
2149 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2150 return 0;
f67676d1
JA		 2151}
2152
267bc904 2153static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2154 bool force_nonblock)
2b188cc1
JA		 2155{
2156 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2157 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2158 struct iov_iter iter;
31b51510 2159 size_t iov_count;
f67676d1 2160 ssize_t io_size, ret;
2b188cc1 2161
3529d8c2 2162 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 2163 if (ret < 0)
2164 return ret;
2b188cc1 2165
fd6c2e4c
JA		 2166 /* Ensure we clear previously set non-block flag */
2167 if (!force_nonblock)
9adbd45d 2168 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2169
797f3f53 2170 req->result = 0;
f67676d1 2171 io_size = ret;
9e645e11 2172 if (req->flags & REQ_F_LINK)
f67676d1
JA		 2173 req->result = io_size;
2174
2175 /*
2176 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2177 * we know to async punt it even if it was opened O_NONBLOCK
2178 */
9adbd45d 2179 if (force_nonblock && !io_file_supports_async(req->file)) {
f67676d1
JA		 2180 req->flags |= REQ_F_MUST_PUNT;
2181 goto copy_iov;
2182 }
9e645e11 2183
31b51510 2184 iov_count = iov_iter_count(&iter);
9adbd45d 2185 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 2186 if (!ret) {
2187 ssize_t ret2;
2188
9adbd45d
JA		 2189 if (req->file->f_op->read_iter)
2190 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 2191 else
9adbd45d 2192 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 2193
9d93a3f5 2194 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 2195 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2196 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2197 } else {
2198copy_iov:
b7bb4f7d 2199 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2200 inline_vecs, &iter);
2201 if (ret)
2202 goto out_free;
2203 return -EAGAIN;
2204 }
2b188cc1 2205 }
f67676d1 2206out_free:
b7bb4f7d
JA		 2207 if (!io_wq_current_is_worker())
2208 kfree(iovec);
2b188cc1
JA		 2209 return ret;
2210}
2211
3529d8c2
JA		 2212static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2213 bool force_nonblock)
f67676d1 2214{
3529d8c2
JA		 2215 struct io_async_ctx *io;
2216 struct iov_iter iter;
f67676d1
JA		 2217 ssize_t ret;
2218
3529d8c2
JA		 2219 ret = io_prep_rw(req, sqe, force_nonblock);
2220 if (ret)
2221 return ret;
f67676d1 2222
3529d8c2
JA		 2223 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2224 return -EBADF;
f67676d1 2225
3529d8c2
JA		 2226 if (!req->io)
2227 return 0;
2228
2229 io = req->io;
2230 io->rw.iov = io->rw.fast_iov;
2231 req->io = NULL;
2232 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2233 req->io = io;
2234 if (ret < 0)
2235 return ret;
2236
2237 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2238 return 0;
f67676d1
JA		 2239}
2240
267bc904 2241static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2242 bool force_nonblock)
2b188cc1
JA		 2243{
2244 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2245 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2246 struct iov_iter iter;
31b51510 2247 size_t iov_count;
f67676d1 2248 ssize_t ret, io_size;
2b188cc1 2249
3529d8c2 2250 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 2251 if (ret < 0)
2252 return ret;
2b188cc1 2253
fd6c2e4c
JA		 2254 /* Ensure we clear previously set non-block flag */
2255 if (!force_nonblock)
9adbd45d 2256 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2257
797f3f53 2258 req->result = 0;
f67676d1 2259 io_size = ret;
9e645e11 2260 if (req->flags & REQ_F_LINK)
f67676d1 2261 req->result = io_size;
9e645e11 2262
f67676d1
JA		 2263 /*
2264 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2265 * we know to async punt it even if it was opened O_NONBLOCK
2266 */
2267 if (force_nonblock && !io_file_supports_async(req->file)) {
2268 req->flags |= REQ_F_MUST_PUNT;
2269 goto copy_iov;
2270 }
31b51510 2271
10d59345
JA		 2272 /* file path doesn't support NOWAIT for non-direct_IO */
2273 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2274 (req->flags & REQ_F_ISREG))
f67676d1 2275 goto copy_iov;
31b51510 2276
f67676d1 2277 iov_count = iov_iter_count(&iter);
9adbd45d 2278 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 2279 if (!ret) {
9bf7933f
RP		 2280 ssize_t ret2;
2281
2b188cc1
JA		 2282 /*
2283 * Open-code file_start_write here to grab freeze protection,
2284 * which will be released by another thread in
2285 * io_complete_rw(). Fool lockdep by telling it the lock got
2286 * released so that it doesn't complain about the held lock when
2287 * we return to userspace.
2288 */
491381ce 2289 if (req->flags & REQ_F_ISREG) {
9adbd45d 2290 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 2291 SB_FREEZE_WRITE, true);
9adbd45d 2292 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 2293 SB_FREEZE_WRITE);
2294 }
2295 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 2296
9adbd45d
JA		 2297 if (req->file->f_op->write_iter)
2298 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 2299 else
9adbd45d 2300 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
f67676d1 2301 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2302 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2303 } else {
2304copy_iov:
b7bb4f7d 2305 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2306 inline_vecs, &iter);
2307 if (ret)
2308 goto out_free;
2309 return -EAGAIN;
2310 }
2b188cc1 2311 }
31b51510 2312out_free:
b7bb4f7d
JA		 2313 if (!io_wq_current_is_worker())
2314 kfree(iovec);
2b188cc1
JA		 2315 return ret;
2316}
2317
2318/*
2319 * IORING_OP_NOP just posts a completion event, nothing else.
2320 */
78e19bbe 2321static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 2322{
2323 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2324
def596e9
JA		 2325 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2326 return -EINVAL;
2327
78e19bbe 2328 io_cqring_add_event(req, 0);
e65ef56d 2329 io_put_req(req);
2b188cc1
JA		 2330 return 0;
2331}
2332
3529d8c2 2333static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2334{
6b06314c 2335 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2336
09bb8394
JA		 2337 if (!req->file)
2338 return -EBADF;
c992fe29 2339
6b06314c 2340 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2341 return -EINVAL;
edafccee 2342 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2343 return -EINVAL;
2344
8ed8d3c3
JA		 2345 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2346 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2347 return -EINVAL;
2348
2349 req->sync.off = READ_ONCE(sqe->off);
2350 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2351 return 0;
2352}
2353
8ed8d3c3
JA		 2354static bool io_req_cancelled(struct io_kiocb *req)
2355{
2356 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2357 req_set_fail_links(req);
2358 io_cqring_add_event(req, -ECANCELED);
2359 io_put_req(req);
2360 return true;
2361 }
2362
2363 return false;
2364}
2365
78912934
JA		 2366static void io_link_work_cb(struct io_wq_work **workptr)
2367{
2368 struct io_wq_work *work = *workptr;
2369 struct io_kiocb *link = work->data;
2370
2371 io_queue_linked_timeout(link);
2372 work->func = io_wq_submit_work;
2373}
2374
2375static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2376{
2377 struct io_kiocb *link;
2378
2379 io_prep_async_work(nxt, &link);
2380 *workptr = &nxt->work;
2381 if (link) {
2382 nxt->work.flags |= IO_WQ_WORK_CB;
2383 nxt->work.func = io_link_work_cb;
2384 nxt->work.data = link;
2385 }
2386}
2387
8ed8d3c3
JA		 2388static void io_fsync_finish(struct io_wq_work **workptr)
2389{
2390 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2391 loff_t end = req->sync.off + req->sync.len;
2392 struct io_kiocb *nxt = NULL;
2393 int ret;
2394
2395 if (io_req_cancelled(req))
2396 return;
2397
9adbd45d 2398 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2399 end > 0 ? end : LLONG_MAX,
2400 req->sync.flags & IORING_FSYNC_DATASYNC);
2401 if (ret < 0)
2402 req_set_fail_links(req);
2403 io_cqring_add_event(req, ret);
2404 io_put_req_find_next(req, &nxt);
2405 if (nxt)
78912934 2406 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2407}
2408
fc4df999
JA		 2409static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2410 bool force_nonblock)
c992fe29 2411{
8ed8d3c3 2412 struct io_wq_work *work, *old_work;
c992fe29
CH		 2413
2414 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2415 if (force_nonblock) {
2416 io_put_req(req);
2417 req->work.func = io_fsync_finish;
c992fe29 2418 return -EAGAIN;
8ed8d3c3 2419 }
c992fe29 2420
8ed8d3c3
JA		 2421 work = old_work = &req->work;
2422 io_fsync_finish(&work);
2423 if (work && work != old_work)
2424 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2425 return 0;
2426}
2427
d63d1b5e
JA		 2428static void io_fallocate_finish(struct io_wq_work **workptr)
2429{
2430 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2431 struct io_kiocb *nxt = NULL;
2432 int ret;
2433
2434 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2435 req->sync.len);
2436 if (ret < 0)
2437 req_set_fail_links(req);
2438 io_cqring_add_event(req, ret);
2439 io_put_req_find_next(req, &nxt);
2440 if (nxt)
2441 io_wq_assign_next(workptr, nxt);
2442}
2443
2444static int io_fallocate_prep(struct io_kiocb *req,
2445 const struct io_uring_sqe *sqe)
2446{
2447 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2448 return -EINVAL;
2449
2450 req->sync.off = READ_ONCE(sqe->off);
2451 req->sync.len = READ_ONCE(sqe->addr);
2452 req->sync.mode = READ_ONCE(sqe->len);
2453 return 0;
2454}
2455
2456static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2457 bool force_nonblock)
2458{
2459 struct io_wq_work *work, *old_work;
2460
2461 /* fallocate always requiring blocking context */
2462 if (force_nonblock) {
2463 io_put_req(req);
2464 req->work.func = io_fallocate_finish;
2465 return -EAGAIN;
2466 }
2467
2468 work = old_work = &req->work;
2469 io_fallocate_finish(&work);
2470 if (work && work != old_work)
2471 *nxt = container_of(work, struct io_kiocb, work);
2472
2473 return 0;
2474}
2475
15b71abe
JA		 2476static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2477{
f8748881 2478 const char __user *fname;
15b71abe
JA		 2479 int ret;
2480
2481 if (sqe->ioprio || sqe->buf_index)
2482 return -EINVAL;
2483
2484 req->open.dfd = READ_ONCE(sqe->fd);
c12cedf2 2485 req->open.how.mode = READ_ONCE(sqe->len);
f8748881 2486 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
c12cedf2 2487 req->open.how.flags = READ_ONCE(sqe->open_flags);
15b71abe 2488
f8748881 2489 req->open.filename = getname(fname);
15b71abe
JA		 2490 if (IS_ERR(req->open.filename)) {
2491 ret = PTR_ERR(req->open.filename);
2492 req->open.filename = NULL;
2493 return ret;
2494 }
2495
2496 return 0;
2497}
2498
cebdb986
JA		 2499static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2500{
2501 struct open_how __user *how;
2502 const char __user *fname;
2503 size_t len;
2504 int ret;
2505
2506 if (sqe->ioprio || sqe->buf_index)
2507 return -EINVAL;
2508
2509 req->open.dfd = READ_ONCE(sqe->fd);
2510 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2511 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2512 len = READ_ONCE(sqe->len);
2513
2514 if (len < OPEN_HOW_SIZE_VER0)
2515 return -EINVAL;
2516
2517 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
2518 len);
2519 if (ret)
2520 return ret;
2521
2522 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
2523 req->open.how.flags |= O_LARGEFILE;
2524
2525 req->open.filename = getname(fname);
2526 if (IS_ERR(req->open.filename)) {
2527 ret = PTR_ERR(req->open.filename);
2528 req->open.filename = NULL;
2529 return ret;
2530 }
2531
2532 return 0;
2533}
2534
2535static int io_openat2(struct io_kiocb *req, struct io_kiocb **nxt,
2536 bool force_nonblock)
15b71abe
JA		 2537{
2538 struct open_flags op;
15b71abe
JA		 2539 struct file *file;
2540 int ret;
2541
2542 if (force_nonblock) {
2543 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2544 return -EAGAIN;
2545 }
2546
cebdb986 2547 ret = build_open_flags(&req->open.how, &op);
15b71abe
JA		 2548 if (ret)
2549 goto err;
2550
cebdb986 2551 ret = get_unused_fd_flags(req->open.how.flags);
15b71abe
JA		 2552 if (ret < 0)
2553 goto err;
2554
2555 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2556 if (IS_ERR(file)) {
2557 put_unused_fd(ret);
2558 ret = PTR_ERR(file);
2559 } else {
2560 fsnotify_open(file);
2561 fd_install(ret, file);
2562 }
2563err:
2564 putname(req->open.filename);
2565 if (ret < 0)
2566 req_set_fail_links(req);
2567 io_cqring_add_event(req, ret);
2568 io_put_req_find_next(req, nxt);
2569 return 0;
2570}
2571
cebdb986
JA		 2572static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2573 bool force_nonblock)
2574{
2575 req->open.how = build_open_how(req->open.how.flags, req->open.how.mode);
2576 return io_openat2(req, nxt, force_nonblock);
2577}
2578
c1ca757b
JA		 2579static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2580{
2581#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2582 if (sqe->ioprio || sqe->buf_index || sqe->off)
2583 return -EINVAL;
2584
2585 req->madvise.addr = READ_ONCE(sqe->addr);
2586 req->madvise.len = READ_ONCE(sqe->len);
2587 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
2588 return 0;
2589#else
2590 return -EOPNOTSUPP;
2591#endif
2592}
2593
2594static int io_madvise(struct io_kiocb *req, struct io_kiocb **nxt,
2595 bool force_nonblock)
2596{
2597#if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
2598 struct io_madvise *ma = &req->madvise;
2599 int ret;
2600
2601 if (force_nonblock)
2602 return -EAGAIN;
2603
2604 ret = do_madvise(ma->addr, ma->len, ma->advice);
2605 if (ret < 0)
2606 req_set_fail_links(req);
2607 io_cqring_add_event(req, ret);
2608 io_put_req_find_next(req, nxt);
2609 return 0;
2610#else
2611 return -EOPNOTSUPP;
2612#endif
2613}
2614
4840e418
JA		 2615static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2616{
2617 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2618 return -EINVAL;
2619
2620 req->fadvise.offset = READ_ONCE(sqe->off);
2621 req->fadvise.len = READ_ONCE(sqe->len);
2622 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2623 return 0;
2624}
2625
2626static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2627 bool force_nonblock)
2628{
2629 struct io_fadvise *fa = &req->fadvise;
2630 int ret;
2631
2632 /* DONTNEED may block, others _should_ not */
2633 if (fa->advice == POSIX_FADV_DONTNEED && force_nonblock)
2634 return -EAGAIN;
2635
2636 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2637 if (ret < 0)
2638 req_set_fail_links(req);
2639 io_cqring_add_event(req, ret);
2640 io_put_req_find_next(req, nxt);
2641 return 0;
2642}
2643
eddc7ef5
JA		 2644static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2645{
f8748881 2646 const char __user *fname;
eddc7ef5
JA		 2647 unsigned lookup_flags;
2648 int ret;
2649
2650 if (sqe->ioprio || sqe->buf_index)
2651 return -EINVAL;
2652
2653 req->open.dfd = READ_ONCE(sqe->fd);
2654 req->open.mask = READ_ONCE(sqe->len);
f8748881 2655 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
eddc7ef5 2656 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
c12cedf2 2657 req->open.how.flags = READ_ONCE(sqe->statx_flags);
eddc7ef5 2658
c12cedf2 2659 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.how.flags))
eddc7ef5
JA		 2660 return -EINVAL;
2661
f8748881 2662 req->open.filename = getname_flags(fname, lookup_flags, NULL);
eddc7ef5
JA		 2663 if (IS_ERR(req->open.filename)) {
2664 ret = PTR_ERR(req->open.filename);
2665 req->open.filename = NULL;
2666 return ret;
2667 }
2668
2669 return 0;
2670}
2671
2672static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2673 bool force_nonblock)
2674{
2675 struct io_open *ctx = &req->open;
2676 unsigned lookup_flags;
2677 struct path path;
2678 struct kstat stat;
2679 int ret;
2680
2681 if (force_nonblock)
2682 return -EAGAIN;
2683
c12cedf2 2684 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->how.flags))
eddc7ef5
JA		 2685 return -EINVAL;
2686
2687retry:
2688 /* filename_lookup() drops it, keep a reference */
2689 ctx->filename->refcnt++;
2690
2691 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2692 NULL);
2693 if (ret)
2694 goto err;
2695
c12cedf2 2696 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->how.flags);
eddc7ef5
JA		 2697 path_put(&path);
2698 if (retry_estale(ret, lookup_flags)) {
2699 lookup_flags |= LOOKUP_REVAL;
2700 goto retry;
2701 }
2702 if (!ret)
2703 ret = cp_statx(&stat, ctx->buffer);
2704err:
2705 putname(ctx->filename);
2706 if (ret < 0)
2707 req_set_fail_links(req);
2708 io_cqring_add_event(req, ret);
2709 io_put_req_find_next(req, nxt);
2710 return 0;
2711}
2712
b5dba59e
JA		 2713static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2714{
2715 /*
2716 * If we queue this for async, it must not be cancellable. That would
2717 * leave the 'file' in an undeterminate state.
2718 */
2719 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2720
2721 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2722 sqe->rw_flags || sqe->buf_index)
2723 return -EINVAL;
2724 if (sqe->flags & IOSQE_FIXED_FILE)
2725 return -EINVAL;
2726
2727 req->close.fd = READ_ONCE(sqe->fd);
2728 if (req->file->f_op == &io_uring_fops ||
2729 req->close.fd == req->ring_fd)
2730 return -EBADF;
2731
2732 return 0;
2733}
2734
2735static void io_close_finish(struct io_wq_work **workptr)
2736{
2737 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2738 struct io_kiocb *nxt = NULL;
2739
2740 /* Invoked with files, we need to do the close */
2741 if (req->work.files) {
2742 int ret;
2743
2744 ret = filp_close(req->close.put_file, req->work.files);
2745 if (ret < 0) {
2746 req_set_fail_links(req);
2747 }
2748 io_cqring_add_event(req, ret);
2749 }
2750
2751 fput(req->close.put_file);
2752
2753 /* we bypassed the re-issue, drop the submission reference */
2754 io_put_req(req);
2755 io_put_req_find_next(req, &nxt);
2756 if (nxt)
2757 io_wq_assign_next(workptr, nxt);
2758}
2759
2760static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2761 bool force_nonblock)
2762{
2763 int ret;
2764
2765 req->close.put_file = NULL;
2766 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2767 if (ret < 0)
2768 return ret;
2769
2770 /* if the file has a flush method, be safe and punt to async */
2771 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2772 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2773 goto eagain;
2774 }
2775
2776 /*
2777 * No ->flush(), safely close from here and just punt the
2778 * fput() to async context.
2779 */
2780 ret = filp_close(req->close.put_file, current->files);
2781
2782 if (ret < 0)
2783 req_set_fail_links(req);
2784 io_cqring_add_event(req, ret);
2785
2786 if (io_wq_current_is_worker()) {
2787 struct io_wq_work *old_work, *work;
2788
2789 old_work = work = &req->work;
2790 io_close_finish(&work);
2791 if (work && work != old_work)
2792 *nxt = container_of(work, struct io_kiocb, work);
2793 return 0;
2794 }
2795
2796eagain:
2797 req->work.func = io_close_finish;
2798 return -EAGAIN;
2799}
2800
3529d8c2 2801static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 2802{
2803 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 2804
2805 if (!req->file)
2806 return -EBADF;
5d17b4a4
JA		 2807
2808 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2809 return -EINVAL;
2810 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2811 return -EINVAL;
2812
8ed8d3c3
JA		 2813 req->sync.off = READ_ONCE(sqe->off);
2814 req->sync.len = READ_ONCE(sqe->len);
2815 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 2816 return 0;
2817}
2818
2819static void io_sync_file_range_finish(struct io_wq_work **workptr)
2820{
2821 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2822 struct io_kiocb *nxt = NULL;
2823 int ret;
2824
2825 if (io_req_cancelled(req))
2826 return;
2827
9adbd45d 2828 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 2829 req->sync.flags);
2830 if (ret < 0)
2831 req_set_fail_links(req);
2832 io_cqring_add_event(req, ret);
2833 io_put_req_find_next(req, &nxt);
2834 if (nxt)
78912934 2835 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2836}
2837
fc4df999 2838static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2839 bool force_nonblock)
2840{
8ed8d3c3 2841 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2842
2843 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2844 if (force_nonblock) {
2845 io_put_req(req);
2846 req->work.func = io_sync_file_range_finish;
5d17b4a4 2847 return -EAGAIN;
8ed8d3c3 2848 }
5d17b4a4 2849
8ed8d3c3
JA		 2850 work = old_work = &req->work;
2851 io_sync_file_range_finish(&work);
2852 if (work && work != old_work)
2853 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2854 return 0;
2855}
2856
b7bb4f7d
JA		 2857#if defined(CONFIG_NET)
2858static void io_sendrecv_async(struct io_wq_work **workptr)
2859{
2860 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2861 struct iovec *iov = NULL;
2862
2863 if (req->io->rw.iov != req->io->rw.fast_iov)
2864 iov = req->io->msg.iov;
2865 io_wq_submit_work(workptr);
2866 kfree(iov);
2867}
2868#endif
2869
3529d8c2 2870static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 2871{
0fa03c62 2872#if defined(CONFIG_NET)
e47293fd 2873 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 2874 struct io_async_ctx *io = req->io;
03b1230c 2875
e47293fd
JA		 2876 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2877 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
fddaface 2878 sr->len = READ_ONCE(sqe->len);
3529d8c2 2879
fddaface 2880 if (!io || req->opcode == IORING_OP_SEND)
3529d8c2
JA		 2881 return 0;
2882
d9688565 2883 io->msg.iov = io->msg.fast_iov;
3529d8c2 2884 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2885 &io->msg.iov);
03b1230c 2886#else
e47293fd 2887 return -EOPNOTSUPP;
03b1230c
JA		 2888#endif
2889}
2890
fc4df999
JA		 2891static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2892 bool force_nonblock)
aa1fa28f 2893{
03b1230c 2894#if defined(CONFIG_NET)
0b416c3e 2895 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2896 struct socket *sock;
2897 int ret;
2898
2899 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2900 return -EINVAL;
2901
2902 sock = sock_from_file(req->file, &ret);
2903 if (sock) {
b7bb4f7d 2904 struct io_async_ctx io;
03b1230c 2905 struct sockaddr_storage addr;
0fa03c62
JA		 2906 unsigned flags;
2907
03b1230c 2908 if (req->io) {
0b416c3e
JA		 2909 kmsg = &req->io->msg;
2910 kmsg->msg.msg_name = &addr;
2911 /* if iov is set, it's allocated already */
2912 if (!kmsg->iov)
2913 kmsg->iov = kmsg->fast_iov;
2914 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2915 } else {
3529d8c2
JA		 2916 struct io_sr_msg *sr = &req->sr_msg;
2917
0b416c3e
JA		 2918 kmsg = &io.msg;
2919 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2920
2921 io.msg.iov = io.msg.fast_iov;
2922 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2923 sr->msg_flags, &io.msg.iov);
03b1230c 2924 if (ret)
3529d8c2 2925 return ret;
03b1230c 2926 }
0fa03c62 2927
e47293fd
JA		 2928 flags = req->sr_msg.msg_flags;
2929 if (flags & MSG_DONTWAIT)
2930 req->flags |= REQ_F_NOWAIT;
2931 else if (force_nonblock)
2932 flags |= MSG_DONTWAIT;
2933
0b416c3e 2934 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2935 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2936 if (req->io)
2937 return -EAGAIN;
2938 if (io_alloc_async_ctx(req))
2939 return -ENOMEM;
2940 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2941 req->work.func = io_sendrecv_async;
0b416c3e 2942 return -EAGAIN;
03b1230c 2943 }
441cdbd5
JA		 2944 if (ret == -ERESTARTSYS)
2945 ret = -EINTR;
0fa03c62
JA		 2946 }
2947
b7bb4f7d 2948 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2949 kfree(kmsg->iov);
78e19bbe 2950 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2951 if (ret < 0)
2952 req_set_fail_links(req);
ec9c02ad 2953 io_put_req_find_next(req, nxt);
5d17b4a4 2954 return 0;
03b1230c
JA		 2955#else
2956 return -EOPNOTSUPP;
aa1fa28f 2957#endif
03b1230c 2958}
aa1fa28f 2959
fddaface
JA		 2960static int io_send(struct io_kiocb *req, struct io_kiocb **nxt,
2961 bool force_nonblock)
2962{
2963#if defined(CONFIG_NET)
2964 struct socket *sock;
2965 int ret;
2966
2967 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2968 return -EINVAL;
2969
2970 sock = sock_from_file(req->file, &ret);
2971 if (sock) {
2972 struct io_sr_msg *sr = &req->sr_msg;
2973 struct msghdr msg;
2974 struct iovec iov;
2975 unsigned flags;
2976
2977 ret = import_single_range(WRITE, sr->buf, sr->len, &iov,
2978 &msg.msg_iter);
2979 if (ret)
2980 return ret;
2981
2982 msg.msg_name = NULL;
2983 msg.msg_control = NULL;
2984 msg.msg_controllen = 0;
2985 msg.msg_namelen = 0;
2986
2987 flags = req->sr_msg.msg_flags;
2988 if (flags & MSG_DONTWAIT)
2989 req->flags |= REQ_F_NOWAIT;
2990 else if (force_nonblock)
2991 flags |= MSG_DONTWAIT;
2992
2993 ret = __sys_sendmsg_sock(sock, &msg, flags);
2994 if (force_nonblock && ret == -EAGAIN)
2995 return -EAGAIN;
2996 if (ret == -ERESTARTSYS)
2997 ret = -EINTR;
2998 }
2999
3000 io_cqring_add_event(req, ret);
3001 if (ret < 0)
3002 req_set_fail_links(req);
3003 io_put_req_find_next(req, nxt);
3004 return 0;
3005#else
3006 return -EOPNOTSUPP;
3007#endif
3008}
3009
3529d8c2
JA		 3010static int io_recvmsg_prep(struct io_kiocb *req,
3011 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 3012{
3013#if defined(CONFIG_NET)
e47293fd 3014 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2
JA		 3015 struct io_async_ctx *io = req->io;
3016
3017 sr->msg_flags = READ_ONCE(sqe->msg_flags);
3018 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
06b76d44 3019
fddaface 3020 if (!io || req->opcode == IORING_OP_RECV)
06b76d44 3021 return 0;
03b1230c 3022
d9688565 3023 io->msg.iov = io->msg.fast_iov;
3529d8c2 3024 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 3025 &io->msg.uaddr, &io->msg.iov);
aa1fa28f 3026#else
e47293fd 3027 return -EOPNOTSUPP;
aa1fa28f
JA		 3028#endif
3029}
3030
fc4df999
JA		 3031static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
3032 bool force_nonblock)
aa1fa28f
JA		 3033{
3034#if defined(CONFIG_NET)
0b416c3e 3035 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 3036 struct socket *sock;
3037 int ret;
3038
3039 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3040 return -EINVAL;
3041
3042 sock = sock_from_file(req->file, &ret);
3043 if (sock) {
b7bb4f7d 3044 struct io_async_ctx io;
03b1230c 3045 struct sockaddr_storage addr;
03b1230c
JA		 3046 unsigned flags;
3047
03b1230c 3048 if (req->io) {
0b416c3e
JA		 3049 kmsg = &req->io->msg;
3050 kmsg->msg.msg_name = &addr;
3051 /* if iov is set, it's allocated already */
3052 if (!kmsg->iov)
3053 kmsg->iov = kmsg->fast_iov;
3054 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 3055 } else {
3529d8c2
JA		 3056 struct io_sr_msg *sr = &req->sr_msg;
3057
0b416c3e
JA		 3058 kmsg = &io.msg;
3059 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 3060
3061 io.msg.iov = io.msg.fast_iov;
3062 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
3063 sr->msg_flags, &io.msg.uaddr,
3064 &io.msg.iov);
03b1230c 3065 if (ret)
3529d8c2 3066 return ret;
03b1230c
JA		 3067 }
3068
e47293fd
JA		 3069 flags = req->sr_msg.msg_flags;
3070 if (flags & MSG_DONTWAIT)
3071 req->flags |= REQ_F_NOWAIT;
3072 else if (force_nonblock)
3073 flags |= MSG_DONTWAIT;
3074
3075 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
3076 kmsg->uaddr, flags);
03b1230c 3077 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 3078 if (req->io)
3079 return -EAGAIN;
3080 if (io_alloc_async_ctx(req))
3081 return -ENOMEM;
3082 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
3083 req->work.func = io_sendrecv_async;
0b416c3e 3084 return -EAGAIN;
03b1230c
JA		 3085 }
3086 if (ret == -ERESTARTSYS)
3087 ret = -EINTR;
3088 }
3089
b7bb4f7d 3090 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 3091 kfree(kmsg->iov);
03b1230c 3092 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3093 if (ret < 0)
3094 req_set_fail_links(req);
03b1230c
JA		 3095 io_put_req_find_next(req, nxt);
3096 return 0;
0fa03c62
JA		 3097#else
3098 return -EOPNOTSUPP;
3099#endif
3100}
5d17b4a4 3101
fddaface
JA		 3102static int io_recv(struct io_kiocb *req, struct io_kiocb **nxt,
3103 bool force_nonblock)
3104{
3105#if defined(CONFIG_NET)
3106 struct socket *sock;
3107 int ret;
3108
3109 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3110 return -EINVAL;
3111
3112 sock = sock_from_file(req->file, &ret);
3113 if (sock) {
3114 struct io_sr_msg *sr = &req->sr_msg;
3115 struct msghdr msg;
3116 struct iovec iov;
3117 unsigned flags;
3118
3119 ret = import_single_range(READ, sr->buf, sr->len, &iov,
3120 &msg.msg_iter);
3121 if (ret)
3122 return ret;
3123
3124 msg.msg_name = NULL;
3125 msg.msg_control = NULL;
3126 msg.msg_controllen = 0;
3127 msg.msg_namelen = 0;
3128 msg.msg_iocb = NULL;
3129 msg.msg_flags = 0;
3130
3131 flags = req->sr_msg.msg_flags;
3132 if (flags & MSG_DONTWAIT)
3133 req->flags |= REQ_F_NOWAIT;
3134 else if (force_nonblock)
3135 flags |= MSG_DONTWAIT;
3136
3137 ret = __sys_recvmsg_sock(sock, &msg, NULL, NULL, flags);
3138 if (force_nonblock && ret == -EAGAIN)
3139 return -EAGAIN;
3140 if (ret == -ERESTARTSYS)
3141 ret = -EINTR;
3142 }
3143
3144 io_cqring_add_event(req, ret);
3145 if (ret < 0)
3146 req_set_fail_links(req);
3147 io_put_req_find_next(req, nxt);
3148 return 0;
3149#else
3150 return -EOPNOTSUPP;
3151#endif
3152}
3153
3154
3529d8c2 3155static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 3156{
3157#if defined(CONFIG_NET)
8ed8d3c3
JA		 3158 struct io_accept *accept = &req->accept;
3159
17f2fe35
JA		 3160 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3161 return -EINVAL;
8042d6ce 3162 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 3163 return -EINVAL;
3164
d55e5f5b
JA		 3165 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3166 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 3167 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 3168 return 0;
3169#else
3170 return -EOPNOTSUPP;
3171#endif
3172}
17f2fe35 3173
8ed8d3c3
JA		 3174#if defined(CONFIG_NET)
3175static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3176 bool force_nonblock)
3177{
3178 struct io_accept *accept = &req->accept;
3179 unsigned file_flags;
3180 int ret;
3181
3182 file_flags = force_nonblock ? O_NONBLOCK : 0;
3183 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
3184 accept->addr_len, accept->flags);
3185 if (ret == -EAGAIN && force_nonblock)
17f2fe35 3186 return -EAGAIN;
8e3cca12
JA		 3187 if (ret == -ERESTARTSYS)
3188 ret = -EINTR;
4e88d6e7
JA		 3189 if (ret < 0)
3190 req_set_fail_links(req);
78e19bbe 3191 io_cqring_add_event(req, ret);
ec9c02ad 3192 io_put_req_find_next(req, nxt);
17f2fe35 3193 return 0;
8ed8d3c3
JA		 3194}
3195
3196static void io_accept_finish(struct io_wq_work **workptr)
3197{
3198 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3199 struct io_kiocb *nxt = NULL;
3200
3201 if (io_req_cancelled(req))
3202 return;
3203 __io_accept(req, &nxt, false);
3204 if (nxt)
78912934 3205 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 3206}
3207#endif
3208
3209static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
3210 bool force_nonblock)
3211{
3212#if defined(CONFIG_NET)
3213 int ret;
3214
8ed8d3c3
JA		 3215 ret = __io_accept(req, nxt, force_nonblock);
3216 if (ret == -EAGAIN && force_nonblock) {
3217 req->work.func = io_accept_finish;
3218 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3219 io_put_req(req);
3220 return -EAGAIN;
3221 }
3222 return 0;
0fa03c62
JA		 3223#else
3224 return -EOPNOTSUPP;
3225#endif
3226}
5d17b4a4 3227
3529d8c2 3228static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 3229{
3230#if defined(CONFIG_NET)
3529d8c2
JA		 3231 struct io_connect *conn = &req->connect;
3232 struct io_async_ctx *io = req->io;
f499a021 3233
3fbb51c1
JA		 3234 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
3235 return -EINVAL;
3236 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
3237 return -EINVAL;
3238
3529d8c2
JA		 3239 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
3240 conn->addr_len = READ_ONCE(sqe->addr2);
3241
3242 if (!io)
3243 return 0;
3244
3245 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 3246 &io->connect.address);
f499a021 3247#else
3fbb51c1 3248 return -EOPNOTSUPP;
f499a021
JA		 3249#endif
3250}
3251
fc4df999
JA		 3252static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
3253 bool force_nonblock)
f8e85cf2
JA		 3254{
3255#if defined(CONFIG_NET)
f499a021 3256 struct io_async_ctx __io, *io;
f8e85cf2 3257 unsigned file_flags;
3fbb51c1 3258 int ret;
f8e85cf2 3259
f499a021
JA		 3260 if (req->io) {
3261 io = req->io;
3262 } else {
3529d8c2
JA		 3263 ret = move_addr_to_kernel(req->connect.addr,
3264 req->connect.addr_len,
3265 &__io.connect.address);
f499a021
JA		 3266 if (ret)
3267 goto out;
3268 io = &__io;
3269 }
3270
3fbb51c1
JA		 3271 file_flags = force_nonblock ? O_NONBLOCK : 0;
3272
3273 ret = __sys_connect_file(req->file, &io->connect.address,
3274 req->connect.addr_len, file_flags);
87f80d62 3275 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 3276 if (req->io)
3277 return -EAGAIN;
3278 if (io_alloc_async_ctx(req)) {
f499a021
JA		 3279 ret = -ENOMEM;
3280 goto out;
3281 }
b7bb4f7d 3282 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 3283 return -EAGAIN;
f499a021 3284 }
f8e85cf2
JA		 3285 if (ret == -ERESTARTSYS)
3286 ret = -EINTR;
f499a021 3287out:
4e88d6e7
JA		 3288 if (ret < 0)
3289 req_set_fail_links(req);
f8e85cf2
JA		 3290 io_cqring_add_event(req, ret);
3291 io_put_req_find_next(req, nxt);
3292 return 0;
3293#else
3294 return -EOPNOTSUPP;
3295#endif
3296}
3297
221c5eb2
JA		 3298static void io_poll_remove_one(struct io_kiocb *req)
3299{
3300 struct io_poll_iocb *poll = &req->poll;
3301
3302 spin_lock(&poll->head->lock);
3303 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 3304 if (!list_empty(&poll->wait.entry)) {
3305 list_del_init(&poll->wait.entry);
a197f664 3306 io_queue_async_work(req);
221c5eb2
JA		 3307 }
3308 spin_unlock(&poll->head->lock);
78076bb6 3309 hash_del(&req->hash_node);
221c5eb2
JA		 3310}
3311
3312static void io_poll_remove_all(struct io_ring_ctx *ctx)
3313{
78076bb6 3314 struct hlist_node *tmp;
221c5eb2 3315 struct io_kiocb *req;
78076bb6 3316 int i;
221c5eb2
JA		 3317
3318 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 3319 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3320 struct hlist_head *list;
3321
3322 list = &ctx->cancel_hash[i];
3323 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3324 io_poll_remove_one(req);
221c5eb2
JA		 3325 }
3326 spin_unlock_irq(&ctx->completion_lock);
3327}
3328
47f46768
JA		 3329static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3330{
78076bb6 3331 struct hlist_head *list;
47f46768
JA		 3332 struct io_kiocb *req;
3333
78076bb6
JA		 3334 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3335 hlist_for_each_entry(req, list, hash_node) {
3336 if (sqe_addr == req->user_data) {
eac406c6
JA		 3337 io_poll_remove_one(req);
3338 return 0;
3339 }
47f46768
JA		 3340 }
3341
3342 return -ENOENT;
3343}
3344
3529d8c2
JA		 3345static int io_poll_remove_prep(struct io_kiocb *req,
3346 const struct io_uring_sqe *sqe)
0969e783 3347{
0969e783
JA		 3348 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3349 return -EINVAL;
3350 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3351 sqe->poll_events)
3352 return -EINVAL;
3353
3354 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 3355 return 0;
3356}
3357
221c5eb2
JA		 3358/*
3359 * Find a running poll command that matches one specified in sqe->addr,
3360 * and remove it if found.
3361 */
fc4df999 3362static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 3363{
3364 struct io_ring_ctx *ctx = req->ctx;
0969e783 3365 u64 addr;
47f46768 3366 int ret;
221c5eb2 3367
0969e783 3368 addr = req->poll.addr;
221c5eb2 3369 spin_lock_irq(&ctx->completion_lock);
0969e783 3370 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 3371 spin_unlock_irq(&ctx->completion_lock);
3372
78e19bbe 3373 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3374 if (ret < 0)
3375 req_set_fail_links(req);
e65ef56d 3376 io_put_req(req);
221c5eb2
JA		 3377 return 0;
3378}
3379
b0dd8a41 3380static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 3381{
a197f664
JL		 3382 struct io_ring_ctx *ctx = req->ctx;
3383
8c838788 3384 req->poll.done = true;
b0dd8a41
JA		 3385 if (error)
3386 io_cqring_fill_event(req, error);
3387 else
3388 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 3389 io_commit_cqring(ctx);
221c5eb2
JA		 3390}
3391
561fb04a 3392static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 3393{
561fb04a 3394 struct io_wq_work *work = *workptr;
221c5eb2
JA		 3395 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3396 struct io_poll_iocb *poll = &req->poll;
3397 struct poll_table_struct pt = { ._key = poll->events };
3398 struct io_ring_ctx *ctx = req->ctx;
89723d0b 3399 struct io_kiocb *nxt = NULL;
221c5eb2 3400 __poll_t mask = 0;
b0dd8a41 3401 int ret = 0;
221c5eb2 3402
b0dd8a41 3403 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 3404 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 3405 ret = -ECANCELED;
3406 } else if (READ_ONCE(poll->canceled)) {
3407 ret = -ECANCELED;
3408 }
561fb04a 3409
b0dd8a41 3410 if (ret != -ECANCELED)
221c5eb2
JA		 3411 mask = vfs_poll(poll->file, &pt) & poll->events;
3412
3413 /*
3414 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3415 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3416 * synchronize with them. In the cancellation case the list_del_init
3417 * itself is not actually needed, but harmless so we keep it in to
3418 * avoid further branches in the fast path.
3419 */
3420 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 3421 if (!mask && ret != -ECANCELED) {
392edb45 3422 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 3423 spin_unlock_irq(&ctx->completion_lock);
3424 return;
3425 }
78076bb6 3426 hash_del(&req->hash_node);
b0dd8a41 3427 io_poll_complete(req, mask, ret);
221c5eb2
JA		 3428 spin_unlock_irq(&ctx->completion_lock);
3429
8c838788 3430 io_cqring_ev_posted(ctx);
89723d0b 3431
4e88d6e7
JA		 3432 if (ret < 0)
3433 req_set_fail_links(req);
ec9c02ad 3434 io_put_req_find_next(req, &nxt);
89723d0b 3435 if (nxt)
78912934 3436 io_wq_assign_next(workptr, nxt);
221c5eb2
JA		 3437}
3438
e94f141b
JA		 3439static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3440{
e94f141b 3441 struct io_kiocb *req, *tmp;
8237e045 3442 struct req_batch rb;
e94f141b 3443
c6ca97b3 3444 rb.to_free = rb.need_iter = 0;
e94f141b
JA		 3445 spin_lock_irq(&ctx->completion_lock);
3446 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3447 hash_del(&req->hash_node);
3448 io_poll_complete(req, req->result, 0);
3449
8237e045
JA		 3450 if (refcount_dec_and_test(&req->refs) &&
3451 !io_req_multi_free(&rb, req)) {
3452 req->flags |= REQ_F_COMP_LOCKED;
3453 io_free_req(req);
e94f141b
JA		 3454 }
3455 }
3456 spin_unlock_irq(&ctx->completion_lock);
3457
3458 io_cqring_ev_posted(ctx);
8237e045 3459 io_free_req_many(ctx, &rb);
e94f141b
JA		 3460}
3461
3462static void io_poll_flush(struct io_wq_work **workptr)
3463{
3464 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3465 struct llist_node *nodes;
3466
3467 nodes = llist_del_all(&req->ctx->poll_llist);
3468 if (nodes)
3469 __io_poll_flush(req->ctx, nodes);
3470}
3471
221c5eb2
JA		 3472static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3473 void *key)
3474{
e944475e 3475 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 3476 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3477 struct io_ring_ctx *ctx = req->ctx;
3478 __poll_t mask = key_to_poll(key);
221c5eb2
JA		 3479
3480 /* for instances that support it check for an event match first: */
8c838788
JA		 3481 if (mask && !(mask & poll->events))
3482 return 0;
221c5eb2 3483
392edb45 3484 list_del_init(&poll->wait.entry);
221c5eb2 3485
7c9e7f0f
JA		 3486 /*
3487 * Run completion inline if we can. We're using trylock here because
3488 * we are violating the completion_lock -> poll wq lock ordering.
3489 * If we have a link timeout we're going to need the completion_lock
3490 * for finalizing the request, mark us as having grabbed that already.
3491 */
e94f141b
JA		 3492 if (mask) {
3493 unsigned long flags;
221c5eb2 3494
e94f141b
JA		 3495 if (llist_empty(&ctx->poll_llist) &&
3496 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3497 hash_del(&req->hash_node);
3498 io_poll_complete(req, mask, 0);
3499 req->flags |= REQ_F_COMP_LOCKED;
3500 io_put_req(req);
3501 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3502
3503 io_cqring_ev_posted(ctx);
3504 req = NULL;
3505 } else {
3506 req->result = mask;
3507 req->llist_node.next = NULL;
3508 /* if the list wasn't empty, we're done */
3509 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3510 req = NULL;
3511 else
3512 req->work.func = io_poll_flush;
3513 }
221c5eb2 3514 }
e94f141b
JA		 3515 if (req)
3516 io_queue_async_work(req);
221c5eb2 3517
221c5eb2
JA		 3518 return 1;
3519}
3520
3521struct io_poll_table {
3522 struct poll_table_struct pt;
3523 struct io_kiocb *req;
3524 int error;
3525};
3526
3527static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3528 struct poll_table_struct *p)
3529{
3530 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3531
3532 if (unlikely(pt->req->poll.head)) {
3533 pt->error = -EINVAL;
3534 return;
3535 }
3536
3537 pt->error = 0;
3538 pt->req->poll.head = head;
392edb45 3539 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 3540}
3541
eac406c6
JA		 3542static void io_poll_req_insert(struct io_kiocb *req)
3543{
3544 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 3545 struct hlist_head *list;
3546
3547 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3548 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 3549}
3550
3529d8c2 3551static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 3552{
3553 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3554 u16 events;
221c5eb2
JA		 3555
3556 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3557 return -EINVAL;
3558 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3559 return -EINVAL;
09bb8394
JA		 3560 if (!poll->file)
3561 return -EBADF;
221c5eb2 3562
221c5eb2
JA		 3563 events = READ_ONCE(sqe->poll_events);
3564 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 3565 return 0;
3566}
3567
3568static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3569{
3570 struct io_poll_iocb *poll = &req->poll;
3571 struct io_ring_ctx *ctx = req->ctx;
3572 struct io_poll_table ipt;
3573 bool cancel = false;
3574 __poll_t mask;
0969e783
JA		 3575
3576 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 3577 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 3578
221c5eb2 3579 poll->head = NULL;
8c838788 3580 poll->done = false;
221c5eb2
JA		 3581 poll->canceled = false;
3582
3583 ipt.pt._qproc = io_poll_queue_proc;
3584 ipt.pt._key = poll->events;
3585 ipt.req = req;
3586 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3587
3588 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 3589 INIT_LIST_HEAD(&poll->wait.entry);
3590 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3591 poll->wait.private = poll;
221c5eb2 3592
36703247
JA		 3593 INIT_LIST_HEAD(&req->list);
3594
221c5eb2 3595 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 3596
3597 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 3598 if (likely(poll->head)) {
3599 spin_lock(&poll->head->lock);
392edb45 3600 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 3601 if (ipt.error)
3602 cancel = true;
3603 ipt.error = 0;
3604 mask = 0;
3605 }
3606 if (mask || ipt.error)
392edb45 3607 list_del_init(&poll->wait.entry);
8c838788
JA		 3608 else if (cancel)
3609 WRITE_ONCE(poll->canceled, true);
3610 else if (!poll->done) /* actually waiting for an event */
eac406c6 3611 io_poll_req_insert(req);
8c838788
JA		 3612 spin_unlock(&poll->head->lock);
3613 }
3614 if (mask) { /* no async, we'd stolen it */
221c5eb2 3615 ipt.error = 0;
b0dd8a41 3616 io_poll_complete(req, mask, 0);
221c5eb2 3617 }
221c5eb2
JA		 3618 spin_unlock_irq(&ctx->completion_lock);
3619
8c838788
JA		 3620 if (mask) {
3621 io_cqring_ev_posted(ctx);
ec9c02ad 3622 io_put_req_find_next(req, nxt);
221c5eb2 3623 }
8c838788 3624 return ipt.error;
221c5eb2
JA		 3625}
3626
5262f567
JA		 3627static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3628{
ad8a48ac
JA		 3629 struct io_timeout_data *data = container_of(timer,
3630 struct io_timeout_data, timer);
3631 struct io_kiocb *req = data->req;
3632 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 3633 unsigned long flags;
3634
5262f567
JA		 3635 atomic_inc(&ctx->cq_timeouts);
3636
3637 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 3638 /*
11365043
JA		 3639 * We could be racing with timeout deletion. If the list is empty,
3640 * then timeout lookup already found it and will be handling it.
ef03681a 3641 */
842f9612 3642 if (!list_empty(&req->list)) {
11365043 3643 struct io_kiocb *prev;
5262f567 3644
11365043
JA		 3645 /*
3646 * Adjust the reqs sequence before the current one because it
d195a66e 3647 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 3648 * pointer will be increased, otherwise other timeout reqs may
3649 * return in advance without waiting for enough wait_nr.
3650 */
3651 prev = req;
3652 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3653 prev->sequence++;
11365043 3654 list_del_init(&req->list);
11365043 3655 }
5262f567 3656
78e19bbe 3657 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 3658 io_commit_cqring(ctx);
3659 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3660
3661 io_cqring_ev_posted(ctx);
4e88d6e7 3662 req_set_fail_links(req);
5262f567
JA		 3663 io_put_req(req);
3664 return HRTIMER_NORESTART;
3665}
3666
47f46768
JA		 3667static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3668{
3669 struct io_kiocb *req;
3670 int ret = -ENOENT;
3671
3672 list_for_each_entry(req, &ctx->timeout_list, list) {
3673 if (user_data == req->user_data) {
3674 list_del_init(&req->list);
3675 ret = 0;
3676 break;
3677 }
3678 }
3679
3680 if (ret == -ENOENT)
3681 return ret;
3682
2d28390a 3683 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 3684 if (ret == -1)
3685 return -EALREADY;
3686
4e88d6e7 3687 req_set_fail_links(req);
47f46768
JA		 3688 io_cqring_fill_event(req, -ECANCELED);
3689 io_put_req(req);
3690 return 0;
3691}
3692
3529d8c2
JA		 3693static int io_timeout_remove_prep(struct io_kiocb *req,
3694 const struct io_uring_sqe *sqe)
b29472ee 3695{
b29472ee
JA		 3696 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3697 return -EINVAL;
3698 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3699 return -EINVAL;
3700
3701 req->timeout.addr = READ_ONCE(sqe->addr);
3702 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3703 if (req->timeout.flags)
3704 return -EINVAL;
3705
b29472ee
JA		 3706 return 0;
3707}
3708
11365043
JA		 3709/*
3710 * Remove or update an existing timeout command
3711 */
fc4df999 3712static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 3713{
3714 struct io_ring_ctx *ctx = req->ctx;
47f46768 3715 int ret;
11365043 3716
11365043 3717 spin_lock_irq(&ctx->completion_lock);
b29472ee 3718 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 3719
47f46768 3720 io_cqring_fill_event(req, ret);
11365043
JA		 3721 io_commit_cqring(ctx);
3722 spin_unlock_irq(&ctx->completion_lock);
5262f567 3723 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 3724 if (ret < 0)
3725 req_set_fail_links(req);
ec9c02ad 3726 io_put_req(req);
11365043 3727 return 0;
5262f567
JA		 3728}
3729
3529d8c2 3730static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 3731 bool is_timeout_link)
5262f567 3732{
ad8a48ac 3733 struct io_timeout_data *data;
a41525ab 3734 unsigned flags;
5262f567 3735
ad8a48ac 3736 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 3737 return -EINVAL;
ad8a48ac 3738 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 3739 return -EINVAL;
2d28390a
JA		 3740 if (sqe->off && is_timeout_link)
3741 return -EINVAL;
a41525ab
JA		 3742 flags = READ_ONCE(sqe->timeout_flags);
3743 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 3744 return -EINVAL;
bdf20073 3745
26a61679
JA		 3746 req->timeout.count = READ_ONCE(sqe->off);
3747
3529d8c2 3748 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 3749 return -ENOMEM;
3750
3751 data = &req->io->timeout;
ad8a48ac 3752 data->req = req;
ad8a48ac
JA		 3753 req->flags |= REQ_F_TIMEOUT;
3754
3755 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 3756 return -EFAULT;
3757
11365043 3758 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 3759 data->mode = HRTIMER_MODE_ABS;
11365043 3760 else
ad8a48ac 3761 data->mode = HRTIMER_MODE_REL;
11365043 3762
ad8a48ac
JA		 3763 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3764 return 0;
3765}
3766
fc4df999 3767static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 3768{
3769 unsigned count;
3770 struct io_ring_ctx *ctx = req->ctx;
3771 struct io_timeout_data *data;
3772 struct list_head *entry;
3773 unsigned span = 0;
ad8a48ac 3774
2d28390a 3775 data = &req->io->timeout;
93bd25bb 3776
5262f567
JA		 3777 /*
3778 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 3779 * timeout event to be satisfied. If it isn't set, then this is
3780 * a pure timeout request, sequence isn't used.
5262f567 3781 */
26a61679 3782 count = req->timeout.count;
93bd25bb
JA		 3783 if (!count) {
3784 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3785 spin_lock_irq(&ctx->completion_lock);
3786 entry = ctx->timeout_list.prev;
3787 goto add;
3788 }
5262f567
JA		 3789
3790 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 3791 data->seq_offset = count;
5262f567
JA		 3792
3793 /*
3794 * Insertion sort, ensuring the first entry in the list is always
3795 * the one we need first.
3796 */
5262f567
JA		 3797 spin_lock_irq(&ctx->completion_lock);
3798 list_for_each_prev(entry, &ctx->timeout_list) {
3799 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 3800 unsigned nxt_sq_head;
3801 long long tmp, tmp_nxt;
2d28390a 3802 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 3803
93bd25bb
JA		 3804 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3805 continue;
3806
5da0fb1a 3807 /*
3808 * Since cached_sq_head + count - 1 can overflow, use type long
3809 * long to store it.
3810 */
3811 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 3812 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3813 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 3814
3815 /*
3816 * cached_sq_head may overflow, and it will never overflow twice
3817 * once there is some timeout req still be valid.
3818 */
3819 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 3820 tmp += UINT_MAX;
5da0fb1a 3821
a1f58ba4 3822 if (tmp > tmp_nxt)
5262f567 3823 break;
a1f58ba4 3824
3825 /*
3826 * Sequence of reqs after the insert one and itself should
3827 * be adjusted because each timeout req consumes a slot.
3828 */
3829 span++;
3830 nxt->sequence++;
5262f567 3831 }
a1f58ba4 3832 req->sequence -= span;
93bd25bb 3833add:
5262f567 3834 list_add(&req->list, entry);
ad8a48ac
JA		 3835 data->timer.function = io_timeout_fn;
3836 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 3837 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 3838 return 0;
3839}
5262f567 3840
62755e35
JA		 3841static bool io_cancel_cb(struct io_wq_work *work, void *data)
3842{
3843 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3844
3845 return req->user_data == (unsigned long) data;
3846}
3847
e977d6d3 3848static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 3849{
62755e35 3850 enum io_wq_cancel cancel_ret;
62755e35
JA		 3851 int ret = 0;
3852
62755e35
JA		 3853 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3854 switch (cancel_ret) {
3855 case IO_WQ_CANCEL_OK:
3856 ret = 0;
3857 break;
3858 case IO_WQ_CANCEL_RUNNING:
3859 ret = -EALREADY;
3860 break;
3861 case IO_WQ_CANCEL_NOTFOUND:
3862 ret = -ENOENT;
3863 break;
3864 }
3865
e977d6d3
JA		 3866 return ret;
3867}
3868
47f46768
JA		 3869static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3870 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3871 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3872{
3873 unsigned long flags;
3874 int ret;
3875
3876 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3877 if (ret != -ENOENT) {
3878 spin_lock_irqsave(&ctx->completion_lock, flags);
3879 goto done;
3880 }
3881
3882 spin_lock_irqsave(&ctx->completion_lock, flags);
3883 ret = io_timeout_cancel(ctx, sqe_addr);
3884 if (ret != -ENOENT)
3885 goto done;
3886 ret = io_poll_cancel(ctx, sqe_addr);
3887done:
b0dd8a41
JA		 3888 if (!ret)
3889 ret = success_ret;
47f46768
JA		 3890 io_cqring_fill_event(req, ret);
3891 io_commit_cqring(ctx);
3892 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3893 io_cqring_ev_posted(ctx);
3894
4e88d6e7
JA		 3895 if (ret < 0)
3896 req_set_fail_links(req);
47f46768
JA		 3897 io_put_req_find_next(req, nxt);
3898}
3899
3529d8c2
JA		 3900static int io_async_cancel_prep(struct io_kiocb *req,
3901 const struct io_uring_sqe *sqe)
e977d6d3 3902{
fbf23849 3903 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3904 return -EINVAL;
3905 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3906 sqe->cancel_flags)
3907 return -EINVAL;
3908
fbf23849
JA		 3909 req->cancel.addr = READ_ONCE(sqe->addr);
3910 return 0;
3911}
3912
3913static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3914{
3915 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 3916
3917 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3918 return 0;
3919}
3920
05f3fb3c
JA		 3921static int io_files_update_prep(struct io_kiocb *req,
3922 const struct io_uring_sqe *sqe)
3923{
3924 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3925 return -EINVAL;
3926
3927 req->files_update.offset = READ_ONCE(sqe->off);
3928 req->files_update.nr_args = READ_ONCE(sqe->len);
3929 if (!req->files_update.nr_args)
3930 return -EINVAL;
3931 req->files_update.arg = READ_ONCE(sqe->addr);
3932 return 0;
3933}
3934
3935static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3936{
3937 struct io_ring_ctx *ctx = req->ctx;
3938 struct io_uring_files_update up;
3939 int ret;
3940
3941 if (force_nonblock) {
3942 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3943 return -EAGAIN;
3944 }
3945
3946 up.offset = req->files_update.offset;
3947 up.fds = req->files_update.arg;
3948
3949 mutex_lock(&ctx->uring_lock);
3950 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3951 mutex_unlock(&ctx->uring_lock);
3952
3953 if (ret < 0)
3954 req_set_fail_links(req);
3955 io_cqring_add_event(req, ret);
3956 io_put_req(req);
3957 return 0;
3958}
3959
3529d8c2
JA		 3960static int io_req_defer_prep(struct io_kiocb *req,
3961 const struct io_uring_sqe *sqe)
f67676d1 3962{
e781573e 3963 ssize_t ret = 0;
f67676d1 3964
d625c6ee 3965 switch (req->opcode) {
e781573e
JA		 3966 case IORING_OP_NOP:
3967 break;
f67676d1
JA		 3968 case IORING_OP_READV:
3969 case IORING_OP_READ_FIXED:
3a6820f2 3970 case IORING_OP_READ:
3529d8c2 3971 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 3972 break;
3973 case IORING_OP_WRITEV:
3974 case IORING_OP_WRITE_FIXED:
3a6820f2 3975 case IORING_OP_WRITE:
3529d8c2 3976 ret = io_write_prep(req, sqe, true);
f67676d1 3977 break;
0969e783 3978 case IORING_OP_POLL_ADD:
3529d8c2 3979 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 3980 break;
3981 case IORING_OP_POLL_REMOVE:
3529d8c2 3982 ret = io_poll_remove_prep(req, sqe);
0969e783 3983 break;
8ed8d3c3 3984 case IORING_OP_FSYNC:
3529d8c2 3985 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 3986 break;
3987 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 3988 ret = io_prep_sfr(req, sqe);
8ed8d3c3 3989 break;
03b1230c 3990 case IORING_OP_SENDMSG:
fddaface 3991 case IORING_OP_SEND:
3529d8c2 3992 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 3993 break;
3994 case IORING_OP_RECVMSG:
fddaface 3995 case IORING_OP_RECV:
3529d8c2 3996 ret = io_recvmsg_prep(req, sqe);
03b1230c 3997 break;
f499a021 3998 case IORING_OP_CONNECT:
3529d8c2 3999 ret = io_connect_prep(req, sqe);
f499a021 4000 break;
2d28390a 4001 case IORING_OP_TIMEOUT:
3529d8c2 4002 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 4003 break;
b29472ee 4004 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 4005 ret = io_timeout_remove_prep(req, sqe);
b29472ee 4006 break;
fbf23849 4007 case IORING_OP_ASYNC_CANCEL:
3529d8c2 4008 ret = io_async_cancel_prep(req, sqe);
fbf23849 4009 break;
2d28390a 4010 case IORING_OP_LINK_TIMEOUT:
3529d8c2 4011 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 4012 break;
8ed8d3c3 4013 case IORING_OP_ACCEPT:
3529d8c2 4014 ret = io_accept_prep(req, sqe);
8ed8d3c3 4015 break;
d63d1b5e
JA		 4016 case IORING_OP_FALLOCATE:
4017 ret = io_fallocate_prep(req, sqe);
4018 break;
15b71abe
JA		 4019 case IORING_OP_OPENAT:
4020 ret = io_openat_prep(req, sqe);
4021 break;
b5dba59e
JA		 4022 case IORING_OP_CLOSE:
4023 ret = io_close_prep(req, sqe);
4024 break;
05f3fb3c
JA		 4025 case IORING_OP_FILES_UPDATE:
4026 ret = io_files_update_prep(req, sqe);
4027 break;
eddc7ef5
JA		 4028 case IORING_OP_STATX:
4029 ret = io_statx_prep(req, sqe);
4030 break;
4840e418
JA		 4031 case IORING_OP_FADVISE:
4032 ret = io_fadvise_prep(req, sqe);
4033 break;
c1ca757b
JA		 4034 case IORING_OP_MADVISE:
4035 ret = io_madvise_prep(req, sqe);
4036 break;
cebdb986
JA		 4037 case IORING_OP_OPENAT2:
4038 ret = io_openat2_prep(req, sqe);
4039 break;
f67676d1 4040 default:
e781573e
JA		 4041 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
4042 req->opcode);
4043 ret = -EINVAL;
b7bb4f7d 4044 break;
f67676d1
JA		 4045 }
4046
b7bb4f7d 4047 return ret;
f67676d1
JA		 4048}
4049
3529d8c2 4050static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 4051{
a197f664 4052 struct io_ring_ctx *ctx = req->ctx;
f67676d1 4053 int ret;
de0617e4 4054
9d858b21
BL		 4055 /* Still need defer if there is pending req in defer list. */
4056 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 4057 return 0;
4058
3529d8c2 4059 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 4060 return -EAGAIN;
4061
3529d8c2 4062 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 4063 if (ret < 0)
2d28390a 4064 return ret;
2d28390a 4065
de0617e4 4066 spin_lock_irq(&ctx->completion_lock);
9d858b21 4067 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 4068 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 4069 return 0;
4070 }
4071
915967f6 4072 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 4073 list_add_tail(&req->list, &ctx->defer_list);
4074 spin_unlock_irq(&ctx->completion_lock);
4075 return -EIOCBQUEUED;
4076}
4077
3529d8c2
JA		 4078static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4079 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 4080{
a197f664 4081 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 4082 int ret;
2b188cc1 4083
d625c6ee 4084 switch (req->opcode) {
2b188cc1 4085 case IORING_OP_NOP:
78e19bbe 4086 ret = io_nop(req);
2b188cc1
JA		 4087 break;
4088 case IORING_OP_READV:
edafccee 4089 case IORING_OP_READ_FIXED:
3a6820f2 4090 case IORING_OP_READ:
3529d8c2
JA		 4091 if (sqe) {
4092 ret = io_read_prep(req, sqe, force_nonblock);
4093 if (ret < 0)
4094 break;
4095 }
267bc904 4096 ret = io_read(req, nxt, force_nonblock);
edafccee 4097 break;
3529d8c2 4098 case IORING_OP_WRITEV:
edafccee 4099 case IORING_OP_WRITE_FIXED:
3a6820f2 4100 case IORING_OP_WRITE:
3529d8c2
JA		 4101 if (sqe) {
4102 ret = io_write_prep(req, sqe, force_nonblock);
4103 if (ret < 0)
4104 break;
4105 }
267bc904 4106 ret = io_write(req, nxt, force_nonblock);
2b188cc1 4107 break;
c992fe29 4108 case IORING_OP_FSYNC:
3529d8c2
JA		 4109 if (sqe) {
4110 ret = io_prep_fsync(req, sqe);
4111 if (ret < 0)
4112 break;
4113 }
fc4df999 4114 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 4115 break;
221c5eb2 4116 case IORING_OP_POLL_ADD:
3529d8c2
JA		 4117 if (sqe) {
4118 ret = io_poll_add_prep(req, sqe);
4119 if (ret)
4120 break;
4121 }
fc4df999 4122 ret = io_poll_add(req, nxt);
221c5eb2
JA		 4123 break;
4124 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 4125 if (sqe) {
4126 ret = io_poll_remove_prep(req, sqe);
4127 if (ret < 0)
4128 break;
4129 }
fc4df999 4130 ret = io_poll_remove(req);
221c5eb2 4131 break;
5d17b4a4 4132 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 4133 if (sqe) {
4134 ret = io_prep_sfr(req, sqe);
4135 if (ret < 0)
4136 break;
4137 }
fc4df999 4138 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 4139 break;
0fa03c62 4140 case IORING_OP_SENDMSG:
fddaface 4141 case IORING_OP_SEND:
3529d8c2
JA		 4142 if (sqe) {
4143 ret = io_sendmsg_prep(req, sqe);
4144 if (ret < 0)
4145 break;
4146 }
fddaface
JA		 4147 if (req->opcode == IORING_OP_SENDMSG)
4148 ret = io_sendmsg(req, nxt, force_nonblock);
4149 else
4150 ret = io_send(req, nxt, force_nonblock);
0fa03c62 4151 break;
aa1fa28f 4152 case IORING_OP_RECVMSG:
fddaface 4153 case IORING_OP_RECV:
3529d8c2
JA		 4154 if (sqe) {
4155 ret = io_recvmsg_prep(req, sqe);
4156 if (ret)
4157 break;
4158 }
fddaface
JA		 4159 if (req->opcode == IORING_OP_RECVMSG)
4160 ret = io_recvmsg(req, nxt, force_nonblock);
4161 else
4162 ret = io_recv(req, nxt, force_nonblock);
aa1fa28f 4163 break;
5262f567 4164 case IORING_OP_TIMEOUT:
3529d8c2
JA		 4165 if (sqe) {
4166 ret = io_timeout_prep(req, sqe, false);
4167 if (ret)
4168 break;
4169 }
fc4df999 4170 ret = io_timeout(req);
5262f567 4171 break;
11365043 4172 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 4173 if (sqe) {
4174 ret = io_timeout_remove_prep(req, sqe);
4175 if (ret)
4176 break;
4177 }
fc4df999 4178 ret = io_timeout_remove(req);
11365043 4179 break;
17f2fe35 4180 case IORING_OP_ACCEPT:
3529d8c2
JA		 4181 if (sqe) {
4182 ret = io_accept_prep(req, sqe);
4183 if (ret)
4184 break;
4185 }
fc4df999 4186 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 4187 break;
f8e85cf2 4188 case IORING_OP_CONNECT:
3529d8c2
JA		 4189 if (sqe) {
4190 ret = io_connect_prep(req, sqe);
4191 if (ret)
4192 break;
4193 }
fc4df999 4194 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 4195 break;
62755e35 4196 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 4197 if (sqe) {
4198 ret = io_async_cancel_prep(req, sqe);
4199 if (ret)
4200 break;
4201 }
fc4df999 4202 ret = io_async_cancel(req, nxt);
62755e35 4203 break;
d63d1b5e
JA		 4204 case IORING_OP_FALLOCATE:
4205 if (sqe) {
4206 ret = io_fallocate_prep(req, sqe);
4207 if (ret)
4208 break;
4209 }
4210 ret = io_fallocate(req, nxt, force_nonblock);
4211 break;
15b71abe
JA		 4212 case IORING_OP_OPENAT:
4213 if (sqe) {
4214 ret = io_openat_prep(req, sqe);
4215 if (ret)
4216 break;
4217 }
4218 ret = io_openat(req, nxt, force_nonblock);
4219 break;
b5dba59e
JA		 4220 case IORING_OP_CLOSE:
4221 if (sqe) {
4222 ret = io_close_prep(req, sqe);
4223 if (ret)
4224 break;
4225 }
4226 ret = io_close(req, nxt, force_nonblock);
4227 break;
05f3fb3c
JA		 4228 case IORING_OP_FILES_UPDATE:
4229 if (sqe) {
4230 ret = io_files_update_prep(req, sqe);
4231 if (ret)
4232 break;
4233 }
4234 ret = io_files_update(req, force_nonblock);
4235 break;
eddc7ef5
JA		 4236 case IORING_OP_STATX:
4237 if (sqe) {
4238 ret = io_statx_prep(req, sqe);
4239 if (ret)
4240 break;
4241 }
4242 ret = io_statx(req, nxt, force_nonblock);
4243 break;
4840e418
JA		 4244 case IORING_OP_FADVISE:
4245 if (sqe) {
4246 ret = io_fadvise_prep(req, sqe);
4247 if (ret)
4248 break;
4249 }
4250 ret = io_fadvise(req, nxt, force_nonblock);
4251 break;
c1ca757b
JA		 4252 case IORING_OP_MADVISE:
4253 if (sqe) {
4254 ret = io_madvise_prep(req, sqe);
4255 if (ret)
4256 break;
4257 }
4258 ret = io_madvise(req, nxt, force_nonblock);
4259 break;
cebdb986
JA		 4260 case IORING_OP_OPENAT2:
4261 if (sqe) {
4262 ret = io_openat2_prep(req, sqe);
4263 if (ret)
4264 break;
4265 }
4266 ret = io_openat2(req, nxt, force_nonblock);
4267 break;
2b188cc1
JA		 4268 default:
4269 ret = -EINVAL;
4270 break;
4271 }
4272
def596e9
JA		 4273 if (ret)
4274 return ret;
4275
4276 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 4277 const bool in_async = io_wq_current_is_worker();
4278
9e645e11 4279 if (req->result == -EAGAIN)
def596e9
JA		 4280 return -EAGAIN;
4281
11ba820b
JA		 4282 /* workqueue context doesn't hold uring_lock, grab it now */
4283 if (in_async)
4284 mutex_lock(&ctx->uring_lock);
4285
def596e9 4286 io_iopoll_req_issued(req);
11ba820b
JA		 4287
4288 if (in_async)
4289 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 4290 }
4291
4292 return 0;
2b188cc1
JA		 4293}
4294
561fb04a 4295static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 4296{
561fb04a 4297 struct io_wq_work *work = *workptr;
2b188cc1 4298 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 4299 struct io_kiocb *nxt = NULL;
4300 int ret = 0;
2b188cc1 4301
0c9d5ccd
JA		 4302 /* if NO_CANCEL is set, we must still run the work */
4303 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4304 IO_WQ_WORK_CANCEL) {
561fb04a 4305 ret = -ECANCELED;
0c9d5ccd 4306 }
31b51510 4307
561fb04a 4308 if (!ret) {
cf6fd4bd
PB		 4309 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
4310 req->in_async = true;
561fb04a 4311 do {
3529d8c2 4312 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 4313 /*
4314 * We can get EAGAIN for polled IO even though we're
4315 * forcing a sync submission from here, since we can't
4316 * wait for request slots on the block side.
4317 */
4318 if (ret != -EAGAIN)
4319 break;
4320 cond_resched();
4321 } while (1);
4322 }
31b51510 4323
561fb04a 4324 /* drop submission reference */
ec9c02ad 4325 io_put_req(req);
817869d2 4326
561fb04a 4327 if (ret) {
4e88d6e7 4328 req_set_fail_links(req);
78e19bbe 4329 io_cqring_add_event(req, ret);
817869d2 4330 io_put_req(req);
edafccee 4331 }
2b188cc1 4332
561fb04a 4333 /* if a dependent link is ready, pass it back */
78912934
JA		 4334 if (!ret && nxt)
4335 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 4336}
4337
15b71abe 4338static int io_req_needs_file(struct io_kiocb *req, int fd)
09bb8394 4339{
d3656344 4340 if (!io_op_defs[req->opcode].needs_file)
9e3aa61a 4341 return 0;
d3656344
JA		 4342 if (fd == -1 && io_op_defs[req->opcode].fd_non_neg)
4343 return 0;
4344 return 1;
09bb8394
JA		 4345}
4346
65e19f54
JA		 4347static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4348 int index)
4349{
4350 struct fixed_file_table *table;
4351
05f3fb3c
JA		 4352 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4353 return table->files[index & IORING_FILE_TABLE_MASK];;
65e19f54
JA		 4354}
4355
3529d8c2
JA		 4356static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4357 const struct io_uring_sqe *sqe)
09bb8394 4358{
a197f664 4359 struct io_ring_ctx *ctx = req->ctx;
09bb8394 4360 unsigned flags;
d3656344 4361 int fd;
09bb8394 4362
3529d8c2
JA		 4363 flags = READ_ONCE(sqe->flags);
4364 fd = READ_ONCE(sqe->fd);
09bb8394 4365
4fe2c963 4366 if (flags & IOSQE_IO_DRAIN)
de0617e4 4367 req->flags |= REQ_F_IO_DRAIN;
de0617e4 4368
d3656344
JA		 4369 if (!io_req_needs_file(req, fd))
4370 return 0;
09bb8394
JA		 4371
4372 if (flags & IOSQE_FIXED_FILE) {
05f3fb3c 4373 if (unlikely(!ctx->file_data ||
09bb8394
JA		 4374 (unsigned) fd >= ctx->nr_user_files))
4375 return -EBADF;
b7620121 4376 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 4377 req->file = io_file_from_index(ctx, fd);
4378 if (!req->file)
08a45173 4379 return -EBADF;
09bb8394 4380 req->flags |= REQ_F_FIXED_FILE;
05f3fb3c 4381 percpu_ref_get(&ctx->file_data->refs);
09bb8394 4382 } else {
cf6fd4bd 4383 if (req->needs_fixed_file)
09bb8394 4384 return -EBADF;
c826bd7a 4385 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 4386 req->file = io_file_get(state, fd);
4387 if (unlikely(!req->file))
4388 return -EBADF;
4389 }
4390
4391 return 0;
4392}
4393
a197f664 4394static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 4395{
4396 int ret = -EBADF;
a197f664 4397 struct io_ring_ctx *ctx = req->ctx;
fcb323cc 4398
b5dba59e
JA		 4399 if (!req->ring_file)
4400 return -EBADF;
4401
fcb323cc
JA		 4402 rcu_read_lock();
4403 spin_lock_irq(&ctx->inflight_lock);
4404 /*
4405 * We use the f_ops->flush() handler to ensure that we can flush
4406 * out work accessing these files if the fd is closed. Check if
4407 * the fd has changed since we started down this path, and disallow
4408 * this operation if it has.
4409 */
cf6fd4bd 4410 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 4411 list_add(&req->inflight_entry, &ctx->inflight_list);
4412 req->flags |= REQ_F_INFLIGHT;
4413 req->work.files = current->files;
4414 ret = 0;
4415 }
4416 spin_unlock_irq(&ctx->inflight_lock);
4417 rcu_read_unlock();
4418
4419 return ret;
4420}
4421
2665abfd 4422static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 4423{
ad8a48ac
JA		 4424 struct io_timeout_data *data = container_of(timer,
4425 struct io_timeout_data, timer);
4426 struct io_kiocb *req = data->req;
2665abfd
JA		 4427 struct io_ring_ctx *ctx = req->ctx;
4428 struct io_kiocb *prev = NULL;
4429 unsigned long flags;
2665abfd
JA		 4430
4431 spin_lock_irqsave(&ctx->completion_lock, flags);
4432
4433 /*
4434 * We don't expect the list to be empty, that will only happen if we
4435 * race with the completion of the linked work.
4436 */
4493233e
PB		 4437 if (!list_empty(&req->link_list)) {
4438 prev = list_entry(req->link_list.prev, struct io_kiocb,
4439 link_list);
5d960724 4440 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 4441 list_del_init(&req->link_list);
5d960724
JA		 4442 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4443 } else
76a46e06 4444 prev = NULL;
2665abfd
JA		 4445 }
4446
4447 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4448
4449 if (prev) {
4e88d6e7 4450 req_set_fail_links(prev);
b0dd8a41
JA		 4451 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4452 -ETIME);
76a46e06 4453 io_put_req(prev);
47f46768
JA		 4454 } else {
4455 io_cqring_add_event(req, -ETIME);
4456 io_put_req(req);
2665abfd 4457 }
2665abfd
JA		 4458 return HRTIMER_NORESTART;
4459}
4460
ad8a48ac 4461static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 4462{
76a46e06 4463 struct io_ring_ctx *ctx = req->ctx;
2665abfd 4464
76a46e06
JA		 4465 /*
4466 * If the list is now empty, then our linked request finished before
4467 * we got a chance to setup the timer
4468 */
4469 spin_lock_irq(&ctx->completion_lock);
4493233e 4470 if (!list_empty(&req->link_list)) {
2d28390a 4471 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 4472
ad8a48ac
JA		 4473 data->timer.function = io_link_timeout_fn;
4474 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4475 data->mode);
2665abfd 4476 }
76a46e06 4477 spin_unlock_irq(&ctx->completion_lock);
2665abfd 4478
2665abfd 4479 /* drop submission reference */
76a46e06
JA		 4480 io_put_req(req);
4481}
2665abfd 4482
ad8a48ac 4483static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 4484{
4485 struct io_kiocb *nxt;
4486
4487 if (!(req->flags & REQ_F_LINK))
4488 return NULL;
4489
4493233e
PB		 4490 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4491 link_list);
d625c6ee 4492 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 4493 return NULL;
2665abfd 4494
76a46e06 4495 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 4496 return nxt;
2665abfd
JA		 4497}
4498
3529d8c2 4499static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 4500{
4a0a7a18 4501 struct io_kiocb *linked_timeout;
f9bd67f6 4502 struct io_kiocb *nxt = NULL;
e0c5c576 4503 int ret;
2b188cc1 4504
4a0a7a18
JA		 4505again:
4506 linked_timeout = io_prep_linked_timeout(req);
4507
3529d8c2 4508 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 4509
4510 /*
4511 * We async punt it if the file wasn't marked NOWAIT, or if the file
4512 * doesn't support non-blocking read/write attempts
4513 */
4514 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4515 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 4516 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
4517 ret = io_grab_files(req);
4518 if (ret)
4519 goto err;
2b188cc1 4520 }
bbad27b2
PB		 4521
4522 /*
4523 * Queued up for async execution, worker will release
4524 * submit reference when the iocb is actually submitted.
4525 */
4526 io_queue_async_work(req);
4a0a7a18 4527 goto done_req;
2b188cc1 4528 }
e65ef56d 4529
fcb323cc 4530err:
76a46e06 4531 /* drop submission reference */
ec9c02ad 4532 io_put_req(req);
e65ef56d 4533
f9bd67f6 4534 if (linked_timeout) {
76a46e06 4535 if (!ret)
f9bd67f6 4536 io_queue_linked_timeout(linked_timeout);
76a46e06 4537 else
f9bd67f6 4538 io_put_req(linked_timeout);
76a46e06
JA		 4539 }
4540
e65ef56d 4541 /* and drop final reference, if we failed */
9e645e11 4542 if (ret) {
78e19bbe 4543 io_cqring_add_event(req, ret);
4e88d6e7 4544 req_set_fail_links(req);
e65ef56d 4545 io_put_req(req);
9e645e11 4546 }
4a0a7a18
JA		 4547done_req:
4548 if (nxt) {
4549 req = nxt;
4550 nxt = NULL;
4551 goto again;
4552 }
2b188cc1
JA		 4553}
4554
3529d8c2 4555static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 4556{
4557 int ret;
4558
1b4a51b6
PB		 4559 if (unlikely(req->ctx->drain_next)) {
4560 req->flags |= REQ_F_IO_DRAIN;
69b3e546 4561 req->ctx->drain_next = 0;
1b4a51b6 4562 }
69b3e546 4563 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK) != 0;
1b4a51b6 4564
3529d8c2 4565 ret = io_req_defer(req, sqe);
4fe2c963
JL		 4566 if (ret) {
4567 if (ret != -EIOCBQUEUED) {
78e19bbe 4568 io_cqring_add_event(req, ret);
4e88d6e7 4569 req_set_fail_links(req);
78e19bbe 4570 io_double_put_req(req);
4fe2c963 4571 }
2550878f 4572 } else if (req->flags & REQ_F_FORCE_ASYNC) {
ce35a47a
JA		 4573 /*
4574 * Never try inline submit of IOSQE_ASYNC is set, go straight
4575 * to async execution.
4576 */
4577 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4578 io_queue_async_work(req);
4579 } else {
3529d8c2 4580 __io_queue_sqe(req, sqe);
ce35a47a 4581 }
4fe2c963
JL		 4582}
4583
1b4a51b6 4584static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 4585{
94ae5e77 4586 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 4587 io_cqring_add_event(req, -ECANCELED);
4588 io_double_put_req(req);
4589 } else
3529d8c2 4590 io_queue_sqe(req, NULL);
4fe2c963
JL		 4591}
4592
4e88d6e7 4593#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
ce35a47a 4594 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
9e645e11 4595
3529d8c2
JA		 4596static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4597 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 4598{
a197f664 4599 struct io_ring_ctx *ctx = req->ctx;
32fe525b 4600 unsigned int sqe_flags;
9e645e11
JA		 4601 int ret;
4602
32fe525b
PB		 4603 sqe_flags = READ_ONCE(sqe->flags);
4604
9e645e11 4605 /* enforce forwards compatibility on users */
32fe525b 4606 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
9e645e11 4607 ret = -EINVAL;
196be95c 4608 goto err_req;
9e645e11 4609 }
32fe525b 4610 if (sqe_flags & IOSQE_ASYNC)
ce35a47a 4611 req->flags |= REQ_F_FORCE_ASYNC;
9e645e11 4612
3529d8c2 4613 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 4614 if (unlikely(ret)) {
4615err_req:
78e19bbe
JA		 4616 io_cqring_add_event(req, ret);
4617 io_double_put_req(req);
2e6e1fde 4618 return false;
9e645e11
JA		 4619 }
4620
9e645e11
JA		 4621 /*
4622 * If we already have a head request, queue this one for async
4623 * submittal once the head completes. If we don't have a head but
4624 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4625 * submitted sync once the chain is complete. If none of those
4626 * conditions are true (normal request), then just queue it.
4627 */
4628 if (*link) {
9d76377f 4629 struct io_kiocb *head = *link;
9e645e11 4630
32fe525b 4631 if (sqe_flags & IOSQE_IO_DRAIN)
9d76377f 4632 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
1b4a51b6 4633
32fe525b 4634 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7
JA		 4635 req->flags |= REQ_F_HARDLINK;
4636
b7bb4f7d 4637 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 4638 ret = -EAGAIN;
4639 goto err_req;
4640 }
4641
3529d8c2 4642 ret = io_req_defer_prep(req, sqe);
2d28390a 4643 if (ret) {
4e88d6e7 4644 /* fail even hard links since we don't submit */
9d76377f 4645 head->flags |= REQ_F_FAIL_LINK;
f67676d1 4646 goto err_req;
2d28390a 4647 }
9d76377f
PB		 4648 trace_io_uring_link(ctx, req, head);
4649 list_add_tail(&req->link_list, &head->link_list);
32fe525b
PB		 4650
4651 /* last request of a link, enqueue the link */
4652 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4653 io_queue_link_head(head);
4654 *link = NULL;
4655 }
4656 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 4657 req->flags |= REQ_F_LINK;
32fe525b 4658 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7 4659 req->flags |= REQ_F_HARDLINK;
9e645e11 4660
9e645e11 4661 INIT_LIST_HEAD(&req->link_list);
3529d8c2
JA		 4662 ret = io_req_defer_prep(req, sqe);
4663 if (ret)
4664 req->flags |= REQ_F_FAIL_LINK;
9e645e11
JA		 4665 *link = req;
4666 } else {
3529d8c2 4667 io_queue_sqe(req, sqe);
9e645e11 4668 }
2e6e1fde
PB		 4669
4670 return true;
9e645e11
JA		 4671}
4672
9a56a232
JA		 4673/*
4674 * Batched submission is done, ensure local IO is flushed out.
4675 */
4676static void io_submit_state_end(struct io_submit_state *state)
4677{
4678 blk_finish_plug(&state->plug);
3d6770fb 4679 io_file_put(state);
2579f913
JA		 4680 if (state->free_reqs)
4681 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4682 &state->reqs[state->cur_req]);
9a56a232
JA		 4683}
4684
4685/*
4686 * Start submission side cache.
4687 */
4688static void io_submit_state_start(struct io_submit_state *state,
22efde59 4689 unsigned int max_ios)
9a56a232
JA		 4690{
4691 blk_start_plug(&state->plug);
2579f913 4692 state->free_reqs = 0;
9a56a232
JA		 4693 state->file = NULL;
4694 state->ios_left = max_ios;
4695}
4696
2b188cc1
JA		 4697static void io_commit_sqring(struct io_ring_ctx *ctx)
4698{
75b28aff 4699 struct io_rings *rings = ctx->rings;
2b188cc1 4700
caf582c6
PB		 4701 /*
4702 * Ensure any loads from the SQEs are done at this point,
4703 * since once we write the new head, the application could
4704 * write new data to them.
4705 */
4706 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 4707}
4708
2b188cc1 4709/*
3529d8c2 4710 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 4711 * that is mapped by userspace. This means that care needs to be taken to
4712 * ensure that reads are stable, as we cannot rely on userspace always
4713 * being a good citizen. If members of the sqe are validated and then later
4714 * used, it's important that those reads are done through READ_ONCE() to
4715 * prevent a re-load down the line.
4716 */
3529d8c2
JA		 4717static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4718 const struct io_uring_sqe **sqe_ptr)
2b188cc1 4719{
75b28aff 4720 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 4721 unsigned head;
4722
4723 /*
4724 * The cached sq head (or cq tail) serves two purposes:
4725 *
4726 * 1) allows us to batch the cost of updating the user visible
4727 * head updates.
4728 * 2) allows the kernel side to track the head on its own, even
4729 * though the application is the one updating it.
4730 */
ee7d46d9 4731 head = READ_ONCE(sq_array[ctx->cached_sq_head & ctx->sq_mask]);
9835d6fa 4732 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 4733 /*
4734 * All io need record the previous position, if LINK vs DARIN,
4735 * it can be used to mark the position of the first IO in the
4736 * link list.
4737 */
4738 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 4739 *sqe_ptr = &ctx->sq_sqes[head];
4740 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4741 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 4742 ctx->cached_sq_head++;
4743 return true;
4744 }
4745
4746 /* drop invalid entries */
4747 ctx->cached_sq_head++;
498ccd9e 4748 ctx->cached_sq_dropped++;
ee7d46d9 4749 WRITE_ONCE(ctx->rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 4750 return false;
4751}
4752
fb5ccc98 4753static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 4754 struct file *ring_file, int ring_fd,
4755 struct mm_struct **mm, bool async)
6c271ce2
JA		 4756{
4757 struct io_submit_state state, *statep = NULL;
9e645e11 4758 struct io_kiocb *link = NULL;
9e645e11 4759 int i, submitted = 0;
95a1b3ff 4760 bool mm_fault = false;
6c271ce2 4761
c4a2ed72 4762 /* if we have a backlog and couldn't flush it all, return BUSY */
ad3eb2c8
JA		 4763 if (test_bit(0, &ctx->sq_check_overflow)) {
4764 if (!list_empty(&ctx->cq_overflow_list) &&
4765 !io_cqring_overflow_flush(ctx, false))
4766 return -EBUSY;
4767 }
6c271ce2 4768
ee7d46d9
PB		 4769 /* make sure SQ entry isn't read before tail */
4770 nr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));
9ef4f124 4771
2b85edfc
PB		 4772 if (!percpu_ref_tryget_many(&ctx->refs, nr))
4773 return -EAGAIN;
4774
6c271ce2 4775 if (nr > IO_PLUG_THRESHOLD) {
22efde59 4776 io_submit_state_start(&state, nr);
6c271ce2
JA		 4777 statep = &state;
4778 }
4779
4780 for (i = 0; i < nr; i++) {
3529d8c2 4781 const struct io_uring_sqe *sqe;
196be95c 4782 struct io_kiocb *req;
fb5ccc98 4783
196be95c
PB		 4784 req = io_get_req(ctx, statep);
4785 if (unlikely(!req)) {
4786 if (!submitted)
4787 submitted = -EAGAIN;
fb5ccc98 4788 break;
196be95c 4789 }
3529d8c2 4790 if (!io_get_sqring(ctx, req, &sqe)) {
2b85edfc 4791 __io_req_do_free(req);
196be95c
PB		 4792 break;
4793 }
fb5ccc98 4794
d3656344
JA		 4795 /* will complete beyond this point, count as submitted */
4796 submitted++;
4797
4798 if (unlikely(req->opcode >= IORING_OP_LAST)) {
4799 io_cqring_add_event(req, -EINVAL);
4800 io_double_put_req(req);
4801 break;
4802 }
4803
4804 if (io_op_defs[req->opcode].needs_mm && !*mm) {
95a1b3ff
PB		 4805 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4806 if (!mm_fault) {
4807 use_mm(ctx->sqo_mm);
4808 *mm = ctx->sqo_mm;
4809 }
9e645e11 4810 }
9e645e11 4811
cf6fd4bd
PB		 4812 req->ring_file = ring_file;
4813 req->ring_fd = ring_fd;
4814 req->has_user = *mm != NULL;
4815 req->in_async = async;
4816 req->needs_fixed_file = async;
354420f7
JA		 4817 trace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,
4818 true, async);
3529d8c2 4819 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 4820 break;
6c271ce2
JA		 4821 }
4822
2b85edfc
PB		 4823 if (submitted != nr)
4824 percpu_ref_put_many(&ctx->refs, nr - submitted);
9e645e11 4825 if (link)
1b4a51b6 4826 io_queue_link_head(link);
6c271ce2
JA		 4827 if (statep)
4828 io_submit_state_end(&state);
4829
ae9428ca
PB		 4830 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4831 io_commit_sqring(ctx);
4832
6c271ce2
JA		 4833 return submitted;
4834}
4835
4836static int io_sq_thread(void *data)
4837{
6c271ce2
JA		 4838 struct io_ring_ctx *ctx = data;
4839 struct mm_struct *cur_mm = NULL;
181e448d 4840 const struct cred *old_cred;
6c271ce2
JA		 4841 mm_segment_t old_fs;
4842 DEFINE_WAIT(wait);
4843 unsigned inflight;
4844 unsigned long timeout;
c1edbf5f 4845 int ret;
6c271ce2 4846
206aefde 4847 complete(&ctx->completions[1]);
a4c0b3de 4848
6c271ce2
JA		 4849 old_fs = get_fs();
4850 set_fs(USER_DS);
181e448d 4851 old_cred = override_creds(ctx->creds);
6c271ce2 4852
c1edbf5f 4853 ret = timeout = inflight = 0;
2bbcd6d3 4854 while (!kthread_should_park()) {
fb5ccc98 4855 unsigned int to_submit;
6c271ce2
JA		 4856
4857 if (inflight) {
4858 unsigned nr_events = 0;
4859
4860 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 4861 /*
4862 * inflight is the count of the maximum possible
4863 * entries we submitted, but it can be smaller
4864 * if we dropped some of them. If we don't have
4865 * poll entries available, then we know that we
4866 * have nothing left to poll for. Reset the
4867 * inflight count to zero in that case.
4868 */
4869 mutex_lock(&ctx->uring_lock);
4870 if (!list_empty(&ctx->poll_list))
4871 __io_iopoll_check(ctx, &nr_events, 0);
4872 else
4873 inflight = 0;
4874 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 4875 } else {
4876 /*
4877 * Normal IO, just pretend everything completed.
4878 * We don't have to poll completions for that.
4879 */
4880 nr_events = inflight;
4881 }
4882
4883 inflight -= nr_events;
4884 if (!inflight)
4885 timeout = jiffies + ctx->sq_thread_idle;
4886 }
4887
fb5ccc98 4888 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 4889
4890 /*
4891 * If submit got -EBUSY, flag us as needing the application
4892 * to enter the kernel to reap and flush events.
4893 */
4894 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 4895 /*
4896 * We're polling. If we're within the defined idle
4897 * period, then let us spin without work before going
c1edbf5f
JA		 4898 * to sleep. The exception is if we got EBUSY doing
4899 * more IO, we should wait for the application to
4900 * reap events and wake us up.
6c271ce2 4901 */
c1edbf5f
JA		 4902 if (inflight ||
4903 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 4904 cond_resched();
6c271ce2
JA		 4905 continue;
4906 }
4907
4908 /*
4909 * Drop cur_mm before scheduling, we can't hold it for
4910 * long periods (or over schedule()). Do this before
4911 * adding ourselves to the waitqueue, as the unuse/drop
4912 * may sleep.
4913 */
4914 if (cur_mm) {
4915 unuse_mm(cur_mm);
4916 mmput(cur_mm);
4917 cur_mm = NULL;
4918 }
4919
4920 prepare_to_wait(&ctx->sqo_wait, &wait,
4921 TASK_INTERRUPTIBLE);
4922
4923 /* Tell userspace we may need a wakeup call */
75b28aff 4924 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 4925 /* make sure to read SQ tail after writing flags */
4926 smp_mb();
6c271ce2 4927
fb5ccc98 4928 to_submit = io_sqring_entries(ctx);
c1edbf5f 4929 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 4930 if (kthread_should_park()) {
6c271ce2
JA		 4931 finish_wait(&ctx->sqo_wait, &wait);
4932 break;
4933 }
4934 if (signal_pending(current))
4935 flush_signals(current);
4936 schedule();
4937 finish_wait(&ctx->sqo_wait, &wait);
4938
75b28aff 4939 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4940 continue;
4941 }
4942 finish_wait(&ctx->sqo_wait, &wait);
4943
75b28aff 4944 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4945 }
4946
8a4955ff 4947 mutex_lock(&ctx->uring_lock);
1d7bb1d5 4948 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 4949 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 4950 if (ret > 0)
4951 inflight += ret;
6c271ce2
JA		 4952 }
4953
4954 set_fs(old_fs);
4955 if (cur_mm) {
4956 unuse_mm(cur_mm);
4957 mmput(cur_mm);
4958 }
181e448d 4959 revert_creds(old_cred);
06058632 4960
2bbcd6d3 4961 kthread_parkme();
06058632 4962
6c271ce2
JA		 4963 return 0;
4964}
4965
bda52162
JA		 4966struct io_wait_queue {
4967 struct wait_queue_entry wq;
4968 struct io_ring_ctx *ctx;
4969 unsigned to_wait;
4970 unsigned nr_timeouts;
4971};
4972
1d7bb1d5 4973static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 4974{
4975 struct io_ring_ctx *ctx = iowq->ctx;
4976
4977 /*
d195a66e 4978 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 4979 * started waiting. For timeouts, we always want to return to userspace,
4980 * regardless of event count.
4981 */
1d7bb1d5 4982 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 4983 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4984}
4985
4986static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4987 int wake_flags, void *key)
4988{
4989 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4990 wq);
4991
1d7bb1d5
JA		 4992 /* use noflush == true, as we can't safely rely on locking context */
4993 if (!io_should_wake(iowq, true))
bda52162
JA		 4994 return -1;
4995
4996 return autoremove_wake_function(curr, mode, wake_flags, key);
4997}
4998
2b188cc1
JA		 4999/*
5000 * Wait until events become available, if we don't already have some. The
5001 * application must reap them itself, as they reside on the shared cq ring.
5002 */
5003static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
5004 const sigset_t __user *sig, size_t sigsz)
5005{
bda52162
JA		 5006 struct io_wait_queue iowq = {
5007 .wq = {
5008 .private = current,
5009 .func = io_wake_function,
5010 .entry = LIST_HEAD_INIT(iowq.wq.entry),
5011 },
5012 .ctx = ctx,
5013 .to_wait = min_events,
5014 };
75b28aff 5015 struct io_rings *rings = ctx->rings;
e9ffa5c2 5016 int ret = 0;
2b188cc1 5017
1d7bb1d5 5018 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 5019 return 0;
5020
5021 if (sig) {
9e75ad5d
AB		 5022#ifdef CONFIG_COMPAT
5023 if (in_compat_syscall())
5024 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 5025 sigsz);
9e75ad5d
AB		 5026 else
5027#endif
b772434b 5028 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 5029
2b188cc1
JA		 5030 if (ret)
5031 return ret;
5032 }
5033
bda52162 5034 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 5035 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 5036 do {
5037 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
5038 TASK_INTERRUPTIBLE);
1d7bb1d5 5039 if (io_should_wake(&iowq, false))
bda52162
JA		 5040 break;
5041 schedule();
5042 if (signal_pending(current)) {
e9ffa5c2 5043 ret = -EINTR;
bda52162
JA		 5044 break;
5045 }
5046 } while (1);
5047 finish_wait(&ctx->wait, &iowq.wq);
5048
e9ffa5c2 5049 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 5050
75b28aff 5051 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 5052}
5053
6b06314c
JA		 5054static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
5055{
5056#if defined(CONFIG_UNIX)
5057 if (ctx->ring_sock) {
5058 struct sock *sock = ctx->ring_sock->sk;
5059 struct sk_buff *skb;
5060
5061 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
5062 kfree_skb(skb);
5063 }
5064#else
5065 int i;
5066
65e19f54
JA		 5067 for (i = 0; i < ctx->nr_user_files; i++) {
5068 struct file *file;
5069
5070 file = io_file_from_index(ctx, i);
5071 if (file)
5072 fput(file);
5073 }
6b06314c
JA		 5074#endif
5075}
5076
05f3fb3c
JA		 5077static void io_file_ref_kill(struct percpu_ref *ref)
5078{
5079 struct fixed_file_data *data;
5080
5081 data = container_of(ref, struct fixed_file_data, refs);
5082 complete(&data->done);
5083}
5084
6b06314c
JA		 5085static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
5086{
05f3fb3c 5087 struct fixed_file_data *data = ctx->file_data;
65e19f54
JA		 5088 unsigned nr_tables, i;
5089
05f3fb3c 5090 if (!data)
6b06314c
JA		 5091 return -ENXIO;
5092
05f3fb3c
JA		 5093 /* protect against inflight atomic switch, which drops the ref */
5094 flush_work(&data->ref_work);
5095 percpu_ref_get(&data->refs);
5096 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
5097 wait_for_completion(&data->done);
5098 percpu_ref_put(&data->refs);
5099 percpu_ref_exit(&data->refs);
5100
6b06314c 5101 __io_sqe_files_unregister(ctx);
65e19f54
JA		 5102 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
5103 for (i = 0; i < nr_tables; i++)
05f3fb3c
JA		 5104 kfree(data->table[i].files);
5105 kfree(data->table);
5106 kfree(data);
5107 ctx->file_data = NULL;
6b06314c
JA		 5108 ctx->nr_user_files = 0;
5109 return 0;
5110}
5111
6c271ce2
JA		 5112static void io_sq_thread_stop(struct io_ring_ctx *ctx)
5113{
5114 if (ctx->sqo_thread) {
206aefde 5115 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 5116 /*
5117 * The park is a bit of a work-around, without it we get
5118 * warning spews on shutdown with SQPOLL set and affinity
5119 * set to a single CPU.
5120 */
06058632 5121 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 5122 kthread_stop(ctx->sqo_thread);
5123 ctx->sqo_thread = NULL;
5124 }
5125}
5126
6b06314c
JA		 5127static void io_finish_async(struct io_ring_ctx *ctx)
5128{
6c271ce2
JA		 5129 io_sq_thread_stop(ctx);
5130
561fb04a
JA		 5131 if (ctx->io_wq) {
5132 io_wq_destroy(ctx->io_wq);
5133 ctx->io_wq = NULL;
6b06314c
JA		 5134 }
5135}
5136
5137#if defined(CONFIG_UNIX)
6b06314c
JA		 5138/*
5139 * Ensure the UNIX gc is aware of our file set, so we are certain that
5140 * the io_uring can be safely unregistered on process exit, even if we have
5141 * loops in the file referencing.
5142 */
5143static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
5144{
5145 struct sock *sk = ctx->ring_sock->sk;
5146 struct scm_fp_list *fpl;
5147 struct sk_buff *skb;
08a45173 5148 int i, nr_files;
6b06314c
JA		 5149
5150 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
5151 unsigned long inflight = ctx->user->unix_inflight + nr;
5152
5153 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
5154 return -EMFILE;
5155 }
5156
5157 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
5158 if (!fpl)
5159 return -ENOMEM;
5160
5161 skb = alloc_skb(0, GFP_KERNEL);
5162 if (!skb) {
5163 kfree(fpl);
5164 return -ENOMEM;
5165 }
5166
5167 skb->sk = sk;
6b06314c 5168
08a45173 5169 nr_files = 0;
6b06314c
JA		 5170 fpl->user = get_uid(ctx->user);
5171 for (i = 0; i < nr; i++) {
65e19f54
JA		 5172 struct file *file = io_file_from_index(ctx, i + offset);
5173
5174 if (!file)
08a45173 5175 continue;
65e19f54 5176 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 5177 unix_inflight(fpl->user, fpl->fp[nr_files]);
5178 nr_files++;
6b06314c
JA		 5179 }
5180
08a45173
JA		 5181 if (nr_files) {
5182 fpl->max = SCM_MAX_FD;
5183 fpl->count = nr_files;
5184 UNIXCB(skb).fp = fpl;
05f3fb3c 5185 skb->destructor = unix_destruct_scm;
08a45173
JA		 5186 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
5187 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 5188
08a45173
JA		 5189 for (i = 0; i < nr_files; i++)
5190 fput(fpl->fp[i]);
5191 } else {
5192 kfree_skb(skb);
5193 kfree(fpl);
5194 }
6b06314c
JA		 5195
5196 return 0;
5197}
5198
5199/*
5200 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
5201 * causes regular reference counting to break down. We rely on the UNIX
5202 * garbage collection to take care of this problem for us.
5203 */
5204static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5205{
5206 unsigned left, total;
5207 int ret = 0;
5208
5209 total = 0;
5210 left = ctx->nr_user_files;
5211 while (left) {
5212 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 5213
5214 ret = __io_sqe_files_scm(ctx, this_files, total);
5215 if (ret)
5216 break;
5217 left -= this_files;
5218 total += this_files;
5219 }
5220
5221 if (!ret)
5222 return 0;
5223
5224 while (total < ctx->nr_user_files) {
65e19f54
JA		 5225 struct file *file = io_file_from_index(ctx, total);
5226
5227 if (file)
5228 fput(file);
6b06314c
JA		 5229 total++;
5230 }
5231
5232 return ret;
5233}
5234#else
5235static int io_sqe_files_scm(struct io_ring_ctx *ctx)
5236{
5237 return 0;
5238}
5239#endif
5240
65e19f54
JA		 5241static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
5242 unsigned nr_files)
5243{
5244 int i;
5245
5246 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5247 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5248 unsigned this_files;
5249
5250 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
5251 table->files = kcalloc(this_files, sizeof(struct file *),
5252 GFP_KERNEL);
5253 if (!table->files)
5254 break;
5255 nr_files -= this_files;
5256 }
5257
5258 if (i == nr_tables)
5259 return 0;
5260
5261 for (i = 0; i < nr_tables; i++) {
05f3fb3c 5262 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 5263 kfree(table->files);
5264 }
5265 return 1;
5266}
5267
05f3fb3c
JA		 5268static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
5269{
5270#if defined(CONFIG_UNIX)
5271 struct sock *sock = ctx->ring_sock->sk;
5272 struct sk_buff_head list, *head = &sock->sk_receive_queue;
5273 struct sk_buff *skb;
5274 int i;
5275
5276 __skb_queue_head_init(&list);
5277
5278 /*
5279 * Find the skb that holds this file in its SCM_RIGHTS. When found,
5280 * remove this entry and rearrange the file array.
5281 */
5282 skb = skb_dequeue(head);
5283 while (skb) {
5284 struct scm_fp_list *fp;
5285
5286 fp = UNIXCB(skb).fp;
5287 for (i = 0; i < fp->count; i++) {
5288 int left;
5289
5290 if (fp->fp[i] != file)
5291 continue;
5292
5293 unix_notinflight(fp->user, fp->fp[i]);
5294 left = fp->count - 1 - i;
5295 if (left) {
5296 memmove(&fp->fp[i], &fp->fp[i + 1],
5297 left * sizeof(struct file *));
5298 }
5299 fp->count--;
5300 if (!fp->count) {
5301 kfree_skb(skb);
5302 skb = NULL;
5303 } else {
5304 __skb_queue_tail(&list, skb);
5305 }
5306 fput(file);
5307 file = NULL;
5308 break;
5309 }
5310
5311 if (!file)
5312 break;
5313
5314 __skb_queue_tail(&list, skb);
5315
5316 skb = skb_dequeue(head);
5317 }
5318
5319 if (skb_peek(&list)) {
5320 spin_lock_irq(&head->lock);
5321 while ((skb = __skb_dequeue(&list)) != NULL)
5322 __skb_queue_tail(head, skb);
5323 spin_unlock_irq(&head->lock);
5324 }
5325#else
5326 fput(file);
5327#endif
5328}
5329
5330struct io_file_put {
5331 struct llist_node llist;
5332 struct file *file;
5333 struct completion *done;
5334};
5335
5336static void io_ring_file_ref_switch(struct work_struct *work)
5337{
5338 struct io_file_put *pfile, *tmp;
5339 struct fixed_file_data *data;
5340 struct llist_node *node;
5341
5342 data = container_of(work, struct fixed_file_data, ref_work);
5343
5344 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5345 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5346 io_ring_file_put(data->ctx, pfile->file);
5347 if (pfile->done)
5348 complete(pfile->done);
5349 else
5350 kfree(pfile);
5351 }
5352 }
5353
5354 percpu_ref_get(&data->refs);
5355 percpu_ref_switch_to_percpu(&data->refs);
5356}
5357
5358static void io_file_data_ref_zero(struct percpu_ref *ref)
5359{
5360 struct fixed_file_data *data;
5361
5362 data = container_of(ref, struct fixed_file_data, refs);
5363
5364 /* we can't safely switch from inside this context, punt to wq */
5365 queue_work(system_wq, &data->ref_work);
5366}
5367
6b06314c
JA		 5368static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5369 unsigned nr_args)
5370{
5371 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 5372 unsigned nr_tables;
05f3fb3c 5373 struct file *file;
6b06314c
JA		 5374 int fd, ret = 0;
5375 unsigned i;
5376
05f3fb3c 5377 if (ctx->file_data)
6b06314c
JA		 5378 return -EBUSY;
5379 if (!nr_args)
5380 return -EINVAL;
5381 if (nr_args > IORING_MAX_FIXED_FILES)
5382 return -EMFILE;
5383
05f3fb3c
JA		 5384 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5385 if (!ctx->file_data)
5386 return -ENOMEM;
5387 ctx->file_data->ctx = ctx;
5388 init_completion(&ctx->file_data->done);
5389
65e19f54 5390 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
05f3fb3c
JA		 5391 ctx->file_data->table = kcalloc(nr_tables,
5392 sizeof(struct fixed_file_table),
65e19f54 5393 GFP_KERNEL);
05f3fb3c
JA		 5394 if (!ctx->file_data->table) {
5395 kfree(ctx->file_data);
5396 ctx->file_data = NULL;
6b06314c 5397 return -ENOMEM;
05f3fb3c
JA		 5398 }
5399
5400 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5401 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5402 kfree(ctx->file_data->table);
5403 kfree(ctx->file_data);
5404 ctx->file_data = NULL;
5405 return -ENOMEM;
5406 }
5407 ctx->file_data->put_llist.first = NULL;
5408 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
6b06314c 5409
65e19f54 5410 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
05f3fb3c
JA		 5411 percpu_ref_exit(&ctx->file_data->refs);
5412 kfree(ctx->file_data->table);
5413 kfree(ctx->file_data);
5414 ctx->file_data = NULL;
65e19f54
JA		 5415 return -ENOMEM;
5416 }
5417
08a45173 5418 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 5419 struct fixed_file_table *table;
5420 unsigned index;
5421
6b06314c
JA		 5422 ret = -EFAULT;
5423 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5424 break;
08a45173
JA		 5425 /* allow sparse sets */
5426 if (fd == -1) {
5427 ret = 0;
5428 continue;
5429 }
6b06314c 5430
05f3fb3c 5431 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54 5432 index = i & IORING_FILE_TABLE_MASK;
05f3fb3c 5433 file = fget(fd);
6b06314c
JA		 5434
5435 ret = -EBADF;
05f3fb3c 5436 if (!file)
6b06314c 5437 break;
05f3fb3c 5438
6b06314c
JA		 5439 /*
5440 * Don't allow io_uring instances to be registered. If UNIX
5441 * isn't enabled, then this causes a reference cycle and this
5442 * instance can never get freed. If UNIX is enabled we'll
5443 * handle it just fine, but there's still no point in allowing
5444 * a ring fd as it doesn't support regular read/write anyway.
5445 */
05f3fb3c
JA		 5446 if (file->f_op == &io_uring_fops) {
5447 fput(file);
6b06314c
JA		 5448 break;
5449 }
6b06314c 5450 ret = 0;
05f3fb3c 5451 table->files[index] = file;
6b06314c
JA		 5452 }
5453
5454 if (ret) {
65e19f54 5455 for (i = 0; i < ctx->nr_user_files; i++) {
65e19f54
JA		 5456 file = io_file_from_index(ctx, i);
5457 if (file)
5458 fput(file);
5459 }
5460 for (i = 0; i < nr_tables; i++)
05f3fb3c 5461 kfree(ctx->file_data->table[i].files);
6b06314c 5462
05f3fb3c
JA		 5463 kfree(ctx->file_data->table);
5464 kfree(ctx->file_data);
5465 ctx->file_data = NULL;
6b06314c
JA		 5466 ctx->nr_user_files = 0;
5467 return ret;
5468 }
5469
5470 ret = io_sqe_files_scm(ctx);
5471 if (ret)
5472 io_sqe_files_unregister(ctx);
5473
5474 return ret;
5475}
5476
c3a31e60
JA		 5477static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5478 int index)
5479{
5480#if defined(CONFIG_UNIX)
5481 struct sock *sock = ctx->ring_sock->sk;
5482 struct sk_buff_head *head = &sock->sk_receive_queue;
5483 struct sk_buff *skb;
5484
5485 /*
5486 * See if we can merge this file into an existing skb SCM_RIGHTS
5487 * file set. If there's no room, fall back to allocating a new skb
5488 * and filling it in.
5489 */
5490 spin_lock_irq(&head->lock);
5491 skb = skb_peek(head);
5492 if (skb) {
5493 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5494
5495 if (fpl->count < SCM_MAX_FD) {
5496 __skb_unlink(skb, head);
5497 spin_unlock_irq(&head->lock);
5498 fpl->fp[fpl->count] = get_file(file);
5499 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5500 fpl->count++;
5501 spin_lock_irq(&head->lock);
5502 __skb_queue_head(head, skb);
5503 } else {
5504 skb = NULL;
5505 }
5506 }
5507 spin_unlock_irq(&head->lock);
5508
5509 if (skb) {
5510 fput(file);
5511 return 0;
5512 }
5513
5514 return __io_sqe_files_scm(ctx, 1, index);
5515#else
5516 return 0;
5517#endif
5518}
5519
05f3fb3c 5520static void io_atomic_switch(struct percpu_ref *ref)
c3a31e60 5521{
05f3fb3c
JA		 5522 struct fixed_file_data *data;
5523
5524 data = container_of(ref, struct fixed_file_data, refs);
5525 clear_bit(FFD_F_ATOMIC, &data->state);
5526}
5527
5528static bool io_queue_file_removal(struct fixed_file_data *data,
5529 struct file *file)
5530{
5531 struct io_file_put *pfile, pfile_stack;
5532 DECLARE_COMPLETION_ONSTACK(done);
5533
5534 /*
5535 * If we fail allocating the struct we need for doing async reomval
5536 * of this file, just punt to sync and wait for it.
5537 */
5538 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5539 if (!pfile) {
5540 pfile = &pfile_stack;
5541 pfile->done = &done;
5542 }
5543
5544 pfile->file = file;
5545 llist_add(&pfile->llist, &data->put_llist);
5546
5547 if (pfile == &pfile_stack) {
5548 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5549 percpu_ref_put(&data->refs);
5550 percpu_ref_switch_to_atomic(&data->refs,
5551 io_atomic_switch);
5552 }
5553 wait_for_completion(&done);
5554 flush_work(&data->ref_work);
5555 return false;
5556 }
5557
5558 return true;
5559}
5560
5561static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5562 struct io_uring_files_update *up,
5563 unsigned nr_args)
5564{
5565 struct fixed_file_data *data = ctx->file_data;
5566 bool ref_switch = false;
5567 struct file *file;
c3a31e60
JA		 5568 __s32 __user *fds;
5569 int fd, i, err;
5570 __u32 done;
5571
05f3fb3c 5572 if (check_add_overflow(up->offset, nr_args, &done))
c3a31e60
JA		 5573 return -EOVERFLOW;
5574 if (done > ctx->nr_user_files)
5575 return -EINVAL;
5576
5577 done = 0;
05f3fb3c 5578 fds = u64_to_user_ptr(up->fds);
c3a31e60 5579 while (nr_args) {
65e19f54
JA		 5580 struct fixed_file_table *table;
5581 unsigned index;
5582
c3a31e60
JA		 5583 err = 0;
5584 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5585 err = -EFAULT;
5586 break;
5587 }
05f3fb3c
JA		 5588 i = array_index_nospec(up->offset, ctx->nr_user_files);
5589 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54
JA		 5590 index = i & IORING_FILE_TABLE_MASK;
5591 if (table->files[index]) {
05f3fb3c 5592 file = io_file_from_index(ctx, index);
65e19f54 5593 table->files[index] = NULL;
05f3fb3c
JA		 5594 if (io_queue_file_removal(data, file))
5595 ref_switch = true;
c3a31e60
JA		 5596 }
5597 if (fd != -1) {
c3a31e60
JA		 5598 file = fget(fd);
5599 if (!file) {
5600 err = -EBADF;
5601 break;
5602 }
5603 /*
5604 * Don't allow io_uring instances to be registered. If
5605 * UNIX isn't enabled, then this causes a reference
5606 * cycle and this instance can never get freed. If UNIX
5607 * is enabled we'll handle it just fine, but there's
5608 * still no point in allowing a ring fd as it doesn't
5609 * support regular read/write anyway.
5610 */
5611 if (file->f_op == &io_uring_fops) {
5612 fput(file);
5613 err = -EBADF;
5614 break;
5615 }
65e19f54 5616 table->files[index] = file;
c3a31e60
JA		 5617 err = io_sqe_file_register(ctx, file, i);
5618 if (err)
5619 break;
5620 }
5621 nr_args--;
5622 done++;
05f3fb3c
JA		 5623 up->offset++;
5624 }
5625
5626 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5627 percpu_ref_put(&data->refs);
5628 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
c3a31e60
JA		 5629 }
5630
5631 return done ? done : err;
5632}
05f3fb3c
JA		 5633static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5634 unsigned nr_args)
5635{
5636 struct io_uring_files_update up;
5637
5638 if (!ctx->file_data)
5639 return -ENXIO;
5640 if (!nr_args)
5641 return -EINVAL;
5642 if (copy_from_user(&up, arg, sizeof(up)))
5643 return -EFAULT;
5644 if (up.resv)
5645 return -EINVAL;
5646
5647 return __io_sqe_files_update(ctx, &up, nr_args);
5648}
c3a31e60 5649
7d723065
JA		 5650static void io_put_work(struct io_wq_work *work)
5651{
5652 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5653
5654 io_put_req(req);
5655}
5656
5657static void io_get_work(struct io_wq_work *work)
5658{
5659 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5660
5661 refcount_inc(&req->refs);
5662}
5663
6c271ce2
JA		 5664static int io_sq_offload_start(struct io_ring_ctx *ctx,
5665 struct io_uring_params *p)
2b188cc1 5666{
576a347b 5667 struct io_wq_data data;
561fb04a 5668 unsigned concurrency;
2b188cc1
JA		 5669 int ret;
5670
6c271ce2 5671 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 5672 mmgrab(current->mm);
5673 ctx->sqo_mm = current->mm;
5674
6c271ce2 5675 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 5676 ret = -EPERM;
5677 if (!capable(CAP_SYS_ADMIN))
5678 goto err;
5679
917257da
JA		 5680 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5681 if (!ctx->sq_thread_idle)
5682 ctx->sq_thread_idle = HZ;
5683
6c271ce2 5684 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 5685 int cpu = p->sq_thread_cpu;
6c271ce2 5686
917257da 5687 ret = -EINVAL;
44a9bd18
JA		 5688 if (cpu >= nr_cpu_ids)
5689 goto err;
7889f44d 5690 if (!cpu_online(cpu))
917257da
JA		 5691 goto err;
5692
6c271ce2
JA		 5693 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5694 ctx, cpu,
5695 "io_uring-sq");
5696 } else {
5697 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5698 "io_uring-sq");
5699 }
5700 if (IS_ERR(ctx->sqo_thread)) {
5701 ret = PTR_ERR(ctx->sqo_thread);
5702 ctx->sqo_thread = NULL;
5703 goto err;
5704 }
5705 wake_up_process(ctx->sqo_thread);
5706 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5707 /* Can't have SQ_AFF without SQPOLL */
5708 ret = -EINVAL;
5709 goto err;
5710 }
5711
576a347b
JA		 5712 data.mm = ctx->sqo_mm;
5713 data.user = ctx->user;
181e448d 5714 data.creds = ctx->creds;
576a347b
JA		 5715 data.get_work = io_get_work;
5716 data.put_work = io_put_work;
5717
561fb04a
JA		 5718 /* Do QD, or 4 * CPUS, whatever is smallest */
5719 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 5720 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 5721 if (IS_ERR(ctx->io_wq)) {
5722 ret = PTR_ERR(ctx->io_wq);
5723 ctx->io_wq = NULL;
2b188cc1
JA		 5724 goto err;
5725 }
5726
5727 return 0;
5728err:
54a91f3b 5729 io_finish_async(ctx);
2b188cc1
JA		 5730 mmdrop(ctx->sqo_mm);
5731 ctx->sqo_mm = NULL;
5732 return ret;
5733}
5734
5735static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5736{
5737 atomic_long_sub(nr_pages, &user->locked_vm);
5738}
5739
5740static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5741{
5742 unsigned long page_limit, cur_pages, new_pages;
5743
5744 /* Don't allow more pages than we can safely lock */
5745 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5746
5747 do {
5748 cur_pages = atomic_long_read(&user->locked_vm);
5749 new_pages = cur_pages + nr_pages;
5750 if (new_pages > page_limit)
5751 return -ENOMEM;
5752 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5753 new_pages) != cur_pages);
5754
5755 return 0;
5756}
5757
5758static void io_mem_free(void *ptr)
5759{
52e04ef4
MR		 5760 struct page *page;
5761
5762 if (!ptr)
5763 return;
2b188cc1 5764
52e04ef4 5765 page = virt_to_head_page(ptr);
2b188cc1
JA		 5766 if (put_page_testzero(page))
5767 free_compound_page(page);
5768}
5769
5770static void *io_mem_alloc(size_t size)
5771{
5772 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5773 __GFP_NORETRY;
5774
5775 return (void *) __get_free_pages(gfp_flags, get_order(size));
5776}
5777
75b28aff
HV		 5778static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5779 size_t *sq_offset)
5780{
5781 struct io_rings *rings;
5782 size_t off, sq_array_size;
5783
5784 off = struct_size(rings, cqes, cq_entries);
5785 if (off == SIZE_MAX)
5786 return SIZE_MAX;
5787
5788#ifdef CONFIG_SMP
5789 off = ALIGN(off, SMP_CACHE_BYTES);
5790 if (off == 0)
5791 return SIZE_MAX;
5792#endif
5793
5794 sq_array_size = array_size(sizeof(u32), sq_entries);
5795 if (sq_array_size == SIZE_MAX)
5796 return SIZE_MAX;
5797
5798 if (check_add_overflow(off, sq_array_size, &off))
5799 return SIZE_MAX;
5800
5801 if (sq_offset)
5802 *sq_offset = off;
5803
5804 return off;
5805}
5806
2b188cc1
JA		 5807static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5808{
75b28aff 5809 size_t pages;
2b188cc1 5810
75b28aff
HV		 5811 pages = (size_t)1 << get_order(
5812 rings_size(sq_entries, cq_entries, NULL));
5813 pages += (size_t)1 << get_order(
5814 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 5815
75b28aff 5816 return pages;
2b188cc1
JA		 5817}
5818
edafccee
JA		 5819static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5820{
5821 int i, j;
5822
5823 if (!ctx->user_bufs)
5824 return -ENXIO;
5825
5826 for (i = 0; i < ctx->nr_user_bufs; i++) {
5827 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5828
5829 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 5830 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 5831
5832 if (ctx->account_mem)
5833 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 5834 kvfree(imu->bvec);
edafccee
JA		 5835 imu->nr_bvecs = 0;
5836 }
5837
5838 kfree(ctx->user_bufs);
5839 ctx->user_bufs = NULL;
5840 ctx->nr_user_bufs = 0;
5841 return 0;
5842}
5843
5844static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5845 void __user *arg, unsigned index)
5846{
5847 struct iovec __user *src;
5848
5849#ifdef CONFIG_COMPAT
5850 if (ctx->compat) {
5851 struct compat_iovec __user *ciovs;
5852 struct compat_iovec ciov;
5853
5854 ciovs = (struct compat_iovec __user *) arg;
5855 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5856 return -EFAULT;
5857
d55e5f5b 5858 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 5859 dst->iov_len = ciov.iov_len;
5860 return 0;
5861 }
5862#endif
5863 src = (struct iovec __user *) arg;
5864 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5865 return -EFAULT;
5866 return 0;
5867}
5868
5869static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5870 unsigned nr_args)
5871{
5872 struct vm_area_struct **vmas = NULL;
5873 struct page **pages = NULL;
5874 int i, j, got_pages = 0;
5875 int ret = -EINVAL;
5876
5877 if (ctx->user_bufs)
5878 return -EBUSY;
5879 if (!nr_args || nr_args > UIO_MAXIOV)
5880 return -EINVAL;
5881
5882 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5883 GFP_KERNEL);
5884 if (!ctx->user_bufs)
5885 return -ENOMEM;
5886
5887 for (i = 0; i < nr_args; i++) {
5888 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5889 unsigned long off, start, end, ubuf;
5890 int pret, nr_pages;
5891 struct iovec iov;
5892 size_t size;
5893
5894 ret = io_copy_iov(ctx, &iov, arg, i);
5895 if (ret)
a278682d 5896 goto err;
edafccee
JA		 5897
5898 /*
5899 * Don't impose further limits on the size and buffer
5900 * constraints here, we'll -EINVAL later when IO is
5901 * submitted if they are wrong.
5902 */
5903 ret = -EFAULT;
5904 if (!iov.iov_base || !iov.iov_len)
5905 goto err;
5906
5907 /* arbitrary limit, but we need something */
5908 if (iov.iov_len > SZ_1G)
5909 goto err;
5910
5911 ubuf = (unsigned long) iov.iov_base;
5912 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5913 start = ubuf >> PAGE_SHIFT;
5914 nr_pages = end - start;
5915
5916 if (ctx->account_mem) {
5917 ret = io_account_mem(ctx->user, nr_pages);
5918 if (ret)
5919 goto err;
5920 }
5921
5922 ret = 0;
5923 if (!pages || nr_pages > got_pages) {
5924 kfree(vmas);
5925 kfree(pages);
d4ef6475 5926 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 5927 GFP_KERNEL);
d4ef6475 5928 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 5929 sizeof(struct vm_area_struct *),
5930 GFP_KERNEL);
5931 if (!pages || !vmas) {
5932 ret = -ENOMEM;
5933 if (ctx->account_mem)
5934 io_unaccount_mem(ctx->user, nr_pages);
5935 goto err;
5936 }
5937 got_pages = nr_pages;
5938 }
5939
d4ef6475 5940 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 5941 GFP_KERNEL);
5942 ret = -ENOMEM;
5943 if (!imu->bvec) {
5944 if (ctx->account_mem)
5945 io_unaccount_mem(ctx->user, nr_pages);
5946 goto err;
5947 }
5948
5949 ret = 0;
5950 down_read(&current->mm->mmap_sem);
932f4a63
IW		 5951 pret = get_user_pages(ubuf, nr_pages,
5952 FOLL_WRITE | FOLL_LONGTERM,
5953 pages, vmas);
edafccee
JA		 5954 if (pret == nr_pages) {
5955 /* don't support file backed memory */
5956 for (j = 0; j < nr_pages; j++) {
5957 struct vm_area_struct *vma = vmas[j];
5958
5959 if (vma->vm_file &&
5960 !is_file_hugepages(vma->vm_file)) {
5961 ret = -EOPNOTSUPP;
5962 break;
5963 }
5964 }
5965 } else {
5966 ret = pret < 0 ? pret : -EFAULT;
5967 }
5968 up_read(&current->mm->mmap_sem);
5969 if (ret) {
5970 /*
5971 * if we did partial map, or found file backed vmas,
5972 * release any pages we did get
5973 */
27c4d3a3
JH		 5974 if (pret > 0)
5975 put_user_pages(pages, pret);
edafccee
JA		 5976 if (ctx->account_mem)
5977 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 5978 kvfree(imu->bvec);
edafccee
JA		 5979 goto err;
5980 }
5981
5982 off = ubuf & ~PAGE_MASK;
5983 size = iov.iov_len;
5984 for (j = 0; j < nr_pages; j++) {
5985 size_t vec_len;
5986
5987 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5988 imu->bvec[j].bv_page = pages[j];
5989 imu->bvec[j].bv_len = vec_len;
5990 imu->bvec[j].bv_offset = off;
5991 off = 0;
5992 size -= vec_len;
5993 }
5994 /* store original address for later verification */
5995 imu->ubuf = ubuf;
5996 imu->len = iov.iov_len;
5997 imu->nr_bvecs = nr_pages;
5998
5999 ctx->nr_user_bufs++;
6000 }
d4ef6475
MR		 6001 kvfree(pages);
6002 kvfree(vmas);
edafccee
JA		 6003 return 0;
6004err:
d4ef6475
MR		 6005 kvfree(pages);
6006 kvfree(vmas);
edafccee
JA		 6007 io_sqe_buffer_unregister(ctx);
6008 return ret;
6009}
6010
9b402849
JA		 6011static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
6012{
6013 __s32 __user *fds = arg;
6014 int fd;
6015
6016 if (ctx->cq_ev_fd)
6017 return -EBUSY;
6018
6019 if (copy_from_user(&fd, fds, sizeof(*fds)))
6020 return -EFAULT;
6021
6022 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
6023 if (IS_ERR(ctx->cq_ev_fd)) {
6024 int ret = PTR_ERR(ctx->cq_ev_fd);
6025 ctx->cq_ev_fd = NULL;
6026 return ret;
6027 }
6028
6029 return 0;
6030}
6031
6032static int io_eventfd_unregister(struct io_ring_ctx *ctx)
6033{
6034 if (ctx->cq_ev_fd) {
6035 eventfd_ctx_put(ctx->cq_ev_fd);
6036 ctx->cq_ev_fd = NULL;
6037 return 0;
6038 }
6039
6040 return -ENXIO;
6041}
6042
2b188cc1
JA		 6043static void io_ring_ctx_free(struct io_ring_ctx *ctx)
6044{
6b06314c 6045 io_finish_async(ctx);
2b188cc1
JA		 6046 if (ctx->sqo_mm)
6047 mmdrop(ctx->sqo_mm);
def596e9
JA		 6048
6049 io_iopoll_reap_events(ctx);
edafccee 6050 io_sqe_buffer_unregister(ctx);
6b06314c 6051 io_sqe_files_unregister(ctx);
9b402849 6052 io_eventfd_unregister(ctx);
def596e9 6053
2b188cc1 6054#if defined(CONFIG_UNIX)
355e8d26
EB		 6055 if (ctx->ring_sock) {
6056 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 6057 sock_release(ctx->ring_sock);
355e8d26 6058 }
2b188cc1
JA		 6059#endif
6060
75b28aff 6061 io_mem_free(ctx->rings);
2b188cc1 6062 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 6063
6064 percpu_ref_exit(&ctx->refs);
6065 if (ctx->account_mem)
6066 io_unaccount_mem(ctx->user,
6067 ring_pages(ctx->sq_entries, ctx->cq_entries));
6068 free_uid(ctx->user);
181e448d 6069 put_cred(ctx->creds);
206aefde 6070 kfree(ctx->completions);
78076bb6 6071 kfree(ctx->cancel_hash);
0ddf92e8 6072 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 6073 kfree(ctx);
6074}
6075
6076static __poll_t io_uring_poll(struct file *file, poll_table *wait)
6077{
6078 struct io_ring_ctx *ctx = file->private_data;
6079 __poll_t mask = 0;
6080
6081 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 6082 /*
6083 * synchronizes with barrier from wq_has_sleeper call in
6084 * io_commit_cqring
6085 */
2b188cc1 6086 smp_rmb();
75b28aff
HV		 6087 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
6088 ctx->rings->sq_ring_entries)
2b188cc1 6089 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 6090 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 6091 mask |= EPOLLIN | EPOLLRDNORM;
6092
6093 return mask;
6094}
6095
6096static int io_uring_fasync(int fd, struct file *file, int on)
6097{
6098 struct io_ring_ctx *ctx = file->private_data;
6099
6100 return fasync_helper(fd, file, on, &ctx->cq_fasync);
6101}
6102
6103static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
6104{
6105 mutex_lock(&ctx->uring_lock);
6106 percpu_ref_kill(&ctx->refs);
6107 mutex_unlock(&ctx->uring_lock);
6108
5262f567 6109 io_kill_timeouts(ctx);
221c5eb2 6110 io_poll_remove_all(ctx);
561fb04a
JA		 6111
6112 if (ctx->io_wq)
6113 io_wq_cancel_all(ctx->io_wq);
6114
def596e9 6115 io_iopoll_reap_events(ctx);
15dff286
JA		 6116 /* if we failed setting up the ctx, we might not have any rings */
6117 if (ctx->rings)
6118 io_cqring_overflow_flush(ctx, true);
206aefde 6119 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 6120 io_ring_ctx_free(ctx);
6121}
6122
6123static int io_uring_release(struct inode *inode, struct file *file)
6124{
6125 struct io_ring_ctx *ctx = file->private_data;
6126
6127 file->private_data = NULL;
6128 io_ring_ctx_wait_and_kill(ctx);
6129 return 0;
6130}
6131
fcb323cc
JA		 6132static void io_uring_cancel_files(struct io_ring_ctx *ctx,
6133 struct files_struct *files)
6134{
6135 struct io_kiocb *req;
6136 DEFINE_WAIT(wait);
6137
6138 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 6139 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 6140
6141 spin_lock_irq(&ctx->inflight_lock);
6142 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 6143 if (req->work.files != files)
6144 continue;
6145 /* req is being completed, ignore */
6146 if (!refcount_inc_not_zero(&req->refs))
6147 continue;
6148 cancel_req = req;
6149 break;
fcb323cc 6150 }
768134d4 6151 if (cancel_req)
fcb323cc 6152 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 6153 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 6154 spin_unlock_irq(&ctx->inflight_lock);
6155
768134d4
JA		 6156 /* We need to keep going until we don't find a matching req */
6157 if (!cancel_req)
fcb323cc 6158 break;
2f6d9b9d
BL		 6159
6160 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
6161 io_put_req(cancel_req);
fcb323cc
JA		 6162 schedule();
6163 }
768134d4 6164 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 6165}
6166
6167static int io_uring_flush(struct file *file, void *data)
6168{
6169 struct io_ring_ctx *ctx = file->private_data;
6170
6171 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 6172 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
6173 io_cqring_overflow_flush(ctx, true);
fcb323cc 6174 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 6175 }
fcb323cc
JA		 6176 return 0;
6177}
6178
6c5c240e
RP		 6179static void *io_uring_validate_mmap_request(struct file *file,
6180 loff_t pgoff, size_t sz)
2b188cc1 6181{
2b188cc1 6182 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 6183 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 6184 struct page *page;
6185 void *ptr;
6186
6187 switch (offset) {
6188 case IORING_OFF_SQ_RING:
75b28aff
HV		 6189 case IORING_OFF_CQ_RING:
6190 ptr = ctx->rings;
2b188cc1
JA		 6191 break;
6192 case IORING_OFF_SQES:
6193 ptr = ctx->sq_sqes;
6194 break;
2b188cc1 6195 default:
6c5c240e 6196 return ERR_PTR(-EINVAL);
2b188cc1
JA		 6197 }
6198
6199 page = virt_to_head_page(ptr);
a50b854e 6200 if (sz > page_size(page))
6c5c240e
RP		 6201 return ERR_PTR(-EINVAL);
6202
6203 return ptr;
6204}
6205
6206#ifdef CONFIG_MMU
6207
6208static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6209{
6210 size_t sz = vma->vm_end - vma->vm_start;
6211 unsigned long pfn;
6212 void *ptr;
6213
6214 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
6215 if (IS_ERR(ptr))
6216 return PTR_ERR(ptr);
2b188cc1
JA		 6217
6218 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
6219 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
6220}
6221
6c5c240e
RP		 6222#else /* !CONFIG_MMU */
6223
6224static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
6225{
6226 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
6227}
6228
6229static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
6230{
6231 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
6232}
6233
6234static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
6235 unsigned long addr, unsigned long len,
6236 unsigned long pgoff, unsigned long flags)
6237{
6238 void *ptr;
6239
6240 ptr = io_uring_validate_mmap_request(file, pgoff, len);
6241 if (IS_ERR(ptr))
6242 return PTR_ERR(ptr);
6243
6244 return (unsigned long) ptr;
6245}
6246
6247#endif /* !CONFIG_MMU */
6248
2b188cc1
JA		 6249SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
6250 u32, min_complete, u32, flags, const sigset_t __user *, sig,
6251 size_t, sigsz)
6252{
6253 struct io_ring_ctx *ctx;
6254 long ret = -EBADF;
6255 int submitted = 0;
6256 struct fd f;
6257
6c271ce2 6258 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 6259 return -EINVAL;
6260
6261 f = fdget(fd);
6262 if (!f.file)
6263 return -EBADF;
6264
6265 ret = -EOPNOTSUPP;
6266 if (f.file->f_op != &io_uring_fops)
6267 goto out_fput;
6268
6269 ret = -ENXIO;
6270 ctx = f.file->private_data;
6271 if (!percpu_ref_tryget(&ctx->refs))
6272 goto out_fput;
6273
6c271ce2
JA		 6274 /*
6275 * For SQ polling, the thread will do all submissions and completions.
6276 * Just return the requested submit count, and wake the thread if
6277 * we were asked to.
6278 */
b2a9eada 6279 ret = 0;
6c271ce2 6280 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 6281 if (!list_empty_careful(&ctx->cq_overflow_list))
6282 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 6283 if (flags & IORING_ENTER_SQ_WAKEUP)
6284 wake_up(&ctx->sqo_wait);
6285 submitted = to_submit;
b2a9eada 6286 } else if (to_submit) {
ae9428ca 6287 struct mm_struct *cur_mm;
2b188cc1 6288
44d28279
JA		 6289 if (current->mm != ctx->sqo_mm ||
6290 current_cred() != ctx->creds) {
6291 ret = -EPERM;
6292 goto out;
6293 }
6294
2b188cc1 6295 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 6296 /* already have mm, so io_submit_sqes() won't try to grab it */
6297 cur_mm = ctx->sqo_mm;
6298 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6299 &cur_mm, false);
2b188cc1 6300 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 6301
6302 if (submitted != to_submit)
6303 goto out;
2b188cc1
JA		 6304 }
6305 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 6306 unsigned nr_events = 0;
6307
2b188cc1
JA		 6308 min_complete = min(min_complete, ctx->cq_entries);
6309
def596e9 6310 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 6311 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 6312 } else {
6313 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6314 }
2b188cc1
JA		 6315 }
6316
7c504e65 6317out:
6805b32e 6318 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 6319out_fput:
6320 fdput(f);
6321 return submitted ? submitted : ret;
6322}
6323
6324static const struct file_operations io_uring_fops = {
6325 .release = io_uring_release,
fcb323cc 6326 .flush = io_uring_flush,
2b188cc1 6327 .mmap = io_uring_mmap,
6c5c240e
RP		 6328#ifndef CONFIG_MMU
6329 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6330 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6331#endif
2b188cc1
JA		 6332 .poll = io_uring_poll,
6333 .fasync = io_uring_fasync,
6334};
6335
6336static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6337 struct io_uring_params *p)
6338{
75b28aff
HV		 6339 struct io_rings *rings;
6340 size_t size, sq_array_offset;
2b188cc1 6341
75b28aff
HV		 6342 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6343 if (size == SIZE_MAX)
6344 return -EOVERFLOW;
6345
6346 rings = io_mem_alloc(size);
6347 if (!rings)
2b188cc1
JA		 6348 return -ENOMEM;
6349
75b28aff
HV		 6350 ctx->rings = rings;
6351 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6352 rings->sq_ring_mask = p->sq_entries - 1;
6353 rings->cq_ring_mask = p->cq_entries - 1;
6354 rings->sq_ring_entries = p->sq_entries;
6355 rings->cq_ring_entries = p->cq_entries;
6356 ctx->sq_mask = rings->sq_ring_mask;
6357 ctx->cq_mask = rings->cq_ring_mask;
6358 ctx->sq_entries = rings->sq_ring_entries;
6359 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 6360
6361 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 6362 if (size == SIZE_MAX) {
6363 io_mem_free(ctx->rings);
6364 ctx->rings = NULL;
2b188cc1 6365 return -EOVERFLOW;
eb065d30 6366 }
2b188cc1
JA		 6367
6368 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 6369 if (!ctx->sq_sqes) {
6370 io_mem_free(ctx->rings);
6371 ctx->rings = NULL;
2b188cc1 6372 return -ENOMEM;
eb065d30 6373 }
2b188cc1 6374
2b188cc1
JA		 6375 return 0;
6376}
6377
6378/*
6379 * Allocate an anonymous fd, this is what constitutes the application
6380 * visible backing of an io_uring instance. The application mmaps this
6381 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6382 * we have to tie this fd to a socket for file garbage collection purposes.
6383 */
6384static int io_uring_get_fd(struct io_ring_ctx *ctx)
6385{
6386 struct file *file;
6387 int ret;
6388
6389#if defined(CONFIG_UNIX)
6390 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6391 &ctx->ring_sock);
6392 if (ret)
6393 return ret;
6394#endif
6395
6396 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6397 if (ret < 0)
6398 goto err;
6399
6400 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6401 O_RDWR | O_CLOEXEC);
6402 if (IS_ERR(file)) {
6403 put_unused_fd(ret);
6404 ret = PTR_ERR(file);
6405 goto err;
6406 }
6407
6408#if defined(CONFIG_UNIX)
6409 ctx->ring_sock->file = file;
6410#endif
6411 fd_install(ret, file);
6412 return ret;
6413err:
6414#if defined(CONFIG_UNIX)
6415 sock_release(ctx->ring_sock);
6416 ctx->ring_sock = NULL;
6417#endif
6418 return ret;
6419}
6420
6421static int io_uring_create(unsigned entries, struct io_uring_params *p)
6422{
6423 struct user_struct *user = NULL;
6424 struct io_ring_ctx *ctx;
6425 bool account_mem;
6426 int ret;
6427
8110c1a6 6428 if (!entries)
2b188cc1 6429 return -EINVAL;
8110c1a6
JA		 6430 if (entries > IORING_MAX_ENTRIES) {
6431 if (!(p->flags & IORING_SETUP_CLAMP))
6432 return -EINVAL;
6433 entries = IORING_MAX_ENTRIES;
6434 }
2b188cc1
JA		 6435
6436 /*
6437 * Use twice as many entries for the CQ ring. It's possible for the
6438 * application to drive a higher depth than the size of the SQ ring,
6439 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 6440 * some flexibility in overcommitting a bit. If the application has
6441 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6442 * of CQ ring entries manually.
2b188cc1
JA		 6443 */
6444 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 6445 if (p->flags & IORING_SETUP_CQSIZE) {
6446 /*
6447 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6448 * to a power-of-two, if it isn't already. We do NOT impose
6449 * any cq vs sq ring sizing.
6450 */
8110c1a6 6451 if (p->cq_entries < p->sq_entries)
33a107f0 6452 return -EINVAL;
8110c1a6
JA		 6453 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
6454 if (!(p->flags & IORING_SETUP_CLAMP))
6455 return -EINVAL;
6456 p->cq_entries = IORING_MAX_CQ_ENTRIES;
6457 }
33a107f0
JA		 6458 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6459 } else {
6460 p->cq_entries = 2 * p->sq_entries;
6461 }
2b188cc1
JA		 6462
6463 user = get_uid(current_user());
6464 account_mem = !capable(CAP_IPC_LOCK);
6465
6466 if (account_mem) {
6467 ret = io_account_mem(user,
6468 ring_pages(p->sq_entries, p->cq_entries));
6469 if (ret) {
6470 free_uid(user);
6471 return ret;
6472 }
6473 }
6474
6475 ctx = io_ring_ctx_alloc(p);
6476 if (!ctx) {
6477 if (account_mem)
6478 io_unaccount_mem(user, ring_pages(p->sq_entries,
6479 p->cq_entries));
6480 free_uid(user);
6481 return -ENOMEM;
6482 }
6483 ctx->compat = in_compat_syscall();
6484 ctx->account_mem = account_mem;
6485 ctx->user = user;
0b8c0ec7 6486 ctx->creds = get_current_cred();
2b188cc1
JA		 6487
6488 ret = io_allocate_scq_urings(ctx, p);
6489 if (ret)
6490 goto err;
6491
6c271ce2 6492 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 6493 if (ret)
6494 goto err;
6495
2b188cc1 6496 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 6497 p->sq_off.head = offsetof(struct io_rings, sq.head);
6498 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6499 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6500 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6501 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6502 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6503 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 6504
6505 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 6506 p->cq_off.head = offsetof(struct io_rings, cq.head);
6507 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6508 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6509 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6510 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6511 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 6512
044c1ab3
JA		 6513 /*
6514 * Install ring fd as the very last thing, so we don't risk someone
6515 * having closed it before we finish setup
6516 */
6517 ret = io_uring_get_fd(ctx);
6518 if (ret < 0)
6519 goto err;
6520
da8c9690 6521 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
ba04291e 6522 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS;
c826bd7a 6523 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 6524 return ret;
6525err:
6526 io_ring_ctx_wait_and_kill(ctx);
6527 return ret;
6528}
6529
6530/*
6531 * Sets up an aio uring context, and returns the fd. Applications asks for a
6532 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6533 * params structure passed in.
6534 */
6535static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6536{
6537 struct io_uring_params p;
6538 long ret;
6539 int i;
6540
6541 if (copy_from_user(&p, params, sizeof(p)))
6542 return -EFAULT;
6543 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6544 if (p.resv[i])
6545 return -EINVAL;
6546 }
6547
6c271ce2 6548 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
8110c1a6
JA		 6549 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
6550 IORING_SETUP_CLAMP))
2b188cc1
JA		 6551 return -EINVAL;
6552
6553 ret = io_uring_create(entries, &p);
6554 if (ret < 0)
6555 return ret;
6556
6557 if (copy_to_user(params, &p, sizeof(p)))
6558 return -EFAULT;
6559
6560 return ret;
6561}
6562
6563SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6564 struct io_uring_params __user *, params)
6565{
6566 return io_uring_setup(entries, params);
6567}
6568
edafccee
JA		 6569static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
6570 void __user *arg, unsigned nr_args)
b19062a5
JA		 6571 __releases(ctx->uring_lock)
6572 __acquires(ctx->uring_lock)
edafccee
JA		 6573{
6574 int ret;
6575
35fa71a0
JA		 6576 /*
6577 * We're inside the ring mutex, if the ref is already dying, then
6578 * someone else killed the ctx or is already going through
6579 * io_uring_register().
6580 */
6581 if (percpu_ref_is_dying(&ctx->refs))
6582 return -ENXIO;
6583
05f3fb3c
JA		 6584 if (opcode != IORING_UNREGISTER_FILES &&
6585 opcode != IORING_REGISTER_FILES_UPDATE) {
6586 percpu_ref_kill(&ctx->refs);
b19062a5 6587
05f3fb3c
JA		 6588 /*
6589 * Drop uring mutex before waiting for references to exit. If
6590 * another thread is currently inside io_uring_enter() it might
6591 * need to grab the uring_lock to make progress. If we hold it
6592 * here across the drain wait, then we can deadlock. It's safe
6593 * to drop the mutex here, since no new references will come in
6594 * after we've killed the percpu ref.
6595 */
6596 mutex_unlock(&ctx->uring_lock);
c150368b 6597 ret = wait_for_completion_interruptible(&ctx->completions[0]);
05f3fb3c 6598 mutex_lock(&ctx->uring_lock);
c150368b
JA		 6599 if (ret) {
6600 percpu_ref_resurrect(&ctx->refs);
6601 ret = -EINTR;
6602 goto out;
6603 }
05f3fb3c 6604 }
edafccee
JA		 6605
6606 switch (opcode) {
6607 case IORING_REGISTER_BUFFERS:
6608 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6609 break;
6610 case IORING_UNREGISTER_BUFFERS:
6611 ret = -EINVAL;
6612 if (arg || nr_args)
6613 break;
6614 ret = io_sqe_buffer_unregister(ctx);
6615 break;
6b06314c
JA		 6616 case IORING_REGISTER_FILES:
6617 ret = io_sqe_files_register(ctx, arg, nr_args);
6618 break;
6619 case IORING_UNREGISTER_FILES:
6620 ret = -EINVAL;
6621 if (arg || nr_args)
6622 break;
6623 ret = io_sqe_files_unregister(ctx);
6624 break;
c3a31e60
JA		 6625 case IORING_REGISTER_FILES_UPDATE:
6626 ret = io_sqe_files_update(ctx, arg, nr_args);
6627 break;
9b402849 6628 case IORING_REGISTER_EVENTFD:
f2842ab5 6629 case IORING_REGISTER_EVENTFD_ASYNC:
9b402849
JA		 6630 ret = -EINVAL;
6631 if (nr_args != 1)
6632 break;
6633 ret = io_eventfd_register(ctx, arg);
f2842ab5
JA		 6634 if (ret)
6635 break;
6636 if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
6637 ctx->eventfd_async = 1;
6638 else
6639 ctx->eventfd_async = 0;
9b402849
JA		 6640 break;
6641 case IORING_UNREGISTER_EVENTFD:
6642 ret = -EINVAL;
6643 if (arg || nr_args)
6644 break;
6645 ret = io_eventfd_unregister(ctx);
6646 break;
edafccee
JA		 6647 default:
6648 ret = -EINVAL;
6649 break;
6650 }
6651
05f3fb3c
JA		 6652
6653 if (opcode != IORING_UNREGISTER_FILES &&
6654 opcode != IORING_REGISTER_FILES_UPDATE) {
6655 /* bring the ctx back to life */
05f3fb3c 6656 percpu_ref_reinit(&ctx->refs);
c150368b
JA		 6657out:
6658 reinit_completion(&ctx->completions[0]);
05f3fb3c 6659 }
edafccee
JA		 6660 return ret;
6661}
6662
6663SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6664 void __user *, arg, unsigned int, nr_args)
6665{
6666 struct io_ring_ctx *ctx;
6667 long ret = -EBADF;
6668 struct fd f;
6669
6670 f = fdget(fd);
6671 if (!f.file)
6672 return -EBADF;
6673
6674 ret = -EOPNOTSUPP;
6675 if (f.file->f_op != &io_uring_fops)
6676 goto out_fput;
6677
6678 ctx = f.file->private_data;
6679
6680 mutex_lock(&ctx->uring_lock);
6681 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6682 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 6683 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6684 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 6685out_fput:
6686 fdput(f);
6687 return ret;
6688}
6689
2b188cc1
JA		 6690static int __init io_uring_init(void)
6691{
d3656344 6692 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
2b188cc1
JA		 6693 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6694 return 0;
6695};
6696__initcall(io_uring_init);
Ubuntu Jammy Linux kernel mirror