]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - fs/io_uring.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
io_uring: don't wait when under-submitting
[mirror_ubuntu-jammy-kernel.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
2b188cc1 73
c826bd7a
DD		 74#define CREATE_TRACE_POINTS
75#include <trace/events/io_uring.h>
76
2b188cc1
JA		 77#include <uapi/linux/io_uring.h>
78
79#include "internal.h"
561fb04a 80#include "io-wq.h"
2b188cc1 81
5277deaa 82#define IORING_MAX_ENTRIES 32768
33a107f0 83#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 84
85/*
86 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
87 */
88#define IORING_FILE_TABLE_SHIFT 9
89#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
90#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
91#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 92
93struct io_uring {
94 u32 head ____cacheline_aligned_in_smp;
95 u32 tail ____cacheline_aligned_in_smp;
96};
97
1e84b97b 98/*
75b28aff
HV		 99 * This data is shared with the application through the mmap at offsets
100 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 101 *
102 * The offsets to the member fields are published through struct
103 * io_sqring_offsets when calling io_uring_setup.
104 */
75b28aff 105struct io_rings {
1e84b97b
SB		 106 /*
107 * Head and tail offsets into the ring; the offsets need to be
108 * masked to get valid indices.
109 *
75b28aff
HV		 110 * The kernel controls head of the sq ring and the tail of the cq ring,
111 * and the application controls tail of the sq ring and the head of the
112 * cq ring.
1e84b97b 113 */
75b28aff 114 struct io_uring sq, cq;
1e84b97b 115 /*
75b28aff 116 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 117 * ring_entries - 1)
118 */
75b28aff
HV		 119 u32 sq_ring_mask, cq_ring_mask;
120 /* Ring sizes (constant, power of 2) */
121 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 122 /*
123 * Number of invalid entries dropped by the kernel due to
124 * invalid index stored in array
125 *
126 * Written by the kernel, shouldn't be modified by the
127 * application (i.e. get number of "new events" by comparing to
128 * cached value).
129 *
130 * After a new SQ head value was read by the application this
131 * counter includes all submissions that were dropped reaching
132 * the new SQ head (and possibly more).
133 */
75b28aff 134 u32 sq_dropped;
1e84b97b
SB		 135 /*
136 * Runtime flags
137 *
138 * Written by the kernel, shouldn't be modified by the
139 * application.
140 *
141 * The application needs a full memory barrier before checking
142 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
143 */
75b28aff 144 u32 sq_flags;
1e84b97b
SB		 145 /*
146 * Number of completion events lost because the queue was full;
147 * this should be avoided by the application by making sure
0b4295b5 148 * there are not more requests pending than there is space in
1e84b97b
SB		 149 * the completion queue.
150 *
151 * Written by the kernel, shouldn't be modified by the
152 * application (i.e. get number of "new events" by comparing to
153 * cached value).
154 *
155 * As completion events come in out of order this counter is not
156 * ordered with any other data.
157 */
75b28aff 158 u32 cq_overflow;
1e84b97b
SB		 159 /*
160 * Ring buffer of completion events.
161 *
162 * The kernel writes completion events fresh every time they are
163 * produced, so the application is allowed to modify pending
164 * entries.
165 */
75b28aff 166 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 167};
168
edafccee
JA		 169struct io_mapped_ubuf {
170 u64 ubuf;
171 size_t len;
172 struct bio_vec *bvec;
173 unsigned int nr_bvecs;
174};
175
65e19f54
JA		 176struct fixed_file_table {
177 struct file **files;
31b51510
JA		 178};
179
2b188cc1
JA		 180struct io_ring_ctx {
181 struct {
182 struct percpu_ref refs;
183 } ____cacheline_aligned_in_smp;
184
185 struct {
186 unsigned int flags;
187 bool compat;
188 bool account_mem;
1d7bb1d5 189 bool cq_overflow_flushed;
1b4a51b6 190 bool drain_next;
2b188cc1 191
75b28aff
HV		 192 /*
193 * Ring buffer of indices into array of io_uring_sqe, which is
194 * mmapped by the application using the IORING_OFF_SQES offset.
195 *
196 * This indirection could e.g. be used to assign fixed
197 * io_uring_sqe entries to operations and only submit them to
198 * the queue when needed.
199 *
200 * The kernel modifies neither the indices array nor the entries
201 * array.
202 */
203 u32 *sq_array;
2b188cc1
JA		 204 unsigned cached_sq_head;
205 unsigned sq_entries;
206 unsigned sq_mask;
6c271ce2 207 unsigned sq_thread_idle;
498ccd9e 208 unsigned cached_sq_dropped;
206aefde 209 atomic_t cached_cq_overflow;
2b188cc1 210 struct io_uring_sqe *sq_sqes;
de0617e4
JA		 211
212 struct list_head defer_list;
5262f567 213 struct list_head timeout_list;
1d7bb1d5 214 struct list_head cq_overflow_list;
fcb323cc
JA		 215
216 wait_queue_head_t inflight_wait;
2b188cc1
JA		 217 } ____cacheline_aligned_in_smp;
218
206aefde
JA		 219 struct io_rings *rings;
220
2b188cc1 221 /* IO offload */
561fb04a 222 struct io_wq *io_wq;
6c271ce2 223 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 224 struct mm_struct *sqo_mm;
6c271ce2 225 wait_queue_head_t sqo_wait;
75b28aff 226
6b06314c
JA		 227 /*
228 * If used, fixed file set. Writers must ensure that ->refs is dead,
229 * readers must ensure that ->refs is alive as long as the file* is
230 * used. Only updated through io_uring_register(2).
231 */
65e19f54 232 struct fixed_file_table *file_table;
6b06314c
JA		 233 unsigned nr_user_files;
234
edafccee
JA		 235 /* if used, fixed mapped user buffers */
236 unsigned nr_user_bufs;
237 struct io_mapped_ubuf *user_bufs;
238
2b188cc1
JA		 239 struct user_struct *user;
240
0b8c0ec7 241 const struct cred *creds;
181e448d 242
206aefde
JA		 243 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
244 struct completion *completions;
245
0ddf92e8
JA		 246 /* if all else fails... */
247 struct io_kiocb *fallback_req;
248
206aefde
JA		 249#if defined(CONFIG_UNIX)
250 struct socket *ring_sock;
251#endif
252
253 struct {
254 unsigned cached_cq_tail;
255 unsigned cq_entries;
256 unsigned cq_mask;
257 atomic_t cq_timeouts;
258 struct wait_queue_head cq_wait;
259 struct fasync_struct *cq_fasync;
260 struct eventfd_ctx *cq_ev_fd;
261 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 262
263 struct {
264 struct mutex uring_lock;
265 wait_queue_head_t wait;
266 } ____cacheline_aligned_in_smp;
267
268 struct {
269 spinlock_t completion_lock;
def596e9
JA		 270 bool poll_multi_file;
271 /*
272 * ->poll_list is protected by the ctx->uring_lock for
273 * io_uring instances that don't use IORING_SETUP_SQPOLL.
274 * For SQPOLL, only the single threaded io_sq_thread() will
275 * manipulate the list, hence no extra locking is needed there.
276 */
277 struct list_head poll_list;
78076bb6
JA		 278 struct hlist_head *cancel_hash;
279 unsigned cancel_hash_bits;
31b51510 280
fcb323cc
JA		 281 spinlock_t inflight_lock;
282 struct list_head inflight_list;
2b188cc1 283 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 284};
285
09bb8394
JA		 286/*
287 * First field must be the file pointer in all the
288 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
289 */
221c5eb2
JA		 290struct io_poll_iocb {
291 struct file *file;
0969e783
JA		 292 union {
293 struct wait_queue_head *head;
294 u64 addr;
295 };
221c5eb2 296 __poll_t events;
8c838788 297 bool done;
221c5eb2 298 bool canceled;
392edb45 299 struct wait_queue_entry wait;
221c5eb2
JA		 300};
301
ad8a48ac
JA		 302struct io_timeout_data {
303 struct io_kiocb *req;
304 struct hrtimer timer;
305 struct timespec64 ts;
306 enum hrtimer_mode mode;
cc42e0ac 307 u32 seq_offset;
ad8a48ac
JA		 308};
309
8ed8d3c3
JA		 310struct io_accept {
311 struct file *file;
312 struct sockaddr __user *addr;
313 int __user *addr_len;
314 int flags;
315};
316
317struct io_sync {
318 struct file *file;
319 loff_t len;
320 loff_t off;
321 int flags;
322};
323
fbf23849
JA		 324struct io_cancel {
325 struct file *file;
326 u64 addr;
327};
328
b29472ee
JA		 329struct io_timeout {
330 struct file *file;
331 u64 addr;
332 int flags;
333};
334
f499a021
JA		 335struct io_async_connect {
336 struct sockaddr_storage address;
337};
338
03b1230c
JA		 339struct io_async_msghdr {
340 struct iovec fast_iov[UIO_FASTIOV];
341 struct iovec *iov;
342 struct sockaddr __user *uaddr;
343 struct msghdr msg;
344};
345
f67676d1
JA		 346struct io_async_rw {
347 struct iovec fast_iov[UIO_FASTIOV];
348 struct iovec *iov;
349 ssize_t nr_segs;
350 ssize_t size;
351};
352
1a6b74fc
JA		 353struct io_async_ctx {
354 struct io_uring_sqe sqe;
f67676d1
JA		 355 union {
356 struct io_async_rw rw;
03b1230c 357 struct io_async_msghdr msg;
f499a021 358 struct io_async_connect connect;
2d28390a 359 struct io_timeout_data timeout;
f67676d1 360 };
1a6b74fc
JA		 361};
362
09bb8394
JA		 363/*
364 * NOTE! Each of the iocb union members has the file pointer
365 * as the first entry in their struct definition. So you can
366 * access the file pointer through any of the sub-structs,
367 * or directly as just 'ki_filp' in this struct.
368 */
2b188cc1 369struct io_kiocb {
221c5eb2 370 union {
09bb8394 371 struct file *file;
221c5eb2
JA		 372 struct kiocb rw;
373 struct io_poll_iocb poll;
8ed8d3c3
JA		 374 struct io_accept accept;
375 struct io_sync sync;
fbf23849 376 struct io_cancel cancel;
b29472ee 377 struct io_timeout timeout;
221c5eb2 378 };
2b188cc1 379
cf6fd4bd 380 const struct io_uring_sqe *sqe;
1a6b74fc 381 struct io_async_ctx *io;
cf6fd4bd
PB		 382 struct file *ring_file;
383 int ring_fd;
384 bool has_user;
385 bool in_async;
386 bool needs_fixed_file;
d625c6ee 387 u8 opcode;
2b188cc1
JA		 388
389 struct io_ring_ctx *ctx;
eac406c6
JA		 390 union {
391 struct list_head list;
78076bb6 392 struct hlist_node hash_node;
eac406c6 393 };
9e645e11 394 struct list_head link_list;
2b188cc1 395 unsigned int flags;
c16361c1 396 refcount_t refs;
8449eeda 397#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 398#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 399#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 400#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 401#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
402#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 403#define REQ_F_LINK 64 /* linked sqes */
2665abfd 404#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 405#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 406#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 407#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 408#define REQ_F_ISREG 2048 /* regular file */
409#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 410#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 411#define REQ_F_INFLIGHT 16384 /* on inflight list */
412#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 413#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
8ed8d3c3 414#define REQ_F_PREPPED 131072 /* request already opcode prepared */
2b188cc1 415 u64 user_data;
9e645e11 416 u32 result;
de0617e4 417 u32 sequence;
2b188cc1 418
fcb323cc
JA		 419 struct list_head inflight_entry;
420
561fb04a 421 struct io_wq_work work;
2b188cc1
JA		 422};
423
424#define IO_PLUG_THRESHOLD 2
def596e9 425#define IO_IOPOLL_BATCH 8
2b188cc1 426
9a56a232
JA		 427struct io_submit_state {
428 struct blk_plug plug;
429
2579f913
JA		 430 /*
431 * io_kiocb alloc cache
432 */
433 void *reqs[IO_IOPOLL_BATCH];
434 unsigned int free_reqs;
435 unsigned int cur_req;
436
9a56a232
JA		 437 /*
438 * File reference cache
439 */
440 struct file *file;
441 unsigned int fd;
442 unsigned int has_refs;
443 unsigned int used_refs;
444 unsigned int ios_left;
445};
446
561fb04a 447static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 448static void io_cqring_fill_event(struct io_kiocb *req, long res);
4fe2c963 449static void __io_free_req(struct io_kiocb *req);
ec9c02ad 450static void io_put_req(struct io_kiocb *req);
78e19bbe 451static void io_double_put_req(struct io_kiocb *req);
978db57e 452static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 453static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
454static void io_queue_linked_timeout(struct io_kiocb *req);
de0617e4 455
2b188cc1
JA		 456static struct kmem_cache *req_cachep;
457
458static const struct file_operations io_uring_fops;
459
460struct sock *io_uring_get_socket(struct file *file)
461{
462#if defined(CONFIG_UNIX)
463 if (file->f_op == &io_uring_fops) {
464 struct io_ring_ctx *ctx = file->private_data;
465
466 return ctx->ring_sock->sk;
467 }
468#endif
469 return NULL;
470}
471EXPORT_SYMBOL(io_uring_get_socket);
472
473static void io_ring_ctx_ref_free(struct percpu_ref *ref)
474{
475 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
476
206aefde 477 complete(&ctx->completions[0]);
2b188cc1
JA		 478}
479
480static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
481{
482 struct io_ring_ctx *ctx;
78076bb6 483 int hash_bits;
2b188cc1
JA		 484
485 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
486 if (!ctx)
487 return NULL;
488
0ddf92e8
JA		 489 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
490 if (!ctx->fallback_req)
491 goto err;
492
206aefde
JA		 493 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
494 if (!ctx->completions)
495 goto err;
496
78076bb6
JA		 497 /*
498 * Use 5 bits less than the max cq entries, that should give us around
499 * 32 entries per hash list if totally full and uniformly spread.
500 */
501 hash_bits = ilog2(p->cq_entries);
502 hash_bits -= 5;
503 if (hash_bits <= 0)
504 hash_bits = 1;
505 ctx->cancel_hash_bits = hash_bits;
506 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
507 GFP_KERNEL);
508 if (!ctx->cancel_hash)
509 goto err;
510 __hash_init(ctx->cancel_hash, 1U << hash_bits);
511
21482896 512 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 513 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
514 goto err;
2b188cc1
JA		 515
516 ctx->flags = p->flags;
517 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 518 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 519 init_completion(&ctx->completions[0]);
520 init_completion(&ctx->completions[1]);
2b188cc1
JA		 521 mutex_init(&ctx->uring_lock);
522 init_waitqueue_head(&ctx->wait);
523 spin_lock_init(&ctx->completion_lock);
def596e9 524 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 525 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 526 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 527 init_waitqueue_head(&ctx->inflight_wait);
528 spin_lock_init(&ctx->inflight_lock);
529 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 530 return ctx;
206aefde 531err:
0ddf92e8
JA		 532 if (ctx->fallback_req)
533 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 534 kfree(ctx->completions);
78076bb6 535 kfree(ctx->cancel_hash);
206aefde
JA		 536 kfree(ctx);
537 return NULL;
2b188cc1
JA		 538}
539
9d858b21 540static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 541{
a197f664
JL		 542 struct io_ring_ctx *ctx = req->ctx;
543
498ccd9e
JA		 544 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
545 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 546}
547
9d858b21 548static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 549{
9d858b21
BL		 550 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
551 return __req_need_defer(req);
de0617e4 552
9d858b21 553 return false;
de0617e4
JA		 554}
555
7adf4eaf 556static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 557{
558 struct io_kiocb *req;
559
7adf4eaf 560 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 561 if (req && !req_need_defer(req)) {
de0617e4
JA		 562 list_del_init(&req->list);
563 return req;
564 }
565
566 return NULL;
567}
568
5262f567
JA		 569static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
570{
7adf4eaf
JA		 571 struct io_kiocb *req;
572
573 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 574 if (req) {
575 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
576 return NULL;
fb4b3d3f 577 if (!__req_need_defer(req)) {
93bd25bb
JA		 578 list_del_init(&req->list);
579 return req;
580 }
7adf4eaf
JA		 581 }
582
583 return NULL;
5262f567
JA		 584}
585
de0617e4 586static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 587{
75b28aff 588 struct io_rings *rings = ctx->rings;
2b188cc1 589
75b28aff 590 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 591 /* order cqe stores with ring update */
75b28aff 592 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 593
2b188cc1
JA		 594 if (wq_has_sleeper(&ctx->cq_wait)) {
595 wake_up_interruptible(&ctx->cq_wait);
596 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
597 }
598 }
599}
600
d625c6ee 601static inline bool io_req_needs_user(struct io_kiocb *req)
18d9be1a 602{
d625c6ee
JA		 603 return !(req->opcode == IORING_OP_READ_FIXED ||
604 req->opcode == IORING_OP_WRITE_FIXED);
561fb04a
JA		 605}
606
94ae5e77
JA		 607static inline bool io_prep_async_work(struct io_kiocb *req,
608 struct io_kiocb **link)
18d9be1a 609{
561fb04a 610 bool do_hashed = false;
54a91f3b 611
cf6fd4bd 612 if (req->sqe) {
d625c6ee 613 switch (req->opcode) {
6cc47d1d
JA		 614 case IORING_OP_WRITEV:
615 case IORING_OP_WRITE_FIXED:
53108d47
JA		 616 /* only regular files should be hashed for writes */
617 if (req->flags & REQ_F_ISREG)
618 do_hashed = true;
5f8fd2d3
JA		 619 /* fall-through */
620 case IORING_OP_READV:
621 case IORING_OP_READ_FIXED:
622 case IORING_OP_SENDMSG:
623 case IORING_OP_RECVMSG:
624 case IORING_OP_ACCEPT:
625 case IORING_OP_POLL_ADD:
f8e85cf2 626 case IORING_OP_CONNECT:
5f8fd2d3
JA		 627 /*
628 * We know REQ_F_ISREG is not set on some of these
629 * opcodes, but this enables us to keep the check in
630 * just one place.
631 */
632 if (!(req->flags & REQ_F_ISREG))
633 req->work.flags |= IO_WQ_WORK_UNBOUND;
6cc47d1d
JA		 634 break;
635 }
d625c6ee 636 if (io_req_needs_user(req))
561fb04a 637 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b
JA		 638 }
639
94ae5e77 640 *link = io_prep_linked_timeout(req);
561fb04a
JA		 641 return do_hashed;
642}
643
a197f664 644static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 645{
a197f664 646 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 647 struct io_kiocb *link;
648 bool do_hashed;
649
650 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 651
652 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
653 req->flags);
654 if (!do_hashed) {
655 io_wq_enqueue(ctx->io_wq, &req->work);
656 } else {
657 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
658 file_inode(req->file));
659 }
94ae5e77
JA		 660
661 if (link)
662 io_queue_linked_timeout(link);
18d9be1a
JA		 663}
664
5262f567
JA		 665static void io_kill_timeout(struct io_kiocb *req)
666{
667 int ret;
668
2d28390a 669 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 670 if (ret != -1) {
671 atomic_inc(&req->ctx->cq_timeouts);
842f9612 672 list_del_init(&req->list);
78e19bbe 673 io_cqring_fill_event(req, 0);
ec9c02ad 674 io_put_req(req);
5262f567
JA		 675 }
676}
677
678static void io_kill_timeouts(struct io_ring_ctx *ctx)
679{
680 struct io_kiocb *req, *tmp;
681
682 spin_lock_irq(&ctx->completion_lock);
683 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
684 io_kill_timeout(req);
685 spin_unlock_irq(&ctx->completion_lock);
686}
687
de0617e4
JA		 688static void io_commit_cqring(struct io_ring_ctx *ctx)
689{
690 struct io_kiocb *req;
691
5262f567
JA		 692 while ((req = io_get_timeout_req(ctx)) != NULL)
693 io_kill_timeout(req);
694
de0617e4
JA		 695 __io_commit_cqring(ctx);
696
697 while ((req = io_get_deferred_req(ctx)) != NULL) {
698 req->flags |= REQ_F_IO_DRAINED;
a197f664 699 io_queue_async_work(req);
de0617e4
JA		 700 }
701}
702
2b188cc1
JA		 703static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
704{
75b28aff 705 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 706 unsigned tail;
707
708 tail = ctx->cached_cq_tail;
115e12e5
SB		 709 /*
710 * writes to the cq entry need to come after reading head; the
711 * control dependency is enough as we're using WRITE_ONCE to
712 * fill the cq entry
713 */
75b28aff 714 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 715 return NULL;
716
717 ctx->cached_cq_tail++;
75b28aff 718 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 719}
720
1d7bb1d5
JA		 721static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
722{
723 if (waitqueue_active(&ctx->wait))
724 wake_up(&ctx->wait);
725 if (waitqueue_active(&ctx->sqo_wait))
726 wake_up(&ctx->sqo_wait);
727 if (ctx->cq_ev_fd)
728 eventfd_signal(ctx->cq_ev_fd, 1);
729}
730
c4a2ed72
JA		 731/* Returns true if there are no backlogged entries after the flush */
732static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 733{
734 struct io_rings *rings = ctx->rings;
735 struct io_uring_cqe *cqe;
736 struct io_kiocb *req;
737 unsigned long flags;
738 LIST_HEAD(list);
739
740 if (!force) {
741 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 742 return true;
1d7bb1d5
JA		 743 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
744 rings->cq_ring_entries))
c4a2ed72 745 return false;
1d7bb1d5
JA		 746 }
747
748 spin_lock_irqsave(&ctx->completion_lock, flags);
749
750 /* if force is set, the ring is going away. always drop after that */
751 if (force)
752 ctx->cq_overflow_flushed = true;
753
c4a2ed72 754 cqe = NULL;
1d7bb1d5
JA		 755 while (!list_empty(&ctx->cq_overflow_list)) {
756 cqe = io_get_cqring(ctx);
757 if (!cqe && !force)
758 break;
759
760 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
761 list);
762 list_move(&req->list, &list);
763 if (cqe) {
764 WRITE_ONCE(cqe->user_data, req->user_data);
765 WRITE_ONCE(cqe->res, req->result);
766 WRITE_ONCE(cqe->flags, 0);
767 } else {
768 WRITE_ONCE(ctx->rings->cq_overflow,
769 atomic_inc_return(&ctx->cached_cq_overflow));
770 }
771 }
772
773 io_commit_cqring(ctx);
774 spin_unlock_irqrestore(&ctx->completion_lock, flags);
775 io_cqring_ev_posted(ctx);
776
777 while (!list_empty(&list)) {
778 req = list_first_entry(&list, struct io_kiocb, list);
779 list_del(&req->list);
ec9c02ad 780 io_put_req(req);
1d7bb1d5 781 }
c4a2ed72
JA		 782
783 return cqe != NULL;
1d7bb1d5
JA		 784}
785
78e19bbe 786static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 787{
78e19bbe 788 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 789 struct io_uring_cqe *cqe;
790
78e19bbe 791 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 792
2b188cc1
JA		 793 /*
794 * If we can't get a cq entry, userspace overflowed the
795 * submission (by quite a lot). Increment the overflow count in
796 * the ring.
797 */
798 cqe = io_get_cqring(ctx);
1d7bb1d5 799 if (likely(cqe)) {
78e19bbe 800 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 801 WRITE_ONCE(cqe->res, res);
c71ffb67 802 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 803 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 804 WRITE_ONCE(ctx->rings->cq_overflow,
805 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5
JA		 806 } else {
807 refcount_inc(&req->refs);
808 req->result = res;
809 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 810 }
811}
812
78e19bbe 813static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 814{
78e19bbe 815 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 816 unsigned long flags;
817
818 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 819 io_cqring_fill_event(req, res);
2b188cc1
JA		 820 io_commit_cqring(ctx);
821 spin_unlock_irqrestore(&ctx->completion_lock, flags);
822
8c838788 823 io_cqring_ev_posted(ctx);
2b188cc1
JA		 824}
825
0ddf92e8
JA		 826static inline bool io_is_fallback_req(struct io_kiocb *req)
827{
828 return req == (struct io_kiocb *)
829 ((unsigned long) req->ctx->fallback_req & ~1UL);
830}
831
832static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
833{
834 struct io_kiocb *req;
835
836 req = ctx->fallback_req;
837 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
838 return req;
839
840 return NULL;
841}
842
2579f913
JA		 843static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
844 struct io_submit_state *state)
2b188cc1 845{
fd6fab2c 846 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 847 struct io_kiocb *req;
848
849 if (!percpu_ref_tryget(&ctx->refs))
850 return NULL;
851
2579f913 852 if (!state) {
fd6fab2c 853 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 854 if (unlikely(!req))
0ddf92e8 855 goto fallback;
2579f913
JA		 856 } else if (!state->free_reqs) {
857 size_t sz;
858 int ret;
859
860 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 861 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
862
863 /*
864 * Bulk alloc is all-or-nothing. If we fail to get a batch,
865 * retry single alloc to be on the safe side.
866 */
867 if (unlikely(ret <= 0)) {
868 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
869 if (!state->reqs[0])
0ddf92e8 870 goto fallback;
fd6fab2c
JA		 871 ret = 1;
872 }
2579f913
JA		 873 state->free_reqs = ret - 1;
874 state->cur_req = 1;
875 req = state->reqs[0];
876 } else {
877 req = state->reqs[state->cur_req];
878 state->free_reqs--;
879 state->cur_req++;
2b188cc1
JA		 880 }
881
0ddf92e8 882got_it:
1a6b74fc 883 req->io = NULL;
cf6fd4bd 884 req->ring_file = NULL;
60c112b0 885 req->file = NULL;
2579f913
JA		 886 req->ctx = ctx;
887 req->flags = 0;
e65ef56d
JA		 888 /* one is dropped after submission, the other at completion */
889 refcount_set(&req->refs, 2);
9e645e11 890 req->result = 0;
561fb04a 891 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 892 return req;
0ddf92e8
JA		 893fallback:
894 req = io_get_fallback_req(ctx);
895 if (req)
896 goto got_it;
6805b32e 897 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 898 return NULL;
899}
900
def596e9
JA		 901static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr)
902{
903 if (*nr) {
904 kmem_cache_free_bulk(req_cachep, *nr, reqs);
6805b32e 905 percpu_ref_put_many(&ctx->refs, *nr);
def596e9
JA		 906 *nr = 0;
907 }
908}
909
9e645e11 910static void __io_free_req(struct io_kiocb *req)
2b188cc1 911{
fcb323cc
JA		 912 struct io_ring_ctx *ctx = req->ctx;
913
1a6b74fc
JA		 914 if (req->io)
915 kfree(req->io);
09bb8394
JA		 916 if (req->file && !(req->flags & REQ_F_FIXED_FILE))
917 fput(req->file);
fcb323cc
JA		 918 if (req->flags & REQ_F_INFLIGHT) {
919 unsigned long flags;
920
921 spin_lock_irqsave(&ctx->inflight_lock, flags);
922 list_del(&req->inflight_entry);
923 if (waitqueue_active(&ctx->inflight_wait))
924 wake_up(&ctx->inflight_wait);
925 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
926 }
927 percpu_ref_put(&ctx->refs);
0ddf92e8
JA		 928 if (likely(!io_is_fallback_req(req)))
929 kmem_cache_free(req_cachep, req);
930 else
931 clear_bit_unlock(0, (unsigned long *) ctx->fallback_req);
e65ef56d
JA		 932}
933
a197f664 934static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 935{
a197f664 936 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 937 int ret;
938
2d28390a 939 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 940 if (ret != -1) {
78e19bbe 941 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 942 io_commit_cqring(ctx);
943 req->flags &= ~REQ_F_LINK;
ec9c02ad 944 io_put_req(req);
2665abfd
JA		 945 return true;
946 }
947
948 return false;
e65ef56d
JA		 949}
950
ba816ad6 951static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 952{
2665abfd 953 struct io_ring_ctx *ctx = req->ctx;
2665abfd 954 bool wake_ev = false;
9e645e11 955
4d7dd462
JA		 956 /* Already got next link */
957 if (req->flags & REQ_F_LINK_NEXT)
958 return;
959
9e645e11
JA		 960 /*
961 * The list should never be empty when we are called here. But could
962 * potentially happen if the chain is messed up, check to be on the
963 * safe side.
964 */
4493233e
PB		 965 while (!list_empty(&req->link_list)) {
966 struct io_kiocb *nxt = list_first_entry(&req->link_list,
967 struct io_kiocb, link_list);
94ae5e77 968
4493233e
PB		 969 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
970 (nxt->flags & REQ_F_TIMEOUT))) {
971 list_del_init(&nxt->link_list);
94ae5e77 972 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 973 req->flags &= ~REQ_F_LINK_TIMEOUT;
974 continue;
975 }
9e645e11 976
4493233e
PB		 977 list_del_init(&req->link_list);
978 if (!list_empty(&nxt->link_list))
979 nxt->flags |= REQ_F_LINK;
b18fdf71 980 *nxtptr = nxt;
94ae5e77 981 break;
9e645e11 982 }
2665abfd 983
4d7dd462 984 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 985 if (wake_ev)
986 io_cqring_ev_posted(ctx);
9e645e11
JA		 987}
988
989/*
990 * Called if REQ_F_LINK is set, and we fail the head request
991 */
992static void io_fail_links(struct io_kiocb *req)
993{
2665abfd 994 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 995 unsigned long flags;
996
997 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 998
999 while (!list_empty(&req->link_list)) {
4493233e
PB		 1000 struct io_kiocb *link = list_first_entry(&req->link_list,
1001 struct io_kiocb, link_list);
9e645e11 1002
4493233e 1003 list_del_init(&link->link_list);
c826bd7a 1004 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1005
1006 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1007 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1008 io_link_cancel_timeout(link);
2665abfd 1009 } else {
78e19bbe 1010 io_cqring_fill_event(link, -ECANCELED);
978db57e 1011 __io_double_put_req(link);
2665abfd 1012 }
5d960724 1013 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1014 }
2665abfd
JA		 1015
1016 io_commit_cqring(ctx);
1017 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1018 io_cqring_ev_posted(ctx);
9e645e11
JA		 1019}
1020
4d7dd462 1021static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1022{
4d7dd462 1023 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1024 return;
2665abfd 1025
9e645e11
JA		 1026 /*
1027 * If LINK is set, we have dependent requests in this chain. If we
1028 * didn't fail this request, queue the first one up, moving any other
1029 * dependencies to the next request. In case of failure, fail the rest
1030 * of the chain.
1031 */
2665abfd
JA		 1032 if (req->flags & REQ_F_FAIL_LINK) {
1033 io_fail_links(req);
7c9e7f0f
JA		 1034 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1035 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1036 struct io_ring_ctx *ctx = req->ctx;
1037 unsigned long flags;
1038
1039 /*
1040 * If this is a timeout link, we could be racing with the
1041 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1042 * protect against that.
2665abfd
JA		 1043 */
1044 spin_lock_irqsave(&ctx->completion_lock, flags);
1045 io_req_link_next(req, nxt);
1046 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1047 } else {
1048 io_req_link_next(req, nxt);
9e645e11 1049 }
4d7dd462 1050}
9e645e11 1051
c69f8dbe
JL		 1052static void io_free_req(struct io_kiocb *req)
1053{
944e58bf
PB		 1054 struct io_kiocb *nxt = NULL;
1055
1056 io_req_find_next(req, &nxt);
70cf9f32 1057 __io_free_req(req);
944e58bf
PB		 1058
1059 if (nxt)
1060 io_queue_async_work(nxt);
c69f8dbe
JL		 1061}
1062
ba816ad6
JA		 1063/*
1064 * Drop reference to request, return next in chain (if there is one) if this
1065 * was the last reference to this request.
1066 */
f9bd67f6 1067__attribute__((nonnull))
ec9c02ad 1068static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1069{
f9bd67f6 1070 io_req_find_next(req, nxtptr);
4d7dd462 1071
e65ef56d 1072 if (refcount_dec_and_test(&req->refs))
4d7dd462 1073 __io_free_req(req);
2b188cc1
JA		 1074}
1075
e65ef56d
JA		 1076static void io_put_req(struct io_kiocb *req)
1077{
1078 if (refcount_dec_and_test(&req->refs))
1079 io_free_req(req);
2b188cc1
JA		 1080}
1081
978db57e
JA		 1082/*
1083 * Must only be used if we don't need to care about links, usually from
1084 * within the completion handling itself.
1085 */
1086static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1087{
1088 /* drop both submit and complete references */
1089 if (refcount_sub_and_test(2, &req->refs))
1090 __io_free_req(req);
1091}
1092
978db57e
JA		 1093static void io_double_put_req(struct io_kiocb *req)
1094{
1095 /* drop both submit and complete references */
1096 if (refcount_sub_and_test(2, &req->refs))
1097 io_free_req(req);
1098}
1099
1d7bb1d5 1100static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1101{
84f97dc2
JA		 1102 struct io_rings *rings = ctx->rings;
1103
1d7bb1d5
JA		 1104 /*
1105 * noflush == true is from the waitqueue handler, just ensure we wake
1106 * up the task, and the next invocation will flush the entries. We
1107 * cannot safely to it from here.
1108 */
1109 if (noflush && !list_empty(&ctx->cq_overflow_list))
1110 return -1U;
1111
1112 io_cqring_overflow_flush(ctx, false);
1113
a3a0e43f
JA		 1114 /* See comment at the top of this file */
1115 smp_rmb();
75b28aff 1116 return READ_ONCE(rings->cq.tail) - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1117}
1118
fb5ccc98
PB		 1119static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1120{
1121 struct io_rings *rings = ctx->rings;
1122
1123 /* make sure SQ entry isn't read before tail */
1124 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1125}
1126
def596e9
JA		 1127/*
1128 * Find and free completed poll iocbs
1129 */
1130static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1131 struct list_head *done)
1132{
1133 void *reqs[IO_IOPOLL_BATCH];
1134 struct io_kiocb *req;
09bb8394 1135 int to_free;
def596e9 1136
09bb8394 1137 to_free = 0;
def596e9
JA		 1138 while (!list_empty(done)) {
1139 req = list_first_entry(done, struct io_kiocb, list);
1140 list_del(&req->list);
1141
78e19bbe 1142 io_cqring_fill_event(req, req->result);
def596e9
JA		 1143 (*nr_events)++;
1144
09bb8394
JA		 1145 if (refcount_dec_and_test(&req->refs)) {
1146 /* If we're not using fixed files, we have to pair the
1147 * completion part with the file put. Use regular
1148 * completions for those, only batch free for fixed
9e645e11 1149 * file and non-linked commands.
09bb8394 1150 */
1a6b74fc
JA		 1151 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) ==
1152 REQ_F_FIXED_FILE) && !io_is_fallback_req(req) &&
1153 !req->io) {
09bb8394
JA		 1154 reqs[to_free++] = req;
1155 if (to_free == ARRAY_SIZE(reqs))
1156 io_free_req_many(ctx, reqs, &to_free);
6b06314c 1157 } else {
09bb8394 1158 io_free_req(req);
6b06314c 1159 }
9a56a232 1160 }
def596e9 1161 }
def596e9 1162
09bb8394 1163 io_commit_cqring(ctx);
def596e9
JA		 1164 io_free_req_many(ctx, reqs, &to_free);
1165}
1166
1167static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1168 long min)
1169{
1170 struct io_kiocb *req, *tmp;
1171 LIST_HEAD(done);
1172 bool spin;
1173 int ret;
1174
1175 /*
1176 * Only spin for completions if we don't have multiple devices hanging
1177 * off our complete list, and we're under the requested amount.
1178 */
1179 spin = !ctx->poll_multi_file && *nr_events < min;
1180
1181 ret = 0;
1182 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1183 struct kiocb *kiocb = &req->rw;
1184
1185 /*
1186 * Move completed entries to our local list. If we find a
1187 * request that requires polling, break out and complete
1188 * the done list first, if we have entries there.
1189 */
1190 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1191 list_move_tail(&req->list, &done);
1192 continue;
1193 }
1194 if (!list_empty(&done))
1195 break;
1196
1197 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1198 if (ret < 0)
1199 break;
1200
1201 if (ret && spin)
1202 spin = false;
1203 ret = 0;
1204 }
1205
1206 if (!list_empty(&done))
1207 io_iopoll_complete(ctx, nr_events, &done);
1208
1209 return ret;
1210}
1211
1212/*
d195a66e 1213 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1214 * non-spinning poll check - we'll still enter the driver poll loop, but only
1215 * as a non-spinning completion check.
1216 */
1217static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1218 long min)
1219{
08f5439f 1220 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1221 int ret;
1222
1223 ret = io_do_iopoll(ctx, nr_events, min);
1224 if (ret < 0)
1225 return ret;
1226 if (!min || *nr_events >= min)
1227 return 0;
1228 }
1229
1230 return 1;
1231}
1232
1233/*
1234 * We can't just wait for polled events to come to us, we have to actively
1235 * find and complete them.
1236 */
1237static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1238{
1239 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1240 return;
1241
1242 mutex_lock(&ctx->uring_lock);
1243 while (!list_empty(&ctx->poll_list)) {
1244 unsigned int nr_events = 0;
1245
1246 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1247
1248 /*
1249 * Ensure we allow local-to-the-cpu processing to take place,
1250 * in this case we need to ensure that we reap all events.
1251 */
1252 cond_resched();
def596e9
JA		 1253 }
1254 mutex_unlock(&ctx->uring_lock);
1255}
1256
2b2ed975
JA		 1257static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1258 long min)
def596e9 1259{
2b2ed975 1260 int iters = 0, ret = 0;
500f9fba 1261
def596e9
JA		 1262 do {
1263 int tmin = 0;
1264
a3a0e43f
JA		 1265 /*
1266 * Don't enter poll loop if we already have events pending.
1267 * If we do, we can potentially be spinning for commands that
1268 * already triggered a CQE (eg in error).
1269 */
1d7bb1d5 1270 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1271 break;
1272
500f9fba
JA		 1273 /*
1274 * If a submit got punted to a workqueue, we can have the
1275 * application entering polling for a command before it gets
1276 * issued. That app will hold the uring_lock for the duration
1277 * of the poll right here, so we need to take a breather every
1278 * now and then to ensure that the issue has a chance to add
1279 * the poll to the issued list. Otherwise we can spin here
1280 * forever, while the workqueue is stuck trying to acquire the
1281 * very same mutex.
1282 */
1283 if (!(++iters & 7)) {
1284 mutex_unlock(&ctx->uring_lock);
1285 mutex_lock(&ctx->uring_lock);
1286 }
1287
def596e9
JA		 1288 if (*nr_events < min)
1289 tmin = min - *nr_events;
1290
1291 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1292 if (ret <= 0)
1293 break;
1294 ret = 0;
1295 } while (min && !*nr_events && !need_resched());
1296
2b2ed975
JA		 1297 return ret;
1298}
1299
1300static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1301 long min)
1302{
1303 int ret;
1304
1305 /*
1306 * We disallow the app entering submit/complete with polling, but we
1307 * still need to lock the ring to prevent racing with polled issue
1308 * that got punted to a workqueue.
1309 */
1310 mutex_lock(&ctx->uring_lock);
1311 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1312 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1313 return ret;
1314}
1315
491381ce 1316static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1317{
491381ce
JA		 1318 /*
1319 * Tell lockdep we inherited freeze protection from submission
1320 * thread.
1321 */
1322 if (req->flags & REQ_F_ISREG) {
1323 struct inode *inode = file_inode(req->file);
2b188cc1 1324
491381ce 1325 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1326 }
491381ce 1327 file_end_write(req->file);
2b188cc1
JA		 1328}
1329
4e88d6e7
JA		 1330static inline void req_set_fail_links(struct io_kiocb *req)
1331{
1332 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1333 req->flags |= REQ_F_FAIL_LINK;
1334}
1335
ba816ad6 1336static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1
JA		 1337{
1338 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1339
491381ce
JA		 1340 if (kiocb->ki_flags & IOCB_WRITE)
1341 kiocb_end_write(req);
2b188cc1 1342
4e88d6e7
JA		 1343 if (res != req->result)
1344 req_set_fail_links(req);
78e19bbe 1345 io_cqring_add_event(req, res);
ba816ad6
JA		 1346}
1347
1348static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1349{
1350 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1351
1352 io_complete_rw_common(kiocb, res);
e65ef56d 1353 io_put_req(req);
2b188cc1
JA		 1354}
1355
ba816ad6
JA		 1356static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1357{
1358 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
ec9c02ad 1359 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1360
1361 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1362 io_put_req_find_next(req, &nxt);
1363
1364 return nxt;
2b188cc1
JA		 1365}
1366
def596e9
JA		 1367static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1368{
1369 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1370
491381ce
JA		 1371 if (kiocb->ki_flags & IOCB_WRITE)
1372 kiocb_end_write(req);
def596e9 1373
4e88d6e7
JA		 1374 if (res != req->result)
1375 req_set_fail_links(req);
9e645e11 1376 req->result = res;
def596e9
JA		 1377 if (res != -EAGAIN)
1378 req->flags |= REQ_F_IOPOLL_COMPLETED;
1379}
1380
1381/*
1382 * After the iocb has been issued, it's safe to be found on the poll list.
1383 * Adding the kiocb to the list AFTER submission ensures that we don't
1384 * find it from a io_iopoll_getevents() thread before the issuer is done
1385 * accessing the kiocb cookie.
1386 */
1387static void io_iopoll_req_issued(struct io_kiocb *req)
1388{
1389 struct io_ring_ctx *ctx = req->ctx;
1390
1391 /*
1392 * Track whether we have multiple files in our lists. This will impact
1393 * how we do polling eventually, not spinning if we're on potentially
1394 * different devices.
1395 */
1396 if (list_empty(&ctx->poll_list)) {
1397 ctx->poll_multi_file = false;
1398 } else if (!ctx->poll_multi_file) {
1399 struct io_kiocb *list_req;
1400
1401 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1402 list);
1403 if (list_req->rw.ki_filp != req->rw.ki_filp)
1404 ctx->poll_multi_file = true;
1405 }
1406
1407 /*
1408 * For fast devices, IO may have already completed. If it has, add
1409 * it to the front so we find it first.
1410 */
1411 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1412 list_add(&req->list, &ctx->poll_list);
1413 else
1414 list_add_tail(&req->list, &ctx->poll_list);
1415}
1416
3d6770fb 1417static void io_file_put(struct io_submit_state *state)
9a56a232 1418{
3d6770fb 1419 if (state->file) {
9a56a232
JA		 1420 int diff = state->has_refs - state->used_refs;
1421
1422 if (diff)
1423 fput_many(state->file, diff);
1424 state->file = NULL;
1425 }
1426}
1427
1428/*
1429 * Get as many references to a file as we have IOs left in this submission,
1430 * assuming most submissions are for one file, or at least that each file
1431 * has more than one submission.
1432 */
1433static struct file *io_file_get(struct io_submit_state *state, int fd)
1434{
1435 if (!state)
1436 return fget(fd);
1437
1438 if (state->file) {
1439 if (state->fd == fd) {
1440 state->used_refs++;
1441 state->ios_left--;
1442 return state->file;
1443 }
3d6770fb 1444 io_file_put(state);
9a56a232
JA		 1445 }
1446 state->file = fget_many(fd, state->ios_left);
1447 if (!state->file)
1448 return NULL;
1449
1450 state->fd = fd;
1451 state->has_refs = state->ios_left;
1452 state->used_refs = 1;
1453 state->ios_left--;
1454 return state->file;
1455}
1456
2b188cc1
JA		 1457/*
1458 * If we tracked the file through the SCM inflight mechanism, we could support
1459 * any file. For now, just ensure that anything potentially problematic is done
1460 * inline.
1461 */
1462static bool io_file_supports_async(struct file *file)
1463{
1464 umode_t mode = file_inode(file)->i_mode;
1465
10d59345 1466 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1467 return true;
1468 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1469 return true;
1470
1471 return false;
1472}
1473
267bc904 1474static int io_prep_rw(struct io_kiocb *req, bool force_nonblock)
2b188cc1 1475{
cf6fd4bd 1476 const struct io_uring_sqe *sqe = req->sqe;
def596e9 1477 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 1478 struct kiocb *kiocb = &req->rw;
09bb8394
JA		 1479 unsigned ioprio;
1480 int ret;
2b188cc1 1481
09bb8394
JA		 1482 if (!req->file)
1483 return -EBADF;
2b188cc1 1484
491381ce
JA		 1485 if (S_ISREG(file_inode(req->file)->i_mode))
1486 req->flags |= REQ_F_ISREG;
1487
2b188cc1
JA		 1488 kiocb->ki_pos = READ_ONCE(sqe->off);
1489 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1490 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1491
1492 ioprio = READ_ONCE(sqe->ioprio);
1493 if (ioprio) {
1494 ret = ioprio_check_cap(ioprio);
1495 if (ret)
09bb8394 1496 return ret;
2b188cc1
JA		 1497
1498 kiocb->ki_ioprio = ioprio;
1499 } else
1500 kiocb->ki_ioprio = get_current_ioprio();
1501
1502 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1503 if (unlikely(ret))
09bb8394 1504 return ret;
8449eeda
SB		 1505
1506 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1507 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1508 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1509 req->flags |= REQ_F_NOWAIT;
1510
1511 if (force_nonblock)
2b188cc1 1512 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1513
def596e9 1514 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1515 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1516 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1517 return -EOPNOTSUPP;
2b188cc1 1518
def596e9
JA		 1519 kiocb->ki_flags |= IOCB_HIPRI;
1520 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1521 req->result = 0;
def596e9 1522 } else {
09bb8394
JA		 1523 if (kiocb->ki_flags & IOCB_HIPRI)
1524 return -EINVAL;
def596e9
JA		 1525 kiocb->ki_complete = io_complete_rw;
1526 }
2b188cc1 1527 return 0;
2b188cc1
JA		 1528}
1529
1530static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1531{
1532 switch (ret) {
1533 case -EIOCBQUEUED:
1534 break;
1535 case -ERESTARTSYS:
1536 case -ERESTARTNOINTR:
1537 case -ERESTARTNOHAND:
1538 case -ERESTART_RESTARTBLOCK:
1539 /*
1540 * We can't just restart the syscall, since previously
1541 * submitted sqes may already be in progress. Just fail this
1542 * IO with EINTR.
1543 */
1544 ret = -EINTR;
1545 /* fall through */
1546 default:
1547 kiocb->ki_complete(kiocb, ret, 0);
1548 }
1549}
1550
ba816ad6
JA		 1551static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1552 bool in_async)
1553{
f9bd67f6 1554 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1555 *nxt = __io_complete_rw(kiocb, ret);
1556 else
1557 io_rw_done(kiocb, ret);
1558}
1559
7d009165
PB		 1560static ssize_t io_import_fixed(struct io_ring_ctx *ctx, int rw,
1561 const struct io_uring_sqe *sqe,
1562 struct iov_iter *iter)
edafccee
JA		 1563{
1564 size_t len = READ_ONCE(sqe->len);
1565 struct io_mapped_ubuf *imu;
1566 unsigned index, buf_index;
1567 size_t offset;
1568 u64 buf_addr;
1569
1570 /* attempt to use fixed buffers without having provided iovecs */
1571 if (unlikely(!ctx->user_bufs))
1572 return -EFAULT;
1573
1574 buf_index = READ_ONCE(sqe->buf_index);
1575 if (unlikely(buf_index >= ctx->nr_user_bufs))
1576 return -EFAULT;
1577
1578 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1579 imu = &ctx->user_bufs[index];
1580 buf_addr = READ_ONCE(sqe->addr);
1581
1582 /* overflow */
1583 if (buf_addr + len < buf_addr)
1584 return -EFAULT;
1585 /* not inside the mapped region */
1586 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1587 return -EFAULT;
1588
1589 /*
1590 * May not be a start of buffer, set size appropriately
1591 * and advance us to the beginning.
1592 */
1593 offset = buf_addr - imu->ubuf;
1594 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1595
1596 if (offset) {
1597 /*
1598 * Don't use iov_iter_advance() here, as it's really slow for
1599 * using the latter parts of a big fixed buffer - it iterates
1600 * over each segment manually. We can cheat a bit here, because
1601 * we know that:
1602 *
1603 * 1) it's a BVEC iter, we set it up
1604 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1605 * first and last bvec
1606 *
1607 * So just find our index, and adjust the iterator afterwards.
1608 * If the offset is within the first bvec (or the whole first
1609 * bvec, just use iov_iter_advance(). This makes it easier
1610 * since we can just skip the first segment, which may not
1611 * be PAGE_SIZE aligned.
1612 */
1613 const struct bio_vec *bvec = imu->bvec;
1614
1615 if (offset <= bvec->bv_len) {
1616 iov_iter_advance(iter, offset);
1617 } else {
1618 unsigned long seg_skip;
1619
1620 /* skip first vec */
1621 offset -= bvec->bv_len;
1622 seg_skip = 1 + (offset >> PAGE_SHIFT);
1623
1624 iter->bvec = bvec + seg_skip;
1625 iter->nr_segs -= seg_skip;
99c79f66 1626 iter->count -= bvec->bv_len + offset;
bd11b3a3 1627 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1628 }
1629 }
1630
5e559561 1631 return len;
edafccee
JA		 1632}
1633
cf6fd4bd
PB		 1634static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1635 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1636{
cf6fd4bd 1637 const struct io_uring_sqe *sqe = req->sqe;
2b188cc1
JA		 1638 void __user *buf = u64_to_user_ptr(READ_ONCE(sqe->addr));
1639 size_t sqe_len = READ_ONCE(sqe->len);
edafccee
JA		 1640 u8 opcode;
1641
1642 /*
1643 * We're reading ->opcode for the second time, but the first read
1644 * doesn't care whether it's _FIXED or not, so it doesn't matter
1645 * whether ->opcode changes concurrently. The first read does care
1646 * about whether it is a READ or a WRITE, so we don't trust this read
1647 * for that purpose and instead let the caller pass in the read/write
1648 * flag.
1649 */
d625c6ee 1650 opcode = req->opcode;
7d009165 1651 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1652 *iovec = NULL;
7d009165 1653 return io_import_fixed(req->ctx, rw, sqe, iter);
edafccee 1654 }
2b188cc1 1655
f67676d1
JA		 1656 if (req->io) {
1657 struct io_async_rw *iorw = &req->io->rw;
1658
1659 *iovec = iorw->iov;
1660 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1661 if (iorw->iov == iorw->fast_iov)
1662 *iovec = NULL;
1663 return iorw->size;
1664 }
1665
cf6fd4bd 1666 if (!req->has_user)
2b188cc1
JA		 1667 return -EFAULT;
1668
1669#ifdef CONFIG_COMPAT
cf6fd4bd 1670 if (req->ctx->compat)
2b188cc1
JA		 1671 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1672 iovec, iter);
1673#endif
1674
1675 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1676}
1677
31b51510 1678/*
32960613
JA		 1679 * For files that don't have ->read_iter() and ->write_iter(), handle them
1680 * by looping over ->read() or ->write() manually.
31b51510 1681 */
32960613
JA		 1682static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1683 struct iov_iter *iter)
1684{
1685 ssize_t ret = 0;
1686
1687 /*
1688 * Don't support polled IO through this interface, and we can't
1689 * support non-blocking either. For the latter, this just causes
1690 * the kiocb to be handled from an async context.
1691 */
1692 if (kiocb->ki_flags & IOCB_HIPRI)
1693 return -EOPNOTSUPP;
1694 if (kiocb->ki_flags & IOCB_NOWAIT)
1695 return -EAGAIN;
1696
1697 while (iov_iter_count(iter)) {
311ae9e1 1698 struct iovec iovec;
32960613
JA		 1699 ssize_t nr;
1700
311ae9e1
PB		 1701 if (!iov_iter_is_bvec(iter)) {
1702 iovec = iov_iter_iovec(iter);
1703 } else {
1704 /* fixed buffers import bvec */
1705 iovec.iov_base = kmap(iter->bvec->bv_page)
1706 + iter->iov_offset;
1707 iovec.iov_len = min(iter->count,
1708 iter->bvec->bv_len - iter->iov_offset);
1709 }
1710
32960613
JA		 1711 if (rw == READ) {
1712 nr = file->f_op->read(file, iovec.iov_base,
1713 iovec.iov_len, &kiocb->ki_pos);
1714 } else {
1715 nr = file->f_op->write(file, iovec.iov_base,
1716 iovec.iov_len, &kiocb->ki_pos);
1717 }
1718
311ae9e1
PB		 1719 if (iov_iter_is_bvec(iter))
1720 kunmap(iter->bvec->bv_page);
1721
32960613
JA		 1722 if (nr < 0) {
1723 if (!ret)
1724 ret = nr;
1725 break;
1726 }
1727 ret += nr;
1728 if (nr != iovec.iov_len)
1729 break;
1730 iov_iter_advance(iter, nr);
1731 }
1732
1733 return ret;
1734}
1735
b7bb4f7d 1736static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 1737 struct iovec *iovec, struct iovec *fast_iov,
1738 struct iov_iter *iter)
1739{
1740 req->io->rw.nr_segs = iter->nr_segs;
1741 req->io->rw.size = io_size;
1742 req->io->rw.iov = iovec;
1743 if (!req->io->rw.iov) {
1744 req->io->rw.iov = req->io->rw.fast_iov;
1745 memcpy(req->io->rw.iov, fast_iov,
1746 sizeof(struct iovec) * iter->nr_segs);
1747 }
1748}
1749
b7bb4f7d 1750static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1
JA		 1751{
1752 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
1753 if (req->io) {
f67676d1
JA		 1754 memcpy(&req->io->sqe, req->sqe, sizeof(req->io->sqe));
1755 req->sqe = &req->io->sqe;
1756 return 0;
1757 }
1758
b7bb4f7d
JA		 1759 return 1;
1760}
1761
1762static void io_rw_async(struct io_wq_work **workptr)
1763{
1764 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
1765 struct iovec *iov = NULL;
1766
1767 if (req->io->rw.iov != req->io->rw.fast_iov)
1768 iov = req->io->rw.iov;
1769 io_wq_submit_work(workptr);
1770 kfree(iov);
1771}
1772
1773static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
1774 struct iovec *iovec, struct iovec *fast_iov,
1775 struct iov_iter *iter)
1776{
1777 if (!req->io && io_alloc_async_ctx(req))
1778 return -ENOMEM;
1779
1780 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
1781 req->work.func = io_rw_async;
1782 return 0;
f67676d1
JA		 1783}
1784
1785static int io_read_prep(struct io_kiocb *req, struct iovec **iovec,
1786 struct iov_iter *iter, bool force_nonblock)
1787{
1788 ssize_t ret;
1789
1790 ret = io_prep_rw(req, force_nonblock);
1791 if (ret)
1792 return ret;
1793
1794 if (unlikely(!(req->file->f_mode & FMODE_READ)))
1795 return -EBADF;
1796
1797 return io_import_iovec(READ, req, iovec, iter);
1798}
1799
267bc904 1800static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 1801 bool force_nonblock)
2b188cc1
JA		 1802{
1803 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1804 struct kiocb *kiocb = &req->rw;
1805 struct iov_iter iter;
1806 struct file *file;
31b51510 1807 size_t iov_count;
f67676d1 1808 ssize_t io_size, ret;
2b188cc1 1809
f67676d1
JA		 1810 if (!req->io) {
1811 ret = io_read_prep(req, &iovec, &iter, force_nonblock);
1812 if (ret < 0)
1813 return ret;
1814 } else {
1815 ret = io_import_iovec(READ, req, &iovec, &iter);
1816 if (ret < 0)
1817 return ret;
1818 }
2b188cc1 1819
f67676d1
JA		 1820 file = req->file;
1821 io_size = ret;
9e645e11 1822 if (req->flags & REQ_F_LINK)
f67676d1
JA		 1823 req->result = io_size;
1824
1825 /*
1826 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1827 * we know to async punt it even if it was opened O_NONBLOCK
1828 */
1829 if (force_nonblock && !io_file_supports_async(file)) {
1830 req->flags |= REQ_F_MUST_PUNT;
1831 goto copy_iov;
1832 }
9e645e11 1833
31b51510
JA		 1834 iov_count = iov_iter_count(&iter);
1835 ret = rw_verify_area(READ, file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 1836 if (!ret) {
1837 ssize_t ret2;
1838
32960613
JA		 1839 if (file->f_op->read_iter)
1840 ret2 = call_read_iter(file, kiocb, &iter);
1841 else
1842 ret2 = loop_rw_iter(READ, file, kiocb, &iter);
1843
9d93a3f5
JA		 1844 /*
1845 * In case of a short read, punt to async. This can happen
1846 * if we have data partially cached. Alternatively we can
1847 * return the short read, in which case the application will
1848 * need to issue another SQE and wait for it. That SQE will
1849 * need async punt anyway, so it's more efficient to do it
1850 * here.
1851 */
491381ce
JA		 1852 if (force_nonblock && !(req->flags & REQ_F_NOWAIT) &&
1853 (req->flags & REQ_F_ISREG) &&
f67676d1 1854 ret2 > 0 && ret2 < io_size)
9d93a3f5
JA		 1855 ret2 = -EAGAIN;
1856 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 1857 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 1858 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 1859 } else {
1860copy_iov:
b7bb4f7d 1861 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 1862 inline_vecs, &iter);
1863 if (ret)
1864 goto out_free;
1865 return -EAGAIN;
1866 }
2b188cc1 1867 }
f67676d1 1868out_free:
b7bb4f7d
JA		 1869 if (!io_wq_current_is_worker())
1870 kfree(iovec);
2b188cc1
JA		 1871 return ret;
1872}
1873
f67676d1
JA		 1874static int io_write_prep(struct io_kiocb *req, struct iovec **iovec,
1875 struct iov_iter *iter, bool force_nonblock)
1876{
1877 ssize_t ret;
1878
1879 ret = io_prep_rw(req, force_nonblock);
1880 if (ret)
1881 return ret;
1882
1883 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
1884 return -EBADF;
1885
1886 return io_import_iovec(WRITE, req, iovec, iter);
1887}
1888
267bc904 1889static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 1890 bool force_nonblock)
2b188cc1
JA		 1891{
1892 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1893 struct kiocb *kiocb = &req->rw;
1894 struct iov_iter iter;
1895 struct file *file;
31b51510 1896 size_t iov_count;
f67676d1 1897 ssize_t ret, io_size;
2b188cc1 1898
f67676d1
JA		 1899 if (!req->io) {
1900 ret = io_write_prep(req, &iovec, &iter, force_nonblock);
1901 if (ret < 0)
1902 return ret;
1903 } else {
1904 ret = io_import_iovec(WRITE, req, &iovec, &iter);
1905 if (ret < 0)
1906 return ret;
1907 }
2b188cc1 1908
2b188cc1 1909 file = kiocb->ki_filp;
f67676d1 1910 io_size = ret;
9e645e11 1911 if (req->flags & REQ_F_LINK)
f67676d1 1912 req->result = io_size;
9e645e11 1913
f67676d1
JA		 1914 /*
1915 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1916 * we know to async punt it even if it was opened O_NONBLOCK
1917 */
1918 if (force_nonblock && !io_file_supports_async(req->file)) {
1919 req->flags |= REQ_F_MUST_PUNT;
1920 goto copy_iov;
1921 }
31b51510 1922
10d59345
JA		 1923 /* file path doesn't support NOWAIT for non-direct_IO */
1924 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
1925 (req->flags & REQ_F_ISREG))
f67676d1 1926 goto copy_iov;
31b51510 1927
f67676d1 1928 iov_count = iov_iter_count(&iter);
31b51510 1929 ret = rw_verify_area(WRITE, file, &kiocb->ki_pos, iov_count);
2b188cc1 1930 if (!ret) {
9bf7933f
RP		 1931 ssize_t ret2;
1932
2b188cc1
JA		 1933 /*
1934 * Open-code file_start_write here to grab freeze protection,
1935 * which will be released by another thread in
1936 * io_complete_rw(). Fool lockdep by telling it the lock got
1937 * released so that it doesn't complain about the held lock when
1938 * we return to userspace.
1939 */
491381ce 1940 if (req->flags & REQ_F_ISREG) {
2b188cc1
JA		 1941 __sb_start_write(file_inode(file)->i_sb,
1942 SB_FREEZE_WRITE, true);
1943 __sb_writers_release(file_inode(file)->i_sb,
1944 SB_FREEZE_WRITE);
1945 }
1946 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 1947
32960613
JA		 1948 if (file->f_op->write_iter)
1949 ret2 = call_write_iter(file, kiocb, &iter);
1950 else
1951 ret2 = loop_rw_iter(WRITE, file, kiocb, &iter);
f67676d1 1952 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 1953 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 1954 } else {
1955copy_iov:
b7bb4f7d 1956 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 1957 inline_vecs, &iter);
1958 if (ret)
1959 goto out_free;
1960 return -EAGAIN;
1961 }
2b188cc1 1962 }
31b51510 1963out_free:
b7bb4f7d
JA		 1964 if (!io_wq_current_is_worker())
1965 kfree(iovec);
2b188cc1
JA		 1966 return ret;
1967}
1968
1969/*
1970 * IORING_OP_NOP just posts a completion event, nothing else.
1971 */
78e19bbe 1972static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 1973{
1974 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 1975
def596e9
JA		 1976 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
1977 return -EINVAL;
1978
78e19bbe 1979 io_cqring_add_event(req, 0);
e65ef56d 1980 io_put_req(req);
2b188cc1
JA		 1981 return 0;
1982}
1983
fc4df999 1984static int io_prep_fsync(struct io_kiocb *req)
c992fe29 1985{
fc4df999 1986 const struct io_uring_sqe *sqe = req->sqe;
6b06314c 1987 struct io_ring_ctx *ctx = req->ctx;
c992fe29 1988
8ed8d3c3
JA		 1989 if (req->flags & REQ_F_PREPPED)
1990 return 0;
09bb8394
JA		 1991 if (!req->file)
1992 return -EBADF;
c992fe29 1993
6b06314c 1994 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 1995 return -EINVAL;
edafccee 1996 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 1997 return -EINVAL;
1998
8ed8d3c3
JA		 1999 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2000 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2001 return -EINVAL;
2002
2003 req->sync.off = READ_ONCE(sqe->off);
2004 req->sync.len = READ_ONCE(sqe->len);
2005 req->flags |= REQ_F_PREPPED;
c992fe29
CH		 2006 return 0;
2007}
2008
8ed8d3c3
JA		 2009static bool io_req_cancelled(struct io_kiocb *req)
2010{
2011 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2012 req_set_fail_links(req);
2013 io_cqring_add_event(req, -ECANCELED);
2014 io_put_req(req);
2015 return true;
2016 }
2017
2018 return false;
2019}
2020
2021static void io_fsync_finish(struct io_wq_work **workptr)
2022{
2023 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2024 loff_t end = req->sync.off + req->sync.len;
2025 struct io_kiocb *nxt = NULL;
2026 int ret;
2027
2028 if (io_req_cancelled(req))
2029 return;
2030
2031 ret = vfs_fsync_range(req->rw.ki_filp, req->sync.off,
2032 end > 0 ? end : LLONG_MAX,
2033 req->sync.flags & IORING_FSYNC_DATASYNC);
2034 if (ret < 0)
2035 req_set_fail_links(req);
2036 io_cqring_add_event(req, ret);
2037 io_put_req_find_next(req, &nxt);
2038 if (nxt)
2039 *workptr = &nxt->work;
2040}
2041
fc4df999
JA		 2042static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2043 bool force_nonblock)
c992fe29 2044{
8ed8d3c3 2045 struct io_wq_work *work, *old_work;
c992fe29
CH		 2046 int ret;
2047
fc4df999 2048 ret = io_prep_fsync(req);
c992fe29
CH		 2049 if (ret)
2050 return ret;
2051
2052 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2053 if (force_nonblock) {
2054 io_put_req(req);
2055 req->work.func = io_fsync_finish;
c992fe29 2056 return -EAGAIN;
8ed8d3c3 2057 }
c992fe29 2058
8ed8d3c3
JA		 2059 work = old_work = &req->work;
2060 io_fsync_finish(&work);
2061 if (work && work != old_work)
2062 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2063 return 0;
2064}
2065
fc4df999 2066static int io_prep_sfr(struct io_kiocb *req)
5d17b4a4 2067{
fc4df999 2068 const struct io_uring_sqe *sqe = req->sqe;
5d17b4a4 2069 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4 2070
8ed8d3c3
JA		 2071 if (req->flags & REQ_F_PREPPED)
2072 return 0;
5d17b4a4
JA		 2073 if (!req->file)
2074 return -EBADF;
5d17b4a4
JA		 2075
2076 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2077 return -EINVAL;
2078 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2079 return -EINVAL;
2080
8ed8d3c3
JA		 2081 req->sync.off = READ_ONCE(sqe->off);
2082 req->sync.len = READ_ONCE(sqe->len);
2083 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
2084 req->flags |= REQ_F_PREPPED;
2085 return 0;
2086}
2087
2088static void io_sync_file_range_finish(struct io_wq_work **workptr)
2089{
2090 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2091 struct io_kiocb *nxt = NULL;
2092 int ret;
2093
2094 if (io_req_cancelled(req))
2095 return;
2096
2097 ret = sync_file_range(req->rw.ki_filp, req->sync.off, req->sync.len,
2098 req->sync.flags);
2099 if (ret < 0)
2100 req_set_fail_links(req);
2101 io_cqring_add_event(req, ret);
2102 io_put_req_find_next(req, &nxt);
2103 if (nxt)
2104 *workptr = &nxt->work;
5d17b4a4
JA		 2105}
2106
fc4df999 2107static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2108 bool force_nonblock)
2109{
8ed8d3c3 2110 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2111 int ret;
2112
fc4df999 2113 ret = io_prep_sfr(req);
5d17b4a4
JA		 2114 if (ret)
2115 return ret;
2116
2117 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2118 if (force_nonblock) {
2119 io_put_req(req);
2120 req->work.func = io_sync_file_range_finish;
5d17b4a4 2121 return -EAGAIN;
8ed8d3c3 2122 }
5d17b4a4 2123
8ed8d3c3
JA		 2124 work = old_work = &req->work;
2125 io_sync_file_range_finish(&work);
2126 if (work && work != old_work)
2127 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2128 return 0;
2129}
2130
b7bb4f7d
JA		 2131#if defined(CONFIG_NET)
2132static void io_sendrecv_async(struct io_wq_work **workptr)
2133{
2134 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2135 struct iovec *iov = NULL;
2136
2137 if (req->io->rw.iov != req->io->rw.fast_iov)
2138 iov = req->io->msg.iov;
2139 io_wq_submit_work(workptr);
2140 kfree(iov);
2141}
2142#endif
2143
03b1230c
JA		 2144static int io_sendmsg_prep(struct io_kiocb *req, struct io_async_ctx *io)
2145{
0fa03c62 2146#if defined(CONFIG_NET)
03b1230c
JA		 2147 const struct io_uring_sqe *sqe = req->sqe;
2148 struct user_msghdr __user *msg;
2149 unsigned flags;
2150
2151 flags = READ_ONCE(sqe->msg_flags);
2152 msg = (struct user_msghdr __user *)(unsigned long) READ_ONCE(sqe->addr);
d9688565 2153 io->msg.iov = io->msg.fast_iov;
03b1230c
JA		 2154 return sendmsg_copy_msghdr(&io->msg.msg, msg, flags, &io->msg.iov);
2155#else
2156 return 0;
2157#endif
2158}
2159
fc4df999
JA		 2160static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2161 bool force_nonblock)
aa1fa28f 2162{
03b1230c 2163#if defined(CONFIG_NET)
fc4df999 2164 const struct io_uring_sqe *sqe = req->sqe;
0b416c3e 2165 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2166 struct socket *sock;
2167 int ret;
2168
2169 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2170 return -EINVAL;
2171
2172 sock = sock_from_file(req->file, &ret);
2173 if (sock) {
b7bb4f7d 2174 struct io_async_ctx io;
03b1230c 2175 struct sockaddr_storage addr;
0fa03c62
JA		 2176 unsigned flags;
2177
2178 flags = READ_ONCE(sqe->msg_flags);
2179 if (flags & MSG_DONTWAIT)
2180 req->flags |= REQ_F_NOWAIT;
2181 else if (force_nonblock)
2182 flags |= MSG_DONTWAIT;
2183
03b1230c 2184 if (req->io) {
0b416c3e
JA		 2185 kmsg = &req->io->msg;
2186 kmsg->msg.msg_name = &addr;
2187 /* if iov is set, it's allocated already */
2188 if (!kmsg->iov)
2189 kmsg->iov = kmsg->fast_iov;
2190 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2191 } else {
0b416c3e
JA		 2192 kmsg = &io.msg;
2193 kmsg->msg.msg_name = &addr;
03b1230c
JA		 2194 ret = io_sendmsg_prep(req, &io);
2195 if (ret)
2196 goto out;
2197 }
0fa03c62 2198
0b416c3e 2199 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2200 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2201 if (req->io)
2202 return -EAGAIN;
2203 if (io_alloc_async_ctx(req))
2204 return -ENOMEM;
2205 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2206 req->work.func = io_sendrecv_async;
0b416c3e 2207 return -EAGAIN;
03b1230c 2208 }
441cdbd5
JA		 2209 if (ret == -ERESTARTSYS)
2210 ret = -EINTR;
0fa03c62
JA		 2211 }
2212
03b1230c 2213out:
b7bb4f7d 2214 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2215 kfree(kmsg->iov);
78e19bbe 2216 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2217 if (ret < 0)
2218 req_set_fail_links(req);
ec9c02ad 2219 io_put_req_find_next(req, nxt);
5d17b4a4 2220 return 0;
03b1230c
JA		 2221#else
2222 return -EOPNOTSUPP;
aa1fa28f 2223#endif
03b1230c 2224}
aa1fa28f 2225
03b1230c 2226static int io_recvmsg_prep(struct io_kiocb *req, struct io_async_ctx *io)
aa1fa28f
JA		 2227{
2228#if defined(CONFIG_NET)
03b1230c
JA		 2229 const struct io_uring_sqe *sqe = req->sqe;
2230 struct user_msghdr __user *msg;
2231 unsigned flags;
2232
2233 flags = READ_ONCE(sqe->msg_flags);
2234 msg = (struct user_msghdr __user *)(unsigned long) READ_ONCE(sqe->addr);
d9688565 2235 io->msg.iov = io->msg.fast_iov;
03b1230c
JA		 2236 return recvmsg_copy_msghdr(&io->msg.msg, msg, flags, &io->msg.uaddr,
2237 &io->msg.iov);
aa1fa28f 2238#else
03b1230c 2239 return 0;
aa1fa28f
JA		 2240#endif
2241}
2242
fc4df999
JA		 2243static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2244 bool force_nonblock)
aa1fa28f
JA		 2245{
2246#if defined(CONFIG_NET)
fc4df999 2247 const struct io_uring_sqe *sqe = req->sqe;
0b416c3e 2248 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 2249 struct socket *sock;
2250 int ret;
2251
2252 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2253 return -EINVAL;
2254
2255 sock = sock_from_file(req->file, &ret);
2256 if (sock) {
2257 struct user_msghdr __user *msg;
b7bb4f7d 2258 struct io_async_ctx io;
03b1230c 2259 struct sockaddr_storage addr;
03b1230c
JA		 2260 unsigned flags;
2261
2262 flags = READ_ONCE(sqe->msg_flags);
2263 if (flags & MSG_DONTWAIT)
2264 req->flags |= REQ_F_NOWAIT;
2265 else if (force_nonblock)
2266 flags |= MSG_DONTWAIT;
2267
2268 msg = (struct user_msghdr __user *) (unsigned long)
2269 READ_ONCE(sqe->addr);
2270 if (req->io) {
0b416c3e
JA		 2271 kmsg = &req->io->msg;
2272 kmsg->msg.msg_name = &addr;
2273 /* if iov is set, it's allocated already */
2274 if (!kmsg->iov)
2275 kmsg->iov = kmsg->fast_iov;
2276 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2277 } else {
0b416c3e
JA		 2278 kmsg = &io.msg;
2279 kmsg->msg.msg_name = &addr;
03b1230c
JA		 2280 ret = io_recvmsg_prep(req, &io);
2281 if (ret)
2282 goto out;
2283 }
2284
0b416c3e 2285 ret = __sys_recvmsg_sock(sock, &kmsg->msg, msg, kmsg->uaddr, flags);
03b1230c 2286 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2287 if (req->io)
2288 return -EAGAIN;
2289 if (io_alloc_async_ctx(req))
2290 return -ENOMEM;
2291 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2292 req->work.func = io_sendrecv_async;
0b416c3e 2293 return -EAGAIN;
03b1230c
JA		 2294 }
2295 if (ret == -ERESTARTSYS)
2296 ret = -EINTR;
2297 }
2298
2299out:
b7bb4f7d 2300 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2301 kfree(kmsg->iov);
03b1230c 2302 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2303 if (ret < 0)
2304 req_set_fail_links(req);
03b1230c
JA		 2305 io_put_req_find_next(req, nxt);
2306 return 0;
0fa03c62
JA		 2307#else
2308 return -EOPNOTSUPP;
2309#endif
2310}
5d17b4a4 2311
8ed8d3c3 2312static int io_accept_prep(struct io_kiocb *req)
17f2fe35
JA		 2313{
2314#if defined(CONFIG_NET)
fc4df999 2315 const struct io_uring_sqe *sqe = req->sqe;
8ed8d3c3
JA		 2316 struct io_accept *accept = &req->accept;
2317
2318 if (req->flags & REQ_F_PREPPED)
2319 return 0;
17f2fe35
JA		 2320
2321 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2322 return -EINVAL;
8042d6ce 2323 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 2324 return -EINVAL;
2325
8ed8d3c3
JA		 2326 accept->addr = (struct sockaddr __user *)
2327 (unsigned long) READ_ONCE(sqe->addr);
2328 accept->addr_len = (int __user *) (unsigned long) READ_ONCE(sqe->addr2);
2329 accept->flags = READ_ONCE(sqe->accept_flags);
2330 req->flags |= REQ_F_PREPPED;
2331 return 0;
2332#else
2333 return -EOPNOTSUPP;
2334#endif
2335}
17f2fe35 2336
8ed8d3c3
JA		 2337#if defined(CONFIG_NET)
2338static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2339 bool force_nonblock)
2340{
2341 struct io_accept *accept = &req->accept;
2342 unsigned file_flags;
2343 int ret;
2344
2345 file_flags = force_nonblock ? O_NONBLOCK : 0;
2346 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2347 accept->addr_len, accept->flags);
2348 if (ret == -EAGAIN && force_nonblock)
17f2fe35 2349 return -EAGAIN;
8e3cca12
JA		 2350 if (ret == -ERESTARTSYS)
2351 ret = -EINTR;
4e88d6e7
JA		 2352 if (ret < 0)
2353 req_set_fail_links(req);
78e19bbe 2354 io_cqring_add_event(req, ret);
ec9c02ad 2355 io_put_req_find_next(req, nxt);
17f2fe35 2356 return 0;
8ed8d3c3
JA		 2357}
2358
2359static void io_accept_finish(struct io_wq_work **workptr)
2360{
2361 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2362 struct io_kiocb *nxt = NULL;
2363
2364 if (io_req_cancelled(req))
2365 return;
2366 __io_accept(req, &nxt, false);
2367 if (nxt)
2368 *workptr = &nxt->work;
2369}
2370#endif
2371
2372static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2373 bool force_nonblock)
2374{
2375#if defined(CONFIG_NET)
2376 int ret;
2377
2378 ret = io_accept_prep(req);
2379 if (ret)
2380 return ret;
2381
2382 ret = __io_accept(req, nxt, force_nonblock);
2383 if (ret == -EAGAIN && force_nonblock) {
2384 req->work.func = io_accept_finish;
2385 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2386 io_put_req(req);
2387 return -EAGAIN;
2388 }
2389 return 0;
0fa03c62
JA		 2390#else
2391 return -EOPNOTSUPP;
2392#endif
2393}
5d17b4a4 2394
f499a021
JA		 2395static int io_connect_prep(struct io_kiocb *req, struct io_async_ctx *io)
2396{
2397#if defined(CONFIG_NET)
2398 const struct io_uring_sqe *sqe = req->sqe;
2399 struct sockaddr __user *addr;
2400 int addr_len;
2401
2402 addr = (struct sockaddr __user *) (unsigned long) READ_ONCE(sqe->addr);
2403 addr_len = READ_ONCE(sqe->addr2);
2404 return move_addr_to_kernel(addr, addr_len, &io->connect.address);
2405#else
2406 return 0;
2407#endif
2408}
2409
fc4df999
JA		 2410static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
2411 bool force_nonblock)
f8e85cf2
JA		 2412{
2413#if defined(CONFIG_NET)
fc4df999 2414 const struct io_uring_sqe *sqe = req->sqe;
f499a021 2415 struct io_async_ctx __io, *io;
f8e85cf2
JA		 2416 unsigned file_flags;
2417 int addr_len, ret;
2418
2419 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2420 return -EINVAL;
2421 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
2422 return -EINVAL;
2423
f8e85cf2
JA		 2424 addr_len = READ_ONCE(sqe->addr2);
2425 file_flags = force_nonblock ? O_NONBLOCK : 0;
2426
f499a021
JA		 2427 if (req->io) {
2428 io = req->io;
2429 } else {
2430 ret = io_connect_prep(req, &__io);
2431 if (ret)
2432 goto out;
2433 io = &__io;
2434 }
2435
2436 ret = __sys_connect_file(req->file, &io->connect.address, addr_len,
2437 file_flags);
87f80d62 2438 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 2439 if (req->io)
2440 return -EAGAIN;
2441 if (io_alloc_async_ctx(req)) {
f499a021
JA		 2442 ret = -ENOMEM;
2443 goto out;
2444 }
b7bb4f7d 2445 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 2446 return -EAGAIN;
f499a021 2447 }
f8e85cf2
JA		 2448 if (ret == -ERESTARTSYS)
2449 ret = -EINTR;
f499a021 2450out:
4e88d6e7
JA		 2451 if (ret < 0)
2452 req_set_fail_links(req);
f8e85cf2
JA		 2453 io_cqring_add_event(req, ret);
2454 io_put_req_find_next(req, nxt);
2455 return 0;
2456#else
2457 return -EOPNOTSUPP;
2458#endif
2459}
2460
221c5eb2
JA		 2461static void io_poll_remove_one(struct io_kiocb *req)
2462{
2463 struct io_poll_iocb *poll = &req->poll;
2464
2465 spin_lock(&poll->head->lock);
2466 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 2467 if (!list_empty(&poll->wait.entry)) {
2468 list_del_init(&poll->wait.entry);
a197f664 2469 io_queue_async_work(req);
221c5eb2
JA		 2470 }
2471 spin_unlock(&poll->head->lock);
78076bb6 2472 hash_del(&req->hash_node);
221c5eb2
JA		 2473}
2474
2475static void io_poll_remove_all(struct io_ring_ctx *ctx)
2476{
78076bb6 2477 struct hlist_node *tmp;
221c5eb2 2478 struct io_kiocb *req;
78076bb6 2479 int i;
221c5eb2
JA		 2480
2481 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 2482 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
2483 struct hlist_head *list;
2484
2485 list = &ctx->cancel_hash[i];
2486 hlist_for_each_entry_safe(req, tmp, list, hash_node)
2487 io_poll_remove_one(req);
221c5eb2
JA		 2488 }
2489 spin_unlock_irq(&ctx->completion_lock);
2490}
2491
47f46768
JA		 2492static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
2493{
78076bb6 2494 struct hlist_head *list;
47f46768
JA		 2495 struct io_kiocb *req;
2496
78076bb6
JA		 2497 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
2498 hlist_for_each_entry(req, list, hash_node) {
2499 if (sqe_addr == req->user_data) {
eac406c6
JA		 2500 io_poll_remove_one(req);
2501 return 0;
2502 }
47f46768
JA		 2503 }
2504
2505 return -ENOENT;
2506}
2507
0969e783
JA		 2508static int io_poll_remove_prep(struct io_kiocb *req)
2509{
2510 const struct io_uring_sqe *sqe = req->sqe;
2511
2512 if (req->flags & REQ_F_PREPPED)
2513 return 0;
2514 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2515 return -EINVAL;
2516 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
2517 sqe->poll_events)
2518 return -EINVAL;
2519
2520 req->poll.addr = READ_ONCE(sqe->addr);
2521 req->flags |= REQ_F_PREPPED;
2522 return 0;
2523}
2524
221c5eb2
JA		 2525/*
2526 * Find a running poll command that matches one specified in sqe->addr,
2527 * and remove it if found.
2528 */
fc4df999 2529static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 2530{
2531 struct io_ring_ctx *ctx = req->ctx;
0969e783 2532 u64 addr;
47f46768 2533 int ret;
221c5eb2 2534
0969e783
JA		 2535 ret = io_poll_remove_prep(req);
2536 if (ret)
2537 return ret;
221c5eb2 2538
0969e783 2539 addr = req->poll.addr;
221c5eb2 2540 spin_lock_irq(&ctx->completion_lock);
0969e783 2541 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 2542 spin_unlock_irq(&ctx->completion_lock);
2543
78e19bbe 2544 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2545 if (ret < 0)
2546 req_set_fail_links(req);
e65ef56d 2547 io_put_req(req);
221c5eb2
JA		 2548 return 0;
2549}
2550
b0dd8a41 2551static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 2552{
a197f664
JL		 2553 struct io_ring_ctx *ctx = req->ctx;
2554
8c838788 2555 req->poll.done = true;
b0dd8a41
JA		 2556 if (error)
2557 io_cqring_fill_event(req, error);
2558 else
2559 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 2560 io_commit_cqring(ctx);
221c5eb2
JA		 2561}
2562
561fb04a 2563static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 2564{
561fb04a 2565 struct io_wq_work *work = *workptr;
221c5eb2
JA		 2566 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2567 struct io_poll_iocb *poll = &req->poll;
2568 struct poll_table_struct pt = { ._key = poll->events };
2569 struct io_ring_ctx *ctx = req->ctx;
89723d0b 2570 struct io_kiocb *nxt = NULL;
221c5eb2 2571 __poll_t mask = 0;
b0dd8a41 2572 int ret = 0;
221c5eb2 2573
b0dd8a41 2574 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 2575 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 2576 ret = -ECANCELED;
2577 } else if (READ_ONCE(poll->canceled)) {
2578 ret = -ECANCELED;
2579 }
561fb04a 2580
b0dd8a41 2581 if (ret != -ECANCELED)
221c5eb2
JA		 2582 mask = vfs_poll(poll->file, &pt) & poll->events;
2583
2584 /*
2585 * Note that ->ki_cancel callers also delete iocb from active_reqs after
2586 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
2587 * synchronize with them. In the cancellation case the list_del_init
2588 * itself is not actually needed, but harmless so we keep it in to
2589 * avoid further branches in the fast path.
2590 */
2591 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 2592 if (!mask && ret != -ECANCELED) {
392edb45 2593 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 2594 spin_unlock_irq(&ctx->completion_lock);
2595 return;
2596 }
78076bb6 2597 hash_del(&req->hash_node);
b0dd8a41 2598 io_poll_complete(req, mask, ret);
221c5eb2
JA		 2599 spin_unlock_irq(&ctx->completion_lock);
2600
8c838788 2601 io_cqring_ev_posted(ctx);
89723d0b 2602
4e88d6e7
JA		 2603 if (ret < 0)
2604 req_set_fail_links(req);
ec9c02ad 2605 io_put_req_find_next(req, &nxt);
89723d0b
JA		 2606 if (nxt)
2607 *workptr = &nxt->work;
221c5eb2
JA		 2608}
2609
2610static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2611 void *key)
2612{
e944475e 2613 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 2614 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
2615 struct io_ring_ctx *ctx = req->ctx;
2616 __poll_t mask = key_to_poll(key);
8c838788 2617 unsigned long flags;
221c5eb2
JA		 2618
2619 /* for instances that support it check for an event match first: */
8c838788
JA		 2620 if (mask && !(mask & poll->events))
2621 return 0;
221c5eb2 2622
392edb45 2623 list_del_init(&poll->wait.entry);
221c5eb2 2624
7c9e7f0f
JA		 2625 /*
2626 * Run completion inline if we can. We're using trylock here because
2627 * we are violating the completion_lock -> poll wq lock ordering.
2628 * If we have a link timeout we're going to need the completion_lock
2629 * for finalizing the request, mark us as having grabbed that already.
2630 */
8c838788 2631 if (mask && spin_trylock_irqsave(&ctx->completion_lock, flags)) {
78076bb6 2632 hash_del(&req->hash_node);
b0dd8a41 2633 io_poll_complete(req, mask, 0);
7c9e7f0f
JA		 2634 req->flags |= REQ_F_COMP_LOCKED;
2635 io_put_req(req);
8c838788 2636 spin_unlock_irqrestore(&ctx->completion_lock, flags);
221c5eb2 2637
8c838788 2638 io_cqring_ev_posted(ctx);
8c838788 2639 } else {
a197f664 2640 io_queue_async_work(req);
221c5eb2
JA		 2641 }
2642
221c5eb2
JA		 2643 return 1;
2644}
2645
2646struct io_poll_table {
2647 struct poll_table_struct pt;
2648 struct io_kiocb *req;
2649 int error;
2650};
2651
2652static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
2653 struct poll_table_struct *p)
2654{
2655 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
2656
2657 if (unlikely(pt->req->poll.head)) {
2658 pt->error = -EINVAL;
2659 return;
2660 }
2661
2662 pt->error = 0;
2663 pt->req->poll.head = head;
392edb45 2664 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 2665}
2666
eac406c6
JA		 2667static void io_poll_req_insert(struct io_kiocb *req)
2668{
2669 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 2670 struct hlist_head *list;
2671
2672 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
2673 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 2674}
2675
0969e783 2676static int io_poll_add_prep(struct io_kiocb *req)
221c5eb2 2677{
fc4df999 2678 const struct io_uring_sqe *sqe = req->sqe;
221c5eb2 2679 struct io_poll_iocb *poll = &req->poll;
221c5eb2 2680 u16 events;
221c5eb2 2681
0969e783
JA		 2682 if (req->flags & REQ_F_PREPPED)
2683 return 0;
221c5eb2
JA		 2684 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2685 return -EINVAL;
2686 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
2687 return -EINVAL;
09bb8394
JA		 2688 if (!poll->file)
2689 return -EBADF;
221c5eb2 2690
0969e783 2691 req->flags |= REQ_F_PREPPED;
221c5eb2
JA		 2692 events = READ_ONCE(sqe->poll_events);
2693 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 2694 return 0;
2695}
2696
2697static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
2698{
2699 struct io_poll_iocb *poll = &req->poll;
2700 struct io_ring_ctx *ctx = req->ctx;
2701 struct io_poll_table ipt;
2702 bool cancel = false;
2703 __poll_t mask;
2704 int ret;
2705
2706 ret = io_poll_add_prep(req);
2707 if (ret)
2708 return ret;
2709
2710 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 2711 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 2712
221c5eb2 2713 poll->head = NULL;
8c838788 2714 poll->done = false;
221c5eb2
JA		 2715 poll->canceled = false;
2716
2717 ipt.pt._qproc = io_poll_queue_proc;
2718 ipt.pt._key = poll->events;
2719 ipt.req = req;
2720 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
2721
2722 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 2723 INIT_LIST_HEAD(&poll->wait.entry);
2724 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
2725 poll->wait.private = poll;
221c5eb2 2726
36703247
JA		 2727 INIT_LIST_HEAD(&req->list);
2728
221c5eb2 2729 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 2730
2731 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 2732 if (likely(poll->head)) {
2733 spin_lock(&poll->head->lock);
392edb45 2734 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 2735 if (ipt.error)
2736 cancel = true;
2737 ipt.error = 0;
2738 mask = 0;
2739 }
2740 if (mask || ipt.error)
392edb45 2741 list_del_init(&poll->wait.entry);
8c838788
JA		 2742 else if (cancel)
2743 WRITE_ONCE(poll->canceled, true);
2744 else if (!poll->done) /* actually waiting for an event */
eac406c6 2745 io_poll_req_insert(req);
8c838788
JA		 2746 spin_unlock(&poll->head->lock);
2747 }
2748 if (mask) { /* no async, we'd stolen it */
221c5eb2 2749 ipt.error = 0;
b0dd8a41 2750 io_poll_complete(req, mask, 0);
221c5eb2 2751 }
221c5eb2
JA		 2752 spin_unlock_irq(&ctx->completion_lock);
2753
8c838788
JA		 2754 if (mask) {
2755 io_cqring_ev_posted(ctx);
ec9c02ad 2756 io_put_req_find_next(req, nxt);
221c5eb2 2757 }
8c838788 2758 return ipt.error;
221c5eb2
JA		 2759}
2760
5262f567
JA		 2761static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
2762{
ad8a48ac
JA		 2763 struct io_timeout_data *data = container_of(timer,
2764 struct io_timeout_data, timer);
2765 struct io_kiocb *req = data->req;
2766 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 2767 unsigned long flags;
2768
5262f567
JA		 2769 atomic_inc(&ctx->cq_timeouts);
2770
2771 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 2772 /*
11365043
JA		 2773 * We could be racing with timeout deletion. If the list is empty,
2774 * then timeout lookup already found it and will be handling it.
ef03681a 2775 */
842f9612 2776 if (!list_empty(&req->list)) {
11365043 2777 struct io_kiocb *prev;
5262f567 2778
11365043
JA		 2779 /*
2780 * Adjust the reqs sequence before the current one because it
d195a66e 2781 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 2782 * pointer will be increased, otherwise other timeout reqs may
2783 * return in advance without waiting for enough wait_nr.
2784 */
2785 prev = req;
2786 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
2787 prev->sequence++;
11365043 2788 list_del_init(&req->list);
11365043 2789 }
5262f567 2790
78e19bbe 2791 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 2792 io_commit_cqring(ctx);
2793 spin_unlock_irqrestore(&ctx->completion_lock, flags);
2794
2795 io_cqring_ev_posted(ctx);
4e88d6e7 2796 req_set_fail_links(req);
5262f567
JA		 2797 io_put_req(req);
2798 return HRTIMER_NORESTART;
2799}
2800
47f46768
JA		 2801static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
2802{
2803 struct io_kiocb *req;
2804 int ret = -ENOENT;
2805
2806 list_for_each_entry(req, &ctx->timeout_list, list) {
2807 if (user_data == req->user_data) {
2808 list_del_init(&req->list);
2809 ret = 0;
2810 break;
2811 }
2812 }
2813
2814 if (ret == -ENOENT)
2815 return ret;
2816
2d28390a 2817 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 2818 if (ret == -1)
2819 return -EALREADY;
2820
4e88d6e7 2821 req_set_fail_links(req);
47f46768
JA		 2822 io_cqring_fill_event(req, -ECANCELED);
2823 io_put_req(req);
2824 return 0;
2825}
2826
b29472ee
JA		 2827static int io_timeout_remove_prep(struct io_kiocb *req)
2828{
2829 const struct io_uring_sqe *sqe = req->sqe;
2830
2831 if (req->flags & REQ_F_PREPPED)
2832 return 0;
2833 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2834 return -EINVAL;
2835 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
2836 return -EINVAL;
2837
2838 req->timeout.addr = READ_ONCE(sqe->addr);
2839 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
2840 if (req->timeout.flags)
2841 return -EINVAL;
2842
2843 req->flags |= REQ_F_PREPPED;
2844 return 0;
2845}
2846
11365043
JA		 2847/*
2848 * Remove or update an existing timeout command
2849 */
fc4df999 2850static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 2851{
2852 struct io_ring_ctx *ctx = req->ctx;
47f46768 2853 int ret;
11365043 2854
b29472ee
JA		 2855 ret = io_timeout_remove_prep(req);
2856 if (ret)
2857 return ret;
11365043 2858
11365043 2859 spin_lock_irq(&ctx->completion_lock);
b29472ee 2860 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 2861
47f46768 2862 io_cqring_fill_event(req, ret);
11365043
JA		 2863 io_commit_cqring(ctx);
2864 spin_unlock_irq(&ctx->completion_lock);
5262f567 2865 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 2866 if (ret < 0)
2867 req_set_fail_links(req);
ec9c02ad 2868 io_put_req(req);
11365043 2869 return 0;
5262f567
JA		 2870}
2871
2d28390a
JA		 2872static int io_timeout_prep(struct io_kiocb *req, struct io_async_ctx *io,
2873 bool is_timeout_link)
5262f567 2874{
cf6fd4bd 2875 const struct io_uring_sqe *sqe = req->sqe;
ad8a48ac 2876 struct io_timeout_data *data;
a41525ab 2877 unsigned flags;
5262f567 2878
ad8a48ac 2879 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 2880 return -EINVAL;
ad8a48ac 2881 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 2882 return -EINVAL;
2d28390a
JA		 2883 if (sqe->off && is_timeout_link)
2884 return -EINVAL;
a41525ab
JA		 2885 flags = READ_ONCE(sqe->timeout_flags);
2886 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 2887 return -EINVAL;
bdf20073 2888
2d28390a 2889 data = &io->timeout;
ad8a48ac 2890 data->req = req;
ad8a48ac
JA		 2891 req->flags |= REQ_F_TIMEOUT;
2892
2893 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 2894 return -EFAULT;
2895
11365043 2896 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 2897 data->mode = HRTIMER_MODE_ABS;
11365043 2898 else
ad8a48ac 2899 data->mode = HRTIMER_MODE_REL;
11365043 2900
ad8a48ac
JA		 2901 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
2902 return 0;
2903}
2904
fc4df999 2905static int io_timeout(struct io_kiocb *req)
ad8a48ac 2906{
fc4df999 2907 const struct io_uring_sqe *sqe = req->sqe;
ad8a48ac
JA		 2908 unsigned count;
2909 struct io_ring_ctx *ctx = req->ctx;
2910 struct io_timeout_data *data;
2911 struct list_head *entry;
2912 unsigned span = 0;
b7bb4f7d 2913 int ret;
ad8a48ac 2914
b7bb4f7d
JA		 2915 if (!req->io) {
2916 if (io_alloc_async_ctx(req))
2d28390a 2917 return -ENOMEM;
b7bb4f7d
JA		 2918 ret = io_timeout_prep(req, req->io, false);
2919 if (ret)
2d28390a 2920 return ret;
2d28390a
JA		 2921 }
2922 data = &req->io->timeout;
93bd25bb 2923
5262f567
JA		 2924 /*
2925 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 2926 * timeout event to be satisfied. If it isn't set, then this is
2927 * a pure timeout request, sequence isn't used.
5262f567
JA		 2928 */
2929 count = READ_ONCE(sqe->off);
93bd25bb
JA		 2930 if (!count) {
2931 req->flags |= REQ_F_TIMEOUT_NOSEQ;
2932 spin_lock_irq(&ctx->completion_lock);
2933 entry = ctx->timeout_list.prev;
2934 goto add;
2935 }
5262f567
JA		 2936
2937 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 2938 data->seq_offset = count;
5262f567
JA		 2939
2940 /*
2941 * Insertion sort, ensuring the first entry in the list is always
2942 * the one we need first.
2943 */
5262f567
JA		 2944 spin_lock_irq(&ctx->completion_lock);
2945 list_for_each_prev(entry, &ctx->timeout_list) {
2946 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 2947 unsigned nxt_sq_head;
2948 long long tmp, tmp_nxt;
2d28390a 2949 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 2950
93bd25bb
JA		 2951 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
2952 continue;
2953
5da0fb1a 2954 /*
2955 * Since cached_sq_head + count - 1 can overflow, use type long
2956 * long to store it.
2957 */
2958 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 2959 nxt_sq_head = nxt->sequence - nxt_offset + 1;
2960 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 2961
2962 /*
2963 * cached_sq_head may overflow, and it will never overflow twice
2964 * once there is some timeout req still be valid.
2965 */
2966 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 2967 tmp += UINT_MAX;
5da0fb1a 2968
a1f58ba4 2969 if (tmp > tmp_nxt)
5262f567 2970 break;
a1f58ba4 2971
2972 /*
2973 * Sequence of reqs after the insert one and itself should
2974 * be adjusted because each timeout req consumes a slot.
2975 */
2976 span++;
2977 nxt->sequence++;
5262f567 2978 }
a1f58ba4 2979 req->sequence -= span;
93bd25bb 2980add:
5262f567 2981 list_add(&req->list, entry);
ad8a48ac
JA		 2982 data->timer.function = io_timeout_fn;
2983 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 2984 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 2985 return 0;
2986}
5262f567 2987
62755e35
JA		 2988static bool io_cancel_cb(struct io_wq_work *work, void *data)
2989{
2990 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2991
2992 return req->user_data == (unsigned long) data;
2993}
2994
e977d6d3 2995static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 2996{
62755e35 2997 enum io_wq_cancel cancel_ret;
62755e35
JA		 2998 int ret = 0;
2999
62755e35
JA		 3000 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3001 switch (cancel_ret) {
3002 case IO_WQ_CANCEL_OK:
3003 ret = 0;
3004 break;
3005 case IO_WQ_CANCEL_RUNNING:
3006 ret = -EALREADY;
3007 break;
3008 case IO_WQ_CANCEL_NOTFOUND:
3009 ret = -ENOENT;
3010 break;
3011 }
3012
e977d6d3
JA		 3013 return ret;
3014}
3015
47f46768
JA		 3016static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3017 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3018 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3019{
3020 unsigned long flags;
3021 int ret;
3022
3023 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3024 if (ret != -ENOENT) {
3025 spin_lock_irqsave(&ctx->completion_lock, flags);
3026 goto done;
3027 }
3028
3029 spin_lock_irqsave(&ctx->completion_lock, flags);
3030 ret = io_timeout_cancel(ctx, sqe_addr);
3031 if (ret != -ENOENT)
3032 goto done;
3033 ret = io_poll_cancel(ctx, sqe_addr);
3034done:
b0dd8a41
JA		 3035 if (!ret)
3036 ret = success_ret;
47f46768
JA		 3037 io_cqring_fill_event(req, ret);
3038 io_commit_cqring(ctx);
3039 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3040 io_cqring_ev_posted(ctx);
3041
4e88d6e7
JA		 3042 if (ret < 0)
3043 req_set_fail_links(req);
47f46768
JA		 3044 io_put_req_find_next(req, nxt);
3045}
3046
fbf23849 3047static int io_async_cancel_prep(struct io_kiocb *req)
e977d6d3 3048{
fc4df999 3049 const struct io_uring_sqe *sqe = req->sqe;
e977d6d3 3050
fbf23849
JA		 3051 if (req->flags & REQ_F_PREPPED)
3052 return 0;
3053 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3054 return -EINVAL;
3055 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3056 sqe->cancel_flags)
3057 return -EINVAL;
3058
fbf23849
JA		 3059 req->flags |= REQ_F_PREPPED;
3060 req->cancel.addr = READ_ONCE(sqe->addr);
3061 return 0;
3062}
3063
3064static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3065{
3066 struct io_ring_ctx *ctx = req->ctx;
3067 int ret;
3068
3069 ret = io_async_cancel_prep(req);
3070 if (ret)
3071 return ret;
3072
3073 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3074 return 0;
3075}
3076
b7bb4f7d 3077static int io_req_defer_prep(struct io_kiocb *req)
f67676d1
JA		 3078{
3079 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
b7bb4f7d 3080 struct io_async_ctx *io = req->io;
f67676d1 3081 struct iov_iter iter;
e781573e 3082 ssize_t ret = 0;
f67676d1 3083
d625c6ee 3084 switch (req->opcode) {
e781573e
JA		 3085 case IORING_OP_NOP:
3086 break;
f67676d1
JA		 3087 case IORING_OP_READV:
3088 case IORING_OP_READ_FIXED:
b7bb4f7d
JA		 3089 /* ensure prep does right import */
3090 req->io = NULL;
f67676d1 3091 ret = io_read_prep(req, &iovec, &iter, true);
b7bb4f7d
JA		 3092 req->io = io;
3093 if (ret < 0)
3094 break;
3095 io_req_map_rw(req, ret, iovec, inline_vecs, &iter);
3096 ret = 0;
f67676d1
JA		 3097 break;
3098 case IORING_OP_WRITEV:
3099 case IORING_OP_WRITE_FIXED:
b7bb4f7d
JA		 3100 /* ensure prep does right import */
3101 req->io = NULL;
f67676d1 3102 ret = io_write_prep(req, &iovec, &iter, true);
b7bb4f7d
JA		 3103 req->io = io;
3104 if (ret < 0)
3105 break;
3106 io_req_map_rw(req, ret, iovec, inline_vecs, &iter);
3107 ret = 0;
f67676d1 3108 break;
0969e783
JA		 3109 case IORING_OP_POLL_ADD:
3110 ret = io_poll_add_prep(req);
3111 break;
3112 case IORING_OP_POLL_REMOVE:
3113 ret = io_poll_remove_prep(req);
3114 break;
8ed8d3c3
JA		 3115 case IORING_OP_FSYNC:
3116 ret = io_prep_fsync(req);
3117 break;
3118 case IORING_OP_SYNC_FILE_RANGE:
3119 ret = io_prep_sfr(req);
3120 break;
03b1230c
JA		 3121 case IORING_OP_SENDMSG:
3122 ret = io_sendmsg_prep(req, io);
3123 break;
3124 case IORING_OP_RECVMSG:
3125 ret = io_recvmsg_prep(req, io);
3126 break;
f499a021
JA		 3127 case IORING_OP_CONNECT:
3128 ret = io_connect_prep(req, io);
3129 break;
2d28390a 3130 case IORING_OP_TIMEOUT:
b7bb4f7d
JA		 3131 ret = io_timeout_prep(req, io, false);
3132 break;
b29472ee
JA		 3133 case IORING_OP_TIMEOUT_REMOVE:
3134 ret = io_timeout_remove_prep(req);
3135 break;
fbf23849
JA		 3136 case IORING_OP_ASYNC_CANCEL:
3137 ret = io_async_cancel_prep(req);
3138 break;
2d28390a 3139 case IORING_OP_LINK_TIMEOUT:
b7bb4f7d
JA		 3140 ret = io_timeout_prep(req, io, true);
3141 break;
8ed8d3c3
JA		 3142 case IORING_OP_ACCEPT:
3143 ret = io_accept_prep(req);
3144 break;
f67676d1 3145 default:
e781573e
JA		 3146 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3147 req->opcode);
3148 ret = -EINVAL;
b7bb4f7d 3149 break;
f67676d1
JA		 3150 }
3151
b7bb4f7d 3152 return ret;
f67676d1
JA		 3153}
3154
a197f664 3155static int io_req_defer(struct io_kiocb *req)
de0617e4 3156{
a197f664 3157 struct io_ring_ctx *ctx = req->ctx;
f67676d1 3158 int ret;
de0617e4 3159
9d858b21
BL		 3160 /* Still need defer if there is pending req in defer list. */
3161 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 3162 return 0;
3163
b7bb4f7d 3164 if (io_alloc_async_ctx(req))
de0617e4
JA		 3165 return -EAGAIN;
3166
b7bb4f7d
JA		 3167 ret = io_req_defer_prep(req);
3168 if (ret < 0)
2d28390a 3169 return ret;
2d28390a 3170
de0617e4 3171 spin_lock_irq(&ctx->completion_lock);
9d858b21 3172 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 3173 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 3174 return 0;
3175 }
3176
915967f6 3177 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 3178 list_add_tail(&req->list, &ctx->defer_list);
3179 spin_unlock_irq(&ctx->completion_lock);
3180 return -EIOCBQUEUED;
3181}
3182
f9bd67f6 3183__attribute__((nonnull))
d732447f
PB		 3184static int io_issue_sqe(struct io_kiocb *req, struct io_kiocb **nxt,
3185 bool force_nonblock)
2b188cc1 3186{
a197f664 3187 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 3188 int ret;
2b188cc1 3189
d625c6ee 3190 switch (req->opcode) {
2b188cc1 3191 case IORING_OP_NOP:
78e19bbe 3192 ret = io_nop(req);
2b188cc1
JA		 3193 break;
3194 case IORING_OP_READV:
cf6fd4bd 3195 if (unlikely(req->sqe->buf_index))
edafccee 3196 return -EINVAL;
267bc904 3197 ret = io_read(req, nxt, force_nonblock);
2b188cc1
JA		 3198 break;
3199 case IORING_OP_WRITEV:
cf6fd4bd 3200 if (unlikely(req->sqe->buf_index))
edafccee 3201 return -EINVAL;
267bc904 3202 ret = io_write(req, nxt, force_nonblock);
edafccee
JA		 3203 break;
3204 case IORING_OP_READ_FIXED:
267bc904 3205 ret = io_read(req, nxt, force_nonblock);
edafccee
JA		 3206 break;
3207 case IORING_OP_WRITE_FIXED:
267bc904 3208 ret = io_write(req, nxt, force_nonblock);
2b188cc1 3209 break;
c992fe29 3210 case IORING_OP_FSYNC:
fc4df999 3211 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 3212 break;
221c5eb2 3213 case IORING_OP_POLL_ADD:
fc4df999 3214 ret = io_poll_add(req, nxt);
221c5eb2
JA		 3215 break;
3216 case IORING_OP_POLL_REMOVE:
fc4df999 3217 ret = io_poll_remove(req);
221c5eb2 3218 break;
5d17b4a4 3219 case IORING_OP_SYNC_FILE_RANGE:
fc4df999 3220 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 3221 break;
0fa03c62 3222 case IORING_OP_SENDMSG:
fc4df999 3223 ret = io_sendmsg(req, nxt, force_nonblock);
0fa03c62 3224 break;
aa1fa28f 3225 case IORING_OP_RECVMSG:
fc4df999 3226 ret = io_recvmsg(req, nxt, force_nonblock);
aa1fa28f 3227 break;
5262f567 3228 case IORING_OP_TIMEOUT:
fc4df999 3229 ret = io_timeout(req);
5262f567 3230 break;
11365043 3231 case IORING_OP_TIMEOUT_REMOVE:
fc4df999 3232 ret = io_timeout_remove(req);
11365043 3233 break;
17f2fe35 3234 case IORING_OP_ACCEPT:
fc4df999 3235 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 3236 break;
f8e85cf2 3237 case IORING_OP_CONNECT:
fc4df999 3238 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 3239 break;
62755e35 3240 case IORING_OP_ASYNC_CANCEL:
fc4df999 3241 ret = io_async_cancel(req, nxt);
62755e35 3242 break;
2b188cc1
JA		 3243 default:
3244 ret = -EINVAL;
3245 break;
3246 }
3247
def596e9
JA		 3248 if (ret)
3249 return ret;
3250
3251 if (ctx->flags & IORING_SETUP_IOPOLL) {
9e645e11 3252 if (req->result == -EAGAIN)
def596e9
JA		 3253 return -EAGAIN;
3254
def596e9 3255 io_iopoll_req_issued(req);
def596e9
JA		 3256 }
3257
3258 return 0;
2b188cc1
JA		 3259}
3260
b76da70f
JA		 3261static void io_link_work_cb(struct io_wq_work **workptr)
3262{
3263 struct io_wq_work *work = *workptr;
3264 struct io_kiocb *link = work->data;
3265
3266 io_queue_linked_timeout(link);
3267 work->func = io_wq_submit_work;
3268}
3269
561fb04a 3270static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 3271{
561fb04a 3272 struct io_wq_work *work = *workptr;
2b188cc1 3273 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 3274 struct io_kiocb *nxt = NULL;
3275 int ret = 0;
2b188cc1 3276
561fb04a
JA		 3277 /* Ensure we clear previously set non-block flag */
3278 req->rw.ki_flags &= ~IOCB_NOWAIT;
2b188cc1 3279
561fb04a
JA		 3280 if (work->flags & IO_WQ_WORK_CANCEL)
3281 ret = -ECANCELED;
31b51510 3282
561fb04a 3283 if (!ret) {
cf6fd4bd
PB		 3284 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
3285 req->in_async = true;
561fb04a 3286 do {
d732447f 3287 ret = io_issue_sqe(req, &nxt, false);
561fb04a
JA		 3288 /*
3289 * We can get EAGAIN for polled IO even though we're
3290 * forcing a sync submission from here, since we can't
3291 * wait for request slots on the block side.
3292 */
3293 if (ret != -EAGAIN)
3294 break;
3295 cond_resched();
3296 } while (1);
3297 }
31b51510 3298
561fb04a 3299 /* drop submission reference */
ec9c02ad 3300 io_put_req(req);
817869d2 3301
561fb04a 3302 if (ret) {
4e88d6e7 3303 req_set_fail_links(req);
78e19bbe 3304 io_cqring_add_event(req, ret);
817869d2 3305 io_put_req(req);
edafccee 3306 }
2b188cc1 3307
561fb04a
JA		 3308 /* if a dependent link is ready, pass it back */
3309 if (!ret && nxt) {
94ae5e77
JA		 3310 struct io_kiocb *link;
3311
3312 io_prep_async_work(nxt, &link);
561fb04a 3313 *workptr = &nxt->work;
b76da70f
JA		 3314 if (link) {
3315 nxt->work.flags |= IO_WQ_WORK_CB;
3316 nxt->work.func = io_link_work_cb;
3317 nxt->work.data = link;
3318 }
31b51510 3319 }
2b188cc1
JA		 3320}
3321
9e3aa61a
JA		 3322static bool io_req_op_valid(int op)
3323{
3324 return op >= IORING_OP_NOP && op < IORING_OP_LAST;
3325}
3326
d625c6ee 3327static int io_req_needs_file(struct io_kiocb *req)
09bb8394 3328{
d625c6ee 3329 switch (req->opcode) {
09bb8394
JA		 3330 case IORING_OP_NOP:
3331 case IORING_OP_POLL_REMOVE:
5683e540 3332 case IORING_OP_TIMEOUT:
a320e9fa
PB		 3333 case IORING_OP_TIMEOUT_REMOVE:
3334 case IORING_OP_ASYNC_CANCEL:
3335 case IORING_OP_LINK_TIMEOUT:
9e3aa61a 3336 return 0;
09bb8394 3337 default:
d625c6ee 3338 if (io_req_op_valid(req->opcode))
9e3aa61a
JA		 3339 return 1;
3340 return -EINVAL;
09bb8394
JA		 3341 }
3342}
3343
65e19f54
JA		 3344static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
3345 int index)
3346{
3347 struct fixed_file_table *table;
3348
3349 table = &ctx->file_table[index >> IORING_FILE_TABLE_SHIFT];
3350 return table->files[index & IORING_FILE_TABLE_MASK];
3351}
3352
a197f664 3353static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req)
09bb8394 3354{
a197f664 3355 struct io_ring_ctx *ctx = req->ctx;
09bb8394 3356 unsigned flags;
9e3aa61a 3357 int fd, ret;
09bb8394 3358
cf6fd4bd
PB		 3359 flags = READ_ONCE(req->sqe->flags);
3360 fd = READ_ONCE(req->sqe->fd);
09bb8394 3361
4fe2c963 3362 if (flags & IOSQE_IO_DRAIN)
de0617e4 3363 req->flags |= REQ_F_IO_DRAIN;
de0617e4 3364
d625c6ee 3365 ret = io_req_needs_file(req);
9e3aa61a
JA		 3366 if (ret <= 0)
3367 return ret;
09bb8394
JA		 3368
3369 if (flags & IOSQE_FIXED_FILE) {
65e19f54 3370 if (unlikely(!ctx->file_table ||
09bb8394
JA		 3371 (unsigned) fd >= ctx->nr_user_files))
3372 return -EBADF;
b7620121 3373 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 3374 req->file = io_file_from_index(ctx, fd);
3375 if (!req->file)
08a45173 3376 return -EBADF;
09bb8394
JA		 3377 req->flags |= REQ_F_FIXED_FILE;
3378 } else {
cf6fd4bd 3379 if (req->needs_fixed_file)
09bb8394 3380 return -EBADF;
c826bd7a 3381 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 3382 req->file = io_file_get(state, fd);
3383 if (unlikely(!req->file))
3384 return -EBADF;
3385 }
3386
3387 return 0;
3388}
3389
a197f664 3390static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 3391{
3392 int ret = -EBADF;
a197f664 3393 struct io_ring_ctx *ctx = req->ctx;
fcb323cc
JA		 3394
3395 rcu_read_lock();
3396 spin_lock_irq(&ctx->inflight_lock);
3397 /*
3398 * We use the f_ops->flush() handler to ensure that we can flush
3399 * out work accessing these files if the fd is closed. Check if
3400 * the fd has changed since we started down this path, and disallow
3401 * this operation if it has.
3402 */
cf6fd4bd 3403 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 3404 list_add(&req->inflight_entry, &ctx->inflight_list);
3405 req->flags |= REQ_F_INFLIGHT;
3406 req->work.files = current->files;
3407 ret = 0;
3408 }
3409 spin_unlock_irq(&ctx->inflight_lock);
3410 rcu_read_unlock();
3411
3412 return ret;
3413}
3414
2665abfd 3415static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 3416{
ad8a48ac
JA		 3417 struct io_timeout_data *data = container_of(timer,
3418 struct io_timeout_data, timer);
3419 struct io_kiocb *req = data->req;
2665abfd
JA		 3420 struct io_ring_ctx *ctx = req->ctx;
3421 struct io_kiocb *prev = NULL;
3422 unsigned long flags;
2665abfd
JA		 3423
3424 spin_lock_irqsave(&ctx->completion_lock, flags);
3425
3426 /*
3427 * We don't expect the list to be empty, that will only happen if we
3428 * race with the completion of the linked work.
3429 */
4493233e
PB		 3430 if (!list_empty(&req->link_list)) {
3431 prev = list_entry(req->link_list.prev, struct io_kiocb,
3432 link_list);
5d960724 3433 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 3434 list_del_init(&req->link_list);
5d960724
JA		 3435 prev->flags &= ~REQ_F_LINK_TIMEOUT;
3436 } else
76a46e06 3437 prev = NULL;
2665abfd
JA		 3438 }
3439
3440 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3441
3442 if (prev) {
4e88d6e7 3443 req_set_fail_links(prev);
b0dd8a41
JA		 3444 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
3445 -ETIME);
76a46e06 3446 io_put_req(prev);
47f46768
JA		 3447 } else {
3448 io_cqring_add_event(req, -ETIME);
3449 io_put_req(req);
2665abfd 3450 }
2665abfd
JA		 3451 return HRTIMER_NORESTART;
3452}
3453
ad8a48ac 3454static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 3455{
76a46e06 3456 struct io_ring_ctx *ctx = req->ctx;
2665abfd 3457
76a46e06
JA		 3458 /*
3459 * If the list is now empty, then our linked request finished before
3460 * we got a chance to setup the timer
3461 */
3462 spin_lock_irq(&ctx->completion_lock);
4493233e 3463 if (!list_empty(&req->link_list)) {
2d28390a 3464 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 3465
ad8a48ac
JA		 3466 data->timer.function = io_link_timeout_fn;
3467 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
3468 data->mode);
2665abfd 3469 }
76a46e06 3470 spin_unlock_irq(&ctx->completion_lock);
2665abfd 3471
2665abfd 3472 /* drop submission reference */
76a46e06
JA		 3473 io_put_req(req);
3474}
2665abfd 3475
ad8a48ac 3476static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 3477{
3478 struct io_kiocb *nxt;
3479
3480 if (!(req->flags & REQ_F_LINK))
3481 return NULL;
3482
4493233e
PB		 3483 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
3484 link_list);
d625c6ee 3485 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 3486 return NULL;
2665abfd 3487
76a46e06 3488 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 3489 return nxt;
2665abfd
JA		 3490}
3491
0e0702da 3492static void __io_queue_sqe(struct io_kiocb *req)
2b188cc1 3493{
4a0a7a18 3494 struct io_kiocb *linked_timeout;
f9bd67f6 3495 struct io_kiocb *nxt = NULL;
e0c5c576 3496 int ret;
2b188cc1 3497
4a0a7a18
JA		 3498again:
3499 linked_timeout = io_prep_linked_timeout(req);
3500
f9bd67f6 3501 ret = io_issue_sqe(req, &nxt, true);
491381ce
JA		 3502
3503 /*
3504 * We async punt it if the file wasn't marked NOWAIT, or if the file
3505 * doesn't support non-blocking read/write attempts
3506 */
3507 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
3508 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 3509 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
3510 ret = io_grab_files(req);
3511 if (ret)
3512 goto err;
2b188cc1 3513 }
bbad27b2
PB		 3514
3515 /*
3516 * Queued up for async execution, worker will release
3517 * submit reference when the iocb is actually submitted.
3518 */
3519 io_queue_async_work(req);
4a0a7a18 3520 goto done_req;
2b188cc1 3521 }
e65ef56d 3522
fcb323cc 3523err:
76a46e06 3524 /* drop submission reference */
ec9c02ad 3525 io_put_req(req);
e65ef56d 3526
f9bd67f6 3527 if (linked_timeout) {
76a46e06 3528 if (!ret)
f9bd67f6 3529 io_queue_linked_timeout(linked_timeout);
76a46e06 3530 else
f9bd67f6 3531 io_put_req(linked_timeout);
76a46e06
JA		 3532 }
3533
e65ef56d 3534 /* and drop final reference, if we failed */
9e645e11 3535 if (ret) {
78e19bbe 3536 io_cqring_add_event(req, ret);
4e88d6e7 3537 req_set_fail_links(req);
e65ef56d 3538 io_put_req(req);
9e645e11 3539 }
4a0a7a18
JA		 3540done_req:
3541 if (nxt) {
3542 req = nxt;
3543 nxt = NULL;
3544 goto again;
3545 }
2b188cc1
JA		 3546}
3547
0e0702da 3548static void io_queue_sqe(struct io_kiocb *req)
4fe2c963
JL		 3549{
3550 int ret;
3551
1b4a51b6
PB		 3552 if (unlikely(req->ctx->drain_next)) {
3553 req->flags |= REQ_F_IO_DRAIN;
3554 req->ctx->drain_next = false;
3555 }
3556 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
3557
a197f664 3558 ret = io_req_defer(req);
4fe2c963
JL		 3559 if (ret) {
3560 if (ret != -EIOCBQUEUED) {
78e19bbe 3561 io_cqring_add_event(req, ret);
4e88d6e7 3562 req_set_fail_links(req);
78e19bbe 3563 io_double_put_req(req);
4fe2c963 3564 }
0e0702da
JA		 3565 } else
3566 __io_queue_sqe(req);
4fe2c963
JL		 3567}
3568
1b4a51b6 3569static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 3570{
94ae5e77 3571 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 3572 io_cqring_add_event(req, -ECANCELED);
3573 io_double_put_req(req);
3574 } else
0e0702da 3575 io_queue_sqe(req);
4fe2c963
JL		 3576}
3577
4e88d6e7
JA		 3578#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
3579 IOSQE_IO_HARDLINK)
9e645e11 3580
2e6e1fde 3581static bool io_submit_sqe(struct io_kiocb *req, struct io_submit_state *state,
a197f664 3582 struct io_kiocb **link)
9e645e11 3583{
a197f664 3584 struct io_ring_ctx *ctx = req->ctx;
9e645e11
JA		 3585 int ret;
3586
3587 /* enforce forwards compatibility on users */
cf6fd4bd 3588 if (unlikely(req->sqe->flags & ~SQE_VALID_FLAGS)) {
9e645e11 3589 ret = -EINVAL;
196be95c 3590 goto err_req;
9e645e11
JA		 3591 }
3592
a197f664 3593 ret = io_req_set_file(state, req);
9e645e11
JA		 3594 if (unlikely(ret)) {
3595err_req:
78e19bbe
JA		 3596 io_cqring_add_event(req, ret);
3597 io_double_put_req(req);
2e6e1fde 3598 return false;
9e645e11
JA		 3599 }
3600
9e645e11
JA		 3601 /*
3602 * If we already have a head request, queue this one for async
3603 * submittal once the head completes. If we don't have a head but
3604 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
3605 * submitted sync once the chain is complete. If none of those
3606 * conditions are true (normal request), then just queue it.
3607 */
3608 if (*link) {
3609 struct io_kiocb *prev = *link;
3610
cf6fd4bd 3611 if (req->sqe->flags & IOSQE_IO_DRAIN)
1b4a51b6
PB		 3612 (*link)->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
3613
4e88d6e7
JA		 3614 if (req->sqe->flags & IOSQE_IO_HARDLINK)
3615 req->flags |= REQ_F_HARDLINK;
3616
b7bb4f7d 3617 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 3618 ret = -EAGAIN;
3619 goto err_req;
3620 }
3621
b7bb4f7d 3622 ret = io_req_defer_prep(req);
2d28390a 3623 if (ret) {
4e88d6e7 3624 /* fail even hard links since we don't submit */
2d28390a 3625 prev->flags |= REQ_F_FAIL_LINK;
f67676d1 3626 goto err_req;
2d28390a 3627 }
c826bd7a 3628 trace_io_uring_link(ctx, req, prev);
4493233e 3629 list_add_tail(&req->link_list, &prev->link_list);
4e88d6e7 3630 } else if (req->sqe->flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 3631 req->flags |= REQ_F_LINK;
4e88d6e7
JA		 3632 if (req->sqe->flags & IOSQE_IO_HARDLINK)
3633 req->flags |= REQ_F_HARDLINK;
9e645e11 3634
9e645e11
JA		 3635 INIT_LIST_HEAD(&req->link_list);
3636 *link = req;
3637 } else {
a197f664 3638 io_queue_sqe(req);
9e645e11 3639 }
2e6e1fde
PB		 3640
3641 return true;
9e645e11
JA		 3642}
3643
9a56a232
JA		 3644/*
3645 * Batched submission is done, ensure local IO is flushed out.
3646 */
3647static void io_submit_state_end(struct io_submit_state *state)
3648{
3649 blk_finish_plug(&state->plug);
3d6770fb 3650 io_file_put(state);
2579f913
JA		 3651 if (state->free_reqs)
3652 kmem_cache_free_bulk(req_cachep, state->free_reqs,
3653 &state->reqs[state->cur_req]);
9a56a232
JA		 3654}
3655
3656/*
3657 * Start submission side cache.
3658 */
3659static void io_submit_state_start(struct io_submit_state *state,
22efde59 3660 unsigned int max_ios)
9a56a232
JA		 3661{
3662 blk_start_plug(&state->plug);
2579f913 3663 state->free_reqs = 0;
9a56a232
JA		 3664 state->file = NULL;
3665 state->ios_left = max_ios;
3666}
3667
2b188cc1
JA		 3668static void io_commit_sqring(struct io_ring_ctx *ctx)
3669{
75b28aff 3670 struct io_rings *rings = ctx->rings;
2b188cc1 3671
75b28aff 3672 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
2b188cc1
JA		 3673 /*
3674 * Ensure any loads from the SQEs are done at this point,
3675 * since once we write the new head, the application could
3676 * write new data to them.
3677 */
75b28aff 3678 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 3679 }
3680}
3681
2b188cc1 3682/*
d195a66e 3683 * Fetch an sqe, if one is available. Note that req->sqe will point to memory
2b188cc1
JA		 3684 * that is mapped by userspace. This means that care needs to be taken to
3685 * ensure that reads are stable, as we cannot rely on userspace always
3686 * being a good citizen. If members of the sqe are validated and then later
3687 * used, it's important that those reads are done through READ_ONCE() to
3688 * prevent a re-load down the line.
3689 */
cf6fd4bd 3690static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req)
2b188cc1 3691{
75b28aff
HV		 3692 struct io_rings *rings = ctx->rings;
3693 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 3694 unsigned head;
3695
3696 /*
3697 * The cached sq head (or cq tail) serves two purposes:
3698 *
3699 * 1) allows us to batch the cost of updating the user visible
3700 * head updates.
3701 * 2) allows the kernel side to track the head on its own, even
3702 * though the application is the one updating it.
3703 */
3704 head = ctx->cached_sq_head;
e523a29c 3705 /* make sure SQ entry isn't read before tail */
9835d6fa 3706 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
2b188cc1
JA		 3707 return false;
3708
75b28aff 3709 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
9835d6fa 3710 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 3711 /*
3712 * All io need record the previous position, if LINK vs DARIN,
3713 * it can be used to mark the position of the first IO in the
3714 * link list.
3715 */
3716 req->sequence = ctx->cached_sq_head;
3717 req->sqe = &ctx->sq_sqes[head];
d625c6ee
JA		 3718 req->opcode = READ_ONCE(req->sqe->opcode);
3719 req->user_data = READ_ONCE(req->sqe->user_data);
2b188cc1
JA		 3720 ctx->cached_sq_head++;
3721 return true;
3722 }
3723
3724 /* drop invalid entries */
3725 ctx->cached_sq_head++;
498ccd9e
JA		 3726 ctx->cached_sq_dropped++;
3727 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 3728 return false;
3729}
3730
fb5ccc98 3731static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 3732 struct file *ring_file, int ring_fd,
3733 struct mm_struct **mm, bool async)
6c271ce2
JA		 3734{
3735 struct io_submit_state state, *statep = NULL;
9e645e11 3736 struct io_kiocb *link = NULL;
9e645e11 3737 int i, submitted = 0;
95a1b3ff 3738 bool mm_fault = false;
6c271ce2 3739
c4a2ed72
JA		 3740 /* if we have a backlog and couldn't flush it all, return BUSY */
3741 if (!list_empty(&ctx->cq_overflow_list) &&
3742 !io_cqring_overflow_flush(ctx, false))
1d7bb1d5 3743 return -EBUSY;
6c271ce2
JA		 3744
3745 if (nr > IO_PLUG_THRESHOLD) {
22efde59 3746 io_submit_state_start(&state, nr);
6c271ce2
JA		 3747 statep = &state;
3748 }
3749
3750 for (i = 0; i < nr; i++) {
196be95c 3751 struct io_kiocb *req;
50585b9a 3752 unsigned int sqe_flags;
fb5ccc98 3753
196be95c
PB		 3754 req = io_get_req(ctx, statep);
3755 if (unlikely(!req)) {
3756 if (!submitted)
3757 submitted = -EAGAIN;
fb5ccc98 3758 break;
196be95c 3759 }
cf6fd4bd 3760 if (!io_get_sqring(ctx, req)) {
196be95c
PB		 3761 __io_free_req(req);
3762 break;
3763 }
fb5ccc98 3764
d625c6ee 3765 if (io_req_needs_user(req) && !*mm) {
95a1b3ff
PB		 3766 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
3767 if (!mm_fault) {
3768 use_mm(ctx->sqo_mm);
3769 *mm = ctx->sqo_mm;
3770 }
9e645e11 3771 }
9e645e11 3772
2e6e1fde 3773 submitted++;
cf6fd4bd 3774 sqe_flags = req->sqe->flags;
50585b9a 3775
cf6fd4bd
PB		 3776 req->ring_file = ring_file;
3777 req->ring_fd = ring_fd;
3778 req->has_user = *mm != NULL;
3779 req->in_async = async;
3780 req->needs_fixed_file = async;
d625c6ee 3781 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
2e6e1fde
PB		 3782 if (!io_submit_sqe(req, statep, &link))
3783 break;
e5eb6366
PB		 3784 /*
3785 * If previous wasn't linked and we have a linked command,
3786 * that's the end of the chain. Submit the previous link.
3787 */
ffbb8d6b 3788 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) && link) {
1b4a51b6 3789 io_queue_link_head(link);
e5eb6366 3790 link = NULL;
6c271ce2 3791 }
6c271ce2
JA		 3792 }
3793
9e645e11 3794 if (link)
1b4a51b6 3795 io_queue_link_head(link);
6c271ce2
JA		 3796 if (statep)
3797 io_submit_state_end(&state);
3798
ae9428ca
PB		 3799 /* Commit SQ ring head once we've consumed and submitted all SQEs */
3800 io_commit_sqring(ctx);
3801
6c271ce2
JA		 3802 return submitted;
3803}
3804
3805static int io_sq_thread(void *data)
3806{
6c271ce2
JA		 3807 struct io_ring_ctx *ctx = data;
3808 struct mm_struct *cur_mm = NULL;
181e448d 3809 const struct cred *old_cred;
6c271ce2
JA		 3810 mm_segment_t old_fs;
3811 DEFINE_WAIT(wait);
3812 unsigned inflight;
3813 unsigned long timeout;
c1edbf5f 3814 int ret;
6c271ce2 3815
206aefde 3816 complete(&ctx->completions[1]);
a4c0b3de 3817
6c271ce2
JA		 3818 old_fs = get_fs();
3819 set_fs(USER_DS);
181e448d 3820 old_cred = override_creds(ctx->creds);
6c271ce2 3821
c1edbf5f 3822 ret = timeout = inflight = 0;
2bbcd6d3 3823 while (!kthread_should_park()) {
fb5ccc98 3824 unsigned int to_submit;
6c271ce2
JA		 3825
3826 if (inflight) {
3827 unsigned nr_events = 0;
3828
3829 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 3830 /*
3831 * inflight is the count of the maximum possible
3832 * entries we submitted, but it can be smaller
3833 * if we dropped some of them. If we don't have
3834 * poll entries available, then we know that we
3835 * have nothing left to poll for. Reset the
3836 * inflight count to zero in that case.
3837 */
3838 mutex_lock(&ctx->uring_lock);
3839 if (!list_empty(&ctx->poll_list))
3840 __io_iopoll_check(ctx, &nr_events, 0);
3841 else
3842 inflight = 0;
3843 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 3844 } else {
3845 /*
3846 * Normal IO, just pretend everything completed.
3847 * We don't have to poll completions for that.
3848 */
3849 nr_events = inflight;
3850 }
3851
3852 inflight -= nr_events;
3853 if (!inflight)
3854 timeout = jiffies + ctx->sq_thread_idle;
3855 }
3856
fb5ccc98 3857 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 3858
3859 /*
3860 * If submit got -EBUSY, flag us as needing the application
3861 * to enter the kernel to reap and flush events.
3862 */
3863 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 3864 /*
3865 * We're polling. If we're within the defined idle
3866 * period, then let us spin without work before going
c1edbf5f
JA		 3867 * to sleep. The exception is if we got EBUSY doing
3868 * more IO, we should wait for the application to
3869 * reap events and wake us up.
6c271ce2 3870 */
c1edbf5f
JA		 3871 if (inflight ||
3872 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 3873 cond_resched();
6c271ce2
JA		 3874 continue;
3875 }
3876
3877 /*
3878 * Drop cur_mm before scheduling, we can't hold it for
3879 * long periods (or over schedule()). Do this before
3880 * adding ourselves to the waitqueue, as the unuse/drop
3881 * may sleep.
3882 */
3883 if (cur_mm) {
3884 unuse_mm(cur_mm);
3885 mmput(cur_mm);
3886 cur_mm = NULL;
3887 }
3888
3889 prepare_to_wait(&ctx->sqo_wait, &wait,
3890 TASK_INTERRUPTIBLE);
3891
3892 /* Tell userspace we may need a wakeup call */
75b28aff 3893 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 3894 /* make sure to read SQ tail after writing flags */
3895 smp_mb();
6c271ce2 3896
fb5ccc98 3897 to_submit = io_sqring_entries(ctx);
c1edbf5f 3898 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 3899 if (kthread_should_park()) {
6c271ce2
JA		 3900 finish_wait(&ctx->sqo_wait, &wait);
3901 break;
3902 }
3903 if (signal_pending(current))
3904 flush_signals(current);
3905 schedule();
3906 finish_wait(&ctx->sqo_wait, &wait);
3907
75b28aff 3908 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 3909 continue;
3910 }
3911 finish_wait(&ctx->sqo_wait, &wait);
3912
75b28aff 3913 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 3914 }
3915
fb5ccc98 3916 to_submit = min(to_submit, ctx->sq_entries);
8a4955ff 3917 mutex_lock(&ctx->uring_lock);
1d7bb1d5 3918 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 3919 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 3920 if (ret > 0)
3921 inflight += ret;
6c271ce2
JA		 3922 }
3923
3924 set_fs(old_fs);
3925 if (cur_mm) {
3926 unuse_mm(cur_mm);
3927 mmput(cur_mm);
3928 }
181e448d 3929 revert_creds(old_cred);
06058632 3930
2bbcd6d3 3931 kthread_parkme();
06058632 3932
6c271ce2
JA		 3933 return 0;
3934}
3935
bda52162
JA		 3936struct io_wait_queue {
3937 struct wait_queue_entry wq;
3938 struct io_ring_ctx *ctx;
3939 unsigned to_wait;
3940 unsigned nr_timeouts;
3941};
3942
1d7bb1d5 3943static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 3944{
3945 struct io_ring_ctx *ctx = iowq->ctx;
3946
3947 /*
d195a66e 3948 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 3949 * started waiting. For timeouts, we always want to return to userspace,
3950 * regardless of event count.
3951 */
1d7bb1d5 3952 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 3953 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
3954}
3955
3956static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
3957 int wake_flags, void *key)
3958{
3959 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
3960 wq);
3961
1d7bb1d5
JA		 3962 /* use noflush == true, as we can't safely rely on locking context */
3963 if (!io_should_wake(iowq, true))
bda52162
JA		 3964 return -1;
3965
3966 return autoremove_wake_function(curr, mode, wake_flags, key);
3967}
3968
2b188cc1
JA		 3969/*
3970 * Wait until events become available, if we don't already have some. The
3971 * application must reap them itself, as they reside on the shared cq ring.
3972 */
3973static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
3974 const sigset_t __user *sig, size_t sigsz)
3975{
bda52162
JA		 3976 struct io_wait_queue iowq = {
3977 .wq = {
3978 .private = current,
3979 .func = io_wake_function,
3980 .entry = LIST_HEAD_INIT(iowq.wq.entry),
3981 },
3982 .ctx = ctx,
3983 .to_wait = min_events,
3984 };
75b28aff 3985 struct io_rings *rings = ctx->rings;
e9ffa5c2 3986 int ret = 0;
2b188cc1 3987
1d7bb1d5 3988 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 3989 return 0;
3990
3991 if (sig) {
9e75ad5d
AB		 3992#ifdef CONFIG_COMPAT
3993 if (in_compat_syscall())
3994 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 3995 sigsz);
9e75ad5d
AB		 3996 else
3997#endif
b772434b 3998 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 3999
2b188cc1
JA		 4000 if (ret)
4001 return ret;
4002 }
4003
bda52162 4004 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 4005 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 4006 do {
4007 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4008 TASK_INTERRUPTIBLE);
1d7bb1d5 4009 if (io_should_wake(&iowq, false))
bda52162
JA		 4010 break;
4011 schedule();
4012 if (signal_pending(current)) {
e9ffa5c2 4013 ret = -EINTR;
bda52162
JA		 4014 break;
4015 }
4016 } while (1);
4017 finish_wait(&ctx->wait, &iowq.wq);
4018
e9ffa5c2 4019 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 4020
75b28aff 4021 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 4022}
4023
6b06314c
JA		 4024static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4025{
4026#if defined(CONFIG_UNIX)
4027 if (ctx->ring_sock) {
4028 struct sock *sock = ctx->ring_sock->sk;
4029 struct sk_buff *skb;
4030
4031 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4032 kfree_skb(skb);
4033 }
4034#else
4035 int i;
4036
65e19f54
JA		 4037 for (i = 0; i < ctx->nr_user_files; i++) {
4038 struct file *file;
4039
4040 file = io_file_from_index(ctx, i);
4041 if (file)
4042 fput(file);
4043 }
6b06314c
JA		 4044#endif
4045}
4046
4047static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4048{
65e19f54
JA		 4049 unsigned nr_tables, i;
4050
4051 if (!ctx->file_table)
6b06314c
JA		 4052 return -ENXIO;
4053
4054 __io_sqe_files_unregister(ctx);
65e19f54
JA		 4055 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4056 for (i = 0; i < nr_tables; i++)
4057 kfree(ctx->file_table[i].files);
4058 kfree(ctx->file_table);
4059 ctx->file_table = NULL;
6b06314c
JA		 4060 ctx->nr_user_files = 0;
4061 return 0;
4062}
4063
6c271ce2
JA		 4064static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4065{
4066 if (ctx->sqo_thread) {
206aefde 4067 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 4068 /*
4069 * The park is a bit of a work-around, without it we get
4070 * warning spews on shutdown with SQPOLL set and affinity
4071 * set to a single CPU.
4072 */
06058632 4073 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 4074 kthread_stop(ctx->sqo_thread);
4075 ctx->sqo_thread = NULL;
4076 }
4077}
4078
6b06314c
JA		 4079static void io_finish_async(struct io_ring_ctx *ctx)
4080{
6c271ce2
JA		 4081 io_sq_thread_stop(ctx);
4082
561fb04a
JA		 4083 if (ctx->io_wq) {
4084 io_wq_destroy(ctx->io_wq);
4085 ctx->io_wq = NULL;
6b06314c
JA		 4086 }
4087}
4088
4089#if defined(CONFIG_UNIX)
4090static void io_destruct_skb(struct sk_buff *skb)
4091{
4092 struct io_ring_ctx *ctx = skb->sk->sk_user_data;
8a997340 4093
561fb04a
JA		 4094 if (ctx->io_wq)
4095 io_wq_flush(ctx->io_wq);
6b06314c 4096
6b06314c
JA		 4097 unix_destruct_scm(skb);
4098}
4099
4100/*
4101 * Ensure the UNIX gc is aware of our file set, so we are certain that
4102 * the io_uring can be safely unregistered on process exit, even if we have
4103 * loops in the file referencing.
4104 */
4105static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4106{
4107 struct sock *sk = ctx->ring_sock->sk;
4108 struct scm_fp_list *fpl;
4109 struct sk_buff *skb;
08a45173 4110 int i, nr_files;
6b06314c
JA		 4111
4112 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4113 unsigned long inflight = ctx->user->unix_inflight + nr;
4114
4115 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4116 return -EMFILE;
4117 }
4118
4119 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4120 if (!fpl)
4121 return -ENOMEM;
4122
4123 skb = alloc_skb(0, GFP_KERNEL);
4124 if (!skb) {
4125 kfree(fpl);
4126 return -ENOMEM;
4127 }
4128
4129 skb->sk = sk;
6b06314c 4130
08a45173 4131 nr_files = 0;
6b06314c
JA		 4132 fpl->user = get_uid(ctx->user);
4133 for (i = 0; i < nr; i++) {
65e19f54
JA		 4134 struct file *file = io_file_from_index(ctx, i + offset);
4135
4136 if (!file)
08a45173 4137 continue;
65e19f54 4138 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 4139 unix_inflight(fpl->user, fpl->fp[nr_files]);
4140 nr_files++;
6b06314c
JA		 4141 }
4142
08a45173
JA		 4143 if (nr_files) {
4144 fpl->max = SCM_MAX_FD;
4145 fpl->count = nr_files;
4146 UNIXCB(skb).fp = fpl;
4147 skb->destructor = io_destruct_skb;
4148 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4149 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 4150
08a45173
JA		 4151 for (i = 0; i < nr_files; i++)
4152 fput(fpl->fp[i]);
4153 } else {
4154 kfree_skb(skb);
4155 kfree(fpl);
4156 }
6b06314c
JA		 4157
4158 return 0;
4159}
4160
4161/*
4162 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4163 * causes regular reference counting to break down. We rely on the UNIX
4164 * garbage collection to take care of this problem for us.
4165 */
4166static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4167{
4168 unsigned left, total;
4169 int ret = 0;
4170
4171 total = 0;
4172 left = ctx->nr_user_files;
4173 while (left) {
4174 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 4175
4176 ret = __io_sqe_files_scm(ctx, this_files, total);
4177 if (ret)
4178 break;
4179 left -= this_files;
4180 total += this_files;
4181 }
4182
4183 if (!ret)
4184 return 0;
4185
4186 while (total < ctx->nr_user_files) {
65e19f54
JA		 4187 struct file *file = io_file_from_index(ctx, total);
4188
4189 if (file)
4190 fput(file);
6b06314c
JA		 4191 total++;
4192 }
4193
4194 return ret;
4195}
4196#else
4197static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4198{
4199 return 0;
4200}
4201#endif
4202
65e19f54
JA		 4203static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
4204 unsigned nr_files)
4205{
4206 int i;
4207
4208 for (i = 0; i < nr_tables; i++) {
4209 struct fixed_file_table *table = &ctx->file_table[i];
4210 unsigned this_files;
4211
4212 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
4213 table->files = kcalloc(this_files, sizeof(struct file *),
4214 GFP_KERNEL);
4215 if (!table->files)
4216 break;
4217 nr_files -= this_files;
4218 }
4219
4220 if (i == nr_tables)
4221 return 0;
4222
4223 for (i = 0; i < nr_tables; i++) {
4224 struct fixed_file_table *table = &ctx->file_table[i];
4225 kfree(table->files);
4226 }
4227 return 1;
4228}
4229
6b06314c
JA		 4230static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
4231 unsigned nr_args)
4232{
4233 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 4234 unsigned nr_tables;
6b06314c
JA		 4235 int fd, ret = 0;
4236 unsigned i;
4237
65e19f54 4238 if (ctx->file_table)
6b06314c
JA		 4239 return -EBUSY;
4240 if (!nr_args)
4241 return -EINVAL;
4242 if (nr_args > IORING_MAX_FIXED_FILES)
4243 return -EMFILE;
4244
65e19f54
JA		 4245 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
4246 ctx->file_table = kcalloc(nr_tables, sizeof(struct fixed_file_table),
4247 GFP_KERNEL);
4248 if (!ctx->file_table)
6b06314c
JA		 4249 return -ENOMEM;
4250
65e19f54
JA		 4251 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
4252 kfree(ctx->file_table);
46568e9b 4253 ctx->file_table = NULL;
65e19f54
JA		 4254 return -ENOMEM;
4255 }
4256
08a45173 4257 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 4258 struct fixed_file_table *table;
4259 unsigned index;
4260
6b06314c
JA		 4261 ret = -EFAULT;
4262 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
4263 break;
08a45173
JA		 4264 /* allow sparse sets */
4265 if (fd == -1) {
4266 ret = 0;
4267 continue;
4268 }
6b06314c 4269
65e19f54
JA		 4270 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4271 index = i & IORING_FILE_TABLE_MASK;
4272 table->files[index] = fget(fd);
6b06314c
JA		 4273
4274 ret = -EBADF;
65e19f54 4275 if (!table->files[index])
6b06314c
JA		 4276 break;
4277 /*
4278 * Don't allow io_uring instances to be registered. If UNIX
4279 * isn't enabled, then this causes a reference cycle and this
4280 * instance can never get freed. If UNIX is enabled we'll
4281 * handle it just fine, but there's still no point in allowing
4282 * a ring fd as it doesn't support regular read/write anyway.
4283 */
65e19f54
JA		 4284 if (table->files[index]->f_op == &io_uring_fops) {
4285 fput(table->files[index]);
6b06314c
JA		 4286 break;
4287 }
6b06314c
JA		 4288 ret = 0;
4289 }
4290
4291 if (ret) {
65e19f54
JA		 4292 for (i = 0; i < ctx->nr_user_files; i++) {
4293 struct file *file;
6b06314c 4294
65e19f54
JA		 4295 file = io_file_from_index(ctx, i);
4296 if (file)
4297 fput(file);
4298 }
4299 for (i = 0; i < nr_tables; i++)
4300 kfree(ctx->file_table[i].files);
6b06314c 4301
65e19f54
JA		 4302 kfree(ctx->file_table);
4303 ctx->file_table = NULL;
6b06314c
JA		 4304 ctx->nr_user_files = 0;
4305 return ret;
4306 }
4307
4308 ret = io_sqe_files_scm(ctx);
4309 if (ret)
4310 io_sqe_files_unregister(ctx);
4311
4312 return ret;
4313}
4314
c3a31e60
JA		 4315static void io_sqe_file_unregister(struct io_ring_ctx *ctx, int index)
4316{
4317#if defined(CONFIG_UNIX)
65e19f54 4318 struct file *file = io_file_from_index(ctx, index);
c3a31e60
JA		 4319 struct sock *sock = ctx->ring_sock->sk;
4320 struct sk_buff_head list, *head = &sock->sk_receive_queue;
4321 struct sk_buff *skb;
4322 int i;
4323
4324 __skb_queue_head_init(&list);
4325
4326 /*
4327 * Find the skb that holds this file in its SCM_RIGHTS. When found,
4328 * remove this entry and rearrange the file array.
4329 */
4330 skb = skb_dequeue(head);
4331 while (skb) {
4332 struct scm_fp_list *fp;
4333
4334 fp = UNIXCB(skb).fp;
4335 for (i = 0; i < fp->count; i++) {
4336 int left;
4337
4338 if (fp->fp[i] != file)
4339 continue;
4340
4341 unix_notinflight(fp->user, fp->fp[i]);
4342 left = fp->count - 1 - i;
4343 if (left) {
4344 memmove(&fp->fp[i], &fp->fp[i + 1],
4345 left * sizeof(struct file *));
4346 }
4347 fp->count--;
4348 if (!fp->count) {
4349 kfree_skb(skb);
4350 skb = NULL;
4351 } else {
4352 __skb_queue_tail(&list, skb);
4353 }
4354 fput(file);
4355 file = NULL;
4356 break;
4357 }
4358
4359 if (!file)
4360 break;
4361
4362 __skb_queue_tail(&list, skb);
4363
4364 skb = skb_dequeue(head);
4365 }
4366
4367 if (skb_peek(&list)) {
4368 spin_lock_irq(&head->lock);
4369 while ((skb = __skb_dequeue(&list)) != NULL)
4370 __skb_queue_tail(head, skb);
4371 spin_unlock_irq(&head->lock);
4372 }
4373#else
65e19f54 4374 fput(io_file_from_index(ctx, index));
c3a31e60
JA		 4375#endif
4376}
4377
4378static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
4379 int index)
4380{
4381#if defined(CONFIG_UNIX)
4382 struct sock *sock = ctx->ring_sock->sk;
4383 struct sk_buff_head *head = &sock->sk_receive_queue;
4384 struct sk_buff *skb;
4385
4386 /*
4387 * See if we can merge this file into an existing skb SCM_RIGHTS
4388 * file set. If there's no room, fall back to allocating a new skb
4389 * and filling it in.
4390 */
4391 spin_lock_irq(&head->lock);
4392 skb = skb_peek(head);
4393 if (skb) {
4394 struct scm_fp_list *fpl = UNIXCB(skb).fp;
4395
4396 if (fpl->count < SCM_MAX_FD) {
4397 __skb_unlink(skb, head);
4398 spin_unlock_irq(&head->lock);
4399 fpl->fp[fpl->count] = get_file(file);
4400 unix_inflight(fpl->user, fpl->fp[fpl->count]);
4401 fpl->count++;
4402 spin_lock_irq(&head->lock);
4403 __skb_queue_head(head, skb);
4404 } else {
4405 skb = NULL;
4406 }
4407 }
4408 spin_unlock_irq(&head->lock);
4409
4410 if (skb) {
4411 fput(file);
4412 return 0;
4413 }
4414
4415 return __io_sqe_files_scm(ctx, 1, index);
4416#else
4417 return 0;
4418#endif
4419}
4420
4421static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
4422 unsigned nr_args)
4423{
4424 struct io_uring_files_update up;
4425 __s32 __user *fds;
4426 int fd, i, err;
4427 __u32 done;
4428
65e19f54 4429 if (!ctx->file_table)
c3a31e60
JA		 4430 return -ENXIO;
4431 if (!nr_args)
4432 return -EINVAL;
4433 if (copy_from_user(&up, arg, sizeof(up)))
4434 return -EFAULT;
4435 if (check_add_overflow(up.offset, nr_args, &done))
4436 return -EOVERFLOW;
4437 if (done > ctx->nr_user_files)
4438 return -EINVAL;
4439
4440 done = 0;
4441 fds = (__s32 __user *) up.fds;
4442 while (nr_args) {
65e19f54
JA		 4443 struct fixed_file_table *table;
4444 unsigned index;
4445
c3a31e60
JA		 4446 err = 0;
4447 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
4448 err = -EFAULT;
4449 break;
4450 }
4451 i = array_index_nospec(up.offset, ctx->nr_user_files);
65e19f54
JA		 4452 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4453 index = i & IORING_FILE_TABLE_MASK;
4454 if (table->files[index]) {
c3a31e60 4455 io_sqe_file_unregister(ctx, i);
65e19f54 4456 table->files[index] = NULL;
c3a31e60
JA		 4457 }
4458 if (fd != -1) {
4459 struct file *file;
4460
4461 file = fget(fd);
4462 if (!file) {
4463 err = -EBADF;
4464 break;
4465 }
4466 /*
4467 * Don't allow io_uring instances to be registered. If
4468 * UNIX isn't enabled, then this causes a reference
4469 * cycle and this instance can never get freed. If UNIX
4470 * is enabled we'll handle it just fine, but there's
4471 * still no point in allowing a ring fd as it doesn't
4472 * support regular read/write anyway.
4473 */
4474 if (file->f_op == &io_uring_fops) {
4475 fput(file);
4476 err = -EBADF;
4477 break;
4478 }
65e19f54 4479 table->files[index] = file;
c3a31e60
JA		 4480 err = io_sqe_file_register(ctx, file, i);
4481 if (err)
4482 break;
4483 }
4484 nr_args--;
4485 done++;
4486 up.offset++;
4487 }
4488
4489 return done ? done : err;
4490}
4491
7d723065
JA		 4492static void io_put_work(struct io_wq_work *work)
4493{
4494 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4495
4496 io_put_req(req);
4497}
4498
4499static void io_get_work(struct io_wq_work *work)
4500{
4501 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4502
4503 refcount_inc(&req->refs);
4504}
4505
6c271ce2
JA		 4506static int io_sq_offload_start(struct io_ring_ctx *ctx,
4507 struct io_uring_params *p)
2b188cc1 4508{
576a347b 4509 struct io_wq_data data;
561fb04a 4510 unsigned concurrency;
2b188cc1
JA		 4511 int ret;
4512
6c271ce2 4513 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 4514 mmgrab(current->mm);
4515 ctx->sqo_mm = current->mm;
4516
6c271ce2 4517 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 4518 ret = -EPERM;
4519 if (!capable(CAP_SYS_ADMIN))
4520 goto err;
4521
917257da
JA		 4522 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
4523 if (!ctx->sq_thread_idle)
4524 ctx->sq_thread_idle = HZ;
4525
6c271ce2 4526 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 4527 int cpu = p->sq_thread_cpu;
6c271ce2 4528
917257da 4529 ret = -EINVAL;
44a9bd18
JA		 4530 if (cpu >= nr_cpu_ids)
4531 goto err;
7889f44d 4532 if (!cpu_online(cpu))
917257da
JA		 4533 goto err;
4534
6c271ce2
JA		 4535 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
4536 ctx, cpu,
4537 "io_uring-sq");
4538 } else {
4539 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
4540 "io_uring-sq");
4541 }
4542 if (IS_ERR(ctx->sqo_thread)) {
4543 ret = PTR_ERR(ctx->sqo_thread);
4544 ctx->sqo_thread = NULL;
4545 goto err;
4546 }
4547 wake_up_process(ctx->sqo_thread);
4548 } else if (p->flags & IORING_SETUP_SQ_AFF) {
4549 /* Can't have SQ_AFF without SQPOLL */
4550 ret = -EINVAL;
4551 goto err;
4552 }
4553
576a347b
JA		 4554 data.mm = ctx->sqo_mm;
4555 data.user = ctx->user;
181e448d 4556 data.creds = ctx->creds;
576a347b
JA		 4557 data.get_work = io_get_work;
4558 data.put_work = io_put_work;
4559
561fb04a
JA		 4560 /* Do QD, or 4 * CPUS, whatever is smallest */
4561 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 4562 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 4563 if (IS_ERR(ctx->io_wq)) {
4564 ret = PTR_ERR(ctx->io_wq);
4565 ctx->io_wq = NULL;
2b188cc1
JA		 4566 goto err;
4567 }
4568
4569 return 0;
4570err:
54a91f3b 4571 io_finish_async(ctx);
2b188cc1
JA		 4572 mmdrop(ctx->sqo_mm);
4573 ctx->sqo_mm = NULL;
4574 return ret;
4575}
4576
4577static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
4578{
4579 atomic_long_sub(nr_pages, &user->locked_vm);
4580}
4581
4582static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
4583{
4584 unsigned long page_limit, cur_pages, new_pages;
4585
4586 /* Don't allow more pages than we can safely lock */
4587 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
4588
4589 do {
4590 cur_pages = atomic_long_read(&user->locked_vm);
4591 new_pages = cur_pages + nr_pages;
4592 if (new_pages > page_limit)
4593 return -ENOMEM;
4594 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
4595 new_pages) != cur_pages);
4596
4597 return 0;
4598}
4599
4600static void io_mem_free(void *ptr)
4601{
52e04ef4
MR		 4602 struct page *page;
4603
4604 if (!ptr)
4605 return;
2b188cc1 4606
52e04ef4 4607 page = virt_to_head_page(ptr);
2b188cc1
JA		 4608 if (put_page_testzero(page))
4609 free_compound_page(page);
4610}
4611
4612static void *io_mem_alloc(size_t size)
4613{
4614 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
4615 __GFP_NORETRY;
4616
4617 return (void *) __get_free_pages(gfp_flags, get_order(size));
4618}
4619
75b28aff
HV		 4620static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
4621 size_t *sq_offset)
4622{
4623 struct io_rings *rings;
4624 size_t off, sq_array_size;
4625
4626 off = struct_size(rings, cqes, cq_entries);
4627 if (off == SIZE_MAX)
4628 return SIZE_MAX;
4629
4630#ifdef CONFIG_SMP
4631 off = ALIGN(off, SMP_CACHE_BYTES);
4632 if (off == 0)
4633 return SIZE_MAX;
4634#endif
4635
4636 sq_array_size = array_size(sizeof(u32), sq_entries);
4637 if (sq_array_size == SIZE_MAX)
4638 return SIZE_MAX;
4639
4640 if (check_add_overflow(off, sq_array_size, &off))
4641 return SIZE_MAX;
4642
4643 if (sq_offset)
4644 *sq_offset = off;
4645
4646 return off;
4647}
4648
2b188cc1
JA		 4649static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
4650{
75b28aff 4651 size_t pages;
2b188cc1 4652
75b28aff
HV		 4653 pages = (size_t)1 << get_order(
4654 rings_size(sq_entries, cq_entries, NULL));
4655 pages += (size_t)1 << get_order(
4656 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 4657
75b28aff 4658 return pages;
2b188cc1
JA		 4659}
4660
edafccee
JA		 4661static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
4662{
4663 int i, j;
4664
4665 if (!ctx->user_bufs)
4666 return -ENXIO;
4667
4668 for (i = 0; i < ctx->nr_user_bufs; i++) {
4669 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4670
4671 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 4672 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 4673
4674 if (ctx->account_mem)
4675 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 4676 kvfree(imu->bvec);
edafccee
JA		 4677 imu->nr_bvecs = 0;
4678 }
4679
4680 kfree(ctx->user_bufs);
4681 ctx->user_bufs = NULL;
4682 ctx->nr_user_bufs = 0;
4683 return 0;
4684}
4685
4686static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
4687 void __user *arg, unsigned index)
4688{
4689 struct iovec __user *src;
4690
4691#ifdef CONFIG_COMPAT
4692 if (ctx->compat) {
4693 struct compat_iovec __user *ciovs;
4694 struct compat_iovec ciov;
4695
4696 ciovs = (struct compat_iovec __user *) arg;
4697 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
4698 return -EFAULT;
4699
4700 dst->iov_base = (void __user *) (unsigned long) ciov.iov_base;
4701 dst->iov_len = ciov.iov_len;
4702 return 0;
4703 }
4704#endif
4705 src = (struct iovec __user *) arg;
4706 if (copy_from_user(dst, &src[index], sizeof(*dst)))
4707 return -EFAULT;
4708 return 0;
4709}
4710
4711static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
4712 unsigned nr_args)
4713{
4714 struct vm_area_struct **vmas = NULL;
4715 struct page **pages = NULL;
4716 int i, j, got_pages = 0;
4717 int ret = -EINVAL;
4718
4719 if (ctx->user_bufs)
4720 return -EBUSY;
4721 if (!nr_args || nr_args > UIO_MAXIOV)
4722 return -EINVAL;
4723
4724 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
4725 GFP_KERNEL);
4726 if (!ctx->user_bufs)
4727 return -ENOMEM;
4728
4729 for (i = 0; i < nr_args; i++) {
4730 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4731 unsigned long off, start, end, ubuf;
4732 int pret, nr_pages;
4733 struct iovec iov;
4734 size_t size;
4735
4736 ret = io_copy_iov(ctx, &iov, arg, i);
4737 if (ret)
a278682d 4738 goto err;
edafccee
JA		 4739
4740 /*
4741 * Don't impose further limits on the size and buffer
4742 * constraints here, we'll -EINVAL later when IO is
4743 * submitted if they are wrong.
4744 */
4745 ret = -EFAULT;
4746 if (!iov.iov_base || !iov.iov_len)
4747 goto err;
4748
4749 /* arbitrary limit, but we need something */
4750 if (iov.iov_len > SZ_1G)
4751 goto err;
4752
4753 ubuf = (unsigned long) iov.iov_base;
4754 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
4755 start = ubuf >> PAGE_SHIFT;
4756 nr_pages = end - start;
4757
4758 if (ctx->account_mem) {
4759 ret = io_account_mem(ctx->user, nr_pages);
4760 if (ret)
4761 goto err;
4762 }
4763
4764 ret = 0;
4765 if (!pages || nr_pages > got_pages) {
4766 kfree(vmas);
4767 kfree(pages);
d4ef6475 4768 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 4769 GFP_KERNEL);
d4ef6475 4770 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 4771 sizeof(struct vm_area_struct *),
4772 GFP_KERNEL);
4773 if (!pages || !vmas) {
4774 ret = -ENOMEM;
4775 if (ctx->account_mem)
4776 io_unaccount_mem(ctx->user, nr_pages);
4777 goto err;
4778 }
4779 got_pages = nr_pages;
4780 }
4781
d4ef6475 4782 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 4783 GFP_KERNEL);
4784 ret = -ENOMEM;
4785 if (!imu->bvec) {
4786 if (ctx->account_mem)
4787 io_unaccount_mem(ctx->user, nr_pages);
4788 goto err;
4789 }
4790
4791 ret = 0;
4792 down_read(&current->mm->mmap_sem);
932f4a63
IW		 4793 pret = get_user_pages(ubuf, nr_pages,
4794 FOLL_WRITE | FOLL_LONGTERM,
4795 pages, vmas);
edafccee
JA		 4796 if (pret == nr_pages) {
4797 /* don't support file backed memory */
4798 for (j = 0; j < nr_pages; j++) {
4799 struct vm_area_struct *vma = vmas[j];
4800
4801 if (vma->vm_file &&
4802 !is_file_hugepages(vma->vm_file)) {
4803 ret = -EOPNOTSUPP;
4804 break;
4805 }
4806 }
4807 } else {
4808 ret = pret < 0 ? pret : -EFAULT;
4809 }
4810 up_read(&current->mm->mmap_sem);
4811 if (ret) {
4812 /*
4813 * if we did partial map, or found file backed vmas,
4814 * release any pages we did get
4815 */
27c4d3a3
JH		 4816 if (pret > 0)
4817 put_user_pages(pages, pret);
edafccee
JA		 4818 if (ctx->account_mem)
4819 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 4820 kvfree(imu->bvec);
edafccee
JA		 4821 goto err;
4822 }
4823
4824 off = ubuf & ~PAGE_MASK;
4825 size = iov.iov_len;
4826 for (j = 0; j < nr_pages; j++) {
4827 size_t vec_len;
4828
4829 vec_len = min_t(size_t, size, PAGE_SIZE - off);
4830 imu->bvec[j].bv_page = pages[j];
4831 imu->bvec[j].bv_len = vec_len;
4832 imu->bvec[j].bv_offset = off;
4833 off = 0;
4834 size -= vec_len;
4835 }
4836 /* store original address for later verification */
4837 imu->ubuf = ubuf;
4838 imu->len = iov.iov_len;
4839 imu->nr_bvecs = nr_pages;
4840
4841 ctx->nr_user_bufs++;
4842 }
d4ef6475
MR		 4843 kvfree(pages);
4844 kvfree(vmas);
edafccee
JA		 4845 return 0;
4846err:
d4ef6475
MR		 4847 kvfree(pages);
4848 kvfree(vmas);
edafccee
JA		 4849 io_sqe_buffer_unregister(ctx);
4850 return ret;
4851}
4852
9b402849
JA		 4853static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
4854{
4855 __s32 __user *fds = arg;
4856 int fd;
4857
4858 if (ctx->cq_ev_fd)
4859 return -EBUSY;
4860
4861 if (copy_from_user(&fd, fds, sizeof(*fds)))
4862 return -EFAULT;
4863
4864 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
4865 if (IS_ERR(ctx->cq_ev_fd)) {
4866 int ret = PTR_ERR(ctx->cq_ev_fd);
4867 ctx->cq_ev_fd = NULL;
4868 return ret;
4869 }
4870
4871 return 0;
4872}
4873
4874static int io_eventfd_unregister(struct io_ring_ctx *ctx)
4875{
4876 if (ctx->cq_ev_fd) {
4877 eventfd_ctx_put(ctx->cq_ev_fd);
4878 ctx->cq_ev_fd = NULL;
4879 return 0;
4880 }
4881
4882 return -ENXIO;
4883}
4884
2b188cc1
JA		 4885static void io_ring_ctx_free(struct io_ring_ctx *ctx)
4886{
6b06314c 4887 io_finish_async(ctx);
2b188cc1
JA		 4888 if (ctx->sqo_mm)
4889 mmdrop(ctx->sqo_mm);
def596e9
JA		 4890
4891 io_iopoll_reap_events(ctx);
edafccee 4892 io_sqe_buffer_unregister(ctx);
6b06314c 4893 io_sqe_files_unregister(ctx);
9b402849 4894 io_eventfd_unregister(ctx);
def596e9 4895
2b188cc1 4896#if defined(CONFIG_UNIX)
355e8d26
EB		 4897 if (ctx->ring_sock) {
4898 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 4899 sock_release(ctx->ring_sock);
355e8d26 4900 }
2b188cc1
JA		 4901#endif
4902
75b28aff 4903 io_mem_free(ctx->rings);
2b188cc1 4904 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 4905
4906 percpu_ref_exit(&ctx->refs);
4907 if (ctx->account_mem)
4908 io_unaccount_mem(ctx->user,
4909 ring_pages(ctx->sq_entries, ctx->cq_entries));
4910 free_uid(ctx->user);
181e448d 4911 put_cred(ctx->creds);
206aefde 4912 kfree(ctx->completions);
78076bb6 4913 kfree(ctx->cancel_hash);
0ddf92e8 4914 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 4915 kfree(ctx);
4916}
4917
4918static __poll_t io_uring_poll(struct file *file, poll_table *wait)
4919{
4920 struct io_ring_ctx *ctx = file->private_data;
4921 __poll_t mask = 0;
4922
4923 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 4924 /*
4925 * synchronizes with barrier from wq_has_sleeper call in
4926 * io_commit_cqring
4927 */
2b188cc1 4928 smp_rmb();
75b28aff
HV		 4929 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
4930 ctx->rings->sq_ring_entries)
2b188cc1 4931 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 4932 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 4933 mask |= EPOLLIN | EPOLLRDNORM;
4934
4935 return mask;
4936}
4937
4938static int io_uring_fasync(int fd, struct file *file, int on)
4939{
4940 struct io_ring_ctx *ctx = file->private_data;
4941
4942 return fasync_helper(fd, file, on, &ctx->cq_fasync);
4943}
4944
4945static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
4946{
4947 mutex_lock(&ctx->uring_lock);
4948 percpu_ref_kill(&ctx->refs);
4949 mutex_unlock(&ctx->uring_lock);
4950
5262f567 4951 io_kill_timeouts(ctx);
221c5eb2 4952 io_poll_remove_all(ctx);
561fb04a
JA		 4953
4954 if (ctx->io_wq)
4955 io_wq_cancel_all(ctx->io_wq);
4956
def596e9 4957 io_iopoll_reap_events(ctx);
15dff286
JA		 4958 /* if we failed setting up the ctx, we might not have any rings */
4959 if (ctx->rings)
4960 io_cqring_overflow_flush(ctx, true);
206aefde 4961 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 4962 io_ring_ctx_free(ctx);
4963}
4964
4965static int io_uring_release(struct inode *inode, struct file *file)
4966{
4967 struct io_ring_ctx *ctx = file->private_data;
4968
4969 file->private_data = NULL;
4970 io_ring_ctx_wait_and_kill(ctx);
4971 return 0;
4972}
4973
fcb323cc
JA		 4974static void io_uring_cancel_files(struct io_ring_ctx *ctx,
4975 struct files_struct *files)
4976{
4977 struct io_kiocb *req;
4978 DEFINE_WAIT(wait);
4979
4980 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 4981 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 4982
4983 spin_lock_irq(&ctx->inflight_lock);
4984 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 4985 if (req->work.files != files)
4986 continue;
4987 /* req is being completed, ignore */
4988 if (!refcount_inc_not_zero(&req->refs))
4989 continue;
4990 cancel_req = req;
4991 break;
fcb323cc 4992 }
768134d4 4993 if (cancel_req)
fcb323cc 4994 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 4995 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 4996 spin_unlock_irq(&ctx->inflight_lock);
4997
768134d4
JA		 4998 /* We need to keep going until we don't find a matching req */
4999 if (!cancel_req)
fcb323cc 5000 break;
2f6d9b9d
BL		 5001
5002 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
5003 io_put_req(cancel_req);
fcb323cc
JA		 5004 schedule();
5005 }
768134d4 5006 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 5007}
5008
5009static int io_uring_flush(struct file *file, void *data)
5010{
5011 struct io_ring_ctx *ctx = file->private_data;
5012
5013 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 5014 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
5015 io_cqring_overflow_flush(ctx, true);
fcb323cc 5016 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 5017 }
fcb323cc
JA		 5018 return 0;
5019}
5020
6c5c240e
RP		 5021static void *io_uring_validate_mmap_request(struct file *file,
5022 loff_t pgoff, size_t sz)
2b188cc1 5023{
2b188cc1 5024 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 5025 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 5026 struct page *page;
5027 void *ptr;
5028
5029 switch (offset) {
5030 case IORING_OFF_SQ_RING:
75b28aff
HV		 5031 case IORING_OFF_CQ_RING:
5032 ptr = ctx->rings;
2b188cc1
JA		 5033 break;
5034 case IORING_OFF_SQES:
5035 ptr = ctx->sq_sqes;
5036 break;
2b188cc1 5037 default:
6c5c240e 5038 return ERR_PTR(-EINVAL);
2b188cc1
JA		 5039 }
5040
5041 page = virt_to_head_page(ptr);
a50b854e 5042 if (sz > page_size(page))
6c5c240e
RP		 5043 return ERR_PTR(-EINVAL);
5044
5045 return ptr;
5046}
5047
5048#ifdef CONFIG_MMU
5049
5050static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5051{
5052 size_t sz = vma->vm_end - vma->vm_start;
5053 unsigned long pfn;
5054 void *ptr;
5055
5056 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5057 if (IS_ERR(ptr))
5058 return PTR_ERR(ptr);
2b188cc1
JA		 5059
5060 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5061 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5062}
5063
6c5c240e
RP		 5064#else /* !CONFIG_MMU */
5065
5066static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5067{
5068 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5069}
5070
5071static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
5072{
5073 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
5074}
5075
5076static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
5077 unsigned long addr, unsigned long len,
5078 unsigned long pgoff, unsigned long flags)
5079{
5080 void *ptr;
5081
5082 ptr = io_uring_validate_mmap_request(file, pgoff, len);
5083 if (IS_ERR(ptr))
5084 return PTR_ERR(ptr);
5085
5086 return (unsigned long) ptr;
5087}
5088
5089#endif /* !CONFIG_MMU */
5090
2b188cc1
JA		 5091SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
5092 u32, min_complete, u32, flags, const sigset_t __user *, sig,
5093 size_t, sigsz)
5094{
5095 struct io_ring_ctx *ctx;
5096 long ret = -EBADF;
5097 int submitted = 0;
5098 struct fd f;
5099
6c271ce2 5100 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 5101 return -EINVAL;
5102
5103 f = fdget(fd);
5104 if (!f.file)
5105 return -EBADF;
5106
5107 ret = -EOPNOTSUPP;
5108 if (f.file->f_op != &io_uring_fops)
5109 goto out_fput;
5110
5111 ret = -ENXIO;
5112 ctx = f.file->private_data;
5113 if (!percpu_ref_tryget(&ctx->refs))
5114 goto out_fput;
5115
6c271ce2
JA		 5116 /*
5117 * For SQ polling, the thread will do all submissions and completions.
5118 * Just return the requested submit count, and wake the thread if
5119 * we were asked to.
5120 */
b2a9eada 5121 ret = 0;
6c271ce2 5122 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 5123 if (!list_empty_careful(&ctx->cq_overflow_list))
5124 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 5125 if (flags & IORING_ENTER_SQ_WAKEUP)
5126 wake_up(&ctx->sqo_wait);
5127 submitted = to_submit;
b2a9eada 5128 } else if (to_submit) {
ae9428ca 5129 struct mm_struct *cur_mm;
2b188cc1 5130
ae9428ca 5131 to_submit = min(to_submit, ctx->sq_entries);
2b188cc1 5132 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 5133 /* already have mm, so io_submit_sqes() won't try to grab it */
5134 cur_mm = ctx->sqo_mm;
5135 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
5136 &cur_mm, false);
2b188cc1 5137 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 5138
5139 if (submitted != to_submit)
5140 goto out;
2b188cc1
JA		 5141 }
5142 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 5143 unsigned nr_events = 0;
5144
2b188cc1
JA		 5145 min_complete = min(min_complete, ctx->cq_entries);
5146
def596e9 5147 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 5148 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 5149 } else {
5150 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
5151 }
2b188cc1
JA		 5152 }
5153
7c504e65 5154out:
6805b32e 5155 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 5156out_fput:
5157 fdput(f);
5158 return submitted ? submitted : ret;
5159}
5160
5161static const struct file_operations io_uring_fops = {
5162 .release = io_uring_release,
fcb323cc 5163 .flush = io_uring_flush,
2b188cc1 5164 .mmap = io_uring_mmap,
6c5c240e
RP		 5165#ifndef CONFIG_MMU
5166 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
5167 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
5168#endif
2b188cc1
JA		 5169 .poll = io_uring_poll,
5170 .fasync = io_uring_fasync,
5171};
5172
5173static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
5174 struct io_uring_params *p)
5175{
75b28aff
HV		 5176 struct io_rings *rings;
5177 size_t size, sq_array_offset;
2b188cc1 5178
75b28aff
HV		 5179 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
5180 if (size == SIZE_MAX)
5181 return -EOVERFLOW;
5182
5183 rings = io_mem_alloc(size);
5184 if (!rings)
2b188cc1
JA		 5185 return -ENOMEM;
5186
75b28aff
HV		 5187 ctx->rings = rings;
5188 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
5189 rings->sq_ring_mask = p->sq_entries - 1;
5190 rings->cq_ring_mask = p->cq_entries - 1;
5191 rings->sq_ring_entries = p->sq_entries;
5192 rings->cq_ring_entries = p->cq_entries;
5193 ctx->sq_mask = rings->sq_ring_mask;
5194 ctx->cq_mask = rings->cq_ring_mask;
5195 ctx->sq_entries = rings->sq_ring_entries;
5196 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 5197
5198 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 5199 if (size == SIZE_MAX) {
5200 io_mem_free(ctx->rings);
5201 ctx->rings = NULL;
2b188cc1 5202 return -EOVERFLOW;
eb065d30 5203 }
2b188cc1
JA		 5204
5205 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 5206 if (!ctx->sq_sqes) {
5207 io_mem_free(ctx->rings);
5208 ctx->rings = NULL;
2b188cc1 5209 return -ENOMEM;
eb065d30 5210 }
2b188cc1 5211
2b188cc1
JA		 5212 return 0;
5213}
5214
5215/*
5216 * Allocate an anonymous fd, this is what constitutes the application
5217 * visible backing of an io_uring instance. The application mmaps this
5218 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
5219 * we have to tie this fd to a socket for file garbage collection purposes.
5220 */
5221static int io_uring_get_fd(struct io_ring_ctx *ctx)
5222{
5223 struct file *file;
5224 int ret;
5225
5226#if defined(CONFIG_UNIX)
5227 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
5228 &ctx->ring_sock);
5229 if (ret)
5230 return ret;
5231#endif
5232
5233 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
5234 if (ret < 0)
5235 goto err;
5236
5237 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
5238 O_RDWR | O_CLOEXEC);
5239 if (IS_ERR(file)) {
5240 put_unused_fd(ret);
5241 ret = PTR_ERR(file);
5242 goto err;
5243 }
5244
5245#if defined(CONFIG_UNIX)
5246 ctx->ring_sock->file = file;
6b06314c 5247 ctx->ring_sock->sk->sk_user_data = ctx;
2b188cc1
JA		 5248#endif
5249 fd_install(ret, file);
5250 return ret;
5251err:
5252#if defined(CONFIG_UNIX)
5253 sock_release(ctx->ring_sock);
5254 ctx->ring_sock = NULL;
5255#endif
5256 return ret;
5257}
5258
5259static int io_uring_create(unsigned entries, struct io_uring_params *p)
5260{
5261 struct user_struct *user = NULL;
5262 struct io_ring_ctx *ctx;
5263 bool account_mem;
5264 int ret;
5265
5266 if (!entries || entries > IORING_MAX_ENTRIES)
5267 return -EINVAL;
5268
5269 /*
5270 * Use twice as many entries for the CQ ring. It's possible for the
5271 * application to drive a higher depth than the size of the SQ ring,
5272 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 5273 * some flexibility in overcommitting a bit. If the application has
5274 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
5275 * of CQ ring entries manually.
2b188cc1
JA		 5276 */
5277 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 5278 if (p->flags & IORING_SETUP_CQSIZE) {
5279 /*
5280 * If IORING_SETUP_CQSIZE is set, we do the same roundup
5281 * to a power-of-two, if it isn't already. We do NOT impose
5282 * any cq vs sq ring sizing.
5283 */
5284 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
5285 return -EINVAL;
5286 p->cq_entries = roundup_pow_of_two(p->cq_entries);
5287 } else {
5288 p->cq_entries = 2 * p->sq_entries;
5289 }
2b188cc1
JA		 5290
5291 user = get_uid(current_user());
5292 account_mem = !capable(CAP_IPC_LOCK);
5293
5294 if (account_mem) {
5295 ret = io_account_mem(user,
5296 ring_pages(p->sq_entries, p->cq_entries));
5297 if (ret) {
5298 free_uid(user);
5299 return ret;
5300 }
5301 }
5302
5303 ctx = io_ring_ctx_alloc(p);
5304 if (!ctx) {
5305 if (account_mem)
5306 io_unaccount_mem(user, ring_pages(p->sq_entries,
5307 p->cq_entries));
5308 free_uid(user);
5309 return -ENOMEM;
5310 }
5311 ctx->compat = in_compat_syscall();
5312 ctx->account_mem = account_mem;
5313 ctx->user = user;
0b8c0ec7 5314 ctx->creds = get_current_cred();
2b188cc1
JA		 5315
5316 ret = io_allocate_scq_urings(ctx, p);
5317 if (ret)
5318 goto err;
5319
6c271ce2 5320 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 5321 if (ret)
5322 goto err;
5323
2b188cc1 5324 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 5325 p->sq_off.head = offsetof(struct io_rings, sq.head);
5326 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
5327 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
5328 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
5329 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
5330 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
5331 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 5332
5333 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 5334 p->cq_off.head = offsetof(struct io_rings, cq.head);
5335 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
5336 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
5337 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
5338 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
5339 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 5340
044c1ab3
JA		 5341 /*
5342 * Install ring fd as the very last thing, so we don't risk someone
5343 * having closed it before we finish setup
5344 */
5345 ret = io_uring_get_fd(ctx);
5346 if (ret < 0)
5347 goto err;
5348
da8c9690
JA		 5349 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
5350 IORING_FEAT_SUBMIT_STABLE;
c826bd7a 5351 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 5352 return ret;
5353err:
5354 io_ring_ctx_wait_and_kill(ctx);
5355 return ret;
5356}
5357
5358/*
5359 * Sets up an aio uring context, and returns the fd. Applications asks for a
5360 * ring size, we return the actual sq/cq ring sizes (among other things) in the
5361 * params structure passed in.
5362 */
5363static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
5364{
5365 struct io_uring_params p;
5366 long ret;
5367 int i;
5368
5369 if (copy_from_user(&p, params, sizeof(p)))
5370 return -EFAULT;
5371 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
5372 if (p.resv[i])
5373 return -EINVAL;
5374 }
5375
6c271ce2 5376 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
33a107f0 5377 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
2b188cc1
JA		 5378 return -EINVAL;
5379
5380 ret = io_uring_create(entries, &p);
5381 if (ret < 0)
5382 return ret;
5383
5384 if (copy_to_user(params, &p, sizeof(p)))
5385 return -EFAULT;
5386
5387 return ret;
5388}
5389
5390SYSCALL_DEFINE2(io_uring_setup, u32, entries,
5391 struct io_uring_params __user *, params)
5392{
5393 return io_uring_setup(entries, params);
5394}
5395
edafccee
JA		 5396static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
5397 void __user *arg, unsigned nr_args)
b19062a5
JA		 5398 __releases(ctx->uring_lock)
5399 __acquires(ctx->uring_lock)
edafccee
JA		 5400{
5401 int ret;
5402
35fa71a0
JA		 5403 /*
5404 * We're inside the ring mutex, if the ref is already dying, then
5405 * someone else killed the ctx or is already going through
5406 * io_uring_register().
5407 */
5408 if (percpu_ref_is_dying(&ctx->refs))
5409 return -ENXIO;
5410
edafccee 5411 percpu_ref_kill(&ctx->refs);
b19062a5
JA		 5412
5413 /*
5414 * Drop uring mutex before waiting for references to exit. If another
5415 * thread is currently inside io_uring_enter() it might need to grab
5416 * the uring_lock to make progress. If we hold it here across the drain
5417 * wait, then we can deadlock. It's safe to drop the mutex here, since
5418 * no new references will come in after we've killed the percpu ref.
5419 */
5420 mutex_unlock(&ctx->uring_lock);
206aefde 5421 wait_for_completion(&ctx->completions[0]);
b19062a5 5422 mutex_lock(&ctx->uring_lock);
edafccee
JA		 5423
5424 switch (opcode) {
5425 case IORING_REGISTER_BUFFERS:
5426 ret = io_sqe_buffer_register(ctx, arg, nr_args);
5427 break;
5428 case IORING_UNREGISTER_BUFFERS:
5429 ret = -EINVAL;
5430 if (arg || nr_args)
5431 break;
5432 ret = io_sqe_buffer_unregister(ctx);
5433 break;
6b06314c
JA		 5434 case IORING_REGISTER_FILES:
5435 ret = io_sqe_files_register(ctx, arg, nr_args);
5436 break;
5437 case IORING_UNREGISTER_FILES:
5438 ret = -EINVAL;
5439 if (arg || nr_args)
5440 break;
5441 ret = io_sqe_files_unregister(ctx);
5442 break;
c3a31e60
JA		 5443 case IORING_REGISTER_FILES_UPDATE:
5444 ret = io_sqe_files_update(ctx, arg, nr_args);
5445 break;
9b402849
JA		 5446 case IORING_REGISTER_EVENTFD:
5447 ret = -EINVAL;
5448 if (nr_args != 1)
5449 break;
5450 ret = io_eventfd_register(ctx, arg);
5451 break;
5452 case IORING_UNREGISTER_EVENTFD:
5453 ret = -EINVAL;
5454 if (arg || nr_args)
5455 break;
5456 ret = io_eventfd_unregister(ctx);
5457 break;
edafccee
JA		 5458 default:
5459 ret = -EINVAL;
5460 break;
5461 }
5462
5463 /* bring the ctx back to life */
206aefde 5464 reinit_completion(&ctx->completions[0]);
edafccee
JA		 5465 percpu_ref_reinit(&ctx->refs);
5466 return ret;
5467}
5468
5469SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
5470 void __user *, arg, unsigned int, nr_args)
5471{
5472 struct io_ring_ctx *ctx;
5473 long ret = -EBADF;
5474 struct fd f;
5475
5476 f = fdget(fd);
5477 if (!f.file)
5478 return -EBADF;
5479
5480 ret = -EOPNOTSUPP;
5481 if (f.file->f_op != &io_uring_fops)
5482 goto out_fput;
5483
5484 ctx = f.file->private_data;
5485
5486 mutex_lock(&ctx->uring_lock);
5487 ret = __io_uring_register(ctx, opcode, arg, nr_args);
5488 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 5489 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
5490 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 5491out_fput:
5492 fdput(f);
5493 return ret;
5494}
5495
2b188cc1
JA		 5496static int __init io_uring_init(void)
5497{
5498 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
5499 return 0;
5500};
5501__initcall(io_uring_init);
Ubuntu Jammy Linux kernel mirror