]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - fs/io_uring.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
mm: make do_madvise() available internally
[mirror_ubuntu-jammy-kernel.git] / fs / io_uring.c
CommitLineData
2b188cc1
JA		 1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
1e84b97b
SB		 7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
2b188cc1
JA		 29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
c992fe29 40 * Copyright (c) 2018-2019 Christoph Hellwig
2b188cc1
JA		 41 */
42#include <linux/kernel.h>
43#include <linux/init.h>
44#include <linux/errno.h>
45#include <linux/syscalls.h>
46#include <linux/compat.h>
47#include <linux/refcount.h>
48#include <linux/uio.h>
49
50#include <linux/sched/signal.h>
51#include <linux/fs.h>
52#include <linux/file.h>
53#include <linux/fdtable.h>
54#include <linux/mm.h>
55#include <linux/mman.h>
56#include <linux/mmu_context.h>
57#include <linux/percpu.h>
58#include <linux/slab.h>
6c271ce2 59#include <linux/kthread.h>
2b188cc1 60#include <linux/blkdev.h>
edafccee 61#include <linux/bvec.h>
2b188cc1
JA		 62#include <linux/net.h>
63#include <net/sock.h>
64#include <net/af_unix.h>
6b06314c 65#include <net/scm.h>
2b188cc1
JA		 66#include <linux/anon_inodes.h>
67#include <linux/sched/mm.h>
68#include <linux/uaccess.h>
69#include <linux/nospec.h>
edafccee
JA		 70#include <linux/sizes.h>
71#include <linux/hugetlb.h>
aa4c3967 72#include <linux/highmem.h>
15b71abe
JA		 73#include <linux/namei.h>
74#include <linux/fsnotify.h>
4840e418 75#include <linux/fadvise.h>
2b188cc1 76
c826bd7a
DD		 77#define CREATE_TRACE_POINTS
78#include <trace/events/io_uring.h>
79
2b188cc1
JA		 80#include <uapi/linux/io_uring.h>
81
82#include "internal.h"
561fb04a 83#include "io-wq.h"
2b188cc1 84
5277deaa 85#define IORING_MAX_ENTRIES 32768
33a107f0 86#define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
65e19f54
JA		 87
88/*
89 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
90 */
91#define IORING_FILE_TABLE_SHIFT 9
92#define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
93#define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
94#define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
2b188cc1
JA		 95
96struct io_uring {
97 u32 head ____cacheline_aligned_in_smp;
98 u32 tail ____cacheline_aligned_in_smp;
99};
100
1e84b97b 101/*
75b28aff
HV		 102 * This data is shared with the application through the mmap at offsets
103 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
1e84b97b
SB		 104 *
105 * The offsets to the member fields are published through struct
106 * io_sqring_offsets when calling io_uring_setup.
107 */
75b28aff 108struct io_rings {
1e84b97b
SB		 109 /*
110 * Head and tail offsets into the ring; the offsets need to be
111 * masked to get valid indices.
112 *
75b28aff
HV		 113 * The kernel controls head of the sq ring and the tail of the cq ring,
114 * and the application controls tail of the sq ring and the head of the
115 * cq ring.
1e84b97b 116 */
75b28aff 117 struct io_uring sq, cq;
1e84b97b 118 /*
75b28aff 119 * Bitmasks to apply to head and tail offsets (constant, equals
1e84b97b
SB		 120 * ring_entries - 1)
121 */
75b28aff
HV		 122 u32 sq_ring_mask, cq_ring_mask;
123 /* Ring sizes (constant, power of 2) */
124 u32 sq_ring_entries, cq_ring_entries;
1e84b97b
SB		 125 /*
126 * Number of invalid entries dropped by the kernel due to
127 * invalid index stored in array
128 *
129 * Written by the kernel, shouldn't be modified by the
130 * application (i.e. get number of "new events" by comparing to
131 * cached value).
132 *
133 * After a new SQ head value was read by the application this
134 * counter includes all submissions that were dropped reaching
135 * the new SQ head (and possibly more).
136 */
75b28aff 137 u32 sq_dropped;
1e84b97b
SB		 138 /*
139 * Runtime flags
140 *
141 * Written by the kernel, shouldn't be modified by the
142 * application.
143 *
144 * The application needs a full memory barrier before checking
145 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
146 */
75b28aff 147 u32 sq_flags;
1e84b97b
SB		 148 /*
149 * Number of completion events lost because the queue was full;
150 * this should be avoided by the application by making sure
0b4295b5 151 * there are not more requests pending than there is space in
1e84b97b
SB		 152 * the completion queue.
153 *
154 * Written by the kernel, shouldn't be modified by the
155 * application (i.e. get number of "new events" by comparing to
156 * cached value).
157 *
158 * As completion events come in out of order this counter is not
159 * ordered with any other data.
160 */
75b28aff 161 u32 cq_overflow;
1e84b97b
SB		 162 /*
163 * Ring buffer of completion events.
164 *
165 * The kernel writes completion events fresh every time they are
166 * produced, so the application is allowed to modify pending
167 * entries.
168 */
75b28aff 169 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
2b188cc1
JA		 170};
171
edafccee
JA		 172struct io_mapped_ubuf {
173 u64 ubuf;
174 size_t len;
175 struct bio_vec *bvec;
176 unsigned int nr_bvecs;
177};
178
65e19f54
JA		 179struct fixed_file_table {
180 struct file **files;
31b51510
JA		 181};
182
05f3fb3c
JA		 183enum {
184 FFD_F_ATOMIC,
185};
186
187struct fixed_file_data {
188 struct fixed_file_table *table;
189 struct io_ring_ctx *ctx;
190
191 struct percpu_ref refs;
192 struct llist_head put_llist;
193 unsigned long state;
194 struct work_struct ref_work;
195 struct completion done;
196};
197
2b188cc1
JA		 198struct io_ring_ctx {
199 struct {
200 struct percpu_ref refs;
201 } ____cacheline_aligned_in_smp;
202
203 struct {
204 unsigned int flags;
205 bool compat;
206 bool account_mem;
1d7bb1d5 207 bool cq_overflow_flushed;
1b4a51b6 208 bool drain_next;
2b188cc1 209
75b28aff
HV		 210 /*
211 * Ring buffer of indices into array of io_uring_sqe, which is
212 * mmapped by the application using the IORING_OFF_SQES offset.
213 *
214 * This indirection could e.g. be used to assign fixed
215 * io_uring_sqe entries to operations and only submit them to
216 * the queue when needed.
217 *
218 * The kernel modifies neither the indices array nor the entries
219 * array.
220 */
221 u32 *sq_array;
2b188cc1
JA		 222 unsigned cached_sq_head;
223 unsigned sq_entries;
224 unsigned sq_mask;
6c271ce2 225 unsigned sq_thread_idle;
498ccd9e 226 unsigned cached_sq_dropped;
206aefde 227 atomic_t cached_cq_overflow;
ad3eb2c8 228 unsigned long sq_check_overflow;
de0617e4
JA		 229
230 struct list_head defer_list;
5262f567 231 struct list_head timeout_list;
1d7bb1d5 232 struct list_head cq_overflow_list;
fcb323cc
JA		 233
234 wait_queue_head_t inflight_wait;
ad3eb2c8 235 struct io_uring_sqe *sq_sqes;
2b188cc1
JA		 236 } ____cacheline_aligned_in_smp;
237
206aefde
JA		 238 struct io_rings *rings;
239
2b188cc1 240 /* IO offload */
561fb04a 241 struct io_wq *io_wq;
6c271ce2 242 struct task_struct *sqo_thread; /* if using sq thread polling */
2b188cc1 243 struct mm_struct *sqo_mm;
6c271ce2 244 wait_queue_head_t sqo_wait;
75b28aff 245
6b06314c
JA		 246 /*
247 * If used, fixed file set. Writers must ensure that ->refs is dead,
248 * readers must ensure that ->refs is alive as long as the file* is
249 * used. Only updated through io_uring_register(2).
250 */
05f3fb3c 251 struct fixed_file_data *file_data;
6b06314c
JA		 252 unsigned nr_user_files;
253
edafccee
JA		 254 /* if used, fixed mapped user buffers */
255 unsigned nr_user_bufs;
256 struct io_mapped_ubuf *user_bufs;
257
2b188cc1
JA		 258 struct user_struct *user;
259
0b8c0ec7 260 const struct cred *creds;
181e448d 261
206aefde
JA		 262 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
263 struct completion *completions;
264
0ddf92e8
JA		 265 /* if all else fails... */
266 struct io_kiocb *fallback_req;
267
206aefde
JA		 268#if defined(CONFIG_UNIX)
269 struct socket *ring_sock;
270#endif
271
272 struct {
273 unsigned cached_cq_tail;
274 unsigned cq_entries;
275 unsigned cq_mask;
276 atomic_t cq_timeouts;
ad3eb2c8 277 unsigned long cq_check_overflow;
206aefde
JA		 278 struct wait_queue_head cq_wait;
279 struct fasync_struct *cq_fasync;
280 struct eventfd_ctx *cq_ev_fd;
281 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 282
283 struct {
284 struct mutex uring_lock;
285 wait_queue_head_t wait;
286 } ____cacheline_aligned_in_smp;
287
288 struct {
289 spinlock_t completion_lock;
e94f141b
JA		 290 struct llist_head poll_llist;
291
def596e9
JA		 292 /*
293 * ->poll_list is protected by the ctx->uring_lock for
294 * io_uring instances that don't use IORING_SETUP_SQPOLL.
295 * For SQPOLL, only the single threaded io_sq_thread() will
296 * manipulate the list, hence no extra locking is needed there.
297 */
298 struct list_head poll_list;
78076bb6
JA		 299 struct hlist_head *cancel_hash;
300 unsigned cancel_hash_bits;
e94f141b 301 bool poll_multi_file;
31b51510 302
fcb323cc
JA		 303 spinlock_t inflight_lock;
304 struct list_head inflight_list;
2b188cc1 305 } ____cacheline_aligned_in_smp;
2b188cc1
JA		 306};
307
09bb8394
JA		 308/*
309 * First field must be the file pointer in all the
310 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
311 */
221c5eb2
JA		 312struct io_poll_iocb {
313 struct file *file;
0969e783
JA		 314 union {
315 struct wait_queue_head *head;
316 u64 addr;
317 };
221c5eb2 318 __poll_t events;
8c838788 319 bool done;
221c5eb2 320 bool canceled;
392edb45 321 struct wait_queue_entry wait;
221c5eb2
JA		 322};
323
b5dba59e
JA		 324struct io_close {
325 struct file *file;
326 struct file *put_file;
327 int fd;
328};
329
ad8a48ac
JA		 330struct io_timeout_data {
331 struct io_kiocb *req;
332 struct hrtimer timer;
333 struct timespec64 ts;
334 enum hrtimer_mode mode;
cc42e0ac 335 u32 seq_offset;
ad8a48ac
JA		 336};
337
8ed8d3c3
JA		 338struct io_accept {
339 struct file *file;
340 struct sockaddr __user *addr;
341 int __user *addr_len;
342 int flags;
343};
344
345struct io_sync {
346 struct file *file;
347 loff_t len;
348 loff_t off;
349 int flags;
d63d1b5e 350 int mode;
8ed8d3c3
JA		 351};
352
fbf23849
JA		 353struct io_cancel {
354 struct file *file;
355 u64 addr;
356};
357
b29472ee
JA		 358struct io_timeout {
359 struct file *file;
360 u64 addr;
361 int flags;
26a61679 362 unsigned count;
b29472ee
JA		 363};
364
9adbd45d
JA		 365struct io_rw {
366 /* NOTE: kiocb has the file as the first member, so don't do it here */
367 struct kiocb kiocb;
368 u64 addr;
369 u64 len;
370};
371
3fbb51c1
JA		 372struct io_connect {
373 struct file *file;
374 struct sockaddr __user *addr;
375 int addr_len;
376};
377
e47293fd
JA		 378struct io_sr_msg {
379 struct file *file;
380 struct user_msghdr __user *msg;
381 int msg_flags;
382};
383
15b71abe
JA		 384struct io_open {
385 struct file *file;
386 int dfd;
eddc7ef5
JA		 387 union {
388 umode_t mode;
389 unsigned mask;
390 };
15b71abe
JA		 391 const char __user *fname;
392 struct filename *filename;
eddc7ef5 393 struct statx __user *buffer;
15b71abe
JA		 394 int flags;
395};
396
05f3fb3c
JA		 397struct io_files_update {
398 struct file *file;
399 u64 arg;
400 u32 nr_args;
401 u32 offset;
402};
403
4840e418
JA		 404struct io_fadvise {
405 struct file *file;
406 u64 offset;
407 u32 len;
408 u32 advice;
409};
410
f499a021
JA		 411struct io_async_connect {
412 struct sockaddr_storage address;
413};
414
03b1230c
JA		 415struct io_async_msghdr {
416 struct iovec fast_iov[UIO_FASTIOV];
417 struct iovec *iov;
418 struct sockaddr __user *uaddr;
419 struct msghdr msg;
420};
421
f67676d1
JA		 422struct io_async_rw {
423 struct iovec fast_iov[UIO_FASTIOV];
424 struct iovec *iov;
425 ssize_t nr_segs;
426 ssize_t size;
427};
428
15b71abe
JA		 429struct io_async_open {
430 struct filename *filename;
431};
432
1a6b74fc 433struct io_async_ctx {
f67676d1
JA		 434 union {
435 struct io_async_rw rw;
03b1230c 436 struct io_async_msghdr msg;
f499a021 437 struct io_async_connect connect;
2d28390a 438 struct io_timeout_data timeout;
15b71abe 439 struct io_async_open open;
f67676d1 440 };
1a6b74fc
JA		 441};
442
09bb8394
JA		 443/*
444 * NOTE! Each of the iocb union members has the file pointer
445 * as the first entry in their struct definition. So you can
446 * access the file pointer through any of the sub-structs,
447 * or directly as just 'ki_filp' in this struct.
448 */
2b188cc1 449struct io_kiocb {
221c5eb2 450 union {
09bb8394 451 struct file *file;
9adbd45d 452 struct io_rw rw;
221c5eb2 453 struct io_poll_iocb poll;
8ed8d3c3
JA		 454 struct io_accept accept;
455 struct io_sync sync;
fbf23849 456 struct io_cancel cancel;
b29472ee 457 struct io_timeout timeout;
3fbb51c1 458 struct io_connect connect;
e47293fd 459 struct io_sr_msg sr_msg;
15b71abe 460 struct io_open open;
b5dba59e 461 struct io_close close;
05f3fb3c 462 struct io_files_update files_update;
4840e418 463 struct io_fadvise fadvise;
221c5eb2 464 };
2b188cc1 465
1a6b74fc 466 struct io_async_ctx *io;
e94f141b
JA		 467 union {
468 /*
469 * ring_file is only used in the submission path, and
470 * llist_node is only used for poll deferred completions
471 */
472 struct file *ring_file;
473 struct llist_node llist_node;
474 };
cf6fd4bd
PB		 475 int ring_fd;
476 bool has_user;
477 bool in_async;
478 bool needs_fixed_file;
d625c6ee 479 u8 opcode;
2b188cc1
JA		 480
481 struct io_ring_ctx *ctx;
eac406c6
JA		 482 union {
483 struct list_head list;
78076bb6 484 struct hlist_node hash_node;
eac406c6 485 };
9e645e11 486 struct list_head link_list;
2b188cc1 487 unsigned int flags;
c16361c1 488 refcount_t refs;
8449eeda 489#define REQ_F_NOWAIT 1 /* must not punt to workers */
def596e9 490#define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
6b06314c 491#define REQ_F_FIXED_FILE 4 /* ctx owns file */
4d7dd462 492#define REQ_F_LINK_NEXT 8 /* already grabbed next link */
e2033e33
SB		 493#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
494#define REQ_F_IO_DRAINED 32 /* drain done */
9e645e11 495#define REQ_F_LINK 64 /* linked sqes */
2665abfd 496#define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
f7b76ac9 497#define REQ_F_FAIL_LINK 256 /* fail rest of links */
1b4a51b6 498#define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
5262f567 499#define REQ_F_TIMEOUT 1024 /* timeout request */
491381ce
JA		 500#define REQ_F_ISREG 2048 /* regular file */
501#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
93bd25bb 502#define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
fb4b3d3f
LT		 503#define REQ_F_INFLIGHT 16384 /* on inflight list */
504#define REQ_F_COMP_LOCKED 32768 /* completion under lock */
4e88d6e7 505#define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
ce35a47a 506#define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
ba04291e 507#define REQ_F_CUR_POS 262144 /* read/write uses file position */
2b188cc1 508 u64 user_data;
9e645e11 509 u32 result;
de0617e4 510 u32 sequence;
2b188cc1 511
fcb323cc
JA		 512 struct list_head inflight_entry;
513
561fb04a 514 struct io_wq_work work;
2b188cc1
JA		 515};
516
517#define IO_PLUG_THRESHOLD 2
def596e9 518#define IO_IOPOLL_BATCH 8
2b188cc1 519
9a56a232
JA		 520struct io_submit_state {
521 struct blk_plug plug;
522
2579f913
JA		 523 /*
524 * io_kiocb alloc cache
525 */
526 void *reqs[IO_IOPOLL_BATCH];
527 unsigned int free_reqs;
528 unsigned int cur_req;
529
9a56a232
JA		 530 /*
531 * File reference cache
532 */
533 struct file *file;
534 unsigned int fd;
535 unsigned int has_refs;
536 unsigned int used_refs;
537 unsigned int ios_left;
538};
539
d3656344
JA		 540struct io_op_def {
541 /* needs req->io allocated for deferral/async */
542 unsigned async_ctx : 1;
543 /* needs current->mm setup, does mm access */
544 unsigned needs_mm : 1;
545 /* needs req->file assigned */
546 unsigned needs_file : 1;
547 /* needs req->file assigned IFF fd is >= 0 */
548 unsigned fd_non_neg : 1;
549 /* hash wq insertion if file is a regular file */
550 unsigned hash_reg_file : 1;
551 /* unbound wq insertion if file is a non-regular file */
552 unsigned unbound_nonreg_file : 1;
553};
554
555static const struct io_op_def io_op_defs[] = {
556 {
557 /* IORING_OP_NOP */
558 },
559 {
560 /* IORING_OP_READV */
561 .async_ctx = 1,
562 .needs_mm = 1,
563 .needs_file = 1,
564 .unbound_nonreg_file = 1,
565 },
566 {
567 /* IORING_OP_WRITEV */
568 .async_ctx = 1,
569 .needs_mm = 1,
570 .needs_file = 1,
571 .hash_reg_file = 1,
572 .unbound_nonreg_file = 1,
573 },
574 {
575 /* IORING_OP_FSYNC */
576 .needs_file = 1,
577 },
578 {
579 /* IORING_OP_READ_FIXED */
580 .needs_file = 1,
581 .unbound_nonreg_file = 1,
582 },
583 {
584 /* IORING_OP_WRITE_FIXED */
585 .needs_file = 1,
586 .hash_reg_file = 1,
587 .unbound_nonreg_file = 1,
588 },
589 {
590 /* IORING_OP_POLL_ADD */
591 .needs_file = 1,
592 .unbound_nonreg_file = 1,
593 },
594 {
595 /* IORING_OP_POLL_REMOVE */
596 },
597 {
598 /* IORING_OP_SYNC_FILE_RANGE */
599 .needs_file = 1,
600 },
601 {
602 /* IORING_OP_SENDMSG */
603 .async_ctx = 1,
604 .needs_mm = 1,
605 .needs_file = 1,
606 .unbound_nonreg_file = 1,
607 },
608 {
609 /* IORING_OP_RECVMSG */
610 .async_ctx = 1,
611 .needs_mm = 1,
612 .needs_file = 1,
613 .unbound_nonreg_file = 1,
614 },
615 {
616 /* IORING_OP_TIMEOUT */
617 .async_ctx = 1,
618 .needs_mm = 1,
619 },
620 {
621 /* IORING_OP_TIMEOUT_REMOVE */
622 },
623 {
624 /* IORING_OP_ACCEPT */
625 .needs_mm = 1,
626 .needs_file = 1,
627 .unbound_nonreg_file = 1,
628 },
629 {
630 /* IORING_OP_ASYNC_CANCEL */
631 },
632 {
633 /* IORING_OP_LINK_TIMEOUT */
634 .async_ctx = 1,
635 .needs_mm = 1,
636 },
637 {
638 /* IORING_OP_CONNECT */
639 .async_ctx = 1,
640 .needs_mm = 1,
641 .needs_file = 1,
642 .unbound_nonreg_file = 1,
643 },
644 {
645 /* IORING_OP_FALLOCATE */
646 .needs_file = 1,
647 },
648 {
649 /* IORING_OP_OPENAT */
650 .needs_file = 1,
651 .fd_non_neg = 1,
652 },
653 {
654 /* IORING_OP_CLOSE */
655 .needs_file = 1,
656 },
657 {
658 /* IORING_OP_FILES_UPDATE */
659 .needs_mm = 1,
660 },
661 {
662 /* IORING_OP_STATX */
663 .needs_mm = 1,
664 .needs_file = 1,
665 .fd_non_neg = 1,
666 },
3a6820f2
JA		 667 {
668 /* IORING_OP_READ */
669 .needs_mm = 1,
670 .needs_file = 1,
671 .unbound_nonreg_file = 1,
672 },
673 {
674 /* IORING_OP_WRITE */
675 .needs_mm = 1,
676 .needs_file = 1,
677 .unbound_nonreg_file = 1,
678 },
4840e418
JA		 679 {
680 /* IORING_OP_FADVISE */
681 .needs_file = 1,
682 },
d3656344
JA		 683};
684
561fb04a 685static void io_wq_submit_work(struct io_wq_work **workptr);
78e19bbe 686static void io_cqring_fill_event(struct io_kiocb *req, long res);
ec9c02ad 687static void io_put_req(struct io_kiocb *req);
978db57e 688static void __io_double_put_req(struct io_kiocb *req);
94ae5e77
JA		 689static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
690static void io_queue_linked_timeout(struct io_kiocb *req);
05f3fb3c
JA		 691static int __io_sqe_files_update(struct io_ring_ctx *ctx,
692 struct io_uring_files_update *ip,
693 unsigned nr_args);
de0617e4 694
2b188cc1
JA		 695static struct kmem_cache *req_cachep;
696
697static const struct file_operations io_uring_fops;
698
699struct sock *io_uring_get_socket(struct file *file)
700{
701#if defined(CONFIG_UNIX)
702 if (file->f_op == &io_uring_fops) {
703 struct io_ring_ctx *ctx = file->private_data;
704
705 return ctx->ring_sock->sk;
706 }
707#endif
708 return NULL;
709}
710EXPORT_SYMBOL(io_uring_get_socket);
711
712static void io_ring_ctx_ref_free(struct percpu_ref *ref)
713{
714 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
715
206aefde 716 complete(&ctx->completions[0]);
2b188cc1
JA		 717}
718
719static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
720{
721 struct io_ring_ctx *ctx;
78076bb6 722 int hash_bits;
2b188cc1
JA		 723
724 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
725 if (!ctx)
726 return NULL;
727
0ddf92e8
JA		 728 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
729 if (!ctx->fallback_req)
730 goto err;
731
206aefde
JA		 732 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
733 if (!ctx->completions)
734 goto err;
735
78076bb6
JA		 736 /*
737 * Use 5 bits less than the max cq entries, that should give us around
738 * 32 entries per hash list if totally full and uniformly spread.
739 */
740 hash_bits = ilog2(p->cq_entries);
741 hash_bits -= 5;
742 if (hash_bits <= 0)
743 hash_bits = 1;
744 ctx->cancel_hash_bits = hash_bits;
745 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
746 GFP_KERNEL);
747 if (!ctx->cancel_hash)
748 goto err;
749 __hash_init(ctx->cancel_hash, 1U << hash_bits);
750
21482896 751 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
206aefde
JA		 752 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
753 goto err;
2b188cc1
JA		 754
755 ctx->flags = p->flags;
756 init_waitqueue_head(&ctx->cq_wait);
1d7bb1d5 757 INIT_LIST_HEAD(&ctx->cq_overflow_list);
206aefde
JA		 758 init_completion(&ctx->completions[0]);
759 init_completion(&ctx->completions[1]);
2b188cc1
JA		 760 mutex_init(&ctx->uring_lock);
761 init_waitqueue_head(&ctx->wait);
762 spin_lock_init(&ctx->completion_lock);
e94f141b 763 init_llist_head(&ctx->poll_llist);
def596e9 764 INIT_LIST_HEAD(&ctx->poll_list);
de0617e4 765 INIT_LIST_HEAD(&ctx->defer_list);
5262f567 766 INIT_LIST_HEAD(&ctx->timeout_list);
fcb323cc
JA		 767 init_waitqueue_head(&ctx->inflight_wait);
768 spin_lock_init(&ctx->inflight_lock);
769 INIT_LIST_HEAD(&ctx->inflight_list);
2b188cc1 770 return ctx;
206aefde 771err:
0ddf92e8
JA		 772 if (ctx->fallback_req)
773 kmem_cache_free(req_cachep, ctx->fallback_req);
206aefde 774 kfree(ctx->completions);
78076bb6 775 kfree(ctx->cancel_hash);
206aefde
JA		 776 kfree(ctx);
777 return NULL;
2b188cc1
JA		 778}
779
9d858b21 780static inline bool __req_need_defer(struct io_kiocb *req)
7adf4eaf 781{
a197f664
JL		 782 struct io_ring_ctx *ctx = req->ctx;
783
498ccd9e
JA		 784 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
785 + atomic_read(&ctx->cached_cq_overflow);
7adf4eaf
JA		 786}
787
9d858b21 788static inline bool req_need_defer(struct io_kiocb *req)
de0617e4 789{
9d858b21
BL		 790 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
791 return __req_need_defer(req);
de0617e4 792
9d858b21 793 return false;
de0617e4
JA		 794}
795
7adf4eaf 796static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
de0617e4
JA		 797{
798 struct io_kiocb *req;
799
7adf4eaf 800 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
9d858b21 801 if (req && !req_need_defer(req)) {
de0617e4
JA		 802 list_del_init(&req->list);
803 return req;
804 }
805
806 return NULL;
807}
808
5262f567
JA		 809static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
810{
7adf4eaf
JA		 811 struct io_kiocb *req;
812
813 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
93bd25bb
JA		 814 if (req) {
815 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
816 return NULL;
fb4b3d3f 817 if (!__req_need_defer(req)) {
93bd25bb
JA		 818 list_del_init(&req->list);
819 return req;
820 }
7adf4eaf
JA		 821 }
822
823 return NULL;
5262f567
JA		 824}
825
de0617e4 826static void __io_commit_cqring(struct io_ring_ctx *ctx)
2b188cc1 827{
75b28aff 828 struct io_rings *rings = ctx->rings;
2b188cc1 829
75b28aff 830 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
2b188cc1 831 /* order cqe stores with ring update */
75b28aff 832 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
2b188cc1 833
2b188cc1
JA		 834 if (wq_has_sleeper(&ctx->cq_wait)) {
835 wake_up_interruptible(&ctx->cq_wait);
836 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
837 }
838 }
839}
840
94ae5e77
JA		 841static inline bool io_prep_async_work(struct io_kiocb *req,
842 struct io_kiocb **link)
18d9be1a 843{
d3656344 844 const struct io_op_def *def = &io_op_defs[req->opcode];
561fb04a 845 bool do_hashed = false;
54a91f3b 846
d3656344
JA		 847 if (req->flags & REQ_F_ISREG) {
848 if (def->hash_reg_file)
3529d8c2 849 do_hashed = true;
d3656344
JA		 850 } else {
851 if (def->unbound_nonreg_file)
3529d8c2 852 req->work.flags |= IO_WQ_WORK_UNBOUND;
54a91f3b 853 }
d3656344 854 if (def->needs_mm)
3529d8c2 855 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
54a91f3b 856
94ae5e77 857 *link = io_prep_linked_timeout(req);
561fb04a
JA		 858 return do_hashed;
859}
860
a197f664 861static inline void io_queue_async_work(struct io_kiocb *req)
561fb04a 862{
a197f664 863 struct io_ring_ctx *ctx = req->ctx;
94ae5e77
JA		 864 struct io_kiocb *link;
865 bool do_hashed;
866
867 do_hashed = io_prep_async_work(req, &link);
561fb04a
JA		 868
869 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
870 req->flags);
871 if (!do_hashed) {
872 io_wq_enqueue(ctx->io_wq, &req->work);
873 } else {
874 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
875 file_inode(req->file));
876 }
94ae5e77
JA		 877
878 if (link)
879 io_queue_linked_timeout(link);
18d9be1a
JA		 880}
881
5262f567
JA		 882static void io_kill_timeout(struct io_kiocb *req)
883{
884 int ret;
885
2d28390a 886 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
5262f567
JA		 887 if (ret != -1) {
888 atomic_inc(&req->ctx->cq_timeouts);
842f9612 889 list_del_init(&req->list);
78e19bbe 890 io_cqring_fill_event(req, 0);
ec9c02ad 891 io_put_req(req);
5262f567
JA		 892 }
893}
894
895static void io_kill_timeouts(struct io_ring_ctx *ctx)
896{
897 struct io_kiocb *req, *tmp;
898
899 spin_lock_irq(&ctx->completion_lock);
900 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
901 io_kill_timeout(req);
902 spin_unlock_irq(&ctx->completion_lock);
903}
904
de0617e4
JA		 905static void io_commit_cqring(struct io_ring_ctx *ctx)
906{
907 struct io_kiocb *req;
908
5262f567
JA		 909 while ((req = io_get_timeout_req(ctx)) != NULL)
910 io_kill_timeout(req);
911
de0617e4
JA		 912 __io_commit_cqring(ctx);
913
914 while ((req = io_get_deferred_req(ctx)) != NULL) {
915 req->flags |= REQ_F_IO_DRAINED;
a197f664 916 io_queue_async_work(req);
de0617e4
JA		 917 }
918}
919
2b188cc1
JA		 920static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
921{
75b28aff 922 struct io_rings *rings = ctx->rings;
2b188cc1
JA		 923 unsigned tail;
924
925 tail = ctx->cached_cq_tail;
115e12e5
SB		 926 /*
927 * writes to the cq entry need to come after reading head; the
928 * control dependency is enough as we're using WRITE_ONCE to
929 * fill the cq entry
930 */
75b28aff 931 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
2b188cc1
JA		 932 return NULL;
933
934 ctx->cached_cq_tail++;
75b28aff 935 return &rings->cqes[tail & ctx->cq_mask];
2b188cc1
JA		 936}
937
1d7bb1d5
JA		 938static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
939{
940 if (waitqueue_active(&ctx->wait))
941 wake_up(&ctx->wait);
942 if (waitqueue_active(&ctx->sqo_wait))
943 wake_up(&ctx->sqo_wait);
944 if (ctx->cq_ev_fd)
945 eventfd_signal(ctx->cq_ev_fd, 1);
946}
947
c4a2ed72
JA		 948/* Returns true if there are no backlogged entries after the flush */
949static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1d7bb1d5
JA		 950{
951 struct io_rings *rings = ctx->rings;
952 struct io_uring_cqe *cqe;
953 struct io_kiocb *req;
954 unsigned long flags;
955 LIST_HEAD(list);
956
957 if (!force) {
958 if (list_empty_careful(&ctx->cq_overflow_list))
c4a2ed72 959 return true;
1d7bb1d5
JA		 960 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
961 rings->cq_ring_entries))
c4a2ed72 962 return false;
1d7bb1d5
JA		 963 }
964
965 spin_lock_irqsave(&ctx->completion_lock, flags);
966
967 /* if force is set, the ring is going away. always drop after that */
968 if (force)
969 ctx->cq_overflow_flushed = true;
970
c4a2ed72 971 cqe = NULL;
1d7bb1d5
JA		 972 while (!list_empty(&ctx->cq_overflow_list)) {
973 cqe = io_get_cqring(ctx);
974 if (!cqe && !force)
975 break;
976
977 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
978 list);
979 list_move(&req->list, &list);
980 if (cqe) {
981 WRITE_ONCE(cqe->user_data, req->user_data);
982 WRITE_ONCE(cqe->res, req->result);
983 WRITE_ONCE(cqe->flags, 0);
984 } else {
985 WRITE_ONCE(ctx->rings->cq_overflow,
986 atomic_inc_return(&ctx->cached_cq_overflow));
987 }
988 }
989
990 io_commit_cqring(ctx);
ad3eb2c8
JA		 991 if (cqe) {
992 clear_bit(0, &ctx->sq_check_overflow);
993 clear_bit(0, &ctx->cq_check_overflow);
994 }
1d7bb1d5
JA		 995 spin_unlock_irqrestore(&ctx->completion_lock, flags);
996 io_cqring_ev_posted(ctx);
997
998 while (!list_empty(&list)) {
999 req = list_first_entry(&list, struct io_kiocb, list);
1000 list_del(&req->list);
ec9c02ad 1001 io_put_req(req);
1d7bb1d5 1002 }
c4a2ed72
JA		 1003
1004 return cqe != NULL;
1d7bb1d5
JA		 1005}
1006
78e19bbe 1007static void io_cqring_fill_event(struct io_kiocb *req, long res)
2b188cc1 1008{
78e19bbe 1009 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1010 struct io_uring_cqe *cqe;
1011
78e19bbe 1012 trace_io_uring_complete(ctx, req->user_data, res);
51c3ff62 1013
2b188cc1
JA		 1014 /*
1015 * If we can't get a cq entry, userspace overflowed the
1016 * submission (by quite a lot). Increment the overflow count in
1017 * the ring.
1018 */
1019 cqe = io_get_cqring(ctx);
1d7bb1d5 1020 if (likely(cqe)) {
78e19bbe 1021 WRITE_ONCE(cqe->user_data, req->user_data);
2b188cc1 1022 WRITE_ONCE(cqe->res, res);
c71ffb67 1023 WRITE_ONCE(cqe->flags, 0);
1d7bb1d5 1024 } else if (ctx->cq_overflow_flushed) {
498ccd9e
JA		 1025 WRITE_ONCE(ctx->rings->cq_overflow,
1026 atomic_inc_return(&ctx->cached_cq_overflow));
1d7bb1d5 1027 } else {
ad3eb2c8
JA		 1028 if (list_empty(&ctx->cq_overflow_list)) {
1029 set_bit(0, &ctx->sq_check_overflow);
1030 set_bit(0, &ctx->cq_check_overflow);
1031 }
1d7bb1d5
JA		 1032 refcount_inc(&req->refs);
1033 req->result = res;
1034 list_add_tail(&req->list, &ctx->cq_overflow_list);
2b188cc1
JA		 1035 }
1036}
1037
78e19bbe 1038static void io_cqring_add_event(struct io_kiocb *req, long res)
2b188cc1 1039{
78e19bbe 1040 struct io_ring_ctx *ctx = req->ctx;
2b188cc1
JA		 1041 unsigned long flags;
1042
1043 spin_lock_irqsave(&ctx->completion_lock, flags);
78e19bbe 1044 io_cqring_fill_event(req, res);
2b188cc1
JA		 1045 io_commit_cqring(ctx);
1046 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1047
8c838788 1048 io_cqring_ev_posted(ctx);
2b188cc1
JA		 1049}
1050
0ddf92e8
JA		 1051static inline bool io_is_fallback_req(struct io_kiocb *req)
1052{
1053 return req == (struct io_kiocb *)
1054 ((unsigned long) req->ctx->fallback_req & ~1UL);
1055}
1056
1057static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
1058{
1059 struct io_kiocb *req;
1060
1061 req = ctx->fallback_req;
1062 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
1063 return req;
1064
1065 return NULL;
1066}
1067
2579f913
JA		 1068static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
1069 struct io_submit_state *state)
2b188cc1 1070{
fd6fab2c 1071 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2b188cc1
JA		 1072 struct io_kiocb *req;
1073
1074 if (!percpu_ref_tryget(&ctx->refs))
1075 return NULL;
1076
2579f913 1077 if (!state) {
fd6fab2c 1078 req = kmem_cache_alloc(req_cachep, gfp);
2579f913 1079 if (unlikely(!req))
0ddf92e8 1080 goto fallback;
2579f913
JA		 1081 } else if (!state->free_reqs) {
1082 size_t sz;
1083 int ret;
1084
1085 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
fd6fab2c
JA		 1086 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
1087
1088 /*
1089 * Bulk alloc is all-or-nothing. If we fail to get a batch,
1090 * retry single alloc to be on the safe side.
1091 */
1092 if (unlikely(ret <= 0)) {
1093 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
1094 if (!state->reqs[0])
0ddf92e8 1095 goto fallback;
fd6fab2c
JA		 1096 ret = 1;
1097 }
2579f913
JA		 1098 state->free_reqs = ret - 1;
1099 state->cur_req = 1;
1100 req = state->reqs[0];
1101 } else {
1102 req = state->reqs[state->cur_req];
1103 state->free_reqs--;
1104 state->cur_req++;
2b188cc1
JA		 1105 }
1106
0ddf92e8 1107got_it:
1a6b74fc 1108 req->io = NULL;
cf6fd4bd 1109 req->ring_file = NULL;
60c112b0 1110 req->file = NULL;
2579f913
JA		 1111 req->ctx = ctx;
1112 req->flags = 0;
e65ef56d
JA		 1113 /* one is dropped after submission, the other at completion */
1114 refcount_set(&req->refs, 2);
9e645e11 1115 req->result = 0;
561fb04a 1116 INIT_IO_WORK(&req->work, io_wq_submit_work);
2579f913 1117 return req;
0ddf92e8
JA		 1118fallback:
1119 req = io_get_fallback_req(ctx);
1120 if (req)
1121 goto got_it;
6805b32e 1122 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 1123 return NULL;
1124}
1125
def596e9
JA		 1126static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr)
1127{
1128 if (*nr) {
1129 kmem_cache_free_bulk(req_cachep, *nr, reqs);
6805b32e 1130 percpu_ref_put_many(&ctx->refs, *nr);
05f3fb3c 1131 percpu_ref_put_many(&ctx->file_data->refs, *nr);
def596e9
JA		 1132 *nr = 0;
1133 }
1134}
1135
9e645e11 1136static void __io_free_req(struct io_kiocb *req)
2b188cc1 1137{
fcb323cc
JA		 1138 struct io_ring_ctx *ctx = req->ctx;
1139
1a6b74fc
JA		 1140 if (req->io)
1141 kfree(req->io);
05f3fb3c
JA		 1142 if (req->file) {
1143 if (req->flags & REQ_F_FIXED_FILE)
1144 percpu_ref_put(&ctx->file_data->refs);
1145 else
1146 fput(req->file);
1147 }
fcb323cc
JA		 1148 if (req->flags & REQ_F_INFLIGHT) {
1149 unsigned long flags;
1150
1151 spin_lock_irqsave(&ctx->inflight_lock, flags);
1152 list_del(&req->inflight_entry);
1153 if (waitqueue_active(&ctx->inflight_wait))
1154 wake_up(&ctx->inflight_wait);
1155 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1156 }
1157 percpu_ref_put(&ctx->refs);
0ddf92e8
JA		 1158 if (likely(!io_is_fallback_req(req)))
1159 kmem_cache_free(req_cachep, req);
1160 else
1161 clear_bit_unlock(0, (unsigned long *) ctx->fallback_req);
e65ef56d
JA		 1162}
1163
a197f664 1164static bool io_link_cancel_timeout(struct io_kiocb *req)
2665abfd 1165{
a197f664 1166 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1167 int ret;
1168
2d28390a 1169 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2665abfd 1170 if (ret != -1) {
78e19bbe 1171 io_cqring_fill_event(req, -ECANCELED);
2665abfd
JA		 1172 io_commit_cqring(ctx);
1173 req->flags &= ~REQ_F_LINK;
ec9c02ad 1174 io_put_req(req);
2665abfd
JA		 1175 return true;
1176 }
1177
1178 return false;
e65ef56d
JA		 1179}
1180
ba816ad6 1181static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
9e645e11 1182{
2665abfd 1183 struct io_ring_ctx *ctx = req->ctx;
2665abfd 1184 bool wake_ev = false;
9e645e11 1185
4d7dd462
JA		 1186 /* Already got next link */
1187 if (req->flags & REQ_F_LINK_NEXT)
1188 return;
1189
9e645e11
JA		 1190 /*
1191 * The list should never be empty when we are called here. But could
1192 * potentially happen if the chain is messed up, check to be on the
1193 * safe side.
1194 */
4493233e
PB		 1195 while (!list_empty(&req->link_list)) {
1196 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1197 struct io_kiocb, link_list);
94ae5e77 1198
4493233e
PB		 1199 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1200 (nxt->flags & REQ_F_TIMEOUT))) {
1201 list_del_init(&nxt->link_list);
94ae5e77 1202 wake_ev |= io_link_cancel_timeout(nxt);
94ae5e77
JA		 1203 req->flags &= ~REQ_F_LINK_TIMEOUT;
1204 continue;
1205 }
9e645e11 1206
4493233e
PB		 1207 list_del_init(&req->link_list);
1208 if (!list_empty(&nxt->link_list))
1209 nxt->flags |= REQ_F_LINK;
b18fdf71 1210 *nxtptr = nxt;
94ae5e77 1211 break;
9e645e11 1212 }
2665abfd 1213
4d7dd462 1214 req->flags |= REQ_F_LINK_NEXT;
2665abfd
JA		 1215 if (wake_ev)
1216 io_cqring_ev_posted(ctx);
9e645e11
JA		 1217}
1218
1219/*
1220 * Called if REQ_F_LINK is set, and we fail the head request
1221 */
1222static void io_fail_links(struct io_kiocb *req)
1223{
2665abfd 1224 struct io_ring_ctx *ctx = req->ctx;
2665abfd
JA		 1225 unsigned long flags;
1226
1227 spin_lock_irqsave(&ctx->completion_lock, flags);
9e645e11
JA		 1228
1229 while (!list_empty(&req->link_list)) {
4493233e
PB		 1230 struct io_kiocb *link = list_first_entry(&req->link_list,
1231 struct io_kiocb, link_list);
9e645e11 1232
4493233e 1233 list_del_init(&link->link_list);
c826bd7a 1234 trace_io_uring_fail_link(req, link);
2665abfd
JA		 1235
1236 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
d625c6ee 1237 link->opcode == IORING_OP_LINK_TIMEOUT) {
a197f664 1238 io_link_cancel_timeout(link);
2665abfd 1239 } else {
78e19bbe 1240 io_cqring_fill_event(link, -ECANCELED);
978db57e 1241 __io_double_put_req(link);
2665abfd 1242 }
5d960724 1243 req->flags &= ~REQ_F_LINK_TIMEOUT;
9e645e11 1244 }
2665abfd
JA		 1245
1246 io_commit_cqring(ctx);
1247 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1248 io_cqring_ev_posted(ctx);
9e645e11
JA		 1249}
1250
4d7dd462 1251static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
9e645e11 1252{
4d7dd462 1253 if (likely(!(req->flags & REQ_F_LINK)))
2665abfd 1254 return;
2665abfd 1255
9e645e11
JA		 1256 /*
1257 * If LINK is set, we have dependent requests in this chain. If we
1258 * didn't fail this request, queue the first one up, moving any other
1259 * dependencies to the next request. In case of failure, fail the rest
1260 * of the chain.
1261 */
2665abfd
JA		 1262 if (req->flags & REQ_F_FAIL_LINK) {
1263 io_fail_links(req);
7c9e7f0f
JA		 1264 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1265 REQ_F_LINK_TIMEOUT) {
2665abfd
JA		 1266 struct io_ring_ctx *ctx = req->ctx;
1267 unsigned long flags;
1268
1269 /*
1270 * If this is a timeout link, we could be racing with the
1271 * timeout timer. Grab the completion lock for this case to
7c9e7f0f 1272 * protect against that.
2665abfd
JA		 1273 */
1274 spin_lock_irqsave(&ctx->completion_lock, flags);
1275 io_req_link_next(req, nxt);
1276 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1277 } else {
1278 io_req_link_next(req, nxt);
9e645e11 1279 }
4d7dd462 1280}
9e645e11 1281
c69f8dbe
JL		 1282static void io_free_req(struct io_kiocb *req)
1283{
944e58bf
PB		 1284 struct io_kiocb *nxt = NULL;
1285
1286 io_req_find_next(req, &nxt);
70cf9f32 1287 __io_free_req(req);
944e58bf
PB		 1288
1289 if (nxt)
1290 io_queue_async_work(nxt);
c69f8dbe
JL		 1291}
1292
ba816ad6
JA		 1293/*
1294 * Drop reference to request, return next in chain (if there is one) if this
1295 * was the last reference to this request.
1296 */
f9bd67f6 1297__attribute__((nonnull))
ec9c02ad 1298static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
e65ef56d 1299{
f9bd67f6 1300 io_req_find_next(req, nxtptr);
4d7dd462 1301
e65ef56d 1302 if (refcount_dec_and_test(&req->refs))
4d7dd462 1303 __io_free_req(req);
2b188cc1
JA		 1304}
1305
e65ef56d
JA		 1306static void io_put_req(struct io_kiocb *req)
1307{
1308 if (refcount_dec_and_test(&req->refs))
1309 io_free_req(req);
2b188cc1
JA		 1310}
1311
978db57e
JA		 1312/*
1313 * Must only be used if we don't need to care about links, usually from
1314 * within the completion handling itself.
1315 */
1316static void __io_double_put_req(struct io_kiocb *req)
78e19bbe
JA		 1317{
1318 /* drop both submit and complete references */
1319 if (refcount_sub_and_test(2, &req->refs))
1320 __io_free_req(req);
1321}
1322
978db57e
JA		 1323static void io_double_put_req(struct io_kiocb *req)
1324{
1325 /* drop both submit and complete references */
1326 if (refcount_sub_and_test(2, &req->refs))
1327 io_free_req(req);
1328}
1329
1d7bb1d5 1330static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
a3a0e43f 1331{
84f97dc2
JA		 1332 struct io_rings *rings = ctx->rings;
1333
ad3eb2c8
JA		 1334 if (test_bit(0, &ctx->cq_check_overflow)) {
1335 /*
1336 * noflush == true is from the waitqueue handler, just ensure
1337 * we wake up the task, and the next invocation will flush the
1338 * entries. We cannot safely to it from here.
1339 */
1340 if (noflush && !list_empty(&ctx->cq_overflow_list))
1341 return -1U;
1d7bb1d5 1342
ad3eb2c8
JA		 1343 io_cqring_overflow_flush(ctx, false);
1344 }
1d7bb1d5 1345
a3a0e43f
JA		 1346 /* See comment at the top of this file */
1347 smp_rmb();
ad3eb2c8 1348 return ctx->cached_cq_tail - READ_ONCE(rings->cq.head);
a3a0e43f
JA		 1349}
1350
fb5ccc98
PB		 1351static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1352{
1353 struct io_rings *rings = ctx->rings;
1354
1355 /* make sure SQ entry isn't read before tail */
1356 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1357}
1358
e94f141b
JA		 1359static inline bool io_req_multi_free(struct io_kiocb *req)
1360{
1361 /*
1362 * If we're not using fixed files, we have to pair the completion part
1363 * with the file put. Use regular completions for those, only batch
1364 * free for fixed file and non-linked commands.
1365 */
1366 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) == REQ_F_FIXED_FILE)
1367 && !io_is_fallback_req(req) && !req->io)
1368 return true;
1369
1370 return false;
1371}
1372
def596e9
JA		 1373/*
1374 * Find and free completed poll iocbs
1375 */
1376static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1377 struct list_head *done)
1378{
1379 void *reqs[IO_IOPOLL_BATCH];
1380 struct io_kiocb *req;
09bb8394 1381 int to_free;
def596e9 1382
09bb8394 1383 to_free = 0;
def596e9
JA		 1384 while (!list_empty(done)) {
1385 req = list_first_entry(done, struct io_kiocb, list);
1386 list_del(&req->list);
1387
78e19bbe 1388 io_cqring_fill_event(req, req->result);
def596e9
JA		 1389 (*nr_events)++;
1390
09bb8394 1391 if (refcount_dec_and_test(&req->refs)) {
e94f141b 1392 if (io_req_multi_free(req)) {
09bb8394
JA		 1393 reqs[to_free++] = req;
1394 if (to_free == ARRAY_SIZE(reqs))
1395 io_free_req_many(ctx, reqs, &to_free);
6b06314c 1396 } else {
09bb8394 1397 io_free_req(req);
6b06314c 1398 }
9a56a232 1399 }
def596e9 1400 }
def596e9 1401
09bb8394 1402 io_commit_cqring(ctx);
def596e9
JA		 1403 io_free_req_many(ctx, reqs, &to_free);
1404}
1405
1406static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1407 long min)
1408{
1409 struct io_kiocb *req, *tmp;
1410 LIST_HEAD(done);
1411 bool spin;
1412 int ret;
1413
1414 /*
1415 * Only spin for completions if we don't have multiple devices hanging
1416 * off our complete list, and we're under the requested amount.
1417 */
1418 spin = !ctx->poll_multi_file && *nr_events < min;
1419
1420 ret = 0;
1421 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
9adbd45d 1422 struct kiocb *kiocb = &req->rw.kiocb;
def596e9
JA		 1423
1424 /*
1425 * Move completed entries to our local list. If we find a
1426 * request that requires polling, break out and complete
1427 * the done list first, if we have entries there.
1428 */
1429 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1430 list_move_tail(&req->list, &done);
1431 continue;
1432 }
1433 if (!list_empty(&done))
1434 break;
1435
1436 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1437 if (ret < 0)
1438 break;
1439
1440 if (ret && spin)
1441 spin = false;
1442 ret = 0;
1443 }
1444
1445 if (!list_empty(&done))
1446 io_iopoll_complete(ctx, nr_events, &done);
1447
1448 return ret;
1449}
1450
1451/*
d195a66e 1452 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
def596e9
JA		 1453 * non-spinning poll check - we'll still enter the driver poll loop, but only
1454 * as a non-spinning completion check.
1455 */
1456static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1457 long min)
1458{
08f5439f 1459 while (!list_empty(&ctx->poll_list) && !need_resched()) {
def596e9
JA		 1460 int ret;
1461
1462 ret = io_do_iopoll(ctx, nr_events, min);
1463 if (ret < 0)
1464 return ret;
1465 if (!min || *nr_events >= min)
1466 return 0;
1467 }
1468
1469 return 1;
1470}
1471
1472/*
1473 * We can't just wait for polled events to come to us, we have to actively
1474 * find and complete them.
1475 */
1476static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1477{
1478 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1479 return;
1480
1481 mutex_lock(&ctx->uring_lock);
1482 while (!list_empty(&ctx->poll_list)) {
1483 unsigned int nr_events = 0;
1484
1485 io_iopoll_getevents(ctx, &nr_events, 1);
08f5439f
JA		 1486
1487 /*
1488 * Ensure we allow local-to-the-cpu processing to take place,
1489 * in this case we need to ensure that we reap all events.
1490 */
1491 cond_resched();
def596e9
JA		 1492 }
1493 mutex_unlock(&ctx->uring_lock);
1494}
1495
2b2ed975
JA		 1496static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1497 long min)
def596e9 1498{
2b2ed975 1499 int iters = 0, ret = 0;
500f9fba 1500
def596e9
JA		 1501 do {
1502 int tmin = 0;
1503
a3a0e43f
JA		 1504 /*
1505 * Don't enter poll loop if we already have events pending.
1506 * If we do, we can potentially be spinning for commands that
1507 * already triggered a CQE (eg in error).
1508 */
1d7bb1d5 1509 if (io_cqring_events(ctx, false))
a3a0e43f
JA		 1510 break;
1511
500f9fba
JA		 1512 /*
1513 * If a submit got punted to a workqueue, we can have the
1514 * application entering polling for a command before it gets
1515 * issued. That app will hold the uring_lock for the duration
1516 * of the poll right here, so we need to take a breather every
1517 * now and then to ensure that the issue has a chance to add
1518 * the poll to the issued list. Otherwise we can spin here
1519 * forever, while the workqueue is stuck trying to acquire the
1520 * very same mutex.
1521 */
1522 if (!(++iters & 7)) {
1523 mutex_unlock(&ctx->uring_lock);
1524 mutex_lock(&ctx->uring_lock);
1525 }
1526
def596e9
JA		 1527 if (*nr_events < min)
1528 tmin = min - *nr_events;
1529
1530 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1531 if (ret <= 0)
1532 break;
1533 ret = 0;
1534 } while (min && !*nr_events && !need_resched());
1535
2b2ed975
JA		 1536 return ret;
1537}
1538
1539static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1540 long min)
1541{
1542 int ret;
1543
1544 /*
1545 * We disallow the app entering submit/complete with polling, but we
1546 * still need to lock the ring to prevent racing with polled issue
1547 * that got punted to a workqueue.
1548 */
1549 mutex_lock(&ctx->uring_lock);
1550 ret = __io_iopoll_check(ctx, nr_events, min);
500f9fba 1551 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 1552 return ret;
1553}
1554
491381ce 1555static void kiocb_end_write(struct io_kiocb *req)
2b188cc1 1556{
491381ce
JA		 1557 /*
1558 * Tell lockdep we inherited freeze protection from submission
1559 * thread.
1560 */
1561 if (req->flags & REQ_F_ISREG) {
1562 struct inode *inode = file_inode(req->file);
2b188cc1 1563
491381ce 1564 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
2b188cc1 1565 }
491381ce 1566 file_end_write(req->file);
2b188cc1
JA		 1567}
1568
4e88d6e7
JA		 1569static inline void req_set_fail_links(struct io_kiocb *req)
1570{
1571 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1572 req->flags |= REQ_F_FAIL_LINK;
1573}
1574
ba816ad6 1575static void io_complete_rw_common(struct kiocb *kiocb, long res)
2b188cc1 1576{
9adbd45d 1577 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
2b188cc1 1578
491381ce
JA		 1579 if (kiocb->ki_flags & IOCB_WRITE)
1580 kiocb_end_write(req);
2b188cc1 1581
4e88d6e7
JA		 1582 if (res != req->result)
1583 req_set_fail_links(req);
78e19bbe 1584 io_cqring_add_event(req, res);
ba816ad6
JA		 1585}
1586
1587static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1588{
9adbd45d 1589 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ba816ad6
JA		 1590
1591 io_complete_rw_common(kiocb, res);
e65ef56d 1592 io_put_req(req);
2b188cc1
JA		 1593}
1594
ba816ad6
JA		 1595static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1596{
9adbd45d 1597 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
ec9c02ad 1598 struct io_kiocb *nxt = NULL;
ba816ad6
JA		 1599
1600 io_complete_rw_common(kiocb, res);
ec9c02ad
JL		 1601 io_put_req_find_next(req, &nxt);
1602
1603 return nxt;
2b188cc1
JA		 1604}
1605
def596e9
JA		 1606static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1607{
9adbd45d 1608 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
def596e9 1609
491381ce
JA		 1610 if (kiocb->ki_flags & IOCB_WRITE)
1611 kiocb_end_write(req);
def596e9 1612
4e88d6e7
JA		 1613 if (res != req->result)
1614 req_set_fail_links(req);
9e645e11 1615 req->result = res;
def596e9
JA		 1616 if (res != -EAGAIN)
1617 req->flags |= REQ_F_IOPOLL_COMPLETED;
1618}
1619
1620/*
1621 * After the iocb has been issued, it's safe to be found on the poll list.
1622 * Adding the kiocb to the list AFTER submission ensures that we don't
1623 * find it from a io_iopoll_getevents() thread before the issuer is done
1624 * accessing the kiocb cookie.
1625 */
1626static void io_iopoll_req_issued(struct io_kiocb *req)
1627{
1628 struct io_ring_ctx *ctx = req->ctx;
1629
1630 /*
1631 * Track whether we have multiple files in our lists. This will impact
1632 * how we do polling eventually, not spinning if we're on potentially
1633 * different devices.
1634 */
1635 if (list_empty(&ctx->poll_list)) {
1636 ctx->poll_multi_file = false;
1637 } else if (!ctx->poll_multi_file) {
1638 struct io_kiocb *list_req;
1639
1640 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1641 list);
9adbd45d 1642 if (list_req->file != req->file)
def596e9
JA		 1643 ctx->poll_multi_file = true;
1644 }
1645
1646 /*
1647 * For fast devices, IO may have already completed. If it has, add
1648 * it to the front so we find it first.
1649 */
1650 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1651 list_add(&req->list, &ctx->poll_list);
1652 else
1653 list_add_tail(&req->list, &ctx->poll_list);
1654}
1655
3d6770fb 1656static void io_file_put(struct io_submit_state *state)
9a56a232 1657{
3d6770fb 1658 if (state->file) {
9a56a232
JA		 1659 int diff = state->has_refs - state->used_refs;
1660
1661 if (diff)
1662 fput_many(state->file, diff);
1663 state->file = NULL;
1664 }
1665}
1666
1667/*
1668 * Get as many references to a file as we have IOs left in this submission,
1669 * assuming most submissions are for one file, or at least that each file
1670 * has more than one submission.
1671 */
1672static struct file *io_file_get(struct io_submit_state *state, int fd)
1673{
1674 if (!state)
1675 return fget(fd);
1676
1677 if (state->file) {
1678 if (state->fd == fd) {
1679 state->used_refs++;
1680 state->ios_left--;
1681 return state->file;
1682 }
3d6770fb 1683 io_file_put(state);
9a56a232
JA		 1684 }
1685 state->file = fget_many(fd, state->ios_left);
1686 if (!state->file)
1687 return NULL;
1688
1689 state->fd = fd;
1690 state->has_refs = state->ios_left;
1691 state->used_refs = 1;
1692 state->ios_left--;
1693 return state->file;
1694}
1695
2b188cc1
JA		 1696/*
1697 * If we tracked the file through the SCM inflight mechanism, we could support
1698 * any file. For now, just ensure that anything potentially problematic is done
1699 * inline.
1700 */
1701static bool io_file_supports_async(struct file *file)
1702{
1703 umode_t mode = file_inode(file)->i_mode;
1704
10d59345 1705 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
2b188cc1
JA		 1706 return true;
1707 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1708 return true;
1709
1710 return false;
1711}
1712
3529d8c2
JA		 1713static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1714 bool force_nonblock)
2b188cc1 1715{
def596e9 1716 struct io_ring_ctx *ctx = req->ctx;
9adbd45d 1717 struct kiocb *kiocb = &req->rw.kiocb;
09bb8394
JA		 1718 unsigned ioprio;
1719 int ret;
2b188cc1 1720
09bb8394
JA		 1721 if (!req->file)
1722 return -EBADF;
2b188cc1 1723
491381ce
JA		 1724 if (S_ISREG(file_inode(req->file)->i_mode))
1725 req->flags |= REQ_F_ISREG;
1726
2b188cc1 1727 kiocb->ki_pos = READ_ONCE(sqe->off);
ba04291e
JA		 1728 if (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {
1729 req->flags |= REQ_F_CUR_POS;
1730 kiocb->ki_pos = req->file->f_pos;
1731 }
2b188cc1
JA		 1732 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1733 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1734
1735 ioprio = READ_ONCE(sqe->ioprio);
1736 if (ioprio) {
1737 ret = ioprio_check_cap(ioprio);
1738 if (ret)
09bb8394 1739 return ret;
2b188cc1
JA		 1740
1741 kiocb->ki_ioprio = ioprio;
1742 } else
1743 kiocb->ki_ioprio = get_current_ioprio();
1744
1745 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1746 if (unlikely(ret))
09bb8394 1747 return ret;
8449eeda
SB		 1748
1749 /* don't allow async punt if RWF_NOWAIT was requested */
491381ce
JA		 1750 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1751 (req->file->f_flags & O_NONBLOCK))
8449eeda
SB		 1752 req->flags |= REQ_F_NOWAIT;
1753
1754 if (force_nonblock)
2b188cc1 1755 kiocb->ki_flags |= IOCB_NOWAIT;
8449eeda 1756
def596e9 1757 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9
JA		 1758 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1759 !kiocb->ki_filp->f_op->iopoll)
09bb8394 1760 return -EOPNOTSUPP;
2b188cc1 1761
def596e9
JA		 1762 kiocb->ki_flags |= IOCB_HIPRI;
1763 kiocb->ki_complete = io_complete_rw_iopoll;
6873e0bd 1764 req->result = 0;
def596e9 1765 } else {
09bb8394
JA		 1766 if (kiocb->ki_flags & IOCB_HIPRI)
1767 return -EINVAL;
def596e9
JA		 1768 kiocb->ki_complete = io_complete_rw;
1769 }
9adbd45d 1770
3529d8c2
JA		 1771 req->rw.addr = READ_ONCE(sqe->addr);
1772 req->rw.len = READ_ONCE(sqe->len);
9adbd45d
JA		 1773 /* we own ->private, reuse it for the buffer index */
1774 req->rw.kiocb.private = (void *) (unsigned long)
3529d8c2 1775 READ_ONCE(sqe->buf_index);
2b188cc1 1776 return 0;
2b188cc1
JA		 1777}
1778
1779static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1780{
1781 switch (ret) {
1782 case -EIOCBQUEUED:
1783 break;
1784 case -ERESTARTSYS:
1785 case -ERESTARTNOINTR:
1786 case -ERESTARTNOHAND:
1787 case -ERESTART_RESTARTBLOCK:
1788 /*
1789 * We can't just restart the syscall, since previously
1790 * submitted sqes may already be in progress. Just fail this
1791 * IO with EINTR.
1792 */
1793 ret = -EINTR;
1794 /* fall through */
1795 default:
1796 kiocb->ki_complete(kiocb, ret, 0);
1797 }
1798}
1799
ba816ad6
JA		 1800static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1801 bool in_async)
1802{
ba04291e
JA		 1803 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1804
1805 if (req->flags & REQ_F_CUR_POS)
1806 req->file->f_pos = kiocb->ki_pos;
f9bd67f6 1807 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
ba816ad6
JA		 1808 *nxt = __io_complete_rw(kiocb, ret);
1809 else
1810 io_rw_done(kiocb, ret);
1811}
1812
9adbd45d 1813static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
7d009165 1814 struct iov_iter *iter)
edafccee 1815{
9adbd45d
JA		 1816 struct io_ring_ctx *ctx = req->ctx;
1817 size_t len = req->rw.len;
edafccee
JA		 1818 struct io_mapped_ubuf *imu;
1819 unsigned index, buf_index;
1820 size_t offset;
1821 u64 buf_addr;
1822
1823 /* attempt to use fixed buffers without having provided iovecs */
1824 if (unlikely(!ctx->user_bufs))
1825 return -EFAULT;
1826
9adbd45d 1827 buf_index = (unsigned long) req->rw.kiocb.private;
edafccee
JA		 1828 if (unlikely(buf_index >= ctx->nr_user_bufs))
1829 return -EFAULT;
1830
1831 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1832 imu = &ctx->user_bufs[index];
9adbd45d 1833 buf_addr = req->rw.addr;
edafccee
JA		 1834
1835 /* overflow */
1836 if (buf_addr + len < buf_addr)
1837 return -EFAULT;
1838 /* not inside the mapped region */
1839 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1840 return -EFAULT;
1841
1842 /*
1843 * May not be a start of buffer, set size appropriately
1844 * and advance us to the beginning.
1845 */
1846 offset = buf_addr - imu->ubuf;
1847 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
bd11b3a3
JA		 1848
1849 if (offset) {
1850 /*
1851 * Don't use iov_iter_advance() here, as it's really slow for
1852 * using the latter parts of a big fixed buffer - it iterates
1853 * over each segment manually. We can cheat a bit here, because
1854 * we know that:
1855 *
1856 * 1) it's a BVEC iter, we set it up
1857 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1858 * first and last bvec
1859 *
1860 * So just find our index, and adjust the iterator afterwards.
1861 * If the offset is within the first bvec (or the whole first
1862 * bvec, just use iov_iter_advance(). This makes it easier
1863 * since we can just skip the first segment, which may not
1864 * be PAGE_SIZE aligned.
1865 */
1866 const struct bio_vec *bvec = imu->bvec;
1867
1868 if (offset <= bvec->bv_len) {
1869 iov_iter_advance(iter, offset);
1870 } else {
1871 unsigned long seg_skip;
1872
1873 /* skip first vec */
1874 offset -= bvec->bv_len;
1875 seg_skip = 1 + (offset >> PAGE_SHIFT);
1876
1877 iter->bvec = bvec + seg_skip;
1878 iter->nr_segs -= seg_skip;
99c79f66 1879 iter->count -= bvec->bv_len + offset;
bd11b3a3 1880 iter->iov_offset = offset & ~PAGE_MASK;
bd11b3a3
JA		 1881 }
1882 }
1883
5e559561 1884 return len;
edafccee
JA		 1885}
1886
cf6fd4bd
PB		 1887static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1888 struct iovec **iovec, struct iov_iter *iter)
2b188cc1 1889{
9adbd45d
JA		 1890 void __user *buf = u64_to_user_ptr(req->rw.addr);
1891 size_t sqe_len = req->rw.len;
edafccee
JA		 1892 u8 opcode;
1893
d625c6ee 1894 opcode = req->opcode;
7d009165 1895 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
edafccee 1896 *iovec = NULL;
9adbd45d 1897 return io_import_fixed(req, rw, iter);
edafccee 1898 }
2b188cc1 1899
9adbd45d
JA		 1900 /* buffer index only valid with fixed read/write */
1901 if (req->rw.kiocb.private)
1902 return -EINVAL;
1903
3a6820f2
JA		 1904 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
1905 ssize_t ret;
1906 ret = import_single_range(rw, buf, sqe_len, *iovec, iter);
1907 *iovec = NULL;
1908 return ret;
1909 }
1910
f67676d1
JA		 1911 if (req->io) {
1912 struct io_async_rw *iorw = &req->io->rw;
1913
1914 *iovec = iorw->iov;
1915 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1916 if (iorw->iov == iorw->fast_iov)
1917 *iovec = NULL;
1918 return iorw->size;
1919 }
1920
cf6fd4bd 1921 if (!req->has_user)
2b188cc1
JA		 1922 return -EFAULT;
1923
1924#ifdef CONFIG_COMPAT
cf6fd4bd 1925 if (req->ctx->compat)
2b188cc1
JA		 1926 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1927 iovec, iter);
1928#endif
1929
1930 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1931}
1932
31b51510 1933/*
32960613
JA		 1934 * For files that don't have ->read_iter() and ->write_iter(), handle them
1935 * by looping over ->read() or ->write() manually.
31b51510 1936 */
32960613
JA		 1937static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1938 struct iov_iter *iter)
1939{
1940 ssize_t ret = 0;
1941
1942 /*
1943 * Don't support polled IO through this interface, and we can't
1944 * support non-blocking either. For the latter, this just causes
1945 * the kiocb to be handled from an async context.
1946 */
1947 if (kiocb->ki_flags & IOCB_HIPRI)
1948 return -EOPNOTSUPP;
1949 if (kiocb->ki_flags & IOCB_NOWAIT)
1950 return -EAGAIN;
1951
1952 while (iov_iter_count(iter)) {
311ae9e1 1953 struct iovec iovec;
32960613
JA		 1954 ssize_t nr;
1955
311ae9e1
PB		 1956 if (!iov_iter_is_bvec(iter)) {
1957 iovec = iov_iter_iovec(iter);
1958 } else {
1959 /* fixed buffers import bvec */
1960 iovec.iov_base = kmap(iter->bvec->bv_page)
1961 + iter->iov_offset;
1962 iovec.iov_len = min(iter->count,
1963 iter->bvec->bv_len - iter->iov_offset);
1964 }
1965
32960613
JA		 1966 if (rw == READ) {
1967 nr = file->f_op->read(file, iovec.iov_base,
1968 iovec.iov_len, &kiocb->ki_pos);
1969 } else {
1970 nr = file->f_op->write(file, iovec.iov_base,
1971 iovec.iov_len, &kiocb->ki_pos);
1972 }
1973
311ae9e1
PB		 1974 if (iov_iter_is_bvec(iter))
1975 kunmap(iter->bvec->bv_page);
1976
32960613
JA		 1977 if (nr < 0) {
1978 if (!ret)
1979 ret = nr;
1980 break;
1981 }
1982 ret += nr;
1983 if (nr != iovec.iov_len)
1984 break;
1985 iov_iter_advance(iter, nr);
1986 }
1987
1988 return ret;
1989}
1990
b7bb4f7d 1991static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
f67676d1
JA		 1992 struct iovec *iovec, struct iovec *fast_iov,
1993 struct iov_iter *iter)
1994{
1995 req->io->rw.nr_segs = iter->nr_segs;
1996 req->io->rw.size = io_size;
1997 req->io->rw.iov = iovec;
1998 if (!req->io->rw.iov) {
1999 req->io->rw.iov = req->io->rw.fast_iov;
2000 memcpy(req->io->rw.iov, fast_iov,
2001 sizeof(struct iovec) * iter->nr_segs);
2002 }
2003}
2004
b7bb4f7d 2005static int io_alloc_async_ctx(struct io_kiocb *req)
f67676d1 2006{
d3656344
JA		 2007 if (!io_op_defs[req->opcode].async_ctx)
2008 return 0;
f67676d1 2009 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
06b76d44 2010 return req->io == NULL;
b7bb4f7d
JA		 2011}
2012
2013static void io_rw_async(struct io_wq_work **workptr)
2014{
2015 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2016 struct iovec *iov = NULL;
2017
2018 if (req->io->rw.iov != req->io->rw.fast_iov)
2019 iov = req->io->rw.iov;
2020 io_wq_submit_work(workptr);
2021 kfree(iov);
2022}
2023
2024static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
2025 struct iovec *iovec, struct iovec *fast_iov,
2026 struct iov_iter *iter)
2027{
74566df3
JA		 2028 if (req->opcode == IORING_OP_READ_FIXED ||
2029 req->opcode == IORING_OP_WRITE_FIXED)
2030 return 0;
b7bb4f7d
JA		 2031 if (!req->io && io_alloc_async_ctx(req))
2032 return -ENOMEM;
2033
2034 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
2035 req->work.func = io_rw_async;
2036 return 0;
f67676d1
JA		 2037}
2038
3529d8c2
JA		 2039static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2040 bool force_nonblock)
f67676d1 2041{
3529d8c2
JA		 2042 struct io_async_ctx *io;
2043 struct iov_iter iter;
f67676d1
JA		 2044 ssize_t ret;
2045
3529d8c2
JA		 2046 ret = io_prep_rw(req, sqe, force_nonblock);
2047 if (ret)
2048 return ret;
f67676d1 2049
3529d8c2
JA		 2050 if (unlikely(!(req->file->f_mode & FMODE_READ)))
2051 return -EBADF;
f67676d1 2052
3529d8c2
JA		 2053 if (!req->io)
2054 return 0;
2055
2056 io = req->io;
2057 io->rw.iov = io->rw.fast_iov;
2058 req->io = NULL;
2059 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
2060 req->io = io;
2061 if (ret < 0)
2062 return ret;
2063
2064 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2065 return 0;
f67676d1
JA		 2066}
2067
267bc904 2068static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2069 bool force_nonblock)
2b188cc1
JA		 2070{
2071 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2072 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2073 struct iov_iter iter;
31b51510 2074 size_t iov_count;
f67676d1 2075 ssize_t io_size, ret;
2b188cc1 2076
3529d8c2 2077 ret = io_import_iovec(READ, req, &iovec, &iter);
06b76d44
JA		 2078 if (ret < 0)
2079 return ret;
2b188cc1 2080
fd6c2e4c
JA		 2081 /* Ensure we clear previously set non-block flag */
2082 if (!force_nonblock)
9adbd45d 2083 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2084
797f3f53 2085 req->result = 0;
f67676d1 2086 io_size = ret;
9e645e11 2087 if (req->flags & REQ_F_LINK)
f67676d1
JA		 2088 req->result = io_size;
2089
2090 /*
2091 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2092 * we know to async punt it even if it was opened O_NONBLOCK
2093 */
9adbd45d 2094 if (force_nonblock && !io_file_supports_async(req->file)) {
f67676d1
JA		 2095 req->flags |= REQ_F_MUST_PUNT;
2096 goto copy_iov;
2097 }
9e645e11 2098
31b51510 2099 iov_count = iov_iter_count(&iter);
9adbd45d 2100 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
2b188cc1
JA		 2101 if (!ret) {
2102 ssize_t ret2;
2103
9adbd45d
JA		 2104 if (req->file->f_op->read_iter)
2105 ret2 = call_read_iter(req->file, kiocb, &iter);
32960613 2106 else
9adbd45d 2107 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
32960613 2108
9d93a3f5 2109 /* Catch -EAGAIN return for forced non-blocking submission */
f67676d1 2110 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2111 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2112 } else {
2113copy_iov:
b7bb4f7d 2114 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2115 inline_vecs, &iter);
2116 if (ret)
2117 goto out_free;
2118 return -EAGAIN;
2119 }
2b188cc1 2120 }
f67676d1 2121out_free:
b7bb4f7d
JA		 2122 if (!io_wq_current_is_worker())
2123 kfree(iovec);
2b188cc1
JA		 2124 return ret;
2125}
2126
3529d8c2
JA		 2127static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2128 bool force_nonblock)
f67676d1 2129{
3529d8c2
JA		 2130 struct io_async_ctx *io;
2131 struct iov_iter iter;
f67676d1
JA		 2132 ssize_t ret;
2133
3529d8c2
JA		 2134 ret = io_prep_rw(req, sqe, force_nonblock);
2135 if (ret)
2136 return ret;
f67676d1 2137
3529d8c2
JA		 2138 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
2139 return -EBADF;
f67676d1 2140
3529d8c2
JA		 2141 if (!req->io)
2142 return 0;
2143
2144 io = req->io;
2145 io->rw.iov = io->rw.fast_iov;
2146 req->io = NULL;
2147 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
2148 req->io = io;
2149 if (ret < 0)
2150 return ret;
2151
2152 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
2153 return 0;
f67676d1
JA		 2154}
2155
267bc904 2156static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
8358e3a8 2157 bool force_nonblock)
2b188cc1
JA		 2158{
2159 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
9adbd45d 2160 struct kiocb *kiocb = &req->rw.kiocb;
2b188cc1 2161 struct iov_iter iter;
31b51510 2162 size_t iov_count;
f67676d1 2163 ssize_t ret, io_size;
2b188cc1 2164
3529d8c2 2165 ret = io_import_iovec(WRITE, req, &iovec, &iter);
06b76d44
JA		 2166 if (ret < 0)
2167 return ret;
2b188cc1 2168
fd6c2e4c
JA		 2169 /* Ensure we clear previously set non-block flag */
2170 if (!force_nonblock)
9adbd45d 2171 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
fd6c2e4c 2172
797f3f53 2173 req->result = 0;
f67676d1 2174 io_size = ret;
9e645e11 2175 if (req->flags & REQ_F_LINK)
f67676d1 2176 req->result = io_size;
9e645e11 2177
f67676d1
JA		 2178 /*
2179 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2180 * we know to async punt it even if it was opened O_NONBLOCK
2181 */
2182 if (force_nonblock && !io_file_supports_async(req->file)) {
2183 req->flags |= REQ_F_MUST_PUNT;
2184 goto copy_iov;
2185 }
31b51510 2186
10d59345
JA		 2187 /* file path doesn't support NOWAIT for non-direct_IO */
2188 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2189 (req->flags & REQ_F_ISREG))
f67676d1 2190 goto copy_iov;
31b51510 2191
f67676d1 2192 iov_count = iov_iter_count(&iter);
9adbd45d 2193 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2b188cc1 2194 if (!ret) {
9bf7933f
RP		 2195 ssize_t ret2;
2196
2b188cc1
JA		 2197 /*
2198 * Open-code file_start_write here to grab freeze protection,
2199 * which will be released by another thread in
2200 * io_complete_rw(). Fool lockdep by telling it the lock got
2201 * released so that it doesn't complain about the held lock when
2202 * we return to userspace.
2203 */
491381ce 2204 if (req->flags & REQ_F_ISREG) {
9adbd45d 2205 __sb_start_write(file_inode(req->file)->i_sb,
2b188cc1 2206 SB_FREEZE_WRITE, true);
9adbd45d 2207 __sb_writers_release(file_inode(req->file)->i_sb,
2b188cc1
JA		 2208 SB_FREEZE_WRITE);
2209 }
2210 kiocb->ki_flags |= IOCB_WRITE;
9bf7933f 2211
9adbd45d
JA		 2212 if (req->file->f_op->write_iter)
2213 ret2 = call_write_iter(req->file, kiocb, &iter);
32960613 2214 else
9adbd45d 2215 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
f67676d1 2216 if (!force_nonblock || ret2 != -EAGAIN) {
cf6fd4bd 2217 kiocb_done(kiocb, ret2, nxt, req->in_async);
f67676d1
JA		 2218 } else {
2219copy_iov:
b7bb4f7d 2220 ret = io_setup_async_rw(req, io_size, iovec,
f67676d1
JA		 2221 inline_vecs, &iter);
2222 if (ret)
2223 goto out_free;
2224 return -EAGAIN;
2225 }
2b188cc1 2226 }
31b51510 2227out_free:
b7bb4f7d
JA		 2228 if (!io_wq_current_is_worker())
2229 kfree(iovec);
2b188cc1
JA		 2230 return ret;
2231}
2232
2233/*
2234 * IORING_OP_NOP just posts a completion event, nothing else.
2235 */
78e19bbe 2236static int io_nop(struct io_kiocb *req)
2b188cc1
JA		 2237{
2238 struct io_ring_ctx *ctx = req->ctx;
2b188cc1 2239
def596e9
JA		 2240 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2241 return -EINVAL;
2242
78e19bbe 2243 io_cqring_add_event(req, 0);
e65ef56d 2244 io_put_req(req);
2b188cc1
JA		 2245 return 0;
2246}
2247
3529d8c2 2248static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
c992fe29 2249{
6b06314c 2250 struct io_ring_ctx *ctx = req->ctx;
c992fe29 2251
09bb8394
JA		 2252 if (!req->file)
2253 return -EBADF;
c992fe29 2254
6b06314c 2255 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
def596e9 2256 return -EINVAL;
edafccee 2257 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
c992fe29
CH		 2258 return -EINVAL;
2259
8ed8d3c3
JA		 2260 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2261 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2262 return -EINVAL;
2263
2264 req->sync.off = READ_ONCE(sqe->off);
2265 req->sync.len = READ_ONCE(sqe->len);
c992fe29
CH		 2266 return 0;
2267}
2268
8ed8d3c3
JA		 2269static bool io_req_cancelled(struct io_kiocb *req)
2270{
2271 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2272 req_set_fail_links(req);
2273 io_cqring_add_event(req, -ECANCELED);
2274 io_put_req(req);
2275 return true;
2276 }
2277
2278 return false;
2279}
2280
78912934
JA		 2281static void io_link_work_cb(struct io_wq_work **workptr)
2282{
2283 struct io_wq_work *work = *workptr;
2284 struct io_kiocb *link = work->data;
2285
2286 io_queue_linked_timeout(link);
2287 work->func = io_wq_submit_work;
2288}
2289
2290static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2291{
2292 struct io_kiocb *link;
2293
2294 io_prep_async_work(nxt, &link);
2295 *workptr = &nxt->work;
2296 if (link) {
2297 nxt->work.flags |= IO_WQ_WORK_CB;
2298 nxt->work.func = io_link_work_cb;
2299 nxt->work.data = link;
2300 }
2301}
2302
8ed8d3c3
JA		 2303static void io_fsync_finish(struct io_wq_work **workptr)
2304{
2305 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2306 loff_t end = req->sync.off + req->sync.len;
2307 struct io_kiocb *nxt = NULL;
2308 int ret;
2309
2310 if (io_req_cancelled(req))
2311 return;
2312
9adbd45d 2313 ret = vfs_fsync_range(req->file, req->sync.off,
8ed8d3c3
JA		 2314 end > 0 ? end : LLONG_MAX,
2315 req->sync.flags & IORING_FSYNC_DATASYNC);
2316 if (ret < 0)
2317 req_set_fail_links(req);
2318 io_cqring_add_event(req, ret);
2319 io_put_req_find_next(req, &nxt);
2320 if (nxt)
78912934 2321 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2322}
2323
fc4df999
JA		 2324static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2325 bool force_nonblock)
c992fe29 2326{
8ed8d3c3 2327 struct io_wq_work *work, *old_work;
c992fe29
CH		 2328
2329 /* fsync always requires a blocking context */
8ed8d3c3
JA		 2330 if (force_nonblock) {
2331 io_put_req(req);
2332 req->work.func = io_fsync_finish;
c992fe29 2333 return -EAGAIN;
8ed8d3c3 2334 }
c992fe29 2335
8ed8d3c3
JA		 2336 work = old_work = &req->work;
2337 io_fsync_finish(&work);
2338 if (work && work != old_work)
2339 *nxt = container_of(work, struct io_kiocb, work);
c992fe29
CH		 2340 return 0;
2341}
2342
d63d1b5e
JA		 2343static void io_fallocate_finish(struct io_wq_work **workptr)
2344{
2345 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2346 struct io_kiocb *nxt = NULL;
2347 int ret;
2348
2349 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2350 req->sync.len);
2351 if (ret < 0)
2352 req_set_fail_links(req);
2353 io_cqring_add_event(req, ret);
2354 io_put_req_find_next(req, &nxt);
2355 if (nxt)
2356 io_wq_assign_next(workptr, nxt);
2357}
2358
2359static int io_fallocate_prep(struct io_kiocb *req,
2360 const struct io_uring_sqe *sqe)
2361{
2362 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2363 return -EINVAL;
2364
2365 req->sync.off = READ_ONCE(sqe->off);
2366 req->sync.len = READ_ONCE(sqe->addr);
2367 req->sync.mode = READ_ONCE(sqe->len);
2368 return 0;
2369}
2370
2371static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2372 bool force_nonblock)
2373{
2374 struct io_wq_work *work, *old_work;
2375
2376 /* fallocate always requiring blocking context */
2377 if (force_nonblock) {
2378 io_put_req(req);
2379 req->work.func = io_fallocate_finish;
2380 return -EAGAIN;
2381 }
2382
2383 work = old_work = &req->work;
2384 io_fallocate_finish(&work);
2385 if (work && work != old_work)
2386 *nxt = container_of(work, struct io_kiocb, work);
2387
2388 return 0;
2389}
2390
15b71abe
JA		 2391static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2392{
2393 int ret;
2394
2395 if (sqe->ioprio || sqe->buf_index)
2396 return -EINVAL;
2397
2398 req->open.dfd = READ_ONCE(sqe->fd);
2399 req->open.mode = READ_ONCE(sqe->len);
2400 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2401 req->open.flags = READ_ONCE(sqe->open_flags);
2402
2403 req->open.filename = getname(req->open.fname);
2404 if (IS_ERR(req->open.filename)) {
2405 ret = PTR_ERR(req->open.filename);
2406 req->open.filename = NULL;
2407 return ret;
2408 }
2409
2410 return 0;
2411}
2412
2413static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2414 bool force_nonblock)
2415{
2416 struct open_flags op;
2417 struct open_how how;
2418 struct file *file;
2419 int ret;
2420
2421 if (force_nonblock) {
2422 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2423 return -EAGAIN;
2424 }
2425
2426 how = build_open_how(req->open.flags, req->open.mode);
2427 ret = build_open_flags(&how, &op);
2428 if (ret)
2429 goto err;
2430
2431 ret = get_unused_fd_flags(how.flags);
2432 if (ret < 0)
2433 goto err;
2434
2435 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2436 if (IS_ERR(file)) {
2437 put_unused_fd(ret);
2438 ret = PTR_ERR(file);
2439 } else {
2440 fsnotify_open(file);
2441 fd_install(ret, file);
2442 }
2443err:
2444 putname(req->open.filename);
2445 if (ret < 0)
2446 req_set_fail_links(req);
2447 io_cqring_add_event(req, ret);
2448 io_put_req_find_next(req, nxt);
2449 return 0;
2450}
2451
4840e418
JA		 2452static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2453{
2454 if (sqe->ioprio || sqe->buf_index || sqe->addr)
2455 return -EINVAL;
2456
2457 req->fadvise.offset = READ_ONCE(sqe->off);
2458 req->fadvise.len = READ_ONCE(sqe->len);
2459 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
2460 return 0;
2461}
2462
2463static int io_fadvise(struct io_kiocb *req, struct io_kiocb **nxt,
2464 bool force_nonblock)
2465{
2466 struct io_fadvise *fa = &req->fadvise;
2467 int ret;
2468
2469 /* DONTNEED may block, others _should_ not */
2470 if (fa->advice == POSIX_FADV_DONTNEED && force_nonblock)
2471 return -EAGAIN;
2472
2473 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
2474 if (ret < 0)
2475 req_set_fail_links(req);
2476 io_cqring_add_event(req, ret);
2477 io_put_req_find_next(req, nxt);
2478 return 0;
2479}
2480
eddc7ef5
JA		 2481static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2482{
2483 unsigned lookup_flags;
2484 int ret;
2485
2486 if (sqe->ioprio || sqe->buf_index)
2487 return -EINVAL;
2488
2489 req->open.dfd = READ_ONCE(sqe->fd);
2490 req->open.mask = READ_ONCE(sqe->len);
2491 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2492 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2493 req->open.flags = READ_ONCE(sqe->statx_flags);
2494
2495 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.flags))
2496 return -EINVAL;
2497
2498 req->open.filename = getname_flags(req->open.fname, lookup_flags, NULL);
2499 if (IS_ERR(req->open.filename)) {
2500 ret = PTR_ERR(req->open.filename);
2501 req->open.filename = NULL;
2502 return ret;
2503 }
2504
2505 return 0;
2506}
2507
2508static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2509 bool force_nonblock)
2510{
2511 struct io_open *ctx = &req->open;
2512 unsigned lookup_flags;
2513 struct path path;
2514 struct kstat stat;
2515 int ret;
2516
2517 if (force_nonblock)
2518 return -EAGAIN;
2519
2520 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->flags))
2521 return -EINVAL;
2522
2523retry:
2524 /* filename_lookup() drops it, keep a reference */
2525 ctx->filename->refcnt++;
2526
2527 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2528 NULL);
2529 if (ret)
2530 goto err;
2531
2532 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->flags);
2533 path_put(&path);
2534 if (retry_estale(ret, lookup_flags)) {
2535 lookup_flags |= LOOKUP_REVAL;
2536 goto retry;
2537 }
2538 if (!ret)
2539 ret = cp_statx(&stat, ctx->buffer);
2540err:
2541 putname(ctx->filename);
2542 if (ret < 0)
2543 req_set_fail_links(req);
2544 io_cqring_add_event(req, ret);
2545 io_put_req_find_next(req, nxt);
2546 return 0;
2547}
2548
b5dba59e
JA		 2549static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2550{
2551 /*
2552 * If we queue this for async, it must not be cancellable. That would
2553 * leave the 'file' in an undeterminate state.
2554 */
2555 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2556
2557 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2558 sqe->rw_flags || sqe->buf_index)
2559 return -EINVAL;
2560 if (sqe->flags & IOSQE_FIXED_FILE)
2561 return -EINVAL;
2562
2563 req->close.fd = READ_ONCE(sqe->fd);
2564 if (req->file->f_op == &io_uring_fops ||
2565 req->close.fd == req->ring_fd)
2566 return -EBADF;
2567
2568 return 0;
2569}
2570
2571static void io_close_finish(struct io_wq_work **workptr)
2572{
2573 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2574 struct io_kiocb *nxt = NULL;
2575
2576 /* Invoked with files, we need to do the close */
2577 if (req->work.files) {
2578 int ret;
2579
2580 ret = filp_close(req->close.put_file, req->work.files);
2581 if (ret < 0) {
2582 req_set_fail_links(req);
2583 }
2584 io_cqring_add_event(req, ret);
2585 }
2586
2587 fput(req->close.put_file);
2588
2589 /* we bypassed the re-issue, drop the submission reference */
2590 io_put_req(req);
2591 io_put_req_find_next(req, &nxt);
2592 if (nxt)
2593 io_wq_assign_next(workptr, nxt);
2594}
2595
2596static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2597 bool force_nonblock)
2598{
2599 int ret;
2600
2601 req->close.put_file = NULL;
2602 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2603 if (ret < 0)
2604 return ret;
2605
2606 /* if the file has a flush method, be safe and punt to async */
2607 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2608 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2609 goto eagain;
2610 }
2611
2612 /*
2613 * No ->flush(), safely close from here and just punt the
2614 * fput() to async context.
2615 */
2616 ret = filp_close(req->close.put_file, current->files);
2617
2618 if (ret < 0)
2619 req_set_fail_links(req);
2620 io_cqring_add_event(req, ret);
2621
2622 if (io_wq_current_is_worker()) {
2623 struct io_wq_work *old_work, *work;
2624
2625 old_work = work = &req->work;
2626 io_close_finish(&work);
2627 if (work && work != old_work)
2628 *nxt = container_of(work, struct io_kiocb, work);
2629 return 0;
2630 }
2631
2632eagain:
2633 req->work.func = io_close_finish;
2634 return -EAGAIN;
2635}
2636
3529d8c2 2637static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5d17b4a4
JA		 2638{
2639 struct io_ring_ctx *ctx = req->ctx;
5d17b4a4
JA		 2640
2641 if (!req->file)
2642 return -EBADF;
5d17b4a4
JA		 2643
2644 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2645 return -EINVAL;
2646 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2647 return -EINVAL;
2648
8ed8d3c3
JA		 2649 req->sync.off = READ_ONCE(sqe->off);
2650 req->sync.len = READ_ONCE(sqe->len);
2651 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
8ed8d3c3
JA		 2652 return 0;
2653}
2654
2655static void io_sync_file_range_finish(struct io_wq_work **workptr)
2656{
2657 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2658 struct io_kiocb *nxt = NULL;
2659 int ret;
2660
2661 if (io_req_cancelled(req))
2662 return;
2663
9adbd45d 2664 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
8ed8d3c3
JA		 2665 req->sync.flags);
2666 if (ret < 0)
2667 req_set_fail_links(req);
2668 io_cqring_add_event(req, ret);
2669 io_put_req_find_next(req, &nxt);
2670 if (nxt)
78912934 2671 io_wq_assign_next(workptr, nxt);
5d17b4a4
JA		 2672}
2673
fc4df999 2674static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
5d17b4a4
JA		 2675 bool force_nonblock)
2676{
8ed8d3c3 2677 struct io_wq_work *work, *old_work;
5d17b4a4
JA		 2678
2679 /* sync_file_range always requires a blocking context */
8ed8d3c3
JA		 2680 if (force_nonblock) {
2681 io_put_req(req);
2682 req->work.func = io_sync_file_range_finish;
5d17b4a4 2683 return -EAGAIN;
8ed8d3c3 2684 }
5d17b4a4 2685
8ed8d3c3
JA		 2686 work = old_work = &req->work;
2687 io_sync_file_range_finish(&work);
2688 if (work && work != old_work)
2689 *nxt = container_of(work, struct io_kiocb, work);
5d17b4a4
JA		 2690 return 0;
2691}
2692
b7bb4f7d
JA		 2693#if defined(CONFIG_NET)
2694static void io_sendrecv_async(struct io_wq_work **workptr)
2695{
2696 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2697 struct iovec *iov = NULL;
2698
2699 if (req->io->rw.iov != req->io->rw.fast_iov)
2700 iov = req->io->msg.iov;
2701 io_wq_submit_work(workptr);
2702 kfree(iov);
2703}
2704#endif
2705
3529d8c2 2706static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
03b1230c 2707{
0fa03c62 2708#if defined(CONFIG_NET)
e47293fd 2709 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2 2710 struct io_async_ctx *io = req->io;
03b1230c 2711
e47293fd
JA		 2712 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2713 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
3529d8c2
JA		 2714
2715 if (!io)
2716 return 0;
2717
d9688565 2718 io->msg.iov = io->msg.fast_iov;
3529d8c2 2719 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2720 &io->msg.iov);
03b1230c 2721#else
e47293fd 2722 return -EOPNOTSUPP;
03b1230c
JA		 2723#endif
2724}
2725
fc4df999
JA		 2726static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2727 bool force_nonblock)
aa1fa28f 2728{
03b1230c 2729#if defined(CONFIG_NET)
0b416c3e 2730 struct io_async_msghdr *kmsg = NULL;
0fa03c62
JA		 2731 struct socket *sock;
2732 int ret;
2733
2734 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2735 return -EINVAL;
2736
2737 sock = sock_from_file(req->file, &ret);
2738 if (sock) {
b7bb4f7d 2739 struct io_async_ctx io;
03b1230c 2740 struct sockaddr_storage addr;
0fa03c62
JA		 2741 unsigned flags;
2742
03b1230c 2743 if (req->io) {
0b416c3e
JA		 2744 kmsg = &req->io->msg;
2745 kmsg->msg.msg_name = &addr;
2746 /* if iov is set, it's allocated already */
2747 if (!kmsg->iov)
2748 kmsg->iov = kmsg->fast_iov;
2749 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2750 } else {
3529d8c2
JA		 2751 struct io_sr_msg *sr = &req->sr_msg;
2752
0b416c3e
JA		 2753 kmsg = &io.msg;
2754 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2755
2756 io.msg.iov = io.msg.fast_iov;
2757 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2758 sr->msg_flags, &io.msg.iov);
03b1230c 2759 if (ret)
3529d8c2 2760 return ret;
03b1230c 2761 }
0fa03c62 2762
e47293fd
JA		 2763 flags = req->sr_msg.msg_flags;
2764 if (flags & MSG_DONTWAIT)
2765 req->flags |= REQ_F_NOWAIT;
2766 else if (force_nonblock)
2767 flags |= MSG_DONTWAIT;
2768
0b416c3e 2769 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
03b1230c 2770 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2771 if (req->io)
2772 return -EAGAIN;
2773 if (io_alloc_async_ctx(req))
2774 return -ENOMEM;
2775 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2776 req->work.func = io_sendrecv_async;
0b416c3e 2777 return -EAGAIN;
03b1230c 2778 }
441cdbd5
JA		 2779 if (ret == -ERESTARTSYS)
2780 ret = -EINTR;
0fa03c62
JA		 2781 }
2782
b7bb4f7d 2783 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2784 kfree(kmsg->iov);
78e19bbe 2785 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2786 if (ret < 0)
2787 req_set_fail_links(req);
ec9c02ad 2788 io_put_req_find_next(req, nxt);
5d17b4a4 2789 return 0;
03b1230c
JA		 2790#else
2791 return -EOPNOTSUPP;
aa1fa28f 2792#endif
03b1230c 2793}
aa1fa28f 2794
3529d8c2
JA		 2795static int io_recvmsg_prep(struct io_kiocb *req,
2796 const struct io_uring_sqe *sqe)
aa1fa28f
JA		 2797{
2798#if defined(CONFIG_NET)
e47293fd 2799 struct io_sr_msg *sr = &req->sr_msg;
3529d8c2
JA		 2800 struct io_async_ctx *io = req->io;
2801
2802 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2803 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
06b76d44 2804
3529d8c2 2805 if (!io)
06b76d44 2806 return 0;
03b1230c 2807
d9688565 2808 io->msg.iov = io->msg.fast_iov;
3529d8c2 2809 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
e47293fd 2810 &io->msg.uaddr, &io->msg.iov);
aa1fa28f 2811#else
e47293fd 2812 return -EOPNOTSUPP;
aa1fa28f
JA		 2813#endif
2814}
2815
fc4df999
JA		 2816static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2817 bool force_nonblock)
aa1fa28f
JA		 2818{
2819#if defined(CONFIG_NET)
0b416c3e 2820 struct io_async_msghdr *kmsg = NULL;
03b1230c
JA		 2821 struct socket *sock;
2822 int ret;
2823
2824 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2825 return -EINVAL;
2826
2827 sock = sock_from_file(req->file, &ret);
2828 if (sock) {
b7bb4f7d 2829 struct io_async_ctx io;
03b1230c 2830 struct sockaddr_storage addr;
03b1230c
JA		 2831 unsigned flags;
2832
03b1230c 2833 if (req->io) {
0b416c3e
JA		 2834 kmsg = &req->io->msg;
2835 kmsg->msg.msg_name = &addr;
2836 /* if iov is set, it's allocated already */
2837 if (!kmsg->iov)
2838 kmsg->iov = kmsg->fast_iov;
2839 kmsg->msg.msg_iter.iov = kmsg->iov;
03b1230c 2840 } else {
3529d8c2
JA		 2841 struct io_sr_msg *sr = &req->sr_msg;
2842
0b416c3e
JA		 2843 kmsg = &io.msg;
2844 kmsg->msg.msg_name = &addr;
3529d8c2
JA		 2845
2846 io.msg.iov = io.msg.fast_iov;
2847 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
2848 sr->msg_flags, &io.msg.uaddr,
2849 &io.msg.iov);
03b1230c 2850 if (ret)
3529d8c2 2851 return ret;
03b1230c
JA		 2852 }
2853
e47293fd
JA		 2854 flags = req->sr_msg.msg_flags;
2855 if (flags & MSG_DONTWAIT)
2856 req->flags |= REQ_F_NOWAIT;
2857 else if (force_nonblock)
2858 flags |= MSG_DONTWAIT;
2859
2860 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
2861 kmsg->uaddr, flags);
03b1230c 2862 if (force_nonblock && ret == -EAGAIN) {
b7bb4f7d
JA		 2863 if (req->io)
2864 return -EAGAIN;
2865 if (io_alloc_async_ctx(req))
2866 return -ENOMEM;
2867 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2868 req->work.func = io_sendrecv_async;
0b416c3e 2869 return -EAGAIN;
03b1230c
JA		 2870 }
2871 if (ret == -ERESTARTSYS)
2872 ret = -EINTR;
2873 }
2874
b7bb4f7d 2875 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
0b416c3e 2876 kfree(kmsg->iov);
03b1230c 2877 io_cqring_add_event(req, ret);
4e88d6e7
JA		 2878 if (ret < 0)
2879 req_set_fail_links(req);
03b1230c
JA		 2880 io_put_req_find_next(req, nxt);
2881 return 0;
0fa03c62
JA		 2882#else
2883 return -EOPNOTSUPP;
2884#endif
2885}
5d17b4a4 2886
3529d8c2 2887static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
17f2fe35
JA		 2888{
2889#if defined(CONFIG_NET)
8ed8d3c3
JA		 2890 struct io_accept *accept = &req->accept;
2891
17f2fe35
JA		 2892 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2893 return -EINVAL;
8042d6ce 2894 if (sqe->ioprio || sqe->len || sqe->buf_index)
17f2fe35
JA		 2895 return -EINVAL;
2896
d55e5f5b
JA		 2897 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2898 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
8ed8d3c3 2899 accept->flags = READ_ONCE(sqe->accept_flags);
8ed8d3c3
JA		 2900 return 0;
2901#else
2902 return -EOPNOTSUPP;
2903#endif
2904}
17f2fe35 2905
8ed8d3c3
JA		 2906#if defined(CONFIG_NET)
2907static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2908 bool force_nonblock)
2909{
2910 struct io_accept *accept = &req->accept;
2911 unsigned file_flags;
2912 int ret;
2913
2914 file_flags = force_nonblock ? O_NONBLOCK : 0;
2915 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2916 accept->addr_len, accept->flags);
2917 if (ret == -EAGAIN && force_nonblock)
17f2fe35 2918 return -EAGAIN;
8e3cca12
JA		 2919 if (ret == -ERESTARTSYS)
2920 ret = -EINTR;
4e88d6e7
JA		 2921 if (ret < 0)
2922 req_set_fail_links(req);
78e19bbe 2923 io_cqring_add_event(req, ret);
ec9c02ad 2924 io_put_req_find_next(req, nxt);
17f2fe35 2925 return 0;
8ed8d3c3
JA		 2926}
2927
2928static void io_accept_finish(struct io_wq_work **workptr)
2929{
2930 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2931 struct io_kiocb *nxt = NULL;
2932
2933 if (io_req_cancelled(req))
2934 return;
2935 __io_accept(req, &nxt, false);
2936 if (nxt)
78912934 2937 io_wq_assign_next(workptr, nxt);
8ed8d3c3
JA		 2938}
2939#endif
2940
2941static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2942 bool force_nonblock)
2943{
2944#if defined(CONFIG_NET)
2945 int ret;
2946
8ed8d3c3
JA		 2947 ret = __io_accept(req, nxt, force_nonblock);
2948 if (ret == -EAGAIN && force_nonblock) {
2949 req->work.func = io_accept_finish;
2950 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2951 io_put_req(req);
2952 return -EAGAIN;
2953 }
2954 return 0;
0fa03c62
JA		 2955#else
2956 return -EOPNOTSUPP;
2957#endif
2958}
5d17b4a4 2959
3529d8c2 2960static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
f499a021
JA		 2961{
2962#if defined(CONFIG_NET)
3529d8c2
JA		 2963 struct io_connect *conn = &req->connect;
2964 struct io_async_ctx *io = req->io;
f499a021 2965
3fbb51c1
JA		 2966 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2967 return -EINVAL;
2968 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
2969 return -EINVAL;
2970
3529d8c2
JA		 2971 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2972 conn->addr_len = READ_ONCE(sqe->addr2);
2973
2974 if (!io)
2975 return 0;
2976
2977 return move_addr_to_kernel(conn->addr, conn->addr_len,
3fbb51c1 2978 &io->connect.address);
f499a021 2979#else
3fbb51c1 2980 return -EOPNOTSUPP;
f499a021
JA		 2981#endif
2982}
2983
fc4df999
JA		 2984static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
2985 bool force_nonblock)
f8e85cf2
JA		 2986{
2987#if defined(CONFIG_NET)
f499a021 2988 struct io_async_ctx __io, *io;
f8e85cf2 2989 unsigned file_flags;
3fbb51c1 2990 int ret;
f8e85cf2 2991
f499a021
JA		 2992 if (req->io) {
2993 io = req->io;
2994 } else {
3529d8c2
JA		 2995 ret = move_addr_to_kernel(req->connect.addr,
2996 req->connect.addr_len,
2997 &__io.connect.address);
f499a021
JA		 2998 if (ret)
2999 goto out;
3000 io = &__io;
3001 }
3002
3fbb51c1
JA		 3003 file_flags = force_nonblock ? O_NONBLOCK : 0;
3004
3005 ret = __sys_connect_file(req->file, &io->connect.address,
3006 req->connect.addr_len, file_flags);
87f80d62 3007 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
b7bb4f7d
JA		 3008 if (req->io)
3009 return -EAGAIN;
3010 if (io_alloc_async_ctx(req)) {
f499a021
JA		 3011 ret = -ENOMEM;
3012 goto out;
3013 }
b7bb4f7d 3014 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
f8e85cf2 3015 return -EAGAIN;
f499a021 3016 }
f8e85cf2
JA		 3017 if (ret == -ERESTARTSYS)
3018 ret = -EINTR;
f499a021 3019out:
4e88d6e7
JA		 3020 if (ret < 0)
3021 req_set_fail_links(req);
f8e85cf2
JA		 3022 io_cqring_add_event(req, ret);
3023 io_put_req_find_next(req, nxt);
3024 return 0;
3025#else
3026 return -EOPNOTSUPP;
3027#endif
3028}
3029
221c5eb2
JA		 3030static void io_poll_remove_one(struct io_kiocb *req)
3031{
3032 struct io_poll_iocb *poll = &req->poll;
3033
3034 spin_lock(&poll->head->lock);
3035 WRITE_ONCE(poll->canceled, true);
392edb45
JA		 3036 if (!list_empty(&poll->wait.entry)) {
3037 list_del_init(&poll->wait.entry);
a197f664 3038 io_queue_async_work(req);
221c5eb2
JA		 3039 }
3040 spin_unlock(&poll->head->lock);
78076bb6 3041 hash_del(&req->hash_node);
221c5eb2
JA		 3042}
3043
3044static void io_poll_remove_all(struct io_ring_ctx *ctx)
3045{
78076bb6 3046 struct hlist_node *tmp;
221c5eb2 3047 struct io_kiocb *req;
78076bb6 3048 int i;
221c5eb2
JA		 3049
3050 spin_lock_irq(&ctx->completion_lock);
78076bb6
JA		 3051 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
3052 struct hlist_head *list;
3053
3054 list = &ctx->cancel_hash[i];
3055 hlist_for_each_entry_safe(req, tmp, list, hash_node)
3056 io_poll_remove_one(req);
221c5eb2
JA		 3057 }
3058 spin_unlock_irq(&ctx->completion_lock);
3059}
3060
47f46768
JA		 3061static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
3062{
78076bb6 3063 struct hlist_head *list;
47f46768
JA		 3064 struct io_kiocb *req;
3065
78076bb6
JA		 3066 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
3067 hlist_for_each_entry(req, list, hash_node) {
3068 if (sqe_addr == req->user_data) {
eac406c6
JA		 3069 io_poll_remove_one(req);
3070 return 0;
3071 }
47f46768
JA		 3072 }
3073
3074 return -ENOENT;
3075}
3076
3529d8c2
JA		 3077static int io_poll_remove_prep(struct io_kiocb *req,
3078 const struct io_uring_sqe *sqe)
0969e783 3079{
0969e783
JA		 3080 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3081 return -EINVAL;
3082 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
3083 sqe->poll_events)
3084 return -EINVAL;
3085
3086 req->poll.addr = READ_ONCE(sqe->addr);
0969e783
JA		 3087 return 0;
3088}
3089
221c5eb2
JA		 3090/*
3091 * Find a running poll command that matches one specified in sqe->addr,
3092 * and remove it if found.
3093 */
fc4df999 3094static int io_poll_remove(struct io_kiocb *req)
221c5eb2
JA		 3095{
3096 struct io_ring_ctx *ctx = req->ctx;
0969e783 3097 u64 addr;
47f46768 3098 int ret;
221c5eb2 3099
0969e783 3100 addr = req->poll.addr;
221c5eb2 3101 spin_lock_irq(&ctx->completion_lock);
0969e783 3102 ret = io_poll_cancel(ctx, addr);
221c5eb2
JA		 3103 spin_unlock_irq(&ctx->completion_lock);
3104
78e19bbe 3105 io_cqring_add_event(req, ret);
4e88d6e7
JA		 3106 if (ret < 0)
3107 req_set_fail_links(req);
e65ef56d 3108 io_put_req(req);
221c5eb2
JA		 3109 return 0;
3110}
3111
b0dd8a41 3112static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
221c5eb2 3113{
a197f664
JL		 3114 struct io_ring_ctx *ctx = req->ctx;
3115
8c838788 3116 req->poll.done = true;
b0dd8a41
JA		 3117 if (error)
3118 io_cqring_fill_event(req, error);
3119 else
3120 io_cqring_fill_event(req, mangle_poll(mask));
8c838788 3121 io_commit_cqring(ctx);
221c5eb2
JA		 3122}
3123
561fb04a 3124static void io_poll_complete_work(struct io_wq_work **workptr)
221c5eb2 3125{
561fb04a 3126 struct io_wq_work *work = *workptr;
221c5eb2
JA		 3127 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3128 struct io_poll_iocb *poll = &req->poll;
3129 struct poll_table_struct pt = { ._key = poll->events };
3130 struct io_ring_ctx *ctx = req->ctx;
89723d0b 3131 struct io_kiocb *nxt = NULL;
221c5eb2 3132 __poll_t mask = 0;
b0dd8a41 3133 int ret = 0;
221c5eb2 3134
b0dd8a41 3135 if (work->flags & IO_WQ_WORK_CANCEL) {
561fb04a 3136 WRITE_ONCE(poll->canceled, true);
b0dd8a41
JA		 3137 ret = -ECANCELED;
3138 } else if (READ_ONCE(poll->canceled)) {
3139 ret = -ECANCELED;
3140 }
561fb04a 3141
b0dd8a41 3142 if (ret != -ECANCELED)
221c5eb2
JA		 3143 mask = vfs_poll(poll->file, &pt) & poll->events;
3144
3145 /*
3146 * Note that ->ki_cancel callers also delete iocb from active_reqs after
3147 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
3148 * synchronize with them. In the cancellation case the list_del_init
3149 * itself is not actually needed, but harmless so we keep it in to
3150 * avoid further branches in the fast path.
3151 */
3152 spin_lock_irq(&ctx->completion_lock);
b0dd8a41 3153 if (!mask && ret != -ECANCELED) {
392edb45 3154 add_wait_queue(poll->head, &poll->wait);
221c5eb2
JA		 3155 spin_unlock_irq(&ctx->completion_lock);
3156 return;
3157 }
78076bb6 3158 hash_del(&req->hash_node);
b0dd8a41 3159 io_poll_complete(req, mask, ret);
221c5eb2
JA		 3160 spin_unlock_irq(&ctx->completion_lock);
3161
8c838788 3162 io_cqring_ev_posted(ctx);
89723d0b 3163
4e88d6e7
JA		 3164 if (ret < 0)
3165 req_set_fail_links(req);
ec9c02ad 3166 io_put_req_find_next(req, &nxt);
89723d0b 3167 if (nxt)
78912934 3168 io_wq_assign_next(workptr, nxt);
221c5eb2
JA		 3169}
3170
e94f141b
JA		 3171static void __io_poll_flush(struct io_ring_ctx *ctx, struct llist_node *nodes)
3172{
3173 void *reqs[IO_IOPOLL_BATCH];
3174 struct io_kiocb *req, *tmp;
3175 int to_free = 0;
3176
3177 spin_lock_irq(&ctx->completion_lock);
3178 llist_for_each_entry_safe(req, tmp, nodes, llist_node) {
3179 hash_del(&req->hash_node);
3180 io_poll_complete(req, req->result, 0);
3181
3182 if (refcount_dec_and_test(&req->refs)) {
3183 if (io_req_multi_free(req)) {
3184 reqs[to_free++] = req;
3185 if (to_free == ARRAY_SIZE(reqs))
3186 io_free_req_many(ctx, reqs, &to_free);
3187 } else {
3188 req->flags |= REQ_F_COMP_LOCKED;
3189 io_free_req(req);
3190 }
3191 }
3192 }
3193 spin_unlock_irq(&ctx->completion_lock);
3194
3195 io_cqring_ev_posted(ctx);
3196 io_free_req_many(ctx, reqs, &to_free);
3197}
3198
3199static void io_poll_flush(struct io_wq_work **workptr)
3200{
3201 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
3202 struct llist_node *nodes;
3203
3204 nodes = llist_del_all(&req->ctx->poll_llist);
3205 if (nodes)
3206 __io_poll_flush(req->ctx, nodes);
3207}
3208
221c5eb2
JA		 3209static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
3210 void *key)
3211{
e944475e 3212 struct io_poll_iocb *poll = wait->private;
221c5eb2
JA		 3213 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
3214 struct io_ring_ctx *ctx = req->ctx;
3215 __poll_t mask = key_to_poll(key);
221c5eb2
JA		 3216
3217 /* for instances that support it check for an event match first: */
8c838788
JA		 3218 if (mask && !(mask & poll->events))
3219 return 0;
221c5eb2 3220
392edb45 3221 list_del_init(&poll->wait.entry);
221c5eb2 3222
7c9e7f0f
JA		 3223 /*
3224 * Run completion inline if we can. We're using trylock here because
3225 * we are violating the completion_lock -> poll wq lock ordering.
3226 * If we have a link timeout we're going to need the completion_lock
3227 * for finalizing the request, mark us as having grabbed that already.
3228 */
e94f141b
JA		 3229 if (mask) {
3230 unsigned long flags;
221c5eb2 3231
e94f141b
JA		 3232 if (llist_empty(&ctx->poll_llist) &&
3233 spin_trylock_irqsave(&ctx->completion_lock, flags)) {
3234 hash_del(&req->hash_node);
3235 io_poll_complete(req, mask, 0);
3236 req->flags |= REQ_F_COMP_LOCKED;
3237 io_put_req(req);
3238 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3239
3240 io_cqring_ev_posted(ctx);
3241 req = NULL;
3242 } else {
3243 req->result = mask;
3244 req->llist_node.next = NULL;
3245 /* if the list wasn't empty, we're done */
3246 if (!llist_add(&req->llist_node, &ctx->poll_llist))
3247 req = NULL;
3248 else
3249 req->work.func = io_poll_flush;
3250 }
221c5eb2 3251 }
e94f141b
JA		 3252 if (req)
3253 io_queue_async_work(req);
221c5eb2 3254
221c5eb2
JA		 3255 return 1;
3256}
3257
3258struct io_poll_table {
3259 struct poll_table_struct pt;
3260 struct io_kiocb *req;
3261 int error;
3262};
3263
3264static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3265 struct poll_table_struct *p)
3266{
3267 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3268
3269 if (unlikely(pt->req->poll.head)) {
3270 pt->error = -EINVAL;
3271 return;
3272 }
3273
3274 pt->error = 0;
3275 pt->req->poll.head = head;
392edb45 3276 add_wait_queue(head, &pt->req->poll.wait);
221c5eb2
JA		 3277}
3278
eac406c6
JA		 3279static void io_poll_req_insert(struct io_kiocb *req)
3280{
3281 struct io_ring_ctx *ctx = req->ctx;
78076bb6
JA		 3282 struct hlist_head *list;
3283
3284 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3285 hlist_add_head(&req->hash_node, list);
eac406c6
JA		 3286}
3287
3529d8c2 3288static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
221c5eb2
JA		 3289{
3290 struct io_poll_iocb *poll = &req->poll;
221c5eb2 3291 u16 events;
221c5eb2
JA		 3292
3293 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3294 return -EINVAL;
3295 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3296 return -EINVAL;
09bb8394
JA		 3297 if (!poll->file)
3298 return -EBADF;
221c5eb2 3299
221c5eb2
JA		 3300 events = READ_ONCE(sqe->poll_events);
3301 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
0969e783
JA		 3302 return 0;
3303}
3304
3305static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3306{
3307 struct io_poll_iocb *poll = &req->poll;
3308 struct io_ring_ctx *ctx = req->ctx;
3309 struct io_poll_table ipt;
3310 bool cancel = false;
3311 __poll_t mask;
0969e783
JA		 3312
3313 INIT_IO_WORK(&req->work, io_poll_complete_work);
78076bb6 3314 INIT_HLIST_NODE(&req->hash_node);
221c5eb2 3315
221c5eb2 3316 poll->head = NULL;
8c838788 3317 poll->done = false;
221c5eb2
JA		 3318 poll->canceled = false;
3319
3320 ipt.pt._qproc = io_poll_queue_proc;
3321 ipt.pt._key = poll->events;
3322 ipt.req = req;
3323 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3324
3325 /* initialized the list so that we can do list_empty checks */
392edb45
JA		 3326 INIT_LIST_HEAD(&poll->wait.entry);
3327 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3328 poll->wait.private = poll;
221c5eb2 3329
36703247
JA		 3330 INIT_LIST_HEAD(&req->list);
3331
221c5eb2 3332 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
221c5eb2
JA		 3333
3334 spin_lock_irq(&ctx->completion_lock);
8c838788
JA		 3335 if (likely(poll->head)) {
3336 spin_lock(&poll->head->lock);
392edb45 3337 if (unlikely(list_empty(&poll->wait.entry))) {
8c838788
JA		 3338 if (ipt.error)
3339 cancel = true;
3340 ipt.error = 0;
3341 mask = 0;
3342 }
3343 if (mask || ipt.error)
392edb45 3344 list_del_init(&poll->wait.entry);
8c838788
JA		 3345 else if (cancel)
3346 WRITE_ONCE(poll->canceled, true);
3347 else if (!poll->done) /* actually waiting for an event */
eac406c6 3348 io_poll_req_insert(req);
8c838788
JA		 3349 spin_unlock(&poll->head->lock);
3350 }
3351 if (mask) { /* no async, we'd stolen it */
221c5eb2 3352 ipt.error = 0;
b0dd8a41 3353 io_poll_complete(req, mask, 0);
221c5eb2 3354 }
221c5eb2
JA		 3355 spin_unlock_irq(&ctx->completion_lock);
3356
8c838788
JA		 3357 if (mask) {
3358 io_cqring_ev_posted(ctx);
ec9c02ad 3359 io_put_req_find_next(req, nxt);
221c5eb2 3360 }
8c838788 3361 return ipt.error;
221c5eb2
JA		 3362}
3363
5262f567
JA		 3364static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3365{
ad8a48ac
JA		 3366 struct io_timeout_data *data = container_of(timer,
3367 struct io_timeout_data, timer);
3368 struct io_kiocb *req = data->req;
3369 struct io_ring_ctx *ctx = req->ctx;
5262f567
JA		 3370 unsigned long flags;
3371
5262f567
JA		 3372 atomic_inc(&ctx->cq_timeouts);
3373
3374 spin_lock_irqsave(&ctx->completion_lock, flags);
ef03681a 3375 /*
11365043
JA		 3376 * We could be racing with timeout deletion. If the list is empty,
3377 * then timeout lookup already found it and will be handling it.
ef03681a 3378 */
842f9612 3379 if (!list_empty(&req->list)) {
11365043 3380 struct io_kiocb *prev;
5262f567 3381
11365043
JA		 3382 /*
3383 * Adjust the reqs sequence before the current one because it
d195a66e 3384 * will consume a slot in the cq_ring and the cq_tail
11365043
JA		 3385 * pointer will be increased, otherwise other timeout reqs may
3386 * return in advance without waiting for enough wait_nr.
3387 */
3388 prev = req;
3389 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3390 prev->sequence++;
11365043 3391 list_del_init(&req->list);
11365043 3392 }
5262f567 3393
78e19bbe 3394 io_cqring_fill_event(req, -ETIME);
5262f567
JA		 3395 io_commit_cqring(ctx);
3396 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3397
3398 io_cqring_ev_posted(ctx);
4e88d6e7 3399 req_set_fail_links(req);
5262f567
JA		 3400 io_put_req(req);
3401 return HRTIMER_NORESTART;
3402}
3403
47f46768
JA		 3404static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3405{
3406 struct io_kiocb *req;
3407 int ret = -ENOENT;
3408
3409 list_for_each_entry(req, &ctx->timeout_list, list) {
3410 if (user_data == req->user_data) {
3411 list_del_init(&req->list);
3412 ret = 0;
3413 break;
3414 }
3415 }
3416
3417 if (ret == -ENOENT)
3418 return ret;
3419
2d28390a 3420 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
47f46768
JA		 3421 if (ret == -1)
3422 return -EALREADY;
3423
4e88d6e7 3424 req_set_fail_links(req);
47f46768
JA		 3425 io_cqring_fill_event(req, -ECANCELED);
3426 io_put_req(req);
3427 return 0;
3428}
3429
3529d8c2
JA		 3430static int io_timeout_remove_prep(struct io_kiocb *req,
3431 const struct io_uring_sqe *sqe)
b29472ee 3432{
b29472ee
JA		 3433 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3434 return -EINVAL;
3435 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3436 return -EINVAL;
3437
3438 req->timeout.addr = READ_ONCE(sqe->addr);
3439 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3440 if (req->timeout.flags)
3441 return -EINVAL;
3442
b29472ee
JA		 3443 return 0;
3444}
3445
11365043
JA		 3446/*
3447 * Remove or update an existing timeout command
3448 */
fc4df999 3449static int io_timeout_remove(struct io_kiocb *req)
11365043
JA		 3450{
3451 struct io_ring_ctx *ctx = req->ctx;
47f46768 3452 int ret;
11365043 3453
11365043 3454 spin_lock_irq(&ctx->completion_lock);
b29472ee 3455 ret = io_timeout_cancel(ctx, req->timeout.addr);
11365043 3456
47f46768 3457 io_cqring_fill_event(req, ret);
11365043
JA		 3458 io_commit_cqring(ctx);
3459 spin_unlock_irq(&ctx->completion_lock);
5262f567 3460 io_cqring_ev_posted(ctx);
4e88d6e7
JA		 3461 if (ret < 0)
3462 req_set_fail_links(req);
ec9c02ad 3463 io_put_req(req);
11365043 3464 return 0;
5262f567
JA		 3465}
3466
3529d8c2 3467static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
2d28390a 3468 bool is_timeout_link)
5262f567 3469{
ad8a48ac 3470 struct io_timeout_data *data;
a41525ab 3471 unsigned flags;
5262f567 3472
ad8a48ac 3473 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5262f567 3474 return -EINVAL;
ad8a48ac 3475 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
a41525ab 3476 return -EINVAL;
2d28390a
JA		 3477 if (sqe->off && is_timeout_link)
3478 return -EINVAL;
a41525ab
JA		 3479 flags = READ_ONCE(sqe->timeout_flags);
3480 if (flags & ~IORING_TIMEOUT_ABS)
5262f567 3481 return -EINVAL;
bdf20073 3482
26a61679
JA		 3483 req->timeout.count = READ_ONCE(sqe->off);
3484
3529d8c2 3485 if (!req->io && io_alloc_async_ctx(req))
26a61679
JA		 3486 return -ENOMEM;
3487
3488 data = &req->io->timeout;
ad8a48ac 3489 data->req = req;
ad8a48ac
JA		 3490 req->flags |= REQ_F_TIMEOUT;
3491
3492 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
5262f567
JA		 3493 return -EFAULT;
3494
11365043 3495 if (flags & IORING_TIMEOUT_ABS)
ad8a48ac 3496 data->mode = HRTIMER_MODE_ABS;
11365043 3497 else
ad8a48ac 3498 data->mode = HRTIMER_MODE_REL;
11365043 3499
ad8a48ac
JA		 3500 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3501 return 0;
3502}
3503
fc4df999 3504static int io_timeout(struct io_kiocb *req)
ad8a48ac
JA		 3505{
3506 unsigned count;
3507 struct io_ring_ctx *ctx = req->ctx;
3508 struct io_timeout_data *data;
3509 struct list_head *entry;
3510 unsigned span = 0;
ad8a48ac 3511
2d28390a 3512 data = &req->io->timeout;
93bd25bb 3513
5262f567
JA		 3514 /*
3515 * sqe->off holds how many events that need to occur for this
93bd25bb
JA		 3516 * timeout event to be satisfied. If it isn't set, then this is
3517 * a pure timeout request, sequence isn't used.
5262f567 3518 */
26a61679 3519 count = req->timeout.count;
93bd25bb
JA		 3520 if (!count) {
3521 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3522 spin_lock_irq(&ctx->completion_lock);
3523 entry = ctx->timeout_list.prev;
3524 goto add;
3525 }
5262f567
JA		 3526
3527 req->sequence = ctx->cached_sq_head + count - 1;
2d28390a 3528 data->seq_offset = count;
5262f567
JA		 3529
3530 /*
3531 * Insertion sort, ensuring the first entry in the list is always
3532 * the one we need first.
3533 */
5262f567
JA		 3534 spin_lock_irq(&ctx->completion_lock);
3535 list_for_each_prev(entry, &ctx->timeout_list) {
3536 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
5da0fb1a 3537 unsigned nxt_sq_head;
3538 long long tmp, tmp_nxt;
2d28390a 3539 u32 nxt_offset = nxt->io->timeout.seq_offset;
5262f567 3540
93bd25bb
JA		 3541 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3542 continue;
3543
5da0fb1a 3544 /*
3545 * Since cached_sq_head + count - 1 can overflow, use type long
3546 * long to store it.
3547 */
3548 tmp = (long long)ctx->cached_sq_head + count - 1;
cc42e0ac
PB		 3549 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3550 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
5da0fb1a 3551
3552 /*
3553 * cached_sq_head may overflow, and it will never overflow twice
3554 * once there is some timeout req still be valid.
3555 */
3556 if (ctx->cached_sq_head < nxt_sq_head)
8b07a65a 3557 tmp += UINT_MAX;
5da0fb1a 3558
a1f58ba4 3559 if (tmp > tmp_nxt)
5262f567 3560 break;
a1f58ba4 3561
3562 /*
3563 * Sequence of reqs after the insert one and itself should
3564 * be adjusted because each timeout req consumes a slot.
3565 */
3566 span++;
3567 nxt->sequence++;
5262f567 3568 }
a1f58ba4 3569 req->sequence -= span;
93bd25bb 3570add:
5262f567 3571 list_add(&req->list, entry);
ad8a48ac
JA		 3572 data->timer.function = io_timeout_fn;
3573 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
5262f567 3574 spin_unlock_irq(&ctx->completion_lock);
5262f567
JA		 3575 return 0;
3576}
5262f567 3577
62755e35
JA		 3578static bool io_cancel_cb(struct io_wq_work *work, void *data)
3579{
3580 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3581
3582 return req->user_data == (unsigned long) data;
3583}
3584
e977d6d3 3585static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
62755e35 3586{
62755e35 3587 enum io_wq_cancel cancel_ret;
62755e35
JA		 3588 int ret = 0;
3589
62755e35
JA		 3590 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3591 switch (cancel_ret) {
3592 case IO_WQ_CANCEL_OK:
3593 ret = 0;
3594 break;
3595 case IO_WQ_CANCEL_RUNNING:
3596 ret = -EALREADY;
3597 break;
3598 case IO_WQ_CANCEL_NOTFOUND:
3599 ret = -ENOENT;
3600 break;
3601 }
3602
e977d6d3
JA		 3603 return ret;
3604}
3605
47f46768
JA		 3606static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3607 struct io_kiocb *req, __u64 sqe_addr,
b0dd8a41 3608 struct io_kiocb **nxt, int success_ret)
47f46768
JA		 3609{
3610 unsigned long flags;
3611 int ret;
3612
3613 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3614 if (ret != -ENOENT) {
3615 spin_lock_irqsave(&ctx->completion_lock, flags);
3616 goto done;
3617 }
3618
3619 spin_lock_irqsave(&ctx->completion_lock, flags);
3620 ret = io_timeout_cancel(ctx, sqe_addr);
3621 if (ret != -ENOENT)
3622 goto done;
3623 ret = io_poll_cancel(ctx, sqe_addr);
3624done:
b0dd8a41
JA		 3625 if (!ret)
3626 ret = success_ret;
47f46768
JA		 3627 io_cqring_fill_event(req, ret);
3628 io_commit_cqring(ctx);
3629 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3630 io_cqring_ev_posted(ctx);
3631
4e88d6e7
JA		 3632 if (ret < 0)
3633 req_set_fail_links(req);
47f46768
JA		 3634 io_put_req_find_next(req, nxt);
3635}
3636
3529d8c2
JA		 3637static int io_async_cancel_prep(struct io_kiocb *req,
3638 const struct io_uring_sqe *sqe)
e977d6d3 3639{
fbf23849 3640 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
e977d6d3
JA		 3641 return -EINVAL;
3642 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3643 sqe->cancel_flags)
3644 return -EINVAL;
3645
fbf23849
JA		 3646 req->cancel.addr = READ_ONCE(sqe->addr);
3647 return 0;
3648}
3649
3650static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3651{
3652 struct io_ring_ctx *ctx = req->ctx;
fbf23849
JA		 3653
3654 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
5262f567
JA		 3655 return 0;
3656}
3657
05f3fb3c
JA		 3658static int io_files_update_prep(struct io_kiocb *req,
3659 const struct io_uring_sqe *sqe)
3660{
3661 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3662 return -EINVAL;
3663
3664 req->files_update.offset = READ_ONCE(sqe->off);
3665 req->files_update.nr_args = READ_ONCE(sqe->len);
3666 if (!req->files_update.nr_args)
3667 return -EINVAL;
3668 req->files_update.arg = READ_ONCE(sqe->addr);
3669 return 0;
3670}
3671
3672static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3673{
3674 struct io_ring_ctx *ctx = req->ctx;
3675 struct io_uring_files_update up;
3676 int ret;
3677
3678 if (force_nonblock) {
3679 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3680 return -EAGAIN;
3681 }
3682
3683 up.offset = req->files_update.offset;
3684 up.fds = req->files_update.arg;
3685
3686 mutex_lock(&ctx->uring_lock);
3687 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3688 mutex_unlock(&ctx->uring_lock);
3689
3690 if (ret < 0)
3691 req_set_fail_links(req);
3692 io_cqring_add_event(req, ret);
3693 io_put_req(req);
3694 return 0;
3695}
3696
3529d8c2
JA		 3697static int io_req_defer_prep(struct io_kiocb *req,
3698 const struct io_uring_sqe *sqe)
f67676d1 3699{
e781573e 3700 ssize_t ret = 0;
f67676d1 3701
d625c6ee 3702 switch (req->opcode) {
e781573e
JA		 3703 case IORING_OP_NOP:
3704 break;
f67676d1
JA		 3705 case IORING_OP_READV:
3706 case IORING_OP_READ_FIXED:
3a6820f2 3707 case IORING_OP_READ:
3529d8c2 3708 ret = io_read_prep(req, sqe, true);
f67676d1
JA		 3709 break;
3710 case IORING_OP_WRITEV:
3711 case IORING_OP_WRITE_FIXED:
3a6820f2 3712 case IORING_OP_WRITE:
3529d8c2 3713 ret = io_write_prep(req, sqe, true);
f67676d1 3714 break;
0969e783 3715 case IORING_OP_POLL_ADD:
3529d8c2 3716 ret = io_poll_add_prep(req, sqe);
0969e783
JA		 3717 break;
3718 case IORING_OP_POLL_REMOVE:
3529d8c2 3719 ret = io_poll_remove_prep(req, sqe);
0969e783 3720 break;
8ed8d3c3 3721 case IORING_OP_FSYNC:
3529d8c2 3722 ret = io_prep_fsync(req, sqe);
8ed8d3c3
JA		 3723 break;
3724 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2 3725 ret = io_prep_sfr(req, sqe);
8ed8d3c3 3726 break;
03b1230c 3727 case IORING_OP_SENDMSG:
3529d8c2 3728 ret = io_sendmsg_prep(req, sqe);
03b1230c
JA		 3729 break;
3730 case IORING_OP_RECVMSG:
3529d8c2 3731 ret = io_recvmsg_prep(req, sqe);
03b1230c 3732 break;
f499a021 3733 case IORING_OP_CONNECT:
3529d8c2 3734 ret = io_connect_prep(req, sqe);
f499a021 3735 break;
2d28390a 3736 case IORING_OP_TIMEOUT:
3529d8c2 3737 ret = io_timeout_prep(req, sqe, false);
b7bb4f7d 3738 break;
b29472ee 3739 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2 3740 ret = io_timeout_remove_prep(req, sqe);
b29472ee 3741 break;
fbf23849 3742 case IORING_OP_ASYNC_CANCEL:
3529d8c2 3743 ret = io_async_cancel_prep(req, sqe);
fbf23849 3744 break;
2d28390a 3745 case IORING_OP_LINK_TIMEOUT:
3529d8c2 3746 ret = io_timeout_prep(req, sqe, true);
b7bb4f7d 3747 break;
8ed8d3c3 3748 case IORING_OP_ACCEPT:
3529d8c2 3749 ret = io_accept_prep(req, sqe);
8ed8d3c3 3750 break;
d63d1b5e
JA		 3751 case IORING_OP_FALLOCATE:
3752 ret = io_fallocate_prep(req, sqe);
3753 break;
15b71abe
JA		 3754 case IORING_OP_OPENAT:
3755 ret = io_openat_prep(req, sqe);
3756 break;
b5dba59e
JA		 3757 case IORING_OP_CLOSE:
3758 ret = io_close_prep(req, sqe);
3759 break;
05f3fb3c
JA		 3760 case IORING_OP_FILES_UPDATE:
3761 ret = io_files_update_prep(req, sqe);
3762 break;
eddc7ef5
JA		 3763 case IORING_OP_STATX:
3764 ret = io_statx_prep(req, sqe);
3765 break;
4840e418
JA		 3766 case IORING_OP_FADVISE:
3767 ret = io_fadvise_prep(req, sqe);
3768 break;
f67676d1 3769 default:
e781573e
JA		 3770 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3771 req->opcode);
3772 ret = -EINVAL;
b7bb4f7d 3773 break;
f67676d1
JA		 3774 }
3775
b7bb4f7d 3776 return ret;
f67676d1
JA		 3777}
3778
3529d8c2 3779static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
de0617e4 3780{
a197f664 3781 struct io_ring_ctx *ctx = req->ctx;
f67676d1 3782 int ret;
de0617e4 3783
9d858b21
BL		 3784 /* Still need defer if there is pending req in defer list. */
3785 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
de0617e4
JA		 3786 return 0;
3787
3529d8c2 3788 if (!req->io && io_alloc_async_ctx(req))
de0617e4
JA		 3789 return -EAGAIN;
3790
3529d8c2 3791 ret = io_req_defer_prep(req, sqe);
b7bb4f7d 3792 if (ret < 0)
2d28390a 3793 return ret;
2d28390a 3794
de0617e4 3795 spin_lock_irq(&ctx->completion_lock);
9d858b21 3796 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
de0617e4 3797 spin_unlock_irq(&ctx->completion_lock);
de0617e4
JA		 3798 return 0;
3799 }
3800
915967f6 3801 trace_io_uring_defer(ctx, req, req->user_data);
de0617e4
JA		 3802 list_add_tail(&req->list, &ctx->defer_list);
3803 spin_unlock_irq(&ctx->completion_lock);
3804 return -EIOCBQUEUED;
3805}
3806
3529d8c2
JA		 3807static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3808 struct io_kiocb **nxt, bool force_nonblock)
2b188cc1 3809{
a197f664 3810 struct io_ring_ctx *ctx = req->ctx;
d625c6ee 3811 int ret;
2b188cc1 3812
d625c6ee 3813 switch (req->opcode) {
2b188cc1 3814 case IORING_OP_NOP:
78e19bbe 3815 ret = io_nop(req);
2b188cc1
JA		 3816 break;
3817 case IORING_OP_READV:
edafccee 3818 case IORING_OP_READ_FIXED:
3a6820f2 3819 case IORING_OP_READ:
3529d8c2
JA		 3820 if (sqe) {
3821 ret = io_read_prep(req, sqe, force_nonblock);
3822 if (ret < 0)
3823 break;
3824 }
267bc904 3825 ret = io_read(req, nxt, force_nonblock);
edafccee 3826 break;
3529d8c2 3827 case IORING_OP_WRITEV:
edafccee 3828 case IORING_OP_WRITE_FIXED:
3a6820f2 3829 case IORING_OP_WRITE:
3529d8c2
JA		 3830 if (sqe) {
3831 ret = io_write_prep(req, sqe, force_nonblock);
3832 if (ret < 0)
3833 break;
3834 }
267bc904 3835 ret = io_write(req, nxt, force_nonblock);
2b188cc1 3836 break;
c992fe29 3837 case IORING_OP_FSYNC:
3529d8c2
JA		 3838 if (sqe) {
3839 ret = io_prep_fsync(req, sqe);
3840 if (ret < 0)
3841 break;
3842 }
fc4df999 3843 ret = io_fsync(req, nxt, force_nonblock);
c992fe29 3844 break;
221c5eb2 3845 case IORING_OP_POLL_ADD:
3529d8c2
JA		 3846 if (sqe) {
3847 ret = io_poll_add_prep(req, sqe);
3848 if (ret)
3849 break;
3850 }
fc4df999 3851 ret = io_poll_add(req, nxt);
221c5eb2
JA		 3852 break;
3853 case IORING_OP_POLL_REMOVE:
3529d8c2
JA		 3854 if (sqe) {
3855 ret = io_poll_remove_prep(req, sqe);
3856 if (ret < 0)
3857 break;
3858 }
fc4df999 3859 ret = io_poll_remove(req);
221c5eb2 3860 break;
5d17b4a4 3861 case IORING_OP_SYNC_FILE_RANGE:
3529d8c2
JA		 3862 if (sqe) {
3863 ret = io_prep_sfr(req, sqe);
3864 if (ret < 0)
3865 break;
3866 }
fc4df999 3867 ret = io_sync_file_range(req, nxt, force_nonblock);
5d17b4a4 3868 break;
0fa03c62 3869 case IORING_OP_SENDMSG:
3529d8c2
JA		 3870 if (sqe) {
3871 ret = io_sendmsg_prep(req, sqe);
3872 if (ret < 0)
3873 break;
3874 }
fc4df999 3875 ret = io_sendmsg(req, nxt, force_nonblock);
0fa03c62 3876 break;
aa1fa28f 3877 case IORING_OP_RECVMSG:
3529d8c2
JA		 3878 if (sqe) {
3879 ret = io_recvmsg_prep(req, sqe);
3880 if (ret)
3881 break;
3882 }
fc4df999 3883 ret = io_recvmsg(req, nxt, force_nonblock);
aa1fa28f 3884 break;
5262f567 3885 case IORING_OP_TIMEOUT:
3529d8c2
JA		 3886 if (sqe) {
3887 ret = io_timeout_prep(req, sqe, false);
3888 if (ret)
3889 break;
3890 }
fc4df999 3891 ret = io_timeout(req);
5262f567 3892 break;
11365043 3893 case IORING_OP_TIMEOUT_REMOVE:
3529d8c2
JA		 3894 if (sqe) {
3895 ret = io_timeout_remove_prep(req, sqe);
3896 if (ret)
3897 break;
3898 }
fc4df999 3899 ret = io_timeout_remove(req);
11365043 3900 break;
17f2fe35 3901 case IORING_OP_ACCEPT:
3529d8c2
JA		 3902 if (sqe) {
3903 ret = io_accept_prep(req, sqe);
3904 if (ret)
3905 break;
3906 }
fc4df999 3907 ret = io_accept(req, nxt, force_nonblock);
17f2fe35 3908 break;
f8e85cf2 3909 case IORING_OP_CONNECT:
3529d8c2
JA		 3910 if (sqe) {
3911 ret = io_connect_prep(req, sqe);
3912 if (ret)
3913 break;
3914 }
fc4df999 3915 ret = io_connect(req, nxt, force_nonblock);
f8e85cf2 3916 break;
62755e35 3917 case IORING_OP_ASYNC_CANCEL:
3529d8c2
JA		 3918 if (sqe) {
3919 ret = io_async_cancel_prep(req, sqe);
3920 if (ret)
3921 break;
3922 }
fc4df999 3923 ret = io_async_cancel(req, nxt);
62755e35 3924 break;
d63d1b5e
JA		 3925 case IORING_OP_FALLOCATE:
3926 if (sqe) {
3927 ret = io_fallocate_prep(req, sqe);
3928 if (ret)
3929 break;
3930 }
3931 ret = io_fallocate(req, nxt, force_nonblock);
3932 break;
15b71abe
JA		 3933 case IORING_OP_OPENAT:
3934 if (sqe) {
3935 ret = io_openat_prep(req, sqe);
3936 if (ret)
3937 break;
3938 }
3939 ret = io_openat(req, nxt, force_nonblock);
3940 break;
b5dba59e
JA		 3941 case IORING_OP_CLOSE:
3942 if (sqe) {
3943 ret = io_close_prep(req, sqe);
3944 if (ret)
3945 break;
3946 }
3947 ret = io_close(req, nxt, force_nonblock);
3948 break;
05f3fb3c
JA		 3949 case IORING_OP_FILES_UPDATE:
3950 if (sqe) {
3951 ret = io_files_update_prep(req, sqe);
3952 if (ret)
3953 break;
3954 }
3955 ret = io_files_update(req, force_nonblock);
3956 break;
eddc7ef5
JA		 3957 case IORING_OP_STATX:
3958 if (sqe) {
3959 ret = io_statx_prep(req, sqe);
3960 if (ret)
3961 break;
3962 }
3963 ret = io_statx(req, nxt, force_nonblock);
3964 break;
4840e418
JA		 3965 case IORING_OP_FADVISE:
3966 if (sqe) {
3967 ret = io_fadvise_prep(req, sqe);
3968 if (ret)
3969 break;
3970 }
3971 ret = io_fadvise(req, nxt, force_nonblock);
3972 break;
2b188cc1
JA		 3973 default:
3974 ret = -EINVAL;
3975 break;
3976 }
3977
def596e9
JA		 3978 if (ret)
3979 return ret;
3980
3981 if (ctx->flags & IORING_SETUP_IOPOLL) {
11ba820b
JA		 3982 const bool in_async = io_wq_current_is_worker();
3983
9e645e11 3984 if (req->result == -EAGAIN)
def596e9
JA		 3985 return -EAGAIN;
3986
11ba820b
JA		 3987 /* workqueue context doesn't hold uring_lock, grab it now */
3988 if (in_async)
3989 mutex_lock(&ctx->uring_lock);
3990
def596e9 3991 io_iopoll_req_issued(req);
11ba820b
JA		 3992
3993 if (in_async)
3994 mutex_unlock(&ctx->uring_lock);
def596e9
JA		 3995 }
3996
3997 return 0;
2b188cc1
JA		 3998}
3999
561fb04a 4000static void io_wq_submit_work(struct io_wq_work **workptr)
2b188cc1 4001{
561fb04a 4002 struct io_wq_work *work = *workptr;
2b188cc1 4003 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
561fb04a
JA		 4004 struct io_kiocb *nxt = NULL;
4005 int ret = 0;
2b188cc1 4006
0c9d5ccd
JA		 4007 /* if NO_CANCEL is set, we must still run the work */
4008 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
4009 IO_WQ_WORK_CANCEL) {
561fb04a 4010 ret = -ECANCELED;
0c9d5ccd 4011 }
31b51510 4012
561fb04a 4013 if (!ret) {
cf6fd4bd
PB		 4014 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
4015 req->in_async = true;
561fb04a 4016 do {
3529d8c2 4017 ret = io_issue_sqe(req, NULL, &nxt, false);
561fb04a
JA		 4018 /*
4019 * We can get EAGAIN for polled IO even though we're
4020 * forcing a sync submission from here, since we can't
4021 * wait for request slots on the block side.
4022 */
4023 if (ret != -EAGAIN)
4024 break;
4025 cond_resched();
4026 } while (1);
4027 }
31b51510 4028
561fb04a 4029 /* drop submission reference */
ec9c02ad 4030 io_put_req(req);
817869d2 4031
561fb04a 4032 if (ret) {
4e88d6e7 4033 req_set_fail_links(req);
78e19bbe 4034 io_cqring_add_event(req, ret);
817869d2 4035 io_put_req(req);
edafccee 4036 }
2b188cc1 4037
561fb04a 4038 /* if a dependent link is ready, pass it back */
78912934
JA		 4039 if (!ret && nxt)
4040 io_wq_assign_next(workptr, nxt);
2b188cc1
JA		 4041}
4042
15b71abe 4043static int io_req_needs_file(struct io_kiocb *req, int fd)
09bb8394 4044{
d3656344 4045 if (!io_op_defs[req->opcode].needs_file)
9e3aa61a 4046 return 0;
d3656344
JA		 4047 if (fd == -1 && io_op_defs[req->opcode].fd_non_neg)
4048 return 0;
4049 return 1;
09bb8394
JA		 4050}
4051
65e19f54
JA		 4052static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
4053 int index)
4054{
4055 struct fixed_file_table *table;
4056
05f3fb3c
JA		 4057 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
4058 return table->files[index & IORING_FILE_TABLE_MASK];;
65e19f54
JA		 4059}
4060
3529d8c2
JA		 4061static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
4062 const struct io_uring_sqe *sqe)
09bb8394 4063{
a197f664 4064 struct io_ring_ctx *ctx = req->ctx;
09bb8394 4065 unsigned flags;
d3656344 4066 int fd;
09bb8394 4067
3529d8c2
JA		 4068 flags = READ_ONCE(sqe->flags);
4069 fd = READ_ONCE(sqe->fd);
09bb8394 4070
4fe2c963 4071 if (flags & IOSQE_IO_DRAIN)
de0617e4 4072 req->flags |= REQ_F_IO_DRAIN;
de0617e4 4073
d3656344
JA		 4074 if (!io_req_needs_file(req, fd))
4075 return 0;
09bb8394
JA		 4076
4077 if (flags & IOSQE_FIXED_FILE) {
05f3fb3c 4078 if (unlikely(!ctx->file_data ||
09bb8394
JA		 4079 (unsigned) fd >= ctx->nr_user_files))
4080 return -EBADF;
b7620121 4081 fd = array_index_nospec(fd, ctx->nr_user_files);
65e19f54
JA		 4082 req->file = io_file_from_index(ctx, fd);
4083 if (!req->file)
08a45173 4084 return -EBADF;
09bb8394 4085 req->flags |= REQ_F_FIXED_FILE;
05f3fb3c 4086 percpu_ref_get(&ctx->file_data->refs);
09bb8394 4087 } else {
cf6fd4bd 4088 if (req->needs_fixed_file)
09bb8394 4089 return -EBADF;
c826bd7a 4090 trace_io_uring_file_get(ctx, fd);
09bb8394
JA		 4091 req->file = io_file_get(state, fd);
4092 if (unlikely(!req->file))
4093 return -EBADF;
4094 }
4095
4096 return 0;
4097}
4098
a197f664 4099static int io_grab_files(struct io_kiocb *req)
fcb323cc
JA		 4100{
4101 int ret = -EBADF;
a197f664 4102 struct io_ring_ctx *ctx = req->ctx;
fcb323cc 4103
b5dba59e
JA		 4104 if (!req->ring_file)
4105 return -EBADF;
4106
fcb323cc
JA		 4107 rcu_read_lock();
4108 spin_lock_irq(&ctx->inflight_lock);
4109 /*
4110 * We use the f_ops->flush() handler to ensure that we can flush
4111 * out work accessing these files if the fd is closed. Check if
4112 * the fd has changed since we started down this path, and disallow
4113 * this operation if it has.
4114 */
cf6fd4bd 4115 if (fcheck(req->ring_fd) == req->ring_file) {
fcb323cc
JA		 4116 list_add(&req->inflight_entry, &ctx->inflight_list);
4117 req->flags |= REQ_F_INFLIGHT;
4118 req->work.files = current->files;
4119 ret = 0;
4120 }
4121 spin_unlock_irq(&ctx->inflight_lock);
4122 rcu_read_unlock();
4123
4124 return ret;
4125}
4126
2665abfd 4127static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
2b188cc1 4128{
ad8a48ac
JA		 4129 struct io_timeout_data *data = container_of(timer,
4130 struct io_timeout_data, timer);
4131 struct io_kiocb *req = data->req;
2665abfd
JA		 4132 struct io_ring_ctx *ctx = req->ctx;
4133 struct io_kiocb *prev = NULL;
4134 unsigned long flags;
2665abfd
JA		 4135
4136 spin_lock_irqsave(&ctx->completion_lock, flags);
4137
4138 /*
4139 * We don't expect the list to be empty, that will only happen if we
4140 * race with the completion of the linked work.
4141 */
4493233e
PB		 4142 if (!list_empty(&req->link_list)) {
4143 prev = list_entry(req->link_list.prev, struct io_kiocb,
4144 link_list);
5d960724 4145 if (refcount_inc_not_zero(&prev->refs)) {
4493233e 4146 list_del_init(&req->link_list);
5d960724
JA		 4147 prev->flags &= ~REQ_F_LINK_TIMEOUT;
4148 } else
76a46e06 4149 prev = NULL;
2665abfd
JA		 4150 }
4151
4152 spin_unlock_irqrestore(&ctx->completion_lock, flags);
4153
4154 if (prev) {
4e88d6e7 4155 req_set_fail_links(prev);
b0dd8a41
JA		 4156 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
4157 -ETIME);
76a46e06 4158 io_put_req(prev);
47f46768
JA		 4159 } else {
4160 io_cqring_add_event(req, -ETIME);
4161 io_put_req(req);
2665abfd 4162 }
2665abfd
JA		 4163 return HRTIMER_NORESTART;
4164}
4165
ad8a48ac 4166static void io_queue_linked_timeout(struct io_kiocb *req)
2665abfd 4167{
76a46e06 4168 struct io_ring_ctx *ctx = req->ctx;
2665abfd 4169
76a46e06
JA		 4170 /*
4171 * If the list is now empty, then our linked request finished before
4172 * we got a chance to setup the timer
4173 */
4174 spin_lock_irq(&ctx->completion_lock);
4493233e 4175 if (!list_empty(&req->link_list)) {
2d28390a 4176 struct io_timeout_data *data = &req->io->timeout;
94ae5e77 4177
ad8a48ac
JA		 4178 data->timer.function = io_link_timeout_fn;
4179 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
4180 data->mode);
2665abfd 4181 }
76a46e06 4182 spin_unlock_irq(&ctx->completion_lock);
2665abfd 4183
2665abfd 4184 /* drop submission reference */
76a46e06
JA		 4185 io_put_req(req);
4186}
2665abfd 4187
ad8a48ac 4188static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
2665abfd
JA		 4189{
4190 struct io_kiocb *nxt;
4191
4192 if (!(req->flags & REQ_F_LINK))
4193 return NULL;
4194
4493233e
PB		 4195 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
4196 link_list);
d625c6ee 4197 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
76a46e06 4198 return NULL;
2665abfd 4199
76a46e06 4200 req->flags |= REQ_F_LINK_TIMEOUT;
76a46e06 4201 return nxt;
2665abfd
JA		 4202}
4203
3529d8c2 4204static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2b188cc1 4205{
4a0a7a18 4206 struct io_kiocb *linked_timeout;
f9bd67f6 4207 struct io_kiocb *nxt = NULL;
e0c5c576 4208 int ret;
2b188cc1 4209
4a0a7a18
JA		 4210again:
4211 linked_timeout = io_prep_linked_timeout(req);
4212
3529d8c2 4213 ret = io_issue_sqe(req, sqe, &nxt, true);
491381ce
JA		 4214
4215 /*
4216 * We async punt it if the file wasn't marked NOWAIT, or if the file
4217 * doesn't support non-blocking read/write attempts
4218 */
4219 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
4220 (req->flags & REQ_F_MUST_PUNT))) {
bbad27b2
PB		 4221 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
4222 ret = io_grab_files(req);
4223 if (ret)
4224 goto err;
2b188cc1 4225 }
bbad27b2
PB		 4226
4227 /*
4228 * Queued up for async execution, worker will release
4229 * submit reference when the iocb is actually submitted.
4230 */
4231 io_queue_async_work(req);
4a0a7a18 4232 goto done_req;
2b188cc1 4233 }
e65ef56d 4234
fcb323cc 4235err:
76a46e06 4236 /* drop submission reference */
ec9c02ad 4237 io_put_req(req);
e65ef56d 4238
f9bd67f6 4239 if (linked_timeout) {
76a46e06 4240 if (!ret)
f9bd67f6 4241 io_queue_linked_timeout(linked_timeout);
76a46e06 4242 else
f9bd67f6 4243 io_put_req(linked_timeout);
76a46e06
JA		 4244 }
4245
e65ef56d 4246 /* and drop final reference, if we failed */
9e645e11 4247 if (ret) {
78e19bbe 4248 io_cqring_add_event(req, ret);
4e88d6e7 4249 req_set_fail_links(req);
e65ef56d 4250 io_put_req(req);
9e645e11 4251 }
4a0a7a18
JA		 4252done_req:
4253 if (nxt) {
4254 req = nxt;
4255 nxt = NULL;
4256 goto again;
4257 }
2b188cc1
JA		 4258}
4259
3529d8c2 4260static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4fe2c963
JL		 4261{
4262 int ret;
4263
1b4a51b6
PB		 4264 if (unlikely(req->ctx->drain_next)) {
4265 req->flags |= REQ_F_IO_DRAIN;
4266 req->ctx->drain_next = false;
4267 }
4268 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
4269
3529d8c2 4270 ret = io_req_defer(req, sqe);
4fe2c963
JL		 4271 if (ret) {
4272 if (ret != -EIOCBQUEUED) {
78e19bbe 4273 io_cqring_add_event(req, ret);
4e88d6e7 4274 req_set_fail_links(req);
78e19bbe 4275 io_double_put_req(req);
4fe2c963 4276 }
ce35a47a
JA		 4277 } else if ((req->flags & REQ_F_FORCE_ASYNC) &&
4278 !io_wq_current_is_worker()) {
4279 /*
4280 * Never try inline submit of IOSQE_ASYNC is set, go straight
4281 * to async execution.
4282 */
4283 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4284 io_queue_async_work(req);
4285 } else {
3529d8c2 4286 __io_queue_sqe(req, sqe);
ce35a47a 4287 }
4fe2c963
JL		 4288}
4289
1b4a51b6 4290static inline void io_queue_link_head(struct io_kiocb *req)
4fe2c963 4291{
94ae5e77 4292 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
1b4a51b6
PB		 4293 io_cqring_add_event(req, -ECANCELED);
4294 io_double_put_req(req);
4295 } else
3529d8c2 4296 io_queue_sqe(req, NULL);
4fe2c963
JL		 4297}
4298
4e88d6e7 4299#define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
ce35a47a 4300 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
9e645e11 4301
3529d8c2
JA		 4302static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4303 struct io_submit_state *state, struct io_kiocb **link)
9e645e11 4304{
a197f664 4305 struct io_ring_ctx *ctx = req->ctx;
32fe525b 4306 unsigned int sqe_flags;
9e645e11
JA		 4307 int ret;
4308
32fe525b
PB		 4309 sqe_flags = READ_ONCE(sqe->flags);
4310
9e645e11 4311 /* enforce forwards compatibility on users */
32fe525b 4312 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
9e645e11 4313 ret = -EINVAL;
196be95c 4314 goto err_req;
9e645e11 4315 }
32fe525b 4316 if (sqe_flags & IOSQE_ASYNC)
ce35a47a 4317 req->flags |= REQ_F_FORCE_ASYNC;
9e645e11 4318
3529d8c2 4319 ret = io_req_set_file(state, req, sqe);
9e645e11
JA		 4320 if (unlikely(ret)) {
4321err_req:
78e19bbe
JA		 4322 io_cqring_add_event(req, ret);
4323 io_double_put_req(req);
2e6e1fde 4324 return false;
9e645e11
JA		 4325 }
4326
9e645e11
JA		 4327 /*
4328 * If we already have a head request, queue this one for async
4329 * submittal once the head completes. If we don't have a head but
4330 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4331 * submitted sync once the chain is complete. If none of those
4332 * conditions are true (normal request), then just queue it.
4333 */
4334 if (*link) {
9d76377f 4335 struct io_kiocb *head = *link;
9e645e11 4336
32fe525b 4337 if (sqe_flags & IOSQE_IO_DRAIN)
9d76377f 4338 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
1b4a51b6 4339
32fe525b 4340 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7
JA		 4341 req->flags |= REQ_F_HARDLINK;
4342
b7bb4f7d 4343 if (io_alloc_async_ctx(req)) {
9e645e11
JA		 4344 ret = -EAGAIN;
4345 goto err_req;
4346 }
4347
3529d8c2 4348 ret = io_req_defer_prep(req, sqe);
2d28390a 4349 if (ret) {
4e88d6e7 4350 /* fail even hard links since we don't submit */
9d76377f 4351 head->flags |= REQ_F_FAIL_LINK;
f67676d1 4352 goto err_req;
2d28390a 4353 }
9d76377f
PB		 4354 trace_io_uring_link(ctx, req, head);
4355 list_add_tail(&req->link_list, &head->link_list);
32fe525b
PB		 4356
4357 /* last request of a link, enqueue the link */
4358 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4359 io_queue_link_head(head);
4360 *link = NULL;
4361 }
4362 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
9e645e11 4363 req->flags |= REQ_F_LINK;
32fe525b 4364 if (sqe_flags & IOSQE_IO_HARDLINK)
4e88d6e7 4365 req->flags |= REQ_F_HARDLINK;
9e645e11 4366
9e645e11 4367 INIT_LIST_HEAD(&req->link_list);
3529d8c2
JA		 4368 ret = io_req_defer_prep(req, sqe);
4369 if (ret)
4370 req->flags |= REQ_F_FAIL_LINK;
9e645e11
JA		 4371 *link = req;
4372 } else {
3529d8c2 4373 io_queue_sqe(req, sqe);
9e645e11 4374 }
2e6e1fde
PB		 4375
4376 return true;
9e645e11
JA		 4377}
4378
9a56a232
JA		 4379/*
4380 * Batched submission is done, ensure local IO is flushed out.
4381 */
4382static void io_submit_state_end(struct io_submit_state *state)
4383{
4384 blk_finish_plug(&state->plug);
3d6770fb 4385 io_file_put(state);
2579f913
JA		 4386 if (state->free_reqs)
4387 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4388 &state->reqs[state->cur_req]);
9a56a232
JA		 4389}
4390
4391/*
4392 * Start submission side cache.
4393 */
4394static void io_submit_state_start(struct io_submit_state *state,
22efde59 4395 unsigned int max_ios)
9a56a232
JA		 4396{
4397 blk_start_plug(&state->plug);
2579f913 4398 state->free_reqs = 0;
9a56a232
JA		 4399 state->file = NULL;
4400 state->ios_left = max_ios;
4401}
4402
2b188cc1
JA		 4403static void io_commit_sqring(struct io_ring_ctx *ctx)
4404{
75b28aff 4405 struct io_rings *rings = ctx->rings;
2b188cc1 4406
75b28aff 4407 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
2b188cc1
JA		 4408 /*
4409 * Ensure any loads from the SQEs are done at this point,
4410 * since once we write the new head, the application could
4411 * write new data to them.
4412 */
75b28aff 4413 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
2b188cc1
JA		 4414 }
4415}
4416
2b188cc1 4417/*
3529d8c2 4418 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
2b188cc1
JA		 4419 * that is mapped by userspace. This means that care needs to be taken to
4420 * ensure that reads are stable, as we cannot rely on userspace always
4421 * being a good citizen. If members of the sqe are validated and then later
4422 * used, it's important that those reads are done through READ_ONCE() to
4423 * prevent a re-load down the line.
4424 */
3529d8c2
JA		 4425static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4426 const struct io_uring_sqe **sqe_ptr)
2b188cc1 4427{
75b28aff
HV		 4428 struct io_rings *rings = ctx->rings;
4429 u32 *sq_array = ctx->sq_array;
2b188cc1
JA		 4430 unsigned head;
4431
4432 /*
4433 * The cached sq head (or cq tail) serves two purposes:
4434 *
4435 * 1) allows us to batch the cost of updating the user visible
4436 * head updates.
4437 * 2) allows the kernel side to track the head on its own, even
4438 * though the application is the one updating it.
4439 */
4440 head = ctx->cached_sq_head;
e523a29c 4441 /* make sure SQ entry isn't read before tail */
9835d6fa 4442 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
2b188cc1
JA		 4443 return false;
4444
75b28aff 4445 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
9835d6fa 4446 if (likely(head < ctx->sq_entries)) {
cf6fd4bd
PB		 4447 /*
4448 * All io need record the previous position, if LINK vs DARIN,
4449 * it can be used to mark the position of the first IO in the
4450 * link list.
4451 */
4452 req->sequence = ctx->cached_sq_head;
3529d8c2
JA		 4453 *sqe_ptr = &ctx->sq_sqes[head];
4454 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4455 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
2b188cc1
JA		 4456 ctx->cached_sq_head++;
4457 return true;
4458 }
4459
4460 /* drop invalid entries */
4461 ctx->cached_sq_head++;
498ccd9e
JA		 4462 ctx->cached_sq_dropped++;
4463 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
2b188cc1
JA		 4464 return false;
4465}
4466
fb5ccc98 4467static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
ae9428ca
PB		 4468 struct file *ring_file, int ring_fd,
4469 struct mm_struct **mm, bool async)
6c271ce2
JA		 4470{
4471 struct io_submit_state state, *statep = NULL;
9e645e11 4472 struct io_kiocb *link = NULL;
9e645e11 4473 int i, submitted = 0;
95a1b3ff 4474 bool mm_fault = false;
6c271ce2 4475
c4a2ed72 4476 /* if we have a backlog and couldn't flush it all, return BUSY */
ad3eb2c8
JA		 4477 if (test_bit(0, &ctx->sq_check_overflow)) {
4478 if (!list_empty(&ctx->cq_overflow_list) &&
4479 !io_cqring_overflow_flush(ctx, false))
4480 return -EBUSY;
4481 }
6c271ce2
JA		 4482
4483 if (nr > IO_PLUG_THRESHOLD) {
22efde59 4484 io_submit_state_start(&state, nr);
6c271ce2
JA		 4485 statep = &state;
4486 }
4487
4488 for (i = 0; i < nr; i++) {
3529d8c2 4489 const struct io_uring_sqe *sqe;
196be95c 4490 struct io_kiocb *req;
fb5ccc98 4491
196be95c
PB		 4492 req = io_get_req(ctx, statep);
4493 if (unlikely(!req)) {
4494 if (!submitted)
4495 submitted = -EAGAIN;
fb5ccc98 4496 break;
196be95c 4497 }
3529d8c2 4498 if (!io_get_sqring(ctx, req, &sqe)) {
196be95c
PB		 4499 __io_free_req(req);
4500 break;
4501 }
fb5ccc98 4502
d3656344
JA		 4503 /* will complete beyond this point, count as submitted */
4504 submitted++;
4505
4506 if (unlikely(req->opcode >= IORING_OP_LAST)) {
4507 io_cqring_add_event(req, -EINVAL);
4508 io_double_put_req(req);
4509 break;
4510 }
4511
4512 if (io_op_defs[req->opcode].needs_mm && !*mm) {
95a1b3ff
PB		 4513 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4514 if (!mm_fault) {
4515 use_mm(ctx->sqo_mm);
4516 *mm = ctx->sqo_mm;
4517 }
9e645e11 4518 }
9e645e11 4519
cf6fd4bd
PB		 4520 req->ring_file = ring_file;
4521 req->ring_fd = ring_fd;
4522 req->has_user = *mm != NULL;
4523 req->in_async = async;
4524 req->needs_fixed_file = async;
d625c6ee 4525 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
3529d8c2 4526 if (!io_submit_sqe(req, sqe, statep, &link))
2e6e1fde 4527 break;
6c271ce2
JA		 4528 }
4529
9e645e11 4530 if (link)
1b4a51b6 4531 io_queue_link_head(link);
6c271ce2
JA		 4532 if (statep)
4533 io_submit_state_end(&state);
4534
ae9428ca
PB		 4535 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4536 io_commit_sqring(ctx);
4537
6c271ce2
JA		 4538 return submitted;
4539}
4540
4541static int io_sq_thread(void *data)
4542{
6c271ce2
JA		 4543 struct io_ring_ctx *ctx = data;
4544 struct mm_struct *cur_mm = NULL;
181e448d 4545 const struct cred *old_cred;
6c271ce2
JA		 4546 mm_segment_t old_fs;
4547 DEFINE_WAIT(wait);
4548 unsigned inflight;
4549 unsigned long timeout;
c1edbf5f 4550 int ret;
6c271ce2 4551
206aefde 4552 complete(&ctx->completions[1]);
a4c0b3de 4553
6c271ce2
JA		 4554 old_fs = get_fs();
4555 set_fs(USER_DS);
181e448d 4556 old_cred = override_creds(ctx->creds);
6c271ce2 4557
c1edbf5f 4558 ret = timeout = inflight = 0;
2bbcd6d3 4559 while (!kthread_should_park()) {
fb5ccc98 4560 unsigned int to_submit;
6c271ce2
JA		 4561
4562 if (inflight) {
4563 unsigned nr_events = 0;
4564
4565 if (ctx->flags & IORING_SETUP_IOPOLL) {
2b2ed975
JA		 4566 /*
4567 * inflight is the count of the maximum possible
4568 * entries we submitted, but it can be smaller
4569 * if we dropped some of them. If we don't have
4570 * poll entries available, then we know that we
4571 * have nothing left to poll for. Reset the
4572 * inflight count to zero in that case.
4573 */
4574 mutex_lock(&ctx->uring_lock);
4575 if (!list_empty(&ctx->poll_list))
4576 __io_iopoll_check(ctx, &nr_events, 0);
4577 else
4578 inflight = 0;
4579 mutex_unlock(&ctx->uring_lock);
6c271ce2
JA		 4580 } else {
4581 /*
4582 * Normal IO, just pretend everything completed.
4583 * We don't have to poll completions for that.
4584 */
4585 nr_events = inflight;
4586 }
4587
4588 inflight -= nr_events;
4589 if (!inflight)
4590 timeout = jiffies + ctx->sq_thread_idle;
4591 }
4592
fb5ccc98 4593 to_submit = io_sqring_entries(ctx);
c1edbf5f
JA		 4594
4595 /*
4596 * If submit got -EBUSY, flag us as needing the application
4597 * to enter the kernel to reap and flush events.
4598 */
4599 if (!to_submit || ret == -EBUSY) {
6c271ce2
JA		 4600 /*
4601 * We're polling. If we're within the defined idle
4602 * period, then let us spin without work before going
c1edbf5f
JA		 4603 * to sleep. The exception is if we got EBUSY doing
4604 * more IO, we should wait for the application to
4605 * reap events and wake us up.
6c271ce2 4606 */
c1edbf5f
JA		 4607 if (inflight ||
4608 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
9831a90c 4609 cond_resched();
6c271ce2
JA		 4610 continue;
4611 }
4612
4613 /*
4614 * Drop cur_mm before scheduling, we can't hold it for
4615 * long periods (or over schedule()). Do this before
4616 * adding ourselves to the waitqueue, as the unuse/drop
4617 * may sleep.
4618 */
4619 if (cur_mm) {
4620 unuse_mm(cur_mm);
4621 mmput(cur_mm);
4622 cur_mm = NULL;
4623 }
4624
4625 prepare_to_wait(&ctx->sqo_wait, &wait,
4626 TASK_INTERRUPTIBLE);
4627
4628 /* Tell userspace we may need a wakeup call */
75b28aff 4629 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
0d7bae69
SB		 4630 /* make sure to read SQ tail after writing flags */
4631 smp_mb();
6c271ce2 4632
fb5ccc98 4633 to_submit = io_sqring_entries(ctx);
c1edbf5f 4634 if (!to_submit || ret == -EBUSY) {
2bbcd6d3 4635 if (kthread_should_park()) {
6c271ce2
JA		 4636 finish_wait(&ctx->sqo_wait, &wait);
4637 break;
4638 }
4639 if (signal_pending(current))
4640 flush_signals(current);
4641 schedule();
4642 finish_wait(&ctx->sqo_wait, &wait);
4643
75b28aff 4644 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4645 continue;
4646 }
4647 finish_wait(&ctx->sqo_wait, &wait);
4648
75b28aff 4649 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
6c271ce2
JA		 4650 }
4651
fb5ccc98 4652 to_submit = min(to_submit, ctx->sq_entries);
8a4955ff 4653 mutex_lock(&ctx->uring_lock);
1d7bb1d5 4654 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
8a4955ff 4655 mutex_unlock(&ctx->uring_lock);
1d7bb1d5
JA		 4656 if (ret > 0)
4657 inflight += ret;
6c271ce2
JA		 4658 }
4659
4660 set_fs(old_fs);
4661 if (cur_mm) {
4662 unuse_mm(cur_mm);
4663 mmput(cur_mm);
4664 }
181e448d 4665 revert_creds(old_cred);
06058632 4666
2bbcd6d3 4667 kthread_parkme();
06058632 4668
6c271ce2
JA		 4669 return 0;
4670}
4671
bda52162
JA		 4672struct io_wait_queue {
4673 struct wait_queue_entry wq;
4674 struct io_ring_ctx *ctx;
4675 unsigned to_wait;
4676 unsigned nr_timeouts;
4677};
4678
1d7bb1d5 4679static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
bda52162
JA		 4680{
4681 struct io_ring_ctx *ctx = iowq->ctx;
4682
4683 /*
d195a66e 4684 * Wake up if we have enough events, or if a timeout occurred since we
bda52162
JA		 4685 * started waiting. For timeouts, we always want to return to userspace,
4686 * regardless of event count.
4687 */
1d7bb1d5 4688 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
bda52162
JA		 4689 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4690}
4691
4692static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4693 int wake_flags, void *key)
4694{
4695 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4696 wq);
4697
1d7bb1d5
JA		 4698 /* use noflush == true, as we can't safely rely on locking context */
4699 if (!io_should_wake(iowq, true))
bda52162
JA		 4700 return -1;
4701
4702 return autoremove_wake_function(curr, mode, wake_flags, key);
4703}
4704
2b188cc1
JA		 4705/*
4706 * Wait until events become available, if we don't already have some. The
4707 * application must reap them itself, as they reside on the shared cq ring.
4708 */
4709static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4710 const sigset_t __user *sig, size_t sigsz)
4711{
bda52162
JA		 4712 struct io_wait_queue iowq = {
4713 .wq = {
4714 .private = current,
4715 .func = io_wake_function,
4716 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4717 },
4718 .ctx = ctx,
4719 .to_wait = min_events,
4720 };
75b28aff 4721 struct io_rings *rings = ctx->rings;
e9ffa5c2 4722 int ret = 0;
2b188cc1 4723
1d7bb1d5 4724 if (io_cqring_events(ctx, false) >= min_events)
2b188cc1
JA		 4725 return 0;
4726
4727 if (sig) {
9e75ad5d
AB		 4728#ifdef CONFIG_COMPAT
4729 if (in_compat_syscall())
4730 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
b772434b 4731 sigsz);
9e75ad5d
AB		 4732 else
4733#endif
b772434b 4734 ret = set_user_sigmask(sig, sigsz);
9e75ad5d 4735
2b188cc1
JA		 4736 if (ret)
4737 return ret;
4738 }
4739
bda52162 4740 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
c826bd7a 4741 trace_io_uring_cqring_wait(ctx, min_events);
bda52162
JA		 4742 do {
4743 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4744 TASK_INTERRUPTIBLE);
1d7bb1d5 4745 if (io_should_wake(&iowq, false))
bda52162
JA		 4746 break;
4747 schedule();
4748 if (signal_pending(current)) {
e9ffa5c2 4749 ret = -EINTR;
bda52162
JA		 4750 break;
4751 }
4752 } while (1);
4753 finish_wait(&ctx->wait, &iowq.wq);
4754
e9ffa5c2 4755 restore_saved_sigmask_unless(ret == -EINTR);
2b188cc1 4756
75b28aff 4757 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
2b188cc1
JA		 4758}
4759
6b06314c
JA		 4760static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4761{
4762#if defined(CONFIG_UNIX)
4763 if (ctx->ring_sock) {
4764 struct sock *sock = ctx->ring_sock->sk;
4765 struct sk_buff *skb;
4766
4767 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4768 kfree_skb(skb);
4769 }
4770#else
4771 int i;
4772
65e19f54
JA		 4773 for (i = 0; i < ctx->nr_user_files; i++) {
4774 struct file *file;
4775
4776 file = io_file_from_index(ctx, i);
4777 if (file)
4778 fput(file);
4779 }
6b06314c
JA		 4780#endif
4781}
4782
05f3fb3c
JA		 4783static void io_file_ref_kill(struct percpu_ref *ref)
4784{
4785 struct fixed_file_data *data;
4786
4787 data = container_of(ref, struct fixed_file_data, refs);
4788 complete(&data->done);
4789}
4790
6b06314c
JA		 4791static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4792{
05f3fb3c 4793 struct fixed_file_data *data = ctx->file_data;
65e19f54
JA		 4794 unsigned nr_tables, i;
4795
05f3fb3c 4796 if (!data)
6b06314c
JA		 4797 return -ENXIO;
4798
05f3fb3c
JA		 4799 /* protect against inflight atomic switch, which drops the ref */
4800 flush_work(&data->ref_work);
4801 percpu_ref_get(&data->refs);
4802 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
4803 wait_for_completion(&data->done);
4804 percpu_ref_put(&data->refs);
4805 percpu_ref_exit(&data->refs);
4806
6b06314c 4807 __io_sqe_files_unregister(ctx);
65e19f54
JA		 4808 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4809 for (i = 0; i < nr_tables; i++)
05f3fb3c
JA		 4810 kfree(data->table[i].files);
4811 kfree(data->table);
4812 kfree(data);
4813 ctx->file_data = NULL;
6b06314c
JA		 4814 ctx->nr_user_files = 0;
4815 return 0;
4816}
4817
6c271ce2
JA		 4818static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4819{
4820 if (ctx->sqo_thread) {
206aefde 4821 wait_for_completion(&ctx->completions[1]);
2bbcd6d3
RP		 4822 /*
4823 * The park is a bit of a work-around, without it we get
4824 * warning spews on shutdown with SQPOLL set and affinity
4825 * set to a single CPU.
4826 */
06058632 4827 kthread_park(ctx->sqo_thread);
6c271ce2
JA		 4828 kthread_stop(ctx->sqo_thread);
4829 ctx->sqo_thread = NULL;
4830 }
4831}
4832
6b06314c
JA		 4833static void io_finish_async(struct io_ring_ctx *ctx)
4834{
6c271ce2
JA		 4835 io_sq_thread_stop(ctx);
4836
561fb04a
JA		 4837 if (ctx->io_wq) {
4838 io_wq_destroy(ctx->io_wq);
4839 ctx->io_wq = NULL;
6b06314c
JA		 4840 }
4841}
4842
4843#if defined(CONFIG_UNIX)
6b06314c
JA		 4844/*
4845 * Ensure the UNIX gc is aware of our file set, so we are certain that
4846 * the io_uring can be safely unregistered on process exit, even if we have
4847 * loops in the file referencing.
4848 */
4849static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4850{
4851 struct sock *sk = ctx->ring_sock->sk;
4852 struct scm_fp_list *fpl;
4853 struct sk_buff *skb;
08a45173 4854 int i, nr_files;
6b06314c
JA		 4855
4856 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4857 unsigned long inflight = ctx->user->unix_inflight + nr;
4858
4859 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4860 return -EMFILE;
4861 }
4862
4863 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4864 if (!fpl)
4865 return -ENOMEM;
4866
4867 skb = alloc_skb(0, GFP_KERNEL);
4868 if (!skb) {
4869 kfree(fpl);
4870 return -ENOMEM;
4871 }
4872
4873 skb->sk = sk;
6b06314c 4874
08a45173 4875 nr_files = 0;
6b06314c
JA		 4876 fpl->user = get_uid(ctx->user);
4877 for (i = 0; i < nr; i++) {
65e19f54
JA		 4878 struct file *file = io_file_from_index(ctx, i + offset);
4879
4880 if (!file)
08a45173 4881 continue;
65e19f54 4882 fpl->fp[nr_files] = get_file(file);
08a45173
JA		 4883 unix_inflight(fpl->user, fpl->fp[nr_files]);
4884 nr_files++;
6b06314c
JA		 4885 }
4886
08a45173
JA		 4887 if (nr_files) {
4888 fpl->max = SCM_MAX_FD;
4889 fpl->count = nr_files;
4890 UNIXCB(skb).fp = fpl;
05f3fb3c 4891 skb->destructor = unix_destruct_scm;
08a45173
JA		 4892 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4893 skb_queue_head(&sk->sk_receive_queue, skb);
6b06314c 4894
08a45173
JA		 4895 for (i = 0; i < nr_files; i++)
4896 fput(fpl->fp[i]);
4897 } else {
4898 kfree_skb(skb);
4899 kfree(fpl);
4900 }
6b06314c
JA		 4901
4902 return 0;
4903}
4904
4905/*
4906 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4907 * causes regular reference counting to break down. We rely on the UNIX
4908 * garbage collection to take care of this problem for us.
4909 */
4910static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4911{
4912 unsigned left, total;
4913 int ret = 0;
4914
4915 total = 0;
4916 left = ctx->nr_user_files;
4917 while (left) {
4918 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
6b06314c
JA		 4919
4920 ret = __io_sqe_files_scm(ctx, this_files, total);
4921 if (ret)
4922 break;
4923 left -= this_files;
4924 total += this_files;
4925 }
4926
4927 if (!ret)
4928 return 0;
4929
4930 while (total < ctx->nr_user_files) {
65e19f54
JA		 4931 struct file *file = io_file_from_index(ctx, total);
4932
4933 if (file)
4934 fput(file);
6b06314c
JA		 4935 total++;
4936 }
4937
4938 return ret;
4939}
4940#else
4941static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4942{
4943 return 0;
4944}
4945#endif
4946
65e19f54
JA		 4947static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
4948 unsigned nr_files)
4949{
4950 int i;
4951
4952 for (i = 0; i < nr_tables; i++) {
05f3fb3c 4953 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 4954 unsigned this_files;
4955
4956 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
4957 table->files = kcalloc(this_files, sizeof(struct file *),
4958 GFP_KERNEL);
4959 if (!table->files)
4960 break;
4961 nr_files -= this_files;
4962 }
4963
4964 if (i == nr_tables)
4965 return 0;
4966
4967 for (i = 0; i < nr_tables; i++) {
05f3fb3c 4968 struct fixed_file_table *table = &ctx->file_data->table[i];
65e19f54
JA		 4969 kfree(table->files);
4970 }
4971 return 1;
4972}
4973
05f3fb3c
JA		 4974static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
4975{
4976#if defined(CONFIG_UNIX)
4977 struct sock *sock = ctx->ring_sock->sk;
4978 struct sk_buff_head list, *head = &sock->sk_receive_queue;
4979 struct sk_buff *skb;
4980 int i;
4981
4982 __skb_queue_head_init(&list);
4983
4984 /*
4985 * Find the skb that holds this file in its SCM_RIGHTS. When found,
4986 * remove this entry and rearrange the file array.
4987 */
4988 skb = skb_dequeue(head);
4989 while (skb) {
4990 struct scm_fp_list *fp;
4991
4992 fp = UNIXCB(skb).fp;
4993 for (i = 0; i < fp->count; i++) {
4994 int left;
4995
4996 if (fp->fp[i] != file)
4997 continue;
4998
4999 unix_notinflight(fp->user, fp->fp[i]);
5000 left = fp->count - 1 - i;
5001 if (left) {
5002 memmove(&fp->fp[i], &fp->fp[i + 1],
5003 left * sizeof(struct file *));
5004 }
5005 fp->count--;
5006 if (!fp->count) {
5007 kfree_skb(skb);
5008 skb = NULL;
5009 } else {
5010 __skb_queue_tail(&list, skb);
5011 }
5012 fput(file);
5013 file = NULL;
5014 break;
5015 }
5016
5017 if (!file)
5018 break;
5019
5020 __skb_queue_tail(&list, skb);
5021
5022 skb = skb_dequeue(head);
5023 }
5024
5025 if (skb_peek(&list)) {
5026 spin_lock_irq(&head->lock);
5027 while ((skb = __skb_dequeue(&list)) != NULL)
5028 __skb_queue_tail(head, skb);
5029 spin_unlock_irq(&head->lock);
5030 }
5031#else
5032 fput(file);
5033#endif
5034}
5035
5036struct io_file_put {
5037 struct llist_node llist;
5038 struct file *file;
5039 struct completion *done;
5040};
5041
5042static void io_ring_file_ref_switch(struct work_struct *work)
5043{
5044 struct io_file_put *pfile, *tmp;
5045 struct fixed_file_data *data;
5046 struct llist_node *node;
5047
5048 data = container_of(work, struct fixed_file_data, ref_work);
5049
5050 while ((node = llist_del_all(&data->put_llist)) != NULL) {
5051 llist_for_each_entry_safe(pfile, tmp, node, llist) {
5052 io_ring_file_put(data->ctx, pfile->file);
5053 if (pfile->done)
5054 complete(pfile->done);
5055 else
5056 kfree(pfile);
5057 }
5058 }
5059
5060 percpu_ref_get(&data->refs);
5061 percpu_ref_switch_to_percpu(&data->refs);
5062}
5063
5064static void io_file_data_ref_zero(struct percpu_ref *ref)
5065{
5066 struct fixed_file_data *data;
5067
5068 data = container_of(ref, struct fixed_file_data, refs);
5069
5070 /* we can't safely switch from inside this context, punt to wq */
5071 queue_work(system_wq, &data->ref_work);
5072}
5073
6b06314c
JA		 5074static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
5075 unsigned nr_args)
5076{
5077 __s32 __user *fds = (__s32 __user *) arg;
65e19f54 5078 unsigned nr_tables;
05f3fb3c 5079 struct file *file;
6b06314c
JA		 5080 int fd, ret = 0;
5081 unsigned i;
5082
05f3fb3c 5083 if (ctx->file_data)
6b06314c
JA		 5084 return -EBUSY;
5085 if (!nr_args)
5086 return -EINVAL;
5087 if (nr_args > IORING_MAX_FIXED_FILES)
5088 return -EMFILE;
5089
05f3fb3c
JA		 5090 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
5091 if (!ctx->file_data)
5092 return -ENOMEM;
5093 ctx->file_data->ctx = ctx;
5094 init_completion(&ctx->file_data->done);
5095
65e19f54 5096 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
05f3fb3c
JA		 5097 ctx->file_data->table = kcalloc(nr_tables,
5098 sizeof(struct fixed_file_table),
65e19f54 5099 GFP_KERNEL);
05f3fb3c
JA		 5100 if (!ctx->file_data->table) {
5101 kfree(ctx->file_data);
5102 ctx->file_data = NULL;
6b06314c 5103 return -ENOMEM;
05f3fb3c
JA		 5104 }
5105
5106 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
5107 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
5108 kfree(ctx->file_data->table);
5109 kfree(ctx->file_data);
5110 ctx->file_data = NULL;
5111 return -ENOMEM;
5112 }
5113 ctx->file_data->put_llist.first = NULL;
5114 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
6b06314c 5115
65e19f54 5116 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
05f3fb3c
JA		 5117 percpu_ref_exit(&ctx->file_data->refs);
5118 kfree(ctx->file_data->table);
5119 kfree(ctx->file_data);
5120 ctx->file_data = NULL;
65e19f54
JA		 5121 return -ENOMEM;
5122 }
5123
08a45173 5124 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
65e19f54
JA		 5125 struct fixed_file_table *table;
5126 unsigned index;
5127
6b06314c
JA		 5128 ret = -EFAULT;
5129 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
5130 break;
08a45173
JA		 5131 /* allow sparse sets */
5132 if (fd == -1) {
5133 ret = 0;
5134 continue;
5135 }
6b06314c 5136
05f3fb3c 5137 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54 5138 index = i & IORING_FILE_TABLE_MASK;
05f3fb3c 5139 file = fget(fd);
6b06314c
JA		 5140
5141 ret = -EBADF;
05f3fb3c 5142 if (!file)
6b06314c 5143 break;
05f3fb3c 5144
6b06314c
JA		 5145 /*
5146 * Don't allow io_uring instances to be registered. If UNIX
5147 * isn't enabled, then this causes a reference cycle and this
5148 * instance can never get freed. If UNIX is enabled we'll
5149 * handle it just fine, but there's still no point in allowing
5150 * a ring fd as it doesn't support regular read/write anyway.
5151 */
05f3fb3c
JA		 5152 if (file->f_op == &io_uring_fops) {
5153 fput(file);
6b06314c
JA		 5154 break;
5155 }
6b06314c 5156 ret = 0;
05f3fb3c 5157 table->files[index] = file;
6b06314c
JA		 5158 }
5159
5160 if (ret) {
65e19f54 5161 for (i = 0; i < ctx->nr_user_files; i++) {
65e19f54
JA		 5162 file = io_file_from_index(ctx, i);
5163 if (file)
5164 fput(file);
5165 }
5166 for (i = 0; i < nr_tables; i++)
05f3fb3c 5167 kfree(ctx->file_data->table[i].files);
6b06314c 5168
05f3fb3c
JA		 5169 kfree(ctx->file_data->table);
5170 kfree(ctx->file_data);
5171 ctx->file_data = NULL;
6b06314c
JA		 5172 ctx->nr_user_files = 0;
5173 return ret;
5174 }
5175
5176 ret = io_sqe_files_scm(ctx);
5177 if (ret)
5178 io_sqe_files_unregister(ctx);
5179
5180 return ret;
5181}
5182
c3a31e60
JA		 5183static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
5184 int index)
5185{
5186#if defined(CONFIG_UNIX)
5187 struct sock *sock = ctx->ring_sock->sk;
5188 struct sk_buff_head *head = &sock->sk_receive_queue;
5189 struct sk_buff *skb;
5190
5191 /*
5192 * See if we can merge this file into an existing skb SCM_RIGHTS
5193 * file set. If there's no room, fall back to allocating a new skb
5194 * and filling it in.
5195 */
5196 spin_lock_irq(&head->lock);
5197 skb = skb_peek(head);
5198 if (skb) {
5199 struct scm_fp_list *fpl = UNIXCB(skb).fp;
5200
5201 if (fpl->count < SCM_MAX_FD) {
5202 __skb_unlink(skb, head);
5203 spin_unlock_irq(&head->lock);
5204 fpl->fp[fpl->count] = get_file(file);
5205 unix_inflight(fpl->user, fpl->fp[fpl->count]);
5206 fpl->count++;
5207 spin_lock_irq(&head->lock);
5208 __skb_queue_head(head, skb);
5209 } else {
5210 skb = NULL;
5211 }
5212 }
5213 spin_unlock_irq(&head->lock);
5214
5215 if (skb) {
5216 fput(file);
5217 return 0;
5218 }
5219
5220 return __io_sqe_files_scm(ctx, 1, index);
5221#else
5222 return 0;
5223#endif
5224}
5225
05f3fb3c 5226static void io_atomic_switch(struct percpu_ref *ref)
c3a31e60 5227{
05f3fb3c
JA		 5228 struct fixed_file_data *data;
5229
5230 data = container_of(ref, struct fixed_file_data, refs);
5231 clear_bit(FFD_F_ATOMIC, &data->state);
5232}
5233
5234static bool io_queue_file_removal(struct fixed_file_data *data,
5235 struct file *file)
5236{
5237 struct io_file_put *pfile, pfile_stack;
5238 DECLARE_COMPLETION_ONSTACK(done);
5239
5240 /*
5241 * If we fail allocating the struct we need for doing async reomval
5242 * of this file, just punt to sync and wait for it.
5243 */
5244 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
5245 if (!pfile) {
5246 pfile = &pfile_stack;
5247 pfile->done = &done;
5248 }
5249
5250 pfile->file = file;
5251 llist_add(&pfile->llist, &data->put_llist);
5252
5253 if (pfile == &pfile_stack) {
5254 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5255 percpu_ref_put(&data->refs);
5256 percpu_ref_switch_to_atomic(&data->refs,
5257 io_atomic_switch);
5258 }
5259 wait_for_completion(&done);
5260 flush_work(&data->ref_work);
5261 return false;
5262 }
5263
5264 return true;
5265}
5266
5267static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5268 struct io_uring_files_update *up,
5269 unsigned nr_args)
5270{
5271 struct fixed_file_data *data = ctx->file_data;
5272 bool ref_switch = false;
5273 struct file *file;
c3a31e60
JA		 5274 __s32 __user *fds;
5275 int fd, i, err;
5276 __u32 done;
5277
05f3fb3c 5278 if (check_add_overflow(up->offset, nr_args, &done))
c3a31e60
JA		 5279 return -EOVERFLOW;
5280 if (done > ctx->nr_user_files)
5281 return -EINVAL;
5282
5283 done = 0;
05f3fb3c 5284 fds = u64_to_user_ptr(up->fds);
c3a31e60 5285 while (nr_args) {
65e19f54
JA		 5286 struct fixed_file_table *table;
5287 unsigned index;
5288
c3a31e60
JA		 5289 err = 0;
5290 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5291 err = -EFAULT;
5292 break;
5293 }
05f3fb3c
JA		 5294 i = array_index_nospec(up->offset, ctx->nr_user_files);
5295 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
65e19f54
JA		 5296 index = i & IORING_FILE_TABLE_MASK;
5297 if (table->files[index]) {
05f3fb3c 5298 file = io_file_from_index(ctx, index);
65e19f54 5299 table->files[index] = NULL;
05f3fb3c
JA		 5300 if (io_queue_file_removal(data, file))
5301 ref_switch = true;
c3a31e60
JA		 5302 }
5303 if (fd != -1) {
c3a31e60
JA		 5304 file = fget(fd);
5305 if (!file) {
5306 err = -EBADF;
5307 break;
5308 }
5309 /*
5310 * Don't allow io_uring instances to be registered. If
5311 * UNIX isn't enabled, then this causes a reference
5312 * cycle and this instance can never get freed. If UNIX
5313 * is enabled we'll handle it just fine, but there's
5314 * still no point in allowing a ring fd as it doesn't
5315 * support regular read/write anyway.
5316 */
5317 if (file->f_op == &io_uring_fops) {
5318 fput(file);
5319 err = -EBADF;
5320 break;
5321 }
65e19f54 5322 table->files[index] = file;
c3a31e60
JA		 5323 err = io_sqe_file_register(ctx, file, i);
5324 if (err)
5325 break;
5326 }
5327 nr_args--;
5328 done++;
05f3fb3c
JA		 5329 up->offset++;
5330 }
5331
5332 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5333 percpu_ref_put(&data->refs);
5334 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
c3a31e60
JA		 5335 }
5336
5337 return done ? done : err;
5338}
05f3fb3c
JA		 5339static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5340 unsigned nr_args)
5341{
5342 struct io_uring_files_update up;
5343
5344 if (!ctx->file_data)
5345 return -ENXIO;
5346 if (!nr_args)
5347 return -EINVAL;
5348 if (copy_from_user(&up, arg, sizeof(up)))
5349 return -EFAULT;
5350 if (up.resv)
5351 return -EINVAL;
5352
5353 return __io_sqe_files_update(ctx, &up, nr_args);
5354}
c3a31e60 5355
7d723065
JA		 5356static void io_put_work(struct io_wq_work *work)
5357{
5358 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5359
5360 io_put_req(req);
5361}
5362
5363static void io_get_work(struct io_wq_work *work)
5364{
5365 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5366
5367 refcount_inc(&req->refs);
5368}
5369
6c271ce2
JA		 5370static int io_sq_offload_start(struct io_ring_ctx *ctx,
5371 struct io_uring_params *p)
2b188cc1 5372{
576a347b 5373 struct io_wq_data data;
561fb04a 5374 unsigned concurrency;
2b188cc1
JA		 5375 int ret;
5376
6c271ce2 5377 init_waitqueue_head(&ctx->sqo_wait);
2b188cc1
JA		 5378 mmgrab(current->mm);
5379 ctx->sqo_mm = current->mm;
5380
6c271ce2 5381 if (ctx->flags & IORING_SETUP_SQPOLL) {
3ec482d1
JA		 5382 ret = -EPERM;
5383 if (!capable(CAP_SYS_ADMIN))
5384 goto err;
5385
917257da
JA		 5386 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5387 if (!ctx->sq_thread_idle)
5388 ctx->sq_thread_idle = HZ;
5389
6c271ce2 5390 if (p->flags & IORING_SETUP_SQ_AFF) {
44a9bd18 5391 int cpu = p->sq_thread_cpu;
6c271ce2 5392
917257da 5393 ret = -EINVAL;
44a9bd18
JA		 5394 if (cpu >= nr_cpu_ids)
5395 goto err;
7889f44d 5396 if (!cpu_online(cpu))
917257da
JA		 5397 goto err;
5398
6c271ce2
JA		 5399 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5400 ctx, cpu,
5401 "io_uring-sq");
5402 } else {
5403 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5404 "io_uring-sq");
5405 }
5406 if (IS_ERR(ctx->sqo_thread)) {
5407 ret = PTR_ERR(ctx->sqo_thread);
5408 ctx->sqo_thread = NULL;
5409 goto err;
5410 }
5411 wake_up_process(ctx->sqo_thread);
5412 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5413 /* Can't have SQ_AFF without SQPOLL */
5414 ret = -EINVAL;
5415 goto err;
5416 }
5417
576a347b
JA		 5418 data.mm = ctx->sqo_mm;
5419 data.user = ctx->user;
181e448d 5420 data.creds = ctx->creds;
576a347b
JA		 5421 data.get_work = io_get_work;
5422 data.put_work = io_put_work;
5423
561fb04a
JA		 5424 /* Do QD, or 4 * CPUS, whatever is smallest */
5425 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
576a347b 5426 ctx->io_wq = io_wq_create(concurrency, &data);
975c99a5
JA		 5427 if (IS_ERR(ctx->io_wq)) {
5428 ret = PTR_ERR(ctx->io_wq);
5429 ctx->io_wq = NULL;
2b188cc1
JA		 5430 goto err;
5431 }
5432
5433 return 0;
5434err:
54a91f3b 5435 io_finish_async(ctx);
2b188cc1
JA		 5436 mmdrop(ctx->sqo_mm);
5437 ctx->sqo_mm = NULL;
5438 return ret;
5439}
5440
5441static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5442{
5443 atomic_long_sub(nr_pages, &user->locked_vm);
5444}
5445
5446static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5447{
5448 unsigned long page_limit, cur_pages, new_pages;
5449
5450 /* Don't allow more pages than we can safely lock */
5451 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5452
5453 do {
5454 cur_pages = atomic_long_read(&user->locked_vm);
5455 new_pages = cur_pages + nr_pages;
5456 if (new_pages > page_limit)
5457 return -ENOMEM;
5458 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5459 new_pages) != cur_pages);
5460
5461 return 0;
5462}
5463
5464static void io_mem_free(void *ptr)
5465{
52e04ef4
MR		 5466 struct page *page;
5467
5468 if (!ptr)
5469 return;
2b188cc1 5470
52e04ef4 5471 page = virt_to_head_page(ptr);
2b188cc1
JA		 5472 if (put_page_testzero(page))
5473 free_compound_page(page);
5474}
5475
5476static void *io_mem_alloc(size_t size)
5477{
5478 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5479 __GFP_NORETRY;
5480
5481 return (void *) __get_free_pages(gfp_flags, get_order(size));
5482}
5483
75b28aff
HV		 5484static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5485 size_t *sq_offset)
5486{
5487 struct io_rings *rings;
5488 size_t off, sq_array_size;
5489
5490 off = struct_size(rings, cqes, cq_entries);
5491 if (off == SIZE_MAX)
5492 return SIZE_MAX;
5493
5494#ifdef CONFIG_SMP
5495 off = ALIGN(off, SMP_CACHE_BYTES);
5496 if (off == 0)
5497 return SIZE_MAX;
5498#endif
5499
5500 sq_array_size = array_size(sizeof(u32), sq_entries);
5501 if (sq_array_size == SIZE_MAX)
5502 return SIZE_MAX;
5503
5504 if (check_add_overflow(off, sq_array_size, &off))
5505 return SIZE_MAX;
5506
5507 if (sq_offset)
5508 *sq_offset = off;
5509
5510 return off;
5511}
5512
2b188cc1
JA		 5513static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5514{
75b28aff 5515 size_t pages;
2b188cc1 5516
75b28aff
HV		 5517 pages = (size_t)1 << get_order(
5518 rings_size(sq_entries, cq_entries, NULL));
5519 pages += (size_t)1 << get_order(
5520 array_size(sizeof(struct io_uring_sqe), sq_entries));
2b188cc1 5521
75b28aff 5522 return pages;
2b188cc1
JA		 5523}
5524
edafccee
JA		 5525static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5526{
5527 int i, j;
5528
5529 if (!ctx->user_bufs)
5530 return -ENXIO;
5531
5532 for (i = 0; i < ctx->nr_user_bufs; i++) {
5533 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5534
5535 for (j = 0; j < imu->nr_bvecs; j++)
27c4d3a3 5536 put_user_page(imu->bvec[j].bv_page);
edafccee
JA		 5537
5538 if (ctx->account_mem)
5539 io_unaccount_mem(ctx->user, imu->nr_bvecs);
d4ef6475 5540 kvfree(imu->bvec);
edafccee
JA		 5541 imu->nr_bvecs = 0;
5542 }
5543
5544 kfree(ctx->user_bufs);
5545 ctx->user_bufs = NULL;
5546 ctx->nr_user_bufs = 0;
5547 return 0;
5548}
5549
5550static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5551 void __user *arg, unsigned index)
5552{
5553 struct iovec __user *src;
5554
5555#ifdef CONFIG_COMPAT
5556 if (ctx->compat) {
5557 struct compat_iovec __user *ciovs;
5558 struct compat_iovec ciov;
5559
5560 ciovs = (struct compat_iovec __user *) arg;
5561 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5562 return -EFAULT;
5563
d55e5f5b 5564 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
edafccee
JA		 5565 dst->iov_len = ciov.iov_len;
5566 return 0;
5567 }
5568#endif
5569 src = (struct iovec __user *) arg;
5570 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5571 return -EFAULT;
5572 return 0;
5573}
5574
5575static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5576 unsigned nr_args)
5577{
5578 struct vm_area_struct **vmas = NULL;
5579 struct page **pages = NULL;
5580 int i, j, got_pages = 0;
5581 int ret = -EINVAL;
5582
5583 if (ctx->user_bufs)
5584 return -EBUSY;
5585 if (!nr_args || nr_args > UIO_MAXIOV)
5586 return -EINVAL;
5587
5588 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5589 GFP_KERNEL);
5590 if (!ctx->user_bufs)
5591 return -ENOMEM;
5592
5593 for (i = 0; i < nr_args; i++) {
5594 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5595 unsigned long off, start, end, ubuf;
5596 int pret, nr_pages;
5597 struct iovec iov;
5598 size_t size;
5599
5600 ret = io_copy_iov(ctx, &iov, arg, i);
5601 if (ret)
a278682d 5602 goto err;
edafccee
JA		 5603
5604 /*
5605 * Don't impose further limits on the size and buffer
5606 * constraints here, we'll -EINVAL later when IO is
5607 * submitted if they are wrong.
5608 */
5609 ret = -EFAULT;
5610 if (!iov.iov_base || !iov.iov_len)
5611 goto err;
5612
5613 /* arbitrary limit, but we need something */
5614 if (iov.iov_len > SZ_1G)
5615 goto err;
5616
5617 ubuf = (unsigned long) iov.iov_base;
5618 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5619 start = ubuf >> PAGE_SHIFT;
5620 nr_pages = end - start;
5621
5622 if (ctx->account_mem) {
5623 ret = io_account_mem(ctx->user, nr_pages);
5624 if (ret)
5625 goto err;
5626 }
5627
5628 ret = 0;
5629 if (!pages || nr_pages > got_pages) {
5630 kfree(vmas);
5631 kfree(pages);
d4ef6475 5632 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
edafccee 5633 GFP_KERNEL);
d4ef6475 5634 vmas = kvmalloc_array(nr_pages,
edafccee
JA		 5635 sizeof(struct vm_area_struct *),
5636 GFP_KERNEL);
5637 if (!pages || !vmas) {
5638 ret = -ENOMEM;
5639 if (ctx->account_mem)
5640 io_unaccount_mem(ctx->user, nr_pages);
5641 goto err;
5642 }
5643 got_pages = nr_pages;
5644 }
5645
d4ef6475 5646 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
edafccee
JA		 5647 GFP_KERNEL);
5648 ret = -ENOMEM;
5649 if (!imu->bvec) {
5650 if (ctx->account_mem)
5651 io_unaccount_mem(ctx->user, nr_pages);
5652 goto err;
5653 }
5654
5655 ret = 0;
5656 down_read(&current->mm->mmap_sem);
932f4a63
IW		 5657 pret = get_user_pages(ubuf, nr_pages,
5658 FOLL_WRITE | FOLL_LONGTERM,
5659 pages, vmas);
edafccee
JA		 5660 if (pret == nr_pages) {
5661 /* don't support file backed memory */
5662 for (j = 0; j < nr_pages; j++) {
5663 struct vm_area_struct *vma = vmas[j];
5664
5665 if (vma->vm_file &&
5666 !is_file_hugepages(vma->vm_file)) {
5667 ret = -EOPNOTSUPP;
5668 break;
5669 }
5670 }
5671 } else {
5672 ret = pret < 0 ? pret : -EFAULT;
5673 }
5674 up_read(&current->mm->mmap_sem);
5675 if (ret) {
5676 /*
5677 * if we did partial map, or found file backed vmas,
5678 * release any pages we did get
5679 */
27c4d3a3
JH		 5680 if (pret > 0)
5681 put_user_pages(pages, pret);
edafccee
JA		 5682 if (ctx->account_mem)
5683 io_unaccount_mem(ctx->user, nr_pages);
d4ef6475 5684 kvfree(imu->bvec);
edafccee
JA		 5685 goto err;
5686 }
5687
5688 off = ubuf & ~PAGE_MASK;
5689 size = iov.iov_len;
5690 for (j = 0; j < nr_pages; j++) {
5691 size_t vec_len;
5692
5693 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5694 imu->bvec[j].bv_page = pages[j];
5695 imu->bvec[j].bv_len = vec_len;
5696 imu->bvec[j].bv_offset = off;
5697 off = 0;
5698 size -= vec_len;
5699 }
5700 /* store original address for later verification */
5701 imu->ubuf = ubuf;
5702 imu->len = iov.iov_len;
5703 imu->nr_bvecs = nr_pages;
5704
5705 ctx->nr_user_bufs++;
5706 }
d4ef6475
MR		 5707 kvfree(pages);
5708 kvfree(vmas);
edafccee
JA		 5709 return 0;
5710err:
d4ef6475
MR		 5711 kvfree(pages);
5712 kvfree(vmas);
edafccee
JA		 5713 io_sqe_buffer_unregister(ctx);
5714 return ret;
5715}
5716
9b402849
JA		 5717static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
5718{
5719 __s32 __user *fds = arg;
5720 int fd;
5721
5722 if (ctx->cq_ev_fd)
5723 return -EBUSY;
5724
5725 if (copy_from_user(&fd, fds, sizeof(*fds)))
5726 return -EFAULT;
5727
5728 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
5729 if (IS_ERR(ctx->cq_ev_fd)) {
5730 int ret = PTR_ERR(ctx->cq_ev_fd);
5731 ctx->cq_ev_fd = NULL;
5732 return ret;
5733 }
5734
5735 return 0;
5736}
5737
5738static int io_eventfd_unregister(struct io_ring_ctx *ctx)
5739{
5740 if (ctx->cq_ev_fd) {
5741 eventfd_ctx_put(ctx->cq_ev_fd);
5742 ctx->cq_ev_fd = NULL;
5743 return 0;
5744 }
5745
5746 return -ENXIO;
5747}
5748
2b188cc1
JA		 5749static void io_ring_ctx_free(struct io_ring_ctx *ctx)
5750{
6b06314c 5751 io_finish_async(ctx);
2b188cc1
JA		 5752 if (ctx->sqo_mm)
5753 mmdrop(ctx->sqo_mm);
def596e9
JA		 5754
5755 io_iopoll_reap_events(ctx);
edafccee 5756 io_sqe_buffer_unregister(ctx);
6b06314c 5757 io_sqe_files_unregister(ctx);
9b402849 5758 io_eventfd_unregister(ctx);
def596e9 5759
2b188cc1 5760#if defined(CONFIG_UNIX)
355e8d26
EB		 5761 if (ctx->ring_sock) {
5762 ctx->ring_sock->file = NULL; /* so that iput() is called */
2b188cc1 5763 sock_release(ctx->ring_sock);
355e8d26 5764 }
2b188cc1
JA		 5765#endif
5766
75b28aff 5767 io_mem_free(ctx->rings);
2b188cc1 5768 io_mem_free(ctx->sq_sqes);
2b188cc1
JA		 5769
5770 percpu_ref_exit(&ctx->refs);
5771 if (ctx->account_mem)
5772 io_unaccount_mem(ctx->user,
5773 ring_pages(ctx->sq_entries, ctx->cq_entries));
5774 free_uid(ctx->user);
181e448d 5775 put_cred(ctx->creds);
206aefde 5776 kfree(ctx->completions);
78076bb6 5777 kfree(ctx->cancel_hash);
0ddf92e8 5778 kmem_cache_free(req_cachep, ctx->fallback_req);
2b188cc1
JA		 5779 kfree(ctx);
5780}
5781
5782static __poll_t io_uring_poll(struct file *file, poll_table *wait)
5783{
5784 struct io_ring_ctx *ctx = file->private_data;
5785 __poll_t mask = 0;
5786
5787 poll_wait(file, &ctx->cq_wait, wait);
4f7067c3
SB		 5788 /*
5789 * synchronizes with barrier from wq_has_sleeper call in
5790 * io_commit_cqring
5791 */
2b188cc1 5792 smp_rmb();
75b28aff
HV		 5793 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
5794 ctx->rings->sq_ring_entries)
2b188cc1 5795 mask |= EPOLLOUT | EPOLLWRNORM;
daa5de54 5796 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
2b188cc1
JA		 5797 mask |= EPOLLIN | EPOLLRDNORM;
5798
5799 return mask;
5800}
5801
5802static int io_uring_fasync(int fd, struct file *file, int on)
5803{
5804 struct io_ring_ctx *ctx = file->private_data;
5805
5806 return fasync_helper(fd, file, on, &ctx->cq_fasync);
5807}
5808
5809static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
5810{
5811 mutex_lock(&ctx->uring_lock);
5812 percpu_ref_kill(&ctx->refs);
5813 mutex_unlock(&ctx->uring_lock);
5814
5262f567 5815 io_kill_timeouts(ctx);
221c5eb2 5816 io_poll_remove_all(ctx);
561fb04a
JA		 5817
5818 if (ctx->io_wq)
5819 io_wq_cancel_all(ctx->io_wq);
5820
def596e9 5821 io_iopoll_reap_events(ctx);
15dff286
JA		 5822 /* if we failed setting up the ctx, we might not have any rings */
5823 if (ctx->rings)
5824 io_cqring_overflow_flush(ctx, true);
206aefde 5825 wait_for_completion(&ctx->completions[0]);
2b188cc1
JA		 5826 io_ring_ctx_free(ctx);
5827}
5828
5829static int io_uring_release(struct inode *inode, struct file *file)
5830{
5831 struct io_ring_ctx *ctx = file->private_data;
5832
5833 file->private_data = NULL;
5834 io_ring_ctx_wait_and_kill(ctx);
5835 return 0;
5836}
5837
fcb323cc
JA		 5838static void io_uring_cancel_files(struct io_ring_ctx *ctx,
5839 struct files_struct *files)
5840{
5841 struct io_kiocb *req;
5842 DEFINE_WAIT(wait);
5843
5844 while (!list_empty_careful(&ctx->inflight_list)) {
768134d4 5845 struct io_kiocb *cancel_req = NULL;
fcb323cc
JA		 5846
5847 spin_lock_irq(&ctx->inflight_lock);
5848 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
768134d4
JA		 5849 if (req->work.files != files)
5850 continue;
5851 /* req is being completed, ignore */
5852 if (!refcount_inc_not_zero(&req->refs))
5853 continue;
5854 cancel_req = req;
5855 break;
fcb323cc 5856 }
768134d4 5857 if (cancel_req)
fcb323cc 5858 prepare_to_wait(&ctx->inflight_wait, &wait,
768134d4 5859 TASK_UNINTERRUPTIBLE);
fcb323cc
JA		 5860 spin_unlock_irq(&ctx->inflight_lock);
5861
768134d4
JA		 5862 /* We need to keep going until we don't find a matching req */
5863 if (!cancel_req)
fcb323cc 5864 break;
2f6d9b9d
BL		 5865
5866 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
5867 io_put_req(cancel_req);
fcb323cc
JA		 5868 schedule();
5869 }
768134d4 5870 finish_wait(&ctx->inflight_wait, &wait);
fcb323cc
JA		 5871}
5872
5873static int io_uring_flush(struct file *file, void *data)
5874{
5875 struct io_ring_ctx *ctx = file->private_data;
5876
5877 io_uring_cancel_files(ctx, data);
1d7bb1d5
JA		 5878 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
5879 io_cqring_overflow_flush(ctx, true);
fcb323cc 5880 io_wq_cancel_all(ctx->io_wq);
1d7bb1d5 5881 }
fcb323cc
JA		 5882 return 0;
5883}
5884
6c5c240e
RP		 5885static void *io_uring_validate_mmap_request(struct file *file,
5886 loff_t pgoff, size_t sz)
2b188cc1 5887{
2b188cc1 5888 struct io_ring_ctx *ctx = file->private_data;
6c5c240e 5889 loff_t offset = pgoff << PAGE_SHIFT;
2b188cc1
JA		 5890 struct page *page;
5891 void *ptr;
5892
5893 switch (offset) {
5894 case IORING_OFF_SQ_RING:
75b28aff
HV		 5895 case IORING_OFF_CQ_RING:
5896 ptr = ctx->rings;
2b188cc1
JA		 5897 break;
5898 case IORING_OFF_SQES:
5899 ptr = ctx->sq_sqes;
5900 break;
2b188cc1 5901 default:
6c5c240e 5902 return ERR_PTR(-EINVAL);
2b188cc1
JA		 5903 }
5904
5905 page = virt_to_head_page(ptr);
a50b854e 5906 if (sz > page_size(page))
6c5c240e
RP		 5907 return ERR_PTR(-EINVAL);
5908
5909 return ptr;
5910}
5911
5912#ifdef CONFIG_MMU
5913
5914static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5915{
5916 size_t sz = vma->vm_end - vma->vm_start;
5917 unsigned long pfn;
5918 void *ptr;
5919
5920 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5921 if (IS_ERR(ptr))
5922 return PTR_ERR(ptr);
2b188cc1
JA		 5923
5924 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5925 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5926}
5927
6c5c240e
RP		 5928#else /* !CONFIG_MMU */
5929
5930static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5931{
5932 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5933}
5934
5935static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
5936{
5937 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
5938}
5939
5940static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
5941 unsigned long addr, unsigned long len,
5942 unsigned long pgoff, unsigned long flags)
5943{
5944 void *ptr;
5945
5946 ptr = io_uring_validate_mmap_request(file, pgoff, len);
5947 if (IS_ERR(ptr))
5948 return PTR_ERR(ptr);
5949
5950 return (unsigned long) ptr;
5951}
5952
5953#endif /* !CONFIG_MMU */
5954
2b188cc1
JA		 5955SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
5956 u32, min_complete, u32, flags, const sigset_t __user *, sig,
5957 size_t, sigsz)
5958{
5959 struct io_ring_ctx *ctx;
5960 long ret = -EBADF;
5961 int submitted = 0;
5962 struct fd f;
5963
6c271ce2 5964 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
2b188cc1
JA		 5965 return -EINVAL;
5966
5967 f = fdget(fd);
5968 if (!f.file)
5969 return -EBADF;
5970
5971 ret = -EOPNOTSUPP;
5972 if (f.file->f_op != &io_uring_fops)
5973 goto out_fput;
5974
5975 ret = -ENXIO;
5976 ctx = f.file->private_data;
5977 if (!percpu_ref_tryget(&ctx->refs))
5978 goto out_fput;
5979
6c271ce2
JA		 5980 /*
5981 * For SQ polling, the thread will do all submissions and completions.
5982 * Just return the requested submit count, and wake the thread if
5983 * we were asked to.
5984 */
b2a9eada 5985 ret = 0;
6c271ce2 5986 if (ctx->flags & IORING_SETUP_SQPOLL) {
c1edbf5f
JA		 5987 if (!list_empty_careful(&ctx->cq_overflow_list))
5988 io_cqring_overflow_flush(ctx, false);
6c271ce2
JA		 5989 if (flags & IORING_ENTER_SQ_WAKEUP)
5990 wake_up(&ctx->sqo_wait);
5991 submitted = to_submit;
b2a9eada 5992 } else if (to_submit) {
ae9428ca 5993 struct mm_struct *cur_mm;
2b188cc1 5994
44d28279
JA		 5995 if (current->mm != ctx->sqo_mm ||
5996 current_cred() != ctx->creds) {
5997 ret = -EPERM;
5998 goto out;
5999 }
6000
ae9428ca 6001 to_submit = min(to_submit, ctx->sq_entries);
2b188cc1 6002 mutex_lock(&ctx->uring_lock);
ae9428ca
PB		 6003 /* already have mm, so io_submit_sqes() won't try to grab it */
6004 cur_mm = ctx->sqo_mm;
6005 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
6006 &cur_mm, false);
2b188cc1 6007 mutex_unlock(&ctx->uring_lock);
7c504e65
PB		 6008
6009 if (submitted != to_submit)
6010 goto out;
2b188cc1
JA		 6011 }
6012 if (flags & IORING_ENTER_GETEVENTS) {
def596e9
JA		 6013 unsigned nr_events = 0;
6014
2b188cc1
JA		 6015 min_complete = min(min_complete, ctx->cq_entries);
6016
def596e9 6017 if (ctx->flags & IORING_SETUP_IOPOLL) {
def596e9 6018 ret = io_iopoll_check(ctx, &nr_events, min_complete);
def596e9
JA		 6019 } else {
6020 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
6021 }
2b188cc1
JA		 6022 }
6023
7c504e65 6024out:
6805b32e 6025 percpu_ref_put(&ctx->refs);
2b188cc1
JA		 6026out_fput:
6027 fdput(f);
6028 return submitted ? submitted : ret;
6029}
6030
6031static const struct file_operations io_uring_fops = {
6032 .release = io_uring_release,
fcb323cc 6033 .flush = io_uring_flush,
2b188cc1 6034 .mmap = io_uring_mmap,
6c5c240e
RP		 6035#ifndef CONFIG_MMU
6036 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
6037 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
6038#endif
2b188cc1
JA		 6039 .poll = io_uring_poll,
6040 .fasync = io_uring_fasync,
6041};
6042
6043static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
6044 struct io_uring_params *p)
6045{
75b28aff
HV		 6046 struct io_rings *rings;
6047 size_t size, sq_array_offset;
2b188cc1 6048
75b28aff
HV		 6049 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
6050 if (size == SIZE_MAX)
6051 return -EOVERFLOW;
6052
6053 rings = io_mem_alloc(size);
6054 if (!rings)
2b188cc1
JA		 6055 return -ENOMEM;
6056
75b28aff
HV		 6057 ctx->rings = rings;
6058 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
6059 rings->sq_ring_mask = p->sq_entries - 1;
6060 rings->cq_ring_mask = p->cq_entries - 1;
6061 rings->sq_ring_entries = p->sq_entries;
6062 rings->cq_ring_entries = p->cq_entries;
6063 ctx->sq_mask = rings->sq_ring_mask;
6064 ctx->cq_mask = rings->cq_ring_mask;
6065 ctx->sq_entries = rings->sq_ring_entries;
6066 ctx->cq_entries = rings->cq_ring_entries;
2b188cc1
JA		 6067
6068 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
eb065d30
JA		 6069 if (size == SIZE_MAX) {
6070 io_mem_free(ctx->rings);
6071 ctx->rings = NULL;
2b188cc1 6072 return -EOVERFLOW;
eb065d30 6073 }
2b188cc1
JA		 6074
6075 ctx->sq_sqes = io_mem_alloc(size);
eb065d30
JA		 6076 if (!ctx->sq_sqes) {
6077 io_mem_free(ctx->rings);
6078 ctx->rings = NULL;
2b188cc1 6079 return -ENOMEM;
eb065d30 6080 }
2b188cc1 6081
2b188cc1
JA		 6082 return 0;
6083}
6084
6085/*
6086 * Allocate an anonymous fd, this is what constitutes the application
6087 * visible backing of an io_uring instance. The application mmaps this
6088 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
6089 * we have to tie this fd to a socket for file garbage collection purposes.
6090 */
6091static int io_uring_get_fd(struct io_ring_ctx *ctx)
6092{
6093 struct file *file;
6094 int ret;
6095
6096#if defined(CONFIG_UNIX)
6097 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
6098 &ctx->ring_sock);
6099 if (ret)
6100 return ret;
6101#endif
6102
6103 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
6104 if (ret < 0)
6105 goto err;
6106
6107 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
6108 O_RDWR | O_CLOEXEC);
6109 if (IS_ERR(file)) {
6110 put_unused_fd(ret);
6111 ret = PTR_ERR(file);
6112 goto err;
6113 }
6114
6115#if defined(CONFIG_UNIX)
6116 ctx->ring_sock->file = file;
6117#endif
6118 fd_install(ret, file);
6119 return ret;
6120err:
6121#if defined(CONFIG_UNIX)
6122 sock_release(ctx->ring_sock);
6123 ctx->ring_sock = NULL;
6124#endif
6125 return ret;
6126}
6127
6128static int io_uring_create(unsigned entries, struct io_uring_params *p)
6129{
6130 struct user_struct *user = NULL;
6131 struct io_ring_ctx *ctx;
6132 bool account_mem;
6133 int ret;
6134
6135 if (!entries || entries > IORING_MAX_ENTRIES)
6136 return -EINVAL;
6137
6138 /*
6139 * Use twice as many entries for the CQ ring. It's possible for the
6140 * application to drive a higher depth than the size of the SQ ring,
6141 * since the sqes are only used at submission time. This allows for
33a107f0
JA		 6142 * some flexibility in overcommitting a bit. If the application has
6143 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
6144 * of CQ ring entries manually.
2b188cc1
JA		 6145 */
6146 p->sq_entries = roundup_pow_of_two(entries);
33a107f0
JA		 6147 if (p->flags & IORING_SETUP_CQSIZE) {
6148 /*
6149 * If IORING_SETUP_CQSIZE is set, we do the same roundup
6150 * to a power-of-two, if it isn't already. We do NOT impose
6151 * any cq vs sq ring sizing.
6152 */
6153 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
6154 return -EINVAL;
6155 p->cq_entries = roundup_pow_of_two(p->cq_entries);
6156 } else {
6157 p->cq_entries = 2 * p->sq_entries;
6158 }
2b188cc1
JA		 6159
6160 user = get_uid(current_user());
6161 account_mem = !capable(CAP_IPC_LOCK);
6162
6163 if (account_mem) {
6164 ret = io_account_mem(user,
6165 ring_pages(p->sq_entries, p->cq_entries));
6166 if (ret) {
6167 free_uid(user);
6168 return ret;
6169 }
6170 }
6171
6172 ctx = io_ring_ctx_alloc(p);
6173 if (!ctx) {
6174 if (account_mem)
6175 io_unaccount_mem(user, ring_pages(p->sq_entries,
6176 p->cq_entries));
6177 free_uid(user);
6178 return -ENOMEM;
6179 }
6180 ctx->compat = in_compat_syscall();
6181 ctx->account_mem = account_mem;
6182 ctx->user = user;
0b8c0ec7 6183 ctx->creds = get_current_cred();
2b188cc1
JA		 6184
6185 ret = io_allocate_scq_urings(ctx, p);
6186 if (ret)
6187 goto err;
6188
6c271ce2 6189 ret = io_sq_offload_start(ctx, p);
2b188cc1
JA		 6190 if (ret)
6191 goto err;
6192
2b188cc1 6193 memset(&p->sq_off, 0, sizeof(p->sq_off));
75b28aff
HV		 6194 p->sq_off.head = offsetof(struct io_rings, sq.head);
6195 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
6196 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
6197 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
6198 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
6199 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
6200 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
2b188cc1
JA		 6201
6202 memset(&p->cq_off, 0, sizeof(p->cq_off));
75b28aff
HV		 6203 p->cq_off.head = offsetof(struct io_rings, cq.head);
6204 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
6205 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
6206 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
6207 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
6208 p->cq_off.cqes = offsetof(struct io_rings, cqes);
ac90f249 6209
044c1ab3
JA		 6210 /*
6211 * Install ring fd as the very last thing, so we don't risk someone
6212 * having closed it before we finish setup
6213 */
6214 ret = io_uring_get_fd(ctx);
6215 if (ret < 0)
6216 goto err;
6217
da8c9690 6218 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
ba04291e 6219 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS;
c826bd7a 6220 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
2b188cc1
JA		 6221 return ret;
6222err:
6223 io_ring_ctx_wait_and_kill(ctx);
6224 return ret;
6225}
6226
6227/*
6228 * Sets up an aio uring context, and returns the fd. Applications asks for a
6229 * ring size, we return the actual sq/cq ring sizes (among other things) in the
6230 * params structure passed in.
6231 */
6232static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
6233{
6234 struct io_uring_params p;
6235 long ret;
6236 int i;
6237
6238 if (copy_from_user(&p, params, sizeof(p)))
6239 return -EFAULT;
6240 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
6241 if (p.resv[i])
6242 return -EINVAL;
6243 }
6244
6c271ce2 6245 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
33a107f0 6246 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
2b188cc1
JA		 6247 return -EINVAL;
6248
6249 ret = io_uring_create(entries, &p);
6250 if (ret < 0)
6251 return ret;
6252
6253 if (copy_to_user(params, &p, sizeof(p)))
6254 return -EFAULT;
6255
6256 return ret;
6257}
6258
6259SYSCALL_DEFINE2(io_uring_setup, u32, entries,
6260 struct io_uring_params __user *, params)
6261{
6262 return io_uring_setup(entries, params);
6263}
6264
edafccee
JA		 6265static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
6266 void __user *arg, unsigned nr_args)
b19062a5
JA		 6267 __releases(ctx->uring_lock)
6268 __acquires(ctx->uring_lock)
edafccee
JA		 6269{
6270 int ret;
6271
35fa71a0
JA		 6272 /*
6273 * We're inside the ring mutex, if the ref is already dying, then
6274 * someone else killed the ctx or is already going through
6275 * io_uring_register().
6276 */
6277 if (percpu_ref_is_dying(&ctx->refs))
6278 return -ENXIO;
6279
05f3fb3c
JA		 6280 if (opcode != IORING_UNREGISTER_FILES &&
6281 opcode != IORING_REGISTER_FILES_UPDATE) {
6282 percpu_ref_kill(&ctx->refs);
b19062a5 6283
05f3fb3c
JA		 6284 /*
6285 * Drop uring mutex before waiting for references to exit. If
6286 * another thread is currently inside io_uring_enter() it might
6287 * need to grab the uring_lock to make progress. If we hold it
6288 * here across the drain wait, then we can deadlock. It's safe
6289 * to drop the mutex here, since no new references will come in
6290 * after we've killed the percpu ref.
6291 */
6292 mutex_unlock(&ctx->uring_lock);
6293 wait_for_completion(&ctx->completions[0]);
6294 mutex_lock(&ctx->uring_lock);
6295 }
edafccee
JA		 6296
6297 switch (opcode) {
6298 case IORING_REGISTER_BUFFERS:
6299 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6300 break;
6301 case IORING_UNREGISTER_BUFFERS:
6302 ret = -EINVAL;
6303 if (arg || nr_args)
6304 break;
6305 ret = io_sqe_buffer_unregister(ctx);
6306 break;
6b06314c
JA		 6307 case IORING_REGISTER_FILES:
6308 ret = io_sqe_files_register(ctx, arg, nr_args);
6309 break;
6310 case IORING_UNREGISTER_FILES:
6311 ret = -EINVAL;
6312 if (arg || nr_args)
6313 break;
6314 ret = io_sqe_files_unregister(ctx);
6315 break;
c3a31e60
JA		 6316 case IORING_REGISTER_FILES_UPDATE:
6317 ret = io_sqe_files_update(ctx, arg, nr_args);
6318 break;
9b402849
JA		 6319 case IORING_REGISTER_EVENTFD:
6320 ret = -EINVAL;
6321 if (nr_args != 1)
6322 break;
6323 ret = io_eventfd_register(ctx, arg);
6324 break;
6325 case IORING_UNREGISTER_EVENTFD:
6326 ret = -EINVAL;
6327 if (arg || nr_args)
6328 break;
6329 ret = io_eventfd_unregister(ctx);
6330 break;
edafccee
JA		 6331 default:
6332 ret = -EINVAL;
6333 break;
6334 }
6335
05f3fb3c
JA		 6336
6337 if (opcode != IORING_UNREGISTER_FILES &&
6338 opcode != IORING_REGISTER_FILES_UPDATE) {
6339 /* bring the ctx back to life */
6340 reinit_completion(&ctx->completions[0]);
6341 percpu_ref_reinit(&ctx->refs);
6342 }
edafccee
JA		 6343 return ret;
6344}
6345
6346SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6347 void __user *, arg, unsigned int, nr_args)
6348{
6349 struct io_ring_ctx *ctx;
6350 long ret = -EBADF;
6351 struct fd f;
6352
6353 f = fdget(fd);
6354 if (!f.file)
6355 return -EBADF;
6356
6357 ret = -EOPNOTSUPP;
6358 if (f.file->f_op != &io_uring_fops)
6359 goto out_fput;
6360
6361 ctx = f.file->private_data;
6362
6363 mutex_lock(&ctx->uring_lock);
6364 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6365 mutex_unlock(&ctx->uring_lock);
c826bd7a
DD		 6366 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6367 ctx->cq_ev_fd != NULL, ret);
edafccee
JA		 6368out_fput:
6369 fdput(f);
6370 return ret;
6371}
6372
2b188cc1
JA		 6373static int __init io_uring_init(void)
6374{
d3656344 6375 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
2b188cc1
JA		 6376 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6377 return 0;
6378};
6379__initcall(io_uring_init);
Ubuntu Jammy Linux kernel mirror