]> git.ipfire.org Git - thirdparty/kernel/stable.git/blob - io_uring/io_uring.c
projects / thirdparty / kernel / stable.git / blob
? search:


2dd6731c10221e2d7bbfb2916d1cc3d42d9bd4e5
[thirdparty/kernel/stable.git] / io_uring / io_uring.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
5 *
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
8 *
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqe (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
16 * CQ entries.
17 *
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
23 * head will do).
24 *
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
28 * between.
29 *
30 * Also see the examples in the liburing library:
31 *
32 * git://git.kernel.dk/liburing
33 *
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
38 *
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
41 */
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <net/compat.h>
48 #include <linux/refcount.h>
49 #include <linux/uio.h>
50 #include <linux/bits.h>
51
52 #include <linux/sched/signal.h>
53 #include <linux/fs.h>
54 #include <linux/file.h>
55 #include <linux/fdtable.h>
56 #include <linux/mm.h>
57 #include <linux/mman.h>
58 #include <linux/percpu.h>
59 #include <linux/slab.h>
60 #include <linux/blk-mq.h>
61 #include <linux/bvec.h>
62 #include <linux/net.h>
63 #include <net/sock.h>
64 #include <net/af_unix.h>
65 #include <net/scm.h>
66 #include <linux/anon_inodes.h>
67 #include <linux/sched/mm.h>
68 #include <linux/uaccess.h>
69 #include <linux/nospec.h>
70 #include <linux/sizes.h>
71 #include <linux/hugetlb.h>
72 #include <linux/highmem.h>
73 #include <linux/namei.h>
74 #include <linux/fsnotify.h>
75 #include <linux/fadvise.h>
76 #include <linux/eventpoll.h>
77 #include <linux/splice.h>
78 #include <linux/task_work.h>
79 #include <linux/pagemap.h>
80 #include <linux/io_uring.h>
81 #include <linux/audit.h>
82 #include <linux/security.h>
83
84 #define CREATE_TRACE_POINTS
85 #include <trace/events/io_uring.h>
86
87 #include <uapi/linux/io_uring.h>
88
89 #include "../fs/internal.h"
90 #include "io-wq.h"
91
92 #define IORING_MAX_ENTRIES 32768
93 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
94 #define IORING_SQPOLL_CAP_ENTRIES_VALUE 8
95
96 /* only define max */
97 #define IORING_MAX_FIXED_FILES (1U << 15)
98 #define IORING_MAX_RESTRICTIONS (IORING_RESTRICTION_LAST + \
99 IORING_REGISTER_LAST + IORING_OP_LAST)
100
101 #define IO_RSRC_TAG_TABLE_SHIFT (PAGE_SHIFT - 3)
102 #define IO_RSRC_TAG_TABLE_MAX (1U << IO_RSRC_TAG_TABLE_SHIFT)
103 #define IO_RSRC_TAG_TABLE_MASK (IO_RSRC_TAG_TABLE_MAX - 1)
104
105 #define IORING_MAX_REG_BUFFERS (1U << 14)
106
107 #define SQE_COMMON_FLAGS (IOSQE_FIXED_FILE | IOSQE_IO_LINK | \
108 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
109
110 #define SQE_VALID_FLAGS (SQE_COMMON_FLAGS | IOSQE_BUFFER_SELECT | \
111 IOSQE_IO_DRAIN | IOSQE_CQE_SKIP_SUCCESS)
112
113 #define IO_REQ_CLEAN_FLAGS (REQ_F_BUFFER_SELECTED | REQ_F_NEED_CLEANUP | \
114 REQ_F_POLLED | REQ_F_INFLIGHT | REQ_F_CREDS | \
115 REQ_F_ASYNC_DATA)
116
117 #define IO_TCTX_REFS_CACHE_NR (1U << 10)
118
119 struct io_uring {
120 u32 head ____cacheline_aligned_in_smp;
121 u32 tail ____cacheline_aligned_in_smp;
122 };
123
124 /*
125 * This data is shared with the application through the mmap at offsets
126 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
127 *
128 * The offsets to the member fields are published through struct
129 * io_sqring_offsets when calling io_uring_setup.
130 */
131 struct io_rings {
132 /*
133 * Head and tail offsets into the ring; the offsets need to be
134 * masked to get valid indices.
135 *
136 * The kernel controls head of the sq ring and the tail of the cq ring,
137 * and the application controls tail of the sq ring and the head of the
138 * cq ring.
139 */
140 struct io_uring sq, cq;
141 /*
142 * Bitmasks to apply to head and tail offsets (constant, equals
143 * ring_entries - 1)
144 */
145 u32 sq_ring_mask, cq_ring_mask;
146 /* Ring sizes (constant, power of 2) */
147 u32 sq_ring_entries, cq_ring_entries;
148 /*
149 * Number of invalid entries dropped by the kernel due to
150 * invalid index stored in array
151 *
152 * Written by the kernel, shouldn't be modified by the
153 * application (i.e. get number of "new events" by comparing to
154 * cached value).
155 *
156 * After a new SQ head value was read by the application this
157 * counter includes all submissions that were dropped reaching
158 * the new SQ head (and possibly more).
159 */
160 u32 sq_dropped;
161 /*
162 * Runtime SQ flags
163 *
164 * Written by the kernel, shouldn't be modified by the
165 * application.
166 *
167 * The application needs a full memory barrier before checking
168 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
169 */
170 u32 sq_flags;
171 /*
172 * Runtime CQ flags
173 *
174 * Written by the application, shouldn't be modified by the
175 * kernel.
176 */
177 u32 cq_flags;
178 /*
179 * Number of completion events lost because the queue was full;
180 * this should be avoided by the application by making sure
181 * there are not more requests pending than there is space in
182 * the completion queue.
183 *
184 * Written by the kernel, shouldn't be modified by the
185 * application (i.e. get number of "new events" by comparing to
186 * cached value).
187 *
188 * As completion events come in out of order this counter is not
189 * ordered with any other data.
190 */
191 u32 cq_overflow;
192 /*
193 * Ring buffer of completion events.
194 *
195 * The kernel writes completion events fresh every time they are
196 * produced, so the application is allowed to modify pending
197 * entries.
198 */
199 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
200 };
201
202 enum io_uring_cmd_flags {
203 IO_URING_F_COMPLETE_DEFER = 1,
204 IO_URING_F_UNLOCKED = 2,
205 /* int's last bit, sign checks are usually faster than a bit test */
206 IO_URING_F_NONBLOCK = INT_MIN,
207 };
208
209 struct io_mapped_ubuf {
210 u64 ubuf;
211 u64 ubuf_end;
212 unsigned int nr_bvecs;
213 unsigned long acct_pages;
214 struct bio_vec bvec[];
215 };
216
217 struct io_ring_ctx;
218
219 struct io_overflow_cqe {
220 struct io_uring_cqe cqe;
221 struct list_head list;
222 };
223
224 struct io_fixed_file {
225 /* file * with additional FFS_* flags */
226 unsigned long file_ptr;
227 };
228
229 struct io_rsrc_put {
230 struct list_head list;
231 u64 tag;
232 union {
233 void *rsrc;
234 struct file *file;
235 struct io_mapped_ubuf *buf;
236 };
237 };
238
239 struct io_file_table {
240 struct io_fixed_file *files;
241 };
242
243 struct io_rsrc_node {
244 struct percpu_ref refs;
245 struct list_head node;
246 struct list_head rsrc_list;
247 struct io_rsrc_data *rsrc_data;
248 struct llist_node llist;
249 bool done;
250 };
251
252 typedef void (rsrc_put_fn)(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc);
253
254 struct io_rsrc_data {
255 struct io_ring_ctx *ctx;
256
257 u64 **tags;
258 unsigned int nr;
259 rsrc_put_fn *do_put;
260 atomic_t refs;
261 struct completion done;
262 bool quiesce;
263 };
264
265 struct io_buffer_list {
266 struct list_head list;
267 struct list_head buf_list;
268 __u16 bgid;
269 };
270
271 struct io_buffer {
272 struct list_head list;
273 __u64 addr;
274 __u32 len;
275 __u16 bid;
276 __u16 bgid;
277 };
278
279 struct io_restriction {
280 DECLARE_BITMAP(register_op, IORING_REGISTER_LAST);
281 DECLARE_BITMAP(sqe_op, IORING_OP_LAST);
282 u8 sqe_flags_allowed;
283 u8 sqe_flags_required;
284 bool registered;
285 };
286
287 enum {
288 IO_SQ_THREAD_SHOULD_STOP = 0,
289 IO_SQ_THREAD_SHOULD_PARK,
290 };
291
292 struct io_sq_data {
293 refcount_t refs;
294 atomic_t park_pending;
295 struct mutex lock;
296
297 /* ctx's that are using this sqd */
298 struct list_head ctx_list;
299
300 struct task_struct *thread;
301 struct wait_queue_head wait;
302
303 unsigned sq_thread_idle;
304 int sq_cpu;
305 pid_t task_pid;
306 pid_t task_tgid;
307
308 unsigned long state;
309 struct completion exited;
310 };
311
312 #define IO_COMPL_BATCH 32
313 #define IO_REQ_CACHE_SIZE 32
314 #define IO_REQ_ALLOC_BATCH 8
315
316 struct io_submit_link {
317 struct io_kiocb *head;
318 struct io_kiocb *last;
319 };
320
321 struct io_submit_state {
322 /* inline/task_work completion list, under ->uring_lock */
323 struct io_wq_work_node free_list;
324 /* batch completion logic */
325 struct io_wq_work_list compl_reqs;
326 struct io_submit_link link;
327
328 bool plug_started;
329 bool need_plug;
330 bool flush_cqes;
331 unsigned short submit_nr;
332 struct blk_plug plug;
333 };
334
335 struct io_ev_fd {
336 struct eventfd_ctx *cq_ev_fd;
337 unsigned int eventfd_async: 1;
338 struct rcu_head rcu;
339 };
340
341 #define IO_BUFFERS_HASH_BITS 5
342
343 struct io_ring_ctx {
344 /* const or read-mostly hot data */
345 struct {
346 struct percpu_ref refs;
347
348 struct io_rings *rings;
349 unsigned int flags;
350 unsigned int compat: 1;
351 unsigned int drain_next: 1;
352 unsigned int restricted: 1;
353 unsigned int off_timeout_used: 1;
354 unsigned int drain_active: 1;
355 unsigned int drain_disabled: 1;
356 unsigned int has_evfd: 1;
357 } ____cacheline_aligned_in_smp;
358
359 /* submission data */
360 struct {
361 struct mutex uring_lock;
362
363 /*
364 * Ring buffer of indices into array of io_uring_sqe, which is
365 * mmapped by the application using the IORING_OFF_SQES offset.
366 *
367 * This indirection could e.g. be used to assign fixed
368 * io_uring_sqe entries to operations and only submit them to
369 * the queue when needed.
370 *
371 * The kernel modifies neither the indices array nor the entries
372 * array.
373 */
374 u32 *sq_array;
375 struct io_uring_sqe *sq_sqes;
376 unsigned cached_sq_head;
377 unsigned sq_entries;
378 struct list_head defer_list;
379
380 /*
381 * Fixed resources fast path, should be accessed only under
382 * uring_lock, and updated through io_uring_register(2)
383 */
384 struct io_rsrc_node *rsrc_node;
385 int rsrc_cached_refs;
386 struct io_file_table file_table;
387 unsigned nr_user_files;
388 unsigned nr_user_bufs;
389 struct io_mapped_ubuf **user_bufs;
390
391 struct io_submit_state submit_state;
392 struct list_head timeout_list;
393 struct list_head ltimeout_list;
394 struct list_head cq_overflow_list;
395 struct list_head *io_buffers;
396 struct list_head io_buffers_cache;
397 struct list_head apoll_cache;
398 struct xarray personalities;
399 u32 pers_next;
400 unsigned sq_thread_idle;
401 } ____cacheline_aligned_in_smp;
402
403 /* IRQ completion list, under ->completion_lock */
404 struct io_wq_work_list locked_free_list;
405 unsigned int locked_free_nr;
406
407 const struct cred *sq_creds; /* cred used for __io_sq_thread() */
408 struct io_sq_data *sq_data; /* if using sq thread polling */
409
410 struct wait_queue_head sqo_sq_wait;
411 struct list_head sqd_list;
412
413 unsigned long check_cq_overflow;
414
415 struct {
416 unsigned cached_cq_tail;
417 unsigned cq_entries;
418 struct io_ev_fd __rcu *io_ev_fd;
419 struct wait_queue_head cq_wait;
420 unsigned cq_extra;
421 atomic_t cq_timeouts;
422 unsigned cq_last_tm_flush;
423 } ____cacheline_aligned_in_smp;
424
425 struct {
426 spinlock_t completion_lock;
427
428 spinlock_t timeout_lock;
429
430 /*
431 * ->iopoll_list is protected by the ctx->uring_lock for
432 * io_uring instances that don't use IORING_SETUP_SQPOLL.
433 * For SQPOLL, only the single threaded io_sq_thread() will
434 * manipulate the list, hence no extra locking is needed there.
435 */
436 struct io_wq_work_list iopoll_list;
437 struct hlist_head *cancel_hash;
438 unsigned cancel_hash_bits;
439 bool poll_multi_queue;
440
441 struct list_head io_buffers_comp;
442 } ____cacheline_aligned_in_smp;
443
444 struct io_restriction restrictions;
445
446 /* slow path rsrc auxilary data, used by update/register */
447 struct {
448 struct io_rsrc_node *rsrc_backup_node;
449 struct io_mapped_ubuf *dummy_ubuf;
450 struct io_rsrc_data *file_data;
451 struct io_rsrc_data *buf_data;
452
453 struct delayed_work rsrc_put_work;
454 struct llist_head rsrc_put_llist;
455 struct list_head rsrc_ref_list;
456 spinlock_t rsrc_ref_lock;
457
458 struct list_head io_buffers_pages;
459 };
460
461 /* Keep this last, we don't need it for the fast path */
462 struct {
463 #if defined(CONFIG_UNIX)
464 struct socket *ring_sock;
465 #endif
466 /* hashed buffered write serialization */
467 struct io_wq_hash *hash_map;
468
469 /* Only used for accounting purposes */
470 struct user_struct *user;
471 struct mm_struct *mm_account;
472
473 /* ctx exit and cancelation */
474 struct llist_head fallback_llist;
475 struct delayed_work fallback_work;
476 struct work_struct exit_work;
477 struct list_head tctx_list;
478 struct completion ref_comp;
479 u32 iowq_limits[2];
480 bool iowq_limits_set;
481 };
482 };
483
484 /*
485 * Arbitrary limit, can be raised if need be
486 */
487 #define IO_RINGFD_REG_MAX 16
488
489 struct io_uring_task {
490 /* submission side */
491 int cached_refs;
492 struct xarray xa;
493 struct wait_queue_head wait;
494 const struct io_ring_ctx *last;
495 struct io_wq *io_wq;
496 struct percpu_counter inflight;
497 atomic_t inflight_tracked;
498 atomic_t in_idle;
499
500 spinlock_t task_lock;
501 struct io_wq_work_list task_list;
502 struct io_wq_work_list prior_task_list;
503 struct callback_head task_work;
504 struct file **registered_rings;
505 bool task_running;
506 };
507
508 /*
509 * First field must be the file pointer in all the
510 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
511 */
512 struct io_poll_iocb {
513 struct file *file;
514 struct wait_queue_head *head;
515 __poll_t events;
516 struct wait_queue_entry wait;
517 };
518
519 struct io_poll_update {
520 struct file *file;
521 u64 old_user_data;
522 u64 new_user_data;
523 __poll_t events;
524 bool update_events;
525 bool update_user_data;
526 };
527
528 struct io_close {
529 struct file *file;
530 int fd;
531 u32 file_slot;
532 };
533
534 struct io_timeout_data {
535 struct io_kiocb *req;
536 struct hrtimer timer;
537 struct timespec64 ts;
538 enum hrtimer_mode mode;
539 u32 flags;
540 };
541
542 struct io_accept {
543 struct file *file;
544 struct sockaddr __user *addr;
545 int __user *addr_len;
546 int flags;
547 u32 file_slot;
548 unsigned long nofile;
549 };
550
551 struct io_sync {
552 struct file *file;
553 loff_t len;
554 loff_t off;
555 int flags;
556 int mode;
557 };
558
559 struct io_cancel {
560 struct file *file;
561 u64 addr;
562 };
563
564 struct io_timeout {
565 struct file *file;
566 u32 off;
567 u32 target_seq;
568 struct list_head list;
569 /* head of the link, used by linked timeouts only */
570 struct io_kiocb *head;
571 /* for linked completions */
572 struct io_kiocb *prev;
573 };
574
575 struct io_timeout_rem {
576 struct file *file;
577 u64 addr;
578
579 /* timeout update */
580 struct timespec64 ts;
581 u32 flags;
582 bool ltimeout;
583 };
584
585 struct io_rw {
586 /* NOTE: kiocb has the file as the first member, so don't do it here */
587 struct kiocb kiocb;
588 u64 addr;
589 u32 len;
590 u32 flags;
591 };
592
593 struct io_connect {
594 struct file *file;
595 struct sockaddr __user *addr;
596 int addr_len;
597 };
598
599 struct io_sr_msg {
600 struct file *file;
601 union {
602 struct compat_msghdr __user *umsg_compat;
603 struct user_msghdr __user *umsg;
604 void __user *buf;
605 };
606 int msg_flags;
607 int bgid;
608 size_t len;
609 size_t done_io;
610 };
611
612 struct io_open {
613 struct file *file;
614 int dfd;
615 u32 file_slot;
616 struct filename *filename;
617 struct open_how how;
618 unsigned long nofile;
619 };
620
621 struct io_rsrc_update {
622 struct file *file;
623 u64 arg;
624 u32 nr_args;
625 u32 offset;
626 };
627
628 struct io_fadvise {
629 struct file *file;
630 u64 offset;
631 u32 len;
632 u32 advice;
633 };
634
635 struct io_madvise {
636 struct file *file;
637 u64 addr;
638 u32 len;
639 u32 advice;
640 };
641
642 struct io_epoll {
643 struct file *file;
644 int epfd;
645 int op;
646 int fd;
647 struct epoll_event event;
648 };
649
650 struct io_splice {
651 struct file *file_out;
652 loff_t off_out;
653 loff_t off_in;
654 u64 len;
655 int splice_fd_in;
656 unsigned int flags;
657 };
658
659 struct io_provide_buf {
660 struct file *file;
661 __u64 addr;
662 __u32 len;
663 __u32 bgid;
664 __u16 nbufs;
665 __u16 bid;
666 };
667
668 struct io_statx {
669 struct file *file;
670 int dfd;
671 unsigned int mask;
672 unsigned int flags;
673 struct filename *filename;
674 struct statx __user *buffer;
675 };
676
677 struct io_shutdown {
678 struct file *file;
679 int how;
680 };
681
682 struct io_rename {
683 struct file *file;
684 int old_dfd;
685 int new_dfd;
686 struct filename *oldpath;
687 struct filename *newpath;
688 int flags;
689 };
690
691 struct io_unlink {
692 struct file *file;
693 int dfd;
694 int flags;
695 struct filename *filename;
696 };
697
698 struct io_mkdir {
699 struct file *file;
700 int dfd;
701 umode_t mode;
702 struct filename *filename;
703 };
704
705 struct io_symlink {
706 struct file *file;
707 int new_dfd;
708 struct filename *oldpath;
709 struct filename *newpath;
710 };
711
712 struct io_hardlink {
713 struct file *file;
714 int old_dfd;
715 int new_dfd;
716 struct filename *oldpath;
717 struct filename *newpath;
718 int flags;
719 };
720
721 struct io_msg {
722 struct file *file;
723 u64 user_data;
724 u32 len;
725 };
726
727 struct io_async_connect {
728 struct sockaddr_storage address;
729 };
730
731 struct io_async_msghdr {
732 struct iovec fast_iov[UIO_FASTIOV];
733 /* points to an allocated iov, if NULL we use fast_iov instead */
734 struct iovec *free_iov;
735 struct sockaddr __user *uaddr;
736 struct msghdr msg;
737 struct sockaddr_storage addr;
738 };
739
740 struct io_rw_state {
741 struct iov_iter iter;
742 struct iov_iter_state iter_state;
743 struct iovec fast_iov[UIO_FASTIOV];
744 };
745
746 struct io_async_rw {
747 struct io_rw_state s;
748 const struct iovec *free_iovec;
749 size_t bytes_done;
750 struct wait_page_queue wpq;
751 };
752
753 enum {
754 REQ_F_FIXED_FILE_BIT = IOSQE_FIXED_FILE_BIT,
755 REQ_F_IO_DRAIN_BIT = IOSQE_IO_DRAIN_BIT,
756 REQ_F_LINK_BIT = IOSQE_IO_LINK_BIT,
757 REQ_F_HARDLINK_BIT = IOSQE_IO_HARDLINK_BIT,
758 REQ_F_FORCE_ASYNC_BIT = IOSQE_ASYNC_BIT,
759 REQ_F_BUFFER_SELECT_BIT = IOSQE_BUFFER_SELECT_BIT,
760 REQ_F_CQE_SKIP_BIT = IOSQE_CQE_SKIP_SUCCESS_BIT,
761
762 /* first byte is taken by user flags, shift it to not overlap */
763 REQ_F_FAIL_BIT = 8,
764 REQ_F_INFLIGHT_BIT,
765 REQ_F_CUR_POS_BIT,
766 REQ_F_NOWAIT_BIT,
767 REQ_F_LINK_TIMEOUT_BIT,
768 REQ_F_NEED_CLEANUP_BIT,
769 REQ_F_POLLED_BIT,
770 REQ_F_BUFFER_SELECTED_BIT,
771 REQ_F_COMPLETE_INLINE_BIT,
772 REQ_F_REISSUE_BIT,
773 REQ_F_CREDS_BIT,
774 REQ_F_REFCOUNT_BIT,
775 REQ_F_ARM_LTIMEOUT_BIT,
776 REQ_F_ASYNC_DATA_BIT,
777 REQ_F_SKIP_LINK_CQES_BIT,
778 REQ_F_SINGLE_POLL_BIT,
779 REQ_F_DOUBLE_POLL_BIT,
780 REQ_F_PARTIAL_IO_BIT,
781 /* keep async read/write and isreg together and in order */
782 REQ_F_SUPPORT_NOWAIT_BIT,
783 REQ_F_ISREG_BIT,
784
785 /* not a real bit, just to check we're not overflowing the space */
786 __REQ_F_LAST_BIT,
787 };
788
789 enum {
790 /* ctx owns file */
791 REQ_F_FIXED_FILE = BIT(REQ_F_FIXED_FILE_BIT),
792 /* drain existing IO first */
793 REQ_F_IO_DRAIN = BIT(REQ_F_IO_DRAIN_BIT),
794 /* linked sqes */
795 REQ_F_LINK = BIT(REQ_F_LINK_BIT),
796 /* doesn't sever on completion < 0 */
797 REQ_F_HARDLINK = BIT(REQ_F_HARDLINK_BIT),
798 /* IOSQE_ASYNC */
799 REQ_F_FORCE_ASYNC = BIT(REQ_F_FORCE_ASYNC_BIT),
800 /* IOSQE_BUFFER_SELECT */
801 REQ_F_BUFFER_SELECT = BIT(REQ_F_BUFFER_SELECT_BIT),
802 /* IOSQE_CQE_SKIP_SUCCESS */
803 REQ_F_CQE_SKIP = BIT(REQ_F_CQE_SKIP_BIT),
804
805 /* fail rest of links */
806 REQ_F_FAIL = BIT(REQ_F_FAIL_BIT),
807 /* on inflight list, should be cancelled and waited on exit reliably */
808 REQ_F_INFLIGHT = BIT(REQ_F_INFLIGHT_BIT),
809 /* read/write uses file position */
810 REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
811 /* must not punt to workers */
812 REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
813 /* has or had linked timeout */
814 REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
815 /* needs cleanup */
816 REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
817 /* already went through poll handler */
818 REQ_F_POLLED = BIT(REQ_F_POLLED_BIT),
819 /* buffer already selected */
820 REQ_F_BUFFER_SELECTED = BIT(REQ_F_BUFFER_SELECTED_BIT),
821 /* completion is deferred through io_comp_state */
822 REQ_F_COMPLETE_INLINE = BIT(REQ_F_COMPLETE_INLINE_BIT),
823 /* caller should reissue async */
824 REQ_F_REISSUE = BIT(REQ_F_REISSUE_BIT),
825 /* supports async reads/writes */
826 REQ_F_SUPPORT_NOWAIT = BIT(REQ_F_SUPPORT_NOWAIT_BIT),
827 /* regular file */
828 REQ_F_ISREG = BIT(REQ_F_ISREG_BIT),
829 /* has creds assigned */
830 REQ_F_CREDS = BIT(REQ_F_CREDS_BIT),
831 /* skip refcounting if not set */
832 REQ_F_REFCOUNT = BIT(REQ_F_REFCOUNT_BIT),
833 /* there is a linked timeout that has to be armed */
834 REQ_F_ARM_LTIMEOUT = BIT(REQ_F_ARM_LTIMEOUT_BIT),
835 /* ->async_data allocated */
836 REQ_F_ASYNC_DATA = BIT(REQ_F_ASYNC_DATA_BIT),
837 /* don't post CQEs while failing linked requests */
838 REQ_F_SKIP_LINK_CQES = BIT(REQ_F_SKIP_LINK_CQES_BIT),
839 /* single poll may be active */
840 REQ_F_SINGLE_POLL = BIT(REQ_F_SINGLE_POLL_BIT),
841 /* double poll may active */
842 REQ_F_DOUBLE_POLL = BIT(REQ_F_DOUBLE_POLL_BIT),
843 /* request has already done partial IO */
844 REQ_F_PARTIAL_IO = BIT(REQ_F_PARTIAL_IO_BIT),
845 };
846
847 struct async_poll {
848 struct io_poll_iocb poll;
849 struct io_poll_iocb *double_poll;
850 };
851
852 typedef void (*io_req_tw_func_t)(struct io_kiocb *req, bool *locked);
853
854 struct io_task_work {
855 union {
856 struct io_wq_work_node node;
857 struct llist_node fallback_node;
858 };
859 io_req_tw_func_t func;
860 };
861
862 enum {
863 IORING_RSRC_FILE = 0,
864 IORING_RSRC_BUFFER = 1,
865 };
866
867 /*
868 * NOTE! Each of the iocb union members has the file pointer
869 * as the first entry in their struct definition. So you can
870 * access the file pointer through any of the sub-structs,
871 * or directly as just 'file' in this struct.
872 */
873 struct io_kiocb {
874 union {
875 struct file *file;
876 struct io_rw rw;
877 struct io_poll_iocb poll;
878 struct io_poll_update poll_update;
879 struct io_accept accept;
880 struct io_sync sync;
881 struct io_cancel cancel;
882 struct io_timeout timeout;
883 struct io_timeout_rem timeout_rem;
884 struct io_connect connect;
885 struct io_sr_msg sr_msg;
886 struct io_open open;
887 struct io_close close;
888 struct io_rsrc_update rsrc_update;
889 struct io_fadvise fadvise;
890 struct io_madvise madvise;
891 struct io_epoll epoll;
892 struct io_splice splice;
893 struct io_provide_buf pbuf;
894 struct io_statx statx;
895 struct io_shutdown shutdown;
896 struct io_rename rename;
897 struct io_unlink unlink;
898 struct io_mkdir mkdir;
899 struct io_symlink symlink;
900 struct io_hardlink hardlink;
901 struct io_msg msg;
902 };
903
904 u8 opcode;
905 /* polled IO has completed */
906 u8 iopoll_completed;
907 u16 buf_index;
908 unsigned int flags;
909
910 u64 user_data;
911 u32 result;
912 /* fd initially, then cflags for completion */
913 union {
914 u32 cflags;
915 int fd;
916 };
917
918 struct io_ring_ctx *ctx;
919 struct task_struct *task;
920
921 struct percpu_ref *fixed_rsrc_refs;
922 /* store used ubuf, so we can prevent reloading */
923 struct io_mapped_ubuf *imu;
924
925 union {
926 /* used by request caches, completion batching and iopoll */
927 struct io_wq_work_node comp_list;
928 /* cache ->apoll->events */
929 __poll_t apoll_events;
930 };
931 atomic_t refs;
932 atomic_t poll_refs;
933 struct io_task_work io_task_work;
934 /* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */
935 struct hlist_node hash_node;
936 /* internal polling, see IORING_FEAT_FAST_POLL */
937 struct async_poll *apoll;
938 /* opcode allocated if it needs to store data for async defer */
939 void *async_data;
940 /* stores selected buf, valid IFF REQ_F_BUFFER_SELECTED is set */
941 struct io_buffer *kbuf;
942 /* linked requests, IFF REQ_F_HARDLINK or REQ_F_LINK are set */
943 struct io_kiocb *link;
944 /* custom credentials, valid IFF REQ_F_CREDS is set */
945 const struct cred *creds;
946 struct io_wq_work work;
947 };
948
949 struct io_tctx_node {
950 struct list_head ctx_node;
951 struct task_struct *task;
952 struct io_ring_ctx *ctx;
953 };
954
955 struct io_defer_entry {
956 struct list_head list;
957 struct io_kiocb *req;
958 u32 seq;
959 };
960
961 struct io_op_def {
962 /* needs req->file assigned */
963 unsigned needs_file : 1;
964 /* should block plug */
965 unsigned plug : 1;
966 /* hash wq insertion if file is a regular file */
967 unsigned hash_reg_file : 1;
968 /* unbound wq insertion if file is a non-regular file */
969 unsigned unbound_nonreg_file : 1;
970 /* set if opcode supports polled "wait" */
971 unsigned pollin : 1;
972 unsigned pollout : 1;
973 unsigned poll_exclusive : 1;
974 /* op supports buffer selection */
975 unsigned buffer_select : 1;
976 /* do prep async if is going to be punted */
977 unsigned needs_async_setup : 1;
978 /* opcode is not supported by this kernel */
979 unsigned not_supported : 1;
980 /* skip auditing */
981 unsigned audit_skip : 1;
982 /* size of async data needed, if any */
983 unsigned short async_size;
984 };
985
986 static const struct io_op_def io_op_defs[] = {
987 [IORING_OP_NOP] = {},
988 [IORING_OP_READV] = {
989 .needs_file = 1,
990 .unbound_nonreg_file = 1,
991 .pollin = 1,
992 .buffer_select = 1,
993 .needs_async_setup = 1,
994 .plug = 1,
995 .audit_skip = 1,
996 .async_size = sizeof(struct io_async_rw),
997 },
998 [IORING_OP_WRITEV] = {
999 .needs_file = 1,
1000 .hash_reg_file = 1,
1001 .unbound_nonreg_file = 1,
1002 .pollout = 1,
1003 .needs_async_setup = 1,
1004 .plug = 1,
1005 .audit_skip = 1,
1006 .async_size = sizeof(struct io_async_rw),
1007 },
1008 [IORING_OP_FSYNC] = {
1009 .needs_file = 1,
1010 .audit_skip = 1,
1011 },
1012 [IORING_OP_READ_FIXED] = {
1013 .needs_file = 1,
1014 .unbound_nonreg_file = 1,
1015 .pollin = 1,
1016 .plug = 1,
1017 .audit_skip = 1,
1018 .async_size = sizeof(struct io_async_rw),
1019 },
1020 [IORING_OP_WRITE_FIXED] = {
1021 .needs_file = 1,
1022 .hash_reg_file = 1,
1023 .unbound_nonreg_file = 1,
1024 .pollout = 1,
1025 .plug = 1,
1026 .audit_skip = 1,
1027 .async_size = sizeof(struct io_async_rw),
1028 },
1029 [IORING_OP_POLL_ADD] = {
1030 .needs_file = 1,
1031 .unbound_nonreg_file = 1,
1032 .audit_skip = 1,
1033 },
1034 [IORING_OP_POLL_REMOVE] = {
1035 .audit_skip = 1,
1036 },
1037 [IORING_OP_SYNC_FILE_RANGE] = {
1038 .needs_file = 1,
1039 .audit_skip = 1,
1040 },
1041 [IORING_OP_SENDMSG] = {
1042 .needs_file = 1,
1043 .unbound_nonreg_file = 1,
1044 .pollout = 1,
1045 .needs_async_setup = 1,
1046 .async_size = sizeof(struct io_async_msghdr),
1047 },
1048 [IORING_OP_RECVMSG] = {
1049 .needs_file = 1,
1050 .unbound_nonreg_file = 1,
1051 .pollin = 1,
1052 .buffer_select = 1,
1053 .needs_async_setup = 1,
1054 .async_size = sizeof(struct io_async_msghdr),
1055 },
1056 [IORING_OP_TIMEOUT] = {
1057 .audit_skip = 1,
1058 .async_size = sizeof(struct io_timeout_data),
1059 },
1060 [IORING_OP_TIMEOUT_REMOVE] = {
1061 /* used by timeout updates' prep() */
1062 .audit_skip = 1,
1063 },
1064 [IORING_OP_ACCEPT] = {
1065 .needs_file = 1,
1066 .unbound_nonreg_file = 1,
1067 .pollin = 1,
1068 .poll_exclusive = 1,
1069 },
1070 [IORING_OP_ASYNC_CANCEL] = {
1071 .audit_skip = 1,
1072 },
1073 [IORING_OP_LINK_TIMEOUT] = {
1074 .audit_skip = 1,
1075 .async_size = sizeof(struct io_timeout_data),
1076 },
1077 [IORING_OP_CONNECT] = {
1078 .needs_file = 1,
1079 .unbound_nonreg_file = 1,
1080 .pollout = 1,
1081 .needs_async_setup = 1,
1082 .async_size = sizeof(struct io_async_connect),
1083 },
1084 [IORING_OP_FALLOCATE] = {
1085 .needs_file = 1,
1086 },
1087 [IORING_OP_OPENAT] = {},
1088 [IORING_OP_CLOSE] = {},
1089 [IORING_OP_FILES_UPDATE] = {
1090 .audit_skip = 1,
1091 },
1092 [IORING_OP_STATX] = {
1093 .audit_skip = 1,
1094 },
1095 [IORING_OP_READ] = {
1096 .needs_file = 1,
1097 .unbound_nonreg_file = 1,
1098 .pollin = 1,
1099 .buffer_select = 1,
1100 .plug = 1,
1101 .audit_skip = 1,
1102 .async_size = sizeof(struct io_async_rw),
1103 },
1104 [IORING_OP_WRITE] = {
1105 .needs_file = 1,
1106 .hash_reg_file = 1,
1107 .unbound_nonreg_file = 1,
1108 .pollout = 1,
1109 .plug = 1,
1110 .audit_skip = 1,
1111 .async_size = sizeof(struct io_async_rw),
1112 },
1113 [IORING_OP_FADVISE] = {
1114 .needs_file = 1,
1115 .audit_skip = 1,
1116 },
1117 [IORING_OP_MADVISE] = {},
1118 [IORING_OP_SEND] = {
1119 .needs_file = 1,
1120 .unbound_nonreg_file = 1,
1121 .pollout = 1,
1122 .audit_skip = 1,
1123 },
1124 [IORING_OP_RECV] = {
1125 .needs_file = 1,
1126 .unbound_nonreg_file = 1,
1127 .pollin = 1,
1128 .buffer_select = 1,
1129 .audit_skip = 1,
1130 },
1131 [IORING_OP_OPENAT2] = {
1132 },
1133 [IORING_OP_EPOLL_CTL] = {
1134 .unbound_nonreg_file = 1,
1135 .audit_skip = 1,
1136 },
1137 [IORING_OP_SPLICE] = {
1138 .needs_file = 1,
1139 .hash_reg_file = 1,
1140 .unbound_nonreg_file = 1,
1141 .audit_skip = 1,
1142 },
1143 [IORING_OP_PROVIDE_BUFFERS] = {
1144 .audit_skip = 1,
1145 },
1146 [IORING_OP_REMOVE_BUFFERS] = {
1147 .audit_skip = 1,
1148 },
1149 [IORING_OP_TEE] = {
1150 .needs_file = 1,
1151 .hash_reg_file = 1,
1152 .unbound_nonreg_file = 1,
1153 .audit_skip = 1,
1154 },
1155 [IORING_OP_SHUTDOWN] = {
1156 .needs_file = 1,
1157 },
1158 [IORING_OP_RENAMEAT] = {},
1159 [IORING_OP_UNLINKAT] = {},
1160 [IORING_OP_MKDIRAT] = {},
1161 [IORING_OP_SYMLINKAT] = {},
1162 [IORING_OP_LINKAT] = {},
1163 [IORING_OP_MSG_RING] = {
1164 .needs_file = 1,
1165 },
1166 };
1167
1168 /* requests with any of those set should undergo io_disarm_next() */
1169 #define IO_DISARM_MASK (REQ_F_ARM_LTIMEOUT | REQ_F_LINK_TIMEOUT | REQ_F_FAIL)
1170
1171 static bool io_disarm_next(struct io_kiocb *req);
1172 static void io_uring_del_tctx_node(unsigned long index);
1173 static void io_uring_try_cancel_requests(struct io_ring_ctx *ctx,
1174 struct task_struct *task,
1175 bool cancel_all);
1176 static void io_uring_cancel_generic(bool cancel_all, struct io_sq_data *sqd);
1177
1178 static void io_fill_cqe_req(struct io_kiocb *req, s32 res, u32 cflags);
1179
1180 static void io_put_req(struct io_kiocb *req);
1181 static void io_put_req_deferred(struct io_kiocb *req);
1182 static void io_dismantle_req(struct io_kiocb *req);
1183 static void io_queue_linked_timeout(struct io_kiocb *req);
1184 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
1185 struct io_uring_rsrc_update2 *up,
1186 unsigned nr_args);
1187 static void io_clean_op(struct io_kiocb *req);
1188 static inline struct file *io_file_get_fixed(struct io_kiocb *req, int fd,
1189 unsigned issue_flags);
1190 static inline struct file *io_file_get_normal(struct io_kiocb *req, int fd);
1191 static void __io_queue_sqe(struct io_kiocb *req);
1192 static void io_rsrc_put_work(struct work_struct *work);
1193
1194 static void io_req_task_queue(struct io_kiocb *req);
1195 static void __io_submit_flush_completions(struct io_ring_ctx *ctx);
1196 static int io_req_prep_async(struct io_kiocb *req);
1197
1198 static int io_install_fixed_file(struct io_kiocb *req, struct file *file,
1199 unsigned int issue_flags, u32 slot_index);
1200 static int io_close_fixed(struct io_kiocb *req, unsigned int issue_flags);
1201
1202 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer);
1203 static void io_eventfd_signal(struct io_ring_ctx *ctx);
1204
1205 static struct kmem_cache *req_cachep;
1206
1207 static const struct file_operations io_uring_fops;
1208
1209 struct sock *io_uring_get_socket(struct file *file)
1210 {
1211 #if defined(CONFIG_UNIX)
1212 if (file->f_op == &io_uring_fops) {
1213 struct io_ring_ctx *ctx = file->private_data;
1214
1215 return ctx->ring_sock->sk;
1216 }
1217 #endif
1218 return NULL;
1219 }
1220 EXPORT_SYMBOL(io_uring_get_socket);
1221
1222 static inline void io_tw_lock(struct io_ring_ctx *ctx, bool *locked)
1223 {
1224 if (!*locked) {
1225 mutex_lock(&ctx->uring_lock);
1226 *locked = true;
1227 }
1228 }
1229
1230 #define io_for_each_link(pos, head) \
1231 for (pos = (head); pos; pos = pos->link)
1232
1233 /*
1234 * Shamelessly stolen from the mm implementation of page reference checking,
1235 * see commit f958d7b528b1 for details.
1236 */
1237 #define req_ref_zero_or_close_to_overflow(req) \
1238 ((unsigned int) atomic_read(&(req->refs)) + 127u <= 127u)
1239
1240 static inline bool req_ref_inc_not_zero(struct io_kiocb *req)
1241 {
1242 WARN_ON_ONCE(!(req->flags & REQ_F_REFCOUNT));
1243 return atomic_inc_not_zero(&req->refs);
1244 }
1245
1246 static inline bool req_ref_put_and_test(struct io_kiocb *req)
1247 {
1248 if (likely(!(req->flags & REQ_F_REFCOUNT)))
1249 return true;
1250
1251 WARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));
1252 return atomic_dec_and_test(&req->refs);
1253 }
1254
1255 static inline void req_ref_get(struct io_kiocb *req)
1256 {
1257 WARN_ON_ONCE(!(req->flags & REQ_F_REFCOUNT));
1258 WARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));
1259 atomic_inc(&req->refs);
1260 }
1261
1262 static inline void io_submit_flush_completions(struct io_ring_ctx *ctx)
1263 {
1264 if (!wq_list_empty(&ctx->submit_state.compl_reqs))
1265 __io_submit_flush_completions(ctx);
1266 }
1267
1268 static inline void __io_req_set_refcount(struct io_kiocb *req, int nr)
1269 {
1270 if (!(req->flags & REQ_F_REFCOUNT)) {
1271 req->flags |= REQ_F_REFCOUNT;
1272 atomic_set(&req->refs, nr);
1273 }
1274 }
1275
1276 static inline void io_req_set_refcount(struct io_kiocb *req)
1277 {
1278 __io_req_set_refcount(req, 1);
1279 }
1280
1281 #define IO_RSRC_REF_BATCH 100
1282
1283 static inline void io_req_put_rsrc_locked(struct io_kiocb *req,
1284 struct io_ring_ctx *ctx)
1285 __must_hold(&ctx->uring_lock)
1286 {
1287 struct percpu_ref *ref = req->fixed_rsrc_refs;
1288
1289 if (ref) {
1290 if (ref == &ctx->rsrc_node->refs)
1291 ctx->rsrc_cached_refs++;
1292 else
1293 percpu_ref_put(ref);
1294 }
1295 }
1296
1297 static inline void io_req_put_rsrc(struct io_kiocb *req, struct io_ring_ctx *ctx)
1298 {
1299 if (req->fixed_rsrc_refs)
1300 percpu_ref_put(req->fixed_rsrc_refs);
1301 }
1302
1303 static __cold void io_rsrc_refs_drop(struct io_ring_ctx *ctx)
1304 __must_hold(&ctx->uring_lock)
1305 {
1306 if (ctx->rsrc_cached_refs) {
1307 percpu_ref_put_many(&ctx->rsrc_node->refs, ctx->rsrc_cached_refs);
1308 ctx->rsrc_cached_refs = 0;
1309 }
1310 }
1311
1312 static void io_rsrc_refs_refill(struct io_ring_ctx *ctx)
1313 __must_hold(&ctx->uring_lock)
1314 {
1315 ctx->rsrc_cached_refs += IO_RSRC_REF_BATCH;
1316 percpu_ref_get_many(&ctx->rsrc_node->refs, IO_RSRC_REF_BATCH);
1317 }
1318
1319 static inline void io_req_set_rsrc_node(struct io_kiocb *req,
1320 struct io_ring_ctx *ctx,
1321 unsigned int issue_flags)
1322 {
1323 if (!req->fixed_rsrc_refs) {
1324 req->fixed_rsrc_refs = &ctx->rsrc_node->refs;
1325
1326 if (!(issue_flags & IO_URING_F_UNLOCKED)) {
1327 lockdep_assert_held(&ctx->uring_lock);
1328 ctx->rsrc_cached_refs--;
1329 if (unlikely(ctx->rsrc_cached_refs < 0))
1330 io_rsrc_refs_refill(ctx);
1331 } else {
1332 percpu_ref_get(req->fixed_rsrc_refs);
1333 }
1334 }
1335 }
1336
1337 static unsigned int __io_put_kbuf(struct io_kiocb *req, struct list_head *list)
1338 {
1339 struct io_buffer *kbuf = req->kbuf;
1340 unsigned int cflags;
1341
1342 cflags = IORING_CQE_F_BUFFER | (kbuf->bid << IORING_CQE_BUFFER_SHIFT);
1343 req->flags &= ~REQ_F_BUFFER_SELECTED;
1344 list_add(&kbuf->list, list);
1345 req->kbuf = NULL;
1346 return cflags;
1347 }
1348
1349 static inline unsigned int io_put_kbuf_comp(struct io_kiocb *req)
1350 {
1351 lockdep_assert_held(&req->ctx->completion_lock);
1352
1353 if (likely(!(req->flags & REQ_F_BUFFER_SELECTED)))
1354 return 0;
1355 return __io_put_kbuf(req, &req->ctx->io_buffers_comp);
1356 }
1357
1358 static inline unsigned int io_put_kbuf(struct io_kiocb *req,
1359 unsigned issue_flags)
1360 {
1361 unsigned int cflags;
1362
1363 if (likely(!(req->flags & REQ_F_BUFFER_SELECTED)))
1364 return 0;
1365
1366 /*
1367 * We can add this buffer back to two lists:
1368 *
1369 * 1) The io_buffers_cache list. This one is protected by the
1370 * ctx->uring_lock. If we already hold this lock, add back to this
1371 * list as we can grab it from issue as well.
1372 * 2) The io_buffers_comp list. This one is protected by the
1373 * ctx->completion_lock.
1374 *
1375 * We migrate buffers from the comp_list to the issue cache list
1376 * when we need one.
1377 */
1378 if (issue_flags & IO_URING_F_UNLOCKED) {
1379 struct io_ring_ctx *ctx = req->ctx;
1380
1381 spin_lock(&ctx->completion_lock);
1382 cflags = __io_put_kbuf(req, &ctx->io_buffers_comp);
1383 spin_unlock(&ctx->completion_lock);
1384 } else {
1385 lockdep_assert_held(&req->ctx->uring_lock);
1386
1387 cflags = __io_put_kbuf(req, &req->ctx->io_buffers_cache);
1388 }
1389
1390 return cflags;
1391 }
1392
1393 static struct io_buffer_list *io_buffer_get_list(struct io_ring_ctx *ctx,
1394 unsigned int bgid)
1395 {
1396 struct list_head *hash_list;
1397 struct io_buffer_list *bl;
1398
1399 hash_list = &ctx->io_buffers[hash_32(bgid, IO_BUFFERS_HASH_BITS)];
1400 list_for_each_entry(bl, hash_list, list)
1401 if (bl->bgid == bgid || bgid == -1U)
1402 return bl;
1403
1404 return NULL;
1405 }
1406
1407 static void io_kbuf_recycle(struct io_kiocb *req, unsigned issue_flags)
1408 {
1409 struct io_ring_ctx *ctx = req->ctx;
1410 struct io_buffer_list *bl;
1411 struct io_buffer *buf;
1412
1413 if (likely(!(req->flags & REQ_F_BUFFER_SELECTED)))
1414 return;
1415 /* don't recycle if we already did IO to this buffer */
1416 if (req->flags & REQ_F_PARTIAL_IO)
1417 return;
1418
1419 if (issue_flags & IO_URING_F_UNLOCKED)
1420 mutex_lock(&ctx->uring_lock);
1421
1422 lockdep_assert_held(&ctx->uring_lock);
1423
1424 buf = req->kbuf;
1425 bl = io_buffer_get_list(ctx, buf->bgid);
1426 list_add(&buf->list, &bl->buf_list);
1427 req->flags &= ~REQ_F_BUFFER_SELECTED;
1428 req->kbuf = NULL;
1429
1430 if (issue_flags & IO_URING_F_UNLOCKED)
1431 mutex_unlock(&ctx->uring_lock);
1432 }
1433
1434 static bool io_match_task(struct io_kiocb *head, struct task_struct *task,
1435 bool cancel_all)
1436 __must_hold(&req->ctx->timeout_lock)
1437 {
1438 struct io_kiocb *req;
1439
1440 if (task && head->task != task)
1441 return false;
1442 if (cancel_all)
1443 return true;
1444
1445 io_for_each_link(req, head) {
1446 if (req->flags & REQ_F_INFLIGHT)
1447 return true;
1448 }
1449 return false;
1450 }
1451
1452 static bool io_match_linked(struct io_kiocb *head)
1453 {
1454 struct io_kiocb *req;
1455
1456 io_for_each_link(req, head) {
1457 if (req->flags & REQ_F_INFLIGHT)
1458 return true;
1459 }
1460 return false;
1461 }
1462
1463 /*
1464 * As io_match_task() but protected against racing with linked timeouts.
1465 * User must not hold timeout_lock.
1466 */
1467 static bool io_match_task_safe(struct io_kiocb *head, struct task_struct *task,
1468 bool cancel_all)
1469 {
1470 bool matched;
1471
1472 if (task && head->task != task)
1473 return false;
1474 if (cancel_all)
1475 return true;
1476
1477 if (head->flags & REQ_F_LINK_TIMEOUT) {
1478 struct io_ring_ctx *ctx = head->ctx;
1479
1480 /* protect against races with linked timeouts */
1481 spin_lock_irq(&ctx->timeout_lock);
1482 matched = io_match_linked(head);
1483 spin_unlock_irq(&ctx->timeout_lock);
1484 } else {
1485 matched = io_match_linked(head);
1486 }
1487 return matched;
1488 }
1489
1490 static inline bool req_has_async_data(struct io_kiocb *req)
1491 {
1492 return req->flags & REQ_F_ASYNC_DATA;
1493 }
1494
1495 static inline void req_set_fail(struct io_kiocb *req)
1496 {
1497 req->flags |= REQ_F_FAIL;
1498 if (req->flags & REQ_F_CQE_SKIP) {
1499 req->flags &= ~REQ_F_CQE_SKIP;
1500 req->flags |= REQ_F_SKIP_LINK_CQES;
1501 }
1502 }
1503
1504 static inline void req_fail_link_node(struct io_kiocb *req, int res)
1505 {
1506 req_set_fail(req);
1507 req->result = res;
1508 }
1509
1510 static __cold void io_ring_ctx_ref_free(struct percpu_ref *ref)
1511 {
1512 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
1513
1514 complete(&ctx->ref_comp);
1515 }
1516
1517 static inline bool io_is_timeout_noseq(struct io_kiocb *req)
1518 {
1519 return !req->timeout.off;
1520 }
1521
1522 static __cold void io_fallback_req_func(struct work_struct *work)
1523 {
1524 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,
1525 fallback_work.work);
1526 struct llist_node *node = llist_del_all(&ctx->fallback_llist);
1527 struct io_kiocb *req, *tmp;
1528 bool locked = false;
1529
1530 percpu_ref_get(&ctx->refs);
1531 llist_for_each_entry_safe(req, tmp, node, io_task_work.fallback_node)
1532 req->io_task_work.func(req, &locked);
1533
1534 if (locked) {
1535 io_submit_flush_completions(ctx);
1536 mutex_unlock(&ctx->uring_lock);
1537 }
1538 percpu_ref_put(&ctx->refs);
1539 }
1540
1541 static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
1542 {
1543 struct io_ring_ctx *ctx;
1544 int i, hash_bits;
1545
1546 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1547 if (!ctx)
1548 return NULL;
1549
1550 /*
1551 * Use 5 bits less than the max cq entries, that should give us around
1552 * 32 entries per hash list if totally full and uniformly spread.
1553 */
1554 hash_bits = ilog2(p->cq_entries);
1555 hash_bits -= 5;
1556 if (hash_bits <= 0)
1557 hash_bits = 1;
1558 ctx->cancel_hash_bits = hash_bits;
1559 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
1560 GFP_KERNEL);
1561 if (!ctx->cancel_hash)
1562 goto err;
1563 __hash_init(ctx->cancel_hash, 1U << hash_bits);
1564
1565 ctx->dummy_ubuf = kzalloc(sizeof(*ctx->dummy_ubuf), GFP_KERNEL);
1566 if (!ctx->dummy_ubuf)
1567 goto err;
1568 /* set invalid range, so io_import_fixed() fails meeting it */
1569 ctx->dummy_ubuf->ubuf = -1UL;
1570
1571 ctx->io_buffers = kcalloc(1U << IO_BUFFERS_HASH_BITS,
1572 sizeof(struct list_head), GFP_KERNEL);
1573 if (!ctx->io_buffers)
1574 goto err;
1575 for (i = 0; i < (1U << IO_BUFFERS_HASH_BITS); i++)
1576 INIT_LIST_HEAD(&ctx->io_buffers[i]);
1577
1578 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
1579 0, GFP_KERNEL))
1580 goto err;
1581
1582 ctx->flags = p->flags;
1583 init_waitqueue_head(&ctx->sqo_sq_wait);
1584 INIT_LIST_HEAD(&ctx->sqd_list);
1585 INIT_LIST_HEAD(&ctx->cq_overflow_list);
1586 INIT_LIST_HEAD(&ctx->io_buffers_cache);
1587 INIT_LIST_HEAD(&ctx->apoll_cache);
1588 init_completion(&ctx->ref_comp);
1589 xa_init_flags(&ctx->personalities, XA_FLAGS_ALLOC1);
1590 mutex_init(&ctx->uring_lock);
1591 init_waitqueue_head(&ctx->cq_wait);
1592 spin_lock_init(&ctx->completion_lock);
1593 spin_lock_init(&ctx->timeout_lock);
1594 INIT_WQ_LIST(&ctx->iopoll_list);
1595 INIT_LIST_HEAD(&ctx->io_buffers_pages);
1596 INIT_LIST_HEAD(&ctx->io_buffers_comp);
1597 INIT_LIST_HEAD(&ctx->defer_list);
1598 INIT_LIST_HEAD(&ctx->timeout_list);
1599 INIT_LIST_HEAD(&ctx->ltimeout_list);
1600 spin_lock_init(&ctx->rsrc_ref_lock);
1601 INIT_LIST_HEAD(&ctx->rsrc_ref_list);
1602 INIT_DELAYED_WORK(&ctx->rsrc_put_work, io_rsrc_put_work);
1603 init_llist_head(&ctx->rsrc_put_llist);
1604 INIT_LIST_HEAD(&ctx->tctx_list);
1605 ctx->submit_state.free_list.next = NULL;
1606 INIT_WQ_LIST(&ctx->locked_free_list);
1607 INIT_DELAYED_WORK(&ctx->fallback_work, io_fallback_req_func);
1608 INIT_WQ_LIST(&ctx->submit_state.compl_reqs);
1609 return ctx;
1610 err:
1611 kfree(ctx->dummy_ubuf);
1612 kfree(ctx->cancel_hash);
1613 kfree(ctx->io_buffers);
1614 kfree(ctx);
1615 return NULL;
1616 }
1617
1618 static void io_account_cq_overflow(struct io_ring_ctx *ctx)
1619 {
1620 struct io_rings *r = ctx->rings;
1621
1622 WRITE_ONCE(r->cq_overflow, READ_ONCE(r->cq_overflow) + 1);
1623 ctx->cq_extra--;
1624 }
1625
1626 static bool req_need_defer(struct io_kiocb *req, u32 seq)
1627 {
1628 if (unlikely(req->flags & REQ_F_IO_DRAIN)) {
1629 struct io_ring_ctx *ctx = req->ctx;
1630
1631 return seq + READ_ONCE(ctx->cq_extra) != ctx->cached_cq_tail;
1632 }
1633
1634 return false;
1635 }
1636
1637 #define FFS_NOWAIT 0x1UL
1638 #define FFS_ISREG 0x2UL
1639 #define FFS_MASK ~(FFS_NOWAIT|FFS_ISREG)
1640
1641 static inline bool io_req_ffs_set(struct io_kiocb *req)
1642 {
1643 return req->flags & REQ_F_FIXED_FILE;
1644 }
1645
1646 static inline void io_req_track_inflight(struct io_kiocb *req)
1647 {
1648 if (!(req->flags & REQ_F_INFLIGHT)) {
1649 req->flags |= REQ_F_INFLIGHT;
1650 atomic_inc(&req->task->io_uring->inflight_tracked);
1651 }
1652 }
1653
1654 static struct io_kiocb *__io_prep_linked_timeout(struct io_kiocb *req)
1655 {
1656 if (WARN_ON_ONCE(!req->link))
1657 return NULL;
1658
1659 req->flags &= ~REQ_F_ARM_LTIMEOUT;
1660 req->flags |= REQ_F_LINK_TIMEOUT;
1661
1662 /* linked timeouts should have two refs once prep'ed */
1663 io_req_set_refcount(req);
1664 __io_req_set_refcount(req->link, 2);
1665 return req->link;
1666 }
1667
1668 static inline struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
1669 {
1670 if (likely(!(req->flags & REQ_F_ARM_LTIMEOUT)))
1671 return NULL;
1672 return __io_prep_linked_timeout(req);
1673 }
1674
1675 static void io_prep_async_work(struct io_kiocb *req)
1676 {
1677 const struct io_op_def *def = &io_op_defs[req->opcode];
1678 struct io_ring_ctx *ctx = req->ctx;
1679
1680 if (!(req->flags & REQ_F_CREDS)) {
1681 req->flags |= REQ_F_CREDS;
1682 req->creds = get_current_cred();
1683 }
1684
1685 req->work.list.next = NULL;
1686 req->work.flags = 0;
1687 if (req->flags & REQ_F_FORCE_ASYNC)
1688 req->work.flags |= IO_WQ_WORK_CONCURRENT;
1689
1690 if (req->flags & REQ_F_ISREG) {
1691 if (def->hash_reg_file || (ctx->flags & IORING_SETUP_IOPOLL))
1692 io_wq_hash_work(&req->work, file_inode(req->file));
1693 } else if (!req->file || !S_ISBLK(file_inode(req->file)->i_mode)) {
1694 if (def->unbound_nonreg_file)
1695 req->work.flags |= IO_WQ_WORK_UNBOUND;
1696 }
1697 }
1698
1699 static void io_prep_async_link(struct io_kiocb *req)
1700 {
1701 struct io_kiocb *cur;
1702
1703 if (req->flags & REQ_F_LINK_TIMEOUT) {
1704 struct io_ring_ctx *ctx = req->ctx;
1705
1706 spin_lock_irq(&ctx->timeout_lock);
1707 io_for_each_link(cur, req)
1708 io_prep_async_work(cur);
1709 spin_unlock_irq(&ctx->timeout_lock);
1710 } else {
1711 io_for_each_link(cur, req)
1712 io_prep_async_work(cur);
1713 }
1714 }
1715
1716 static inline void io_req_add_compl_list(struct io_kiocb *req)
1717 {
1718 struct io_ring_ctx *ctx = req->ctx;
1719 struct io_submit_state *state = &ctx->submit_state;
1720
1721 if (!(req->flags & REQ_F_CQE_SKIP))
1722 ctx->submit_state.flush_cqes = true;
1723 wq_list_add_tail(&req->comp_list, &state->compl_reqs);
1724 }
1725
1726 static void io_queue_async_work(struct io_kiocb *req, bool *dont_use)
1727 {
1728 struct io_ring_ctx *ctx = req->ctx;
1729 struct io_kiocb *link = io_prep_linked_timeout(req);
1730 struct io_uring_task *tctx = req->task->io_uring;
1731
1732 BUG_ON(!tctx);
1733 BUG_ON(!tctx->io_wq);
1734
1735 /* init ->work of the whole link before punting */
1736 io_prep_async_link(req);
1737
1738 /*
1739 * Not expected to happen, but if we do have a bug where this _can_
1740 * happen, catch it here and ensure the request is marked as
1741 * canceled. That will make io-wq go through the usual work cancel
1742 * procedure rather than attempt to run this request (or create a new
1743 * worker for it).
1744 */
1745 if (WARN_ON_ONCE(!same_thread_group(req->task, current)))
1746 req->work.flags |= IO_WQ_WORK_CANCEL;
1747
1748 trace_io_uring_queue_async_work(ctx, req, req->user_data, req->opcode, req->flags,
1749 &req->work, io_wq_is_hashed(&req->work));
1750 io_wq_enqueue(tctx->io_wq, &req->work);
1751 if (link)
1752 io_queue_linked_timeout(link);
1753 }
1754
1755 static void io_kill_timeout(struct io_kiocb *req, int status)
1756 __must_hold(&req->ctx->completion_lock)
1757 __must_hold(&req->ctx->timeout_lock)
1758 {
1759 struct io_timeout_data *io = req->async_data;
1760
1761 if (hrtimer_try_to_cancel(&io->timer) != -1) {
1762 if (status)
1763 req_set_fail(req);
1764 atomic_set(&req->ctx->cq_timeouts,
1765 atomic_read(&req->ctx->cq_timeouts) + 1);
1766 list_del_init(&req->timeout.list);
1767 io_fill_cqe_req(req, status, 0);
1768 io_put_req_deferred(req);
1769 }
1770 }
1771
1772 static __cold void io_queue_deferred(struct io_ring_ctx *ctx)
1773 {
1774 while (!list_empty(&ctx->defer_list)) {
1775 struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
1776 struct io_defer_entry, list);
1777
1778 if (req_need_defer(de->req, de->seq))
1779 break;
1780 list_del_init(&de->list);
1781 io_req_task_queue(de->req);
1782 kfree(de);
1783 }
1784 }
1785
1786 static __cold void io_flush_timeouts(struct io_ring_ctx *ctx)
1787 __must_hold(&ctx->completion_lock)
1788 {
1789 u32 seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
1790 struct io_kiocb *req, *tmp;
1791
1792 spin_lock_irq(&ctx->timeout_lock);
1793 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {
1794 u32 events_needed, events_got;
1795
1796 if (io_is_timeout_noseq(req))
1797 break;
1798
1799 /*
1800 * Since seq can easily wrap around over time, subtract
1801 * the last seq at which timeouts were flushed before comparing.
1802 * Assuming not more than 2^31-1 events have happened since,
1803 * these subtractions won't have wrapped, so we can check if
1804 * target is in [last_seq, current_seq] by comparing the two.
1805 */
1806 events_needed = req->timeout.target_seq - ctx->cq_last_tm_flush;
1807 events_got = seq - ctx->cq_last_tm_flush;
1808 if (events_got < events_needed)
1809 break;
1810
1811 io_kill_timeout(req, 0);
1812 }
1813 ctx->cq_last_tm_flush = seq;
1814 spin_unlock_irq(&ctx->timeout_lock);
1815 }
1816
1817 static inline void io_commit_cqring(struct io_ring_ctx *ctx)
1818 {
1819 /* order cqe stores with ring update */
1820 smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail);
1821 }
1822
1823 static void __io_commit_cqring_flush(struct io_ring_ctx *ctx)
1824 {
1825 if (ctx->off_timeout_used || ctx->drain_active) {
1826 spin_lock(&ctx->completion_lock);
1827 if (ctx->off_timeout_used)
1828 io_flush_timeouts(ctx);
1829 if (ctx->drain_active)
1830 io_queue_deferred(ctx);
1831 io_commit_cqring(ctx);
1832 spin_unlock(&ctx->completion_lock);
1833 }
1834 if (ctx->has_evfd)
1835 io_eventfd_signal(ctx);
1836 }
1837
1838 static inline bool io_sqring_full(struct io_ring_ctx *ctx)
1839 {
1840 struct io_rings *r = ctx->rings;
1841
1842 return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == ctx->sq_entries;
1843 }
1844
1845 static inline unsigned int __io_cqring_events(struct io_ring_ctx *ctx)
1846 {
1847 return ctx->cached_cq_tail - READ_ONCE(ctx->rings->cq.head);
1848 }
1849
1850 static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx)
1851 {
1852 struct io_rings *rings = ctx->rings;
1853 unsigned tail, mask = ctx->cq_entries - 1;
1854
1855 /*
1856 * writes to the cq entry need to come after reading head; the
1857 * control dependency is enough as we're using WRITE_ONCE to
1858 * fill the cq entry
1859 */
1860 if (__io_cqring_events(ctx) == ctx->cq_entries)
1861 return NULL;
1862
1863 tail = ctx->cached_cq_tail++;
1864 return &rings->cqes[tail & mask];
1865 }
1866
1867 static void io_eventfd_signal(struct io_ring_ctx *ctx)
1868 {
1869 struct io_ev_fd *ev_fd;
1870
1871 rcu_read_lock();
1872 /*
1873 * rcu_dereference ctx->io_ev_fd once and use it for both for checking
1874 * and eventfd_signal
1875 */
1876 ev_fd = rcu_dereference(ctx->io_ev_fd);
1877
1878 /*
1879 * Check again if ev_fd exists incase an io_eventfd_unregister call
1880 * completed between the NULL check of ctx->io_ev_fd at the start of
1881 * the function and rcu_read_lock.
1882 */
1883 if (unlikely(!ev_fd))
1884 goto out;
1885 if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
1886 goto out;
1887
1888 if (!ev_fd->eventfd_async || io_wq_current_is_worker())
1889 eventfd_signal(ev_fd->cq_ev_fd, 1);
1890 out:
1891 rcu_read_unlock();
1892 }
1893
1894 static inline void io_cqring_wake(struct io_ring_ctx *ctx)
1895 {
1896 /*
1897 * wake_up_all() may seem excessive, but io_wake_function() and
1898 * io_should_wake() handle the termination of the loop and only
1899 * wake as many waiters as we need to.
1900 */
1901 if (wq_has_sleeper(&ctx->cq_wait))
1902 wake_up_all(&ctx->cq_wait);
1903 }
1904
1905 /*
1906 * This should only get called when at least one event has been posted.
1907 * Some applications rely on the eventfd notification count only changing
1908 * IFF a new CQE has been added to the CQ ring. There's no depedency on
1909 * 1:1 relationship between how many times this function is called (and
1910 * hence the eventfd count) and number of CQEs posted to the CQ ring.
1911 */
1912 static inline void io_cqring_ev_posted(struct io_ring_ctx *ctx)
1913 {
1914 if (unlikely(ctx->off_timeout_used || ctx->drain_active ||
1915 ctx->has_evfd))
1916 __io_commit_cqring_flush(ctx);
1917
1918 io_cqring_wake(ctx);
1919 }
1920
1921 static void io_cqring_ev_posted_iopoll(struct io_ring_ctx *ctx)
1922 {
1923 if (unlikely(ctx->off_timeout_used || ctx->drain_active ||
1924 ctx->has_evfd))
1925 __io_commit_cqring_flush(ctx);
1926
1927 if (ctx->flags & IORING_SETUP_SQPOLL)
1928 io_cqring_wake(ctx);
1929 }
1930
1931 /* Returns true if there are no backlogged entries after the flush */
1932 static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
1933 {
1934 bool all_flushed, posted;
1935
1936 if (!force && __io_cqring_events(ctx) == ctx->cq_entries)
1937 return false;
1938
1939 posted = false;
1940 spin_lock(&ctx->completion_lock);
1941 while (!list_empty(&ctx->cq_overflow_list)) {
1942 struct io_uring_cqe *cqe = io_get_cqe(ctx);
1943 struct io_overflow_cqe *ocqe;
1944
1945 if (!cqe && !force)
1946 break;
1947 ocqe = list_first_entry(&ctx->cq_overflow_list,
1948 struct io_overflow_cqe, list);
1949 if (cqe)
1950 memcpy(cqe, &ocqe->cqe, sizeof(*cqe));
1951 else
1952 io_account_cq_overflow(ctx);
1953
1954 posted = true;
1955 list_del(&ocqe->list);
1956 kfree(ocqe);
1957 }
1958
1959 all_flushed = list_empty(&ctx->cq_overflow_list);
1960 if (all_flushed) {
1961 clear_bit(0, &ctx->check_cq_overflow);
1962 WRITE_ONCE(ctx->rings->sq_flags,
1963 ctx->rings->sq_flags & ~IORING_SQ_CQ_OVERFLOW);
1964 }
1965
1966 if (posted)
1967 io_commit_cqring(ctx);
1968 spin_unlock(&ctx->completion_lock);
1969 if (posted)
1970 io_cqring_ev_posted(ctx);
1971 return all_flushed;
1972 }
1973
1974 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx)
1975 {
1976 bool ret = true;
1977
1978 if (test_bit(0, &ctx->check_cq_overflow)) {
1979 /* iopoll syncs against uring_lock, not completion_lock */
1980 if (ctx->flags & IORING_SETUP_IOPOLL)
1981 mutex_lock(&ctx->uring_lock);
1982 ret = __io_cqring_overflow_flush(ctx, false);
1983 if (ctx->flags & IORING_SETUP_IOPOLL)
1984 mutex_unlock(&ctx->uring_lock);
1985 }
1986
1987 return ret;
1988 }
1989
1990 /* must to be called somewhat shortly after putting a request */
1991 static inline void io_put_task(struct task_struct *task, int nr)
1992 {
1993 struct io_uring_task *tctx = task->io_uring;
1994
1995 if (likely(task == current)) {
1996 tctx->cached_refs += nr;
1997 } else {
1998 percpu_counter_sub(&tctx->inflight, nr);
1999 if (unlikely(atomic_read(&tctx->in_idle)))
2000 wake_up(&tctx->wait);
2001 put_task_struct_many(task, nr);
2002 }
2003 }
2004
2005 static void io_task_refs_refill(struct io_uring_task *tctx)
2006 {
2007 unsigned int refill = -tctx->cached_refs + IO_TCTX_REFS_CACHE_NR;
2008
2009 percpu_counter_add(&tctx->inflight, refill);
2010 refcount_add(refill, &current->usage);
2011 tctx->cached_refs += refill;
2012 }
2013
2014 static inline void io_get_task_refs(int nr)
2015 {
2016 struct io_uring_task *tctx = current->io_uring;
2017
2018 tctx->cached_refs -= nr;
2019 if (unlikely(tctx->cached_refs < 0))
2020 io_task_refs_refill(tctx);
2021 }
2022
2023 static __cold void io_uring_drop_tctx_refs(struct task_struct *task)
2024 {
2025 struct io_uring_task *tctx = task->io_uring;
2026 unsigned int refs = tctx->cached_refs;
2027
2028 if (refs) {
2029 tctx->cached_refs = 0;
2030 percpu_counter_sub(&tctx->inflight, refs);
2031 put_task_struct_many(task, refs);
2032 }
2033 }
2034
2035 static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data,
2036 s32 res, u32 cflags)
2037 {
2038 struct io_overflow_cqe *ocqe;
2039
2040 ocqe = kmalloc(sizeof(*ocqe), GFP_ATOMIC | __GFP_ACCOUNT);
2041 if (!ocqe) {
2042 /*
2043 * If we're in ring overflow flush mode, or in task cancel mode,
2044 * or cannot allocate an overflow entry, then we need to drop it
2045 * on the floor.
2046 */
2047 io_account_cq_overflow(ctx);
2048 return false;
2049 }
2050 if (list_empty(&ctx->cq_overflow_list)) {
2051 set_bit(0, &ctx->check_cq_overflow);
2052 WRITE_ONCE(ctx->rings->sq_flags,
2053 ctx->rings->sq_flags | IORING_SQ_CQ_OVERFLOW);
2054
2055 }
2056 ocqe->cqe.user_data = user_data;
2057 ocqe->cqe.res = res;
2058 ocqe->cqe.flags = cflags;
2059 list_add_tail(&ocqe->list, &ctx->cq_overflow_list);
2060 return true;
2061 }
2062
2063 static inline bool __io_fill_cqe(struct io_ring_ctx *ctx, u64 user_data,
2064 s32 res, u32 cflags)
2065 {
2066 struct io_uring_cqe *cqe;
2067
2068 /*
2069 * If we can't get a cq entry, userspace overflowed the
2070 * submission (by quite a lot). Increment the overflow count in
2071 * the ring.
2072 */
2073 cqe = io_get_cqe(ctx);
2074 if (likely(cqe)) {
2075 WRITE_ONCE(cqe->user_data, user_data);
2076 WRITE_ONCE(cqe->res, res);
2077 WRITE_ONCE(cqe->flags, cflags);
2078 return true;
2079 }
2080 return io_cqring_event_overflow(ctx, user_data, res, cflags);
2081 }
2082
2083 static inline bool __io_fill_cqe_req(struct io_kiocb *req, s32 res, u32 cflags)
2084 {
2085 trace_io_uring_complete(req->ctx, req, req->user_data, res, cflags);
2086 return __io_fill_cqe(req->ctx, req->user_data, res, cflags);
2087 }
2088
2089 static noinline void io_fill_cqe_req(struct io_kiocb *req, s32 res, u32 cflags)
2090 {
2091 if (!(req->flags & REQ_F_CQE_SKIP))
2092 __io_fill_cqe_req(req, res, cflags);
2093 }
2094
2095 static noinline bool io_fill_cqe_aux(struct io_ring_ctx *ctx, u64 user_data,
2096 s32 res, u32 cflags)
2097 {
2098 ctx->cq_extra++;
2099 trace_io_uring_complete(ctx, NULL, user_data, res, cflags);
2100 return __io_fill_cqe(ctx, user_data, res, cflags);
2101 }
2102
2103 static void __io_req_complete_post(struct io_kiocb *req, s32 res,
2104 u32 cflags)
2105 {
2106 struct io_ring_ctx *ctx = req->ctx;
2107
2108 if (!(req->flags & REQ_F_CQE_SKIP))
2109 __io_fill_cqe_req(req, res, cflags);
2110 /*
2111 * If we're the last reference to this request, add to our locked
2112 * free_list cache.
2113 */
2114 if (req_ref_put_and_test(req)) {
2115 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
2116 if (req->flags & IO_DISARM_MASK)
2117 io_disarm_next(req);
2118 if (req->link) {
2119 io_req_task_queue(req->link);
2120 req->link = NULL;
2121 }
2122 }
2123 io_req_put_rsrc(req, ctx);
2124 /*
2125 * Selected buffer deallocation in io_clean_op() assumes that
2126 * we don't hold ->completion_lock. Clean them here to avoid
2127 * deadlocks.
2128 */
2129 io_put_kbuf_comp(req);
2130 io_dismantle_req(req);
2131 io_put_task(req->task, 1);
2132 wq_list_add_head(&req->comp_list, &ctx->locked_free_list);
2133 ctx->locked_free_nr++;
2134 }
2135 }
2136
2137 static void io_req_complete_post(struct io_kiocb *req, s32 res,
2138 u32 cflags)
2139 {
2140 struct io_ring_ctx *ctx = req->ctx;
2141
2142 spin_lock(&ctx->completion_lock);
2143 __io_req_complete_post(req, res, cflags);
2144 io_commit_cqring(ctx);
2145 spin_unlock(&ctx->completion_lock);
2146 io_cqring_ev_posted(ctx);
2147 }
2148
2149 static inline void io_req_complete_state(struct io_kiocb *req, s32 res,
2150 u32 cflags)
2151 {
2152 req->result = res;
2153 req->cflags = cflags;
2154 req->flags |= REQ_F_COMPLETE_INLINE;
2155 }
2156
2157 static inline void __io_req_complete(struct io_kiocb *req, unsigned issue_flags,
2158 s32 res, u32 cflags)
2159 {
2160 if (issue_flags & IO_URING_F_COMPLETE_DEFER)
2161 io_req_complete_state(req, res, cflags);
2162 else
2163 io_req_complete_post(req, res, cflags);
2164 }
2165
2166 static inline void io_req_complete(struct io_kiocb *req, s32 res)
2167 {
2168 __io_req_complete(req, 0, res, 0);
2169 }
2170
2171 static void io_req_complete_failed(struct io_kiocb *req, s32 res)
2172 {
2173 req_set_fail(req);
2174 io_req_complete_post(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED));
2175 }
2176
2177 static void io_req_complete_fail_submit(struct io_kiocb *req)
2178 {
2179 /*
2180 * We don't submit, fail them all, for that replace hardlinks with
2181 * normal links. Extra REQ_F_LINK is tolerated.
2182 */
2183 req->flags &= ~REQ_F_HARDLINK;
2184 req->flags |= REQ_F_LINK;
2185 io_req_complete_failed(req, req->result);
2186 }
2187
2188 /*
2189 * Don't initialise the fields below on every allocation, but do that in
2190 * advance and keep them valid across allocations.
2191 */
2192 static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
2193 {
2194 req->ctx = ctx;
2195 req->link = NULL;
2196 req->async_data = NULL;
2197 /* not necessary, but safer to zero */
2198 req->result = 0;
2199 }
2200
2201 static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,
2202 struct io_submit_state *state)
2203 {
2204 spin_lock(&ctx->completion_lock);
2205 wq_list_splice(&ctx->locked_free_list, &state->free_list);
2206 ctx->locked_free_nr = 0;
2207 spin_unlock(&ctx->completion_lock);
2208 }
2209
2210 /* Returns true IFF there are requests in the cache */
2211 static bool io_flush_cached_reqs(struct io_ring_ctx *ctx)
2212 {
2213 struct io_submit_state *state = &ctx->submit_state;
2214
2215 /*
2216 * If we have more than a batch's worth of requests in our IRQ side
2217 * locked cache, grab the lock and move them over to our submission
2218 * side cache.
2219 */
2220 if (READ_ONCE(ctx->locked_free_nr) > IO_COMPL_BATCH)
2221 io_flush_cached_locked_reqs(ctx, state);
2222 return !!state->free_list.next;
2223 }
2224
2225 /*
2226 * A request might get retired back into the request caches even before opcode
2227 * handlers and io_issue_sqe() are done with it, e.g. inline completion path.
2228 * Because of that, io_alloc_req() should be called only under ->uring_lock
2229 * and with extra caution to not get a request that is still worked on.
2230 */
2231 static __cold bool __io_alloc_req_refill(struct io_ring_ctx *ctx)
2232 __must_hold(&ctx->uring_lock)
2233 {
2234 struct io_submit_state *state = &ctx->submit_state;
2235 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
2236 void *reqs[IO_REQ_ALLOC_BATCH];
2237 struct io_kiocb *req;
2238 int ret, i;
2239
2240 if (likely(state->free_list.next || io_flush_cached_reqs(ctx)))
2241 return true;
2242
2243 ret = kmem_cache_alloc_bulk(req_cachep, gfp, ARRAY_SIZE(reqs), reqs);
2244
2245 /*
2246 * Bulk alloc is all-or-nothing. If we fail to get a batch,
2247 * retry single alloc to be on the safe side.
2248 */
2249 if (unlikely(ret <= 0)) {
2250 reqs[0] = kmem_cache_alloc(req_cachep, gfp);
2251 if (!reqs[0])
2252 return false;
2253 ret = 1;
2254 }
2255
2256 percpu_ref_get_many(&ctx->refs, ret);
2257 for (i = 0; i < ret; i++) {
2258 req = reqs[i];
2259
2260 io_preinit_req(req, ctx);
2261 wq_stack_add_head(&req->comp_list, &state->free_list);
2262 }
2263 return true;
2264 }
2265
2266 static inline bool io_alloc_req_refill(struct io_ring_ctx *ctx)
2267 {
2268 if (unlikely(!ctx->submit_state.free_list.next))
2269 return __io_alloc_req_refill(ctx);
2270 return true;
2271 }
2272
2273 static inline struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx)
2274 {
2275 struct io_wq_work_node *node;
2276
2277 node = wq_stack_extract(&ctx->submit_state.free_list);
2278 return container_of(node, struct io_kiocb, comp_list);
2279 }
2280
2281 static inline void io_put_file(struct file *file)
2282 {
2283 if (file)
2284 fput(file);
2285 }
2286
2287 static inline void io_dismantle_req(struct io_kiocb *req)
2288 {
2289 unsigned int flags = req->flags;
2290
2291 if (unlikely(flags & IO_REQ_CLEAN_FLAGS))
2292 io_clean_op(req);
2293 if (!(flags & REQ_F_FIXED_FILE))
2294 io_put_file(req->file);
2295 }
2296
2297 static __cold void __io_free_req(struct io_kiocb *req)
2298 {
2299 struct io_ring_ctx *ctx = req->ctx;
2300
2301 io_req_put_rsrc(req, ctx);
2302 io_dismantle_req(req);
2303 io_put_task(req->task, 1);
2304
2305 spin_lock(&ctx->completion_lock);
2306 wq_list_add_head(&req->comp_list, &ctx->locked_free_list);
2307 ctx->locked_free_nr++;
2308 spin_unlock(&ctx->completion_lock);
2309 }
2310
2311 static inline void io_remove_next_linked(struct io_kiocb *req)
2312 {
2313 struct io_kiocb *nxt = req->link;
2314
2315 req->link = nxt->link;
2316 nxt->link = NULL;
2317 }
2318
2319 static bool io_kill_linked_timeout(struct io_kiocb *req)
2320 __must_hold(&req->ctx->completion_lock)
2321 __must_hold(&req->ctx->timeout_lock)
2322 {
2323 struct io_kiocb *link = req->link;
2324
2325 if (link && link->opcode == IORING_OP_LINK_TIMEOUT) {
2326 struct io_timeout_data *io = link->async_data;
2327
2328 io_remove_next_linked(req);
2329 link->timeout.head = NULL;
2330 if (hrtimer_try_to_cancel(&io->timer) != -1) {
2331 list_del(&link->timeout.list);
2332 /* leave REQ_F_CQE_SKIP to io_fill_cqe_req */
2333 io_fill_cqe_req(link, -ECANCELED, 0);
2334 io_put_req_deferred(link);
2335 return true;
2336 }
2337 }
2338 return false;
2339 }
2340
2341 static void io_fail_links(struct io_kiocb *req)
2342 __must_hold(&req->ctx->completion_lock)
2343 {
2344 struct io_kiocb *nxt, *link = req->link;
2345 bool ignore_cqes = req->flags & REQ_F_SKIP_LINK_CQES;
2346
2347 req->link = NULL;
2348 while (link) {
2349 long res = -ECANCELED;
2350
2351 if (link->flags & REQ_F_FAIL)
2352 res = link->result;
2353
2354 nxt = link->link;
2355 link->link = NULL;
2356
2357 trace_io_uring_fail_link(req->ctx, req, req->user_data,
2358 req->opcode, link);
2359
2360 if (!ignore_cqes) {
2361 link->flags &= ~REQ_F_CQE_SKIP;
2362 io_fill_cqe_req(link, res, 0);
2363 }
2364 io_put_req_deferred(link);
2365 link = nxt;
2366 }
2367 }
2368
2369 static bool io_disarm_next(struct io_kiocb *req)
2370 __must_hold(&req->ctx->completion_lock)
2371 {
2372 bool posted = false;
2373
2374 if (req->flags & REQ_F_ARM_LTIMEOUT) {
2375 struct io_kiocb *link = req->link;
2376
2377 req->flags &= ~REQ_F_ARM_LTIMEOUT;
2378 if (link && link->opcode == IORING_OP_LINK_TIMEOUT) {
2379 io_remove_next_linked(req);
2380 /* leave REQ_F_CQE_SKIP to io_fill_cqe_req */
2381 io_fill_cqe_req(link, -ECANCELED, 0);
2382 io_put_req_deferred(link);
2383 posted = true;
2384 }
2385 } else if (req->flags & REQ_F_LINK_TIMEOUT) {
2386 struct io_ring_ctx *ctx = req->ctx;
2387
2388 spin_lock_irq(&ctx->timeout_lock);
2389 posted = io_kill_linked_timeout(req);
2390 spin_unlock_irq(&ctx->timeout_lock);
2391 }
2392 if (unlikely((req->flags & REQ_F_FAIL) &&
2393 !(req->flags & REQ_F_HARDLINK))) {
2394 posted |= (req->link != NULL);
2395 io_fail_links(req);
2396 }
2397 return posted;
2398 }
2399
2400 static void __io_req_find_next_prep(struct io_kiocb *req)
2401 {
2402 struct io_ring_ctx *ctx = req->ctx;
2403 bool posted;
2404
2405 spin_lock(&ctx->completion_lock);
2406 posted = io_disarm_next(req);
2407 if (posted)
2408 io_commit_cqring(ctx);
2409 spin_unlock(&ctx->completion_lock);
2410 if (posted)
2411 io_cqring_ev_posted(ctx);
2412 }
2413
2414 static inline struct io_kiocb *io_req_find_next(struct io_kiocb *req)
2415 {
2416 struct io_kiocb *nxt;
2417
2418 if (likely(!(req->flags & (REQ_F_LINK|REQ_F_HARDLINK))))
2419 return NULL;
2420 /*
2421 * If LINK is set, we have dependent requests in this chain. If we
2422 * didn't fail this request, queue the first one up, moving any other
2423 * dependencies to the next request. In case of failure, fail the rest
2424 * of the chain.
2425 */
2426 if (unlikely(req->flags & IO_DISARM_MASK))
2427 __io_req_find_next_prep(req);
2428 nxt = req->link;
2429 req->link = NULL;
2430 return nxt;
2431 }
2432
2433 static void ctx_flush_and_put(struct io_ring_ctx *ctx, bool *locked)
2434 {
2435 if (!ctx)
2436 return;
2437 if (*locked) {
2438 io_submit_flush_completions(ctx);
2439 mutex_unlock(&ctx->uring_lock);
2440 *locked = false;
2441 }
2442 percpu_ref_put(&ctx->refs);
2443 }
2444
2445 static inline void ctx_commit_and_unlock(struct io_ring_ctx *ctx)
2446 {
2447 io_commit_cqring(ctx);
2448 spin_unlock(&ctx->completion_lock);
2449 io_cqring_ev_posted(ctx);
2450 }
2451
2452 static void handle_prev_tw_list(struct io_wq_work_node *node,
2453 struct io_ring_ctx **ctx, bool *uring_locked)
2454 {
2455 if (*ctx && !*uring_locked)
2456 spin_lock(&(*ctx)->completion_lock);
2457
2458 do {
2459 struct io_wq_work_node *next = node->next;
2460 struct io_kiocb *req = container_of(node, struct io_kiocb,
2461 io_task_work.node);
2462
2463 prefetch(container_of(next, struct io_kiocb, io_task_work.node));
2464
2465 if (req->ctx != *ctx) {
2466 if (unlikely(!*uring_locked && *ctx))
2467 ctx_commit_and_unlock(*ctx);
2468
2469 ctx_flush_and_put(*ctx, uring_locked);
2470 *ctx = req->ctx;
2471 /* if not contended, grab and improve batching */
2472 *uring_locked = mutex_trylock(&(*ctx)->uring_lock);
2473 percpu_ref_get(&(*ctx)->refs);
2474 if (unlikely(!*uring_locked))
2475 spin_lock(&(*ctx)->completion_lock);
2476 }
2477 if (likely(*uring_locked))
2478 req->io_task_work.func(req, uring_locked);
2479 else
2480 __io_req_complete_post(req, req->result,
2481 io_put_kbuf_comp(req));
2482 node = next;
2483 } while (node);
2484
2485 if (unlikely(!*uring_locked))
2486 ctx_commit_and_unlock(*ctx);
2487 }
2488
2489 static void handle_tw_list(struct io_wq_work_node *node,
2490 struct io_ring_ctx **ctx, bool *locked)
2491 {
2492 do {
2493 struct io_wq_work_node *next = node->next;
2494 struct io_kiocb *req = container_of(node, struct io_kiocb,
2495 io_task_work.node);
2496
2497 prefetch(container_of(next, struct io_kiocb, io_task_work.node));
2498
2499 if (req->ctx != *ctx) {
2500 ctx_flush_and_put(*ctx, locked);
2501 *ctx = req->ctx;
2502 /* if not contended, grab and improve batching */
2503 *locked = mutex_trylock(&(*ctx)->uring_lock);
2504 percpu_ref_get(&(*ctx)->refs);
2505 }
2506 req->io_task_work.func(req, locked);
2507 node = next;
2508 } while (node);
2509 }
2510
2511 static void tctx_task_work(struct callback_head *cb)
2512 {
2513 bool uring_locked = false;
2514 struct io_ring_ctx *ctx = NULL;
2515 struct io_uring_task *tctx = container_of(cb, struct io_uring_task,
2516 task_work);
2517
2518 while (1) {
2519 struct io_wq_work_node *node1, *node2;
2520
2521 if (!tctx->task_list.first &&
2522 !tctx->prior_task_list.first && uring_locked)
2523 io_submit_flush_completions(ctx);
2524
2525 spin_lock_irq(&tctx->task_lock);
2526 node1 = tctx->prior_task_list.first;
2527 node2 = tctx->task_list.first;
2528 INIT_WQ_LIST(&tctx->task_list);
2529 INIT_WQ_LIST(&tctx->prior_task_list);
2530 if (!node2 && !node1)
2531 tctx->task_running = false;
2532 spin_unlock_irq(&tctx->task_lock);
2533 if (!node2 && !node1)
2534 break;
2535
2536 if (node1)
2537 handle_prev_tw_list(node1, &ctx, &uring_locked);
2538
2539 if (node2)
2540 handle_tw_list(node2, &ctx, &uring_locked);
2541 cond_resched();
2542 }
2543
2544 ctx_flush_and_put(ctx, &uring_locked);
2545
2546 /* relaxed read is enough as only the task itself sets ->in_idle */
2547 if (unlikely(atomic_read(&tctx->in_idle)))
2548 io_uring_drop_tctx_refs(current);
2549 }
2550
2551 static void io_req_task_work_add(struct io_kiocb *req, bool priority)
2552 {
2553 struct task_struct *tsk = req->task;
2554 struct io_uring_task *tctx = tsk->io_uring;
2555 enum task_work_notify_mode notify;
2556 struct io_wq_work_node *node;
2557 unsigned long flags;
2558 bool running;
2559
2560 WARN_ON_ONCE(!tctx);
2561
2562 spin_lock_irqsave(&tctx->task_lock, flags);
2563 if (priority)
2564 wq_list_add_tail(&req->io_task_work.node, &tctx->prior_task_list);
2565 else
2566 wq_list_add_tail(&req->io_task_work.node, &tctx->task_list);
2567 running = tctx->task_running;
2568 if (!running)
2569 tctx->task_running = true;
2570 spin_unlock_irqrestore(&tctx->task_lock, flags);
2571
2572 /* task_work already pending, we're done */
2573 if (running)
2574 return;
2575
2576 /*
2577 * SQPOLL kernel thread doesn't need notification, just a wakeup. For
2578 * all other cases, use TWA_SIGNAL unconditionally to ensure we're
2579 * processing task_work. There's no reliable way to tell if TWA_RESUME
2580 * will do the job.
2581 */
2582 notify = (req->ctx->flags & IORING_SETUP_SQPOLL) ? TWA_NONE : TWA_SIGNAL;
2583 if (likely(!task_work_add(tsk, &tctx->task_work, notify))) {
2584 if (notify == TWA_NONE)
2585 wake_up_process(tsk);
2586 return;
2587 }
2588
2589 spin_lock_irqsave(&tctx->task_lock, flags);
2590 tctx->task_running = false;
2591 node = wq_list_merge(&tctx->prior_task_list, &tctx->task_list);
2592 spin_unlock_irqrestore(&tctx->task_lock, flags);
2593
2594 while (node) {
2595 req = container_of(node, struct io_kiocb, io_task_work.node);
2596 node = node->next;
2597 if (llist_add(&req->io_task_work.fallback_node,
2598 &req->ctx->fallback_llist))
2599 schedule_delayed_work(&req->ctx->fallback_work, 1);
2600 }
2601 }
2602
2603 static void io_req_task_cancel(struct io_kiocb *req, bool *locked)
2604 {
2605 struct io_ring_ctx *ctx = req->ctx;
2606
2607 /* not needed for normal modes, but SQPOLL depends on it */
2608 io_tw_lock(ctx, locked);
2609 io_req_complete_failed(req, req->result);
2610 }
2611
2612 static void io_req_task_submit(struct io_kiocb *req, bool *locked)
2613 {
2614 struct io_ring_ctx *ctx = req->ctx;
2615
2616 io_tw_lock(ctx, locked);
2617 /* req->task == current here, checking PF_EXITING is safe */
2618 if (likely(!(req->task->flags & PF_EXITING)))
2619 __io_queue_sqe(req);
2620 else
2621 io_req_complete_failed(req, -EFAULT);
2622 }
2623
2624 static void io_req_task_queue_fail(struct io_kiocb *req, int ret)
2625 {
2626 req->result = ret;
2627 req->io_task_work.func = io_req_task_cancel;
2628 io_req_task_work_add(req, false);
2629 }
2630
2631 static void io_req_task_queue(struct io_kiocb *req)
2632 {
2633 req->io_task_work.func = io_req_task_submit;
2634 io_req_task_work_add(req, false);
2635 }
2636
2637 static void io_req_task_queue_reissue(struct io_kiocb *req)
2638 {
2639 req->io_task_work.func = io_queue_async_work;
2640 io_req_task_work_add(req, false);
2641 }
2642
2643 static inline void io_queue_next(struct io_kiocb *req)
2644 {
2645 struct io_kiocb *nxt = io_req_find_next(req);
2646
2647 if (nxt)
2648 io_req_task_queue(nxt);
2649 }
2650
2651 static void io_free_req(struct io_kiocb *req)
2652 {
2653 io_queue_next(req);
2654 __io_free_req(req);
2655 }
2656
2657 static void io_free_req_work(struct io_kiocb *req, bool *locked)
2658 {
2659 io_free_req(req);
2660 }
2661
2662 static void io_free_batch_list(struct io_ring_ctx *ctx,
2663 struct io_wq_work_node *node)
2664 __must_hold(&ctx->uring_lock)
2665 {
2666 struct task_struct *task = NULL;
2667 int task_refs = 0;
2668
2669 do {
2670 struct io_kiocb *req = container_of(node, struct io_kiocb,
2671 comp_list);
2672
2673 if (unlikely(req->flags & REQ_F_REFCOUNT)) {
2674 node = req->comp_list.next;
2675 if (!req_ref_put_and_test(req))
2676 continue;
2677 }
2678
2679 io_req_put_rsrc_locked(req, ctx);
2680 io_queue_next(req);
2681 io_dismantle_req(req);
2682
2683 if (req->task != task) {
2684 if (task)
2685 io_put_task(task, task_refs);
2686 task = req->task;
2687 task_refs = 0;
2688 }
2689 task_refs++;
2690 node = req->comp_list.next;
2691 wq_stack_add_head(&req->comp_list, &ctx->submit_state.free_list);
2692 } while (node);
2693
2694 if (task)
2695 io_put_task(task, task_refs);
2696 }
2697
2698 static void __io_submit_flush_completions(struct io_ring_ctx *ctx)
2699 __must_hold(&ctx->uring_lock)
2700 {
2701 struct io_wq_work_node *node, *prev;
2702 struct io_submit_state *state = &ctx->submit_state;
2703
2704 if (state->flush_cqes) {
2705 spin_lock(&ctx->completion_lock);
2706 wq_list_for_each(node, prev, &state->compl_reqs) {
2707 struct io_kiocb *req = container_of(node, struct io_kiocb,
2708 comp_list);
2709
2710 if (!(req->flags & REQ_F_CQE_SKIP))
2711 __io_fill_cqe_req(req, req->result, req->cflags);
2712 if ((req->flags & REQ_F_POLLED) && req->apoll) {
2713 struct async_poll *apoll = req->apoll;
2714
2715 if (apoll->double_poll)
2716 kfree(apoll->double_poll);
2717 list_add(&apoll->poll.wait.entry,
2718 &ctx->apoll_cache);
2719 req->flags &= ~REQ_F_POLLED;
2720 }
2721 }
2722
2723 io_commit_cqring(ctx);
2724 spin_unlock(&ctx->completion_lock);
2725 io_cqring_ev_posted(ctx);
2726 state->flush_cqes = false;
2727 }
2728
2729 io_free_batch_list(ctx, state->compl_reqs.first);
2730 INIT_WQ_LIST(&state->compl_reqs);
2731 }
2732
2733 /*
2734 * Drop reference to request, return next in chain (if there is one) if this
2735 * was the last reference to this request.
2736 */
2737 static inline struct io_kiocb *io_put_req_find_next(struct io_kiocb *req)
2738 {
2739 struct io_kiocb *nxt = NULL;
2740
2741 if (req_ref_put_and_test(req)) {
2742 nxt = io_req_find_next(req);
2743 __io_free_req(req);
2744 }
2745 return nxt;
2746 }
2747
2748 static inline void io_put_req(struct io_kiocb *req)
2749 {
2750 if (req_ref_put_and_test(req))
2751 io_free_req(req);
2752 }
2753
2754 static inline void io_put_req_deferred(struct io_kiocb *req)
2755 {
2756 if (req_ref_put_and_test(req)) {
2757 req->io_task_work.func = io_free_req_work;
2758 io_req_task_work_add(req, false);
2759 }
2760 }
2761
2762 static unsigned io_cqring_events(struct io_ring_ctx *ctx)
2763 {
2764 /* See comment at the top of this file */
2765 smp_rmb();
2766 return __io_cqring_events(ctx);
2767 }
2768
2769 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
2770 {
2771 struct io_rings *rings = ctx->rings;
2772
2773 /* make sure SQ entry isn't read before tail */
2774 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
2775 }
2776
2777 static inline bool io_run_task_work(void)
2778 {
2779 if (test_thread_flag(TIF_NOTIFY_SIGNAL) || task_work_pending(current)) {
2780 __set_current_state(TASK_RUNNING);
2781 clear_notify_signal();
2782 if (task_work_pending(current))
2783 task_work_run();
2784 return true;
2785 }
2786
2787 return false;
2788 }
2789
2790 static int io_do_iopoll(struct io_ring_ctx *ctx, bool force_nonspin)
2791 {
2792 struct io_wq_work_node *pos, *start, *prev;
2793 unsigned int poll_flags = BLK_POLL_NOSLEEP;
2794 DEFINE_IO_COMP_BATCH(iob);
2795 int nr_events = 0;
2796
2797 /*
2798 * Only spin for completions if we don't have multiple devices hanging
2799 * off our complete list.
2800 */
2801 if (ctx->poll_multi_queue || force_nonspin)
2802 poll_flags |= BLK_POLL_ONESHOT;
2803
2804 wq_list_for_each(pos, start, &ctx->iopoll_list) {
2805 struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
2806 struct kiocb *kiocb = &req->rw.kiocb;
2807 int ret;
2808
2809 /*
2810 * Move completed and retryable entries to our local lists.
2811 * If we find a request that requires polling, break out
2812 * and complete those lists first, if we have entries there.
2813 */
2814 if (READ_ONCE(req->iopoll_completed))
2815 break;
2816
2817 ret = kiocb->ki_filp->f_op->iopoll(kiocb, &iob, poll_flags);
2818 if (unlikely(ret < 0))
2819 return ret;
2820 else if (ret)
2821 poll_flags |= BLK_POLL_ONESHOT;
2822
2823 /* iopoll may have completed current req */
2824 if (!rq_list_empty(iob.req_list) ||
2825 READ_ONCE(req->iopoll_completed))
2826 break;
2827 }
2828
2829 if (!rq_list_empty(iob.req_list))
2830 iob.complete(&iob);
2831 else if (!pos)
2832 return 0;
2833
2834 prev = start;
2835 wq_list_for_each_resume(pos, prev) {
2836 struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
2837
2838 /* order with io_complete_rw_iopoll(), e.g. ->result updates */
2839 if (!smp_load_acquire(&req->iopoll_completed))
2840 break;
2841 nr_events++;
2842 if (unlikely(req->flags & REQ_F_CQE_SKIP))
2843 continue;
2844 __io_fill_cqe_req(req, req->result, io_put_kbuf(req, 0));
2845 }
2846
2847 if (unlikely(!nr_events))
2848 return 0;
2849
2850 io_commit_cqring(ctx);
2851 io_cqring_ev_posted_iopoll(ctx);
2852 pos = start ? start->next : ctx->iopoll_list.first;
2853 wq_list_cut(&ctx->iopoll_list, prev, start);
2854 io_free_batch_list(ctx, pos);
2855 return nr_events;
2856 }
2857
2858 /*
2859 * We can't just wait for polled events to come to us, we have to actively
2860 * find and complete them.
2861 */
2862 static __cold void io_iopoll_try_reap_events(struct io_ring_ctx *ctx)
2863 {
2864 if (!(ctx->flags & IORING_SETUP_IOPOLL))
2865 return;
2866
2867 mutex_lock(&ctx->uring_lock);
2868 while (!wq_list_empty(&ctx->iopoll_list)) {
2869 /* let it sleep and repeat later if can't complete a request */
2870 if (io_do_iopoll(ctx, true) == 0)
2871 break;
2872 /*
2873 * Ensure we allow local-to-the-cpu processing to take place,
2874 * in this case we need to ensure that we reap all events.
2875 * Also let task_work, etc. to progress by releasing the mutex
2876 */
2877 if (need_resched()) {
2878 mutex_unlock(&ctx->uring_lock);
2879 cond_resched();
2880 mutex_lock(&ctx->uring_lock);
2881 }
2882 }
2883 mutex_unlock(&ctx->uring_lock);
2884 }
2885
2886 static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
2887 {
2888 unsigned int nr_events = 0;
2889 int ret = 0;
2890
2891 /*
2892 * We disallow the app entering submit/complete with polling, but we
2893 * still need to lock the ring to prevent racing with polled issue
2894 * that got punted to a workqueue.
2895 */
2896 mutex_lock(&ctx->uring_lock);
2897 /*
2898 * Don't enter poll loop if we already have events pending.
2899 * If we do, we can potentially be spinning for commands that
2900 * already triggered a CQE (eg in error).
2901 */
2902 if (test_bit(0, &ctx->check_cq_overflow))
2903 __io_cqring_overflow_flush(ctx, false);
2904 if (io_cqring_events(ctx))
2905 goto out;
2906 do {
2907 /*
2908 * If a submit got punted to a workqueue, we can have the
2909 * application entering polling for a command before it gets
2910 * issued. That app will hold the uring_lock for the duration
2911 * of the poll right here, so we need to take a breather every
2912 * now and then to ensure that the issue has a chance to add
2913 * the poll to the issued list. Otherwise we can spin here
2914 * forever, while the workqueue is stuck trying to acquire the
2915 * very same mutex.
2916 */
2917 if (wq_list_empty(&ctx->iopoll_list)) {
2918 u32 tail = ctx->cached_cq_tail;
2919
2920 mutex_unlock(&ctx->uring_lock);
2921 io_run_task_work();
2922 mutex_lock(&ctx->uring_lock);
2923
2924 /* some requests don't go through iopoll_list */
2925 if (tail != ctx->cached_cq_tail ||
2926 wq_list_empty(&ctx->iopoll_list))
2927 break;
2928 }
2929 ret = io_do_iopoll(ctx, !min);
2930 if (ret < 0)
2931 break;
2932 nr_events += ret;
2933 ret = 0;
2934 } while (nr_events < min && !need_resched());
2935 out:
2936 mutex_unlock(&ctx->uring_lock);
2937 return ret;
2938 }
2939
2940 static void kiocb_end_write(struct io_kiocb *req)
2941 {
2942 /*
2943 * Tell lockdep we inherited freeze protection from submission
2944 * thread.
2945 */
2946 if (req->flags & REQ_F_ISREG) {
2947 struct super_block *sb = file_inode(req->file)->i_sb;
2948
2949 __sb_writers_acquired(sb, SB_FREEZE_WRITE);
2950 sb_end_write(sb);
2951 }
2952 }
2953
2954 #ifdef CONFIG_BLOCK
2955 static bool io_resubmit_prep(struct io_kiocb *req)
2956 {
2957 struct io_async_rw *rw = req->async_data;
2958
2959 if (!req_has_async_data(req))
2960 return !io_req_prep_async(req);
2961 iov_iter_restore(&rw->s.iter, &rw->s.iter_state);
2962 return true;
2963 }
2964
2965 static bool io_rw_should_reissue(struct io_kiocb *req)
2966 {
2967 umode_t mode = file_inode(req->file)->i_mode;
2968 struct io_ring_ctx *ctx = req->ctx;
2969
2970 if (!S_ISBLK(mode) && !S_ISREG(mode))
2971 return false;
2972 if ((req->flags & REQ_F_NOWAIT) || (io_wq_current_is_worker() &&
2973 !(ctx->flags & IORING_SETUP_IOPOLL)))
2974 return false;
2975 /*
2976 * If ref is dying, we might be running poll reap from the exit work.
2977 * Don't attempt to reissue from that path, just let it fail with
2978 * -EAGAIN.
2979 */
2980 if (percpu_ref_is_dying(&ctx->refs))
2981 return false;
2982 /*
2983 * Play it safe and assume not safe to re-import and reissue if we're
2984 * not in the original thread group (or in task context).
2985 */
2986 if (!same_thread_group(req->task, current) || !in_task())
2987 return false;
2988 return true;
2989 }
2990 #else
2991 static bool io_resubmit_prep(struct io_kiocb *req)
2992 {
2993 return false;
2994 }
2995 static bool io_rw_should_reissue(struct io_kiocb *req)
2996 {
2997 return false;
2998 }
2999 #endif
3000
3001 static bool __io_complete_rw_common(struct io_kiocb *req, long res)
3002 {
3003 if (req->rw.kiocb.ki_flags & IOCB_WRITE) {
3004 kiocb_end_write(req);
3005 fsnotify_modify(req->file);
3006 } else {
3007 fsnotify_access(req->file);
3008 }
3009 if (unlikely(res != req->result)) {
3010 if ((res == -EAGAIN || res == -EOPNOTSUPP) &&
3011 io_rw_should_reissue(req)) {
3012 req->flags |= REQ_F_REISSUE;
3013 return true;
3014 }
3015 req_set_fail(req);
3016 req->result = res;
3017 }
3018 return false;
3019 }
3020
3021 static inline void io_req_task_complete(struct io_kiocb *req, bool *locked)
3022 {
3023 int res = req->result;
3024
3025 if (*locked) {
3026 io_req_complete_state(req, res, io_put_kbuf(req, 0));
3027 io_req_add_compl_list(req);
3028 } else {
3029 io_req_complete_post(req, res,
3030 io_put_kbuf(req, IO_URING_F_UNLOCKED));
3031 }
3032 }
3033
3034 static void __io_complete_rw(struct io_kiocb *req, long res,
3035 unsigned int issue_flags)
3036 {
3037 if (__io_complete_rw_common(req, res))
3038 return;
3039 __io_req_complete(req, issue_flags, req->result,
3040 io_put_kbuf(req, issue_flags));
3041 }
3042
3043 static void io_complete_rw(struct kiocb *kiocb, long res)
3044 {
3045 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
3046
3047 if (__io_complete_rw_common(req, res))
3048 return;
3049 req->result = res;
3050 req->io_task_work.func = io_req_task_complete;
3051 io_req_task_work_add(req, !!(req->ctx->flags & IORING_SETUP_SQPOLL));
3052 }
3053
3054 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res)
3055 {
3056 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
3057
3058 if (kiocb->ki_flags & IOCB_WRITE)
3059 kiocb_end_write(req);
3060 if (unlikely(res != req->result)) {
3061 if (res == -EAGAIN && io_rw_should_reissue(req)) {
3062 req->flags |= REQ_F_REISSUE;
3063 return;
3064 }
3065 req->result = res;
3066 }
3067
3068 /* order with io_iopoll_complete() checking ->iopoll_completed */
3069 smp_store_release(&req->iopoll_completed, 1);
3070 }
3071
3072 /*
3073 * After the iocb has been issued, it's safe to be found on the poll list.
3074 * Adding the kiocb to the list AFTER submission ensures that we don't
3075 * find it from a io_do_iopoll() thread before the issuer is done
3076 * accessing the kiocb cookie.
3077 */
3078 static void io_iopoll_req_issued(struct io_kiocb *req, unsigned int issue_flags)
3079 {
3080 struct io_ring_ctx *ctx = req->ctx;
3081 const bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
3082
3083 /* workqueue context doesn't hold uring_lock, grab it now */
3084 if (unlikely(needs_lock))
3085 mutex_lock(&ctx->uring_lock);
3086
3087 /*
3088 * Track whether we have multiple files in our lists. This will impact
3089 * how we do polling eventually, not spinning if we're on potentially
3090 * different devices.
3091 */
3092 if (wq_list_empty(&ctx->iopoll_list)) {
3093 ctx->poll_multi_queue = false;
3094 } else if (!ctx->poll_multi_queue) {
3095 struct io_kiocb *list_req;
3096
3097 list_req = container_of(ctx->iopoll_list.first, struct io_kiocb,
3098 comp_list);
3099 if (list_req->file != req->file)
3100 ctx->poll_multi_queue = true;
3101 }
3102
3103 /*
3104 * For fast devices, IO may have already completed. If it has, add
3105 * it to the front so we find it first.
3106 */
3107 if (READ_ONCE(req->iopoll_completed))
3108 wq_list_add_head(&req->comp_list, &ctx->iopoll_list);
3109 else
3110 wq_list_add_tail(&req->comp_list, &ctx->iopoll_list);
3111
3112 if (unlikely(needs_lock)) {
3113 /*
3114 * If IORING_SETUP_SQPOLL is enabled, sqes are either handle
3115 * in sq thread task context or in io worker task context. If
3116 * current task context is sq thread, we don't need to check
3117 * whether should wake up sq thread.
3118 */
3119 if ((ctx->flags & IORING_SETUP_SQPOLL) &&
3120 wq_has_sleeper(&ctx->sq_data->wait))
3121 wake_up(&ctx->sq_data->wait);
3122
3123 mutex_unlock(&ctx->uring_lock);
3124 }
3125 }
3126
3127 static bool io_bdev_nowait(struct block_device *bdev)
3128 {
3129 return !bdev || blk_queue_nowait(bdev_get_queue(bdev));
3130 }
3131
3132 /*
3133 * If we tracked the file through the SCM inflight mechanism, we could support
3134 * any file. For now, just ensure that anything potentially problematic is done
3135 * inline.
3136 */
3137 static bool __io_file_supports_nowait(struct file *file, umode_t mode)
3138 {
3139 if (S_ISBLK(mode)) {
3140 if (IS_ENABLED(CONFIG_BLOCK) &&
3141 io_bdev_nowait(I_BDEV(file->f_mapping->host)))
3142 return true;
3143 return false;
3144 }
3145 if (S_ISSOCK(mode))
3146 return true;
3147 if (S_ISREG(mode)) {
3148 if (IS_ENABLED(CONFIG_BLOCK) &&
3149 io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&
3150 file->f_op != &io_uring_fops)
3151 return true;
3152 return false;
3153 }
3154
3155 /* any ->read/write should understand O_NONBLOCK */
3156 if (file->f_flags & O_NONBLOCK)
3157 return true;
3158 return file->f_mode & FMODE_NOWAIT;
3159 }
3160
3161 /*
3162 * If we tracked the file through the SCM inflight mechanism, we could support
3163 * any file. For now, just ensure that anything potentially problematic is done
3164 * inline.
3165 */
3166 static unsigned int io_file_get_flags(struct file *file)
3167 {
3168 umode_t mode = file_inode(file)->i_mode;
3169 unsigned int res = 0;
3170
3171 if (S_ISREG(mode))
3172 res |= FFS_ISREG;
3173 if (__io_file_supports_nowait(file, mode))
3174 res |= FFS_NOWAIT;
3175 return res;
3176 }
3177
3178 static inline bool io_file_supports_nowait(struct io_kiocb *req)
3179 {
3180 return req->flags & REQ_F_SUPPORT_NOWAIT;
3181 }
3182
3183 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3184 {
3185 struct kiocb *kiocb = &req->rw.kiocb;
3186 unsigned ioprio;
3187 int ret;
3188
3189 kiocb->ki_pos = READ_ONCE(sqe->off);
3190 /* used for fixed read/write too - just read unconditionally */
3191 req->buf_index = READ_ONCE(sqe->buf_index);
3192 req->imu = NULL;
3193
3194 if (req->opcode == IORING_OP_READ_FIXED ||
3195 req->opcode == IORING_OP_WRITE_FIXED) {
3196 struct io_ring_ctx *ctx = req->ctx;
3197 u16 index;
3198
3199 if (unlikely(req->buf_index >= ctx->nr_user_bufs))
3200 return -EFAULT;
3201 index = array_index_nospec(req->buf_index, ctx->nr_user_bufs);
3202 req->imu = ctx->user_bufs[index];
3203 io_req_set_rsrc_node(req, ctx, 0);
3204 }
3205
3206 ioprio = READ_ONCE(sqe->ioprio);
3207 if (ioprio) {
3208 ret = ioprio_check_cap(ioprio);
3209 if (ret)
3210 return ret;
3211
3212 kiocb->ki_ioprio = ioprio;
3213 } else {
3214 kiocb->ki_ioprio = get_current_ioprio();
3215 }
3216
3217 req->rw.addr = READ_ONCE(sqe->addr);
3218 req->rw.len = READ_ONCE(sqe->len);
3219 req->rw.flags = READ_ONCE(sqe->rw_flags);
3220 return 0;
3221 }
3222
3223 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
3224 {
3225 switch (ret) {
3226 case -EIOCBQUEUED:
3227 break;
3228 case -ERESTARTSYS:
3229 case -ERESTARTNOINTR:
3230 case -ERESTARTNOHAND:
3231 case -ERESTART_RESTARTBLOCK:
3232 /*
3233 * We can't just restart the syscall, since previously
3234 * submitted sqes may already be in progress. Just fail this
3235 * IO with EINTR.
3236 */
3237 ret = -EINTR;
3238 fallthrough;
3239 default:
3240 kiocb->ki_complete(kiocb, ret);
3241 }
3242 }
3243
3244 static inline loff_t *io_kiocb_update_pos(struct io_kiocb *req)
3245 {
3246 struct kiocb *kiocb = &req->rw.kiocb;
3247
3248 if (kiocb->ki_pos != -1)
3249 return &kiocb->ki_pos;
3250
3251 if (!(req->file->f_mode & FMODE_STREAM)) {
3252 req->flags |= REQ_F_CUR_POS;
3253 kiocb->ki_pos = req->file->f_pos;
3254 return &kiocb->ki_pos;
3255 }
3256
3257 kiocb->ki_pos = 0;
3258 return NULL;
3259 }
3260
3261 static void kiocb_done(struct io_kiocb *req, ssize_t ret,
3262 unsigned int issue_flags)
3263 {
3264 struct io_async_rw *io = req->async_data;
3265
3266 /* add previously done IO, if any */
3267 if (req_has_async_data(req) && io->bytes_done > 0) {
3268 if (ret < 0)
3269 ret = io->bytes_done;
3270 else
3271 ret += io->bytes_done;
3272 }
3273
3274 if (req->flags & REQ_F_CUR_POS)
3275 req->file->f_pos = req->rw.kiocb.ki_pos;
3276 if (ret >= 0 && (req->rw.kiocb.ki_complete == io_complete_rw))
3277 __io_complete_rw(req, ret, issue_flags);
3278 else
3279 io_rw_done(&req->rw.kiocb, ret);
3280
3281 if (req->flags & REQ_F_REISSUE) {
3282 req->flags &= ~REQ_F_REISSUE;
3283 if (io_resubmit_prep(req))
3284 io_req_task_queue_reissue(req);
3285 else
3286 io_req_task_queue_fail(req, ret);
3287 }
3288 }
3289
3290 static int __io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter,
3291 struct io_mapped_ubuf *imu)
3292 {
3293 size_t len = req->rw.len;
3294 u64 buf_end, buf_addr = req->rw.addr;
3295 size_t offset;
3296
3297 if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
3298 return -EFAULT;
3299 /* not inside the mapped region */
3300 if (unlikely(buf_addr < imu->ubuf || buf_end > imu->ubuf_end))
3301 return -EFAULT;
3302
3303 /*
3304 * May not be a start of buffer, set size appropriately
3305 * and advance us to the beginning.
3306 */
3307 offset = buf_addr - imu->ubuf;
3308 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
3309
3310 if (offset) {
3311 /*
3312 * Don't use iov_iter_advance() here, as it's really slow for
3313 * using the latter parts of a big fixed buffer - it iterates
3314 * over each segment manually. We can cheat a bit here, because
3315 * we know that:
3316 *
3317 * 1) it's a BVEC iter, we set it up
3318 * 2) all bvecs are PAGE_SIZE in size, except potentially the
3319 * first and last bvec
3320 *
3321 * So just find our index, and adjust the iterator afterwards.
3322 * If the offset is within the first bvec (or the whole first
3323 * bvec, just use iov_iter_advance(). This makes it easier
3324 * since we can just skip the first segment, which may not
3325 * be PAGE_SIZE aligned.
3326 */
3327 const struct bio_vec *bvec = imu->bvec;
3328
3329 if (offset <= bvec->bv_len) {
3330 iov_iter_advance(iter, offset);
3331 } else {
3332 unsigned long seg_skip;
3333
3334 /* skip first vec */
3335 offset -= bvec->bv_len;
3336 seg_skip = 1 + (offset >> PAGE_SHIFT);
3337
3338 iter->bvec = bvec + seg_skip;
3339 iter->nr_segs -= seg_skip;
3340 iter->count -= bvec->bv_len + offset;
3341 iter->iov_offset = offset & ~PAGE_MASK;
3342 }
3343 }
3344
3345 return 0;
3346 }
3347
3348 static int io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter,
3349 unsigned int issue_flags)
3350 {
3351 if (WARN_ON_ONCE(!req->imu))
3352 return -EFAULT;
3353 return __io_import_fixed(req, rw, iter, req->imu);
3354 }
3355
3356 static void io_ring_submit_unlock(struct io_ring_ctx *ctx, bool needs_lock)
3357 {
3358 if (needs_lock)
3359 mutex_unlock(&ctx->uring_lock);
3360 }
3361
3362 static void io_ring_submit_lock(struct io_ring_ctx *ctx, bool needs_lock)
3363 {
3364 /*
3365 * "Normal" inline submissions always hold the uring_lock, since we
3366 * grab it from the system call. Same is true for the SQPOLL offload.
3367 * The only exception is when we've detached the request and issue it
3368 * from an async worker thread, grab the lock for that case.
3369 */
3370 if (needs_lock)
3371 mutex_lock(&ctx->uring_lock);
3372 }
3373
3374 static void io_buffer_add_list(struct io_ring_ctx *ctx,
3375 struct io_buffer_list *bl, unsigned int bgid)
3376 {
3377 struct list_head *list;
3378
3379 list = &ctx->io_buffers[hash_32(bgid, IO_BUFFERS_HASH_BITS)];
3380 INIT_LIST_HEAD(&bl->buf_list);
3381 bl->bgid = bgid;
3382 list_add(&bl->list, list);
3383 }
3384
3385 static struct io_buffer *io_buffer_select(struct io_kiocb *req, size_t *len,
3386 int bgid, unsigned int issue_flags)
3387 {
3388 struct io_buffer *kbuf = req->kbuf;
3389 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
3390 struct io_ring_ctx *ctx = req->ctx;
3391 struct io_buffer_list *bl;
3392
3393 if (req->flags & REQ_F_BUFFER_SELECTED)
3394 return kbuf;
3395
3396 io_ring_submit_lock(ctx, needs_lock);
3397
3398 lockdep_assert_held(&ctx->uring_lock);
3399
3400 bl = io_buffer_get_list(ctx, bgid);
3401 if (bl && !list_empty(&bl->buf_list)) {
3402 kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
3403 list_del(&kbuf->list);
3404 if (*len > kbuf->len)
3405 *len = kbuf->len;
3406 req->flags |= REQ_F_BUFFER_SELECTED;
3407 req->kbuf = kbuf;
3408 } else {
3409 kbuf = ERR_PTR(-ENOBUFS);
3410 }
3411
3412 io_ring_submit_unlock(req->ctx, needs_lock);
3413 return kbuf;
3414 }
3415
3416 static void __user *io_rw_buffer_select(struct io_kiocb *req, size_t *len,
3417 unsigned int issue_flags)
3418 {
3419 struct io_buffer *kbuf;
3420 u16 bgid;
3421
3422 bgid = req->buf_index;
3423 kbuf = io_buffer_select(req, len, bgid, issue_flags);
3424 if (IS_ERR(kbuf))
3425 return kbuf;
3426 return u64_to_user_ptr(kbuf->addr);
3427 }
3428
3429 #ifdef CONFIG_COMPAT
3430 static ssize_t io_compat_import(struct io_kiocb *req, struct iovec *iov,
3431 unsigned int issue_flags)
3432 {
3433 struct compat_iovec __user *uiov;
3434 compat_ssize_t clen;
3435 void __user *buf;
3436 ssize_t len;
3437
3438 uiov = u64_to_user_ptr(req->rw.addr);
3439 if (!access_ok(uiov, sizeof(*uiov)))
3440 return -EFAULT;
3441 if (__get_user(clen, &uiov->iov_len))
3442 return -EFAULT;
3443 if (clen < 0)
3444 return -EINVAL;
3445
3446 len = clen;
3447 buf = io_rw_buffer_select(req, &len, issue_flags);
3448 if (IS_ERR(buf))
3449 return PTR_ERR(buf);
3450 iov[0].iov_base = buf;
3451 iov[0].iov_len = (compat_size_t) len;
3452 return 0;
3453 }
3454 #endif
3455
3456 static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3457 unsigned int issue_flags)
3458 {
3459 struct iovec __user *uiov = u64_to_user_ptr(req->rw.addr);
3460 void __user *buf;
3461 ssize_t len;
3462
3463 if (copy_from_user(iov, uiov, sizeof(*uiov)))
3464 return -EFAULT;
3465
3466 len = iov[0].iov_len;
3467 if (len < 0)
3468 return -EINVAL;
3469 buf = io_rw_buffer_select(req, &len, issue_flags);
3470 if (IS_ERR(buf))
3471 return PTR_ERR(buf);
3472 iov[0].iov_base = buf;
3473 iov[0].iov_len = len;
3474 return 0;
3475 }
3476
3477 static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
3478 unsigned int issue_flags)
3479 {
3480 if (req->flags & REQ_F_BUFFER_SELECTED) {
3481 struct io_buffer *kbuf = req->kbuf;
3482
3483 iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
3484 iov[0].iov_len = kbuf->len;
3485 return 0;
3486 }
3487 if (req->rw.len != 1)
3488 return -EINVAL;
3489
3490 #ifdef CONFIG_COMPAT
3491 if (req->ctx->compat)
3492 return io_compat_import(req, iov, issue_flags);
3493 #endif
3494
3495 return __io_iov_buffer_select(req, iov, issue_flags);
3496 }
3497
3498 static inline bool io_do_buffer_select(struct io_kiocb *req)
3499 {
3500 if (!(req->flags & REQ_F_BUFFER_SELECT))
3501 return false;
3502 return !(req->flags & REQ_F_BUFFER_SELECTED);
3503 }
3504
3505 static struct iovec *__io_import_iovec(int rw, struct io_kiocb *req,
3506 struct io_rw_state *s,
3507 unsigned int issue_flags)
3508 {
3509 struct iov_iter *iter = &s->iter;
3510 u8 opcode = req->opcode;
3511 struct iovec *iovec;
3512 void __user *buf;
3513 size_t sqe_len;
3514 ssize_t ret;
3515
3516 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
3517 ret = io_import_fixed(req, rw, iter, issue_flags);
3518 if (ret)
3519 return ERR_PTR(ret);
3520 return NULL;
3521 }
3522
3523 /* buffer index only valid with fixed read/write, or buffer select */
3524 if (unlikely(req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT)))
3525 return ERR_PTR(-EINVAL);
3526
3527 buf = u64_to_user_ptr(req->rw.addr);
3528 sqe_len = req->rw.len;
3529
3530 if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
3531 if (req->flags & REQ_F_BUFFER_SELECT) {
3532 buf = io_rw_buffer_select(req, &sqe_len, issue_flags);
3533 if (IS_ERR(buf))
3534 return ERR_CAST(buf);
3535 req->rw.len = sqe_len;
3536 }
3537
3538 ret = import_single_range(rw, buf, sqe_len, s->fast_iov, iter);
3539 if (ret)
3540 return ERR_PTR(ret);
3541 return NULL;
3542 }
3543
3544 iovec = s->fast_iov;
3545 if (req->flags & REQ_F_BUFFER_SELECT) {
3546 ret = io_iov_buffer_select(req, iovec, issue_flags);
3547 if (ret)
3548 return ERR_PTR(ret);
3549 iov_iter_init(iter, rw, iovec, 1, iovec->iov_len);
3550 return NULL;
3551 }
3552
3553 ret = __import_iovec(rw, buf, sqe_len, UIO_FASTIOV, &iovec, iter,
3554 req->ctx->compat);
3555 if (unlikely(ret < 0))
3556 return ERR_PTR(ret);
3557 return iovec;
3558 }
3559
3560 static inline int io_import_iovec(int rw, struct io_kiocb *req,
3561 struct iovec **iovec, struct io_rw_state *s,
3562 unsigned int issue_flags)
3563 {
3564 *iovec = __io_import_iovec(rw, req, s, issue_flags);
3565 if (unlikely(IS_ERR(*iovec)))
3566 return PTR_ERR(*iovec);
3567
3568 iov_iter_save_state(&s->iter, &s->iter_state);
3569 return 0;
3570 }
3571
3572 static inline loff_t *io_kiocb_ppos(struct kiocb *kiocb)
3573 {
3574 return (kiocb->ki_filp->f_mode & FMODE_STREAM) ? NULL : &kiocb->ki_pos;
3575 }
3576
3577 /*
3578 * For files that don't have ->read_iter() and ->write_iter(), handle them
3579 * by looping over ->read() or ->write() manually.
3580 */
3581 static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
3582 {
3583 struct kiocb *kiocb = &req->rw.kiocb;
3584 struct file *file = req->file;
3585 ssize_t ret = 0;
3586 loff_t *ppos;
3587
3588 /*
3589 * Don't support polled IO through this interface, and we can't
3590 * support non-blocking either. For the latter, this just causes
3591 * the kiocb to be handled from an async context.
3592 */
3593 if (kiocb->ki_flags & IOCB_HIPRI)
3594 return -EOPNOTSUPP;
3595 if ((kiocb->ki_flags & IOCB_NOWAIT) &&
3596 !(kiocb->ki_filp->f_flags & O_NONBLOCK))
3597 return -EAGAIN;
3598
3599 ppos = io_kiocb_ppos(kiocb);
3600
3601 while (iov_iter_count(iter)) {
3602 struct iovec iovec;
3603 ssize_t nr;
3604
3605 if (!iov_iter_is_bvec(iter)) {
3606 iovec = iov_iter_iovec(iter);
3607 } else {
3608 iovec.iov_base = u64_to_user_ptr(req->rw.addr);
3609 iovec.iov_len = req->rw.len;
3610 }
3611
3612 if (rw == READ) {
3613 nr = file->f_op->read(file, iovec.iov_base,
3614 iovec.iov_len, ppos);
3615 } else {
3616 nr = file->f_op->write(file, iovec.iov_base,
3617 iovec.iov_len, ppos);
3618 }
3619
3620 if (nr < 0) {
3621 if (!ret)
3622 ret = nr;
3623 break;
3624 }
3625 ret += nr;
3626 if (!iov_iter_is_bvec(iter)) {
3627 iov_iter_advance(iter, nr);
3628 } else {
3629 req->rw.addr += nr;
3630 req->rw.len -= nr;
3631 if (!req->rw.len)
3632 break;
3633 }
3634 if (nr != iovec.iov_len)
3635 break;
3636 }
3637
3638 return ret;
3639 }
3640
3641 static void io_req_map_rw(struct io_kiocb *req, const struct iovec *iovec,
3642 const struct iovec *fast_iov, struct iov_iter *iter)
3643 {
3644 struct io_async_rw *rw = req->async_data;
3645
3646 memcpy(&rw->s.iter, iter, sizeof(*iter));
3647 rw->free_iovec = iovec;
3648 rw->bytes_done = 0;
3649 /* can only be fixed buffers, no need to do anything */
3650 if (iov_iter_is_bvec(iter))
3651 return;
3652 if (!iovec) {
3653 unsigned iov_off = 0;
3654
3655 rw->s.iter.iov = rw->s.fast_iov;
3656 if (iter->iov != fast_iov) {
3657 iov_off = iter->iov - fast_iov;
3658 rw->s.iter.iov += iov_off;
3659 }
3660 if (rw->s.fast_iov != fast_iov)
3661 memcpy(rw->s.fast_iov + iov_off, fast_iov + iov_off,
3662 sizeof(struct iovec) * iter->nr_segs);
3663 } else {
3664 req->flags |= REQ_F_NEED_CLEANUP;
3665 }
3666 }
3667
3668 static inline bool io_alloc_async_data(struct io_kiocb *req)
3669 {
3670 WARN_ON_ONCE(!io_op_defs[req->opcode].async_size);
3671 req->async_data = kmalloc(io_op_defs[req->opcode].async_size, GFP_KERNEL);
3672 if (req->async_data) {
3673 req->flags |= REQ_F_ASYNC_DATA;
3674 return false;
3675 }
3676 return true;
3677 }
3678
3679 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
3680 struct io_rw_state *s, bool force)
3681 {
3682 if (!force && !io_op_defs[req->opcode].needs_async_setup)
3683 return 0;
3684 if (!req_has_async_data(req)) {
3685 struct io_async_rw *iorw;
3686
3687 if (io_alloc_async_data(req)) {
3688 kfree(iovec);
3689 return -ENOMEM;
3690 }
3691
3692 io_req_map_rw(req, iovec, s->fast_iov, &s->iter);
3693 iorw = req->async_data;
3694 /* we've copied and mapped the iter, ensure state is saved */
3695 iov_iter_save_state(&iorw->s.iter, &iorw->s.iter_state);
3696 }
3697 return 0;
3698 }
3699
3700 static inline int io_rw_prep_async(struct io_kiocb *req, int rw)
3701 {
3702 struct io_async_rw *iorw = req->async_data;
3703 struct iovec *iov;
3704 int ret;
3705
3706 /* submission path, ->uring_lock should already be taken */
3707 ret = io_import_iovec(rw, req, &iov, &iorw->s, 0);
3708 if (unlikely(ret < 0))
3709 return ret;
3710
3711 iorw->bytes_done = 0;
3712 iorw->free_iovec = iov;
3713 if (iov)
3714 req->flags |= REQ_F_NEED_CLEANUP;
3715 return 0;
3716 }
3717
3718 /*
3719 * This is our waitqueue callback handler, registered through __folio_lock_async()
3720 * when we initially tried to do the IO with the iocb armed our waitqueue.
3721 * This gets called when the page is unlocked, and we generally expect that to
3722 * happen when the page IO is completed and the page is now uptodate. This will
3723 * queue a task_work based retry of the operation, attempting to copy the data
3724 * again. If the latter fails because the page was NOT uptodate, then we will
3725 * do a thread based blocking retry of the operation. That's the unexpected
3726 * slow path.
3727 */
3728 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
3729 int sync, void *arg)
3730 {
3731 struct wait_page_queue *wpq;
3732 struct io_kiocb *req = wait->private;
3733 struct wait_page_key *key = arg;
3734
3735 wpq = container_of(wait, struct wait_page_queue, wait);
3736
3737 if (!wake_page_match(wpq, key))
3738 return 0;
3739
3740 req->rw.kiocb.ki_flags &= ~IOCB_WAITQ;
3741 list_del_init(&wait->entry);
3742 io_req_task_queue(req);
3743 return 1;
3744 }
3745
3746 /*
3747 * This controls whether a given IO request should be armed for async page
3748 * based retry. If we return false here, the request is handed to the async
3749 * worker threads for retry. If we're doing buffered reads on a regular file,
3750 * we prepare a private wait_page_queue entry and retry the operation. This
3751 * will either succeed because the page is now uptodate and unlocked, or it
3752 * will register a callback when the page is unlocked at IO completion. Through
3753 * that callback, io_uring uses task_work to setup a retry of the operation.
3754 * That retry will attempt the buffered read again. The retry will generally
3755 * succeed, or in rare cases where it fails, we then fall back to using the
3756 * async worker threads for a blocking retry.
3757 */
3758 static bool io_rw_should_retry(struct io_kiocb *req)
3759 {
3760 struct io_async_rw *rw = req->async_data;
3761 struct wait_page_queue *wait = &rw->wpq;
3762 struct kiocb *kiocb = &req->rw.kiocb;
3763
3764 /* never retry for NOWAIT, we just complete with -EAGAIN */
3765 if (req->flags & REQ_F_NOWAIT)
3766 return false;
3767
3768 /* Only for buffered IO */
3769 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_HIPRI))
3770 return false;
3771
3772 /*
3773 * just use poll if we can, and don't attempt if the fs doesn't
3774 * support callback based unlocks
3775 */
3776 if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
3777 return false;
3778
3779 wait->wait.func = io_async_buf_func;
3780 wait->wait.private = req;
3781 wait->wait.flags = 0;
3782 INIT_LIST_HEAD(&wait->wait.entry);
3783 kiocb->ki_flags |= IOCB_WAITQ;
3784 kiocb->ki_flags &= ~IOCB_NOWAIT;
3785 kiocb->ki_waitq = wait;
3786 return true;
3787 }
3788
3789 static inline int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter)
3790 {
3791 if (likely(req->file->f_op->read_iter))
3792 return call_read_iter(req->file, &req->rw.kiocb, iter);
3793 else if (req->file->f_op->read)
3794 return loop_rw_iter(READ, req, iter);
3795 else
3796 return -EINVAL;
3797 }
3798
3799 static bool need_read_all(struct io_kiocb *req)
3800 {
3801 return req->flags & REQ_F_ISREG ||
3802 S_ISBLK(file_inode(req->file)->i_mode);
3803 }
3804
3805 static int io_rw_init_file(struct io_kiocb *req, fmode_t mode)
3806 {
3807 struct kiocb *kiocb = &req->rw.kiocb;
3808 struct io_ring_ctx *ctx = req->ctx;
3809 struct file *file = req->file;
3810 int ret;
3811
3812 if (unlikely(!file || !(file->f_mode & mode)))
3813 return -EBADF;
3814
3815 if (!io_req_ffs_set(req))
3816 req->flags |= io_file_get_flags(file) << REQ_F_SUPPORT_NOWAIT_BIT;
3817
3818 kiocb->ki_flags = iocb_flags(file);
3819 ret = kiocb_set_rw_flags(kiocb, req->rw.flags);
3820 if (unlikely(ret))
3821 return ret;
3822
3823 /*
3824 * If the file is marked O_NONBLOCK, still allow retry for it if it
3825 * supports async. Otherwise it's impossible to use O_NONBLOCK files
3826 * reliably. If not, or it IOCB_NOWAIT is set, don't retry.
3827 */
3828 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
3829 ((file->f_flags & O_NONBLOCK) && !io_file_supports_nowait(req)))
3830 req->flags |= REQ_F_NOWAIT;
3831
3832 if (ctx->flags & IORING_SETUP_IOPOLL) {
3833 if (!(kiocb->ki_flags & IOCB_DIRECT) || !file->f_op->iopoll)
3834 return -EOPNOTSUPP;
3835
3836 kiocb->private = NULL;
3837 kiocb->ki_flags |= IOCB_HIPRI | IOCB_ALLOC_CACHE;
3838 kiocb->ki_complete = io_complete_rw_iopoll;
3839 req->iopoll_completed = 0;
3840 } else {
3841 if (kiocb->ki_flags & IOCB_HIPRI)
3842 return -EINVAL;
3843 kiocb->ki_complete = io_complete_rw;
3844 }
3845
3846 return 0;
3847 }
3848
3849 static int io_read(struct io_kiocb *req, unsigned int issue_flags)
3850 {
3851 struct io_rw_state __s, *s = &__s;
3852 struct iovec *iovec;
3853 struct kiocb *kiocb = &req->rw.kiocb;
3854 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3855 struct io_async_rw *rw;
3856 ssize_t ret, ret2;
3857 loff_t *ppos;
3858
3859 if (!req_has_async_data(req)) {
3860 ret = io_import_iovec(READ, req, &iovec, s, issue_flags);
3861 if (unlikely(ret < 0))
3862 return ret;
3863 } else {
3864 rw = req->async_data;
3865 s = &rw->s;
3866
3867 /*
3868 * Safe and required to re-import if we're using provided
3869 * buffers, as we dropped the selected one before retry.
3870 */
3871 if (io_do_buffer_select(req)) {
3872 ret = io_import_iovec(READ, req, &iovec, s, issue_flags);
3873 if (unlikely(ret < 0))
3874 return ret;
3875 }
3876
3877 /*
3878 * We come here from an earlier attempt, restore our state to
3879 * match in case it doesn't. It's cheap enough that we don't
3880 * need to make this conditional.
3881 */
3882 iov_iter_restore(&s->iter, &s->iter_state);
3883 iovec = NULL;
3884 }
3885 ret = io_rw_init_file(req, FMODE_READ);
3886 if (unlikely(ret)) {
3887 kfree(iovec);
3888 return ret;
3889 }
3890 req->result = iov_iter_count(&s->iter);
3891
3892 if (force_nonblock) {
3893 /* If the file doesn't support async, just async punt */
3894 if (unlikely(!io_file_supports_nowait(req))) {
3895 ret = io_setup_async_rw(req, iovec, s, true);
3896 return ret ?: -EAGAIN;
3897 }
3898 kiocb->ki_flags |= IOCB_NOWAIT;
3899 } else {
3900 /* Ensure we clear previously set non-block flag */
3901 kiocb->ki_flags &= ~IOCB_NOWAIT;
3902 }
3903
3904 ppos = io_kiocb_update_pos(req);
3905
3906 ret = rw_verify_area(READ, req->file, ppos, req->result);
3907 if (unlikely(ret)) {
3908 kfree(iovec);
3909 return ret;
3910 }
3911
3912 ret = io_iter_do_read(req, &s->iter);
3913
3914 if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
3915 req->flags &= ~REQ_F_REISSUE;
3916 /* if we can poll, just do that */
3917 if (req->opcode == IORING_OP_READ && file_can_poll(req->file))
3918 return -EAGAIN;
3919 /* IOPOLL retry should happen for io-wq threads */
3920 if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
3921 goto done;
3922 /* no retry on NONBLOCK nor RWF_NOWAIT */
3923 if (req->flags & REQ_F_NOWAIT)
3924 goto done;
3925 ret = 0;
3926 } else if (ret == -EIOCBQUEUED) {
3927 goto out_free;
3928 } else if (ret == req->result || ret <= 0 || !force_nonblock ||
3929 (req->flags & REQ_F_NOWAIT) || !need_read_all(req)) {
3930 /* read all, failed, already did sync or don't want to retry */
3931 goto done;
3932 }
3933
3934 /*
3935 * Don't depend on the iter state matching what was consumed, or being
3936 * untouched in case of error. Restore it and we'll advance it
3937 * manually if we need to.
3938 */
3939 iov_iter_restore(&s->iter, &s->iter_state);
3940
3941 ret2 = io_setup_async_rw(req, iovec, s, true);
3942 if (ret2)
3943 return ret2;
3944
3945 iovec = NULL;
3946 rw = req->async_data;
3947 s = &rw->s;
3948 /*
3949 * Now use our persistent iterator and state, if we aren't already.
3950 * We've restored and mapped the iter to match.
3951 */
3952
3953 do {
3954 /*
3955 * We end up here because of a partial read, either from
3956 * above or inside this loop. Advance the iter by the bytes
3957 * that were consumed.
3958 */
3959 iov_iter_advance(&s->iter, ret);
3960 if (!iov_iter_count(&s->iter))
3961 break;
3962 rw->bytes_done += ret;
3963 iov_iter_save_state(&s->iter, &s->iter_state);
3964
3965 /* if we can retry, do so with the callbacks armed */
3966 if (!io_rw_should_retry(req)) {
3967 kiocb->ki_flags &= ~IOCB_WAITQ;
3968 return -EAGAIN;
3969 }
3970
3971 /*
3972 * Now retry read with the IOCB_WAITQ parts set in the iocb. If
3973 * we get -EIOCBQUEUED, then we'll get a notification when the
3974 * desired page gets unlocked. We can also get a partial read
3975 * here, and if we do, then just retry at the new offset.
3976 */
3977 ret = io_iter_do_read(req, &s->iter);
3978 if (ret == -EIOCBQUEUED)
3979 return 0;
3980 /* we got some bytes, but not all. retry. */
3981 kiocb->ki_flags &= ~IOCB_WAITQ;
3982 iov_iter_restore(&s->iter, &s->iter_state);
3983 } while (ret > 0);
3984 done:
3985 kiocb_done(req, ret, issue_flags);
3986 out_free:
3987 /* it's faster to check here then delegate to kfree */
3988 if (iovec)
3989 kfree(iovec);
3990 return 0;
3991 }
3992
3993 static int io_write(struct io_kiocb *req, unsigned int issue_flags)
3994 {
3995 struct io_rw_state __s, *s = &__s;
3996 struct iovec *iovec;
3997 struct kiocb *kiocb = &req->rw.kiocb;
3998 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
3999 ssize_t ret, ret2;
4000 loff_t *ppos;
4001
4002 if (!req_has_async_data(req)) {
4003 ret = io_import_iovec(WRITE, req, &iovec, s, issue_flags);
4004 if (unlikely(ret < 0))
4005 return ret;
4006 } else {
4007 struct io_async_rw *rw = req->async_data;
4008
4009 s = &rw->s;
4010 iov_iter_restore(&s->iter, &s->iter_state);
4011 iovec = NULL;
4012 }
4013 ret = io_rw_init_file(req, FMODE_WRITE);
4014 if (unlikely(ret)) {
4015 kfree(iovec);
4016 return ret;
4017 }
4018 req->result = iov_iter_count(&s->iter);
4019
4020 if (force_nonblock) {
4021 /* If the file doesn't support async, just async punt */
4022 if (unlikely(!io_file_supports_nowait(req)))
4023 goto copy_iov;
4024
4025 /* file path doesn't support NOWAIT for non-direct_IO */
4026 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
4027 (req->flags & REQ_F_ISREG))
4028 goto copy_iov;
4029
4030 kiocb->ki_flags |= IOCB_NOWAIT;
4031 } else {
4032 /* Ensure we clear previously set non-block flag */
4033 kiocb->ki_flags &= ~IOCB_NOWAIT;
4034 }
4035
4036 ppos = io_kiocb_update_pos(req);
4037
4038 ret = rw_verify_area(WRITE, req->file, ppos, req->result);
4039 if (unlikely(ret))
4040 goto out_free;
4041
4042 /*
4043 * Open-code file_start_write here to grab freeze protection,
4044 * which will be released by another thread in
4045 * io_complete_rw(). Fool lockdep by telling it the lock got
4046 * released so that it doesn't complain about the held lock when
4047 * we return to userspace.
4048 */
4049 if (req->flags & REQ_F_ISREG) {
4050 sb_start_write(file_inode(req->file)->i_sb);
4051 __sb_writers_release(file_inode(req->file)->i_sb,
4052 SB_FREEZE_WRITE);
4053 }
4054 kiocb->ki_flags |= IOCB_WRITE;
4055
4056 if (likely(req->file->f_op->write_iter))
4057 ret2 = call_write_iter(req->file, kiocb, &s->iter);
4058 else if (req->file->f_op->write)
4059 ret2 = loop_rw_iter(WRITE, req, &s->iter);
4060 else
4061 ret2 = -EINVAL;
4062
4063 if (req->flags & REQ_F_REISSUE) {
4064 req->flags &= ~REQ_F_REISSUE;
4065 ret2 = -EAGAIN;
4066 }
4067
4068 /*
4069 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
4070 * retry them without IOCB_NOWAIT.
4071 */
4072 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
4073 ret2 = -EAGAIN;
4074 /* no retry on NONBLOCK nor RWF_NOWAIT */
4075 if (ret2 == -EAGAIN && (req->flags & REQ_F_NOWAIT))
4076 goto done;
4077 if (!force_nonblock || ret2 != -EAGAIN) {
4078 /* IOPOLL retry should happen for io-wq threads */
4079 if (ret2 == -EAGAIN && (req->ctx->flags & IORING_SETUP_IOPOLL))
4080 goto copy_iov;
4081 done:
4082 kiocb_done(req, ret2, issue_flags);
4083 } else {
4084 copy_iov:
4085 iov_iter_restore(&s->iter, &s->iter_state);
4086 ret = io_setup_async_rw(req, iovec, s, false);
4087 return ret ?: -EAGAIN;
4088 }
4089 out_free:
4090 /* it's reportedly faster than delegating the null check to kfree() */
4091 if (iovec)
4092 kfree(iovec);
4093 return ret;
4094 }
4095
4096 static int io_renameat_prep(struct io_kiocb *req,
4097 const struct io_uring_sqe *sqe)
4098 {
4099 struct io_rename *ren = &req->rename;
4100 const char __user *oldf, *newf;
4101
4102 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4103 return -EINVAL;
4104 if (sqe->ioprio || sqe->buf_index || sqe->splice_fd_in)
4105 return -EINVAL;
4106 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4107 return -EBADF;
4108
4109 ren->old_dfd = READ_ONCE(sqe->fd);
4110 oldf = u64_to_user_ptr(READ_ONCE(sqe->addr));
4111 newf = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4112 ren->new_dfd = READ_ONCE(sqe->len);
4113 ren->flags = READ_ONCE(sqe->rename_flags);
4114
4115 ren->oldpath = getname(oldf);
4116 if (IS_ERR(ren->oldpath))
4117 return PTR_ERR(ren->oldpath);
4118
4119 ren->newpath = getname(newf);
4120 if (IS_ERR(ren->newpath)) {
4121 putname(ren->oldpath);
4122 return PTR_ERR(ren->newpath);
4123 }
4124
4125 req->flags |= REQ_F_NEED_CLEANUP;
4126 return 0;
4127 }
4128
4129 static int io_renameat(struct io_kiocb *req, unsigned int issue_flags)
4130 {
4131 struct io_rename *ren = &req->rename;
4132 int ret;
4133
4134 if (issue_flags & IO_URING_F_NONBLOCK)
4135 return -EAGAIN;
4136
4137 ret = do_renameat2(ren->old_dfd, ren->oldpath, ren->new_dfd,
4138 ren->newpath, ren->flags);
4139
4140 req->flags &= ~REQ_F_NEED_CLEANUP;
4141 if (ret < 0)
4142 req_set_fail(req);
4143 io_req_complete(req, ret);
4144 return 0;
4145 }
4146
4147 static int io_unlinkat_prep(struct io_kiocb *req,
4148 const struct io_uring_sqe *sqe)
4149 {
4150 struct io_unlink *un = &req->unlink;
4151 const char __user *fname;
4152
4153 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4154 return -EINVAL;
4155 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
4156 sqe->splice_fd_in)
4157 return -EINVAL;
4158 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4159 return -EBADF;
4160
4161 un->dfd = READ_ONCE(sqe->fd);
4162
4163 un->flags = READ_ONCE(sqe->unlink_flags);
4164 if (un->flags & ~AT_REMOVEDIR)
4165 return -EINVAL;
4166
4167 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
4168 un->filename = getname(fname);
4169 if (IS_ERR(un->filename))
4170 return PTR_ERR(un->filename);
4171
4172 req->flags |= REQ_F_NEED_CLEANUP;
4173 return 0;
4174 }
4175
4176 static int io_unlinkat(struct io_kiocb *req, unsigned int issue_flags)
4177 {
4178 struct io_unlink *un = &req->unlink;
4179 int ret;
4180
4181 if (issue_flags & IO_URING_F_NONBLOCK)
4182 return -EAGAIN;
4183
4184 if (un->flags & AT_REMOVEDIR)
4185 ret = do_rmdir(un->dfd, un->filename);
4186 else
4187 ret = do_unlinkat(un->dfd, un->filename);
4188
4189 req->flags &= ~REQ_F_NEED_CLEANUP;
4190 if (ret < 0)
4191 req_set_fail(req);
4192 io_req_complete(req, ret);
4193 return 0;
4194 }
4195
4196 static int io_mkdirat_prep(struct io_kiocb *req,
4197 const struct io_uring_sqe *sqe)
4198 {
4199 struct io_mkdir *mkd = &req->mkdir;
4200 const char __user *fname;
4201
4202 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4203 return -EINVAL;
4204 if (sqe->ioprio || sqe->off || sqe->rw_flags || sqe->buf_index ||
4205 sqe->splice_fd_in)
4206 return -EINVAL;
4207 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4208 return -EBADF;
4209
4210 mkd->dfd = READ_ONCE(sqe->fd);
4211 mkd->mode = READ_ONCE(sqe->len);
4212
4213 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
4214 mkd->filename = getname(fname);
4215 if (IS_ERR(mkd->filename))
4216 return PTR_ERR(mkd->filename);
4217
4218 req->flags |= REQ_F_NEED_CLEANUP;
4219 return 0;
4220 }
4221
4222 static int io_mkdirat(struct io_kiocb *req, unsigned int issue_flags)
4223 {
4224 struct io_mkdir *mkd = &req->mkdir;
4225 int ret;
4226
4227 if (issue_flags & IO_URING_F_NONBLOCK)
4228 return -EAGAIN;
4229
4230 ret = do_mkdirat(mkd->dfd, mkd->filename, mkd->mode);
4231
4232 req->flags &= ~REQ_F_NEED_CLEANUP;
4233 if (ret < 0)
4234 req_set_fail(req);
4235 io_req_complete(req, ret);
4236 return 0;
4237 }
4238
4239 static int io_symlinkat_prep(struct io_kiocb *req,
4240 const struct io_uring_sqe *sqe)
4241 {
4242 struct io_symlink *sl = &req->symlink;
4243 const char __user *oldpath, *newpath;
4244
4245 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4246 return -EINVAL;
4247 if (sqe->ioprio || sqe->len || sqe->rw_flags || sqe->buf_index ||
4248 sqe->splice_fd_in)
4249 return -EINVAL;
4250 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4251 return -EBADF;
4252
4253 sl->new_dfd = READ_ONCE(sqe->fd);
4254 oldpath = u64_to_user_ptr(READ_ONCE(sqe->addr));
4255 newpath = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4256
4257 sl->oldpath = getname(oldpath);
4258 if (IS_ERR(sl->oldpath))
4259 return PTR_ERR(sl->oldpath);
4260
4261 sl->newpath = getname(newpath);
4262 if (IS_ERR(sl->newpath)) {
4263 putname(sl->oldpath);
4264 return PTR_ERR(sl->newpath);
4265 }
4266
4267 req->flags |= REQ_F_NEED_CLEANUP;
4268 return 0;
4269 }
4270
4271 static int io_symlinkat(struct io_kiocb *req, unsigned int issue_flags)
4272 {
4273 struct io_symlink *sl = &req->symlink;
4274 int ret;
4275
4276 if (issue_flags & IO_URING_F_NONBLOCK)
4277 return -EAGAIN;
4278
4279 ret = do_symlinkat(sl->oldpath, sl->new_dfd, sl->newpath);
4280
4281 req->flags &= ~REQ_F_NEED_CLEANUP;
4282 if (ret < 0)
4283 req_set_fail(req);
4284 io_req_complete(req, ret);
4285 return 0;
4286 }
4287
4288 static int io_linkat_prep(struct io_kiocb *req,
4289 const struct io_uring_sqe *sqe)
4290 {
4291 struct io_hardlink *lnk = &req->hardlink;
4292 const char __user *oldf, *newf;
4293
4294 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4295 return -EINVAL;
4296 if (sqe->ioprio || sqe->rw_flags || sqe->buf_index || sqe->splice_fd_in)
4297 return -EINVAL;
4298 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4299 return -EBADF;
4300
4301 lnk->old_dfd = READ_ONCE(sqe->fd);
4302 lnk->new_dfd = READ_ONCE(sqe->len);
4303 oldf = u64_to_user_ptr(READ_ONCE(sqe->addr));
4304 newf = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4305 lnk->flags = READ_ONCE(sqe->hardlink_flags);
4306
4307 lnk->oldpath = getname(oldf);
4308 if (IS_ERR(lnk->oldpath))
4309 return PTR_ERR(lnk->oldpath);
4310
4311 lnk->newpath = getname(newf);
4312 if (IS_ERR(lnk->newpath)) {
4313 putname(lnk->oldpath);
4314 return PTR_ERR(lnk->newpath);
4315 }
4316
4317 req->flags |= REQ_F_NEED_CLEANUP;
4318 return 0;
4319 }
4320
4321 static int io_linkat(struct io_kiocb *req, unsigned int issue_flags)
4322 {
4323 struct io_hardlink *lnk = &req->hardlink;
4324 int ret;
4325
4326 if (issue_flags & IO_URING_F_NONBLOCK)
4327 return -EAGAIN;
4328
4329 ret = do_linkat(lnk->old_dfd, lnk->oldpath, lnk->new_dfd,
4330 lnk->newpath, lnk->flags);
4331
4332 req->flags &= ~REQ_F_NEED_CLEANUP;
4333 if (ret < 0)
4334 req_set_fail(req);
4335 io_req_complete(req, ret);
4336 return 0;
4337 }
4338
4339 static int io_shutdown_prep(struct io_kiocb *req,
4340 const struct io_uring_sqe *sqe)
4341 {
4342 #if defined(CONFIG_NET)
4343 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4344 return -EINVAL;
4345 if (unlikely(sqe->ioprio || sqe->off || sqe->addr || sqe->rw_flags ||
4346 sqe->buf_index || sqe->splice_fd_in))
4347 return -EINVAL;
4348
4349 req->shutdown.how = READ_ONCE(sqe->len);
4350 return 0;
4351 #else
4352 return -EOPNOTSUPP;
4353 #endif
4354 }
4355
4356 static int io_shutdown(struct io_kiocb *req, unsigned int issue_flags)
4357 {
4358 #if defined(CONFIG_NET)
4359 struct socket *sock;
4360 int ret;
4361
4362 if (issue_flags & IO_URING_F_NONBLOCK)
4363 return -EAGAIN;
4364
4365 sock = sock_from_file(req->file);
4366 if (unlikely(!sock))
4367 return -ENOTSOCK;
4368
4369 ret = __sys_shutdown_sock(sock, req->shutdown.how);
4370 if (ret < 0)
4371 req_set_fail(req);
4372 io_req_complete(req, ret);
4373 return 0;
4374 #else
4375 return -EOPNOTSUPP;
4376 #endif
4377 }
4378
4379 static int __io_splice_prep(struct io_kiocb *req,
4380 const struct io_uring_sqe *sqe)
4381 {
4382 struct io_splice *sp = &req->splice;
4383 unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
4384
4385 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4386 return -EINVAL;
4387
4388 sp->len = READ_ONCE(sqe->len);
4389 sp->flags = READ_ONCE(sqe->splice_flags);
4390 if (unlikely(sp->flags & ~valid_flags))
4391 return -EINVAL;
4392 sp->splice_fd_in = READ_ONCE(sqe->splice_fd_in);
4393 return 0;
4394 }
4395
4396 static int io_tee_prep(struct io_kiocb *req,
4397 const struct io_uring_sqe *sqe)
4398 {
4399 if (READ_ONCE(sqe->splice_off_in) || READ_ONCE(sqe->off))
4400 return -EINVAL;
4401 return __io_splice_prep(req, sqe);
4402 }
4403
4404 static int io_tee(struct io_kiocb *req, unsigned int issue_flags)
4405 {
4406 struct io_splice *sp = &req->splice;
4407 struct file *out = sp->file_out;
4408 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
4409 struct file *in;
4410 long ret = 0;
4411
4412 if (issue_flags & IO_URING_F_NONBLOCK)
4413 return -EAGAIN;
4414
4415 if (sp->flags & SPLICE_F_FD_IN_FIXED)
4416 in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags);
4417 else
4418 in = io_file_get_normal(req, sp->splice_fd_in);
4419 if (!in) {
4420 ret = -EBADF;
4421 goto done;
4422 }
4423
4424 if (sp->len)
4425 ret = do_tee(in, out, sp->len, flags);
4426
4427 if (!(sp->flags & SPLICE_F_FD_IN_FIXED))
4428 io_put_file(in);
4429 done:
4430 if (ret != sp->len)
4431 req_set_fail(req);
4432 io_req_complete(req, ret);
4433 return 0;
4434 }
4435
4436 static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4437 {
4438 struct io_splice *sp = &req->splice;
4439
4440 sp->off_in = READ_ONCE(sqe->splice_off_in);
4441 sp->off_out = READ_ONCE(sqe->off);
4442 return __io_splice_prep(req, sqe);
4443 }
4444
4445 static int io_splice(struct io_kiocb *req, unsigned int issue_flags)
4446 {
4447 struct io_splice *sp = &req->splice;
4448 struct file *out = sp->file_out;
4449 unsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;
4450 loff_t *poff_in, *poff_out;
4451 struct file *in;
4452 long ret = 0;
4453
4454 if (issue_flags & IO_URING_F_NONBLOCK)
4455 return -EAGAIN;
4456
4457 if (sp->flags & SPLICE_F_FD_IN_FIXED)
4458 in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags);
4459 else
4460 in = io_file_get_normal(req, sp->splice_fd_in);
4461 if (!in) {
4462 ret = -EBADF;
4463 goto done;
4464 }
4465
4466 poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
4467 poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
4468
4469 if (sp->len)
4470 ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
4471
4472 if (!(sp->flags & SPLICE_F_FD_IN_FIXED))
4473 io_put_file(in);
4474 done:
4475 if (ret != sp->len)
4476 req_set_fail(req);
4477 io_req_complete(req, ret);
4478 return 0;
4479 }
4480
4481 /*
4482 * IORING_OP_NOP just posts a completion event, nothing else.
4483 */
4484 static int io_nop(struct io_kiocb *req, unsigned int issue_flags)
4485 {
4486 struct io_ring_ctx *ctx = req->ctx;
4487
4488 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
4489 return -EINVAL;
4490
4491 __io_req_complete(req, issue_flags, 0, 0);
4492 return 0;
4493 }
4494
4495 static int io_msg_ring_prep(struct io_kiocb *req,
4496 const struct io_uring_sqe *sqe)
4497 {
4498 if (unlikely(sqe->addr || sqe->ioprio || sqe->rw_flags ||
4499 sqe->splice_fd_in || sqe->buf_index || sqe->personality))
4500 return -EINVAL;
4501
4502 req->msg.user_data = READ_ONCE(sqe->off);
4503 req->msg.len = READ_ONCE(sqe->len);
4504 return 0;
4505 }
4506
4507 static int io_msg_ring(struct io_kiocb *req, unsigned int issue_flags)
4508 {
4509 struct io_ring_ctx *target_ctx;
4510 struct io_msg *msg = &req->msg;
4511 bool filled;
4512 int ret;
4513
4514 ret = -EBADFD;
4515 if (req->file->f_op != &io_uring_fops)
4516 goto done;
4517
4518 ret = -EOVERFLOW;
4519 target_ctx = req->file->private_data;
4520
4521 spin_lock(&target_ctx->completion_lock);
4522 filled = io_fill_cqe_aux(target_ctx, msg->user_data, msg->len, 0);
4523 io_commit_cqring(target_ctx);
4524 spin_unlock(&target_ctx->completion_lock);
4525
4526 if (filled) {
4527 io_cqring_ev_posted(target_ctx);
4528 ret = 0;
4529 }
4530
4531 done:
4532 if (ret < 0)
4533 req_set_fail(req);
4534 __io_req_complete(req, issue_flags, ret, 0);
4535 /* put file to avoid an attempt to IOPOLL the req */
4536 io_put_file(req->file);
4537 req->file = NULL;
4538 return 0;
4539 }
4540
4541 static int io_fsync_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4542 {
4543 struct io_ring_ctx *ctx = req->ctx;
4544
4545 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
4546 return -EINVAL;
4547 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index ||
4548 sqe->splice_fd_in))
4549 return -EINVAL;
4550
4551 req->sync.flags = READ_ONCE(sqe->fsync_flags);
4552 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
4553 return -EINVAL;
4554
4555 req->sync.off = READ_ONCE(sqe->off);
4556 req->sync.len = READ_ONCE(sqe->len);
4557 return 0;
4558 }
4559
4560 static int io_fsync(struct io_kiocb *req, unsigned int issue_flags)
4561 {
4562 loff_t end = req->sync.off + req->sync.len;
4563 int ret;
4564
4565 /* fsync always requires a blocking context */
4566 if (issue_flags & IO_URING_F_NONBLOCK)
4567 return -EAGAIN;
4568
4569 ret = vfs_fsync_range(req->file, req->sync.off,
4570 end > 0 ? end : LLONG_MAX,
4571 req->sync.flags & IORING_FSYNC_DATASYNC);
4572 if (ret < 0)
4573 req_set_fail(req);
4574 io_req_complete(req, ret);
4575 return 0;
4576 }
4577
4578 static int io_fallocate_prep(struct io_kiocb *req,
4579 const struct io_uring_sqe *sqe)
4580 {
4581 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags ||
4582 sqe->splice_fd_in)
4583 return -EINVAL;
4584 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4585 return -EINVAL;
4586
4587 req->sync.off = READ_ONCE(sqe->off);
4588 req->sync.len = READ_ONCE(sqe->addr);
4589 req->sync.mode = READ_ONCE(sqe->len);
4590 return 0;
4591 }
4592
4593 static int io_fallocate(struct io_kiocb *req, unsigned int issue_flags)
4594 {
4595 int ret;
4596
4597 /* fallocate always requiring blocking context */
4598 if (issue_flags & IO_URING_F_NONBLOCK)
4599 return -EAGAIN;
4600 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
4601 req->sync.len);
4602 if (ret < 0)
4603 req_set_fail(req);
4604 else
4605 fsnotify_modify(req->file);
4606 io_req_complete(req, ret);
4607 return 0;
4608 }
4609
4610 static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4611 {
4612 const char __user *fname;
4613 int ret;
4614
4615 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4616 return -EINVAL;
4617 if (unlikely(sqe->ioprio || sqe->buf_index))
4618 return -EINVAL;
4619 if (unlikely(req->flags & REQ_F_FIXED_FILE))
4620 return -EBADF;
4621
4622 /* open.how should be already initialised */
4623 if (!(req->open.how.flags & O_PATH) && force_o_largefile())
4624 req->open.how.flags |= O_LARGEFILE;
4625
4626 req->open.dfd = READ_ONCE(sqe->fd);
4627 fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
4628 req->open.filename = getname(fname);
4629 if (IS_ERR(req->open.filename)) {
4630 ret = PTR_ERR(req->open.filename);
4631 req->open.filename = NULL;
4632 return ret;
4633 }
4634
4635 req->open.file_slot = READ_ONCE(sqe->file_index);
4636 if (req->open.file_slot && (req->open.how.flags & O_CLOEXEC))
4637 return -EINVAL;
4638
4639 req->open.nofile = rlimit(RLIMIT_NOFILE);
4640 req->flags |= REQ_F_NEED_CLEANUP;
4641 return 0;
4642 }
4643
4644 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4645 {
4646 u64 mode = READ_ONCE(sqe->len);
4647 u64 flags = READ_ONCE(sqe->open_flags);
4648
4649 req->open.how = build_open_how(flags, mode);
4650 return __io_openat_prep(req, sqe);
4651 }
4652
4653 static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4654 {
4655 struct open_how __user *how;
4656 size_t len;
4657 int ret;
4658
4659 how = u64_to_user_ptr(READ_ONCE(sqe->addr2));
4660 len = READ_ONCE(sqe->len);
4661 if (len < OPEN_HOW_SIZE_VER0)
4662 return -EINVAL;
4663
4664 ret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,
4665 len);
4666 if (ret)
4667 return ret;
4668
4669 return __io_openat_prep(req, sqe);
4670 }
4671
4672 static int io_openat2(struct io_kiocb *req, unsigned int issue_flags)
4673 {
4674 struct open_flags op;
4675 struct file *file;
4676 bool resolve_nonblock, nonblock_set;
4677 bool fixed = !!req->open.file_slot;
4678 int ret;
4679
4680 ret = build_open_flags(&req->open.how, &op);
4681 if (ret)
4682 goto err;
4683 nonblock_set = op.open_flag & O_NONBLOCK;
4684 resolve_nonblock = req->open.how.resolve & RESOLVE_CACHED;
4685 if (issue_flags & IO_URING_F_NONBLOCK) {
4686 /*
4687 * Don't bother trying for O_TRUNC, O_CREAT, or O_TMPFILE open,
4688 * it'll always -EAGAIN
4689 */
4690 if (req->open.how.flags & (O_TRUNC | O_CREAT | O_TMPFILE))
4691 return -EAGAIN;
4692 op.lookup_flags |= LOOKUP_CACHED;
4693 op.open_flag |= O_NONBLOCK;
4694 }
4695
4696 if (!fixed) {
4697 ret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);
4698 if (ret < 0)
4699 goto err;
4700 }
4701
4702 file = do_filp_open(req->open.dfd, req->open.filename, &op);
4703 if (IS_ERR(file)) {
4704 /*
4705 * We could hang on to this 'fd' on retrying, but seems like
4706 * marginal gain for something that is now known to be a slower
4707 * path. So just put it, and we'll get a new one when we retry.
4708 */
4709 if (!fixed)
4710 put_unused_fd(ret);
4711
4712 ret = PTR_ERR(file);
4713 /* only retry if RESOLVE_CACHED wasn't already set by application */
4714 if (ret == -EAGAIN &&
4715 (!resolve_nonblock && (issue_flags & IO_URING_F_NONBLOCK)))
4716 return -EAGAIN;
4717 goto err;
4718 }
4719
4720 if ((issue_flags & IO_URING_F_NONBLOCK) && !nonblock_set)
4721 file->f_flags &= ~O_NONBLOCK;
4722 fsnotify_open(file);
4723
4724 if (!fixed)
4725 fd_install(ret, file);
4726 else
4727 ret = io_install_fixed_file(req, file, issue_flags,
4728 req->open.file_slot - 1);
4729 err:
4730 putname(req->open.filename);
4731 req->flags &= ~REQ_F_NEED_CLEANUP;
4732 if (ret < 0)
4733 req_set_fail(req);
4734 __io_req_complete(req, issue_flags, ret, 0);
4735 return 0;
4736 }
4737
4738 static int io_openat(struct io_kiocb *req, unsigned int issue_flags)
4739 {
4740 return io_openat2(req, issue_flags);
4741 }
4742
4743 static int io_remove_buffers_prep(struct io_kiocb *req,
4744 const struct io_uring_sqe *sqe)
4745 {
4746 struct io_provide_buf *p = &req->pbuf;
4747 u64 tmp;
4748
4749 if (sqe->ioprio || sqe->rw_flags || sqe->addr || sqe->len || sqe->off ||
4750 sqe->splice_fd_in)
4751 return -EINVAL;
4752
4753 tmp = READ_ONCE(sqe->fd);
4754 if (!tmp || tmp > USHRT_MAX)
4755 return -EINVAL;
4756
4757 memset(p, 0, sizeof(*p));
4758 p->nbufs = tmp;
4759 p->bgid = READ_ONCE(sqe->buf_group);
4760 return 0;
4761 }
4762
4763 static int __io_remove_buffers(struct io_ring_ctx *ctx,
4764 struct io_buffer_list *bl, unsigned nbufs)
4765 {
4766 unsigned i = 0;
4767
4768 /* shouldn't happen */
4769 if (!nbufs)
4770 return 0;
4771
4772 /* the head kbuf is the list itself */
4773 while (!list_empty(&bl->buf_list)) {
4774 struct io_buffer *nxt;
4775
4776 nxt = list_first_entry(&bl->buf_list, struct io_buffer, list);
4777 list_del(&nxt->list);
4778 if (++i == nbufs)
4779 return i;
4780 cond_resched();
4781 }
4782 i++;
4783
4784 return i;
4785 }
4786
4787 static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
4788 {
4789 struct io_provide_buf *p = &req->pbuf;
4790 struct io_ring_ctx *ctx = req->ctx;
4791 struct io_buffer_list *bl;
4792 int ret = 0;
4793 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
4794
4795 io_ring_submit_lock(ctx, needs_lock);
4796
4797 lockdep_assert_held(&ctx->uring_lock);
4798
4799 ret = -ENOENT;
4800 bl = io_buffer_get_list(ctx, p->bgid);
4801 if (bl)
4802 ret = __io_remove_buffers(ctx, bl, p->nbufs);
4803 if (ret < 0)
4804 req_set_fail(req);
4805
4806 /* complete before unlock, IOPOLL may need the lock */
4807 __io_req_complete(req, issue_flags, ret, 0);
4808 io_ring_submit_unlock(ctx, needs_lock);
4809 return 0;
4810 }
4811
4812 static int io_provide_buffers_prep(struct io_kiocb *req,
4813 const struct io_uring_sqe *sqe)
4814 {
4815 unsigned long size, tmp_check;
4816 struct io_provide_buf *p = &req->pbuf;
4817 u64 tmp;
4818
4819 if (sqe->ioprio || sqe->rw_flags || sqe->splice_fd_in)
4820 return -EINVAL;
4821
4822 tmp = READ_ONCE(sqe->fd);
4823 if (!tmp || tmp > USHRT_MAX)
4824 return -E2BIG;
4825 p->nbufs = tmp;
4826 p->addr = READ_ONCE(sqe->addr);
4827 p->len = READ_ONCE(sqe->len);
4828
4829 if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
4830 &size))
4831 return -EOVERFLOW;
4832 if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
4833 return -EOVERFLOW;
4834
4835 size = (unsigned long)p->len * p->nbufs;
4836 if (!access_ok(u64_to_user_ptr(p->addr), size))
4837 return -EFAULT;
4838
4839 p->bgid = READ_ONCE(sqe->buf_group);
4840 tmp = READ_ONCE(sqe->off);
4841 if (tmp > USHRT_MAX)
4842 return -E2BIG;
4843 p->bid = tmp;
4844 return 0;
4845 }
4846
4847 static int io_refill_buffer_cache(struct io_ring_ctx *ctx)
4848 {
4849 struct io_buffer *buf;
4850 struct page *page;
4851 int bufs_in_page;
4852
4853 /*
4854 * Completions that don't happen inline (eg not under uring_lock) will
4855 * add to ->io_buffers_comp. If we don't have any free buffers, check
4856 * the completion list and splice those entries first.
4857 */
4858 if (!list_empty_careful(&ctx->io_buffers_comp)) {
4859 spin_lock(&ctx->completion_lock);
4860 if (!list_empty(&ctx->io_buffers_comp)) {
4861 list_splice_init(&ctx->io_buffers_comp,
4862 &ctx->io_buffers_cache);
4863 spin_unlock(&ctx->completion_lock);
4864 return 0;
4865 }
4866 spin_unlock(&ctx->completion_lock);
4867 }
4868
4869 /*
4870 * No free buffers and no completion entries either. Allocate a new
4871 * page worth of buffer entries and add those to our freelist.
4872 */
4873 page = alloc_page(GFP_KERNEL_ACCOUNT);
4874 if (!page)
4875 return -ENOMEM;
4876
4877 list_add(&page->lru, &ctx->io_buffers_pages);
4878
4879 buf = page_address(page);
4880 bufs_in_page = PAGE_SIZE / sizeof(*buf);
4881 while (bufs_in_page) {
4882 list_add_tail(&buf->list, &ctx->io_buffers_cache);
4883 buf++;
4884 bufs_in_page--;
4885 }
4886
4887 return 0;
4888 }
4889
4890 static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
4891 struct io_buffer_list *bl)
4892 {
4893 struct io_buffer *buf;
4894 u64 addr = pbuf->addr;
4895 int i, bid = pbuf->bid;
4896
4897 for (i = 0; i < pbuf->nbufs; i++) {
4898 if (list_empty(&ctx->io_buffers_cache) &&
4899 io_refill_buffer_cache(ctx))
4900 break;
4901 buf = list_first_entry(&ctx->io_buffers_cache, struct io_buffer,
4902 list);
4903 list_move_tail(&buf->list, &bl->buf_list);
4904 buf->addr = addr;
4905 buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
4906 buf->bid = bid;
4907 buf->bgid = pbuf->bgid;
4908 addr += pbuf->len;
4909 bid++;
4910 cond_resched();
4911 }
4912
4913 return i ? 0 : -ENOMEM;
4914 }
4915
4916 static int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
4917 {
4918 struct io_provide_buf *p = &req->pbuf;
4919 struct io_ring_ctx *ctx = req->ctx;
4920 struct io_buffer_list *bl;
4921 int ret = 0;
4922 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
4923
4924 io_ring_submit_lock(ctx, needs_lock);
4925
4926 lockdep_assert_held(&ctx->uring_lock);
4927
4928 bl = io_buffer_get_list(ctx, p->bgid);
4929 if (unlikely(!bl)) {
4930 bl = kmalloc(sizeof(*bl), GFP_KERNEL);
4931 if (!bl) {
4932 ret = -ENOMEM;
4933 goto err;
4934 }
4935 io_buffer_add_list(ctx, bl, p->bgid);
4936 }
4937
4938 ret = io_add_buffers(ctx, p, bl);
4939 err:
4940 if (ret < 0)
4941 req_set_fail(req);
4942 /* complete before unlock, IOPOLL may need the lock */
4943 __io_req_complete(req, issue_flags, ret, 0);
4944 io_ring_submit_unlock(ctx, needs_lock);
4945 return 0;
4946 }
4947
4948 static int io_epoll_ctl_prep(struct io_kiocb *req,
4949 const struct io_uring_sqe *sqe)
4950 {
4951 #if defined(CONFIG_EPOLL)
4952 if (sqe->ioprio || sqe->buf_index || sqe->splice_fd_in)
4953 return -EINVAL;
4954 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
4955 return -EINVAL;
4956
4957 req->epoll.epfd = READ_ONCE(sqe->fd);
4958 req->epoll.op = READ_ONCE(sqe->len);
4959 req->epoll.fd = READ_ONCE(sqe->off);
4960
4961 if (ep_op_has_event(req->epoll.op)) {
4962 struct epoll_event __user *ev;
4963
4964 ev = u64_to_user_ptr(READ_ONCE(sqe->addr));
4965 if (copy_from_user(&req->epoll.event, ev, sizeof(*ev)))
4966 return -EFAULT;
4967 }
4968
4969 return 0;
4970 #else
4971 return -EOPNOTSUPP;
4972 #endif
4973 }
4974
4975 static int io_epoll_ctl(struct io_kiocb *req, unsigned int issue_flags)
4976 {
4977 #if defined(CONFIG_EPOLL)
4978 struct io_epoll *ie = &req->epoll;
4979 int ret;
4980 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
4981
4982 ret = do_epoll_ctl(ie->epfd, ie->op, ie->fd, &ie->event, force_nonblock);
4983 if (force_nonblock && ret == -EAGAIN)
4984 return -EAGAIN;
4985
4986 if (ret < 0)
4987 req_set_fail(req);
4988 __io_req_complete(req, issue_flags, ret, 0);
4989 return 0;
4990 #else
4991 return -EOPNOTSUPP;
4992 #endif
4993 }
4994
4995 static int io_madvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4996 {
4997 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
4998 if (sqe->ioprio || sqe->buf_index || sqe->off || sqe->splice_fd_in)
4999 return -EINVAL;
5000 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5001 return -EINVAL;
5002
5003 req->madvise.addr = READ_ONCE(sqe->addr);
5004 req->madvise.len = READ_ONCE(sqe->len);
5005 req->madvise.advice = READ_ONCE(sqe->fadvise_advice);
5006 return 0;
5007 #else
5008 return -EOPNOTSUPP;
5009 #endif
5010 }
5011
5012 static int io_madvise(struct io_kiocb *req, unsigned int issue_flags)
5013 {
5014 #if defined(CONFIG_ADVISE_SYSCALLS) && defined(CONFIG_MMU)
5015 struct io_madvise *ma = &req->madvise;
5016 int ret;
5017
5018 if (issue_flags & IO_URING_F_NONBLOCK)
5019 return -EAGAIN;
5020
5021 ret = do_madvise(current->mm, ma->addr, ma->len, ma->advice);
5022 if (ret < 0)
5023 req_set_fail(req);
5024 io_req_complete(req, ret);
5025 return 0;
5026 #else
5027 return -EOPNOTSUPP;
5028 #endif
5029 }
5030
5031 static int io_fadvise_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5032 {
5033 if (sqe->ioprio || sqe->buf_index || sqe->addr || sqe->splice_fd_in)
5034 return -EINVAL;
5035 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5036 return -EINVAL;
5037
5038 req->fadvise.offset = READ_ONCE(sqe->off);
5039 req->fadvise.len = READ_ONCE(sqe->len);
5040 req->fadvise.advice = READ_ONCE(sqe->fadvise_advice);
5041 return 0;
5042 }
5043
5044 static int io_fadvise(struct io_kiocb *req, unsigned int issue_flags)
5045 {
5046 struct io_fadvise *fa = &req->fadvise;
5047 int ret;
5048
5049 if (issue_flags & IO_URING_F_NONBLOCK) {
5050 switch (fa->advice) {
5051 case POSIX_FADV_NORMAL:
5052 case POSIX_FADV_RANDOM:
5053 case POSIX_FADV_SEQUENTIAL:
5054 break;
5055 default:
5056 return -EAGAIN;
5057 }
5058 }
5059
5060 ret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);
5061 if (ret < 0)
5062 req_set_fail(req);
5063 __io_req_complete(req, issue_flags, ret, 0);
5064 return 0;
5065 }
5066
5067 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5068 {
5069 const char __user *path;
5070
5071 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5072 return -EINVAL;
5073 if (sqe->ioprio || sqe->buf_index || sqe->splice_fd_in)
5074 return -EINVAL;
5075 if (req->flags & REQ_F_FIXED_FILE)
5076 return -EBADF;
5077
5078 req->statx.dfd = READ_ONCE(sqe->fd);
5079 req->statx.mask = READ_ONCE(sqe->len);
5080 path = u64_to_user_ptr(READ_ONCE(sqe->addr));
5081 req->statx.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
5082 req->statx.flags = READ_ONCE(sqe->statx_flags);
5083
5084 req->statx.filename = getname_flags(path,
5085 getname_statx_lookup_flags(req->statx.flags),
5086 NULL);
5087
5088 if (IS_ERR(req->statx.filename)) {
5089 int ret = PTR_ERR(req->statx.filename);
5090
5091 req->statx.filename = NULL;
5092 return ret;
5093 }
5094
5095 req->flags |= REQ_F_NEED_CLEANUP;
5096 return 0;
5097 }
5098
5099 static int io_statx(struct io_kiocb *req, unsigned int issue_flags)
5100 {
5101 struct io_statx *ctx = &req->statx;
5102 int ret;
5103
5104 if (issue_flags & IO_URING_F_NONBLOCK)
5105 return -EAGAIN;
5106
5107 ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
5108 ctx->buffer);
5109
5110 if (ret < 0)
5111 req_set_fail(req);
5112 io_req_complete(req, ret);
5113 return 0;
5114 }
5115
5116 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5117 {
5118 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5119 return -EINVAL;
5120 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
5121 sqe->rw_flags || sqe->buf_index)
5122 return -EINVAL;
5123 if (req->flags & REQ_F_FIXED_FILE)
5124 return -EBADF;
5125
5126 req->close.fd = READ_ONCE(sqe->fd);
5127 req->close.file_slot = READ_ONCE(sqe->file_index);
5128 if (req->close.file_slot && req->close.fd)
5129 return -EINVAL;
5130
5131 return 0;
5132 }
5133
5134 static int io_close(struct io_kiocb *req, unsigned int issue_flags)
5135 {
5136 struct files_struct *files = current->files;
5137 struct io_close *close = &req->close;
5138 struct fdtable *fdt;
5139 struct file *file = NULL;
5140 int ret = -EBADF;
5141
5142 if (req->close.file_slot) {
5143 ret = io_close_fixed(req, issue_flags);
5144 goto err;
5145 }
5146
5147 spin_lock(&files->file_lock);
5148 fdt = files_fdtable(files);
5149 if (close->fd >= fdt->max_fds) {
5150 spin_unlock(&files->file_lock);
5151 goto err;
5152 }
5153 file = fdt->fd[close->fd];
5154 if (!file || file->f_op == &io_uring_fops) {
5155 spin_unlock(&files->file_lock);
5156 file = NULL;
5157 goto err;
5158 }
5159
5160 /* if the file has a flush method, be safe and punt to async */
5161 if (file->f_op->flush && (issue_flags & IO_URING_F_NONBLOCK)) {
5162 spin_unlock(&files->file_lock);
5163 return -EAGAIN;
5164 }
5165
5166 ret = __close_fd_get_file(close->fd, &file);
5167 spin_unlock(&files->file_lock);
5168 if (ret < 0) {
5169 if (ret == -ENOENT)
5170 ret = -EBADF;
5171 goto err;
5172 }
5173
5174 /* No ->flush() or already async, safely close from here */
5175 ret = filp_close(file, current->files);
5176 err:
5177 if (ret < 0)
5178 req_set_fail(req);
5179 if (file)
5180 fput(file);
5181 __io_req_complete(req, issue_flags, ret, 0);
5182 return 0;
5183 }
5184
5185 static int io_sfr_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5186 {
5187 struct io_ring_ctx *ctx = req->ctx;
5188
5189 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
5190 return -EINVAL;
5191 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index ||
5192 sqe->splice_fd_in))
5193 return -EINVAL;
5194
5195 req->sync.off = READ_ONCE(sqe->off);
5196 req->sync.len = READ_ONCE(sqe->len);
5197 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
5198 return 0;
5199 }
5200
5201 static int io_sync_file_range(struct io_kiocb *req, unsigned int issue_flags)
5202 {
5203 int ret;
5204
5205 /* sync_file_range always requires a blocking context */
5206 if (issue_flags & IO_URING_F_NONBLOCK)
5207 return -EAGAIN;
5208
5209 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
5210 req->sync.flags);
5211 if (ret < 0)
5212 req_set_fail(req);
5213 io_req_complete(req, ret);
5214 return 0;
5215 }
5216
5217 #if defined(CONFIG_NET)
5218 static int io_setup_async_msg(struct io_kiocb *req,
5219 struct io_async_msghdr *kmsg)
5220 {
5221 struct io_async_msghdr *async_msg = req->async_data;
5222
5223 if (async_msg)
5224 return -EAGAIN;
5225 if (io_alloc_async_data(req)) {
5226 kfree(kmsg->free_iov);
5227 return -ENOMEM;
5228 }
5229 async_msg = req->async_data;
5230 req->flags |= REQ_F_NEED_CLEANUP;
5231 memcpy(async_msg, kmsg, sizeof(*kmsg));
5232 async_msg->msg.msg_name = &async_msg->addr;
5233 /* if were using fast_iov, set it to the new one */
5234 if (!async_msg->free_iov)
5235 async_msg->msg.msg_iter.iov = async_msg->fast_iov;
5236
5237 return -EAGAIN;
5238 }
5239
5240 static int io_sendmsg_copy_hdr(struct io_kiocb *req,
5241 struct io_async_msghdr *iomsg)
5242 {
5243 iomsg->msg.msg_name = &iomsg->addr;
5244 iomsg->free_iov = iomsg->fast_iov;
5245 return sendmsg_copy_msghdr(&iomsg->msg, req->sr_msg.umsg,
5246 req->sr_msg.msg_flags, &iomsg->free_iov);
5247 }
5248
5249 static int io_sendmsg_prep_async(struct io_kiocb *req)
5250 {
5251 int ret;
5252
5253 ret = io_sendmsg_copy_hdr(req, req->async_data);
5254 if (!ret)
5255 req->flags |= REQ_F_NEED_CLEANUP;
5256 return ret;
5257 }
5258
5259 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5260 {
5261 struct io_sr_msg *sr = &req->sr_msg;
5262
5263 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5264 return -EINVAL;
5265 if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
5266 return -EINVAL;
5267
5268 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
5269 sr->len = READ_ONCE(sqe->len);
5270 sr->msg_flags = READ_ONCE(sqe->msg_flags) | MSG_NOSIGNAL;
5271 if (sr->msg_flags & MSG_DONTWAIT)
5272 req->flags |= REQ_F_NOWAIT;
5273
5274 #ifdef CONFIG_COMPAT
5275 if (req->ctx->compat)
5276 sr->msg_flags |= MSG_CMSG_COMPAT;
5277 #endif
5278 return 0;
5279 }
5280
5281 static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
5282 {
5283 struct io_async_msghdr iomsg, *kmsg;
5284 struct socket *sock;
5285 unsigned flags;
5286 int min_ret = 0;
5287 int ret;
5288
5289 sock = sock_from_file(req->file);
5290 if (unlikely(!sock))
5291 return -ENOTSOCK;
5292
5293 if (req_has_async_data(req)) {
5294 kmsg = req->async_data;
5295 } else {
5296 ret = io_sendmsg_copy_hdr(req, &iomsg);
5297 if (ret)
5298 return ret;
5299 kmsg = &iomsg;
5300 }
5301
5302 flags = req->sr_msg.msg_flags;
5303 if (issue_flags & IO_URING_F_NONBLOCK)
5304 flags |= MSG_DONTWAIT;
5305 if (flags & MSG_WAITALL)
5306 min_ret = iov_iter_count(&kmsg->msg.msg_iter);
5307
5308 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
5309
5310 if (ret < min_ret) {
5311 if (ret == -EAGAIN && (issue_flags & IO_URING_F_NONBLOCK))
5312 return io_setup_async_msg(req, kmsg);
5313 if (ret == -ERESTARTSYS)
5314 ret = -EINTR;
5315 req_set_fail(req);
5316 }
5317 /* fast path, check for non-NULL to avoid function call */
5318 if (kmsg->free_iov)
5319 kfree(kmsg->free_iov);
5320 req->flags &= ~REQ_F_NEED_CLEANUP;
5321 __io_req_complete(req, issue_flags, ret, 0);
5322 return 0;
5323 }
5324
5325 static int io_send(struct io_kiocb *req, unsigned int issue_flags)
5326 {
5327 struct io_sr_msg *sr = &req->sr_msg;
5328 struct msghdr msg;
5329 struct iovec iov;
5330 struct socket *sock;
5331 unsigned flags;
5332 int min_ret = 0;
5333 int ret;
5334
5335 sock = sock_from_file(req->file);
5336 if (unlikely(!sock))
5337 return -ENOTSOCK;
5338
5339 ret = import_single_range(WRITE, sr->buf, sr->len, &iov, &msg.msg_iter);
5340 if (unlikely(ret))
5341 return ret;
5342
5343 msg.msg_name = NULL;
5344 msg.msg_control = NULL;
5345 msg.msg_controllen = 0;
5346 msg.msg_namelen = 0;
5347
5348 flags = req->sr_msg.msg_flags;
5349 if (issue_flags & IO_URING_F_NONBLOCK)
5350 flags |= MSG_DONTWAIT;
5351 if (flags & MSG_WAITALL)
5352 min_ret = iov_iter_count(&msg.msg_iter);
5353
5354 msg.msg_flags = flags;
5355 ret = sock_sendmsg(sock, &msg);
5356 if (ret < min_ret) {
5357 if (ret == -EAGAIN && (issue_flags & IO_URING_F_NONBLOCK))
5358 return -EAGAIN;
5359 if (ret == -ERESTARTSYS)
5360 ret = -EINTR;
5361 req_set_fail(req);
5362 }
5363 __io_req_complete(req, issue_flags, ret, 0);
5364 return 0;
5365 }
5366
5367 static int __io_recvmsg_copy_hdr(struct io_kiocb *req,
5368 struct io_async_msghdr *iomsg)
5369 {
5370 struct io_sr_msg *sr = &req->sr_msg;
5371 struct iovec __user *uiov;
5372 size_t iov_len;
5373 int ret;
5374
5375 ret = __copy_msghdr_from_user(&iomsg->msg, sr->umsg,
5376 &iomsg->uaddr, &uiov, &iov_len);
5377 if (ret)
5378 return ret;
5379
5380 if (req->flags & REQ_F_BUFFER_SELECT) {
5381 if (iov_len > 1)
5382 return -EINVAL;
5383 if (copy_from_user(iomsg->fast_iov, uiov, sizeof(*uiov)))
5384 return -EFAULT;
5385 sr->len = iomsg->fast_iov[0].iov_len;
5386 iomsg->free_iov = NULL;
5387 } else {
5388 iomsg->free_iov = iomsg->fast_iov;
5389 ret = __import_iovec(READ, uiov, iov_len, UIO_FASTIOV,
5390 &iomsg->free_iov, &iomsg->msg.msg_iter,
5391 false);
5392 if (ret > 0)
5393 ret = 0;
5394 }
5395
5396 return ret;
5397 }
5398
5399 #ifdef CONFIG_COMPAT
5400 static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
5401 struct io_async_msghdr *iomsg)
5402 {
5403 struct io_sr_msg *sr = &req->sr_msg;
5404 struct compat_iovec __user *uiov;
5405 compat_uptr_t ptr;
5406 compat_size_t len;
5407 int ret;
5408
5409 ret = __get_compat_msghdr(&iomsg->msg, sr->umsg_compat, &iomsg->uaddr,
5410 &ptr, &len);
5411 if (ret)
5412 return ret;
5413
5414 uiov = compat_ptr(ptr);
5415 if (req->flags & REQ_F_BUFFER_SELECT) {
5416 compat_ssize_t clen;
5417
5418 if (len > 1)
5419 return -EINVAL;
5420 if (!access_ok(uiov, sizeof(*uiov)))
5421 return -EFAULT;
5422 if (__get_user(clen, &uiov->iov_len))
5423 return -EFAULT;
5424 if (clen < 0)
5425 return -EINVAL;
5426 sr->len = clen;
5427 iomsg->free_iov = NULL;
5428 } else {
5429 iomsg->free_iov = iomsg->fast_iov;
5430 ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
5431 UIO_FASTIOV, &iomsg->free_iov,
5432 &iomsg->msg.msg_iter, true);
5433 if (ret < 0)
5434 return ret;
5435 }
5436
5437 return 0;
5438 }
5439 #endif
5440
5441 static int io_recvmsg_copy_hdr(struct io_kiocb *req,
5442 struct io_async_msghdr *iomsg)
5443 {
5444 iomsg->msg.msg_name = &iomsg->addr;
5445
5446 #ifdef CONFIG_COMPAT
5447 if (req->ctx->compat)
5448 return __io_compat_recvmsg_copy_hdr(req, iomsg);
5449 #endif
5450
5451 return __io_recvmsg_copy_hdr(req, iomsg);
5452 }
5453
5454 static struct io_buffer *io_recv_buffer_select(struct io_kiocb *req,
5455 unsigned int issue_flags)
5456 {
5457 struct io_sr_msg *sr = &req->sr_msg;
5458
5459 return io_buffer_select(req, &sr->len, sr->bgid, issue_flags);
5460 }
5461
5462 static int io_recvmsg_prep_async(struct io_kiocb *req)
5463 {
5464 int ret;
5465
5466 ret = io_recvmsg_copy_hdr(req, req->async_data);
5467 if (!ret)
5468 req->flags |= REQ_F_NEED_CLEANUP;
5469 return ret;
5470 }
5471
5472 static int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5473 {
5474 struct io_sr_msg *sr = &req->sr_msg;
5475
5476 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5477 return -EINVAL;
5478 if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
5479 return -EINVAL;
5480
5481 sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
5482 sr->len = READ_ONCE(sqe->len);
5483 sr->bgid = READ_ONCE(sqe->buf_group);
5484 sr->msg_flags = READ_ONCE(sqe->msg_flags) | MSG_NOSIGNAL;
5485 if (sr->msg_flags & MSG_DONTWAIT)
5486 req->flags |= REQ_F_NOWAIT;
5487
5488 #ifdef CONFIG_COMPAT
5489 if (req->ctx->compat)
5490 sr->msg_flags |= MSG_CMSG_COMPAT;
5491 #endif
5492 sr->done_io = 0;
5493 return 0;
5494 }
5495
5496 static bool io_net_retry(struct socket *sock, int flags)
5497 {
5498 if (!(flags & MSG_WAITALL))
5499 return false;
5500 return sock->type == SOCK_STREAM || sock->type == SOCK_SEQPACKET;
5501 }
5502
5503 static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
5504 {
5505 struct io_async_msghdr iomsg, *kmsg;
5506 struct io_sr_msg *sr = &req->sr_msg;
5507 struct socket *sock;
5508 struct io_buffer *kbuf;
5509 unsigned flags;
5510 int ret, min_ret = 0;
5511 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
5512
5513 sock = sock_from_file(req->file);
5514 if (unlikely(!sock))
5515 return -ENOTSOCK;
5516
5517 if (req_has_async_data(req)) {
5518 kmsg = req->async_data;
5519 } else {
5520 ret = io_recvmsg_copy_hdr(req, &iomsg);
5521 if (ret)
5522 return ret;
5523 kmsg = &iomsg;
5524 }
5525
5526 if (req->flags & REQ_F_BUFFER_SELECT) {
5527 kbuf = io_recv_buffer_select(req, issue_flags);
5528 if (IS_ERR(kbuf))
5529 return PTR_ERR(kbuf);
5530 kmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);
5531 kmsg->fast_iov[0].iov_len = req->sr_msg.len;
5532 iov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->fast_iov,
5533 1, req->sr_msg.len);
5534 }
5535
5536 flags = req->sr_msg.msg_flags;
5537 if (force_nonblock)
5538 flags |= MSG_DONTWAIT;
5539 if (flags & MSG_WAITALL)
5540 min_ret = iov_iter_count(&kmsg->msg.msg_iter);
5541
5542 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,
5543 kmsg->uaddr, flags);
5544 if (ret < min_ret) {
5545 if (ret == -EAGAIN && force_nonblock)
5546 return io_setup_async_msg(req, kmsg);
5547 if (ret == -ERESTARTSYS)
5548 ret = -EINTR;
5549 if (ret > 0 && io_net_retry(sock, flags)) {
5550 sr->done_io += ret;
5551 req->flags |= REQ_F_PARTIAL_IO;
5552 return io_setup_async_msg(req, kmsg);
5553 }
5554 req_set_fail(req);
5555 } else if ((flags & MSG_WAITALL) && (kmsg->msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
5556 req_set_fail(req);
5557 }
5558
5559 /* fast path, check for non-NULL to avoid function call */
5560 if (kmsg->free_iov)
5561 kfree(kmsg->free_iov);
5562 req->flags &= ~REQ_F_NEED_CLEANUP;
5563 if (ret >= 0)
5564 ret += sr->done_io;
5565 else if (sr->done_io)
5566 ret = sr->done_io;
5567 __io_req_complete(req, issue_flags, ret, io_put_kbuf(req, issue_flags));
5568 return 0;
5569 }
5570
5571 static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
5572 {
5573 struct io_buffer *kbuf;
5574 struct io_sr_msg *sr = &req->sr_msg;
5575 struct msghdr msg;
5576 void __user *buf = sr->buf;
5577 struct socket *sock;
5578 struct iovec iov;
5579 unsigned flags;
5580 int ret, min_ret = 0;
5581 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
5582
5583 sock = sock_from_file(req->file);
5584 if (unlikely(!sock))
5585 return -ENOTSOCK;
5586
5587 if (req->flags & REQ_F_BUFFER_SELECT) {
5588 kbuf = io_recv_buffer_select(req, issue_flags);
5589 if (IS_ERR(kbuf))
5590 return PTR_ERR(kbuf);
5591 buf = u64_to_user_ptr(kbuf->addr);
5592 }
5593
5594 ret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);
5595 if (unlikely(ret))
5596 goto out_free;
5597
5598 msg.msg_name = NULL;
5599 msg.msg_control = NULL;
5600 msg.msg_controllen = 0;
5601 msg.msg_namelen = 0;
5602 msg.msg_iocb = NULL;
5603 msg.msg_flags = 0;
5604
5605 flags = req->sr_msg.msg_flags;
5606 if (force_nonblock)
5607 flags |= MSG_DONTWAIT;
5608 if (flags & MSG_WAITALL)
5609 min_ret = iov_iter_count(&msg.msg_iter);
5610
5611 ret = sock_recvmsg(sock, &msg, flags);
5612 if (ret < min_ret) {
5613 if (ret == -EAGAIN && force_nonblock)
5614 return -EAGAIN;
5615 if (ret == -ERESTARTSYS)
5616 ret = -EINTR;
5617 if (ret > 0 && io_net_retry(sock, flags)) {
5618 sr->len -= ret;
5619 sr->buf += ret;
5620 sr->done_io += ret;
5621 req->flags |= REQ_F_PARTIAL_IO;
5622 return -EAGAIN;
5623 }
5624 req_set_fail(req);
5625 } else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
5626 out_free:
5627 req_set_fail(req);
5628 }
5629
5630 if (ret >= 0)
5631 ret += sr->done_io;
5632 else if (sr->done_io)
5633 ret = sr->done_io;
5634 __io_req_complete(req, issue_flags, ret, io_put_kbuf(req, issue_flags));
5635 return 0;
5636 }
5637
5638 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5639 {
5640 struct io_accept *accept = &req->accept;
5641
5642 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5643 return -EINVAL;
5644 if (sqe->ioprio || sqe->len || sqe->buf_index)
5645 return -EINVAL;
5646
5647 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
5648 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
5649 accept->flags = READ_ONCE(sqe->accept_flags);
5650 accept->nofile = rlimit(RLIMIT_NOFILE);
5651
5652 accept->file_slot = READ_ONCE(sqe->file_index);
5653 if (accept->file_slot && (accept->flags & SOCK_CLOEXEC))
5654 return -EINVAL;
5655 if (accept->flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
5656 return -EINVAL;
5657 if (SOCK_NONBLOCK != O_NONBLOCK && (accept->flags & SOCK_NONBLOCK))
5658 accept->flags = (accept->flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
5659 return 0;
5660 }
5661
5662 static int io_accept(struct io_kiocb *req, unsigned int issue_flags)
5663 {
5664 struct io_accept *accept = &req->accept;
5665 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
5666 unsigned int file_flags = force_nonblock ? O_NONBLOCK : 0;
5667 bool fixed = !!accept->file_slot;
5668 struct file *file;
5669 int ret, fd;
5670
5671 if (!fixed) {
5672 fd = __get_unused_fd_flags(accept->flags, accept->nofile);
5673 if (unlikely(fd < 0))
5674 return fd;
5675 }
5676 file = do_accept(req->file, file_flags, accept->addr, accept->addr_len,
5677 accept->flags);
5678 if (IS_ERR(file)) {
5679 if (!fixed)
5680 put_unused_fd(fd);
5681 ret = PTR_ERR(file);
5682 if (ret == -EAGAIN && force_nonblock)
5683 return -EAGAIN;
5684 if (ret == -ERESTARTSYS)
5685 ret = -EINTR;
5686 req_set_fail(req);
5687 } else if (!fixed) {
5688 fd_install(fd, file);
5689 ret = fd;
5690 } else {
5691 ret = io_install_fixed_file(req, file, issue_flags,
5692 accept->file_slot - 1);
5693 }
5694 __io_req_complete(req, issue_flags, ret, 0);
5695 return 0;
5696 }
5697
5698 static int io_connect_prep_async(struct io_kiocb *req)
5699 {
5700 struct io_async_connect *io = req->async_data;
5701 struct io_connect *conn = &req->connect;
5702
5703 return move_addr_to_kernel(conn->addr, conn->addr_len, &io->address);
5704 }
5705
5706 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
5707 {
5708 struct io_connect *conn = &req->connect;
5709
5710 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
5711 return -EINVAL;
5712 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags ||
5713 sqe->splice_fd_in)
5714 return -EINVAL;
5715
5716 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
5717 conn->addr_len = READ_ONCE(sqe->addr2);
5718 return 0;
5719 }
5720
5721 static int io_connect(struct io_kiocb *req, unsigned int issue_flags)
5722 {
5723 struct io_async_connect __io, *io;
5724 unsigned file_flags;
5725 int ret;
5726 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
5727
5728 if (req_has_async_data(req)) {
5729 io = req->async_data;
5730 } else {
5731 ret = move_addr_to_kernel(req->connect.addr,
5732 req->connect.addr_len,
5733 &__io.address);
5734 if (ret)
5735 goto out;
5736 io = &__io;
5737 }
5738
5739 file_flags = force_nonblock ? O_NONBLOCK : 0;
5740
5741 ret = __sys_connect_file(req->file, &io->address,
5742 req->connect.addr_len, file_flags);
5743 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
5744 if (req_has_async_data(req))
5745 return -EAGAIN;
5746 if (io_alloc_async_data(req)) {
5747 ret = -ENOMEM;
5748 goto out;
5749 }
5750 memcpy(req->async_data, &__io, sizeof(__io));
5751 return -EAGAIN;
5752 }
5753 if (ret == -ERESTARTSYS)
5754 ret = -EINTR;
5755 out:
5756 if (ret < 0)
5757 req_set_fail(req);
5758 __io_req_complete(req, issue_flags, ret, 0);
5759 return 0;
5760 }
5761 #else /* !CONFIG_NET */
5762 #define IO_NETOP_FN(op) \
5763 static int io_##op(struct io_kiocb *req, unsigned int issue_flags) \
5764 { \
5765 return -EOPNOTSUPP; \
5766 }
5767
5768 #define IO_NETOP_PREP(op) \
5769 IO_NETOP_FN(op) \
5770 static int io_##op##_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) \
5771 { \
5772 return -EOPNOTSUPP; \
5773 } \
5774
5775 #define IO_NETOP_PREP_ASYNC(op) \
5776 IO_NETOP_PREP(op) \
5777 static int io_##op##_prep_async(struct io_kiocb *req) \
5778 { \
5779 return -EOPNOTSUPP; \
5780 }
5781
5782 IO_NETOP_PREP_ASYNC(sendmsg);
5783 IO_NETOP_PREP_ASYNC(recvmsg);
5784 IO_NETOP_PREP_ASYNC(connect);
5785 IO_NETOP_PREP(accept);
5786 IO_NETOP_FN(send);
5787 IO_NETOP_FN(recv);
5788 #endif /* CONFIG_NET */
5789
5790 struct io_poll_table {
5791 struct poll_table_struct pt;
5792 struct io_kiocb *req;
5793 int nr_entries;
5794 int error;
5795 };
5796
5797 #define IO_POLL_CANCEL_FLAG BIT(31)
5798 #define IO_POLL_REF_MASK GENMASK(30, 0)
5799
5800 /*
5801 * If refs part of ->poll_refs (see IO_POLL_REF_MASK) is 0, it's free. We can
5802 * bump it and acquire ownership. It's disallowed to modify requests while not
5803 * owning it, that prevents from races for enqueueing task_work's and b/w
5804 * arming poll and wakeups.
5805 */
5806 static inline bool io_poll_get_ownership(struct io_kiocb *req)
5807 {
5808 return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
5809 }
5810
5811 static void io_poll_mark_cancelled(struct io_kiocb *req)
5812 {
5813 atomic_or(IO_POLL_CANCEL_FLAG, &req->poll_refs);
5814 }
5815
5816 static struct io_poll_iocb *io_poll_get_double(struct io_kiocb *req)
5817 {
5818 /* pure poll stashes this in ->async_data, poll driven retry elsewhere */
5819 if (req->opcode == IORING_OP_POLL_ADD)
5820 return req->async_data;
5821 return req->apoll->double_poll;
5822 }
5823
5824 static struct io_poll_iocb *io_poll_get_single(struct io_kiocb *req)
5825 {
5826 if (req->opcode == IORING_OP_POLL_ADD)
5827 return &req->poll;
5828 return &req->apoll->poll;
5829 }
5830
5831 static void io_poll_req_insert(struct io_kiocb *req)
5832 {
5833 struct io_ring_ctx *ctx = req->ctx;
5834 struct hlist_head *list;
5835
5836 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
5837 hlist_add_head(&req->hash_node, list);
5838 }
5839
5840 static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
5841 wait_queue_func_t wake_func)
5842 {
5843 poll->head = NULL;
5844 #define IO_POLL_UNMASK (EPOLLERR|EPOLLHUP|EPOLLNVAL|EPOLLRDHUP)
5845 /* mask in events that we always want/need */
5846 poll->events = events | IO_POLL_UNMASK;
5847 INIT_LIST_HEAD(&poll->wait.entry);
5848 init_waitqueue_func_entry(&poll->wait, wake_func);
5849 }
5850
5851 static inline void io_poll_remove_entry(struct io_poll_iocb *poll)
5852 {
5853 struct wait_queue_head *head = smp_load_acquire(&poll->head);
5854
5855 if (head) {
5856 spin_lock_irq(&head->lock);
5857 list_del_init(&poll->wait.entry);
5858 poll->head = NULL;
5859 spin_unlock_irq(&head->lock);
5860 }
5861 }
5862
5863 static void io_poll_remove_entries(struct io_kiocb *req)
5864 {
5865 /*
5866 * Nothing to do if neither of those flags are set. Avoid dipping
5867 * into the poll/apoll/double cachelines if we can.
5868 */
5869 if (!(req->flags & (REQ_F_SINGLE_POLL | REQ_F_DOUBLE_POLL)))
5870 return;
5871
5872 /*
5873 * While we hold the waitqueue lock and the waitqueue is nonempty,
5874 * wake_up_pollfree() will wait for us. However, taking the waitqueue
5875 * lock in the first place can race with the waitqueue being freed.
5876 *
5877 * We solve this as eventpoll does: by taking advantage of the fact that
5878 * all users of wake_up_pollfree() will RCU-delay the actual free. If
5879 * we enter rcu_read_lock() and see that the pointer to the queue is
5880 * non-NULL, we can then lock it without the memory being freed out from
5881 * under us.
5882 *
5883 * Keep holding rcu_read_lock() as long as we hold the queue lock, in
5884 * case the caller deletes the entry from the queue, leaving it empty.
5885 * In that case, only RCU prevents the queue memory from being freed.
5886 */
5887 rcu_read_lock();
5888 if (req->flags & REQ_F_SINGLE_POLL)
5889 io_poll_remove_entry(io_poll_get_single(req));
5890 if (req->flags & REQ_F_DOUBLE_POLL)
5891 io_poll_remove_entry(io_poll_get_double(req));
5892 rcu_read_unlock();
5893 }
5894
5895 /*
5896 * All poll tw should go through this. Checks for poll events, manages
5897 * references, does rewait, etc.
5898 *
5899 * Returns a negative error on failure. >0 when no action require, which is
5900 * either spurious wakeup or multishot CQE is served. 0 when it's done with
5901 * the request, then the mask is stored in req->result.
5902 */
5903 static int io_poll_check_events(struct io_kiocb *req, bool locked)
5904 {
5905 struct io_ring_ctx *ctx = req->ctx;
5906 int v;
5907
5908 /* req->task == current here, checking PF_EXITING is safe */
5909 if (unlikely(req->task->flags & PF_EXITING))
5910 io_poll_mark_cancelled(req);
5911
5912 do {
5913 v = atomic_read(&req->poll_refs);
5914
5915 /* tw handler should be the owner, and so have some references */
5916 if (WARN_ON_ONCE(!(v & IO_POLL_REF_MASK)))
5917 return 0;
5918 if (v & IO_POLL_CANCEL_FLAG)
5919 return -ECANCELED;
5920
5921 if (!req->result) {
5922 struct poll_table_struct pt = { ._key = req->apoll_events };
5923 req->result = vfs_poll(req->file, &pt) & req->apoll_events;
5924 }
5925
5926 /* multishot, just fill an CQE and proceed */
5927 if (req->result && !(req->apoll_events & EPOLLONESHOT)) {
5928 __poll_t mask = mangle_poll(req->result & req->apoll_events);
5929 bool filled;
5930
5931 spin_lock(&ctx->completion_lock);
5932 filled = io_fill_cqe_aux(ctx, req->user_data, mask,
5933 IORING_CQE_F_MORE);
5934 io_commit_cqring(ctx);
5935 spin_unlock(&ctx->completion_lock);
5936 if (unlikely(!filled))
5937 return -ECANCELED;
5938 io_cqring_ev_posted(ctx);
5939 } else if (req->result) {
5940 return 0;
5941 }
5942
5943 /*
5944 * Release all references, retry if someone tried to restart
5945 * task_work while we were executing it.
5946 */
5947 } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs));
5948
5949 return 1;
5950 }
5951
5952 static void io_poll_task_func(struct io_kiocb *req, bool *locked)
5953 {
5954 struct io_ring_ctx *ctx = req->ctx;
5955 int ret;
5956
5957 ret = io_poll_check_events(req, *locked);
5958 if (ret > 0)
5959 return;
5960
5961 if (!ret) {
5962 req->result = mangle_poll(req->result & req->poll.events);
5963 } else {
5964 req->result = ret;
5965 req_set_fail(req);
5966 }
5967
5968 io_poll_remove_entries(req);
5969 spin_lock(&ctx->completion_lock);
5970 hash_del(&req->hash_node);
5971 __io_req_complete_post(req, req->result, 0);
5972 io_commit_cqring(ctx);
5973 spin_unlock(&ctx->completion_lock);
5974 io_cqring_ev_posted(ctx);
5975 }
5976
5977 static void io_apoll_task_func(struct io_kiocb *req, bool *locked)
5978 {
5979 struct io_ring_ctx *ctx = req->ctx;
5980 int ret;
5981
5982 ret = io_poll_check_events(req, *locked);
5983 if (ret > 0)
5984 return;
5985
5986 io_poll_remove_entries(req);
5987 spin_lock(&ctx->completion_lock);
5988 hash_del(&req->hash_node);
5989 spin_unlock(&ctx->completion_lock);
5990
5991 if (!ret)
5992 io_req_task_submit(req, locked);
5993 else
5994 io_req_complete_failed(req, ret);
5995 }
5996
5997 static void __io_poll_execute(struct io_kiocb *req, int mask,
5998 __poll_t __maybe_unused events)
5999 {
6000 req->result = mask;
6001 /*
6002 * This is useful for poll that is armed on behalf of another
6003 * request, and where the wakeup path could be on a different
6004 * CPU. We want to avoid pulling in req->apoll->events for that
6005 * case.
6006 */
6007 if (req->opcode == IORING_OP_POLL_ADD)
6008 req->io_task_work.func = io_poll_task_func;
6009 else
6010 req->io_task_work.func = io_apoll_task_func;
6011
6012 trace_io_uring_task_add(req->ctx, req, req->user_data, req->opcode, mask);
6013 io_req_task_work_add(req, false);
6014 }
6015
6016 static inline void io_poll_execute(struct io_kiocb *req, int res,
6017 __poll_t events)
6018 {
6019 if (io_poll_get_ownership(req))
6020 __io_poll_execute(req, res, events);
6021 }
6022
6023 static void io_poll_cancel_req(struct io_kiocb *req)
6024 {
6025 io_poll_mark_cancelled(req);
6026 /* kick tw, which should complete the request */
6027 io_poll_execute(req, 0, 0);
6028 }
6029
6030 #define wqe_to_req(wait) ((void *)((unsigned long) (wait)->private & ~1))
6031 #define wqe_is_double(wait) ((unsigned long) (wait)->private & 1)
6032 #define IO_ASYNC_POLL_COMMON (EPOLLONESHOT | POLLPRI)
6033
6034 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
6035 void *key)
6036 {
6037 struct io_kiocb *req = wqe_to_req(wait);
6038 struct io_poll_iocb *poll = container_of(wait, struct io_poll_iocb,
6039 wait);
6040 __poll_t mask = key_to_poll(key);
6041
6042 if (unlikely(mask & POLLFREE)) {
6043 io_poll_mark_cancelled(req);
6044 /* we have to kick tw in case it's not already */
6045 io_poll_execute(req, 0, poll->events);
6046
6047 /*
6048 * If the waitqueue is being freed early but someone is already
6049 * holds ownership over it, we have to tear down the request as
6050 * best we can. That means immediately removing the request from
6051 * its waitqueue and preventing all further accesses to the
6052 * waitqueue via the request.
6053 */
6054 list_del_init(&poll->wait.entry);
6055
6056 /*
6057 * Careful: this *must* be the last step, since as soon
6058 * as req->head is NULL'ed out, the request can be
6059 * completed and freed, since aio_poll_complete_work()
6060 * will no longer need to take the waitqueue lock.
6061 */
6062 smp_store_release(&poll->head, NULL);
6063 return 1;
6064 }
6065
6066 /* for instances that support it check for an event match first */
6067 if (mask && !(mask & (poll->events & ~IO_ASYNC_POLL_COMMON)))
6068 return 0;
6069
6070 if (io_poll_get_ownership(req)) {
6071 /* optional, saves extra locking for removal in tw handler */
6072 if (mask && poll->events & EPOLLONESHOT) {
6073 list_del_init(&poll->wait.entry);
6074 poll->head = NULL;
6075 if (wqe_is_double(wait))
6076 req->flags &= ~REQ_F_DOUBLE_POLL;
6077 else
6078 req->flags &= ~REQ_F_SINGLE_POLL;
6079 }
6080 __io_poll_execute(req, mask, poll->events);
6081 }
6082 return 1;
6083 }
6084
6085 static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
6086 struct wait_queue_head *head,
6087 struct io_poll_iocb **poll_ptr)
6088 {
6089 struct io_kiocb *req = pt->req;
6090 unsigned long wqe_private = (unsigned long) req;
6091
6092 /*
6093 * The file being polled uses multiple waitqueues for poll handling
6094 * (e.g. one for read, one for write). Setup a separate io_poll_iocb
6095 * if this happens.
6096 */
6097 if (unlikely(pt->nr_entries)) {
6098 struct io_poll_iocb *first = poll;
6099
6100 /* double add on the same waitqueue head, ignore */
6101 if (first->head == head)
6102 return;
6103 /* already have a 2nd entry, fail a third attempt */
6104 if (*poll_ptr) {
6105 if ((*poll_ptr)->head == head)
6106 return;
6107 pt->error = -EINVAL;
6108 return;
6109 }
6110
6111 poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
6112 if (!poll) {
6113 pt->error = -ENOMEM;
6114 return;
6115 }
6116 /* mark as double wq entry */
6117 wqe_private |= 1;
6118 req->flags |= REQ_F_DOUBLE_POLL;
6119 io_init_poll_iocb(poll, first->events, first->wait.func);
6120 *poll_ptr = poll;
6121 if (req->opcode == IORING_OP_POLL_ADD)
6122 req->flags |= REQ_F_ASYNC_DATA;
6123 }
6124
6125 req->flags |= REQ_F_SINGLE_POLL;
6126 pt->nr_entries++;
6127 poll->head = head;
6128 poll->wait.private = (void *) wqe_private;
6129
6130 if (poll->events & EPOLLEXCLUSIVE)
6131 add_wait_queue_exclusive(head, &poll->wait);
6132 else
6133 add_wait_queue(head, &poll->wait);
6134 }
6135
6136 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
6137 struct poll_table_struct *p)
6138 {
6139 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
6140
6141 __io_queue_proc(&pt->req->poll, pt, head,
6142 (struct io_poll_iocb **) &pt->req->async_data);
6143 }
6144
6145 static int __io_arm_poll_handler(struct io_kiocb *req,
6146 struct io_poll_iocb *poll,
6147 struct io_poll_table *ipt, __poll_t mask)
6148 {
6149 struct io_ring_ctx *ctx = req->ctx;
6150 int v;
6151
6152 INIT_HLIST_NODE(&req->hash_node);
6153 io_init_poll_iocb(poll, mask, io_poll_wake);
6154 poll->file = req->file;
6155
6156 req->apoll_events = poll->events;
6157
6158 ipt->pt._key = mask;
6159 ipt->req = req;
6160 ipt->error = 0;
6161 ipt->nr_entries = 0;
6162
6163 /*
6164 * Take the ownership to delay any tw execution up until we're done
6165 * with poll arming. see io_poll_get_ownership().
6166 */
6167 atomic_set(&req->poll_refs, 1);
6168 mask = vfs_poll(req->file, &ipt->pt) & poll->events;
6169
6170 if (mask && (poll->events & EPOLLONESHOT)) {
6171 io_poll_remove_entries(req);
6172 /* no one else has access to the req, forget about the ref */
6173 return mask;
6174 }
6175 if (!mask && unlikely(ipt->error || !ipt->nr_entries)) {
6176 io_poll_remove_entries(req);
6177 if (!ipt->error)
6178 ipt->error = -EINVAL;
6179 return 0;
6180 }
6181
6182 spin_lock(&ctx->completion_lock);
6183 io_poll_req_insert(req);
6184 spin_unlock(&ctx->completion_lock);
6185
6186 if (mask) {
6187 /* can't multishot if failed, just queue the event we've got */
6188 if (unlikely(ipt->error || !ipt->nr_entries)) {
6189 poll->events |= EPOLLONESHOT;
6190 req->apoll_events |= EPOLLONESHOT;
6191 ipt->error = 0;
6192 }
6193 __io_poll_execute(req, mask, poll->events);
6194 return 0;
6195 }
6196
6197 /*
6198 * Release ownership. If someone tried to queue a tw while it was
6199 * locked, kick it off for them.
6200 */
6201 v = atomic_dec_return(&req->poll_refs);
6202 if (unlikely(v & IO_POLL_REF_MASK))
6203 __io_poll_execute(req, 0, poll->events);
6204 return 0;
6205 }
6206
6207 static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
6208 struct poll_table_struct *p)
6209 {
6210 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
6211 struct async_poll *apoll = pt->req->apoll;
6212
6213 __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
6214 }
6215
6216 enum {
6217 IO_APOLL_OK,
6218 IO_APOLL_ABORTED,
6219 IO_APOLL_READY
6220 };
6221
6222 static int io_arm_poll_handler(struct io_kiocb *req, unsigned issue_flags)
6223 {
6224 const struct io_op_def *def = &io_op_defs[req->opcode];
6225 struct io_ring_ctx *ctx = req->ctx;
6226 struct async_poll *apoll;
6227 struct io_poll_table ipt;
6228 __poll_t mask = IO_ASYNC_POLL_COMMON | POLLERR;
6229 int ret;
6230
6231 if (!def->pollin && !def->pollout)
6232 return IO_APOLL_ABORTED;
6233 if (!file_can_poll(req->file) || (req->flags & REQ_F_POLLED))
6234 return IO_APOLL_ABORTED;
6235
6236 if (def->pollin) {
6237 mask |= POLLIN | POLLRDNORM;
6238
6239 /* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */
6240 if ((req->opcode == IORING_OP_RECVMSG) &&
6241 (req->sr_msg.msg_flags & MSG_ERRQUEUE))
6242 mask &= ~POLLIN;
6243 } else {
6244 mask |= POLLOUT | POLLWRNORM;
6245 }
6246 if (def->poll_exclusive)
6247 mask |= EPOLLEXCLUSIVE;
6248 if (!(issue_flags & IO_URING_F_UNLOCKED) &&
6249 !list_empty(&ctx->apoll_cache)) {
6250 apoll = list_first_entry(&ctx->apoll_cache, struct async_poll,
6251 poll.wait.entry);
6252 list_del_init(&apoll->poll.wait.entry);
6253 } else {
6254 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
6255 if (unlikely(!apoll))
6256 return IO_APOLL_ABORTED;
6257 }
6258 apoll->double_poll = NULL;
6259 req->apoll = apoll;
6260 req->flags |= REQ_F_POLLED;
6261 ipt.pt._qproc = io_async_queue_proc;
6262
6263 io_kbuf_recycle(req, issue_flags);
6264
6265 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask);
6266 if (ret || ipt.error)
6267 return ret ? IO_APOLL_READY : IO_APOLL_ABORTED;
6268
6269 trace_io_uring_poll_arm(ctx, req, req->user_data, req->opcode,
6270 mask, apoll->poll.events);
6271 return IO_APOLL_OK;
6272 }
6273
6274 /*
6275 * Returns true if we found and killed one or more poll requests
6276 */
6277 static __cold bool io_poll_remove_all(struct io_ring_ctx *ctx,
6278 struct task_struct *tsk, bool cancel_all)
6279 {
6280 struct hlist_node *tmp;
6281 struct io_kiocb *req;
6282 bool found = false;
6283 int i;
6284
6285 spin_lock(&ctx->completion_lock);
6286 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
6287 struct hlist_head *list;
6288
6289 list = &ctx->cancel_hash[i];
6290 hlist_for_each_entry_safe(req, tmp, list, hash_node) {
6291 if (io_match_task_safe(req, tsk, cancel_all)) {
6292 hlist_del_init(&req->hash_node);
6293 io_poll_cancel_req(req);
6294 found = true;
6295 }
6296 }
6297 }
6298 spin_unlock(&ctx->completion_lock);
6299 return found;
6300 }
6301
6302 static struct io_kiocb *io_poll_find(struct io_ring_ctx *ctx, __u64 sqe_addr,
6303 bool poll_only)
6304 __must_hold(&ctx->completion_lock)
6305 {
6306 struct hlist_head *list;
6307 struct io_kiocb *req;
6308
6309 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
6310 hlist_for_each_entry(req, list, hash_node) {
6311 if (sqe_addr != req->user_data)
6312 continue;
6313 if (poll_only && req->opcode != IORING_OP_POLL_ADD)
6314 continue;
6315 return req;
6316 }
6317 return NULL;
6318 }
6319
6320 static bool io_poll_disarm(struct io_kiocb *req)
6321 __must_hold(&ctx->completion_lock)
6322 {
6323 if (!io_poll_get_ownership(req))
6324 return false;
6325 io_poll_remove_entries(req);
6326 hash_del(&req->hash_node);
6327 return true;
6328 }
6329
6330 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr,
6331 bool poll_only)
6332 __must_hold(&ctx->completion_lock)
6333 {
6334 struct io_kiocb *req = io_poll_find(ctx, sqe_addr, poll_only);
6335
6336 if (!req)
6337 return -ENOENT;
6338 io_poll_cancel_req(req);
6339 return 0;
6340 }
6341
6342 static __poll_t io_poll_parse_events(const struct io_uring_sqe *sqe,
6343 unsigned int flags)
6344 {
6345 u32 events;
6346
6347 events = READ_ONCE(sqe->poll32_events);
6348 #ifdef __BIG_ENDIAN
6349 events = swahw32(events);
6350 #endif
6351 if (!(flags & IORING_POLL_ADD_MULTI))
6352 events |= EPOLLONESHOT;
6353 return demangle_poll(events) | (events & (EPOLLEXCLUSIVE|EPOLLONESHOT));
6354 }
6355
6356 static int io_poll_update_prep(struct io_kiocb *req,
6357 const struct io_uring_sqe *sqe)
6358 {
6359 struct io_poll_update *upd = &req->poll_update;
6360 u32 flags;
6361
6362 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
6363 return -EINVAL;
6364 if (sqe->ioprio || sqe->buf_index || sqe->splice_fd_in)
6365 return -EINVAL;
6366 flags = READ_ONCE(sqe->len);
6367 if (flags & ~(IORING_POLL_UPDATE_EVENTS | IORING_POLL_UPDATE_USER_DATA |
6368 IORING_POLL_ADD_MULTI))
6369 return -EINVAL;
6370 /* meaningless without update */
6371 if (flags == IORING_POLL_ADD_MULTI)
6372 return -EINVAL;
6373
6374 upd->old_user_data = READ_ONCE(sqe->addr);
6375 upd->update_events = flags & IORING_POLL_UPDATE_EVENTS;
6376 upd->update_user_data = flags & IORING_POLL_UPDATE_USER_DATA;
6377
6378 upd->new_user_data = READ_ONCE(sqe->off);
6379 if (!upd->update_user_data && upd->new_user_data)
6380 return -EINVAL;
6381 if (upd->update_events)
6382 upd->events = io_poll_parse_events(sqe, flags);
6383 else if (sqe->poll32_events)
6384 return -EINVAL;
6385
6386 return 0;
6387 }
6388
6389 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
6390 {
6391 struct io_poll_iocb *poll = &req->poll;
6392 u32 flags;
6393
6394 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
6395 return -EINVAL;
6396 if (sqe->ioprio || sqe->buf_index || sqe->off || sqe->addr)
6397 return -EINVAL;
6398 flags = READ_ONCE(sqe->len);
6399 if (flags & ~IORING_POLL_ADD_MULTI)
6400 return -EINVAL;
6401 if ((flags & IORING_POLL_ADD_MULTI) && (req->flags & REQ_F_CQE_SKIP))
6402 return -EINVAL;
6403
6404 io_req_set_refcount(req);
6405 poll->events = io_poll_parse_events(sqe, flags);
6406 return 0;
6407 }
6408
6409 static int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
6410 {
6411 struct io_poll_iocb *poll = &req->poll;
6412 struct io_poll_table ipt;
6413 int ret;
6414
6415 ipt.pt._qproc = io_poll_queue_proc;
6416
6417 ret = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events);
6418 if (!ret && ipt.error)
6419 req_set_fail(req);
6420 ret = ret ?: ipt.error;
6421 if (ret)
6422 __io_req_complete(req, issue_flags, ret, 0);
6423 return 0;
6424 }
6425
6426 static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
6427 {
6428 struct io_ring_ctx *ctx = req->ctx;
6429 struct io_kiocb *preq;
6430 int ret2, ret = 0;
6431 bool locked;
6432
6433 spin_lock(&ctx->completion_lock);
6434 preq = io_poll_find(ctx, req->poll_update.old_user_data, true);
6435 if (!preq || !io_poll_disarm(preq)) {
6436 spin_unlock(&ctx->completion_lock);
6437 ret = preq ? -EALREADY : -ENOENT;
6438 goto out;
6439 }
6440 spin_unlock(&ctx->completion_lock);
6441
6442 if (req->poll_update.update_events || req->poll_update.update_user_data) {
6443 /* only mask one event flags, keep behavior flags */
6444 if (req->poll_update.update_events) {
6445 preq->poll.events &= ~0xffff;
6446 preq->poll.events |= req->poll_update.events & 0xffff;
6447 preq->poll.events |= IO_POLL_UNMASK;
6448 }
6449 if (req->poll_update.update_user_data)
6450 preq->user_data = req->poll_update.new_user_data;
6451
6452 ret2 = io_poll_add(preq, issue_flags);
6453 /* successfully updated, don't complete poll request */
6454 if (!ret2)
6455 goto out;
6456 }
6457
6458 req_set_fail(preq);
6459 preq->result = -ECANCELED;
6460 locked = !(issue_flags & IO_URING_F_UNLOCKED);
6461 io_req_task_complete(preq, &locked);
6462 out:
6463 if (ret < 0)
6464 req_set_fail(req);
6465 /* complete update request, we're done with it */
6466 __io_req_complete(req, issue_flags, ret, 0);
6467 return 0;
6468 }
6469
6470 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
6471 {
6472 struct io_timeout_data *data = container_of(timer,
6473 struct io_timeout_data, timer);
6474 struct io_kiocb *req = data->req;
6475 struct io_ring_ctx *ctx = req->ctx;
6476 unsigned long flags;
6477
6478 spin_lock_irqsave(&ctx->timeout_lock, flags);
6479 list_del_init(&req->timeout.list);
6480 atomic_set(&req->ctx->cq_timeouts,
6481 atomic_read(&req->ctx->cq_timeouts) + 1);
6482 spin_unlock_irqrestore(&ctx->timeout_lock, flags);
6483
6484 if (!(data->flags & IORING_TIMEOUT_ETIME_SUCCESS))
6485 req_set_fail(req);
6486
6487 req->result = -ETIME;
6488 req->io_task_work.func = io_req_task_complete;
6489 io_req_task_work_add(req, false);
6490 return HRTIMER_NORESTART;
6491 }
6492
6493 static struct io_kiocb *io_timeout_extract(struct io_ring_ctx *ctx,
6494 __u64 user_data)
6495 __must_hold(&ctx->timeout_lock)
6496 {
6497 struct io_timeout_data *io;
6498 struct io_kiocb *req;
6499 bool found = false;
6500
6501 list_for_each_entry(req, &ctx->timeout_list, timeout.list) {
6502 found = user_data == req->user_data;
6503 if (found)
6504 break;
6505 }
6506 if (!found)
6507 return ERR_PTR(-ENOENT);
6508
6509 io = req->async_data;
6510 if (hrtimer_try_to_cancel(&io->timer) == -1)
6511 return ERR_PTR(-EALREADY);
6512 list_del_init(&req->timeout.list);
6513 return req;
6514 }
6515
6516 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
6517 __must_hold(&ctx->completion_lock)
6518 __must_hold(&ctx->timeout_lock)
6519 {
6520 struct io_kiocb *req = io_timeout_extract(ctx, user_data);
6521
6522 if (IS_ERR(req))
6523 return PTR_ERR(req);
6524 io_req_task_queue_fail(req, -ECANCELED);
6525 return 0;
6526 }
6527
6528 static clockid_t io_timeout_get_clock(struct io_timeout_data *data)
6529 {
6530 switch (data->flags & IORING_TIMEOUT_CLOCK_MASK) {
6531 case IORING_TIMEOUT_BOOTTIME:
6532 return CLOCK_BOOTTIME;
6533 case IORING_TIMEOUT_REALTIME:
6534 return CLOCK_REALTIME;
6535 default:
6536 /* can't happen, vetted at prep time */
6537 WARN_ON_ONCE(1);
6538 fallthrough;
6539 case 0:
6540 return CLOCK_MONOTONIC;
6541 }
6542 }
6543
6544 static int io_linked_timeout_update(struct io_ring_ctx *ctx, __u64 user_data,
6545 struct timespec64 *ts, enum hrtimer_mode mode)
6546 __must_hold(&ctx->timeout_lock)
6547 {
6548 struct io_timeout_data *io;
6549 struct io_kiocb *req;
6550 bool found = false;
6551
6552 list_for_each_entry(req, &ctx->ltimeout_list, timeout.list) {
6553 found = user_data == req->user_data;
6554 if (found)
6555 break;
6556 }
6557 if (!found)
6558 return -ENOENT;
6559
6560 io = req->async_data;
6561 if (hrtimer_try_to_cancel(&io->timer) == -1)
6562 return -EALREADY;
6563 hrtimer_init(&io->timer, io_timeout_get_clock(io), mode);
6564 io->timer.function = io_link_timeout_fn;
6565 hrtimer_start(&io->timer, timespec64_to_ktime(*ts), mode);
6566 return 0;
6567 }
6568
6569 static int io_timeout_update(struct io_ring_ctx *ctx, __u64 user_data,
6570 struct timespec64 *ts, enum hrtimer_mode mode)
6571 __must_hold(&ctx->timeout_lock)
6572 {
6573 struct io_kiocb *req = io_timeout_extract(ctx, user_data);
6574 struct io_timeout_data *data;
6575
6576 if (IS_ERR(req))
6577 return PTR_ERR(req);
6578
6579 req->timeout.off = 0; /* noseq */
6580 data = req->async_data;
6581 list_add_tail(&req->timeout.list, &ctx->timeout_list);
6582 hrtimer_init(&data->timer, io_timeout_get_clock(data), mode);
6583 data->timer.function = io_timeout_fn;
6584 hrtimer_start(&data->timer, timespec64_to_ktime(*ts), mode);
6585 return 0;
6586 }
6587
6588 static int io_timeout_remove_prep(struct io_kiocb *req,
6589 const struct io_uring_sqe *sqe)
6590 {
6591 struct io_timeout_rem *tr = &req->timeout_rem;
6592
6593 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
6594 return -EINVAL;
6595 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
6596 return -EINVAL;
6597 if (sqe->ioprio || sqe->buf_index || sqe->len || sqe->splice_fd_in)
6598 return -EINVAL;
6599
6600 tr->ltimeout = false;
6601 tr->addr = READ_ONCE(sqe->addr);
6602 tr->flags = READ_ONCE(sqe->timeout_flags);
6603 if (tr->flags & IORING_TIMEOUT_UPDATE_MASK) {
6604 if (hweight32(tr->flags & IORING_TIMEOUT_CLOCK_MASK) > 1)
6605 return -EINVAL;
6606 if (tr->flags & IORING_LINK_TIMEOUT_UPDATE)
6607 tr->ltimeout = true;
6608 if (tr->flags & ~(IORING_TIMEOUT_UPDATE_MASK|IORING_TIMEOUT_ABS))
6609 return -EINVAL;
6610 if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2)))
6611 return -EFAULT;
6612 if (tr->ts.tv_sec < 0 || tr->ts.tv_nsec < 0)
6613 return -EINVAL;
6614 } else if (tr->flags) {
6615 /* timeout removal doesn't support flags */
6616 return -EINVAL;
6617 }
6618
6619 return 0;
6620 }
6621
6622 static inline enum hrtimer_mode io_translate_timeout_mode(unsigned int flags)
6623 {
6624 return (flags & IORING_TIMEOUT_ABS) ? HRTIMER_MODE_ABS
6625 : HRTIMER_MODE_REL;
6626 }
6627
6628 /*
6629 * Remove or update an existing timeout command
6630 */
6631 static int io_timeout_remove(struct io_kiocb *req, unsigned int issue_flags)
6632 {
6633 struct io_timeout_rem *tr = &req->timeout_rem;
6634 struct io_ring_ctx *ctx = req->ctx;
6635 int ret;
6636
6637 if (!(req->timeout_rem.flags & IORING_TIMEOUT_UPDATE)) {
6638 spin_lock(&ctx->completion_lock);
6639 spin_lock_irq(&ctx->timeout_lock);
6640 ret = io_timeout_cancel(ctx, tr->addr);
6641 spin_unlock_irq(&ctx->timeout_lock);
6642 spin_unlock(&ctx->completion_lock);
6643 } else {
6644 enum hrtimer_mode mode = io_translate_timeout_mode(tr->flags);
6645
6646 spin_lock_irq(&ctx->timeout_lock);
6647 if (tr->ltimeout)
6648 ret = io_linked_timeout_update(ctx, tr->addr, &tr->ts, mode);
6649 else
6650 ret = io_timeout_update(ctx, tr->addr, &tr->ts, mode);
6651 spin_unlock_irq(&ctx->timeout_lock);
6652 }
6653
6654 if (ret < 0)
6655 req_set_fail(req);
6656 io_req_complete_post(req, ret, 0);
6657 return 0;
6658 }
6659
6660 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
6661 bool is_timeout_link)
6662 {
6663 struct io_timeout_data *data;
6664 unsigned flags;
6665 u32 off = READ_ONCE(sqe->off);
6666
6667 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
6668 return -EINVAL;
6669 if (sqe->ioprio || sqe->buf_index || sqe->len != 1 ||
6670 sqe->splice_fd_in)
6671 return -EINVAL;
6672 if (off && is_timeout_link)
6673 return -EINVAL;
6674 flags = READ_ONCE(sqe->timeout_flags);
6675 if (flags & ~(IORING_TIMEOUT_ABS | IORING_TIMEOUT_CLOCK_MASK |
6676 IORING_TIMEOUT_ETIME_SUCCESS))
6677 return -EINVAL;
6678 /* more than one clock specified is invalid, obviously */
6679 if (hweight32(flags & IORING_TIMEOUT_CLOCK_MASK) > 1)
6680 return -EINVAL;
6681
6682 INIT_LIST_HEAD(&req->timeout.list);
6683 req->timeout.off = off;
6684 if (unlikely(off && !req->ctx->off_timeout_used))
6685 req->ctx->off_timeout_used = true;
6686
6687 if (WARN_ON_ONCE(req_has_async_data(req)))
6688 return -EFAULT;
6689 if (io_alloc_async_data(req))
6690 return -ENOMEM;
6691
6692 data = req->async_data;
6693 data->req = req;
6694 data->flags = flags;
6695
6696 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
6697 return -EFAULT;
6698
6699 if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0)
6700 return -EINVAL;
6701
6702 INIT_LIST_HEAD(&req->timeout.list);
6703 data->mode = io_translate_timeout_mode(flags);
6704 hrtimer_init(&data->timer, io_timeout_get_clock(data), data->mode);
6705
6706 if (is_timeout_link) {
6707 struct io_submit_link *link = &req->ctx->submit_state.link;
6708
6709 if (!link->head)
6710 return -EINVAL;
6711 if (link->last->opcode == IORING_OP_LINK_TIMEOUT)
6712 return -EINVAL;
6713 req->timeout.head = link->last;
6714 link->last->flags |= REQ_F_ARM_LTIMEOUT;
6715 }
6716 return 0;
6717 }
6718
6719 static int io_timeout(struct io_kiocb *req, unsigned int issue_flags)
6720 {
6721 struct io_ring_ctx *ctx = req->ctx;
6722 struct io_timeout_data *data = req->async_data;
6723 struct list_head *entry;
6724 u32 tail, off = req->timeout.off;
6725
6726 spin_lock_irq(&ctx->timeout_lock);
6727
6728 /*
6729 * sqe->off holds how many events that need to occur for this
6730 * timeout event to be satisfied. If it isn't set, then this is
6731 * a pure timeout request, sequence isn't used.
6732 */
6733 if (io_is_timeout_noseq(req)) {
6734 entry = ctx->timeout_list.prev;
6735 goto add;
6736 }
6737
6738 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
6739 req->timeout.target_seq = tail + off;
6740
6741 /* Update the last seq here in case io_flush_timeouts() hasn't.
6742 * This is safe because ->completion_lock is held, and submissions
6743 * and completions are never mixed in the same ->completion_lock section.
6744 */
6745 ctx->cq_last_tm_flush = tail;
6746
6747 /*
6748 * Insertion sort, ensuring the first entry in the list is always
6749 * the one we need first.
6750 */
6751 list_for_each_prev(entry, &ctx->timeout_list) {
6752 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb,
6753 timeout.list);
6754
6755 if (io_is_timeout_noseq(nxt))
6756 continue;
6757 /* nxt.seq is behind @tail, otherwise would've been completed */
6758 if (off >= nxt->timeout.target_seq - tail)
6759 break;
6760 }
6761 add:
6762 list_add(&req->timeout.list, entry);
6763 data->timer.function = io_timeout_fn;
6764 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
6765 spin_unlock_irq(&ctx->timeout_lock);
6766 return 0;
6767 }
6768
6769 struct io_cancel_data {
6770 struct io_ring_ctx *ctx;
6771 u64 user_data;
6772 };
6773
6774 static bool io_cancel_cb(struct io_wq_work *work, void *data)
6775 {
6776 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
6777 struct io_cancel_data *cd = data;
6778
6779 return req->ctx == cd->ctx && req->user_data == cd->user_data;
6780 }
6781
6782 static int io_async_cancel_one(struct io_uring_task *tctx, u64 user_data,
6783 struct io_ring_ctx *ctx)
6784 {
6785 struct io_cancel_data data = { .ctx = ctx, .user_data = user_data, };
6786 enum io_wq_cancel cancel_ret;
6787 int ret = 0;
6788
6789 if (!tctx || !tctx->io_wq)
6790 return -ENOENT;
6791
6792 cancel_ret = io_wq_cancel_cb(tctx->io_wq, io_cancel_cb, &data, false);
6793 switch (cancel_ret) {
6794 case IO_WQ_CANCEL_OK:
6795 ret = 0;
6796 break;
6797 case IO_WQ_CANCEL_RUNNING:
6798 ret = -EALREADY;
6799 break;
6800 case IO_WQ_CANCEL_NOTFOUND:
6801 ret = -ENOENT;
6802 break;
6803 }
6804
6805 return ret;
6806 }
6807
6808 static int io_try_cancel_userdata(struct io_kiocb *req, u64 sqe_addr)
6809 {
6810 struct io_ring_ctx *ctx = req->ctx;
6811 int ret;
6812
6813 WARN_ON_ONCE(!io_wq_current_is_worker() && req->task != current);
6814
6815 ret = io_async_cancel_one(req->task->io_uring, sqe_addr, ctx);
6816 /*
6817 * Fall-through even for -EALREADY, as we may have poll armed
6818 * that need unarming.
6819 */
6820 if (!ret)
6821 return 0;
6822
6823 spin_lock(&ctx->completion_lock);
6824 ret = io_poll_cancel(ctx, sqe_addr, false);
6825 if (ret != -ENOENT)
6826 goto out;
6827
6828 spin_lock_irq(&ctx->timeout_lock);
6829 ret = io_timeout_cancel(ctx, sqe_addr);
6830 spin_unlock_irq(&ctx->timeout_lock);
6831 out:
6832 spin_unlock(&ctx->completion_lock);
6833 return ret;
6834 }
6835
6836 static int io_async_cancel_prep(struct io_kiocb *req,
6837 const struct io_uring_sqe *sqe)
6838 {
6839 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
6840 return -EINVAL;
6841 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
6842 return -EINVAL;
6843 if (sqe->ioprio || sqe->off || sqe->len || sqe->cancel_flags ||
6844 sqe->splice_fd_in)
6845 return -EINVAL;
6846
6847 req->cancel.addr = READ_ONCE(sqe->addr);
6848 return 0;
6849 }
6850
6851 static int io_async_cancel(struct io_kiocb *req, unsigned int issue_flags)
6852 {
6853 struct io_ring_ctx *ctx = req->ctx;
6854 u64 sqe_addr = req->cancel.addr;
6855 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
6856 struct io_tctx_node *node;
6857 int ret;
6858
6859 ret = io_try_cancel_userdata(req, sqe_addr);
6860 if (ret != -ENOENT)
6861 goto done;
6862
6863 /* slow path, try all io-wq's */
6864 io_ring_submit_lock(ctx, needs_lock);
6865 ret = -ENOENT;
6866 list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
6867 struct io_uring_task *tctx = node->task->io_uring;
6868
6869 ret = io_async_cancel_one(tctx, req->cancel.addr, ctx);
6870 if (ret != -ENOENT)
6871 break;
6872 }
6873 io_ring_submit_unlock(ctx, needs_lock);
6874 done:
6875 if (ret < 0)
6876 req_set_fail(req);
6877 io_req_complete_post(req, ret, 0);
6878 return 0;
6879 }
6880
6881 static int io_rsrc_update_prep(struct io_kiocb *req,
6882 const struct io_uring_sqe *sqe)
6883 {
6884 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
6885 return -EINVAL;
6886 if (sqe->ioprio || sqe->rw_flags || sqe->splice_fd_in)
6887 return -EINVAL;
6888
6889 req->rsrc_update.offset = READ_ONCE(sqe->off);
6890 req->rsrc_update.nr_args = READ_ONCE(sqe->len);
6891 if (!req->rsrc_update.nr_args)
6892 return -EINVAL;
6893 req->rsrc_update.arg = READ_ONCE(sqe->addr);
6894 return 0;
6895 }
6896
6897 static int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
6898 {
6899 struct io_ring_ctx *ctx = req->ctx;
6900 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
6901 struct io_uring_rsrc_update2 up;
6902 int ret;
6903
6904 up.offset = req->rsrc_update.offset;
6905 up.data = req->rsrc_update.arg;
6906 up.nr = 0;
6907 up.tags = 0;
6908 up.resv = 0;
6909 up.resv2 = 0;
6910
6911 io_ring_submit_lock(ctx, needs_lock);
6912 ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
6913 &up, req->rsrc_update.nr_args);
6914 io_ring_submit_unlock(ctx, needs_lock);
6915
6916 if (ret < 0)
6917 req_set_fail(req);
6918 __io_req_complete(req, issue_flags, ret, 0);
6919 return 0;
6920 }
6921
6922 static int io_req_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
6923 {
6924 switch (req->opcode) {
6925 case IORING_OP_NOP:
6926 return 0;
6927 case IORING_OP_READV:
6928 case IORING_OP_READ_FIXED:
6929 case IORING_OP_READ:
6930 case IORING_OP_WRITEV:
6931 case IORING_OP_WRITE_FIXED:
6932 case IORING_OP_WRITE:
6933 return io_prep_rw(req, sqe);
6934 case IORING_OP_POLL_ADD:
6935 return io_poll_add_prep(req, sqe);
6936 case IORING_OP_POLL_REMOVE:
6937 return io_poll_update_prep(req, sqe);
6938 case IORING_OP_FSYNC:
6939 return io_fsync_prep(req, sqe);
6940 case IORING_OP_SYNC_FILE_RANGE:
6941 return io_sfr_prep(req, sqe);
6942 case IORING_OP_SENDMSG:
6943 case IORING_OP_SEND:
6944 return io_sendmsg_prep(req, sqe);
6945 case IORING_OP_RECVMSG:
6946 case IORING_OP_RECV:
6947 return io_recvmsg_prep(req, sqe);
6948 case IORING_OP_CONNECT:
6949 return io_connect_prep(req, sqe);
6950 case IORING_OP_TIMEOUT:
6951 return io_timeout_prep(req, sqe, false);
6952 case IORING_OP_TIMEOUT_REMOVE:
6953 return io_timeout_remove_prep(req, sqe);
6954 case IORING_OP_ASYNC_CANCEL:
6955 return io_async_cancel_prep(req, sqe);
6956 case IORING_OP_LINK_TIMEOUT:
6957 return io_timeout_prep(req, sqe, true);
6958 case IORING_OP_ACCEPT:
6959 return io_accept_prep(req, sqe);
6960 case IORING_OP_FALLOCATE:
6961 return io_fallocate_prep(req, sqe);
6962 case IORING_OP_OPENAT:
6963 return io_openat_prep(req, sqe);
6964 case IORING_OP_CLOSE:
6965 return io_close_prep(req, sqe);
6966 case IORING_OP_FILES_UPDATE:
6967 return io_rsrc_update_prep(req, sqe);
6968 case IORING_OP_STATX:
6969 return io_statx_prep(req, sqe);
6970 case IORING_OP_FADVISE:
6971 return io_fadvise_prep(req, sqe);
6972 case IORING_OP_MADVISE:
6973 return io_madvise_prep(req, sqe);
6974 case IORING_OP_OPENAT2:
6975 return io_openat2_prep(req, sqe);
6976 case IORING_OP_EPOLL_CTL:
6977 return io_epoll_ctl_prep(req, sqe);
6978 case IORING_OP_SPLICE:
6979 return io_splice_prep(req, sqe);
6980 case IORING_OP_PROVIDE_BUFFERS:
6981 return io_provide_buffers_prep(req, sqe);
6982 case IORING_OP_REMOVE_BUFFERS:
6983 return io_remove_buffers_prep(req, sqe);
6984 case IORING_OP_TEE:
6985 return io_tee_prep(req, sqe);
6986 case IORING_OP_SHUTDOWN:
6987 return io_shutdown_prep(req, sqe);
6988 case IORING_OP_RENAMEAT:
6989 return io_renameat_prep(req, sqe);
6990 case IORING_OP_UNLINKAT:
6991 return io_unlinkat_prep(req, sqe);
6992 case IORING_OP_MKDIRAT:
6993 return io_mkdirat_prep(req, sqe);
6994 case IORING_OP_SYMLINKAT:
6995 return io_symlinkat_prep(req, sqe);
6996 case IORING_OP_LINKAT:
6997 return io_linkat_prep(req, sqe);
6998 case IORING_OP_MSG_RING:
6999 return io_msg_ring_prep(req, sqe);
7000 }
7001
7002 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
7003 req->opcode);
7004 return -EINVAL;
7005 }
7006
7007 static int io_req_prep_async(struct io_kiocb *req)
7008 {
7009 const struct io_op_def *def = &io_op_defs[req->opcode];
7010
7011 /* assign early for deferred execution for non-fixed file */
7012 if (def->needs_file && !(req->flags & REQ_F_FIXED_FILE))
7013 req->file = io_file_get_normal(req, req->fd);
7014 if (!def->needs_async_setup)
7015 return 0;
7016 if (WARN_ON_ONCE(req_has_async_data(req)))
7017 return -EFAULT;
7018 if (io_alloc_async_data(req))
7019 return -EAGAIN;
7020
7021 switch (req->opcode) {
7022 case IORING_OP_READV:
7023 return io_rw_prep_async(req, READ);
7024 case IORING_OP_WRITEV:
7025 return io_rw_prep_async(req, WRITE);
7026 case IORING_OP_SENDMSG:
7027 return io_sendmsg_prep_async(req);
7028 case IORING_OP_RECVMSG:
7029 return io_recvmsg_prep_async(req);
7030 case IORING_OP_CONNECT:
7031 return io_connect_prep_async(req);
7032 }
7033 printk_once(KERN_WARNING "io_uring: prep_async() bad opcode %d\n",
7034 req->opcode);
7035 return -EFAULT;
7036 }
7037
7038 static u32 io_get_sequence(struct io_kiocb *req)
7039 {
7040 u32 seq = req->ctx->cached_sq_head;
7041
7042 /* need original cached_sq_head, but it was increased for each req */
7043 io_for_each_link(req, req)
7044 seq--;
7045 return seq;
7046 }
7047
7048 static __cold void io_drain_req(struct io_kiocb *req)
7049 {
7050 struct io_ring_ctx *ctx = req->ctx;
7051 struct io_defer_entry *de;
7052 int ret;
7053 u32 seq = io_get_sequence(req);
7054
7055 /* Still need defer if there is pending req in defer list. */
7056 spin_lock(&ctx->completion_lock);
7057 if (!req_need_defer(req, seq) && list_empty_careful(&ctx->defer_list)) {
7058 spin_unlock(&ctx->completion_lock);
7059 queue:
7060 ctx->drain_active = false;
7061 io_req_task_queue(req);
7062 return;
7063 }
7064 spin_unlock(&ctx->completion_lock);
7065
7066 ret = io_req_prep_async(req);
7067 if (ret) {
7068 fail:
7069 io_req_complete_failed(req, ret);
7070 return;
7071 }
7072 io_prep_async_link(req);
7073 de = kmalloc(sizeof(*de), GFP_KERNEL);
7074 if (!de) {
7075 ret = -ENOMEM;
7076 goto fail;
7077 }
7078
7079 spin_lock(&ctx->completion_lock);
7080 if (!req_need_defer(req, seq) && list_empty(&ctx->defer_list)) {
7081 spin_unlock(&ctx->completion_lock);
7082 kfree(de);
7083 goto queue;
7084 }
7085
7086 trace_io_uring_defer(ctx, req, req->user_data, req->opcode);
7087 de->req = req;
7088 de->seq = seq;
7089 list_add_tail(&de->list, &ctx->defer_list);
7090 spin_unlock(&ctx->completion_lock);
7091 }
7092
7093 static void io_clean_op(struct io_kiocb *req)
7094 {
7095 if (req->flags & REQ_F_BUFFER_SELECTED) {
7096 spin_lock(&req->ctx->completion_lock);
7097 io_put_kbuf_comp(req);
7098 spin_unlock(&req->ctx->completion_lock);
7099 }
7100
7101 if (req->flags & REQ_F_NEED_CLEANUP) {
7102 switch (req->opcode) {
7103 case IORING_OP_READV:
7104 case IORING_OP_READ_FIXED:
7105 case IORING_OP_READ:
7106 case IORING_OP_WRITEV:
7107 case IORING_OP_WRITE_FIXED:
7108 case IORING_OP_WRITE: {
7109 struct io_async_rw *io = req->async_data;
7110
7111 kfree(io->free_iovec);
7112 break;
7113 }
7114 case IORING_OP_RECVMSG:
7115 case IORING_OP_SENDMSG: {
7116 struct io_async_msghdr *io = req->async_data;
7117
7118 kfree(io->free_iov);
7119 break;
7120 }
7121 case IORING_OP_OPENAT:
7122 case IORING_OP_OPENAT2:
7123 if (req->open.filename)
7124 putname(req->open.filename);
7125 break;
7126 case IORING_OP_RENAMEAT:
7127 putname(req->rename.oldpath);
7128 putname(req->rename.newpath);
7129 break;
7130 case IORING_OP_UNLINKAT:
7131 putname(req->unlink.filename);
7132 break;
7133 case IORING_OP_MKDIRAT:
7134 putname(req->mkdir.filename);
7135 break;
7136 case IORING_OP_SYMLINKAT:
7137 putname(req->symlink.oldpath);
7138 putname(req->symlink.newpath);
7139 break;
7140 case IORING_OP_LINKAT:
7141 putname(req->hardlink.oldpath);
7142 putname(req->hardlink.newpath);
7143 break;
7144 case IORING_OP_STATX:
7145 if (req->statx.filename)
7146 putname(req->statx.filename);
7147 break;
7148 }
7149 }
7150 if ((req->flags & REQ_F_POLLED) && req->apoll) {
7151 kfree(req->apoll->double_poll);
7152 kfree(req->apoll);
7153 req->apoll = NULL;
7154 }
7155 if (req->flags & REQ_F_INFLIGHT) {
7156 struct io_uring_task *tctx = req->task->io_uring;
7157
7158 atomic_dec(&tctx->inflight_tracked);
7159 }
7160 if (req->flags & REQ_F_CREDS)
7161 put_cred(req->creds);
7162 if (req->flags & REQ_F_ASYNC_DATA) {
7163 kfree(req->async_data);
7164 req->async_data = NULL;
7165 }
7166 req->flags &= ~IO_REQ_CLEAN_FLAGS;
7167 }
7168
7169 static bool io_assign_file(struct io_kiocb *req, unsigned int issue_flags)
7170 {
7171 if (req->file || !io_op_defs[req->opcode].needs_file)
7172 return true;
7173
7174 if (req->flags & REQ_F_FIXED_FILE)
7175 req->file = io_file_get_fixed(req, req->fd, issue_flags);
7176 else
7177 req->file = io_file_get_normal(req, req->fd);
7178 if (req->file)
7179 return true;
7180
7181 req_set_fail(req);
7182 req->result = -EBADF;
7183 return false;
7184 }
7185
7186 static int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags)
7187 {
7188 const struct cred *creds = NULL;
7189 int ret;
7190
7191 if (unlikely(!io_assign_file(req, issue_flags)))
7192 return -EBADF;
7193
7194 if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred()))
7195 creds = override_creds(req->creds);
7196
7197 if (!io_op_defs[req->opcode].audit_skip)
7198 audit_uring_entry(req->opcode);
7199
7200 switch (req->opcode) {
7201 case IORING_OP_NOP:
7202 ret = io_nop(req, issue_flags);
7203 break;
7204 case IORING_OP_READV:
7205 case IORING_OP_READ_FIXED:
7206 case IORING_OP_READ:
7207 ret = io_read(req, issue_flags);
7208 break;
7209 case IORING_OP_WRITEV:
7210 case IORING_OP_WRITE_FIXED:
7211 case IORING_OP_WRITE:
7212 ret = io_write(req, issue_flags);
7213 break;
7214 case IORING_OP_FSYNC:
7215 ret = io_fsync(req, issue_flags);
7216 break;
7217 case IORING_OP_POLL_ADD:
7218 ret = io_poll_add(req, issue_flags);
7219 break;
7220 case IORING_OP_POLL_REMOVE:
7221 ret = io_poll_update(req, issue_flags);
7222 break;
7223 case IORING_OP_SYNC_FILE_RANGE:
7224 ret = io_sync_file_range(req, issue_flags);
7225 break;
7226 case IORING_OP_SENDMSG:
7227 ret = io_sendmsg(req, issue_flags);
7228 break;
7229 case IORING_OP_SEND:
7230 ret = io_send(req, issue_flags);
7231 break;
7232 case IORING_OP_RECVMSG:
7233 ret = io_recvmsg(req, issue_flags);
7234 break;
7235 case IORING_OP_RECV:
7236 ret = io_recv(req, issue_flags);
7237 break;
7238 case IORING_OP_TIMEOUT:
7239 ret = io_timeout(req, issue_flags);
7240 break;
7241 case IORING_OP_TIMEOUT_REMOVE:
7242 ret = io_timeout_remove(req, issue_flags);
7243 break;
7244 case IORING_OP_ACCEPT:
7245 ret = io_accept(req, issue_flags);
7246 break;
7247 case IORING_OP_CONNECT:
7248 ret = io_connect(req, issue_flags);
7249 break;
7250 case IORING_OP_ASYNC_CANCEL:
7251 ret = io_async_cancel(req, issue_flags);
7252 break;
7253 case IORING_OP_FALLOCATE:
7254 ret = io_fallocate(req, issue_flags);
7255 break;
7256 case IORING_OP_OPENAT:
7257 ret = io_openat(req, issue_flags);
7258 break;
7259 case IORING_OP_CLOSE:
7260 ret = io_close(req, issue_flags);
7261 break;
7262 case IORING_OP_FILES_UPDATE:
7263 ret = io_files_update(req, issue_flags);
7264 break;
7265 case IORING_OP_STATX:
7266 ret = io_statx(req, issue_flags);
7267 break;
7268 case IORING_OP_FADVISE:
7269 ret = io_fadvise(req, issue_flags);
7270 break;
7271 case IORING_OP_MADVISE:
7272 ret = io_madvise(req, issue_flags);
7273 break;
7274 case IORING_OP_OPENAT2:
7275 ret = io_openat2(req, issue_flags);
7276 break;
7277 case IORING_OP_EPOLL_CTL:
7278 ret = io_epoll_ctl(req, issue_flags);
7279 break;
7280 case IORING_OP_SPLICE:
7281 ret = io_splice(req, issue_flags);
7282 break;
7283 case IORING_OP_PROVIDE_BUFFERS:
7284 ret = io_provide_buffers(req, issue_flags);
7285 break;
7286 case IORING_OP_REMOVE_BUFFERS:
7287 ret = io_remove_buffers(req, issue_flags);
7288 break;
7289 case IORING_OP_TEE:
7290 ret = io_tee(req, issue_flags);
7291 break;
7292 case IORING_OP_SHUTDOWN:
7293 ret = io_shutdown(req, issue_flags);
7294 break;
7295 case IORING_OP_RENAMEAT:
7296 ret = io_renameat(req, issue_flags);
7297 break;
7298 case IORING_OP_UNLINKAT:
7299 ret = io_unlinkat(req, issue_flags);
7300 break;
7301 case IORING_OP_MKDIRAT:
7302 ret = io_mkdirat(req, issue_flags);
7303 break;
7304 case IORING_OP_SYMLINKAT:
7305 ret = io_symlinkat(req, issue_flags);
7306 break;
7307 case IORING_OP_LINKAT:
7308 ret = io_linkat(req, issue_flags);
7309 break;
7310 case IORING_OP_MSG_RING:
7311 ret = io_msg_ring(req, issue_flags);
7312 break;
7313 default:
7314 ret = -EINVAL;
7315 break;
7316 }
7317
7318 if (!io_op_defs[req->opcode].audit_skip)
7319 audit_uring_exit(!ret, ret);
7320
7321 if (creds)
7322 revert_creds(creds);
7323 if (ret)
7324 return ret;
7325 /* If the op doesn't have a file, we're not polling for it */
7326 if ((req->ctx->flags & IORING_SETUP_IOPOLL) && req->file)
7327 io_iopoll_req_issued(req, issue_flags);
7328
7329 return 0;
7330 }
7331
7332 static struct io_wq_work *io_wq_free_work(struct io_wq_work *work)
7333 {
7334 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7335
7336 req = io_put_req_find_next(req);
7337 return req ? &req->work : NULL;
7338 }
7339
7340 static void io_wq_submit_work(struct io_wq_work *work)
7341 {
7342 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
7343 const struct io_op_def *def = &io_op_defs[req->opcode];
7344 unsigned int issue_flags = IO_URING_F_UNLOCKED;
7345 bool needs_poll = false;
7346 struct io_kiocb *timeout;
7347 int ret = 0, err = -ECANCELED;
7348
7349 /* one will be dropped by ->io_free_work() after returning to io-wq */
7350 if (!(req->flags & REQ_F_REFCOUNT))
7351 __io_req_set_refcount(req, 2);
7352 else
7353 req_ref_get(req);
7354
7355 timeout = io_prep_linked_timeout(req);
7356 if (timeout)
7357 io_queue_linked_timeout(timeout);
7358
7359
7360 /* either cancelled or io-wq is dying, so don't touch tctx->iowq */
7361 if (work->flags & IO_WQ_WORK_CANCEL) {
7362 fail:
7363 io_req_task_queue_fail(req, err);
7364 return;
7365 }
7366 if (!io_assign_file(req, issue_flags)) {
7367 err = -EBADF;
7368 work->flags |= IO_WQ_WORK_CANCEL;
7369 goto fail;
7370 }
7371
7372 if (req->flags & REQ_F_FORCE_ASYNC) {
7373 bool opcode_poll = def->pollin || def->pollout;
7374
7375 if (opcode_poll && file_can_poll(req->file)) {
7376 needs_poll = true;
7377 issue_flags |= IO_URING_F_NONBLOCK;
7378 }
7379 }
7380
7381 do {
7382 ret = io_issue_sqe(req, issue_flags);
7383 if (ret != -EAGAIN)
7384 break;
7385 /*
7386 * We can get EAGAIN for iopolled IO even though we're
7387 * forcing a sync submission from here, since we can't
7388 * wait for request slots on the block side.
7389 */
7390 if (!needs_poll) {
7391 if (!(req->ctx->flags & IORING_SETUP_IOPOLL))
7392 break;
7393 cond_resched();
7394 continue;
7395 }
7396
7397 if (io_arm_poll_handler(req, issue_flags) == IO_APOLL_OK)
7398 return;
7399 /* aborted or ready, in either case retry blocking */
7400 needs_poll = false;
7401 issue_flags &= ~IO_URING_F_NONBLOCK;
7402 } while (1);
7403
7404 /* avoid locking problems by failing it from a clean context */
7405 if (ret)
7406 io_req_task_queue_fail(req, ret);
7407 }
7408
7409 static inline struct io_fixed_file *io_fixed_file_slot(struct io_file_table *table,
7410 unsigned i)
7411 {
7412 return &table->files[i];
7413 }
7414
7415 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
7416 int index)
7417 {
7418 struct io_fixed_file *slot = io_fixed_file_slot(&ctx->file_table, index);
7419
7420 return (struct file *) (slot->file_ptr & FFS_MASK);
7421 }
7422
7423 static void io_fixed_file_set(struct io_fixed_file *file_slot, struct file *file)
7424 {
7425 unsigned long file_ptr = (unsigned long) file;
7426
7427 file_ptr |= io_file_get_flags(file);
7428 file_slot->file_ptr = file_ptr;
7429 }
7430
7431 static inline struct file *io_file_get_fixed(struct io_kiocb *req, int fd,
7432 unsigned int issue_flags)
7433 {
7434 struct io_ring_ctx *ctx = req->ctx;
7435 struct file *file = NULL;
7436 unsigned long file_ptr;
7437
7438 if (issue_flags & IO_URING_F_UNLOCKED)
7439 mutex_lock(&ctx->uring_lock);
7440
7441 if (unlikely((unsigned int)fd >= ctx->nr_user_files))
7442 goto out;
7443 fd = array_index_nospec(fd, ctx->nr_user_files);
7444 file_ptr = io_fixed_file_slot(&ctx->file_table, fd)->file_ptr;
7445 file = (struct file *) (file_ptr & FFS_MASK);
7446 file_ptr &= ~FFS_MASK;
7447 /* mask in overlapping REQ_F and FFS bits */
7448 req->flags |= (file_ptr << REQ_F_SUPPORT_NOWAIT_BIT);
7449 io_req_set_rsrc_node(req, ctx, 0);
7450 out:
7451 if (issue_flags & IO_URING_F_UNLOCKED)
7452 mutex_unlock(&ctx->uring_lock);
7453 return file;
7454 }
7455
7456 static struct file *io_file_get_normal(struct io_kiocb *req, int fd)
7457 {
7458 struct file *file = fget(fd);
7459
7460 trace_io_uring_file_get(req->ctx, req, req->user_data, fd);
7461
7462 /* we don't allow fixed io_uring files */
7463 if (file && file->f_op == &io_uring_fops)
7464 io_req_track_inflight(req);
7465 return file;
7466 }
7467
7468 static void io_req_task_link_timeout(struct io_kiocb *req, bool *locked)
7469 {
7470 struct io_kiocb *prev = req->timeout.prev;
7471 int ret = -ENOENT;
7472
7473 if (prev) {
7474 if (!(req->task->flags & PF_EXITING))
7475 ret = io_try_cancel_userdata(req, prev->user_data);
7476 io_req_complete_post(req, ret ?: -ETIME, 0);
7477 io_put_req(prev);
7478 } else {
7479 io_req_complete_post(req, -ETIME, 0);
7480 }
7481 }
7482
7483 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
7484 {
7485 struct io_timeout_data *data = container_of(timer,
7486 struct io_timeout_data, timer);
7487 struct io_kiocb *prev, *req = data->req;
7488 struct io_ring_ctx *ctx = req->ctx;
7489 unsigned long flags;
7490
7491 spin_lock_irqsave(&ctx->timeout_lock, flags);
7492 prev = req->timeout.head;
7493 req->timeout.head = NULL;
7494
7495 /*
7496 * We don't expect the list to be empty, that will only happen if we
7497 * race with the completion of the linked work.
7498 */
7499 if (prev) {
7500 io_remove_next_linked(prev);
7501 if (!req_ref_inc_not_zero(prev))
7502 prev = NULL;
7503 }
7504 list_del(&req->timeout.list);
7505 req->timeout.prev = prev;
7506 spin_unlock_irqrestore(&ctx->timeout_lock, flags);
7507
7508 req->io_task_work.func = io_req_task_link_timeout;
7509 io_req_task_work_add(req, false);
7510 return HRTIMER_NORESTART;
7511 }
7512
7513 static void io_queue_linked_timeout(struct io_kiocb *req)
7514 {
7515 struct io_ring_ctx *ctx = req->ctx;
7516
7517 spin_lock_irq(&ctx->timeout_lock);
7518 /*
7519 * If the back reference is NULL, then our linked request finished
7520 * before we got a chance to setup the timer
7521 */
7522 if (req->timeout.head) {
7523 struct io_timeout_data *data = req->async_data;
7524
7525 data->timer.function = io_link_timeout_fn;
7526 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
7527 data->mode);
7528 list_add_tail(&req->timeout.list, &ctx->ltimeout_list);
7529 }
7530 spin_unlock_irq(&ctx->timeout_lock);
7531 /* drop submission reference */
7532 io_put_req(req);
7533 }
7534
7535 static void io_queue_sqe_arm_apoll(struct io_kiocb *req)
7536 __must_hold(&req->ctx->uring_lock)
7537 {
7538 struct io_kiocb *linked_timeout = io_prep_linked_timeout(req);
7539
7540 switch (io_arm_poll_handler(req, 0)) {
7541 case IO_APOLL_READY:
7542 io_req_task_queue(req);
7543 break;
7544 case IO_APOLL_ABORTED:
7545 /*
7546 * Queued up for async execution, worker will release
7547 * submit reference when the iocb is actually submitted.
7548 */
7549 io_queue_async_work(req, NULL);
7550 break;
7551 case IO_APOLL_OK:
7552 break;
7553 }
7554
7555 if (linked_timeout)
7556 io_queue_linked_timeout(linked_timeout);
7557 }
7558
7559 static inline void __io_queue_sqe(struct io_kiocb *req)
7560 __must_hold(&req->ctx->uring_lock)
7561 {
7562 struct io_kiocb *linked_timeout;
7563 int ret;
7564
7565 ret = io_issue_sqe(req, IO_URING_F_NONBLOCK|IO_URING_F_COMPLETE_DEFER);
7566
7567 if (req->flags & REQ_F_COMPLETE_INLINE) {
7568 io_req_add_compl_list(req);
7569 return;
7570 }
7571 /*
7572 * We async punt it if the file wasn't marked NOWAIT, or if the file
7573 * doesn't support non-blocking read/write attempts
7574 */
7575 if (likely(!ret)) {
7576 linked_timeout = io_prep_linked_timeout(req);
7577 if (linked_timeout)
7578 io_queue_linked_timeout(linked_timeout);
7579 } else if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
7580 io_queue_sqe_arm_apoll(req);
7581 } else {
7582 io_req_complete_failed(req, ret);
7583 }
7584 }
7585
7586 static void io_queue_sqe_fallback(struct io_kiocb *req)
7587 __must_hold(&req->ctx->uring_lock)
7588 {
7589 if (req->flags & REQ_F_FAIL) {
7590 io_req_complete_fail_submit(req);
7591 } else if (unlikely(req->ctx->drain_active)) {
7592 io_drain_req(req);
7593 } else {
7594 int ret = io_req_prep_async(req);
7595
7596 if (unlikely(ret))
7597 io_req_complete_failed(req, ret);
7598 else
7599 io_queue_async_work(req, NULL);
7600 }
7601 }
7602
7603 static inline void io_queue_sqe(struct io_kiocb *req)
7604 __must_hold(&req->ctx->uring_lock)
7605 {
7606 if (likely(!(req->flags & (REQ_F_FORCE_ASYNC | REQ_F_FAIL))))
7607 __io_queue_sqe(req);
7608 else
7609 io_queue_sqe_fallback(req);
7610 }
7611
7612 /*
7613 * Check SQE restrictions (opcode and flags).
7614 *
7615 * Returns 'true' if SQE is allowed, 'false' otherwise.
7616 */
7617 static inline bool io_check_restriction(struct io_ring_ctx *ctx,
7618 struct io_kiocb *req,
7619 unsigned int sqe_flags)
7620 {
7621 if (!test_bit(req->opcode, ctx->restrictions.sqe_op))
7622 return false;
7623
7624 if ((sqe_flags & ctx->restrictions.sqe_flags_required) !=
7625 ctx->restrictions.sqe_flags_required)
7626 return false;
7627
7628 if (sqe_flags & ~(ctx->restrictions.sqe_flags_allowed |
7629 ctx->restrictions.sqe_flags_required))
7630 return false;
7631
7632 return true;
7633 }
7634
7635 static void io_init_req_drain(struct io_kiocb *req)
7636 {
7637 struct io_ring_ctx *ctx = req->ctx;
7638 struct io_kiocb *head = ctx->submit_state.link.head;
7639
7640 ctx->drain_active = true;
7641 if (head) {
7642 /*
7643 * If we need to drain a request in the middle of a link, drain
7644 * the head request and the next request/link after the current
7645 * link. Considering sequential execution of links,
7646 * REQ_F_IO_DRAIN will be maintained for every request of our
7647 * link.
7648 */
7649 head->flags |= REQ_F_IO_DRAIN | REQ_F_FORCE_ASYNC;
7650 ctx->drain_next = true;
7651 }
7652 }
7653
7654 static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
7655 const struct io_uring_sqe *sqe)
7656 __must_hold(&ctx->uring_lock)
7657 {
7658 unsigned int sqe_flags;
7659 int personality;
7660 u8 opcode;
7661
7662 /* req is partially pre-initialised, see io_preinit_req() */
7663 req->opcode = opcode = READ_ONCE(sqe->opcode);
7664 /* same numerical values with corresponding REQ_F_*, safe to copy */
7665 req->flags = sqe_flags = READ_ONCE(sqe->flags);
7666 req->user_data = READ_ONCE(sqe->user_data);
7667 req->file = NULL;
7668 req->fixed_rsrc_refs = NULL;
7669 req->task = current;
7670
7671 if (unlikely(opcode >= IORING_OP_LAST)) {
7672 req->opcode = 0;
7673 return -EINVAL;
7674 }
7675 if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) {
7676 /* enforce forwards compatibility on users */
7677 if (sqe_flags & ~SQE_VALID_FLAGS)
7678 return -EINVAL;
7679 if ((sqe_flags & IOSQE_BUFFER_SELECT) &&
7680 !io_op_defs[opcode].buffer_select)
7681 return -EOPNOTSUPP;
7682 if (sqe_flags & IOSQE_CQE_SKIP_SUCCESS)
7683 ctx->drain_disabled = true;
7684 if (sqe_flags & IOSQE_IO_DRAIN) {
7685 if (ctx->drain_disabled)
7686 return -EOPNOTSUPP;
7687 io_init_req_drain(req);
7688 }
7689 }
7690 if (unlikely(ctx->restricted || ctx->drain_active || ctx->drain_next)) {
7691 if (ctx->restricted && !io_check_restriction(ctx, req, sqe_flags))
7692 return -EACCES;
7693 /* knock it to the slow queue path, will be drained there */
7694 if (ctx->drain_active)
7695 req->flags |= REQ_F_FORCE_ASYNC;
7696 /* if there is no link, we're at "next" request and need to drain */
7697 if (unlikely(ctx->drain_next) && !ctx->submit_state.link.head) {
7698 ctx->drain_next = false;
7699 ctx->drain_active = true;
7700 req->flags |= REQ_F_IO_DRAIN | REQ_F_FORCE_ASYNC;
7701 }
7702 }
7703
7704 if (io_op_defs[opcode].needs_file) {
7705 struct io_submit_state *state = &ctx->submit_state;
7706
7707 req->fd = READ_ONCE(sqe->fd);
7708
7709 /*
7710 * Plug now if we have more than 2 IO left after this, and the
7711 * target is potentially a read/write to block based storage.
7712 */
7713 if (state->need_plug && io_op_defs[opcode].plug) {
7714 state->plug_started = true;
7715 state->need_plug = false;
7716 blk_start_plug_nr_ios(&state->plug, state->submit_nr);
7717 }
7718 }
7719
7720 personality = READ_ONCE(sqe->personality);
7721 if (personality) {
7722 int ret;
7723
7724 req->creds = xa_load(&ctx->personalities, personality);
7725 if (!req->creds)
7726 return -EINVAL;
7727 get_cred(req->creds);
7728 ret = security_uring_override_creds(req->creds);
7729 if (ret) {
7730 put_cred(req->creds);
7731 return ret;
7732 }
7733 req->flags |= REQ_F_CREDS;
7734 }
7735
7736 return io_req_prep(req, sqe);
7737 }
7738
7739 static int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
7740 const struct io_uring_sqe *sqe)
7741 __must_hold(&ctx->uring_lock)
7742 {
7743 struct io_submit_link *link = &ctx->submit_state.link;
7744 int ret;
7745
7746 ret = io_init_req(ctx, req, sqe);
7747 if (unlikely(ret)) {
7748 trace_io_uring_req_failed(sqe, ctx, req, ret);
7749
7750 /* fail even hard links since we don't submit */
7751 if (link->head) {
7752 /*
7753 * we can judge a link req is failed or cancelled by if
7754 * REQ_F_FAIL is set, but the head is an exception since
7755 * it may be set REQ_F_FAIL because of other req's failure
7756 * so let's leverage req->result to distinguish if a head
7757 * is set REQ_F_FAIL because of its failure or other req's
7758 * failure so that we can set the correct ret code for it.
7759 * init result here to avoid affecting the normal path.
7760 */
7761 if (!(link->head->flags & REQ_F_FAIL))
7762 req_fail_link_node(link->head, -ECANCELED);
7763 } else if (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {
7764 /*
7765 * the current req is a normal req, we should return
7766 * error and thus break the submittion loop.
7767 */
7768 io_req_complete_failed(req, ret);
7769 return ret;
7770 }
7771 req_fail_link_node(req, ret);
7772 }
7773
7774 /* don't need @sqe from now on */
7775 trace_io_uring_submit_sqe(ctx, req, req->user_data, req->opcode,
7776 req->flags, true,
7777 ctx->flags & IORING_SETUP_SQPOLL);
7778
7779 /*
7780 * If we already have a head request, queue this one for async
7781 * submittal once the head completes. If we don't have a head but
7782 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
7783 * submitted sync once the chain is complete. If none of those
7784 * conditions are true (normal request), then just queue it.
7785 */
7786 if (link->head) {
7787 struct io_kiocb *head = link->head;
7788
7789 if (!(req->flags & REQ_F_FAIL)) {
7790 ret = io_req_prep_async(req);
7791 if (unlikely(ret)) {
7792 req_fail_link_node(req, ret);
7793 if (!(head->flags & REQ_F_FAIL))
7794 req_fail_link_node(head, -ECANCELED);
7795 }
7796 }
7797 trace_io_uring_link(ctx, req, head);
7798 link->last->link = req;
7799 link->last = req;
7800
7801 if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK))
7802 return 0;
7803 /* last request of a link, enqueue the link */
7804 link->head = NULL;
7805 req = head;
7806 } else if (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {
7807 link->head = req;
7808 link->last = req;
7809 return 0;
7810 }
7811
7812 io_queue_sqe(req);
7813 return 0;
7814 }
7815
7816 /*
7817 * Batched submission is done, ensure local IO is flushed out.
7818 */
7819 static void io_submit_state_end(struct io_ring_ctx *ctx)
7820 {
7821 struct io_submit_state *state = &ctx->submit_state;
7822
7823 if (state->link.head)
7824 io_queue_sqe(state->link.head);
7825 /* flush only after queuing links as they can generate completions */
7826 io_submit_flush_completions(ctx);
7827 if (state->plug_started)
7828 blk_finish_plug(&state->plug);
7829 }
7830
7831 /*
7832 * Start submission side cache.
7833 */
7834 static void io_submit_state_start(struct io_submit_state *state,
7835 unsigned int max_ios)
7836 {
7837 state->plug_started = false;
7838 state->need_plug = max_ios > 2;
7839 state->submit_nr = max_ios;
7840 /* set only head, no need to init link_last in advance */
7841 state->link.head = NULL;
7842 }
7843
7844 static void io_commit_sqring(struct io_ring_ctx *ctx)
7845 {
7846 struct io_rings *rings = ctx->rings;
7847
7848 /*
7849 * Ensure any loads from the SQEs are done at this point,
7850 * since once we write the new head, the application could
7851 * write new data to them.
7852 */
7853 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
7854 }
7855
7856 /*
7857 * Fetch an sqe, if one is available. Note this returns a pointer to memory
7858 * that is mapped by userspace. This means that care needs to be taken to
7859 * ensure that reads are stable, as we cannot rely on userspace always
7860 * being a good citizen. If members of the sqe are validated and then later
7861 * used, it's important that those reads are done through READ_ONCE() to
7862 * prevent a re-load down the line.
7863 */
7864 static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
7865 {
7866 unsigned head, mask = ctx->sq_entries - 1;
7867 unsigned sq_idx = ctx->cached_sq_head++ & mask;
7868
7869 /*
7870 * The cached sq head (or cq tail) serves two purposes:
7871 *
7872 * 1) allows us to batch the cost of updating the user visible
7873 * head updates.
7874 * 2) allows the kernel side to track the head on its own, even
7875 * though the application is the one updating it.
7876 */
7877 head = READ_ONCE(ctx->sq_array[sq_idx]);
7878 if (likely(head < ctx->sq_entries))
7879 return &ctx->sq_sqes[head];
7880
7881 /* drop invalid entries */
7882 ctx->cq_extra--;
7883 WRITE_ONCE(ctx->rings->sq_dropped,
7884 READ_ONCE(ctx->rings->sq_dropped) + 1);
7885 return NULL;
7886 }
7887
7888 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
7889 __must_hold(&ctx->uring_lock)
7890 {
7891 unsigned int entries = io_sqring_entries(ctx);
7892 int submitted = 0;
7893
7894 if (unlikely(!entries))
7895 return 0;
7896 /* make sure SQ entry isn't read before tail */
7897 nr = min3(nr, ctx->sq_entries, entries);
7898 io_get_task_refs(nr);
7899
7900 io_submit_state_start(&ctx->submit_state, nr);
7901 do {
7902 const struct io_uring_sqe *sqe;
7903 struct io_kiocb *req;
7904
7905 if (unlikely(!io_alloc_req_refill(ctx))) {
7906 if (!submitted)
7907 submitted = -EAGAIN;
7908 break;
7909 }
7910 req = io_alloc_req(ctx);
7911 sqe = io_get_sqe(ctx);
7912 if (unlikely(!sqe)) {
7913 wq_stack_add_head(&req->comp_list, &ctx->submit_state.free_list);
7914 break;
7915 }
7916 /* will complete beyond this point, count as submitted */
7917 submitted++;
7918 if (io_submit_sqe(ctx, req, sqe)) {
7919 /*
7920 * Continue submitting even for sqe failure if the
7921 * ring was setup with IORING_SETUP_SUBMIT_ALL
7922 */
7923 if (!(ctx->flags & IORING_SETUP_SUBMIT_ALL))
7924 break;
7925 }
7926 } while (submitted < nr);
7927
7928 if (unlikely(submitted != nr)) {
7929 int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
7930 int unused = nr - ref_used;
7931
7932 current->io_uring->cached_refs += unused;
7933 }
7934
7935 io_submit_state_end(ctx);
7936 /* Commit SQ ring head once we've consumed and submitted all SQEs */
7937 io_commit_sqring(ctx);
7938
7939 return submitted;
7940 }
7941
7942 static inline bool io_sqd_events_pending(struct io_sq_data *sqd)
7943 {
7944 return READ_ONCE(sqd->state);
7945 }
7946
7947 static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)
7948 {
7949 /* Tell userspace we may need a wakeup call */
7950 spin_lock(&ctx->completion_lock);
7951 WRITE_ONCE(ctx->rings->sq_flags,
7952 ctx->rings->sq_flags | IORING_SQ_NEED_WAKEUP);
7953 spin_unlock(&ctx->completion_lock);
7954 }
7955
7956 static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)
7957 {
7958 spin_lock(&ctx->completion_lock);
7959 WRITE_ONCE(ctx->rings->sq_flags,
7960 ctx->rings->sq_flags & ~IORING_SQ_NEED_WAKEUP);
7961 spin_unlock(&ctx->completion_lock);
7962 }
7963
7964 static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries)
7965 {
7966 unsigned int to_submit;
7967 int ret = 0;
7968
7969 to_submit = io_sqring_entries(ctx);
7970 /* if we're handling multiple rings, cap submit size for fairness */
7971 if (cap_entries && to_submit > IORING_SQPOLL_CAP_ENTRIES_VALUE)
7972 to_submit = IORING_SQPOLL_CAP_ENTRIES_VALUE;
7973
7974 if (!wq_list_empty(&ctx->iopoll_list) || to_submit) {
7975 const struct cred *creds = NULL;
7976
7977 if (ctx->sq_creds != current_cred())
7978 creds = override_creds(ctx->sq_creds);
7979
7980 mutex_lock(&ctx->uring_lock);
7981 if (!wq_list_empty(&ctx->iopoll_list))
7982 io_do_iopoll(ctx, true);
7983
7984 /*
7985 * Don't submit if refs are dying, good for io_uring_register(),
7986 * but also it is relied upon by io_ring_exit_work()
7987 */
7988 if (to_submit && likely(!percpu_ref_is_dying(&ctx->refs)) &&
7989 !(ctx->flags & IORING_SETUP_R_DISABLED))
7990 ret = io_submit_sqes(ctx, to_submit);
7991 mutex_unlock(&ctx->uring_lock);
7992
7993 if (to_submit && wq_has_sleeper(&ctx->sqo_sq_wait))
7994 wake_up(&ctx->sqo_sq_wait);
7995 if (creds)
7996 revert_creds(creds);
7997 }
7998
7999 return ret;
8000 }
8001
8002 static __cold void io_sqd_update_thread_idle(struct io_sq_data *sqd)
8003 {
8004 struct io_ring_ctx *ctx;
8005 unsigned sq_thread_idle = 0;
8006
8007 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
8008 sq_thread_idle = max(sq_thread_idle, ctx->sq_thread_idle);
8009 sqd->sq_thread_idle = sq_thread_idle;
8010 }
8011
8012 static bool io_sqd_handle_event(struct io_sq_data *sqd)
8013 {
8014 bool did_sig = false;
8015 struct ksignal ksig;
8016
8017 if (test_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state) ||
8018 signal_pending(current)) {
8019 mutex_unlock(&sqd->lock);
8020 if (signal_pending(current))
8021 did_sig = get_signal(&ksig);
8022 cond_resched();
8023 mutex_lock(&sqd->lock);
8024 }
8025 return did_sig || test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state);
8026 }
8027
8028 static int io_sq_thread(void *data)
8029 {
8030 struct io_sq_data *sqd = data;
8031 struct io_ring_ctx *ctx;
8032 unsigned long timeout = 0;
8033 char buf[TASK_COMM_LEN];
8034 DEFINE_WAIT(wait);
8035
8036 snprintf(buf, sizeof(buf), "iou-sqp-%d", sqd->task_pid);
8037 set_task_comm(current, buf);
8038
8039 if (sqd->sq_cpu != -1)
8040 set_cpus_allowed_ptr(current, cpumask_of(sqd->sq_cpu));
8041 else
8042 set_cpus_allowed_ptr(current, cpu_online_mask);
8043 current->flags |= PF_NO_SETAFFINITY;
8044
8045 audit_alloc_kernel(current);
8046
8047 mutex_lock(&sqd->lock);
8048 while (1) {
8049 bool cap_entries, sqt_spin = false;
8050
8051 if (io_sqd_events_pending(sqd) || signal_pending(current)) {
8052 if (io_sqd_handle_event(sqd))
8053 break;
8054 timeout = jiffies + sqd->sq_thread_idle;
8055 }
8056
8057 cap_entries = !list_is_singular(&sqd->ctx_list);
8058 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
8059 int ret = __io_sq_thread(ctx, cap_entries);
8060
8061 if (!sqt_spin && (ret > 0 || !wq_list_empty(&ctx->iopoll_list)))
8062 sqt_spin = true;
8063 }
8064 if (io_run_task_work())
8065 sqt_spin = true;
8066
8067 if (sqt_spin || !time_after(jiffies, timeout)) {
8068 cond_resched();
8069 if (sqt_spin)
8070 timeout = jiffies + sqd->sq_thread_idle;
8071 continue;
8072 }
8073
8074 prepare_to_wait(&sqd->wait, &wait, TASK_INTERRUPTIBLE);
8075 if (!io_sqd_events_pending(sqd) && !task_work_pending(current)) {
8076 bool needs_sched = true;
8077
8078 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
8079 io_ring_set_wakeup_flag(ctx);
8080
8081 if ((ctx->flags & IORING_SETUP_IOPOLL) &&
8082 !wq_list_empty(&ctx->iopoll_list)) {
8083 needs_sched = false;
8084 break;
8085 }
8086
8087 /*
8088 * Ensure the store of the wakeup flag is not
8089 * reordered with the load of the SQ tail
8090 */
8091 smp_mb();
8092
8093 if (io_sqring_entries(ctx)) {
8094 needs_sched = false;
8095 break;
8096 }
8097 }
8098
8099 if (needs_sched) {
8100 mutex_unlock(&sqd->lock);
8101 schedule();
8102 mutex_lock(&sqd->lock);
8103 }
8104 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
8105 io_ring_clear_wakeup_flag(ctx);
8106 }
8107
8108 finish_wait(&sqd->wait, &wait);
8109 timeout = jiffies + sqd->sq_thread_idle;
8110 }
8111
8112 io_uring_cancel_generic(true, sqd);
8113 sqd->thread = NULL;
8114 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
8115 io_ring_set_wakeup_flag(ctx);
8116 io_run_task_work();
8117 mutex_unlock(&sqd->lock);
8118
8119 audit_free(current);
8120
8121 complete(&sqd->exited);
8122 do_exit(0);
8123 }
8124
8125 struct io_wait_queue {
8126 struct wait_queue_entry wq;
8127 struct io_ring_ctx *ctx;
8128 unsigned cq_tail;
8129 unsigned nr_timeouts;
8130 };
8131
8132 static inline bool io_should_wake(struct io_wait_queue *iowq)
8133 {
8134 struct io_ring_ctx *ctx = iowq->ctx;
8135 int dist = ctx->cached_cq_tail - (int) iowq->cq_tail;
8136
8137 /*
8138 * Wake up if we have enough events, or if a timeout occurred since we
8139 * started waiting. For timeouts, we always want to return to userspace,
8140 * regardless of event count.
8141 */
8142 return dist >= 0 || atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
8143 }
8144
8145 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
8146 int wake_flags, void *key)
8147 {
8148 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
8149 wq);
8150
8151 /*
8152 * Cannot safely flush overflowed CQEs from here, ensure we wake up
8153 * the task, and the next invocation will do it.
8154 */
8155 if (io_should_wake(iowq) || test_bit(0, &iowq->ctx->check_cq_overflow))
8156 return autoremove_wake_function(curr, mode, wake_flags, key);
8157 return -1;
8158 }
8159
8160 static int io_run_task_work_sig(void)
8161 {
8162 if (io_run_task_work())
8163 return 1;
8164 if (test_thread_flag(TIF_NOTIFY_SIGNAL))
8165 return -ERESTARTSYS;
8166 if (task_sigpending(current))
8167 return -EINTR;
8168 return 0;
8169 }
8170
8171 /* when returns >0, the caller should retry */
8172 static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx,
8173 struct io_wait_queue *iowq,
8174 ktime_t timeout)
8175 {
8176 int ret;
8177
8178 /* make sure we run task_work before checking for signals */
8179 ret = io_run_task_work_sig();
8180 if (ret || io_should_wake(iowq))
8181 return ret;
8182 /* let the caller flush overflows, retry */
8183 if (test_bit(0, &ctx->check_cq_overflow))
8184 return 1;
8185
8186 if (!schedule_hrtimeout(&timeout, HRTIMER_MODE_ABS))
8187 return -ETIME;
8188 return 1;
8189 }
8190
8191 /*
8192 * Wait until events become available, if we don't already have some. The
8193 * application must reap them itself, as they reside on the shared cq ring.
8194 */
8195 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
8196 const sigset_t __user *sig, size_t sigsz,
8197 struct __kernel_timespec __user *uts)
8198 {
8199 struct io_wait_queue iowq;
8200 struct io_rings *rings = ctx->rings;
8201 ktime_t timeout = KTIME_MAX;
8202 int ret;
8203
8204 do {
8205 io_cqring_overflow_flush(ctx);
8206 if (io_cqring_events(ctx) >= min_events)
8207 return 0;
8208 if (!io_run_task_work())
8209 break;
8210 } while (1);
8211
8212 if (sig) {
8213 #ifdef CONFIG_COMPAT
8214 if (in_compat_syscall())
8215 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
8216 sigsz);
8217 else
8218 #endif
8219 ret = set_user_sigmask(sig, sigsz);
8220
8221 if (ret)
8222 return ret;
8223 }
8224
8225 if (uts) {
8226 struct timespec64 ts;
8227
8228 if (get_timespec64(&ts, uts))
8229 return -EFAULT;
8230 timeout = ktime_add_ns(timespec64_to_ktime(ts), ktime_get_ns());
8231 }
8232
8233 init_waitqueue_func_entry(&iowq.wq, io_wake_function);
8234 iowq.wq.private = current;
8235 INIT_LIST_HEAD(&iowq.wq.entry);
8236 iowq.ctx = ctx;
8237 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
8238 iowq.cq_tail = READ_ONCE(ctx->rings->cq.head) + min_events;
8239
8240 trace_io_uring_cqring_wait(ctx, min_events);
8241 do {
8242 /* if we can't even flush overflow, don't wait for more */
8243 if (!io_cqring_overflow_flush(ctx)) {
8244 ret = -EBUSY;
8245 break;
8246 }
8247 prepare_to_wait_exclusive(&ctx->cq_wait, &iowq.wq,
8248 TASK_INTERRUPTIBLE);
8249 ret = io_cqring_wait_schedule(ctx, &iowq, timeout);
8250 finish_wait(&ctx->cq_wait, &iowq.wq);
8251 cond_resched();
8252 } while (ret > 0);
8253
8254 restore_saved_sigmask_unless(ret == -EINTR);
8255
8256 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
8257 }
8258
8259 static void io_free_page_table(void **table, size_t size)
8260 {
8261 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
8262
8263 for (i = 0; i < nr_tables; i++)
8264 kfree(table[i]);
8265 kfree(table);
8266 }
8267
8268 static __cold void **io_alloc_page_table(size_t size)
8269 {
8270 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
8271 size_t init_size = size;
8272 void **table;
8273
8274 table = kcalloc(nr_tables, sizeof(*table), GFP_KERNEL_ACCOUNT);
8275 if (!table)
8276 return NULL;
8277
8278 for (i = 0; i < nr_tables; i++) {
8279 unsigned int this_size = min_t(size_t, size, PAGE_SIZE);
8280
8281 table[i] = kzalloc(this_size, GFP_KERNEL_ACCOUNT);
8282 if (!table[i]) {
8283 io_free_page_table(table, init_size);
8284 return NULL;
8285 }
8286 size -= this_size;
8287 }
8288 return table;
8289 }
8290
8291 static void io_rsrc_node_destroy(struct io_rsrc_node *ref_node)
8292 {
8293 percpu_ref_exit(&ref_node->refs);
8294 kfree(ref_node);
8295 }
8296
8297 static __cold void io_rsrc_node_ref_zero(struct percpu_ref *ref)
8298 {
8299 struct io_rsrc_node *node = container_of(ref, struct io_rsrc_node, refs);
8300 struct io_ring_ctx *ctx = node->rsrc_data->ctx;
8301 unsigned long flags;
8302 bool first_add = false;
8303 unsigned long delay = HZ;
8304
8305 spin_lock_irqsave(&ctx->rsrc_ref_lock, flags);
8306 node->done = true;
8307
8308 /* if we are mid-quiesce then do not delay */
8309 if (node->rsrc_data->quiesce)
8310 delay = 0;
8311
8312 while (!list_empty(&ctx->rsrc_ref_list)) {
8313 node = list_first_entry(&ctx->rsrc_ref_list,
8314 struct io_rsrc_node, node);
8315 /* recycle ref nodes in order */
8316 if (!node->done)
8317 break;
8318 list_del(&node->node);
8319 first_add |= llist_add(&node->llist, &ctx->rsrc_put_llist);
8320 }
8321 spin_unlock_irqrestore(&ctx->rsrc_ref_lock, flags);
8322
8323 if (first_add)
8324 mod_delayed_work(system_wq, &ctx->rsrc_put_work, delay);
8325 }
8326
8327 static struct io_rsrc_node *io_rsrc_node_alloc(void)
8328 {
8329 struct io_rsrc_node *ref_node;
8330
8331 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
8332 if (!ref_node)
8333 return NULL;
8334
8335 if (percpu_ref_init(&ref_node->refs, io_rsrc_node_ref_zero,
8336 0, GFP_KERNEL)) {
8337 kfree(ref_node);
8338 return NULL;
8339 }
8340 INIT_LIST_HEAD(&ref_node->node);
8341 INIT_LIST_HEAD(&ref_node->rsrc_list);
8342 ref_node->done = false;
8343 return ref_node;
8344 }
8345
8346 static void io_rsrc_node_switch(struct io_ring_ctx *ctx,
8347 struct io_rsrc_data *data_to_kill)
8348 __must_hold(&ctx->uring_lock)
8349 {
8350 WARN_ON_ONCE(!ctx->rsrc_backup_node);
8351 WARN_ON_ONCE(data_to_kill && !ctx->rsrc_node);
8352
8353 io_rsrc_refs_drop(ctx);
8354
8355 if (data_to_kill) {
8356 struct io_rsrc_node *rsrc_node = ctx->rsrc_node;
8357
8358 rsrc_node->rsrc_data = data_to_kill;
8359 spin_lock_irq(&ctx->rsrc_ref_lock);
8360 list_add_tail(&rsrc_node->node, &ctx->rsrc_ref_list);
8361 spin_unlock_irq(&ctx->rsrc_ref_lock);
8362
8363 atomic_inc(&data_to_kill->refs);
8364 percpu_ref_kill(&rsrc_node->refs);
8365 ctx->rsrc_node = NULL;
8366 }
8367
8368 if (!ctx->rsrc_node) {
8369 ctx->rsrc_node = ctx->rsrc_backup_node;
8370 ctx->rsrc_backup_node = NULL;
8371 }
8372 }
8373
8374 static int io_rsrc_node_switch_start(struct io_ring_ctx *ctx)
8375 {
8376 if (ctx->rsrc_backup_node)
8377 return 0;
8378 ctx->rsrc_backup_node = io_rsrc_node_alloc();
8379 return ctx->rsrc_backup_node ? 0 : -ENOMEM;
8380 }
8381
8382 static __cold int io_rsrc_ref_quiesce(struct io_rsrc_data *data,
8383 struct io_ring_ctx *ctx)
8384 {
8385 int ret;
8386
8387 /* As we may drop ->uring_lock, other task may have started quiesce */
8388 if (data->quiesce)
8389 return -ENXIO;
8390
8391 data->quiesce = true;
8392 do {
8393 ret = io_rsrc_node_switch_start(ctx);
8394 if (ret)
8395 break;
8396 io_rsrc_node_switch(ctx, data);
8397
8398 /* kill initial ref, already quiesced if zero */
8399 if (atomic_dec_and_test(&data->refs))
8400 break;
8401 mutex_unlock(&ctx->uring_lock);
8402 flush_delayed_work(&ctx->rsrc_put_work);
8403 ret = wait_for_completion_interruptible(&data->done);
8404 if (!ret) {
8405 mutex_lock(&ctx->uring_lock);
8406 if (atomic_read(&data->refs) > 0) {
8407 /*
8408 * it has been revived by another thread while
8409 * we were unlocked
8410 */
8411 mutex_unlock(&ctx->uring_lock);
8412 } else {
8413 break;
8414 }
8415 }
8416
8417 atomic_inc(&data->refs);
8418 /* wait for all works potentially completing data->done */
8419 flush_delayed_work(&ctx->rsrc_put_work);
8420 reinit_completion(&data->done);
8421
8422 ret = io_run_task_work_sig();
8423 mutex_lock(&ctx->uring_lock);
8424 } while (ret >= 0);
8425 data->quiesce = false;
8426
8427 return ret;
8428 }
8429
8430 static u64 *io_get_tag_slot(struct io_rsrc_data *data, unsigned int idx)
8431 {
8432 unsigned int off = idx & IO_RSRC_TAG_TABLE_MASK;
8433 unsigned int table_idx = idx >> IO_RSRC_TAG_TABLE_SHIFT;
8434
8435 return &data->tags[table_idx][off];
8436 }
8437
8438 static void io_rsrc_data_free(struct io_rsrc_data *data)
8439 {
8440 size_t size = data->nr * sizeof(data->tags[0][0]);
8441
8442 if (data->tags)
8443 io_free_page_table((void **)data->tags, size);
8444 kfree(data);
8445 }
8446
8447 static __cold int io_rsrc_data_alloc(struct io_ring_ctx *ctx, rsrc_put_fn *do_put,
8448 u64 __user *utags, unsigned nr,
8449 struct io_rsrc_data **pdata)
8450 {
8451 struct io_rsrc_data *data;
8452 int ret = -ENOMEM;
8453 unsigned i;
8454
8455 data = kzalloc(sizeof(*data), GFP_KERNEL);
8456 if (!data)
8457 return -ENOMEM;
8458 data->tags = (u64 **)io_alloc_page_table(nr * sizeof(data->tags[0][0]));
8459 if (!data->tags) {
8460 kfree(data);
8461 return -ENOMEM;
8462 }
8463
8464 data->nr = nr;
8465 data->ctx = ctx;
8466 data->do_put = do_put;
8467 if (utags) {
8468 ret = -EFAULT;
8469 for (i = 0; i < nr; i++) {
8470 u64 *tag_slot = io_get_tag_slot(data, i);
8471
8472 if (copy_from_user(tag_slot, &utags[i],
8473 sizeof(*tag_slot)))
8474 goto fail;
8475 }
8476 }
8477
8478 atomic_set(&data->refs, 1);
8479 init_completion(&data->done);
8480 *pdata = data;
8481 return 0;
8482 fail:
8483 io_rsrc_data_free(data);
8484 return ret;
8485 }
8486
8487 static bool io_alloc_file_tables(struct io_file_table *table, unsigned nr_files)
8488 {
8489 table->files = kvcalloc(nr_files, sizeof(table->files[0]),
8490 GFP_KERNEL_ACCOUNT);
8491 return !!table->files;
8492 }
8493
8494 static void io_free_file_tables(struct io_file_table *table)
8495 {
8496 kvfree(table->files);
8497 table->files = NULL;
8498 }
8499
8500 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
8501 {
8502 #if defined(CONFIG_UNIX)
8503 if (ctx->ring_sock) {
8504 struct sock *sock = ctx->ring_sock->sk;
8505 struct sk_buff *skb;
8506
8507 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
8508 kfree_skb(skb);
8509 }
8510 #else
8511 int i;
8512
8513 for (i = 0; i < ctx->nr_user_files; i++) {
8514 struct file *file;
8515
8516 file = io_file_from_index(ctx, i);
8517 if (file)
8518 fput(file);
8519 }
8520 #endif
8521 io_free_file_tables(&ctx->file_table);
8522 io_rsrc_data_free(ctx->file_data);
8523 ctx->file_data = NULL;
8524 ctx->nr_user_files = 0;
8525 }
8526
8527 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
8528 {
8529 unsigned nr = ctx->nr_user_files;
8530 int ret;
8531
8532 if (!ctx->file_data)
8533 return -ENXIO;
8534
8535 /*
8536 * Quiesce may unlock ->uring_lock, and while it's not held
8537 * prevent new requests using the table.
8538 */
8539 ctx->nr_user_files = 0;
8540 ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
8541 ctx->nr_user_files = nr;
8542 if (!ret)
8543 __io_sqe_files_unregister(ctx);
8544 return ret;
8545 }
8546
8547 static void io_sq_thread_unpark(struct io_sq_data *sqd)
8548 __releases(&sqd->lock)
8549 {
8550 WARN_ON_ONCE(sqd->thread == current);
8551
8552 /*
8553 * Do the dance but not conditional clear_bit() because it'd race with
8554 * other threads incrementing park_pending and setting the bit.
8555 */
8556 clear_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
8557 if (atomic_dec_return(&sqd->park_pending))
8558 set_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
8559 mutex_unlock(&sqd->lock);
8560 }
8561
8562 static void io_sq_thread_park(struct io_sq_data *sqd)
8563 __acquires(&sqd->lock)
8564 {
8565 WARN_ON_ONCE(sqd->thread == current);
8566
8567 atomic_inc(&sqd->park_pending);
8568 set_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);
8569 mutex_lock(&sqd->lock);
8570 if (sqd->thread)
8571 wake_up_process(sqd->thread);
8572 }
8573
8574 static void io_sq_thread_stop(struct io_sq_data *sqd)
8575 {
8576 WARN_ON_ONCE(sqd->thread == current);
8577 WARN_ON_ONCE(test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state));
8578
8579 set_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state);
8580 mutex_lock(&sqd->lock);
8581 if (sqd->thread)
8582 wake_up_process(sqd->thread);
8583 mutex_unlock(&sqd->lock);
8584 wait_for_completion(&sqd->exited);
8585 }
8586
8587 static void io_put_sq_data(struct io_sq_data *sqd)
8588 {
8589 if (refcount_dec_and_test(&sqd->refs)) {
8590 WARN_ON_ONCE(atomic_read(&sqd->park_pending));
8591
8592 io_sq_thread_stop(sqd);
8593 kfree(sqd);
8594 }
8595 }
8596
8597 static void io_sq_thread_finish(struct io_ring_ctx *ctx)
8598 {
8599 struct io_sq_data *sqd = ctx->sq_data;
8600
8601 if (sqd) {
8602 io_sq_thread_park(sqd);
8603 list_del_init(&ctx->sqd_list);
8604 io_sqd_update_thread_idle(sqd);
8605 io_sq_thread_unpark(sqd);
8606
8607 io_put_sq_data(sqd);
8608 ctx->sq_data = NULL;
8609 }
8610 }
8611
8612 static struct io_sq_data *io_attach_sq_data(struct io_uring_params *p)
8613 {
8614 struct io_ring_ctx *ctx_attach;
8615 struct io_sq_data *sqd;
8616 struct fd f;
8617
8618 f = fdget(p->wq_fd);
8619 if (!f.file)
8620 return ERR_PTR(-ENXIO);
8621 if (f.file->f_op != &io_uring_fops) {
8622 fdput(f);
8623 return ERR_PTR(-EINVAL);
8624 }
8625
8626 ctx_attach = f.file->private_data;
8627 sqd = ctx_attach->sq_data;
8628 if (!sqd) {
8629 fdput(f);
8630 return ERR_PTR(-EINVAL);
8631 }
8632 if (sqd->task_tgid != current->tgid) {
8633 fdput(f);
8634 return ERR_PTR(-EPERM);
8635 }
8636
8637 refcount_inc(&sqd->refs);
8638 fdput(f);
8639 return sqd;
8640 }
8641
8642 static struct io_sq_data *io_get_sq_data(struct io_uring_params *p,
8643 bool *attached)
8644 {
8645 struct io_sq_data *sqd;
8646
8647 *attached = false;
8648 if (p->flags & IORING_SETUP_ATTACH_WQ) {
8649 sqd = io_attach_sq_data(p);
8650 if (!IS_ERR(sqd)) {
8651 *attached = true;
8652 return sqd;
8653 }
8654 /* fall through for EPERM case, setup new sqd/task */
8655 if (PTR_ERR(sqd) != -EPERM)
8656 return sqd;
8657 }
8658
8659 sqd = kzalloc(sizeof(*sqd), GFP_KERNEL);
8660 if (!sqd)
8661 return ERR_PTR(-ENOMEM);
8662
8663 atomic_set(&sqd->park_pending, 0);
8664 refcount_set(&sqd->refs, 1);
8665 INIT_LIST_HEAD(&sqd->ctx_list);
8666 mutex_init(&sqd->lock);
8667 init_waitqueue_head(&sqd->wait);
8668 init_completion(&sqd->exited);
8669 return sqd;
8670 }
8671
8672 #if defined(CONFIG_UNIX)
8673 /*
8674 * Ensure the UNIX gc is aware of our file set, so we are certain that
8675 * the io_uring can be safely unregistered on process exit, even if we have
8676 * loops in the file referencing.
8677 */
8678 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
8679 {
8680 struct sock *sk = ctx->ring_sock->sk;
8681 struct scm_fp_list *fpl;
8682 struct sk_buff *skb;
8683 int i, nr_files;
8684
8685 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
8686 if (!fpl)
8687 return -ENOMEM;
8688
8689 skb = alloc_skb(0, GFP_KERNEL);
8690 if (!skb) {
8691 kfree(fpl);
8692 return -ENOMEM;
8693 }
8694
8695 skb->sk = sk;
8696
8697 nr_files = 0;
8698 fpl->user = get_uid(current_user());
8699 for (i = 0; i < nr; i++) {
8700 struct file *file = io_file_from_index(ctx, i + offset);
8701
8702 if (!file)
8703 continue;
8704 fpl->fp[nr_files] = get_file(file);
8705 unix_inflight(fpl->user, fpl->fp[nr_files]);
8706 nr_files++;
8707 }
8708
8709 if (nr_files) {
8710 fpl->max = SCM_MAX_FD;
8711 fpl->count = nr_files;
8712 UNIXCB(skb).fp = fpl;
8713 skb->destructor = unix_destruct_scm;
8714 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
8715 skb_queue_head(&sk->sk_receive_queue, skb);
8716
8717 for (i = 0; i < nr; i++) {
8718 struct file *file = io_file_from_index(ctx, i + offset);
8719
8720 if (file)
8721 fput(file);
8722 }
8723 } else {
8724 kfree_skb(skb);
8725 free_uid(fpl->user);
8726 kfree(fpl);
8727 }
8728
8729 return 0;
8730 }
8731
8732 /*
8733 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
8734 * causes regular reference counting to break down. We rely on the UNIX
8735 * garbage collection to take care of this problem for us.
8736 */
8737 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
8738 {
8739 unsigned left, total;
8740 int ret = 0;
8741
8742 total = 0;
8743 left = ctx->nr_user_files;
8744 while (left) {
8745 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
8746
8747 ret = __io_sqe_files_scm(ctx, this_files, total);
8748 if (ret)
8749 break;
8750 left -= this_files;
8751 total += this_files;
8752 }
8753
8754 if (!ret)
8755 return 0;
8756
8757 while (total < ctx->nr_user_files) {
8758 struct file *file = io_file_from_index(ctx, total);
8759
8760 if (file)
8761 fput(file);
8762 total++;
8763 }
8764
8765 return ret;
8766 }
8767 #else
8768 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
8769 {
8770 return 0;
8771 }
8772 #endif
8773
8774 static void io_rsrc_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
8775 {
8776 struct file *file = prsrc->file;
8777 #if defined(CONFIG_UNIX)
8778 struct sock *sock = ctx->ring_sock->sk;
8779 struct sk_buff_head list, *head = &sock->sk_receive_queue;
8780 struct sk_buff *skb;
8781 int i;
8782
8783 __skb_queue_head_init(&list);
8784
8785 /*
8786 * Find the skb that holds this file in its SCM_RIGHTS. When found,
8787 * remove this entry and rearrange the file array.
8788 */
8789 skb = skb_dequeue(head);
8790 while (skb) {
8791 struct scm_fp_list *fp;
8792
8793 fp = UNIXCB(skb).fp;
8794 for (i = 0; i < fp->count; i++) {
8795 int left;
8796
8797 if (fp->fp[i] != file)
8798 continue;
8799
8800 unix_notinflight(fp->user, fp->fp[i]);
8801 left = fp->count - 1 - i;
8802 if (left) {
8803 memmove(&fp->fp[i], &fp->fp[i + 1],
8804 left * sizeof(struct file *));
8805 }
8806 fp->count--;
8807 if (!fp->count) {
8808 kfree_skb(skb);
8809 skb = NULL;
8810 } else {
8811 __skb_queue_tail(&list, skb);
8812 }
8813 fput(file);
8814 file = NULL;
8815 break;
8816 }
8817
8818 if (!file)
8819 break;
8820
8821 __skb_queue_tail(&list, skb);
8822
8823 skb = skb_dequeue(head);
8824 }
8825
8826 if (skb_peek(&list)) {
8827 spin_lock_irq(&head->lock);
8828 while ((skb = __skb_dequeue(&list)) != NULL)
8829 __skb_queue_tail(head, skb);
8830 spin_unlock_irq(&head->lock);
8831 }
8832 #else
8833 fput(file);
8834 #endif
8835 }
8836
8837 static void __io_rsrc_put_work(struct io_rsrc_node *ref_node)
8838 {
8839 struct io_rsrc_data *rsrc_data = ref_node->rsrc_data;
8840 struct io_ring_ctx *ctx = rsrc_data->ctx;
8841 struct io_rsrc_put *prsrc, *tmp;
8842
8843 list_for_each_entry_safe(prsrc, tmp, &ref_node->rsrc_list, list) {
8844 list_del(&prsrc->list);
8845
8846 if (prsrc->tag) {
8847 bool lock_ring = ctx->flags & IORING_SETUP_IOPOLL;
8848
8849 io_ring_submit_lock(ctx, lock_ring);
8850 spin_lock(&ctx->completion_lock);
8851 io_fill_cqe_aux(ctx, prsrc->tag, 0, 0);
8852 io_commit_cqring(ctx);
8853 spin_unlock(&ctx->completion_lock);
8854 io_cqring_ev_posted(ctx);
8855 io_ring_submit_unlock(ctx, lock_ring);
8856 }
8857
8858 rsrc_data->do_put(ctx, prsrc);
8859 kfree(prsrc);
8860 }
8861
8862 io_rsrc_node_destroy(ref_node);
8863 if (atomic_dec_and_test(&rsrc_data->refs))
8864 complete(&rsrc_data->done);
8865 }
8866
8867 static void io_rsrc_put_work(struct work_struct *work)
8868 {
8869 struct io_ring_ctx *ctx;
8870 struct llist_node *node;
8871
8872 ctx = container_of(work, struct io_ring_ctx, rsrc_put_work.work);
8873 node = llist_del_all(&ctx->rsrc_put_llist);
8874
8875 while (node) {
8876 struct io_rsrc_node *ref_node;
8877 struct llist_node *next = node->next;
8878
8879 ref_node = llist_entry(node, struct io_rsrc_node, llist);
8880 __io_rsrc_put_work(ref_node);
8881 node = next;
8882 }
8883 }
8884
8885 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
8886 unsigned nr_args, u64 __user *tags)
8887 {
8888 __s32 __user *fds = (__s32 __user *) arg;
8889 struct file *file;
8890 int fd, ret;
8891 unsigned i;
8892
8893 if (ctx->file_data)
8894 return -EBUSY;
8895 if (!nr_args)
8896 return -EINVAL;
8897 if (nr_args > IORING_MAX_FIXED_FILES)
8898 return -EMFILE;
8899 if (nr_args > rlimit(RLIMIT_NOFILE))
8900 return -EMFILE;
8901 ret = io_rsrc_node_switch_start(ctx);
8902 if (ret)
8903 return ret;
8904 ret = io_rsrc_data_alloc(ctx, io_rsrc_file_put, tags, nr_args,
8905 &ctx->file_data);
8906 if (ret)
8907 return ret;
8908
8909 ret = -ENOMEM;
8910 if (!io_alloc_file_tables(&ctx->file_table, nr_args))
8911 goto out_free;
8912
8913 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
8914 if (copy_from_user(&fd, &fds[i], sizeof(fd))) {
8915 ret = -EFAULT;
8916 goto out_fput;
8917 }
8918 /* allow sparse sets */
8919 if (fd == -1) {
8920 ret = -EINVAL;
8921 if (unlikely(*io_get_tag_slot(ctx->file_data, i)))
8922 goto out_fput;
8923 continue;
8924 }
8925
8926 file = fget(fd);
8927 ret = -EBADF;
8928 if (unlikely(!file))
8929 goto out_fput;
8930
8931 /*
8932 * Don't allow io_uring instances to be registered. If UNIX
8933 * isn't enabled, then this causes a reference cycle and this
8934 * instance can never get freed. If UNIX is enabled we'll
8935 * handle it just fine, but there's still no point in allowing
8936 * a ring fd as it doesn't support regular read/write anyway.
8937 */
8938 if (file->f_op == &io_uring_fops) {
8939 fput(file);
8940 goto out_fput;
8941 }
8942 io_fixed_file_set(io_fixed_file_slot(&ctx->file_table, i), file);
8943 }
8944
8945 ret = io_sqe_files_scm(ctx);
8946 if (ret) {
8947 __io_sqe_files_unregister(ctx);
8948 return ret;
8949 }
8950
8951 io_rsrc_node_switch(ctx, NULL);
8952 return ret;
8953 out_fput:
8954 for (i = 0; i < ctx->nr_user_files; i++) {
8955 file = io_file_from_index(ctx, i);
8956 if (file)
8957 fput(file);
8958 }
8959 io_free_file_tables(&ctx->file_table);
8960 ctx->nr_user_files = 0;
8961 out_free:
8962 io_rsrc_data_free(ctx->file_data);
8963 ctx->file_data = NULL;
8964 return ret;
8965 }
8966
8967 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
8968 int index)
8969 {
8970 #if defined(CONFIG_UNIX)
8971 struct sock *sock = ctx->ring_sock->sk;
8972 struct sk_buff_head *head = &sock->sk_receive_queue;
8973 struct sk_buff *skb;
8974
8975 /*
8976 * See if we can merge this file into an existing skb SCM_RIGHTS
8977 * file set. If there's no room, fall back to allocating a new skb
8978 * and filling it in.
8979 */
8980 spin_lock_irq(&head->lock);
8981 skb = skb_peek(head);
8982 if (skb) {
8983 struct scm_fp_list *fpl = UNIXCB(skb).fp;
8984
8985 if (fpl->count < SCM_MAX_FD) {
8986 __skb_unlink(skb, head);
8987 spin_unlock_irq(&head->lock);
8988 fpl->fp[fpl->count] = get_file(file);
8989 unix_inflight(fpl->user, fpl->fp[fpl->count]);
8990 fpl->count++;
8991 spin_lock_irq(&head->lock);
8992 __skb_queue_head(head, skb);
8993 } else {
8994 skb = NULL;
8995 }
8996 }
8997 spin_unlock_irq(&head->lock);
8998
8999 if (skb) {
9000 fput(file);
9001 return 0;
9002 }
9003
9004 return __io_sqe_files_scm(ctx, 1, index);
9005 #else
9006 return 0;
9007 #endif
9008 }
9009
9010 static int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,
9011 struct io_rsrc_node *node, void *rsrc)
9012 {
9013 u64 *tag_slot = io_get_tag_slot(data, idx);
9014 struct io_rsrc_put *prsrc;
9015
9016 prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);
9017 if (!prsrc)
9018 return -ENOMEM;
9019
9020 prsrc->tag = *tag_slot;
9021 *tag_slot = 0;
9022 prsrc->rsrc = rsrc;
9023 list_add(&prsrc->list, &node->rsrc_list);
9024 return 0;
9025 }
9026
9027 static int io_install_fixed_file(struct io_kiocb *req, struct file *file,
9028 unsigned int issue_flags, u32 slot_index)
9029 {
9030 struct io_ring_ctx *ctx = req->ctx;
9031 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
9032 bool needs_switch = false;
9033 struct io_fixed_file *file_slot;
9034 int ret = -EBADF;
9035
9036 io_ring_submit_lock(ctx, needs_lock);
9037 if (file->f_op == &io_uring_fops)
9038 goto err;
9039 ret = -ENXIO;
9040 if (!ctx->file_data)
9041 goto err;
9042 ret = -EINVAL;
9043 if (slot_index >= ctx->nr_user_files)
9044 goto err;
9045
9046 slot_index = array_index_nospec(slot_index, ctx->nr_user_files);
9047 file_slot = io_fixed_file_slot(&ctx->file_table, slot_index);
9048
9049 if (file_slot->file_ptr) {
9050 struct file *old_file;
9051
9052 ret = io_rsrc_node_switch_start(ctx);
9053 if (ret)
9054 goto err;
9055
9056 old_file = (struct file *)(file_slot->file_ptr & FFS_MASK);
9057 ret = io_queue_rsrc_removal(ctx->file_data, slot_index,
9058 ctx->rsrc_node, old_file);
9059 if (ret)
9060 goto err;
9061 file_slot->file_ptr = 0;
9062 needs_switch = true;
9063 }
9064
9065 *io_get_tag_slot(ctx->file_data, slot_index) = 0;
9066 io_fixed_file_set(file_slot, file);
9067 ret = io_sqe_file_register(ctx, file, slot_index);
9068 if (ret) {
9069 file_slot->file_ptr = 0;
9070 goto err;
9071 }
9072
9073 ret = 0;
9074 err:
9075 if (needs_switch)
9076 io_rsrc_node_switch(ctx, ctx->file_data);
9077 io_ring_submit_unlock(ctx, needs_lock);
9078 if (ret)
9079 fput(file);
9080 return ret;
9081 }
9082
9083 static int io_close_fixed(struct io_kiocb *req, unsigned int issue_flags)
9084 {
9085 unsigned int offset = req->close.file_slot - 1;
9086 struct io_ring_ctx *ctx = req->ctx;
9087 bool needs_lock = issue_flags & IO_URING_F_UNLOCKED;
9088 struct io_fixed_file *file_slot;
9089 struct file *file;
9090 int ret;
9091
9092 io_ring_submit_lock(ctx, needs_lock);
9093 ret = -ENXIO;
9094 if (unlikely(!ctx->file_data))
9095 goto out;
9096 ret = -EINVAL;
9097 if (offset >= ctx->nr_user_files)
9098 goto out;
9099 ret = io_rsrc_node_switch_start(ctx);
9100 if (ret)
9101 goto out;
9102
9103 offset = array_index_nospec(offset, ctx->nr_user_files);
9104 file_slot = io_fixed_file_slot(&ctx->file_table, offset);
9105 ret = -EBADF;
9106 if (!file_slot->file_ptr)
9107 goto out;
9108
9109 file = (struct file *)(file_slot->file_ptr & FFS_MASK);
9110 ret = io_queue_rsrc_removal(ctx->file_data, offset, ctx->rsrc_node, file);
9111 if (ret)
9112 goto out;
9113
9114 file_slot->file_ptr = 0;
9115 io_rsrc_node_switch(ctx, ctx->file_data);
9116 ret = 0;
9117 out:
9118 io_ring_submit_unlock(ctx, needs_lock);
9119 return ret;
9120 }
9121
9122 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
9123 struct io_uring_rsrc_update2 *up,
9124 unsigned nr_args)
9125 {
9126 u64 __user *tags = u64_to_user_ptr(up->tags);
9127 __s32 __user *fds = u64_to_user_ptr(up->data);
9128 struct io_rsrc_data *data = ctx->file_data;
9129 struct io_fixed_file *file_slot;
9130 struct file *file;
9131 int fd, i, err = 0;
9132 unsigned int done;
9133 bool needs_switch = false;
9134
9135 if (!ctx->file_data)
9136 return -ENXIO;
9137 if (up->offset + nr_args > ctx->nr_user_files)
9138 return -EINVAL;
9139
9140 for (done = 0; done < nr_args; done++) {
9141 u64 tag = 0;
9142
9143 if ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||
9144 copy_from_user(&fd, &fds[done], sizeof(fd))) {
9145 err = -EFAULT;
9146 break;
9147 }
9148 if ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) {
9149 err = -EINVAL;
9150 break;
9151 }
9152 if (fd == IORING_REGISTER_FILES_SKIP)
9153 continue;
9154
9155 i = array_index_nospec(up->offset + done, ctx->nr_user_files);
9156 file_slot = io_fixed_file_slot(&ctx->file_table, i);
9157
9158 if (file_slot->file_ptr) {
9159 file = (struct file *)(file_slot->file_ptr & FFS_MASK);
9160 err = io_queue_rsrc_removal(data, i, ctx->rsrc_node, file);
9161 if (err)
9162 break;
9163 file_slot->file_ptr = 0;
9164 needs_switch = true;
9165 }
9166 if (fd != -1) {
9167 file = fget(fd);
9168 if (!file) {
9169 err = -EBADF;
9170 break;
9171 }
9172 /*
9173 * Don't allow io_uring instances to be registered. If
9174 * UNIX isn't enabled, then this causes a reference
9175 * cycle and this instance can never get freed. If UNIX
9176 * is enabled we'll handle it just fine, but there's
9177 * still no point in allowing a ring fd as it doesn't
9178 * support regular read/write anyway.
9179 */
9180 if (file->f_op == &io_uring_fops) {
9181 fput(file);
9182 err = -EBADF;
9183 break;
9184 }
9185 *io_get_tag_slot(data, i) = tag;
9186 io_fixed_file_set(file_slot, file);
9187 err = io_sqe_file_register(ctx, file, i);
9188 if (err) {
9189 file_slot->file_ptr = 0;
9190 fput(file);
9191 break;
9192 }
9193 }
9194 }
9195
9196 if (needs_switch)
9197 io_rsrc_node_switch(ctx, data);
9198 return done ? done : err;
9199 }
9200
9201 static struct io_wq *io_init_wq_offload(struct io_ring_ctx *ctx,
9202 struct task_struct *task)
9203 {
9204 struct io_wq_hash *hash;
9205 struct io_wq_data data;
9206 unsigned int concurrency;
9207
9208 mutex_lock(&ctx->uring_lock);
9209 hash = ctx->hash_map;
9210 if (!hash) {
9211 hash = kzalloc(sizeof(*hash), GFP_KERNEL);
9212 if (!hash) {
9213 mutex_unlock(&ctx->uring_lock);
9214 return ERR_PTR(-ENOMEM);
9215 }
9216 refcount_set(&hash->refs, 1);
9217 init_waitqueue_head(&hash->wait);
9218 ctx->hash_map = hash;
9219 }
9220 mutex_unlock(&ctx->uring_lock);
9221
9222 data.hash = hash;
9223 data.task = task;
9224 data.free_work = io_wq_free_work;
9225 data.do_work = io_wq_submit_work;
9226
9227 /* Do QD, or 4 * CPUS, whatever is smallest */
9228 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
9229
9230 return io_wq_create(concurrency, &data);
9231 }
9232
9233 static __cold int io_uring_alloc_task_context(struct task_struct *task,
9234 struct io_ring_ctx *ctx)
9235 {
9236 struct io_uring_task *tctx;
9237 int ret;
9238
9239 tctx = kzalloc(sizeof(*tctx), GFP_KERNEL);
9240 if (unlikely(!tctx))
9241 return -ENOMEM;
9242
9243 tctx->registered_rings = kcalloc(IO_RINGFD_REG_MAX,
9244 sizeof(struct file *), GFP_KERNEL);
9245 if (unlikely(!tctx->registered_rings)) {
9246 kfree(tctx);
9247 return -ENOMEM;
9248 }
9249
9250 ret = percpu_counter_init(&tctx->inflight, 0, GFP_KERNEL);
9251 if (unlikely(ret)) {
9252 kfree(tctx->registered_rings);
9253 kfree(tctx);
9254 return ret;
9255 }
9256
9257 tctx->io_wq = io_init_wq_offload(ctx, task);
9258 if (IS_ERR(tctx->io_wq)) {
9259 ret = PTR_ERR(tctx->io_wq);
9260 percpu_counter_destroy(&tctx->inflight);
9261 kfree(tctx->registered_rings);
9262 kfree(tctx);
9263 return ret;
9264 }
9265
9266 xa_init(&tctx->xa);
9267 init_waitqueue_head(&tctx->wait);
9268 atomic_set(&tctx->in_idle, 0);
9269 atomic_set(&tctx->inflight_tracked, 0);
9270 task->io_uring = tctx;
9271 spin_lock_init(&tctx->task_lock);
9272 INIT_WQ_LIST(&tctx->task_list);
9273 INIT_WQ_LIST(&tctx->prior_task_list);
9274 init_task_work(&tctx->task_work, tctx_task_work);
9275 return 0;
9276 }
9277
9278 void __io_uring_free(struct task_struct *tsk)
9279 {
9280 struct io_uring_task *tctx = tsk->io_uring;
9281
9282 WARN_ON_ONCE(!xa_empty(&tctx->xa));
9283 WARN_ON_ONCE(tctx->io_wq);
9284 WARN_ON_ONCE(tctx->cached_refs);
9285
9286 kfree(tctx->registered_rings);
9287 percpu_counter_destroy(&tctx->inflight);
9288 kfree(tctx);
9289 tsk->io_uring = NULL;
9290 }
9291
9292 static __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
9293 struct io_uring_params *p)
9294 {
9295 int ret;
9296
9297 /* Retain compatibility with failing for an invalid attach attempt */
9298 if ((ctx->flags & (IORING_SETUP_ATTACH_WQ | IORING_SETUP_SQPOLL)) ==
9299 IORING_SETUP_ATTACH_WQ) {
9300 struct fd f;
9301
9302 f = fdget(p->wq_fd);
9303 if (!f.file)
9304 return -ENXIO;
9305 if (f.file->f_op != &io_uring_fops) {
9306 fdput(f);
9307 return -EINVAL;
9308 }
9309 fdput(f);
9310 }
9311 if (ctx->flags & IORING_SETUP_SQPOLL) {
9312 struct task_struct *tsk;
9313 struct io_sq_data *sqd;
9314 bool attached;
9315
9316 ret = security_uring_sqpoll();
9317 if (ret)
9318 return ret;
9319
9320 sqd = io_get_sq_data(p, &attached);
9321 if (IS_ERR(sqd)) {
9322 ret = PTR_ERR(sqd);
9323 goto err;
9324 }
9325
9326 ctx->sq_creds = get_current_cred();
9327 ctx->sq_data = sqd;
9328 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
9329 if (!ctx->sq_thread_idle)
9330 ctx->sq_thread_idle = HZ;
9331
9332 io_sq_thread_park(sqd);
9333 list_add(&ctx->sqd_list, &sqd->ctx_list);
9334 io_sqd_update_thread_idle(sqd);
9335 /* don't attach to a dying SQPOLL thread, would be racy */
9336 ret = (attached && !sqd->thread) ? -ENXIO : 0;
9337 io_sq_thread_unpark(sqd);
9338
9339 if (ret < 0)
9340 goto err;
9341 if (attached)
9342 return 0;
9343
9344 if (p->flags & IORING_SETUP_SQ_AFF) {
9345 int cpu = p->sq_thread_cpu;
9346
9347 ret = -EINVAL;
9348 if (cpu >= nr_cpu_ids || !cpu_online(cpu))
9349 goto err_sqpoll;
9350 sqd->sq_cpu = cpu;
9351 } else {
9352 sqd->sq_cpu = -1;
9353 }
9354
9355 sqd->task_pid = current->pid;
9356 sqd->task_tgid = current->tgid;
9357 tsk = create_io_thread(io_sq_thread, sqd, NUMA_NO_NODE);
9358 if (IS_ERR(tsk)) {
9359 ret = PTR_ERR(tsk);
9360 goto err_sqpoll;
9361 }
9362
9363 sqd->thread = tsk;
9364 ret = io_uring_alloc_task_context(tsk, ctx);
9365 wake_up_new_task(tsk);
9366 if (ret)
9367 goto err;
9368 } else if (p->flags & IORING_SETUP_SQ_AFF) {
9369 /* Can't have SQ_AFF without SQPOLL */
9370 ret = -EINVAL;
9371 goto err;
9372 }
9373
9374 return 0;
9375 err_sqpoll:
9376 complete(&ctx->sq_data->exited);
9377 err:
9378 io_sq_thread_finish(ctx);
9379 return ret;
9380 }
9381
9382 static inline void __io_unaccount_mem(struct user_struct *user,
9383 unsigned long nr_pages)
9384 {
9385 atomic_long_sub(nr_pages, &user->locked_vm);
9386 }
9387
9388 static inline int __io_account_mem(struct user_struct *user,
9389 unsigned long nr_pages)
9390 {
9391 unsigned long page_limit, cur_pages, new_pages;
9392
9393 /* Don't allow more pages than we can safely lock */
9394 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
9395
9396 do {
9397 cur_pages = atomic_long_read(&user->locked_vm);
9398 new_pages = cur_pages + nr_pages;
9399 if (new_pages > page_limit)
9400 return -ENOMEM;
9401 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
9402 new_pages) != cur_pages);
9403
9404 return 0;
9405 }
9406
9407 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
9408 {
9409 if (ctx->user)
9410 __io_unaccount_mem(ctx->user, nr_pages);
9411
9412 if (ctx->mm_account)
9413 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
9414 }
9415
9416 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
9417 {
9418 int ret;
9419
9420 if (ctx->user) {
9421 ret = __io_account_mem(ctx->user, nr_pages);
9422 if (ret)
9423 return ret;
9424 }
9425
9426 if (ctx->mm_account)
9427 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
9428
9429 return 0;
9430 }
9431
9432 static void io_mem_free(void *ptr)
9433 {
9434 struct page *page;
9435
9436 if (!ptr)
9437 return;
9438
9439 page = virt_to_head_page(ptr);
9440 if (put_page_testzero(page))
9441 free_compound_page(page);
9442 }
9443
9444 static void *io_mem_alloc(size_t size)
9445 {
9446 gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP;
9447
9448 return (void *) __get_free_pages(gfp, get_order(size));
9449 }
9450
9451 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
9452 size_t *sq_offset)
9453 {
9454 struct io_rings *rings;
9455 size_t off, sq_array_size;
9456
9457 off = struct_size(rings, cqes, cq_entries);
9458 if (off == SIZE_MAX)
9459 return SIZE_MAX;
9460
9461 #ifdef CONFIG_SMP
9462 off = ALIGN(off, SMP_CACHE_BYTES);
9463 if (off == 0)
9464 return SIZE_MAX;
9465 #endif
9466
9467 if (sq_offset)
9468 *sq_offset = off;
9469
9470 sq_array_size = array_size(sizeof(u32), sq_entries);
9471 if (sq_array_size == SIZE_MAX)
9472 return SIZE_MAX;
9473
9474 if (check_add_overflow(off, sq_array_size, &off))
9475 return SIZE_MAX;
9476
9477 return off;
9478 }
9479
9480 static void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)
9481 {
9482 struct io_mapped_ubuf *imu = *slot;
9483 unsigned int i;
9484
9485 if (imu != ctx->dummy_ubuf) {
9486 for (i = 0; i < imu->nr_bvecs; i++)
9487 unpin_user_page(imu->bvec[i].bv_page);
9488 if (imu->acct_pages)
9489 io_unaccount_mem(ctx, imu->acct_pages);
9490 kvfree(imu);
9491 }
9492 *slot = NULL;
9493 }
9494
9495 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
9496 {
9497 io_buffer_unmap(ctx, &prsrc->buf);
9498 prsrc->buf = NULL;
9499 }
9500
9501 static void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
9502 {
9503 unsigned int i;
9504
9505 for (i = 0; i < ctx->nr_user_bufs; i++)
9506 io_buffer_unmap(ctx, &ctx->user_bufs[i]);
9507 kfree(ctx->user_bufs);
9508 io_rsrc_data_free(ctx->buf_data);
9509 ctx->user_bufs = NULL;
9510 ctx->buf_data = NULL;
9511 ctx->nr_user_bufs = 0;
9512 }
9513
9514 static int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
9515 {
9516 unsigned nr = ctx->nr_user_bufs;
9517 int ret;
9518
9519 if (!ctx->buf_data)
9520 return -ENXIO;
9521
9522 /*
9523 * Quiesce may unlock ->uring_lock, and while it's not held
9524 * prevent new requests using the table.
9525 */
9526 ctx->nr_user_bufs = 0;
9527 ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
9528 ctx->nr_user_bufs = nr;
9529 if (!ret)
9530 __io_sqe_buffers_unregister(ctx);
9531 return ret;
9532 }
9533
9534 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
9535 void __user *arg, unsigned index)
9536 {
9537 struct iovec __user *src;
9538
9539 #ifdef CONFIG_COMPAT
9540 if (ctx->compat) {
9541 struct compat_iovec __user *ciovs;
9542 struct compat_iovec ciov;
9543
9544 ciovs = (struct compat_iovec __user *) arg;
9545 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
9546 return -EFAULT;
9547
9548 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
9549 dst->iov_len = ciov.iov_len;
9550 return 0;
9551 }
9552 #endif
9553 src = (struct iovec __user *) arg;
9554 if (copy_from_user(dst, &src[index], sizeof(*dst)))
9555 return -EFAULT;
9556 return 0;
9557 }
9558
9559 /*
9560 * Not super efficient, but this is just a registration time. And we do cache
9561 * the last compound head, so generally we'll only do a full search if we don't
9562 * match that one.
9563 *
9564 * We check if the given compound head page has already been accounted, to
9565 * avoid double accounting it. This allows us to account the full size of the
9566 * page, not just the constituent pages of a huge page.
9567 */
9568 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
9569 int nr_pages, struct page *hpage)
9570 {
9571 int i, j;
9572
9573 /* check current page array */
9574 for (i = 0; i < nr_pages; i++) {
9575 if (!PageCompound(pages[i]))
9576 continue;
9577 if (compound_head(pages[i]) == hpage)
9578 return true;
9579 }
9580
9581 /* check previously registered pages */
9582 for (i = 0; i < ctx->nr_user_bufs; i++) {
9583 struct io_mapped_ubuf *imu = ctx->user_bufs[i];
9584
9585 for (j = 0; j < imu->nr_bvecs; j++) {
9586 if (!PageCompound(imu->bvec[j].bv_page))
9587 continue;
9588 if (compound_head(imu->bvec[j].bv_page) == hpage)
9589 return true;
9590 }
9591 }
9592
9593 return false;
9594 }
9595
9596 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
9597 int nr_pages, struct io_mapped_ubuf *imu,
9598 struct page **last_hpage)
9599 {
9600 int i, ret;
9601
9602 imu->acct_pages = 0;
9603 for (i = 0; i < nr_pages; i++) {
9604 if (!PageCompound(pages[i])) {
9605 imu->acct_pages++;
9606 } else {
9607 struct page *hpage;
9608
9609 hpage = compound_head(pages[i]);
9610 if (hpage == *last_hpage)
9611 continue;
9612 *last_hpage = hpage;
9613 if (headpage_already_acct(ctx, pages, i, hpage))
9614 continue;
9615 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
9616 }
9617 }
9618
9619 if (!imu->acct_pages)
9620 return 0;
9621
9622 ret = io_account_mem(ctx, imu->acct_pages);
9623 if (ret)
9624 imu->acct_pages = 0;
9625 return ret;
9626 }
9627
9628 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
9629 struct io_mapped_ubuf **pimu,
9630 struct page **last_hpage)
9631 {
9632 struct io_mapped_ubuf *imu = NULL;
9633 struct vm_area_struct **vmas = NULL;
9634 struct page **pages = NULL;
9635 unsigned long off, start, end, ubuf;
9636 size_t size;
9637 int ret, pret, nr_pages, i;
9638
9639 if (!iov->iov_base) {
9640 *pimu = ctx->dummy_ubuf;
9641 return 0;
9642 }
9643
9644 ubuf = (unsigned long) iov->iov_base;
9645 end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
9646 start = ubuf >> PAGE_SHIFT;
9647 nr_pages = end - start;
9648
9649 *pimu = NULL;
9650 ret = -ENOMEM;
9651
9652 pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
9653 if (!pages)
9654 goto done;
9655
9656 vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),
9657 GFP_KERNEL);
9658 if (!vmas)
9659 goto done;
9660
9661 imu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);
9662 if (!imu)
9663 goto done;
9664
9665 ret = 0;
9666 mmap_read_lock(current->mm);
9667 pret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
9668 pages, vmas);
9669 if (pret == nr_pages) {
9670 /* don't support file backed memory */
9671 for (i = 0; i < nr_pages; i++) {
9672 struct vm_area_struct *vma = vmas[i];
9673
9674 if (vma_is_shmem(vma))
9675 continue;
9676 if (vma->vm_file &&
9677 !is_file_hugepages(vma->vm_file)) {
9678 ret = -EOPNOTSUPP;
9679 break;
9680 }
9681 }
9682 } else {
9683 ret = pret < 0 ? pret : -EFAULT;
9684 }
9685 mmap_read_unlock(current->mm);
9686 if (ret) {
9687 /*
9688 * if we did partial map, or found file backed vmas,
9689 * release any pages we did get
9690 */
9691 if (pret > 0)
9692 unpin_user_pages(pages, pret);
9693 goto done;
9694 }
9695
9696 ret = io_buffer_account_pin(ctx, pages, pret, imu, last_hpage);
9697 if (ret) {
9698 unpin_user_pages(pages, pret);
9699 goto done;
9700 }
9701
9702 off = ubuf & ~PAGE_MASK;
9703 size = iov->iov_len;
9704 for (i = 0; i < nr_pages; i++) {
9705 size_t vec_len;
9706
9707 vec_len = min_t(size_t, size, PAGE_SIZE - off);
9708 imu->bvec[i].bv_page = pages[i];
9709 imu->bvec[i].bv_len = vec_len;
9710 imu->bvec[i].bv_offset = off;
9711 off = 0;
9712 size -= vec_len;
9713 }
9714 /* store original address for later verification */
9715 imu->ubuf = ubuf;
9716 imu->ubuf_end = ubuf + iov->iov_len;
9717 imu->nr_bvecs = nr_pages;
9718 *pimu = imu;
9719 ret = 0;
9720 done:
9721 if (ret)
9722 kvfree(imu);
9723 kvfree(pages);
9724 kvfree(vmas);
9725 return ret;
9726 }
9727
9728 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
9729 {
9730 ctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);
9731 return ctx->user_bufs ? 0 : -ENOMEM;
9732 }
9733
9734 static int io_buffer_validate(struct iovec *iov)
9735 {
9736 unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
9737
9738 /*
9739 * Don't impose further limits on the size and buffer
9740 * constraints here, we'll -EINVAL later when IO is
9741 * submitted if they are wrong.
9742 */
9743 if (!iov->iov_base)
9744 return iov->iov_len ? -EFAULT : 0;
9745 if (!iov->iov_len)
9746 return -EFAULT;
9747
9748 /* arbitrary limit, but we need something */
9749 if (iov->iov_len > SZ_1G)
9750 return -EFAULT;
9751
9752 if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
9753 return -EOVERFLOW;
9754
9755 return 0;
9756 }
9757
9758 static int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
9759 unsigned int nr_args, u64 __user *tags)
9760 {
9761 struct page *last_hpage = NULL;
9762 struct io_rsrc_data *data;
9763 int i, ret;
9764 struct iovec iov;
9765
9766 if (ctx->user_bufs)
9767 return -EBUSY;
9768 if (!nr_args || nr_args > IORING_MAX_REG_BUFFERS)
9769 return -EINVAL;
9770 ret = io_rsrc_node_switch_start(ctx);
9771 if (ret)
9772 return ret;
9773 ret = io_rsrc_data_alloc(ctx, io_rsrc_buf_put, tags, nr_args, &data);
9774 if (ret)
9775 return ret;
9776 ret = io_buffers_map_alloc(ctx, nr_args);
9777 if (ret) {
9778 io_rsrc_data_free(data);
9779 return ret;
9780 }
9781
9782 for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {
9783 ret = io_copy_iov(ctx, &iov, arg, i);
9784 if (ret)
9785 break;
9786 ret = io_buffer_validate(&iov);
9787 if (ret)
9788 break;
9789 if (!iov.iov_base && *io_get_tag_slot(data, i)) {
9790 ret = -EINVAL;
9791 break;
9792 }
9793
9794 ret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],
9795 &last_hpage);
9796 if (ret)
9797 break;
9798 }
9799
9800 WARN_ON_ONCE(ctx->buf_data);
9801
9802 ctx->buf_data = data;
9803 if (ret)
9804 __io_sqe_buffers_unregister(ctx);
9805 else
9806 io_rsrc_node_switch(ctx, NULL);
9807 return ret;
9808 }
9809
9810 static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
9811 struct io_uring_rsrc_update2 *up,
9812 unsigned int nr_args)
9813 {
9814 u64 __user *tags = u64_to_user_ptr(up->tags);
9815 struct iovec iov, __user *iovs = u64_to_user_ptr(up->data);
9816 struct page *last_hpage = NULL;
9817 bool needs_switch = false;
9818 __u32 done;
9819 int i, err;
9820
9821 if (!ctx->buf_data)
9822 return -ENXIO;
9823 if (up->offset + nr_args > ctx->nr_user_bufs)
9824 return -EINVAL;
9825
9826 for (done = 0; done < nr_args; done++) {
9827 struct io_mapped_ubuf *imu;
9828 int offset = up->offset + done;
9829 u64 tag = 0;
9830
9831 err = io_copy_iov(ctx, &iov, iovs, done);
9832 if (err)
9833 break;
9834 if (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {
9835 err = -EFAULT;
9836 break;
9837 }
9838 err = io_buffer_validate(&iov);
9839 if (err)
9840 break;
9841 if (!iov.iov_base && tag) {
9842 err = -EINVAL;
9843 break;
9844 }
9845 err = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);
9846 if (err)
9847 break;
9848
9849 i = array_index_nospec(offset, ctx->nr_user_bufs);
9850 if (ctx->user_bufs[i] != ctx->dummy_ubuf) {
9851 err = io_queue_rsrc_removal(ctx->buf_data, i,
9852 ctx->rsrc_node, ctx->user_bufs[i]);
9853 if (unlikely(err)) {
9854 io_buffer_unmap(ctx, &imu);
9855 break;
9856 }
9857 ctx->user_bufs[i] = NULL;
9858 needs_switch = true;
9859 }
9860
9861 ctx->user_bufs[i] = imu;
9862 *io_get_tag_slot(ctx->buf_data, offset) = tag;
9863 }
9864
9865 if (needs_switch)
9866 io_rsrc_node_switch(ctx, ctx->buf_data);
9867 return done ? done : err;
9868 }
9869
9870 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg,
9871 unsigned int eventfd_async)
9872 {
9873 struct io_ev_fd *ev_fd;
9874 __s32 __user *fds = arg;
9875 int fd;
9876
9877 ev_fd = rcu_dereference_protected(ctx->io_ev_fd,
9878 lockdep_is_held(&ctx->uring_lock));
9879 if (ev_fd)
9880 return -EBUSY;
9881
9882 if (copy_from_user(&fd, fds, sizeof(*fds)))
9883 return -EFAULT;
9884
9885 ev_fd = kmalloc(sizeof(*ev_fd), GFP_KERNEL);
9886 if (!ev_fd)
9887 return -ENOMEM;
9888
9889 ev_fd->cq_ev_fd = eventfd_ctx_fdget(fd);
9890 if (IS_ERR(ev_fd->cq_ev_fd)) {
9891 int ret = PTR_ERR(ev_fd->cq_ev_fd);
9892 kfree(ev_fd);
9893 return ret;
9894 }
9895 ev_fd->eventfd_async = eventfd_async;
9896 ctx->has_evfd = true;
9897 rcu_assign_pointer(ctx->io_ev_fd, ev_fd);
9898 return 0;
9899 }
9900
9901 static void io_eventfd_put(struct rcu_head *rcu)
9902 {
9903 struct io_ev_fd *ev_fd = container_of(rcu, struct io_ev_fd, rcu);
9904
9905 eventfd_ctx_put(ev_fd->cq_ev_fd);
9906 kfree(ev_fd);
9907 }
9908
9909 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
9910 {
9911 struct io_ev_fd *ev_fd;
9912
9913 ev_fd = rcu_dereference_protected(ctx->io_ev_fd,
9914 lockdep_is_held(&ctx->uring_lock));
9915 if (ev_fd) {
9916 ctx->has_evfd = false;
9917 rcu_assign_pointer(ctx->io_ev_fd, NULL);
9918 call_rcu(&ev_fd->rcu, io_eventfd_put);
9919 return 0;
9920 }
9921
9922 return -ENXIO;
9923 }
9924
9925 static void io_destroy_buffers(struct io_ring_ctx *ctx)
9926 {
9927 int i;
9928
9929 for (i = 0; i < (1U << IO_BUFFERS_HASH_BITS); i++) {
9930 struct list_head *list = &ctx->io_buffers[i];
9931
9932 while (!list_empty(list)) {
9933 struct io_buffer_list *bl;
9934
9935 bl = list_first_entry(list, struct io_buffer_list, list);
9936 __io_remove_buffers(ctx, bl, -1U);
9937 list_del(&bl->list);
9938 kfree(bl);
9939 }
9940 }
9941
9942 while (!list_empty(&ctx->io_buffers_pages)) {
9943 struct page *page;
9944
9945 page = list_first_entry(&ctx->io_buffers_pages, struct page, lru);
9946 list_del_init(&page->lru);
9947 __free_page(page);
9948 }
9949 }
9950
9951 static void io_req_caches_free(struct io_ring_ctx *ctx)
9952 {
9953 struct io_submit_state *state = &ctx->submit_state;
9954 int nr = 0;
9955
9956 mutex_lock(&ctx->uring_lock);
9957 io_flush_cached_locked_reqs(ctx, state);
9958
9959 while (state->free_list.next) {
9960 struct io_wq_work_node *node;
9961 struct io_kiocb *req;
9962
9963 node = wq_stack_extract(&state->free_list);
9964 req = container_of(node, struct io_kiocb, comp_list);
9965 kmem_cache_free(req_cachep, req);
9966 nr++;
9967 }
9968 if (nr)
9969 percpu_ref_put_many(&ctx->refs, nr);
9970 mutex_unlock(&ctx->uring_lock);
9971 }
9972
9973 static void io_wait_rsrc_data(struct io_rsrc_data *data)
9974 {
9975 if (data && !atomic_dec_and_test(&data->refs))
9976 wait_for_completion(&data->done);
9977 }
9978
9979 static void io_flush_apoll_cache(struct io_ring_ctx *ctx)
9980 {
9981 struct async_poll *apoll;
9982
9983 while (!list_empty(&ctx->apoll_cache)) {
9984 apoll = list_first_entry(&ctx->apoll_cache, struct async_poll,
9985 poll.wait.entry);
9986 list_del(&apoll->poll.wait.entry);
9987 kfree(apoll);
9988 }
9989 }
9990
9991 static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
9992 {
9993 io_sq_thread_finish(ctx);
9994
9995 if (ctx->mm_account) {
9996 mmdrop(ctx->mm_account);
9997 ctx->mm_account = NULL;
9998 }
9999
10000 io_rsrc_refs_drop(ctx);
10001 /* __io_rsrc_put_work() may need uring_lock to progress, wait w/o it */
10002 io_wait_rsrc_data(ctx->buf_data);
10003 io_wait_rsrc_data(ctx->file_data);
10004
10005 mutex_lock(&ctx->uring_lock);
10006 if (ctx->buf_data)
10007 __io_sqe_buffers_unregister(ctx);
10008 if (ctx->file_data)
10009 __io_sqe_files_unregister(ctx);
10010 if (ctx->rings)
10011 __io_cqring_overflow_flush(ctx, true);
10012 io_eventfd_unregister(ctx);
10013 io_flush_apoll_cache(ctx);
10014 mutex_unlock(&ctx->uring_lock);
10015 io_destroy_buffers(ctx);
10016 if (ctx->sq_creds)
10017 put_cred(ctx->sq_creds);
10018
10019 /* there are no registered resources left, nobody uses it */
10020 if (ctx->rsrc_node)
10021 io_rsrc_node_destroy(ctx->rsrc_node);
10022 if (ctx->rsrc_backup_node)
10023 io_rsrc_node_destroy(ctx->rsrc_backup_node);
10024 flush_delayed_work(&ctx->rsrc_put_work);
10025 flush_delayed_work(&ctx->fallback_work);
10026
10027 WARN_ON_ONCE(!list_empty(&ctx->rsrc_ref_list));
10028 WARN_ON_ONCE(!llist_empty(&ctx->rsrc_put_llist));
10029
10030 #if defined(CONFIG_UNIX)
10031 if (ctx->ring_sock) {
10032 ctx->ring_sock->file = NULL; /* so that iput() is called */
10033 sock_release(ctx->ring_sock);
10034 }
10035 #endif
10036 WARN_ON_ONCE(!list_empty(&ctx->ltimeout_list));
10037
10038 io_mem_free(ctx->rings);
10039 io_mem_free(ctx->sq_sqes);
10040
10041 percpu_ref_exit(&ctx->refs);
10042 free_uid(ctx->user);
10043 io_req_caches_free(ctx);
10044 if (ctx->hash_map)
10045 io_wq_put_hash(ctx->hash_map);
10046 kfree(ctx->cancel_hash);
10047 kfree(ctx->dummy_ubuf);
10048 kfree(ctx->io_buffers);
10049 kfree(ctx);
10050 }
10051
10052 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
10053 {
10054 struct io_ring_ctx *ctx = file->private_data;
10055 __poll_t mask = 0;
10056
10057 poll_wait(file, &ctx->cq_wait, wait);
10058 /*
10059 * synchronizes with barrier from wq_has_sleeper call in
10060 * io_commit_cqring
10061 */
10062 smp_rmb();
10063 if (!io_sqring_full(ctx))
10064 mask |= EPOLLOUT | EPOLLWRNORM;
10065
10066 /*
10067 * Don't flush cqring overflow list here, just do a simple check.
10068 * Otherwise there could possible be ABBA deadlock:
10069 * CPU0 CPU1
10070 * ---- ----
10071 * lock(&ctx->uring_lock);
10072 * lock(&ep->mtx);
10073 * lock(&ctx->uring_lock);
10074 * lock(&ep->mtx);
10075 *
10076 * Users may get EPOLLIN meanwhile seeing nothing in cqring, this
10077 * pushs them to do the flush.
10078 */
10079 if (io_cqring_events(ctx) || test_bit(0, &ctx->check_cq_overflow))
10080 mask |= EPOLLIN | EPOLLRDNORM;
10081
10082 return mask;
10083 }
10084
10085 static int io_unregister_personality(struct io_ring_ctx *ctx, unsigned id)
10086 {
10087 const struct cred *creds;
10088
10089 creds = xa_erase(&ctx->personalities, id);
10090 if (creds) {
10091 put_cred(creds);
10092 return 0;
10093 }
10094
10095 return -EINVAL;
10096 }
10097
10098 struct io_tctx_exit {
10099 struct callback_head task_work;
10100 struct completion completion;
10101 struct io_ring_ctx *ctx;
10102 };
10103
10104 static __cold void io_tctx_exit_cb(struct callback_head *cb)
10105 {
10106 struct io_uring_task *tctx = current->io_uring;
10107 struct io_tctx_exit *work;
10108
10109 work = container_of(cb, struct io_tctx_exit, task_work);
10110 /*
10111 * When @in_idle, we're in cancellation and it's racy to remove the
10112 * node. It'll be removed by the end of cancellation, just ignore it.
10113 */
10114 if (!atomic_read(&tctx->in_idle))
10115 io_uring_del_tctx_node((unsigned long)work->ctx);
10116 complete(&work->completion);
10117 }
10118
10119 static __cold bool io_cancel_ctx_cb(struct io_wq_work *work, void *data)
10120 {
10121 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
10122
10123 return req->ctx == data;
10124 }
10125
10126 static __cold void io_ring_exit_work(struct work_struct *work)
10127 {
10128 struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx, exit_work);
10129 unsigned long timeout = jiffies + HZ * 60 * 5;
10130 unsigned long interval = HZ / 20;
10131 struct io_tctx_exit exit;
10132 struct io_tctx_node *node;
10133 int ret;
10134
10135 /*
10136 * If we're doing polled IO and end up having requests being
10137 * submitted async (out-of-line), then completions can come in while
10138 * we're waiting for refs to drop. We need to reap these manually,
10139 * as nobody else will be looking for them.
10140 */
10141 do {
10142 io_uring_try_cancel_requests(ctx, NULL, true);
10143 if (ctx->sq_data) {
10144 struct io_sq_data *sqd = ctx->sq_data;
10145 struct task_struct *tsk;
10146
10147 io_sq_thread_park(sqd);
10148 tsk = sqd->thread;
10149 if (tsk && tsk->io_uring && tsk->io_uring->io_wq)
10150 io_wq_cancel_cb(tsk->io_uring->io_wq,
10151 io_cancel_ctx_cb, ctx, true);
10152 io_sq_thread_unpark(sqd);
10153 }
10154
10155 io_req_caches_free(ctx);
10156
10157 if (WARN_ON_ONCE(time_after(jiffies, timeout))) {
10158 /* there is little hope left, don't run it too often */
10159 interval = HZ * 60;
10160 }
10161 } while (!wait_for_completion_timeout(&ctx->ref_comp, interval));
10162
10163 init_completion(&exit.completion);
10164 init_task_work(&exit.task_work, io_tctx_exit_cb);
10165 exit.ctx = ctx;
10166 /*
10167 * Some may use context even when all refs and requests have been put,
10168 * and they are free to do so while still holding uring_lock or
10169 * completion_lock, see io_req_task_submit(). Apart from other work,
10170 * this lock/unlock section also waits them to finish.
10171 */
10172 mutex_lock(&ctx->uring_lock);
10173 while (!list_empty(&ctx->tctx_list)) {
10174 WARN_ON_ONCE(time_after(jiffies, timeout));
10175
10176 node = list_first_entry(&ctx->tctx_list, struct io_tctx_node,
10177 ctx_node);
10178 /* don't spin on a single task if cancellation failed */
10179 list_rotate_left(&ctx->tctx_list);
10180 ret = task_work_add(node->task, &exit.task_work, TWA_SIGNAL);
10181 if (WARN_ON_ONCE(ret))
10182 continue;
10183
10184 mutex_unlock(&ctx->uring_lock);
10185 wait_for_completion(&exit.completion);
10186 mutex_lock(&ctx->uring_lock);
10187 }
10188 mutex_unlock(&ctx->uring_lock);
10189 spin_lock(&ctx->completion_lock);
10190 spin_unlock(&ctx->completion_lock);
10191
10192 io_ring_ctx_free(ctx);
10193 }
10194
10195 /* Returns true if we found and killed one or more timeouts */
10196 static __cold bool io_kill_timeouts(struct io_ring_ctx *ctx,
10197 struct task_struct *tsk, bool cancel_all)
10198 {
10199 struct io_kiocb *req, *tmp;
10200 int canceled = 0;
10201
10202 spin_lock(&ctx->completion_lock);
10203 spin_lock_irq(&ctx->timeout_lock);
10204 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {
10205 if (io_match_task(req, tsk, cancel_all)) {
10206 io_kill_timeout(req, -ECANCELED);
10207 canceled++;
10208 }
10209 }
10210 spin_unlock_irq(&ctx->timeout_lock);
10211 if (canceled != 0)
10212 io_commit_cqring(ctx);
10213 spin_unlock(&ctx->completion_lock);
10214 if (canceled != 0)
10215 io_cqring_ev_posted(ctx);
10216 return canceled != 0;
10217 }
10218
10219 static __cold void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
10220 {
10221 unsigned long index;
10222 struct creds *creds;
10223
10224 mutex_lock(&ctx->uring_lock);
10225 percpu_ref_kill(&ctx->refs);
10226 if (ctx->rings)
10227 __io_cqring_overflow_flush(ctx, true);
10228 xa_for_each(&ctx->personalities, index, creds)
10229 io_unregister_personality(ctx, index);
10230 mutex_unlock(&ctx->uring_lock);
10231
10232 io_kill_timeouts(ctx, NULL, true);
10233 io_poll_remove_all(ctx, NULL, true);
10234
10235 /* if we failed setting up the ctx, we might not have any rings */
10236 io_iopoll_try_reap_events(ctx);
10237
10238 INIT_WORK(&ctx->exit_work, io_ring_exit_work);
10239 /*
10240 * Use system_unbound_wq to avoid spawning tons of event kworkers
10241 * if we're exiting a ton of rings at the same time. It just adds
10242 * noise and overhead, there's no discernable change in runtime
10243 * over using system_wq.
10244 */
10245 queue_work(system_unbound_wq, &ctx->exit_work);
10246 }
10247
10248 static int io_uring_release(struct inode *inode, struct file *file)
10249 {
10250 struct io_ring_ctx *ctx = file->private_data;
10251
10252 file->private_data = NULL;
10253 io_ring_ctx_wait_and_kill(ctx);
10254 return 0;
10255 }
10256
10257 struct io_task_cancel {
10258 struct task_struct *task;
10259 bool all;
10260 };
10261
10262 static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
10263 {
10264 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
10265 struct io_task_cancel *cancel = data;
10266
10267 return io_match_task_safe(req, cancel->task, cancel->all);
10268 }
10269
10270 static __cold bool io_cancel_defer_files(struct io_ring_ctx *ctx,
10271 struct task_struct *task,
10272 bool cancel_all)
10273 {
10274 struct io_defer_entry *de;
10275 LIST_HEAD(list);
10276
10277 spin_lock(&ctx->completion_lock);
10278 list_for_each_entry_reverse(de, &ctx->defer_list, list) {
10279 if (io_match_task_safe(de->req, task, cancel_all)) {
10280 list_cut_position(&list, &ctx->defer_list, &de->list);
10281 break;
10282 }
10283 }
10284 spin_unlock(&ctx->completion_lock);
10285 if (list_empty(&list))
10286 return false;
10287
10288 while (!list_empty(&list)) {
10289 de = list_first_entry(&list, struct io_defer_entry, list);
10290 list_del_init(&de->list);
10291 io_req_complete_failed(de->req, -ECANCELED);
10292 kfree(de);
10293 }
10294 return true;
10295 }
10296
10297 static __cold bool io_uring_try_cancel_iowq(struct io_ring_ctx *ctx)
10298 {
10299 struct io_tctx_node *node;
10300 enum io_wq_cancel cret;
10301 bool ret = false;
10302
10303 mutex_lock(&ctx->uring_lock);
10304 list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
10305 struct io_uring_task *tctx = node->task->io_uring;
10306
10307 /*
10308 * io_wq will stay alive while we hold uring_lock, because it's
10309 * killed after ctx nodes, which requires to take the lock.
10310 */
10311 if (!tctx || !tctx->io_wq)
10312 continue;
10313 cret = io_wq_cancel_cb(tctx->io_wq, io_cancel_ctx_cb, ctx, true);
10314 ret |= (cret != IO_WQ_CANCEL_NOTFOUND);
10315 }
10316 mutex_unlock(&ctx->uring_lock);
10317
10318 return ret;
10319 }
10320
10321 static __cold void io_uring_try_cancel_requests(struct io_ring_ctx *ctx,
10322 struct task_struct *task,
10323 bool cancel_all)
10324 {
10325 struct io_task_cancel cancel = { .task = task, .all = cancel_all, };
10326 struct io_uring_task *tctx = task ? task->io_uring : NULL;
10327
10328 while (1) {
10329 enum io_wq_cancel cret;
10330 bool ret = false;
10331
10332 if (!task) {
10333 ret |= io_uring_try_cancel_iowq(ctx);
10334 } else if (tctx && tctx->io_wq) {
10335 /*
10336 * Cancels requests of all rings, not only @ctx, but
10337 * it's fine as the task is in exit/exec.
10338 */
10339 cret = io_wq_cancel_cb(tctx->io_wq, io_cancel_task_cb,
10340 &cancel, true);
10341 ret |= (cret != IO_WQ_CANCEL_NOTFOUND);
10342 }
10343
10344 /* SQPOLL thread does its own polling */
10345 if ((!(ctx->flags & IORING_SETUP_SQPOLL) && cancel_all) ||
10346 (ctx->sq_data && ctx->sq_data->thread == current)) {
10347 while (!wq_list_empty(&ctx->iopoll_list)) {
10348 io_iopoll_try_reap_events(ctx);
10349 ret = true;
10350 }
10351 }
10352
10353 ret |= io_cancel_defer_files(ctx, task, cancel_all);
10354 ret |= io_poll_remove_all(ctx, task, cancel_all);
10355 ret |= io_kill_timeouts(ctx, task, cancel_all);
10356 if (task)
10357 ret |= io_run_task_work();
10358 if (!ret)
10359 break;
10360 cond_resched();
10361 }
10362 }
10363
10364 static int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
10365 {
10366 struct io_uring_task *tctx = current->io_uring;
10367 struct io_tctx_node *node;
10368 int ret;
10369
10370 if (unlikely(!tctx)) {
10371 ret = io_uring_alloc_task_context(current, ctx);
10372 if (unlikely(ret))
10373 return ret;
10374
10375 tctx = current->io_uring;
10376 if (ctx->iowq_limits_set) {
10377 unsigned int limits[2] = { ctx->iowq_limits[0],
10378 ctx->iowq_limits[1], };
10379
10380 ret = io_wq_max_workers(tctx->io_wq, limits);
10381 if (ret)
10382 return ret;
10383 }
10384 }
10385 if (!xa_load(&tctx->xa, (unsigned long)ctx)) {
10386 node = kmalloc(sizeof(*node), GFP_KERNEL);
10387 if (!node)
10388 return -ENOMEM;
10389 node->ctx = ctx;
10390 node->task = current;
10391
10392 ret = xa_err(xa_store(&tctx->xa, (unsigned long)ctx,
10393 node, GFP_KERNEL));
10394 if (ret) {
10395 kfree(node);
10396 return ret;
10397 }
10398
10399 mutex_lock(&ctx->uring_lock);
10400 list_add(&node->ctx_node, &ctx->tctx_list);
10401 mutex_unlock(&ctx->uring_lock);
10402 }
10403 tctx->last = ctx;
10404 return 0;
10405 }
10406
10407 /*
10408 * Note that this task has used io_uring. We use it for cancelation purposes.
10409 */
10410 static inline int io_uring_add_tctx_node(struct io_ring_ctx *ctx)
10411 {
10412 struct io_uring_task *tctx = current->io_uring;
10413
10414 if (likely(tctx && tctx->last == ctx))
10415 return 0;
10416 return __io_uring_add_tctx_node(ctx);
10417 }
10418
10419 /*
10420 * Remove this io_uring_file -> task mapping.
10421 */
10422 static __cold void io_uring_del_tctx_node(unsigned long index)
10423 {
10424 struct io_uring_task *tctx = current->io_uring;
10425 struct io_tctx_node *node;
10426
10427 if (!tctx)
10428 return;
10429 node = xa_erase(&tctx->xa, index);
10430 if (!node)
10431 return;
10432
10433 WARN_ON_ONCE(current != node->task);
10434 WARN_ON_ONCE(list_empty(&node->ctx_node));
10435
10436 mutex_lock(&node->ctx->uring_lock);
10437 list_del(&node->ctx_node);
10438 mutex_unlock(&node->ctx->uring_lock);
10439
10440 if (tctx->last == node->ctx)
10441 tctx->last = NULL;
10442 kfree(node);
10443 }
10444
10445 static __cold void io_uring_clean_tctx(struct io_uring_task *tctx)
10446 {
10447 struct io_wq *wq = tctx->io_wq;
10448 struct io_tctx_node *node;
10449 unsigned long index;
10450
10451 xa_for_each(&tctx->xa, index, node) {
10452 io_uring_del_tctx_node(index);
10453 cond_resched();
10454 }
10455 if (wq) {
10456 /*
10457 * Must be after io_uring_del_tctx_node() (removes nodes under
10458 * uring_lock) to avoid race with io_uring_try_cancel_iowq().
10459 */
10460 io_wq_put_and_exit(wq);
10461 tctx->io_wq = NULL;
10462 }
10463 }
10464
10465 static s64 tctx_inflight(struct io_uring_task *tctx, bool tracked)
10466 {
10467 if (tracked)
10468 return atomic_read(&tctx->inflight_tracked);
10469 return percpu_counter_sum(&tctx->inflight);
10470 }
10471
10472 /*
10473 * Find any io_uring ctx that this task has registered or done IO on, and cancel
10474 * requests. @sqd should be not-null IFF it's an SQPOLL thread cancellation.
10475 */
10476 static __cold void io_uring_cancel_generic(bool cancel_all,
10477 struct io_sq_data *sqd)
10478 {
10479 struct io_uring_task *tctx = current->io_uring;
10480 struct io_ring_ctx *ctx;
10481 s64 inflight;
10482 DEFINE_WAIT(wait);
10483
10484 WARN_ON_ONCE(sqd && sqd->thread != current);
10485
10486 if (!current->io_uring)
10487 return;
10488 if (tctx->io_wq)
10489 io_wq_exit_start(tctx->io_wq);
10490
10491 atomic_inc(&tctx->in_idle);
10492 do {
10493 io_uring_drop_tctx_refs(current);
10494 /* read completions before cancelations */
10495 inflight = tctx_inflight(tctx, !cancel_all);
10496 if (!inflight)
10497 break;
10498
10499 if (!sqd) {
10500 struct io_tctx_node *node;
10501 unsigned long index;
10502
10503 xa_for_each(&tctx->xa, index, node) {
10504 /* sqpoll task will cancel all its requests */
10505 if (node->ctx->sq_data)
10506 continue;
10507 io_uring_try_cancel_requests(node->ctx, current,
10508 cancel_all);
10509 }
10510 } else {
10511 list_for_each_entry(ctx, &sqd->ctx_list, sqd_list)
10512 io_uring_try_cancel_requests(ctx, current,
10513 cancel_all);
10514 }
10515
10516 prepare_to_wait(&tctx->wait, &wait, TASK_INTERRUPTIBLE);
10517 io_run_task_work();
10518 io_uring_drop_tctx_refs(current);
10519
10520 /*
10521 * If we've seen completions, retry without waiting. This
10522 * avoids a race where a completion comes in before we did
10523 * prepare_to_wait().
10524 */
10525 if (inflight == tctx_inflight(tctx, !cancel_all))
10526 schedule();
10527 finish_wait(&tctx->wait, &wait);
10528 } while (1);
10529
10530 io_uring_clean_tctx(tctx);
10531 if (cancel_all) {
10532 /*
10533 * We shouldn't run task_works after cancel, so just leave
10534 * ->in_idle set for normal exit.
10535 */
10536 atomic_dec(&tctx->in_idle);
10537 /* for exec all current's requests should be gone, kill tctx */
10538 __io_uring_free(current);
10539 }
10540 }
10541
10542 void __io_uring_cancel(bool cancel_all)
10543 {
10544 io_uring_cancel_generic(cancel_all, NULL);
10545 }
10546
10547 void io_uring_unreg_ringfd(void)
10548 {
10549 struct io_uring_task *tctx = current->io_uring;
10550 int i;
10551
10552 for (i = 0; i < IO_RINGFD_REG_MAX; i++) {
10553 if (tctx->registered_rings[i]) {
10554 fput(tctx->registered_rings[i]);
10555 tctx->registered_rings[i] = NULL;
10556 }
10557 }
10558 }
10559
10560 static int io_ring_add_registered_fd(struct io_uring_task *tctx, int fd,
10561 int start, int end)
10562 {
10563 struct file *file;
10564 int offset;
10565
10566 for (offset = start; offset < end; offset++) {
10567 offset = array_index_nospec(offset, IO_RINGFD_REG_MAX);
10568 if (tctx->registered_rings[offset])
10569 continue;
10570
10571 file = fget(fd);
10572 if (!file) {
10573 return -EBADF;
10574 } else if (file->f_op != &io_uring_fops) {
10575 fput(file);
10576 return -EOPNOTSUPP;
10577 }
10578 tctx->registered_rings[offset] = file;
10579 return offset;
10580 }
10581
10582 return -EBUSY;
10583 }
10584
10585 /*
10586 * Register a ring fd to avoid fdget/fdput for each io_uring_enter()
10587 * invocation. User passes in an array of struct io_uring_rsrc_update
10588 * with ->data set to the ring_fd, and ->offset given for the desired
10589 * index. If no index is desired, application may set ->offset == -1U
10590 * and we'll find an available index. Returns number of entries
10591 * successfully processed, or < 0 on error if none were processed.
10592 */
10593 static int io_ringfd_register(struct io_ring_ctx *ctx, void __user *__arg,
10594 unsigned nr_args)
10595 {
10596 struct io_uring_rsrc_update __user *arg = __arg;
10597 struct io_uring_rsrc_update reg;
10598 struct io_uring_task *tctx;
10599 int ret, i;
10600
10601 if (!nr_args || nr_args > IO_RINGFD_REG_MAX)
10602 return -EINVAL;
10603
10604 mutex_unlock(&ctx->uring_lock);
10605 ret = io_uring_add_tctx_node(ctx);
10606 mutex_lock(&ctx->uring_lock);
10607 if (ret)
10608 return ret;
10609
10610 tctx = current->io_uring;
10611 for (i = 0; i < nr_args; i++) {
10612 int start, end;
10613
10614 if (copy_from_user(&reg, &arg[i], sizeof(reg))) {
10615 ret = -EFAULT;
10616 break;
10617 }
10618
10619 if (reg.resv) {
10620 ret = -EINVAL;
10621 break;
10622 }
10623
10624 if (reg.offset == -1U) {
10625 start = 0;
10626 end = IO_RINGFD_REG_MAX;
10627 } else {
10628 if (reg.offset >= IO_RINGFD_REG_MAX) {
10629 ret = -EINVAL;
10630 break;
10631 }
10632 start = reg.offset;
10633 end = start + 1;
10634 }
10635
10636 ret = io_ring_add_registered_fd(tctx, reg.data, start, end);
10637 if (ret < 0)
10638 break;
10639
10640 reg.offset = ret;
10641 if (copy_to_user(&arg[i], &reg, sizeof(reg))) {
10642 fput(tctx->registered_rings[reg.offset]);
10643 tctx->registered_rings[reg.offset] = NULL;
10644 ret = -EFAULT;
10645 break;
10646 }
10647 }
10648
10649 return i ? i : ret;
10650 }
10651
10652 static int io_ringfd_unregister(struct io_ring_ctx *ctx, void __user *__arg,
10653 unsigned nr_args)
10654 {
10655 struct io_uring_rsrc_update __user *arg = __arg;
10656 struct io_uring_task *tctx = current->io_uring;
10657 struct io_uring_rsrc_update reg;
10658 int ret = 0, i;
10659
10660 if (!nr_args || nr_args > IO_RINGFD_REG_MAX)
10661 return -EINVAL;
10662 if (!tctx)
10663 return 0;
10664
10665 for (i = 0; i < nr_args; i++) {
10666 if (copy_from_user(&reg, &arg[i], sizeof(reg))) {
10667 ret = -EFAULT;
10668 break;
10669 }
10670 if (reg.resv || reg.data || reg.offset >= IO_RINGFD_REG_MAX) {
10671 ret = -EINVAL;
10672 break;
10673 }
10674
10675 reg.offset = array_index_nospec(reg.offset, IO_RINGFD_REG_MAX);
10676 if (tctx->registered_rings[reg.offset]) {
10677 fput(tctx->registered_rings[reg.offset]);
10678 tctx->registered_rings[reg.offset] = NULL;
10679 }
10680 }
10681
10682 return i ? i : ret;
10683 }
10684
10685 static void *io_uring_validate_mmap_request(struct file *file,
10686 loff_t pgoff, size_t sz)
10687 {
10688 struct io_ring_ctx *ctx = file->private_data;
10689 loff_t offset = pgoff << PAGE_SHIFT;
10690 struct page *page;
10691 void *ptr;
10692
10693 switch (offset) {
10694 case IORING_OFF_SQ_RING:
10695 case IORING_OFF_CQ_RING:
10696 ptr = ctx->rings;
10697 break;
10698 case IORING_OFF_SQES:
10699 ptr = ctx->sq_sqes;
10700 break;
10701 default:
10702 return ERR_PTR(-EINVAL);
10703 }
10704
10705 page = virt_to_head_page(ptr);
10706 if (sz > page_size(page))
10707 return ERR_PTR(-EINVAL);
10708
10709 return ptr;
10710 }
10711
10712 #ifdef CONFIG_MMU
10713
10714 static __cold int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
10715 {
10716 size_t sz = vma->vm_end - vma->vm_start;
10717 unsigned long pfn;
10718 void *ptr;
10719
10720 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
10721 if (IS_ERR(ptr))
10722 return PTR_ERR(ptr);
10723
10724 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
10725 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
10726 }
10727
10728 #else /* !CONFIG_MMU */
10729
10730 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
10731 {
10732 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
10733 }
10734
10735 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
10736 {
10737 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
10738 }
10739
10740 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
10741 unsigned long addr, unsigned long len,
10742 unsigned long pgoff, unsigned long flags)
10743 {
10744 void *ptr;
10745
10746 ptr = io_uring_validate_mmap_request(file, pgoff, len);
10747 if (IS_ERR(ptr))
10748 return PTR_ERR(ptr);
10749
10750 return (unsigned long) ptr;
10751 }
10752
10753 #endif /* !CONFIG_MMU */
10754
10755 static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
10756 {
10757 DEFINE_WAIT(wait);
10758
10759 do {
10760 if (!io_sqring_full(ctx))
10761 break;
10762 prepare_to_wait(&ctx->sqo_sq_wait, &wait, TASK_INTERRUPTIBLE);
10763
10764 if (!io_sqring_full(ctx))
10765 break;
10766 schedule();
10767 } while (!signal_pending(current));
10768
10769 finish_wait(&ctx->sqo_sq_wait, &wait);
10770 return 0;
10771 }
10772
10773 static int io_get_ext_arg(unsigned flags, const void __user *argp, size_t *argsz,
10774 struct __kernel_timespec __user **ts,
10775 const sigset_t __user **sig)
10776 {
10777 struct io_uring_getevents_arg arg;
10778
10779 /*
10780 * If EXT_ARG isn't set, then we have no timespec and the argp pointer
10781 * is just a pointer to the sigset_t.
10782 */
10783 if (!(flags & IORING_ENTER_EXT_ARG)) {
10784 *sig = (const sigset_t __user *) argp;
10785 *ts = NULL;
10786 return 0;
10787 }
10788
10789 /*
10790 * EXT_ARG is set - ensure we agree on the size of it and copy in our
10791 * timespec and sigset_t pointers if good.
10792 */
10793 if (*argsz != sizeof(arg))
10794 return -EINVAL;
10795 if (copy_from_user(&arg, argp, sizeof(arg)))
10796 return -EFAULT;
10797 if (arg.pad)
10798 return -EINVAL;
10799 *sig = u64_to_user_ptr(arg.sigmask);
10800 *argsz = arg.sigmask_sz;
10801 *ts = u64_to_user_ptr(arg.ts);
10802 return 0;
10803 }
10804
10805 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
10806 u32, min_complete, u32, flags, const void __user *, argp,
10807 size_t, argsz)
10808 {
10809 struct io_ring_ctx *ctx;
10810 int submitted = 0;
10811 struct fd f;
10812 long ret;
10813
10814 io_run_task_work();
10815
10816 if (unlikely(flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
10817 IORING_ENTER_SQ_WAIT | IORING_ENTER_EXT_ARG |
10818 IORING_ENTER_REGISTERED_RING)))
10819 return -EINVAL;
10820
10821 /*
10822 * Ring fd has been registered via IORING_REGISTER_RING_FDS, we
10823 * need only dereference our task private array to find it.
10824 */
10825 if (flags & IORING_ENTER_REGISTERED_RING) {
10826 struct io_uring_task *tctx = current->io_uring;
10827
10828 if (!tctx || fd >= IO_RINGFD_REG_MAX)
10829 return -EINVAL;
10830 fd = array_index_nospec(fd, IO_RINGFD_REG_MAX);
10831 f.file = tctx->registered_rings[fd];
10832 if (unlikely(!f.file))
10833 return -EBADF;
10834 } else {
10835 f = fdget(fd);
10836 if (unlikely(!f.file))
10837 return -EBADF;
10838 }
10839
10840 ret = -EOPNOTSUPP;
10841 if (unlikely(f.file->f_op != &io_uring_fops))
10842 goto out_fput;
10843
10844 ret = -ENXIO;
10845 ctx = f.file->private_data;
10846 if (unlikely(!percpu_ref_tryget(&ctx->refs)))
10847 goto out_fput;
10848
10849 ret = -EBADFD;
10850 if (unlikely(ctx->flags & IORING_SETUP_R_DISABLED))
10851 goto out;
10852
10853 /*
10854 * For SQ polling, the thread will do all submissions and completions.
10855 * Just return the requested submit count, and wake the thread if
10856 * we were asked to.
10857 */
10858 ret = 0;
10859 if (ctx->flags & IORING_SETUP_SQPOLL) {
10860 io_cqring_overflow_flush(ctx);
10861
10862 if (unlikely(ctx->sq_data->thread == NULL)) {
10863 ret = -EOWNERDEAD;
10864 goto out;
10865 }
10866 if (flags & IORING_ENTER_SQ_WAKEUP)
10867 wake_up(&ctx->sq_data->wait);
10868 if (flags & IORING_ENTER_SQ_WAIT) {
10869 ret = io_sqpoll_wait_sq(ctx);
10870 if (ret)
10871 goto out;
10872 }
10873 submitted = to_submit;
10874 } else if (to_submit) {
10875 ret = io_uring_add_tctx_node(ctx);
10876 if (unlikely(ret))
10877 goto out;
10878 mutex_lock(&ctx->uring_lock);
10879 submitted = io_submit_sqes(ctx, to_submit);
10880 mutex_unlock(&ctx->uring_lock);
10881
10882 if (submitted != to_submit)
10883 goto out;
10884 }
10885 if (flags & IORING_ENTER_GETEVENTS) {
10886 const sigset_t __user *sig;
10887 struct __kernel_timespec __user *ts;
10888
10889 ret = io_get_ext_arg(flags, argp, &argsz, &ts, &sig);
10890 if (unlikely(ret))
10891 goto out;
10892
10893 min_complete = min(min_complete, ctx->cq_entries);
10894
10895 /*
10896 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
10897 * space applications don't need to do io completion events
10898 * polling again, they can rely on io_sq_thread to do polling
10899 * work, which can reduce cpu usage and uring_lock contention.
10900 */
10901 if (ctx->flags & IORING_SETUP_IOPOLL &&
10902 !(ctx->flags & IORING_SETUP_SQPOLL)) {
10903 ret = io_iopoll_check(ctx, min_complete);
10904 } else {
10905 ret = io_cqring_wait(ctx, min_complete, sig, argsz, ts);
10906 }
10907 }
10908
10909 out:
10910 percpu_ref_put(&ctx->refs);
10911 out_fput:
10912 if (!(flags & IORING_ENTER_REGISTERED_RING))
10913 fdput(f);
10914 return submitted ? submitted : ret;
10915 }
10916
10917 #ifdef CONFIG_PROC_FS
10918 static __cold int io_uring_show_cred(struct seq_file *m, unsigned int id,
10919 const struct cred *cred)
10920 {
10921 struct user_namespace *uns = seq_user_ns(m);
10922 struct group_info *gi;
10923 kernel_cap_t cap;
10924 unsigned __capi;
10925 int g;
10926
10927 seq_printf(m, "%5d\n", id);
10928 seq_put_decimal_ull(m, "\tUid:\t", from_kuid_munged(uns, cred->uid));
10929 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->euid));
10930 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->suid));
10931 seq_put_decimal_ull(m, "\t\t", from_kuid_munged(uns, cred->fsuid));
10932 seq_put_decimal_ull(m, "\n\tGid:\t", from_kgid_munged(uns, cred->gid));
10933 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->egid));
10934 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->sgid));
10935 seq_put_decimal_ull(m, "\t\t", from_kgid_munged(uns, cred->fsgid));
10936 seq_puts(m, "\n\tGroups:\t");
10937 gi = cred->group_info;
10938 for (g = 0; g < gi->ngroups; g++) {
10939 seq_put_decimal_ull(m, g ? " " : "",
10940 from_kgid_munged(uns, gi->gid[g]));
10941 }
10942 seq_puts(m, "\n\tCapEff:\t");
10943 cap = cred->cap_effective;
10944 CAP_FOR_EACH_U32(__capi)
10945 seq_put_hex_ll(m, NULL, cap.cap[CAP_LAST_U32 - __capi], 8);
10946 seq_putc(m, '\n');
10947 return 0;
10948 }
10949
10950 static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
10951 struct seq_file *m)
10952 {
10953 struct io_sq_data *sq = NULL;
10954 struct io_overflow_cqe *ocqe;
10955 struct io_rings *r = ctx->rings;
10956 unsigned int sq_mask = ctx->sq_entries - 1, cq_mask = ctx->cq_entries - 1;
10957 unsigned int sq_head = READ_ONCE(r->sq.head);
10958 unsigned int sq_tail = READ_ONCE(r->sq.tail);
10959 unsigned int cq_head = READ_ONCE(r->cq.head);
10960 unsigned int cq_tail = READ_ONCE(r->cq.tail);
10961 unsigned int sq_entries, cq_entries;
10962 bool has_lock;
10963 unsigned int i;
10964
10965 /*
10966 * we may get imprecise sqe and cqe info if uring is actively running
10967 * since we get cached_sq_head and cached_cq_tail without uring_lock
10968 * and sq_tail and cq_head are changed by userspace. But it's ok since
10969 * we usually use these info when it is stuck.
10970 */
10971 seq_printf(m, "SqMask:\t0x%x\n", sq_mask);
10972 seq_printf(m, "SqHead:\t%u\n", sq_head);
10973 seq_printf(m, "SqTail:\t%u\n", sq_tail);
10974 seq_printf(m, "CachedSqHead:\t%u\n", ctx->cached_sq_head);
10975 seq_printf(m, "CqMask:\t0x%x\n", cq_mask);
10976 seq_printf(m, "CqHead:\t%u\n", cq_head);
10977 seq_printf(m, "CqTail:\t%u\n", cq_tail);
10978 seq_printf(m, "CachedCqTail:\t%u\n", ctx->cached_cq_tail);
10979 seq_printf(m, "SQEs:\t%u\n", sq_tail - ctx->cached_sq_head);
10980 sq_entries = min(sq_tail - sq_head, ctx->sq_entries);
10981 for (i = 0; i < sq_entries; i++) {
10982 unsigned int entry = i + sq_head;
10983 unsigned int sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]);
10984 struct io_uring_sqe *sqe;
10985
10986 if (sq_idx > sq_mask)
10987 continue;
10988 sqe = &ctx->sq_sqes[sq_idx];
10989 seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
10990 sq_idx, sqe->opcode, sqe->fd, sqe->flags,
10991 sqe->user_data);
10992 }
10993 seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head);
10994 cq_entries = min(cq_tail - cq_head, ctx->cq_entries);
10995 for (i = 0; i < cq_entries; i++) {
10996 unsigned int entry = i + cq_head;
10997 struct io_uring_cqe *cqe = &r->cqes[entry & cq_mask];
10998
10999 seq_printf(m, "%5u: user_data:%llu, res:%d, flag:%x\n",
11000 entry & cq_mask, cqe->user_data, cqe->res,
11001 cqe->flags);
11002 }
11003
11004 /*
11005 * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
11006 * since fdinfo case grabs it in the opposite direction of normal use
11007 * cases. If we fail to get the lock, we just don't iterate any
11008 * structures that could be going away outside the io_uring mutex.
11009 */
11010 has_lock = mutex_trylock(&ctx->uring_lock);
11011
11012 if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) {
11013 sq = ctx->sq_data;
11014 if (!sq->thread)
11015 sq = NULL;
11016 }
11017
11018 seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1);
11019 seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1);
11020 seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
11021 for (i = 0; has_lock && i < ctx->nr_user_files; i++) {
11022 struct file *f = io_file_from_index(ctx, i);
11023
11024 if (f)
11025 seq_printf(m, "%5u: %s\n", i, file_dentry(f)->d_iname);
11026 else
11027 seq_printf(m, "%5u: <none>\n", i);
11028 }
11029 seq_printf(m, "UserBufs:\t%u\n", ctx->nr_user_bufs);
11030 for (i = 0; has_lock && i < ctx->nr_user_bufs; i++) {
11031 struct io_mapped_ubuf *buf = ctx->user_bufs[i];
11032 unsigned int len = buf->ubuf_end - buf->ubuf;
11033
11034 seq_printf(m, "%5u: 0x%llx/%u\n", i, buf->ubuf, len);
11035 }
11036 if (has_lock && !xa_empty(&ctx->personalities)) {
11037 unsigned long index;
11038 const struct cred *cred;
11039
11040 seq_printf(m, "Personalities:\n");
11041 xa_for_each(&ctx->personalities, index, cred)
11042 io_uring_show_cred(m, index, cred);
11043 }
11044 if (has_lock)
11045 mutex_unlock(&ctx->uring_lock);
11046
11047 seq_puts(m, "PollList:\n");
11048 spin_lock(&ctx->completion_lock);
11049 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
11050 struct hlist_head *list = &ctx->cancel_hash[i];
11051 struct io_kiocb *req;
11052
11053 hlist_for_each_entry(req, list, hash_node)
11054 seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
11055 task_work_pending(req->task));
11056 }
11057
11058 seq_puts(m, "CqOverflowList:\n");
11059 list_for_each_entry(ocqe, &ctx->cq_overflow_list, list) {
11060 struct io_uring_cqe *cqe = &ocqe->cqe;
11061
11062 seq_printf(m, " user_data=%llu, res=%d, flags=%x\n",
11063 cqe->user_data, cqe->res, cqe->flags);
11064
11065 }
11066
11067 spin_unlock(&ctx->completion_lock);
11068 }
11069
11070 static __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *f)
11071 {
11072 struct io_ring_ctx *ctx = f->private_data;
11073
11074 if (percpu_ref_tryget(&ctx->refs)) {
11075 __io_uring_show_fdinfo(ctx, m);
11076 percpu_ref_put(&ctx->refs);
11077 }
11078 }
11079 #endif
11080
11081 static const struct file_operations io_uring_fops = {
11082 .release = io_uring_release,
11083 .mmap = io_uring_mmap,
11084 #ifndef CONFIG_MMU
11085 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
11086 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
11087 #endif
11088 .poll = io_uring_poll,
11089 #ifdef CONFIG_PROC_FS
11090 .show_fdinfo = io_uring_show_fdinfo,
11091 #endif
11092 };
11093
11094 static __cold int io_allocate_scq_urings(struct io_ring_ctx *ctx,
11095 struct io_uring_params *p)
11096 {
11097 struct io_rings *rings;
11098 size_t size, sq_array_offset;
11099
11100 /* make sure these are sane, as we already accounted them */
11101 ctx->sq_entries = p->sq_entries;
11102 ctx->cq_entries = p->cq_entries;
11103
11104 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
11105 if (size == SIZE_MAX)
11106 return -EOVERFLOW;
11107
11108 rings = io_mem_alloc(size);
11109 if (!rings)
11110 return -ENOMEM;
11111
11112 ctx->rings = rings;
11113 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
11114 rings->sq_ring_mask = p->sq_entries - 1;
11115 rings->cq_ring_mask = p->cq_entries - 1;
11116 rings->sq_ring_entries = p->sq_entries;
11117 rings->cq_ring_entries = p->cq_entries;
11118
11119 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
11120 if (size == SIZE_MAX) {
11121 io_mem_free(ctx->rings);
11122 ctx->rings = NULL;
11123 return -EOVERFLOW;
11124 }
11125
11126 ctx->sq_sqes = io_mem_alloc(size);
11127 if (!ctx->sq_sqes) {
11128 io_mem_free(ctx->rings);
11129 ctx->rings = NULL;
11130 return -ENOMEM;
11131 }
11132
11133 return 0;
11134 }
11135
11136 static int io_uring_install_fd(struct io_ring_ctx *ctx, struct file *file)
11137 {
11138 int ret, fd;
11139
11140 fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
11141 if (fd < 0)
11142 return fd;
11143
11144 ret = io_uring_add_tctx_node(ctx);
11145 if (ret) {
11146 put_unused_fd(fd);
11147 return ret;
11148 }
11149 fd_install(fd, file);
11150 return fd;
11151 }
11152
11153 /*
11154 * Allocate an anonymous fd, this is what constitutes the application
11155 * visible backing of an io_uring instance. The application mmaps this
11156 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
11157 * we have to tie this fd to a socket for file garbage collection purposes.
11158 */
11159 static struct file *io_uring_get_file(struct io_ring_ctx *ctx)
11160 {
11161 struct file *file;
11162 #if defined(CONFIG_UNIX)
11163 int ret;
11164
11165 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
11166 &ctx->ring_sock);
11167 if (ret)
11168 return ERR_PTR(ret);
11169 #endif
11170
11171 file = anon_inode_getfile_secure("[io_uring]", &io_uring_fops, ctx,
11172 O_RDWR | O_CLOEXEC, NULL);
11173 #if defined(CONFIG_UNIX)
11174 if (IS_ERR(file)) {
11175 sock_release(ctx->ring_sock);
11176 ctx->ring_sock = NULL;
11177 } else {
11178 ctx->ring_sock->file = file;
11179 }
11180 #endif
11181 return file;
11182 }
11183
11184 static __cold int io_uring_create(unsigned entries, struct io_uring_params *p,
11185 struct io_uring_params __user *params)
11186 {
11187 struct io_ring_ctx *ctx;
11188 struct file *file;
11189 int ret;
11190
11191 if (!entries)
11192 return -EINVAL;
11193 if (entries > IORING_MAX_ENTRIES) {
11194 if (!(p->flags & IORING_SETUP_CLAMP))
11195 return -EINVAL;
11196 entries = IORING_MAX_ENTRIES;
11197 }
11198
11199 /*
11200 * Use twice as many entries for the CQ ring. It's possible for the
11201 * application to drive a higher depth than the size of the SQ ring,
11202 * since the sqes are only used at submission time. This allows for
11203 * some flexibility in overcommitting a bit. If the application has
11204 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
11205 * of CQ ring entries manually.
11206 */
11207 p->sq_entries = roundup_pow_of_two(entries);
11208 if (p->flags & IORING_SETUP_CQSIZE) {
11209 /*
11210 * If IORING_SETUP_CQSIZE is set, we do the same roundup
11211 * to a power-of-two, if it isn't already. We do NOT impose
11212 * any cq vs sq ring sizing.
11213 */
11214 if (!p->cq_entries)
11215 return -EINVAL;
11216 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
11217 if (!(p->flags & IORING_SETUP_CLAMP))
11218 return -EINVAL;
11219 p->cq_entries = IORING_MAX_CQ_ENTRIES;
11220 }
11221 p->cq_entries = roundup_pow_of_two(p->cq_entries);
11222 if (p->cq_entries < p->sq_entries)
11223 return -EINVAL;
11224 } else {
11225 p->cq_entries = 2 * p->sq_entries;
11226 }
11227
11228 ctx = io_ring_ctx_alloc(p);
11229 if (!ctx)
11230 return -ENOMEM;
11231 ctx->compat = in_compat_syscall();
11232 if (!capable(CAP_IPC_LOCK))
11233 ctx->user = get_uid(current_user());
11234
11235 /*
11236 * This is just grabbed for accounting purposes. When a process exits,
11237 * the mm is exited and dropped before the files, hence we need to hang
11238 * on to this mm purely for the purposes of being able to unaccount
11239 * memory (locked/pinned vm). It's not used for anything else.
11240 */
11241 mmgrab(current->mm);
11242 ctx->mm_account = current->mm;
11243
11244 ret = io_allocate_scq_urings(ctx, p);
11245 if (ret)
11246 goto err;
11247
11248 ret = io_sq_offload_create(ctx, p);
11249 if (ret)
11250 goto err;
11251 /* always set a rsrc node */
11252 ret = io_rsrc_node_switch_start(ctx);
11253 if (ret)
11254 goto err;
11255 io_rsrc_node_switch(ctx, NULL);
11256
11257 memset(&p->sq_off, 0, sizeof(p->sq_off));
11258 p->sq_off.head = offsetof(struct io_rings, sq.head);
11259 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
11260 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
11261 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
11262 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
11263 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
11264 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
11265
11266 memset(&p->cq_off, 0, sizeof(p->cq_off));
11267 p->cq_off.head = offsetof(struct io_rings, cq.head);
11268 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
11269 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
11270 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
11271 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
11272 p->cq_off.cqes = offsetof(struct io_rings, cqes);
11273 p->cq_off.flags = offsetof(struct io_rings, cq_flags);
11274
11275 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
11276 IORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |
11277 IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |
11278 IORING_FEAT_POLL_32BITS | IORING_FEAT_SQPOLL_NONFIXED |
11279 IORING_FEAT_EXT_ARG | IORING_FEAT_NATIVE_WORKERS |
11280 IORING_FEAT_RSRC_TAGS | IORING_FEAT_CQE_SKIP |
11281 IORING_FEAT_LINKED_FILE;
11282
11283 if (copy_to_user(params, p, sizeof(*p))) {
11284 ret = -EFAULT;
11285 goto err;
11286 }
11287
11288 file = io_uring_get_file(ctx);
11289 if (IS_ERR(file)) {
11290 ret = PTR_ERR(file);
11291 goto err;
11292 }
11293
11294 /*
11295 * Install ring fd as the very last thing, so we don't risk someone
11296 * having closed it before we finish setup
11297 */
11298 ret = io_uring_install_fd(ctx, file);
11299 if (ret < 0) {
11300 /* fput will clean it up */
11301 fput(file);
11302 return ret;
11303 }
11304
11305 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
11306 return ret;
11307 err:
11308 io_ring_ctx_wait_and_kill(ctx);
11309 return ret;
11310 }
11311
11312 /*
11313 * Sets up an aio uring context, and returns the fd. Applications asks for a
11314 * ring size, we return the actual sq/cq ring sizes (among other things) in the
11315 * params structure passed in.
11316 */
11317 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
11318 {
11319 struct io_uring_params p;
11320 int i;
11321
11322 if (copy_from_user(&p, params, sizeof(p)))
11323 return -EFAULT;
11324 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
11325 if (p.resv[i])
11326 return -EINVAL;
11327 }
11328
11329 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
11330 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE |
11331 IORING_SETUP_CLAMP | IORING_SETUP_ATTACH_WQ |
11332 IORING_SETUP_R_DISABLED | IORING_SETUP_SUBMIT_ALL))
11333 return -EINVAL;
11334
11335 return io_uring_create(entries, &p, params);
11336 }
11337
11338 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
11339 struct io_uring_params __user *, params)
11340 {
11341 return io_uring_setup(entries, params);
11342 }
11343
11344 static __cold int io_probe(struct io_ring_ctx *ctx, void __user *arg,
11345 unsigned nr_args)
11346 {
11347 struct io_uring_probe *p;
11348 size_t size;
11349 int i, ret;
11350
11351 size = struct_size(p, ops, nr_args);
11352 if (size == SIZE_MAX)
11353 return -EOVERFLOW;
11354 p = kzalloc(size, GFP_KERNEL);
11355 if (!p)
11356 return -ENOMEM;
11357
11358 ret = -EFAULT;
11359 if (copy_from_user(p, arg, size))
11360 goto out;
11361 ret = -EINVAL;
11362 if (memchr_inv(p, 0, size))
11363 goto out;
11364
11365 p->last_op = IORING_OP_LAST - 1;
11366 if (nr_args > IORING_OP_LAST)
11367 nr_args = IORING_OP_LAST;
11368
11369 for (i = 0; i < nr_args; i++) {
11370 p->ops[i].op = i;
11371 if (!io_op_defs[i].not_supported)
11372 p->ops[i].flags = IO_URING_OP_SUPPORTED;
11373 }
11374 p->ops_len = i;
11375
11376 ret = 0;
11377 if (copy_to_user(arg, p, size))
11378 ret = -EFAULT;
11379 out:
11380 kfree(p);
11381 return ret;
11382 }
11383
11384 static int io_register_personality(struct io_ring_ctx *ctx)
11385 {
11386 const struct cred *creds;
11387 u32 id;
11388 int ret;
11389
11390 creds = get_current_cred();
11391
11392 ret = xa_alloc_cyclic(&ctx->personalities, &id, (void *)creds,
11393 XA_LIMIT(0, USHRT_MAX), &ctx->pers_next, GFP_KERNEL);
11394 if (ret < 0) {
11395 put_cred(creds);
11396 return ret;
11397 }
11398 return id;
11399 }
11400
11401 static __cold int io_register_restrictions(struct io_ring_ctx *ctx,
11402 void __user *arg, unsigned int nr_args)
11403 {
11404 struct io_uring_restriction *res;
11405 size_t size;
11406 int i, ret;
11407
11408 /* Restrictions allowed only if rings started disabled */
11409 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
11410 return -EBADFD;
11411
11412 /* We allow only a single restrictions registration */
11413 if (ctx->restrictions.registered)
11414 return -EBUSY;
11415
11416 if (!arg || nr_args > IORING_MAX_RESTRICTIONS)
11417 return -EINVAL;
11418
11419 size = array_size(nr_args, sizeof(*res));
11420 if (size == SIZE_MAX)
11421 return -EOVERFLOW;
11422
11423 res = memdup_user(arg, size);
11424 if (IS_ERR(res))
11425 return PTR_ERR(res);
11426
11427 ret = 0;
11428
11429 for (i = 0; i < nr_args; i++) {
11430 switch (res[i].opcode) {
11431 case IORING_RESTRICTION_REGISTER_OP:
11432 if (res[i].register_op >= IORING_REGISTER_LAST) {
11433 ret = -EINVAL;
11434 goto out;
11435 }
11436
11437 __set_bit(res[i].register_op,
11438 ctx->restrictions.register_op);
11439 break;
11440 case IORING_RESTRICTION_SQE_OP:
11441 if (res[i].sqe_op >= IORING_OP_LAST) {
11442 ret = -EINVAL;
11443 goto out;
11444 }
11445
11446 __set_bit(res[i].sqe_op, ctx->restrictions.sqe_op);
11447 break;
11448 case IORING_RESTRICTION_SQE_FLAGS_ALLOWED:
11449 ctx->restrictions.sqe_flags_allowed = res[i].sqe_flags;
11450 break;
11451 case IORING_RESTRICTION_SQE_FLAGS_REQUIRED:
11452 ctx->restrictions.sqe_flags_required = res[i].sqe_flags;
11453 break;
11454 default:
11455 ret = -EINVAL;
11456 goto out;
11457 }
11458 }
11459
11460 out:
11461 /* Reset all restrictions if an error happened */
11462 if (ret != 0)
11463 memset(&ctx->restrictions, 0, sizeof(ctx->restrictions));
11464 else
11465 ctx->restrictions.registered = true;
11466
11467 kfree(res);
11468 return ret;
11469 }
11470
11471 static int io_register_enable_rings(struct io_ring_ctx *ctx)
11472 {
11473 if (!(ctx->flags & IORING_SETUP_R_DISABLED))
11474 return -EBADFD;
11475
11476 if (ctx->restrictions.registered)
11477 ctx->restricted = 1;
11478
11479 ctx->flags &= ~IORING_SETUP_R_DISABLED;
11480 if (ctx->sq_data && wq_has_sleeper(&ctx->sq_data->wait))
11481 wake_up(&ctx->sq_data->wait);
11482 return 0;
11483 }
11484
11485 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
11486 struct io_uring_rsrc_update2 *up,
11487 unsigned nr_args)
11488 {
11489 __u32 tmp;
11490 int err;
11491
11492 if (check_add_overflow(up->offset, nr_args, &tmp))
11493 return -EOVERFLOW;
11494 err = io_rsrc_node_switch_start(ctx);
11495 if (err)
11496 return err;
11497
11498 switch (type) {
11499 case IORING_RSRC_FILE:
11500 return __io_sqe_files_update(ctx, up, nr_args);
11501 case IORING_RSRC_BUFFER:
11502 return __io_sqe_buffers_update(ctx, up, nr_args);
11503 }
11504 return -EINVAL;
11505 }
11506
11507 static int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,
11508 unsigned nr_args)
11509 {
11510 struct io_uring_rsrc_update2 up;
11511
11512 if (!nr_args)
11513 return -EINVAL;
11514 memset(&up, 0, sizeof(up));
11515 if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))
11516 return -EFAULT;
11517 if (up.resv || up.resv2)
11518 return -EINVAL;
11519 return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);
11520 }
11521
11522 static int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
11523 unsigned size, unsigned type)
11524 {
11525 struct io_uring_rsrc_update2 up;
11526
11527 if (size != sizeof(up))
11528 return -EINVAL;
11529 if (copy_from_user(&up, arg, sizeof(up)))
11530 return -EFAULT;
11531 if (!up.nr || up.resv || up.resv2)
11532 return -EINVAL;
11533 return __io_register_rsrc_update(ctx, type, &up, up.nr);
11534 }
11535
11536 static __cold int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
11537 unsigned int size, unsigned int type)
11538 {
11539 struct io_uring_rsrc_register rr;
11540
11541 /* keep it extendible */
11542 if (size != sizeof(rr))
11543 return -EINVAL;
11544
11545 memset(&rr, 0, sizeof(rr));
11546 if (copy_from_user(&rr, arg, size))
11547 return -EFAULT;
11548 if (!rr.nr || rr.resv || rr.resv2)
11549 return -EINVAL;
11550
11551 switch (type) {
11552 case IORING_RSRC_FILE:
11553 return io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),
11554 rr.nr, u64_to_user_ptr(rr.tags));
11555 case IORING_RSRC_BUFFER:
11556 return io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),
11557 rr.nr, u64_to_user_ptr(rr.tags));
11558 }
11559 return -EINVAL;
11560 }
11561
11562 static __cold int io_register_iowq_aff(struct io_ring_ctx *ctx,
11563 void __user *arg, unsigned len)
11564 {
11565 struct io_uring_task *tctx = current->io_uring;
11566 cpumask_var_t new_mask;
11567 int ret;
11568
11569 if (!tctx || !tctx->io_wq)
11570 return -EINVAL;
11571
11572 if (!alloc_cpumask_var(&new_mask, GFP_KERNEL))
11573 return -ENOMEM;
11574
11575 cpumask_clear(new_mask);
11576 if (len > cpumask_size())
11577 len = cpumask_size();
11578
11579 if (in_compat_syscall()) {
11580 ret = compat_get_bitmap(cpumask_bits(new_mask),
11581 (const compat_ulong_t __user *)arg,
11582 len * 8 /* CHAR_BIT */);
11583 } else {
11584 ret = copy_from_user(new_mask, arg, len);
11585 }
11586
11587 if (ret) {
11588 free_cpumask_var(new_mask);
11589 return -EFAULT;
11590 }
11591
11592 ret = io_wq_cpu_affinity(tctx->io_wq, new_mask);
11593 free_cpumask_var(new_mask);
11594 return ret;
11595 }
11596
11597 static __cold int io_unregister_iowq_aff(struct io_ring_ctx *ctx)
11598 {
11599 struct io_uring_task *tctx = current->io_uring;
11600
11601 if (!tctx || !tctx->io_wq)
11602 return -EINVAL;
11603
11604 return io_wq_cpu_affinity(tctx->io_wq, NULL);
11605 }
11606
11607 static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
11608 void __user *arg)
11609 __must_hold(&ctx->uring_lock)
11610 {
11611 struct io_tctx_node *node;
11612 struct io_uring_task *tctx = NULL;
11613 struct io_sq_data *sqd = NULL;
11614 __u32 new_count[2];
11615 int i, ret;
11616
11617 if (copy_from_user(new_count, arg, sizeof(new_count)))
11618 return -EFAULT;
11619 for (i = 0; i < ARRAY_SIZE(new_count); i++)
11620 if (new_count[i] > INT_MAX)
11621 return -EINVAL;
11622
11623 if (ctx->flags & IORING_SETUP_SQPOLL) {
11624 sqd = ctx->sq_data;
11625 if (sqd) {
11626 /*
11627 * Observe the correct sqd->lock -> ctx->uring_lock
11628 * ordering. Fine to drop uring_lock here, we hold
11629 * a ref to the ctx.
11630 */
11631 refcount_inc(&sqd->refs);
11632 mutex_unlock(&ctx->uring_lock);
11633 mutex_lock(&sqd->lock);
11634 mutex_lock(&ctx->uring_lock);
11635 if (sqd->thread)
11636 tctx = sqd->thread->io_uring;
11637 }
11638 } else {
11639 tctx = current->io_uring;
11640 }
11641
11642 BUILD_BUG_ON(sizeof(new_count) != sizeof(ctx->iowq_limits));
11643
11644 for (i = 0; i < ARRAY_SIZE(new_count); i++)
11645 if (new_count[i])
11646 ctx->iowq_limits[i] = new_count[i];
11647 ctx->iowq_limits_set = true;
11648
11649 if (tctx && tctx->io_wq) {
11650 ret = io_wq_max_workers(tctx->io_wq, new_count);
11651 if (ret)
11652 goto err;
11653 } else {
11654 memset(new_count, 0, sizeof(new_count));
11655 }
11656
11657 if (sqd) {
11658 mutex_unlock(&sqd->lock);
11659 io_put_sq_data(sqd);
11660 }
11661
11662 if (copy_to_user(arg, new_count, sizeof(new_count)))
11663 return -EFAULT;
11664
11665 /* that's it for SQPOLL, only the SQPOLL task creates requests */
11666 if (sqd)
11667 return 0;
11668
11669 /* now propagate the restriction to all registered users */
11670 list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
11671 struct io_uring_task *tctx = node->task->io_uring;
11672
11673 if (WARN_ON_ONCE(!tctx->io_wq))
11674 continue;
11675
11676 for (i = 0; i < ARRAY_SIZE(new_count); i++)
11677 new_count[i] = ctx->iowq_limits[i];
11678 /* ignore errors, it always returns zero anyway */
11679 (void)io_wq_max_workers(tctx->io_wq, new_count);
11680 }
11681 return 0;
11682 err:
11683 if (sqd) {
11684 mutex_unlock(&sqd->lock);
11685 io_put_sq_data(sqd);
11686 }
11687 return ret;
11688 }
11689
11690 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
11691 void __user *arg, unsigned nr_args)
11692 __releases(ctx->uring_lock)
11693 __acquires(ctx->uring_lock)
11694 {
11695 int ret;
11696
11697 /*
11698 * We're inside the ring mutex, if the ref is already dying, then
11699 * someone else killed the ctx or is already going through
11700 * io_uring_register().
11701 */
11702 if (percpu_ref_is_dying(&ctx->refs))
11703 return -ENXIO;
11704
11705 if (ctx->restricted) {
11706 if (opcode >= IORING_REGISTER_LAST)
11707 return -EINVAL;
11708 opcode = array_index_nospec(opcode, IORING_REGISTER_LAST);
11709 if (!test_bit(opcode, ctx->restrictions.register_op))
11710 return -EACCES;
11711 }
11712
11713 switch (opcode) {
11714 case IORING_REGISTER_BUFFERS:
11715 ret = io_sqe_buffers_register(ctx, arg, nr_args, NULL);
11716 break;
11717 case IORING_UNREGISTER_BUFFERS:
11718 ret = -EINVAL;
11719 if (arg || nr_args)
11720 break;
11721 ret = io_sqe_buffers_unregister(ctx);
11722 break;
11723 case IORING_REGISTER_FILES:
11724 ret = io_sqe_files_register(ctx, arg, nr_args, NULL);
11725 break;
11726 case IORING_UNREGISTER_FILES:
11727 ret = -EINVAL;
11728 if (arg || nr_args)
11729 break;
11730 ret = io_sqe_files_unregister(ctx);
11731 break;
11732 case IORING_REGISTER_FILES_UPDATE:
11733 ret = io_register_files_update(ctx, arg, nr_args);
11734 break;
11735 case IORING_REGISTER_EVENTFD:
11736 ret = -EINVAL;
11737 if (nr_args != 1)
11738 break;
11739 ret = io_eventfd_register(ctx, arg, 0);
11740 break;
11741 case IORING_REGISTER_EVENTFD_ASYNC:
11742 ret = -EINVAL;
11743 if (nr_args != 1)
11744 break;
11745 ret = io_eventfd_register(ctx, arg, 1);
11746 break;
11747 case IORING_UNREGISTER_EVENTFD:
11748 ret = -EINVAL;
11749 if (arg || nr_args)
11750 break;
11751 ret = io_eventfd_unregister(ctx);
11752 break;
11753 case IORING_REGISTER_PROBE:
11754 ret = -EINVAL;
11755 if (!arg || nr_args > 256)
11756 break;
11757 ret = io_probe(ctx, arg, nr_args);
11758 break;
11759 case IORING_REGISTER_PERSONALITY:
11760 ret = -EINVAL;
11761 if (arg || nr_args)
11762 break;
11763 ret = io_register_personality(ctx);
11764 break;
11765 case IORING_UNREGISTER_PERSONALITY:
11766 ret = -EINVAL;
11767 if (arg)
11768 break;
11769 ret = io_unregister_personality(ctx, nr_args);
11770 break;
11771 case IORING_REGISTER_ENABLE_RINGS:
11772 ret = -EINVAL;
11773 if (arg || nr_args)
11774 break;
11775 ret = io_register_enable_rings(ctx);
11776 break;
11777 case IORING_REGISTER_RESTRICTIONS:
11778 ret = io_register_restrictions(ctx, arg, nr_args);
11779 break;
11780 case IORING_REGISTER_FILES2:
11781 ret = io_register_rsrc(ctx, arg, nr_args, IORING_RSRC_FILE);
11782 break;
11783 case IORING_REGISTER_FILES_UPDATE2:
11784 ret = io_register_rsrc_update(ctx, arg, nr_args,
11785 IORING_RSRC_FILE);
11786 break;
11787 case IORING_REGISTER_BUFFERS2:
11788 ret = io_register_rsrc(ctx, arg, nr_args, IORING_RSRC_BUFFER);
11789 break;
11790 case IORING_REGISTER_BUFFERS_UPDATE:
11791 ret = io_register_rsrc_update(ctx, arg, nr_args,
11792 IORING_RSRC_BUFFER);
11793 break;
11794 case IORING_REGISTER_IOWQ_AFF:
11795 ret = -EINVAL;
11796 if (!arg || !nr_args)
11797 break;
11798 ret = io_register_iowq_aff(ctx, arg, nr_args);
11799 break;
11800 case IORING_UNREGISTER_IOWQ_AFF:
11801 ret = -EINVAL;
11802 if (arg || nr_args)
11803 break;
11804 ret = io_unregister_iowq_aff(ctx);
11805 break;
11806 case IORING_REGISTER_IOWQ_MAX_WORKERS:
11807 ret = -EINVAL;
11808 if (!arg || nr_args != 2)
11809 break;
11810 ret = io_register_iowq_max_workers(ctx, arg);
11811 break;
11812 case IORING_REGISTER_RING_FDS:
11813 ret = io_ringfd_register(ctx, arg, nr_args);
11814 break;
11815 case IORING_UNREGISTER_RING_FDS:
11816 ret = io_ringfd_unregister(ctx, arg, nr_args);
11817 break;
11818 default:
11819 ret = -EINVAL;
11820 break;
11821 }
11822
11823 return ret;
11824 }
11825
11826 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
11827 void __user *, arg, unsigned int, nr_args)
11828 {
11829 struct io_ring_ctx *ctx;
11830 long ret = -EBADF;
11831 struct fd f;
11832
11833 f = fdget(fd);
11834 if (!f.file)
11835 return -EBADF;
11836
11837 ret = -EOPNOTSUPP;
11838 if (f.file->f_op != &io_uring_fops)
11839 goto out_fput;
11840
11841 ctx = f.file->private_data;
11842
11843 io_run_task_work();
11844
11845 mutex_lock(&ctx->uring_lock);
11846 ret = __io_uring_register(ctx, opcode, arg, nr_args);
11847 mutex_unlock(&ctx->uring_lock);
11848 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs, ret);
11849 out_fput:
11850 fdput(f);
11851 return ret;
11852 }
11853
11854 static int __init io_uring_init(void)
11855 {
11856 #define __BUILD_BUG_VERIFY_ELEMENT(stype, eoffset, etype, ename) do { \
11857 BUILD_BUG_ON(offsetof(stype, ename) != eoffset); \
11858 BUILD_BUG_ON(sizeof(etype) != sizeof_field(stype, ename)); \
11859 } while (0)
11860
11861 #define BUILD_BUG_SQE_ELEM(eoffset, etype, ename) \
11862 __BUILD_BUG_VERIFY_ELEMENT(struct io_uring_sqe, eoffset, etype, ename)
11863 BUILD_BUG_ON(sizeof(struct io_uring_sqe) != 64);
11864 BUILD_BUG_SQE_ELEM(0, __u8, opcode);
11865 BUILD_BUG_SQE_ELEM(1, __u8, flags);
11866 BUILD_BUG_SQE_ELEM(2, __u16, ioprio);
11867 BUILD_BUG_SQE_ELEM(4, __s32, fd);
11868 BUILD_BUG_SQE_ELEM(8, __u64, off);
11869 BUILD_BUG_SQE_ELEM(8, __u64, addr2);
11870 BUILD_BUG_SQE_ELEM(16, __u64, addr);
11871 BUILD_BUG_SQE_ELEM(16, __u64, splice_off_in);
11872 BUILD_BUG_SQE_ELEM(24, __u32, len);
11873 BUILD_BUG_SQE_ELEM(28, __kernel_rwf_t, rw_flags);
11874 BUILD_BUG_SQE_ELEM(28, /* compat */ int, rw_flags);
11875 BUILD_BUG_SQE_ELEM(28, /* compat */ __u32, rw_flags);
11876 BUILD_BUG_SQE_ELEM(28, __u32, fsync_flags);
11877 BUILD_BUG_SQE_ELEM(28, /* compat */ __u16, poll_events);
11878 BUILD_BUG_SQE_ELEM(28, __u32, poll32_events);
11879 BUILD_BUG_SQE_ELEM(28, __u32, sync_range_flags);
11880 BUILD_BUG_SQE_ELEM(28, __u32, msg_flags);
11881 BUILD_BUG_SQE_ELEM(28, __u32, timeout_flags);
11882 BUILD_BUG_SQE_ELEM(28, __u32, accept_flags);
11883 BUILD_BUG_SQE_ELEM(28, __u32, cancel_flags);
11884 BUILD_BUG_SQE_ELEM(28, __u32, open_flags);
11885 BUILD_BUG_SQE_ELEM(28, __u32, statx_flags);
11886 BUILD_BUG_SQE_ELEM(28, __u32, fadvise_advice);
11887 BUILD_BUG_SQE_ELEM(28, __u32, splice_flags);
11888 BUILD_BUG_SQE_ELEM(32, __u64, user_data);
11889 BUILD_BUG_SQE_ELEM(40, __u16, buf_index);
11890 BUILD_BUG_SQE_ELEM(40, __u16, buf_group);
11891 BUILD_BUG_SQE_ELEM(42, __u16, personality);
11892 BUILD_BUG_SQE_ELEM(44, __s32, splice_fd_in);
11893 BUILD_BUG_SQE_ELEM(44, __u32, file_index);
11894
11895 BUILD_BUG_ON(sizeof(struct io_uring_files_update) !=
11896 sizeof(struct io_uring_rsrc_update));
11897 BUILD_BUG_ON(sizeof(struct io_uring_rsrc_update) >
11898 sizeof(struct io_uring_rsrc_update2));
11899
11900 /* ->buf_index is u16 */
11901 BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
11902
11903 /* should fit into one byte */
11904 BUILD_BUG_ON(SQE_VALID_FLAGS >= (1 << 8));
11905 BUILD_BUG_ON(SQE_COMMON_FLAGS >= (1 << 8));
11906 BUILD_BUG_ON((SQE_VALID_FLAGS | SQE_COMMON_FLAGS) != SQE_VALID_FLAGS);
11907
11908 BUILD_BUG_ON(ARRAY_SIZE(io_op_defs) != IORING_OP_LAST);
11909 BUILD_BUG_ON(__REQ_F_LAST_BIT > 8 * sizeof(int));
11910
11911 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
11912 SLAB_ACCOUNT);
11913 return 0;
11914 };
11915 __initcall(io_uring_init);
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git